> With Safari providing this, it can be used by some providers, but nobody can block or behave differently with unattested clients.
What mechanism prevents websites from blocking or behaving differently for unattested clients? The article doesn't make that clear.
Also: Apple's attestation implementation introduces an external real-time single point of failure, but given that the failure mode is just "show a captcha", it doesn't seem too severe. Is it even possible to implement a broader attestation infrastructure without introducing a similar single point of failure? TLS PKI, for example, does not rely on an external "live" server; the private keys live on the origin.