The spec allows for hardware attestation as well, to ensure passkeys are being provided from blessed computing environments. Hopefully implementers continue to ignore this anti-feature, because it's entirely stupid to lock out users who want to control their own security while, at the same time, letting anyone with an Android phone restore passkeys from the cloud with one of their device PINs.
https://github.com/keepassxreboot/keepassxc/issues/10407#iss...
The credential exchange changes nothing IMO; the rod to punish anyone who doesn't want their credentials stored on a tech giant's servers is still there.
This is something that has been proposed that Tim fought against but mentioned in the thread to provide context of the types of kneejerk reactions the spec authors have had to push back against.
> (which would allow RPs to block you, and something that I have previously rallied against but rethinking as of late because of these situations)
I read "these situations" to mean "non-spec-compliant providers", where "spec-compliant" means to prevent plaintext export of resident keys.