But the big three can't do that, with FIDO. All they can do is influence the FIDO Alliance to add other SK manufacturers to the pseudo-CRL, which:
- is transparent
- is mediated by the FIDO Alliance; the platform makers cannot do it unilaterally, as they can with CAs in browsers
- is mediated by the RPs; even if the FIDO Alliance did do this for some reason, RPs could just ignore it with no ill effects, unlike with CA trust in browsers
- wouldn't have any effect today for the vast majority of RPs, since the vast majority do not even use attestation today
- honestly, isn't something they have any incentive to do; hardware security keys are not a meaningful source of revenue for someone like Apple, Microsoft, or Google
I'm guessing you've never worked in a big tech company before if you think they have an incentive to do that. :)
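To make the "mediated by the RPs" point concrete, here is an added Python sketch (not part of the comment above, and not any project's real code) of the relying-party side: it parses the AAGUID out of WebAuthn authenticator data and applies a registration policy in which the RP, not the FIDO Alliance, decides whether a metadata-service status matters. The MDS snapshot, AAGUIDs and statuses are constructed stand-ins.

```python
import hashlib
import struct
import uuid

# Constructed stand-in for an RP's cached FIDO Metadata Service snapshot
# (the "pseudo-CRL" discussed above). AAGUIDs and statuses are made up.
MDS_SNAPSHOT = {
    "11111111-2222-3333-4444-555555555555": "FIDO_CERTIFIED_L1",
    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": "REVOKED",
}

FLAG_UP = 0x01  # user present
FLAG_AT = 0x40  # attested credential data included

def make_auth_data(aaguid_str: str, rp_id: str = "example.com") -> bytes:
    """Build constructed WebAuthn authenticator data carrying the given AAGUID."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()  # 32 bytes
    flags = bytes([FLAG_UP | FLAG_AT])                      # 1 byte
    sign_count = struct.pack(">I", 1)                       # 4 bytes, big-endian
    cred_id = b"\x01" * 16
    attested = uuid.UUID(aaguid_str).bytes + struct.pack(">H", len(cred_id)) + cred_id
    # Trailing byte stands in for the COSE public key, which this sketch does not parse.
    return rp_id_hash + flags + sign_count + attested + b"\xa5"

def parse_aaguid(auth_data: bytes):
    """Return the AAGUID string, or None when no attested credential data is present."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        return None
    if len(auth_data) < 37 + 16 + 2:
        raise ValueError("attested credential data truncated")
    return str(uuid.UUID(bytes=auth_data[37:53]))

def rp_accepts(attestation_fmt: str, auth_data: bytes, enforce_mds: bool) -> bool:
    """RP registration policy: the RP alone decides whether MDS status matters."""
    # The common case today: attestation "none", or the RP never consults MDS.
    if attestation_fmt == "none" or not enforce_mds:
        return True
    aaguid = parse_aaguid(auth_data)
    if aaguid is None:
        return False
    status = MDS_SNAPSHOT.get(aaguid)
    # An unknown or revoked authenticator is rejected only because this RP chose to.
    return status is not None and status != "REVOKED"
```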