Nerd confession. I haven't looked into passkeys and have no idea what they are and why some companies want me to adopt them.

@tante I have tried looking into them and found it very difficult to find any *clear* information.

I grew suspicious and a deeper look into it confirmed my suspicions - while it *is* a form of keypair auth, and nominally an open standard, the general design choices and implementation recommendations are quite problematic and primarily seem chosen to entrench large players like Google as authentication providers (via e.g. Android).

(Like how there are specific provisions and recommendations for allowlisting "attestation providers", which people are only ever going to do for major providers)

Pixietown

Small server part of the pixie.town infrastructure. Registration is closed.