I'll put upfront that I'm no expert in any of this, but ... unlike passwords and certificates, attestation is a thing for passkeys. The thing being attested to is "the private key of this cert is being secured by X". X might be YubiKey in the case of a FIDO2 key, or Google or Apple in the case of passkeys.
This aspect of passkeys made me uncomfortable with them. If Google is going to attest they manage your passkey, then it follows the aren't giving a copy to anybody, including you. That means if you lose your Google account you've lost control of your ID. But note: that's control, not the keys themselves. You probably will have a copy of them on a phone, so you can still use them until that phone dies. But when it does you've in a world of pain because you can't backup / transfer / copy them - only Google can do that. In effect you don't own your Google passkey - Google does.
I don't know if Bitwarden does attestation now, or if the are planning to implement it in the future. But if either of those things are true they can't give you a copy of the key, ever.
This still makes me uncomfortable. But I can see why it is so. You and I may be capable of protecting a private key, but my mother and 99% of the rest of the planet aren't. Your bank or whoever trusting me on my say so isn't going to work, so the end result of us never being able to manage our own keys is inevitable. We have to put them in the hands of a 3rd party the bank or whoever can trust.
And it is ameliorated by another aspect of FIDO2 / passkeys: unlike passwords where you can only have one per site, sites are expected to support many FIDO2 keys for the same person. And, you are expected to keep several of them and authenticate each of them at every site you use. So you might have a Google one, and a Bitwarden one, and maybe even a Keypass one. If you did you solve the "Google owns my ID" problem, but it's such a pain in the arse to do I don't see it happening.
We've seen several iterations of this concept: FIDO, WebAuthn/FIDO2, and now passkeys. I'd like to see one more: some way of bundling up a whole pile of passkeys from different providers, so when I establish a new account on a web site, I register all of them. That would make maintaining a bunch of PassKeys trackable. Right now, the reality is bugger all people are going to do it. And as a consequence, a good chunk of the planet is going to end up with Apple / Google / whoever owning their identities. And of course some of them are going to lose their relationship they had with there ID manager, and wake up one day to discover themselves wiped from the digital planet.
I hate attestation with a passion. But luckily Apple has not implemented it and nobody wants to lock all Apple users out. So at least right now it's not a thing in practice.
Yep. The end game of this is that web applications will, either through laziness or a sense of 'better security', only accept passkeys attested by Google/Apple/MS and/or those backed by TPM with non-exportable keys. You have to register with the FIDO Alliance to obtain an attestation GUID, and unsurprisingly, only the big guys are on the list: https://github.com/passkeydeveloper/passkey-authenticator-aa...
This move by Bitwarden clearly shows that they believe products that allow you to export/backup your keys will be blackballed, so they played it safe and blocked that.
My government's e-signing web application (which stores private keys on the vendor's servers for all citizens, but that's another story) already does that.
It used to not even accept Yubikeys, only a fairly unknown other brand; now they finally do support Yubikeys, but only the "FIDO L2" certified kind, i.e. the FIDO and "security key" models, but not the most common plain Yubikey ones...
The repo README for the link you provided says "This is a community-driven list of known passkey provider AAGUIDs to assist with naming passkeys in end user passkey management interfaces (e.g. account settings)."
It also says:
"It is not intended to be used for any other purpose and could go away at any time."
Finally it looks like anyone can contribute attached to an implementation according to the Readme
I'll put upfront that I'm no expert in any of this, but ... unlike passwords and certificates, attestation is a thing for passkeys. The thing being attested to is "the private key of this cert is being secured by X". X might be YubiKey in the case of a FIDO2 key, or Google or Apple in the case of passkeys.
This aspect of passkeys made me uncomfortable with them. If Google is going to attest they manage your passkey, then it follows the aren't giving a copy to anybody, including you. That means if you lose your Google account you've lost control of your ID. But note: that's control, not the keys themselves. You probably will have a copy of them on a phone, so you can still use them until that phone dies. But when it does you've in a world of pain because you can't backup / transfer / copy them - only Google can do that. In effect you don't own your Google passkey - Google does.
I don't know if Bitwarden does attestation now, or if the are planning to implement it in the future. But if either of those things are true they can't give you a copy of the key, ever.
This still makes me uncomfortable. But I can see why it is so. You and I may be capable of protecting a private key, but my mother and 99% of the rest of the planet aren't. Your bank or whoever trusting me on my say so isn't going to work, so the end result of us never being able to manage our own keys is inevitable. We have to put them in the hands of a 3rd party the bank or whoever can trust.
And it is ameliorated by another aspect of FIDO2 / passkeys: unlike passwords where you can only have one per site, sites are expected to support many FIDO2 keys for the same person. And, you are expected to keep several of them and authenticate each of them at every site you use. So you might have a Google one, and a Bitwarden one, and maybe even a Keypass one. If you did you solve the "Google owns my ID" problem, but it's such a pain in the arse to do I don't see it happening.
We've seen several iterations of this concept: FIDO, WebAuthn/FIDO2, and now passkeys. I'd like to see one more: some way of bundling up a whole pile of passkeys from different providers, so when I establish a new account on a web site, I register all of them. That would make maintaining a bunch of PassKeys trackable. Right now, the reality is bugger all people are going to do it. And as a consequence, a good chunk of the planet is going to end up with Apple / Google / whoever owning their identities. And of course some of them are going to lose their relationship they had with there ID manager, and wake up one day to discover themselves wiped from the digital planet.