diff --git a/index.bs b/index.bs
index bcd25ceb2..f1882d418 100644
--- a/index.bs
+++ b/index.bs
@@ -1662,7 +1662,6 @@ that are returned to the caller when a new credential is created, or a new asser
         required Base64URLString authenticatorData;
         required Base64URLString signature;
         Base64URLString userHandle;
-        Base64URLString attestationObject;
     };
 
     dictionary AuthenticationExtensionsClientOutputsJSON {
@@ -2518,10 +2517,6 @@ When this method is invoked, the user agent MUST execute the following algorithm
                 ::  If the [=authenticator=] returned a [=user handle=], set the value of [=userHandleResult=] to be the bytes of
                     the returned [=user handle=]. Otherwise, set the value of [=userHandleResult=] to null.
 
-                :   <code><dfn for="assertionCreationData">assertionAttestation</dfn></code>
-                ::  If the [=authenticator=] returned an [=attestation=], set the value of [=assertionAttestation=] to be the bytes of
-                    the [=attestation statement=]. Otherwise set it to null.
-
                 :   <code><dfn for="assertionCreationData">clientExtensionResults</dfn></code>
                 ::  whose value is an {{AuthenticationExtensionsClientOutputs}} object containing [=extension identifier=] →
                     [=client extension output=] entries. The entries are created by running each extension's
@@ -2566,12 +2561,6 @@ When this method is invoked, the user agent MUST execute the following algorithm
                             [=%ArrayBuffer%=], containing the bytes of
                             <code>|assertionCreationData|.[=assertionCreationData/userHandleResult=]</code>.
 
-                        :   {{AuthenticatorAssertionResponse/attestationObject}}
-                        ::  If <code>|assertionCreationData|.[=assertionCreationData/assertionAttestation=]</code> is null, set this
-                            field to null. Otherwise, set this field to a new {{ArrayBuffer}}, created using |global|'s
-                            [=%ArrayBuffer%=], containing the bytes of
-                            <code>|assertionCreationData|.[=assertionCreationData/assertionAttestation=]</code>.
-
                     :   {{PublicKeyCredential/[[clientExtensionsResults]]}}
                     ::  A new {{ArrayBuffer}}, created using |global|'s [=%ArrayBuffer%=], containing the bytes of
                         <code>|assertionCreationData|.[=assertionCreationData/clientExtensionResults=]</code>.
@@ -2654,30 +2643,6 @@ The steps for [=issuing a credential request to an authenticator=] are as follow
 
             </dl>
 
-    1. Let |enterpriseAttestationPossible| be a Boolean value, as follows. If
-        <code>|pkOptions|.{{PublicKeyCredentialRequestOptions/attestation}}</code>
-
-            <dl class="switch">
-
-                :   is set to {{AttestationConveyancePreference/enterprise}}
-                ::  Let |enterpriseAttestationPossible| be [TRUE] if the user agent wishes to support enterprise attestation for |rpId| (see [Step 7](#GetAssn-DetermineRpId) of [[#sctn-discover-from-external-source]]). Otherwise [FALSE].
-
-                :   otherwise
-                ::  Let |enterpriseAttestationPossible| be [FALSE].
-
-            </dl>
-
-    1. Let |attestationFormats| be a list of strings, initialized to the value of <code>|pkOptions|.{{PublicKeyCredentialRequestOptions/attestationFormats}}</code>.
-
-    1. If <code>|pkOptions|.{{PublicKeyCredentialRequestOptions/attestation}}</code>
-
-            <dl class="switch">
-
-                :   is set to {{AttestationConveyancePreference/none}}
-                ::  Set |attestationFormats| be the single-element list containing the string &ldquo;none&rdquo;
-
-            </dl>
-
     1. <span id="allowCredentialDescriptorListCreation"></span>
         If <code>|pkOptions|.{{PublicKeyCredentialRequestOptions/allowCredentials}}</code>
         <dl class="switch">
@@ -2715,23 +2680,19 @@ The steps for [=issuing a credential request to an authenticator=] are as follow
                             Then, using |transport|, invoke the [=authenticatorGetAssertion=] operation on
                             |authenticator|, with |rpId|, |clientDataHash|, |allowCredentialDescriptorList|,
                             |userVerification|,
-                            |enterpriseAttestationPossible|,
-                            |attestationFormats|,
                             and |authenticatorExtensions| as parameters.
 
                         :   [=list/is empty=]
                         ::  Using local configuration knowledge of the appropriate transport to use with |authenticator|,
                             invoke the [=authenticatorGetAssertion=] operation on |authenticator| with |rpId|,
                             |clientDataHash|, |allowCredentialDescriptorList|, |userVerification|,
-                            |enterpriseAttestationPossible|, |attestationFormats|, and |authenticatorExtensions| as parameters.
+                            and |authenticatorExtensions| as parameters.
                     </dl>
 
             :   [=list/is empty=]
             ::  Using local configuration knowledge of the appropriate transport to use with |authenticator|, invoke the
                 [=authenticatorGetAssertion=] operation on |authenticator| with |rpId|, |clientDataHash|,
                 |userVerification|,
-                |enterpriseAttestationPossible|,
-                |attestationFormats|,
                 and |authenticatorExtensions| as parameters.
 
                 Note: In this case, the [=[RP]=] did not supply a list of acceptable credential descriptors. Thus, the
@@ -2911,8 +2872,6 @@ value and terminate the operation.
         sequence<PublicKeyCredentialDescriptorJSON>             allowCredentials = [];
         DOMString                                               userVerification = "preferred";
         sequence<DOMString>                                     hints = [];
-        DOMString                                               attestation = "none";
-        sequence<DOMString>                                     attestationFormats = [];
         AuthenticationExtensionsClientInputsJSON                extensions;
     };
 </xmp>
@@ -3019,7 +2978,6 @@ optionally evidence of [=user consent=] to a specific transaction.
         [SameObject] readonly attribute ArrayBuffer      authenticatorData;
         [SameObject] readonly attribute ArrayBuffer      signature;
         [SameObject] readonly attribute ArrayBuffer?     userHandle;
-        [SameObject] readonly attribute ArrayBuffer?     attestationObject;
     };
 </xmp>
 <div dfn-type="attribute" dfn-for="AuthenticatorAssertionResponse">
@@ -3040,9 +2998,6 @@ optionally evidence of [=user consent=] to a specific transaction.
         [=user handle=]. See [[#sctn-op-get-assertion]]. The authenticator MUST always return a [=user handle=] if
         the {{PublicKeyCredentialRequestOptions/allowCredentials}} option used in the [=authentication ceremony=] is [=list/is empty|empty=],
         and MAY return one otherwise.
-
-    :   <dfn>attestationObject</dfn>
-    ::  This OPTIONAL attribute contains an [=attestation object=], if the [=authenticator=] supports attestation in assertions. The [=attestation object=], if present, includes an [=attestation statement=]. Unlike the {{AuthenticatorAttestationResponse/attestationObject}} in an {{AuthenticatorAttestationResponse}}, it does not contain an `authData` key because the [=authenticator data=] is provided directly in an {{AuthenticatorAssertionResponse}} structure. For more details on attestation, see [[#sctn-attestation]], [[#sctn-attestation-in-assertions]], [[#sctn-generating-an-attestation-object]], and [Figure 6](#fig-attStructs).
 </div>
 
 ## Parameters for Credential Generation (dictionary <dfn dictionary>PublicKeyCredentialParameters</dfn>) ## {#dictionary-credential-params}
@@ -3483,8 +3438,6 @@ an assertion. Its {{PublicKeyCredentialRequestOptions/challenge}} member MUST be
         sequence<PublicKeyCredentialDescriptor> allowCredentials = [];
         DOMString                            userVerification = "preferred";
         sequence<DOMString>                  hints = [];
-        DOMString                            attestation = "none";
-        sequence<DOMString>                  attestationFormats = [];
         AuthenticationExtensionsClientInputs extensions;
     };
 </xmp>
@@ -3549,21 +3502,6 @@ an assertion. Its {{PublicKeyCredentialRequestOptions/challenge}} member MUST be
     :   <dfn>hints</dfn>
     ::  This OPTIONAL member contains zero or more elements from {{PublicKeyCredentialHints}} to guide the user agent in interacting with the user. Note that the elements have type `DOMString` despite being taken from that enumeration. See [[#sct-domstring-backwards-compatibility]].
 
-    :   <dfn>attestation</dfn>
-    ::  The [=[RP]=] MAY use this OPTIONAL member to specify a preference regarding [=attestation conveyance=].
-        Its value SHOULD be a member of {{AttestationConveyancePreference}}.
-        [=Client platforms=] MUST ignore unknown values, treating an unknown value as if the [=map/exist|member does not exist=].
-
-        The default value is {{AttestationConveyancePreference/none}}.
-
-    :   <dfn>attestationFormats</dfn>
-    ::  The [=[RP]=] MAY use this OPTIONAL member to specify a preference regarding the [=attestation=] statement format used by the [=authenticator=].
-        Values SHOULD be taken from the IANA "WebAuthn Attestation Statement Format Identifiers" registry [[!IANA-WebAuthn-Registries]] established by [[!RFC8809]].
-        Values are ordered from most preferable to least preferable.
-        This parameter is advisory and the [=authenticator=] MAY use an attestation statement not enumerated in this parameter.
-
-        The default value is the empty list, which indicates no preference.
-
     :   <dfn>extensions</dfn>
     ::  The [=[RP]=] MAY use this OPTIONAL member to provide [=client extension inputs=]
         requesting additional processing by the [=client=] and [=authenticator=].
@@ -4788,10 +4726,6 @@ It takes the following input parameters:
     wish to make a [=test of user presence=] optional although WebAuthn does not.
 : |requireUserVerification|
 :: The [=effective user verification requirement for assertion=], a Boolean value provided by the client.
-: |enterpriseAttestationPossible|
-:: A Boolean value that indicates that individually-identifying attestation MAY be returned by the authenticator.
-: |attestationFormats|
-:: A sequence of strings that expresses the [=[RP]=]'s preference for attestation statement formats, from most to least preferable. If the [=authenticator=] returns [=attestation=], then it makes a best-effort attempt to use the most preferable format that it supports.
 : |extensions|
 :: A [=CBOR=] [=map=] from [=extension identifiers=] to their [=authenticator extension inputs=], created by the client based on
     the extensions requested by the [=[RP]=], if any.
@@ -4837,17 +4771,9 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
     which approach is implemented by the [=authenticator=], by some positive value.
     If the [=authenticator=] does not implement a [=signature counter=], let the [=signature counter=] value remain constant at
     zero.
-1. If |attestationFormats|:
-    <dl class="switch">
-        : is [=list/is not empty|not empty=]
-        :: let |attestationFormat| be the first supported [=attestation statement format=] from |attestationFormats|, taking into account |enterpriseAttestationPossible|. If none are supported, fallthrough to:
-
-        : is [=list/is empty|empty=]
-        :: let |attestationFormat| be the [=attestation statement format=] most preferred by this authenticator. If it does not support attestation during assertion then let this be `none`.
-    </dl>
 1. Let |authenticatorData| [=perform the following steps to generate an authenticator data structure|be the byte array=]
     specified in [[#sctn-authenticator-data]] including |processedExtensions|, if any, as
-    the <code>[=authData/extensions=]</code> and excluding <code>[=attestedCredentialData=]</code>. This |authenticatorData| MUST include [=attested credential data=] if, and only if, |attestationFormat| is not `none`.
+    the <code>[=authData/extensions=]</code> and excluding <code>[=attestedCredentialData=]</code>.
 1. Let |signature| be the [=assertion signature=] of the concatenation <code>|authenticatorData| || |hash|</code> using the
     [=public key credential source/privateKey=] of |selectedCredential| as shown in <a href="#fig-signature">Figure <span class="figure-num-following"></span></a>, below. A simple,
     undelimited
@@ -4859,11 +4785,8 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
         <figcaption>Generating an [=assertion signature=].</figcaption>
     </figure>
 
-1. The |attestationFormat| is not `none` then create an [=attestation object=] for the new credential using the procedure specified in
-    [[#sctn-generating-an-attestation-object]], the [=attestation statement format=] |attestationFormat|, and the values |authenticatorData|
-    and |hash|, as well as {{enterprise|taking into account}} the value of |enterpriseAttestationPossible|. For more details on attestation, see [[#sctn-attestation]].
-
-1. If any error occurred then return an error code equivalent to "{{UnknownError}}" and terminate the operation.
+1. If any error occurred while generating the [=assertion signature=], return an error code equivalent to "{{UnknownError}}" and
+    terminate the operation.
 
 <!-- Note: this next step is actually a top-level step, but bikeshed wanted it indented this much in order to render it as
 a numbered step. If outdented, it (today) is rendered as a bullet in the midst of a numbered list :-/
@@ -4880,7 +4803,6 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
 
             - |authenticatorData|
             - |signature|
-            - The attestation object, if an [=attestation object=] was created for this assertion.
             - |selectedCredential|.[=public key credential source/userHandle=]
 
                     Note: In cases where |allowCredentialDescriptorList| was supplied the returned
@@ -5002,11 +4924,10 @@ produce, for each [=credential public key=], an [=attestation statement=] verifi
 a challenge, as well as a certificate or similar data providing provenance information for the [=attestation public key=],
 enabling the [=[RP]=] to make a trust decision. However, if an [=attestation key pair=] is not available, then the authenticator
 MAY either perform [=self attestation=] of the [=credential public key=] with the corresponding [=credential private key=],
-or otherwise perform [=None|no attestation=].
-
-All this information is returned by [=authenticators=] any time a new [=public key credential=] is generated, and optionally when exercised, in the overall form of an
-<dfn>attestation object</dfn>. The relationship of the [=attestation object=] with [=authenticator data=] (containing
-[=attested credential data=]) and the [=attestation statement=] is illustrated in <a href="#fig-attStructs">figure <span class="figure-num-following"></span></a>, below.
+or otherwise perform [=None|no attestation=]. All this information is returned by [=authenticators=] any time a new
+[=public key credential=] is generated, in the overall form of an <dfn>attestation object</dfn>. The relationship of the
+[=attestation object=] with [=authenticator data=] (containing [=attested credential data=]) and the [=attestation statement=]
+is illustrated in <a href="#fig-attStructs">figure <span class="figure-num-following"></span></a>, below.
 
 If an [=authenticator=] employs [=self attestation=] or [=None|no attestation=], then no provenance information is provided
 for the [=[RP]=] to base a trust decision on.
@@ -5014,7 +4935,7 @@ In these cases, the [=authenticator=] provides no guarantees about its operation
 
 <figure id="fig-attStructs">
     <img src="images/fido-attestation-structures.svg"></img>
-    <figcaption>[=Attestation object=] layout illustrating the included [=authenticator data=] from a {{CredentialsContainer/create()|create()}} operation (containing [=attested credential
+    <figcaption>[=Attestation object=] layout illustrating the included [=authenticator data=] (containing [=attested credential
     data=]) and the [=attestation statement=].</figcaption>
 </figure>
 <div class="note">
@@ -5051,24 +4972,13 @@ The privacy, security and operational characteristics of [=attestation=] depend
     operating environment, and so on.
 
 The [=attestation type=] and [=attestation statement format=] is chosen by the [=authenticator=];
-[=[RPS]=] can only signal their preferences by setting the {{PublicKeyCredentialCreationOptions/attestation}} and {{PublicKeyCredentialCreationOptions/attestationFormats}} parameters, or those with the same names in {{PublicKeyCredentialRequestOptions}}.
+[=[RPS]=] can only signal their preferences by setting the {{PublicKeyCredentialCreationOptions/attestation}} and {{PublicKeyCredentialCreationOptions/attestationFormats}} parameters.
 
 It is expected that most [=authenticators=] will support a small number of [=attestation types=] and [=attestation statement
 formats=], while [=[RPS]=] will decide what [=attestation types=] are acceptable to them by policy. [=[RPS]=] will also need to
 understand the characteristics of the [=authenticators=] that they trust, based on information they have about these
 [=authenticators=]. For example, the FIDO Metadata Service [[FIDOMetadataService]] provides one way to access such information.
 
-### Attestation in assertions ### {#sctn-attestation-in-assertions}
-
-Attestation is most commonly provided during credential creation. However, if supported by the authenticator and requested by the [=[RP]=] using the {{PublicKeyCredentialRequestOptions/attestation}} parameter, attestation MAY be provided in [=assertions=].
-
-Attestations in [=assertions=] could be helpful in at least the following situations:
-
-1. For [=multi-device credentials=], the [=generating authenticator=] may have returned a meaningfully different attestation than the authenticator currently exercising the credential. Thus returning an attestation for each use of the credential allows the [=[RP]=] to observe these changes.
-1. If the [=attestation statement format=] involves a 3rd-party attesting to the state of the authenticator, then returning an attestation with each use of the credential allows for the continued good health of the authenticator to be attested.
-
-[=Attestation objects=] provided in an {{AuthenticatorAttestationResponse}} structure (i.e. as the result of a {{CredentialsContainer/create()|create()}} operation) contain at least the three keys shown in [the previous figure](#fig-attStructs): `fmt`, `attStmt`, and `authData`. The `authData` key is not included when an [=attestation object=] is provided in an {{AuthenticatorAssertionResponse}} (i.e. as the result of a {{CredentialsContainer/get()|get()}} operation). That is because the [=authenticator data=] is provided directly in the {{AuthenticatorAssertionResponse/authenticatorData}} member of the {{AuthenticatorAssertionResponse}}. Otherwise, processing of the [=attestation object=] is identical.
-
 ### Attested Credential Data ### {#sctn-attested-credential-data}
 
 <dfn>Attested credential data</dfn> is a variable-length byte array added to the [=authenticator data=] when generating an [=attestation
@@ -5116,8 +5026,6 @@ object=] for a credential. Its format is shown in <a href="#table-attestedCreden
     </figcaption>
 </figure>
 
-Attested credential data is always present in any [=authenticator data=] that results from a {{CredentialsContainer/create()|create()}} operation. It MUST be present in an [=authenticator data=] resulting from a {{CredentialsContainer/get()|get()}} operation if, and only if, the {{AuthenticatorAssertionResponse/attestationObject}} attribute is present in the assertion result.
-
 #### Examples of `credentialPublicKey` Values Encoded in COSE_Key Format #### {#sctn-encoded-credPubKey-examples}
 
 This section provides examples of COSE_Key-encoded Elliptic Curve and RSA public keys for the ES256, PS256, and RS256
@@ -5716,20 +5624,6 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
                   [=[RP]=]-specific. </dd>
            </dl>
 
-1. If <code>|response|.{{AuthenticatorAssertionResponse/attestationObject}}</code> is present and the [=[RP]=] wishes to verify the attestation then perform CBOR decoding on {{AuthenticatorAssertionResponse/attestationObject}} to obtain the attestation statement format |fmt|, and the attestation statement |attStmt|.
-
-    1. Verify that the `AT` bit in the [=flags=] field of |authData| is set, indicating that [=attested credential data=] is included.
-
-    1. Verify that the [=credentialPublicKey=] and [=credentialId=] fields of the [=attested credential data=] in |authData| match <code>|credentialRecord|.[$credential record/publicKey$]</code> and <code>|credentialRecord|.[$credential record/id$]</code>, respectively.
-
-    1. Determine the attestation statement format by performing a USASCII case-sensitive match on |fmt| against the set of supported WebAuthn Attestation Statement Format Identifier values. An up-to-date list of registered WebAuthn Attestation Statement Format Identifier values is maintained in the IANA "WebAuthn Attestation Statement Format Identifiers" registry [[!IANA-WebAuthn-Registries]] established by [[!RFC8809]].
-
-    1. Verify that |attStmt| is a correct [=attestation statement=], conveying a valid [=attestation signature=], by using the [=attestation statement format=] |fmt|'s [=verification procedure=] given |attStmt|, |authData| and |hash|.
-
-        Note: Each [=attestation statement format=] specifies its own [=verification procedure=]. See [[#sctn-defined-attestation-formats]] for the initially-defined formats, and [[!IANA-WebAuthn-Registries]] for the up-to-date list.
-
-    1. If validation is successful, obtain a list of acceptable trust anchors (i.e. attestation root certificates) for that attestation type and attestation statement format |fmt|, from a trusted source or from policy. The [=authData/attestedCredentialData/aaguid=] in the [=attested credential data=] can be used to guide this lookup.
-
     <li id='authn-ceremony-update-credential-record'>
         Update |credentialRecord| with new state values:
 
@@ -5740,12 +5634,6 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
                 This change SHOULD require authorization by an additional [=authentication factor=] equivalent to WebAuthn [=user verification=];
                 if not authorized, skip this step.
 
-            1. OPTIONALLY, if <code>|response|.{{AuthenticatorAssertionResponse/attestationObject}}</code> is present,
-                update <code>|credentialRecord|.[$credential record/attestationObject$]</code>
-                to the value of <code>|response|.{{AuthenticatorAssertionResponse/attestationObject}}</code>
-                and update <code>|credentialRecord|.[$credential record/attestationClientDataJSON$]</code>
-                to the value of <code>|response|.{{AuthenticatorResponse/clientDataJSON}}</code>.
-
         If the [=[RP]=] performs additional security checks beyond these WebAuthn [=authentication ceremony=] steps,
         the above state updates SHOULD be deferred to after those additional checks are completed successfully.
     </li>