webauthn
Allow desired attestation format to be an ordered list
Proposed Change
During credential registration in particular (and also given that attestation can now, in theory, be requested on assertions), the attestation property can be specified as a single-valued string.
Consider a scenario where an enterprise would prefer an enterprise attestation, but is willing to fall back to direct attestation, e.g. if there is a mix of managed and unmanaged employee devices, or if some employees have EA-capable authenticators and others do not. Currently there is no way to express this, and practical tests on current behaviour show that no attestation is returned if enterprise is requested but not available/permitted on the client.
Need a discussion on what's viable here, as we do not want the user to have to go through multiple registration ceremonies or pre-select whether they are on a managed device or not.
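As an added example (not the issue author's code and not from the spec), the RP-side check a practitioner would want given the behaviour described above: decode the returned attestationObject far enough to read its fmt and flag when a request for enterprise or direct attestation came back as fmt "none". The `decodeCbor` and `classifyAttestation` helpers and the hand-encoded sample objects are assumptions constructed for this snippet.

```javascript
// Minimal CBOR decoder: ints, byte strings, text strings, arrays, maps.
// Enough for a WebAuthn attestationObject; tags and floats are rejected.
function decodeCbor(bytes) {
  let pos = 0;
  function readLen(ai) {
    if (ai < 24) return ai;
    if (ai === 24) return bytes[pos++];
    if (ai === 25) { const v = (bytes[pos] << 8) | bytes[pos + 1]; pos += 2; return v; }
    if (ai === 26) { const v = (bytes[pos] * 2 ** 24) + (bytes[pos + 1] << 16) + (bytes[pos + 2] << 8) + bytes[pos + 3]; pos += 4; return v; }
    throw new Error("unsupported CBOR length encoding");
  }
  function item() {
    const b = bytes[pos++], major = b >> 5, ai = b & 0x1f;
    switch (major) {
      case 0: return readLen(ai);
      case 1: return -1 - readLen(ai);
      case 2: { const n = readLen(ai); const v = bytes.slice(pos, pos + n); pos += n; return v; }
      case 3: { const n = readLen(ai); const v = new TextDecoder().decode(bytes.slice(pos, pos + n)); pos += n; return v; }
      case 4: { const n = readLen(ai); const a = []; for (let i = 0; i < n; i++) a.push(item()); return a; }
      case 5: { const n = readLen(ai); const m = {}; for (let i = 0; i < n; i++) { const k = item(); m[k] = item(); } return m; }
      default: throw new Error("unsupported CBOR major type " + major);
    }
  }
  return item();
}

// Compare the `attestation` value the RP requested with what the client returned.
// honored is false when "enterprise" or "direct" was requested but fmt is "none",
// i.e. the silent downgrade the issue describes.
function classifyAttestation(attestationObjectBytes, requested) {
  const obj = decodeCbor(attestationObjectBytes);
  if (typeof obj.fmt !== "string") throw new Error("attestationObject has no fmt");
  const wanted = requested === "enterprise" || requested === "direct";
  return { fmt: obj.fmt, honored: !(wanted && obj.fmt === "none") };
}

// Constructed samples (hand-encoded CBOR, not real authenticator output):
// {"fmt": "none", "attStmt": {}, "authData": h'010203'} and the same with fmt "packed".
const SAMPLE_NONE = Uint8Array.from([0xa3, 0x63,0x66,0x6d,0x74, 0x64,0x6e,0x6f,0x6e,0x65,
  0x67,0x61,0x74,0x74,0x53,0x74,0x6d,0x74, 0xa0, 0x68,0x61,0x75,0x74,0x68,0x44,0x61,0x74,0x61, 0x43,0x01,0x02,0x03]);
const SAMPLE_PACKED = Uint8Array.from([0xa3, 0x63,0x66,0x6d,0x74, 0x66,0x70,0x61,0x63,0x6b,0x65,0x64,
  0x67,0x61,0x74,0x74,0x53,0x74,0x6d,0x74, 0xa0, 0x68,0x61,0x75,0x74,0x68,0x44,0x61,0x74,0x61, 0x43,0x01,0x02,0x03]);

console.log(classifyAttestation(SAMPLE_NONE, "enterprise"));   // { fmt: 'none', honored: false }
console.log(classifyAttestation(SAMPLE_PACKED, "enterprise")); // { fmt: 'packed', honored: true }
```

An RP that sees `honored: false` knows the client did not deliver the requested conveyance and can decide its own policy (reject, or accept as a self-asserted credential) rather than silently treating the credential as attested.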