I saw some claims online that a password manager I was considering using doesn't correctly enforce the RPID domain check and therefore would allow phishing attacks. Not mentioning the password manager in question because I haven't confirmed the rumor.
But wouldn't it be nice if we had a way of testing this? e.g. have webauthn.io use a passkey for a different rpid and see if the password manager accepts it?
And extending on the concept, maybe we could add other checks testing for conformance with other parts of the standard?
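The check such a test would exercise is the WebAuthn rule that the RP ID must equal the calling origin's effective domain or be a registrable domain suffix of it. The following is an added example (not code from this issue, webauthn.io, or any password manager) of that rule, with a small constructed stand-in for the Public Suffix List and the assumption that only `https:` origins are accepted.

```javascript
// Added example: the RP ID validation a conforming WebAuthn client or
// password manager must perform before using a credential.
// CONSTRUCTED stand-in for the real Public Suffix List; a real client
// would consult the full list from https://publicsuffix.org.
const PUBLIC_SUFFIXES = new Set(["com", "org", "io", "co.uk", "github.io"]);

// Effective domain of an origin such as "https://login.example.com:8443".
// Returns null for unparsable origins or (assumption) non-https schemes.
function effectiveDomain(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;
  return url.hostname.toLowerCase();
}

// True only if rpId equals the origin's effective domain or is a
// registrable domain suffix of it (matching on a label boundary and
// never a bare public suffix such as "co.uk").
function isValidRpId(origin, rpId) {
  const domain = effectiveDomain(origin);
  if (!domain || !rpId) return false;
  const rp = rpId.toLowerCase();
  if (PUBLIC_SUFFIXES.has(rp)) return false;
  if (domain === rp) return true;
  // "evil-example.com" must not match "example.com": require the dot.
  return domain.endsWith("." + rp);
}

// Constructed conformance cases of the kind the issue proposes: a client
// that returns true for the lookalike origins is not enforcing the check.
const CONFORMANCE_CASES = [
  { origin: "https://login.example.com", rpId: "example.com", expect: true },
  { origin: "https://example.com.evil.net", rpId: "example.com", expect: false },
  { origin: "https://evil-example.com", rpId: "example.com", expect: false },
  { origin: "https://example.co.uk", rpId: "co.uk", expect: false },
];

// Returns the cases whose result disagrees with the expectation.
function failingCases() {
  return CONFORMANCE_CASES.filter(
    (c) => isValidRpId(c.origin, c.rpId) !== c.expect
  );
}
```

Running `failingCases()` against a correct implementation returns an empty list; plugging a password manager's own RP ID logic in place of `isValidRpId` turns the same cases into the conformance test the issue asks for.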