From d945586b73d6927ca3cf1346387338f5b986ea26 Mon Sep 17 00:00:00 2001 From: Tim Cappalli Date: Mon, 8 Jul 2024 20:30:42 +0000 Subject: [PATCH] Merge pull request #2085 from w3c/tc-remove-uvm SHA: 061a649f3ae7634e1448129ea72951fa7e387fdd Reason: push, by nsatragno Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- index.html | 6606 ++++++++++++++++++++++++++++++---------------------- 1 file changed, 3824 insertions(+), 2782 deletions(-) diff --git a/index.html b/index.html index d84ef2b89..f778e7c04 100644 --- a/index.html +++ b/index.html @@ -4,9 +4,10 @@ Web Authentication: An API for accessing Public Key Credentials - Level 3 - + - + + - + - + - +

Web Authentication:
An API for accessing Public Key Credentials
Level 3

-

Editor’s Draft,

+

Editor’s Draft,

More details about this document
@@ -931,9 +982,11 @@

Web Authentication:
An API for accessing Public Key Credentials
Level
Feedback:
GitHub
Editors: +
(Okta)
(Self-Issued Consulting)
(Microsoft)
(Yubico) +
(Cisco)
Former Editors:
(Google)
(Microsoft) @@ -947,10 +1000,9 @@

Web Authentication:
An API for accessing Public Key Credentials
Level
Contributors:
John Bradley (Yubico)
Christiaan Brand (Google) -
Tim Cappalli (Microsoft)
Adam Langley (Google)
Giridhar Mandyam (Qualcomm) -
Matthew Miller (Cisco) +
Pascoe (Apple)
Nina Satragno (Google)
Ki-Eun Shin (SK Telecom)
Nick Steele (1Password) @@ -958,24 +1010,24 @@

Web Authentication:
An API for accessing Public Key Credentials
Level
Shane Weeden (IBM)
Mike West (Google)
Jeffrey Yasskin (Google) +
Anders Åberg (Bitwarden)
Tests:
web-platform-tests webauthn/ (ongoing work)

-

Copyright © 2023 World Wide Web Consortium. W3C® liability, trademark and permissive document license rules apply.

+

Copyright © 2024 World Wide Web Consortium. W3C® liability, trademark and permissive document license rules apply.

Abstract

This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based - - credentials by web applications, for the purpose of strongly authenticating users. Conceptually, one or more public key - credentials, each scoped to a given WebAuthn Relying Party, are created by and bound to authenticators as requested by the web application. The user agent mediates access to authenticators and their public - key credentials in order to preserve user - privacy. Authenticators are responsible for ensuring that no operation is performed without user consent. Authenticators provide cryptographic proof of their properties to Relying Parties via attestation. This - specification also describes the functional model for WebAuthn conformant authenticators, including their signature and attestation functionality.

+credentials by web applications, for the purpose of strongly authenticating users. Conceptually, one or more public key +credentials, each scoped to a given WebAuthn Relying Party, are created by and bound to authenticators as requested by the web application. The user agent mediates access to authenticators and their public +key credentials in order to preserve user +privacy. Authenticators are responsible for ensuring that no operation is performed without user consent. Authenticators provide cryptographic proof of their properties to Relying Parties via attestation. This +specification also describes the functional model for WebAuthn conformant authenticators, including their signature and attestation functionality.

Status of this document

@@ -995,7 +1047,7 @@

Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

-

This document is governed by the 03 November 2023 W3C Process Document.

+

This document is governed by the 03 November 2023 W3C Process Document.

@@ -1059,11 +1111,10 @@

Table of Contents

  • 5.1.4.2 Issuing a Credential Request to an Authenticator
  • 5.1.5 Store an Existing Credential - PublicKeyCredential’s [[Store]](credential, sameOriginWithAncestors) Method -
  • 5.1.6 Preventing Silent Access to an Existing Credential - PublicKeyCredential’s [[preventSilentAccess]](credential, sameOriginWithAncestors) Method -
  • 5.1.7 Availability of User-Verifying Platform Authenticator - PublicKeyCredential’s isUserVerifyingPlatformAuthenticatorAvailable() Method -
  • 5.1.8 Availability of a passkey platform authenticator - PublicKeyCredential’s isPasskeyPlatformAuthenticatorAvailable() Method -
  • 5.1.9 Deserialize Registration ceremony options - PublicKeyCredential’s parseCreationOptionsFromJSON() Method -
  • 5.1.10 Deserialize Authentication ceremony options - PublicKeyCredential’s parseRequestOptionsFromJSON() Methods +
  • 5.1.6 Availability of User-Verifying Platform Authenticator - PublicKeyCredential’s isUserVerifyingPlatformAuthenticatorAvailable() Method +
  • 5.1.7 Availability of client capabilities - PublicKeyCredential’s getClientCapabilities() Method +
  • 5.1.8 Deserialize Registration ceremony options - PublicKeyCredential’s parseCreationOptionsFromJSON() Method +
  • 5.1.9 Deserialize Authentication ceremony options - PublicKeyCredential’s parseRequestOptionsFromJSON() Methods
  • 5.2 Authenticator Responses (interface AuthenticatorResponse) @@ -1112,7 +1163,8 @@

    Table of Contents

  • 5.8.4 Authenticator Transport Enumeration (enum AuthenticatorTransport)
  • 5.8.5 Cryptographic Algorithm Identifier (typedef COSEAlgorithmIdentifier)
  • 5.8.6 User Verification Requirement Enumeration (enum UserVerificationRequirement) -
  • 5.8.7 User-agent Hints Enumeration (enum PublicKeyCredentialHints) +
  • 5.8.7 Client Capability Enumeration (enum ClientCapability) +
  • 5.8.8 User-agent Hints Enumeration (enum PublicKeyCredentialHints)
  • 5.9 Permissions Policy integration
  • 5.10 Using Web Authentication within iframe elements @@ -1146,22 +1198,26 @@

    Table of Contents

  • 6.4 String Handling
      -
    1. 6.4.1 String Truncation +
    2. + 6.4.1 String Truncation +
        +
      1. 6.4.1.1 String Truncation by Clients +
      2. 6.4.1.2 String Truncation by Authenticators +
    3. 6.4.2 Language and Direction Encoding
  • 6.5 Attestation
      -
    1. 6.5.1 Attestation in assertions
    2. - 6.5.2 Attested Credential Data + 6.5.1 Attested Credential Data
        -
      1. 6.5.2.1 Examples of credentialPublicKey Values Encoded in COSE_Key Format +
      2. 6.5.1.1 Examples of credentialPublicKey Values Encoded in COSE_Key Format
      -
    3. 6.5.3 Attestation Statement Formats -
    4. 6.5.4 Attestation Types -
    5. 6.5.5 Generating an Attestation Object -
    6. 6.5.6 Signature Formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures +
    7. 6.5.2 Attestation Statement Formats +
    8. 6.5.3 Attestation Types +
    9. 6.5.4 Generating an Attestation Object +
    10. 6.5.5 Signature Formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures
  • @@ -1219,22 +1275,21 @@

    Table of Contents

  • 10.2 Authenticator Extensions
      -
    1. 10.2.1 User Verification Method Extension (uvm)
    2. - 10.2.2 Supplemental public keys extension (supplementalPubKeys) + 10.2.1 Supplemental public keys extension (supplementalPubKeys)
        -
      1. 10.2.2.1 Relying Party Usage +
      2. 10.2.1.1 Relying Party Usage
      3. - 10.2.2.2 Extension Definition + 10.2.1.2 Extension Definition
          -
        1. 10.2.2.2.1 AAGUIDs -
        2. 10.2.2.2.2 Attestation calculations +
        3. 10.2.1.2.1 AAGUIDs +
        4. 10.2.1.2.2 Attestation calculations
      4. - 10.2.2.3 supplementalPubKeys Extension Output Verification Procedures + 10.2.1.3 supplementalPubKeys Extension Output Verification Procedures
          -
        1. 10.2.2.3.1 Registration (create()) -
        2. 10.2.2.3.2 Authentication (get()) +
        3. 10.2.1.3.1 Registration (create()) +
        4. 10.2.1.3.2 Authentication (get())
    @@ -1255,6 +1310,7 @@

    Table of Contents

  • 11.7 Remove Credential
  • 11.8 Remove All Credentials
  • 11.9 Set User Verified +
  • 11.10 Set Credential Properties
  • 12 IANA Considerations @@ -1307,6 +1363,7 @@

    Table of Contents

  • 14.5.1 Registration Ceremony Privacy
  • 14.5.2 Authentication Ceremony Privacy
  • 14.5.3 Privacy Between Operating System Accounts +
  • 14.5.4 Disclosing Client Capabilities
  • 14.6 Privacy considerations for Relying Parties @@ -1398,7 +1455,7 @@

    Note: Along with the Web Authentication API itself, this specification defines a - request-response cryptographic protocol—the WebAuthn/FIDO2 protocol—between + request-response cryptographic protocol—the WebAuthn/FIDO2 protocol—between a WebAuthn Relying Party server and an authenticator, where the Relying Party's request consists of a challenge and other input data supplied by the Relying Party and sent to the authenticator. The request is conveyed via the @@ -1873,9 +1930,9 @@

    2.3. WebAuthn Relying Parties

    A WebAuthn Relying Party MUST behave as described in § 7 WebAuthn Relying Party Operations to obtain all the security benefits offered by this specification. See § 13.4.1 Security Benefits for WebAuthn Relying Parties for further discussion of this.

    2.4. All Conformance Classes

    -

    All CBOR encoding performed by the members of the above conformance classes MUST be done using the CTAP2 canonical CBOR encoding form. +

    All CBOR encoding performed by the members of the above conformance classes MUST be done using the CTAP2 canonical CBOR encoding form. All decoders of the above conformance classes SHOULD reject CBOR that is not validly encoded -in the CTAP2 canonical CBOR encoding form and SHOULD reject messages with duplicate map keys.

    +in the CTAP2 canonical CBOR encoding form and SHOULD reject messages with duplicate map keys.

    3. Dependencies

    This specification relies on several other underlying specifications, listed below and in Terms defined by reference.

    @@ -1887,7 +1944,7 @@

    CTAP2 canonical CBOR encoding form of the Compact Binary Object Representation (CBOR) [RFC8949], +

    A number of structures in this specification, including attestation statements and extensions, are encoded using the CTAP2 canonical CBOR encoding form of the Compact Binary Object Representation (CBOR) [RFC8949], as defined in [FIDO-CTAP].

    CDDL
    @@ -1905,9 +1962,6 @@

    %ArrayBuffer% is defined in [ECMAScript].

    -
    HTML -
    -

    The concepts of browsing context, origin, opaque origin, tuple origin, relevant settings object, same site and is a registrable domain suffix of or is equal to are defined in [HTML].

    URL

    The concepts of domain, host, port, scheme, valid domain and valid domain string are defined in [URL].

    @@ -1921,8 +1975,9 @@

    determining the FacetID of a calling application and determining if a caller’s FacetID is authorized for an AppID (used only in the AppID extension) are defined by [FIDO-APPID].

    -

    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and -"OPTIONAL" in this document are to be interpreted as described in [RFC2119].

    +

    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", +"NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in +BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

    4. Terminology

    Attestation @@ -1958,7 +2013,7 @@

    register a user with a given Relying Party and later assert possession of the registered public key credential, and optionally verify the user to the Relying Party. Authenticators can report information regarding their type and security characteristics via attestation during registration and assertion.

    A WebAuthn Authenticator could be a roaming authenticator, a dedicated hardware subsystem integrated into the client device, -or a software component of the client or client device. A WebAuthn Authenticator is not necessarily confined to operating in +or a software component of the client or client device. A WebAuthn Authenticator is not necessarily confined to operating in a local context, and can generate or store a credential key pair in a server outside of client-side hardware.

    In general, an authenticator is assumed to have only one user. If multiple natural persons share access to an authenticator, @@ -2278,19 +2333,25 @@

    WebAuthn API, a relying party identifier is a valid domain string identifying the WebAuthn Relying Party on whose behalf a given registration or authentication ceremony is being performed. A public key credential can only be used for authentication with the same entity (as identified by RP ID) it was registered with.

    By default, the RP ID for a WebAuthn operation is set to the caller’s origin's effective domain. This default MAY be -overridden by the caller, as long as the caller-specified RP ID value is a registrable domain suffix of or is equal +overridden by the caller, as long as the caller-specified RP ID value is a registrable domain suffix of or is equal to the caller’s origin's effective domain. See also § 5.1.3 Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method and § 5.1.4 Use an Existing Credential to Make an Assertion - PublicKeyCredential’s [[Get]](options) Method.

    - Note: An RP ID is based on a host's domain name. It does not itself include a scheme or port, as an origin does. The RP ID of a public key credential determines its scope. I.e., it determines the set of origins on which the public key credential may be exercised, as follows: + Note: An RP ID is based on a host's domain name. It does not itself include a scheme or port, as an origin does. The RP ID of a public key credential determines its scope. I.e., it determines the set of origins on which the public key credential may be exercised, as follows: -

    For example, given a Relying Party whose origin is https://login.example.com:1337, then the following RP IDs are valid: login.example.com (default) and example.com, but not m.login.example.com and not com.

    +

    For example, given a Relying Party whose origin is https://login.example.com:1337, then the following RP IDs are valid: login.example.com (default) and example.com, but not m.login.example.com and not com. Another example of a valid origin is http://localhost:8000, due to the origin being localhost.

    This is done in order to match the behavior of pervasively deployed ambient credentials (e.g., cookies, [RFC6265]). Please note that this is a greater relaxation of "same-origin" restrictions than what document.domain's setter provides.

    These restrictions on origin values apply to WebAuthn Clients.

    @@ -2398,16 +2459,16 @@

    5. deletion are considered to be the responsibility of such a user interface and are deliberately omitted from the API exposed to scripts.

    The security properties of this API are provided by the client and the authenticator working together. The authenticator, which -holds and manages credentials, ensures that all operations are scoped to a particular origin, and cannot be replayed against -a different origin, by incorporating the origin in its responses. Specifically, as defined in § 6.3 Authenticator Operations, -the full origin of the requester is included, and signed over, in the attestation object produced when a new credential +holds and manages credentials, ensures that all operations are scoped to a particular origin, and cannot be replayed against +a different origin, by incorporating the origin in its responses. Specifically, as defined in § 6.3 Authenticator Operations, +the full origin of the requester is included, and signed over, in the attestation object produced when a new credential is created as well as in all assertions produced by WebAuthn credentials.

    Additionally, to maintain user privacy and prevent malicious Relying Parties from probing for the presence of public key credentials belonging to other Relying Parties, each credential is also scoped to a Relying Party Identifier, or RP ID. This RP ID is provided by the client to the authenticator for all operations, and the authenticator ensures that credentials created by a Relying Party can only be used in operations -requested by the same RP ID. Separating the origin from the RP ID in this way allows the API to be used in cases -where a single Relying Party maintains multiple origins.

    -

    The client facilitates these security measures by providing the Relying Party's origin and RP ID to the authenticator for +requested by the same RP ID. Separating the origin from the RP ID in this way allows the API to be used in cases +where a single Relying Party maintains multiple origins.

    +

    The client facilitates these security measures by providing the Relying Party's origin and RP ID to the authenticator for each operation. Since this is an integral part of the WebAuthn security model, user agents only expose this API to callers in secure contexts. For web contexts in particular, this only includes those accessed via a secure transport (e.g., TLS) established without errors.

    @@ -2456,10 +2517,11 @@

    This operation returns the value of [[clientExtensionsResults]], which is a map containing extension identifierclient extension output entries produced by the extension’s client extension processing.

    isConditionalMediationAvailable()
    -

    PublicKeyCredential overrides this method to indicate availability for conditional mediation. WebAuthn Relying Parties SHOULD verify availability before attempting to set options.mediation to conditional.

    +

    PublicKeyCredential overrides this method to indicate availability for conditional mediation during navigator.credentials.get(). WebAuthn Relying Parties SHOULD verify availability before +attempting to set options.mediation to conditional.

    Upon invocation, a promise is returned that resolves with a value of true if conditional user mediation is available, or false otherwise.

    This method has no arguments and returns a promise to a Boolean value.

    -

    Note: If this method is not present, conditional user mediation is not available.

    +

    Note: If this method is not present, conditional user mediation is not available for navigator.credentials.get().

    toJSON()

    This operation returns RegistrationResponseJSON or AuthenticationResponseJSON, @@ -2480,58 +2542,57 @@

    typedef object PublicKeyCredentialJSON; dictionary RegistrationResponseJSON { - required Base64URLString id; - required Base64URLString rawId; - required AuthenticatorAttestationResponseJSON response; - DOMString authenticatorAttachment; - required AuthenticationExtensionsClientOutputsJSON clientExtensionResults; - required DOMString type; + required Base64URLString id; + required Base64URLString rawId; + required AuthenticatorAttestationResponseJSON response; + DOMString authenticatorAttachment; + required AuthenticationExtensionsClientOutputsJSON clientExtensionResults; + required DOMString type; }; dictionary AuthenticatorAttestationResponseJSON { - required Base64URLString clientDataJSON; - required Base64URLString authenticatorData; - required sequence<DOMString> transports; + required Base64URLString clientDataJSON; + required Base64URLString authenticatorData; + required sequence<DOMString> transports; // The publicKey field will be missing if pubKeyCredParams was used to - // negotiate a public-key algorithm that the user agent doesn’t + // negotiate a public-key algorithm that the user agent doesn't // understand. (See section “Easily accessing credential data” for a // list of which algorithms user agents must support.) If using such an // algorithm then the public key must be parsed directly from // attestationObject or authenticatorData. - Base64URLString publicKey; - required long long publicKeyAlgorithm; + Base64URLString publicKey; + required long long publicKeyAlgorithm; // This value contains copies of some of the fields above. See // section “Easily accessing credential data”. - required Base64URLString attestationObject; + required Base64URLString attestationObject; }; dictionary AuthenticationResponseJSON { - required Base64URLString id; - required Base64URLString rawId; - required AuthenticatorAssertionResponseJSON response; - DOMString authenticatorAttachment; - required AuthenticationExtensionsClientOutputsJSON clientExtensionResults; - required DOMString type; + required Base64URLString id; + required Base64URLString rawId; + required AuthenticatorAssertionResponseJSON response; + DOMString authenticatorAttachment; + required AuthenticationExtensionsClientOutputsJSON clientExtensionResults; + required DOMString type; }; dictionary AuthenticatorAssertionResponseJSON { - required Base64URLString clientDataJSON; - required Base64URLString authenticatorData; - required Base64URLString signature; - Base64URLString userHandle; - Base64URLString attestationObject; + required Base64URLString clientDataJSON; + required Base64URLString authenticatorData; + required Base64URLString signature; + Base64URLString userHandle; }; dictionary AuthenticationExtensionsClientOutputsJSON { };
    -
    [[type]] +
    [[type]]

    The PublicKeyCredential interface object's [[type]] internal slot's value is the string "public-key".

    Note: This is reflected via the type attribute getter inherited from Credential.

    -
    [[discovery]] +
    [[discovery]]

    The PublicKeyCredential interface object's [[discovery]] internal slot's value is "remote".

    @@ -2545,35 +2606,42 @@

    credential private key wrapped with a symmetric key that is burned into the authenticator.

    [[clientExtensionsResults]]
    -

    This internal slot contains the results of processing client extensions requested by the Relying Party upon the Relying Party's invocation of either navigator.credentials.create() or navigator.credentials.get().

    +

    This internal slot contains the results of processing client extensions requested by the Relying Party upon the Relying Party's invocation of either navigator.credentials.create() or navigator.credentials.get().

    PublicKeyCredential's interface object inherits Credential's implementation of [[CollectFromCredentialStore]](origin, options, sameOriginWithAncestors), and defines its own implementation of each of [[Create]](origin, options, sameOriginWithAncestors), [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors), and [[Store]](credential, sameOriginWithAncestors).

    +

    Calling CredentialsContainer's preventSilentAccess() method +will have no effect on PublicKeyCredential credentials, since they always require user interaction.

    5.1.1. CredentialCreationOptions Dictionary Extension

    To support registration via navigator.credentials.create(), this document extends the CredentialCreationOptions dictionary as follows:

    partial dictionary CredentialCreationOptions {
-    PublicKeyCredentialCreationOptions      publicKey;
+    PublicKeyCredentialCreationOptions      publicKey;
 };

    5.1.2. CredentialRequestOptions Dictionary Extension

    -

    To support obtaining assertions via navigator.credentials.get(), this document extends the CredentialRequestOptions dictionary as follows:

    +

    To support obtaining assertions via navigator.credentials.get(), this document extends the CredentialRequestOptions dictionary as follows:

    partial dictionary CredentialRequestOptions {
-    PublicKeyCredentialRequestOptions      publicKey;
+    PublicKeyCredentialRequestOptions      publicKey;
 };

    5.1.3. Create a New Credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) Method

    - PublicKeyCredential's interface object's implementation of the [[Create]](origin, -options, sameOriginWithAncestors) internal method [CREDENTIAL-MANAGEMENT-1] allows WebAuthn Relying Party scripts to call navigator.credentials.create() to request the creation of a new public key credential source, bound to an authenticator. This navigator.credentials.create() operation can be aborted by leveraging the AbortController; -see DOM § 3.3 Using AbortController and AbortSignal objects in APIs for detailed instructions. + PublicKeyCredential's interface object's implementation of the [[Create]](origin, +options, sameOriginWithAncestors) internal method [CREDENTIAL-MANAGEMENT-1] allows WebAuthn Relying Party scripts to call navigator.credentials.create() to request the creation of a new public key credential source, bound to an authenticator. +

    By setting options.mediation to conditional, Relying Parties can indicate that they would like to register a credential without prominent modal UI if user has already consented to create a credential. The Relying Party SHOULD first check that conditionalCreate is present +in the result of getClientCapabilities() in order to avoid the possibility of causing a user-visible error to be returned if the user agent does +not support conditional user mediation for navigator.credentials.create(). +The client MUST set BOTH requireUserPresence and requireUserVerification to FALSE when options.mediation is set to conditional unless they may explicitly performed during the ceremony.

    +

    Any navigator.credentials.create() operation can be aborted by leveraging the AbortController; +see DOM § 3.3 Using AbortController and AbortSignal objects in APIs for detailed instructions.

    This internal method accepts three arguments:

    origin
    -

    This argument is the relevant settings object's origin, as determined by the -calling create() implementation.

    -
    options +

    This argument is the relevant settings object's origin, as determined by the +calling create() implementation.

    +
    options

    This argument is a CredentialCreationOptions object whose options.publicKey member contains a PublicKeyCredentialCreationOptions object specifying the desired attributes of the to-be-created public key credential.

    sameOriginWithAncestors @@ -2582,7 +2650,7 @@

    Note: Invocation of this internal method indicates that it was allowed by permissions policy, which is evaluated at the [CREDENTIAL-MANAGEMENT-1] level. See § 5.9 Permissions Policy integration.

    -

    Note: This algorithm is synchronous: the Promise resolution/rejection is handled by navigator.credentials.create().

    +

    Note: This algorithm is synchronous: the Promise resolution/rejection is handled by navigator.credentials.create().

    Note: All BufferSource objects used in this algorithm must be snapshotted when the algorithm begins, to avoid potential synchronization issues. The algorithm implementations should get a copy of the bytes held by the buffer source and use that copy for relevant portions of the algorithm.

    @@ -2594,15 +2662,21 @@

    If sameOriginWithAncestors is false:

    1. -

      If the relevant global object, as determined by the calling create() implementation, does not have transient activation:

      +

      If options.mediation is present with the value conditional:

      +
        +
      1. +

        Throw a "NotAllowedError" DOMException

        +
      +
    2. +

      If the relevant global object, as determined by the calling create() implementation, does not have transient activation:

      1. -

        Throw a "NotAllowedError" DOMException.

        +

        Throw a "NotAllowedError" DOMException.

    3. Consume user activation of the relevant global object.

    -

    NOTE: The client SHOULD make it clear to the user in the case where the origin that is creating a credential is different from the top-level origin of the relevant global object (i.e., is a +

    NOTE: The client SHOULD make it clear to the user in the case where the origin that is creating a credential is different from the top-level origin of the relevant global object (i.e., is a different origin than the user can see in the address bar).

  • Let pkOptions be the value of options.publicKey.

    @@ -2615,14 +2689,14 @@

    If the length of pkOptions.user.id is not between 1 and 64 bytes (inclusive) then throw a TypeError.

  • -

    Let callerOrigin be origin. If callerOrigin is an opaque origin, throw a "NotAllowedError" DOMException.

    +

    Let callerOrigin be origin. If callerOrigin is an opaque origin, throw a "NotAllowedError" DOMException.

  • Let effectiveDomain be the callerOrigin’s effective domain. If effective domain is not a valid domain, then throw a -"SecurityError" DOMException.

    -

    Note: An effective domain may resolve to a host, which can be represented in various manners, +"SecurityError" DOMException.

    +

    Note: An effective domain may resolve to a host, which can be represented in various manners, such as domain, ipv4 address, ipv6 address, opaque host, or empty host. - Only the domain format of host is allowed here. This is for simplification and also + Only the domain format of host is allowed here. This is for simplification and also is in recognition of various issues with using direct IP address identification in concert with PKI-based security.

  • @@ -2631,14 +2705,14 @@

    is present
    -

    If pkOptions.rp.id is not a -registrable domain suffix of and is not equal to effectiveDomain, throw a "SecurityError" DOMException.

    +

    If pkOptions.rp.id is not a +registrable domain suffix of and is not equal to effectiveDomain, throw a "SecurityError" DOMException.

    Is not present

    Set pkOptions.rp.id to effectiveDomain.

    • Note: pkOptions.rp.id represents the - caller’s RP ID. The RP ID defaults to being the caller’s origin's effective domain unless the caller has explicitly set pkOptions.rp.id when calling create().

    + caller’s RP ID. The RP ID defaults to being the caller’s origin's effective domain unless the caller has explicitly set pkOptions.rp.id when calling create().

  • Let credTypesAndPubKeyAlgs be a new list whose items are pairs of PublicKeyCredentialType and a COSEAlgorithmIdentifier.

    @@ -2666,7 +2740,7 @@

    Append the pair of current.type and alg to credTypesAndPubKeyAlgs.

    -

    If credTypesAndPubKeyAlgs is empty, throw a "NotSupportedError" DOMException.

    +

    If credTypesAndPubKeyAlgs is empty, throw a "NotSupportedError" DOMException.

  • Let clientExtensions be a new map and let authenticatorExtensions be a new map.

    @@ -2717,6 +2791,15 @@

    Let authenticators represent a value which at any given instant is a set of client platform-specific handles, where each item identifies an authenticator presently available on this client platform at that instant.

    Note: What qualifies an authenticator as "available" is intentionally unspecified; this is meant to represent how authenticators can be hot-plugged into (e.g., via USB) or discovered (e.g., via NFC or Bluetooth) by the client by various mechanisms, or permanently built into the client.

    +
  • +

    If options.mediation is present with the value conditional:

    +
      +
    1. +

      If the user agent has not recently mediated an authentication, the origin of said authentication is not callerOrigin, or the user +does not consent to this type of credential creation, throw a "NotAllowedError" DOMException.

      +

      It is up to the user agent to decide when it believes an authentication ceremony has +been completed. That authentication ceremony MAY be performed via other means than the Web Authentication API.

      +

  • Consider the value of hints and craft the user interface accordingly, as the user-agent sees fit.

  • @@ -2730,7 +2813,7 @@

    For each authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove authenticator from issuedRequests.

    If the user exercises a user agent user-interface option to cancel the process,
    -

    For each authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove authenticator from issuedRequests. Throw a "NotAllowedError" DOMException.

    +

    For each authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove authenticator from issuedRequests. Throw a "NotAllowedError" DOMException.

    If options.signal is present and aborted,

    For each authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove authenticator from issuedRequests. Then throw the options.signal’s abort reason.

    @@ -2797,15 +2880,21 @@

    is set to required
    -

    Let userVerification be true.

    +
      +
    1. +

      If options.mediation is set to conditional and user verification cannot be collected during the ceremony, +throw a ConstraintError DOMException.

      +
    2. +

      Let userVerification be true.

      +
    is set to preferred

    If the authenticator

    -
    is capable of user verification +
    is capable of user verification

    Let userVerification be true.

    -
    is not capable of user verification +
    is not capable of user verification

    Let userVerification be false.

    @@ -2818,7 +2907,7 @@

    is set to enterprise
    -

    Let enterpriseAttestationPossible be true if the user agent wishes to support enterprise attestation for pkOptions.rp.id (see Step 8, above). Otherwise false.

    +

    Let enterpriseAttestationPossible be true if the user agent wishes to support enterprise attestation for pkOptions.rp.id (see step 8, above). Otherwise false.

    otherwise

    Let enterpriseAttestationPossible be false.

    @@ -2846,11 +2935,9 @@

  • Otherwise, Append C to excludeCredentialDescriptorList.

    -
  • - -

    Invoke the authenticatorMakeCredential operation on authenticator with clientDataHash, pkOptions.rp, pkOptions.user, requireResidentKey, userVerification, credTypesAndPubKeyAlgs, excludeCredentialDescriptorList, enterpriseAttestationPossible, attestationFormats, - and authenticatorExtensions as parameters.

    +
  • Invoke the authenticatorMakeCredential operation on authenticator with clientDataHash, pkOptions.rp, pkOptions.user, requireResidentKey, userVerification, credTypesAndPubKeyAlgs, excludeCredentialDescriptorList, enterpriseAttestationPossible, attestationFormats, + and authenticatorExtensions as parameters.

  • Append authenticator to issuedRequests.

    @@ -2875,14 +2962,14 @@

    For each remaining authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove it from issuedRequests.

  • -

    Throw an "InvalidStateError" DOMException.

    +

    Throw an "InvalidStateError" DOMException.

    Note: This error status is handled separately because the authenticator returns it only if excludeCredentialDescriptorList identifies a credential bound to the authenticator and the user has consented to the operation. Given this explicit consent, it is acceptable for this case to be -distinguishable to the Relying Party.

    +distinguishable to the Relying Party.

    If any authenticator returns an error status not equivalent to "InvalidStateError",

    Remove authenticator from issuedRequests.

    -

    Note: This case does not imply user consent for the operation, so details about the error are hidden from the Relying Party in order to prevent leak of potentially identifying information. See § 14.5.1 Registration Ceremony Privacy for +

    Note: This case does not imply user consent for the operation, so details about the error are hidden from the Relying Party in order to prevent leak of potentially identifying information. See § 14.5.1 Registration Ceremony Privacy for details.

    If any authenticator indicates success,
    @@ -2895,7 +2982,7 @@

    attestationObjectResult

    whose value is the bytes returned from the successful authenticatorMakeCredential operation.

    -

    Note: this value is attObj, as defined in § 6.5.5 Generating an Attestation Object.

    +

    Note: this value is attObj, as defined in § 6.5.4 Generating an Attestation Object.

    clientDataJSONResult

    whose value is the bytes of clientDataJSON.

    @@ -2920,12 +3007,12 @@

    If the aaguid in the attested credential data is 16 zero bytes, credentialCreationData.attestationObjectResult.fmt is "packed", and "x5c" is absent from credentialCreationData.attestationObjectResult, then self attestation is being used and no further action is needed.

  • -

    Otherwise

    +

    Otherwise:

    1. -

      Replace the aaguid in the attested credential data with 16 zero bytes.

      +

      Set the value of credentialCreationData.attestationObjectResult.fmt to "none", and set the value of credentialCreationData.attestationObjectResult.attStmt to be an empty CBOR map. (See § 8.7 None Attestation Statement Format and § 6.5.4 Generating an Attestation Object).

    2. -

      Set the value of credentialCreationData.attestationObjectResult.fmt to "none", and set the value of credentialCreationData.attestationObjectResult.attStmt to be an empty CBOR map. (See § 8.7 None Attestation Statement Format and § 6.5.5 Generating an Attestation Object).

      +

      If authenticator is not a platform authenticator then replace the aaguid in the attested credential data with 16 zero bytes.

    indirect @@ -2934,7 +3021,7 @@

    Anonymization CA).

    direct or enterprise
    -

    Convey the authenticator's AAGUID and attestation statement, unaltered, to the Relying Party.

    +

    Convey the authenticator's AAGUID and attestation statement, unaltered, to the Relying Party.

  • Let attestationObject be a new ArrayBuffer, created using global’s %ArrayBuffer%, containing the @@ -2942,7 +3029,7 @@

    Let id be attestationObject.authData.attestedCredentialData.credentialId.

  • -

    Let pubKeyCred be a new PublicKeyCredential object associated with global whose fields are:

    +

    Let pubKeyCred be a new PublicKeyCredential object associated with global whose fields are:

    [[identifier]]
    @@ -2963,9 +3050,9 @@

    [[transports]]

    A sequence of zero or more unique DOMStrings, in lexicographical order, that the authenticator is believed to support. The values SHOULD be members of AuthenticatorTransport, but client platforms MUST ignore unknown values.

    -

    If a user agent does not wish to divulge this information it MAY substitute an arbitrary sequence designed to preserve privacy. This sequence MUST still be valid, i.e. lexicographically sorted and free of duplicates. For example, it may use the empty sequence. Either way, in this case the user agent takes the risk that Relying Party behavior may be suboptimal.

    +

    If a user agent does not wish to divulge this information it MAY substitute an arbitrary sequence designed to preserve privacy. This sequence MUST still be valid, i.e. lexicographically sorted and free of duplicates. For example, it may use the empty sequence. Either way, in this case the user agent takes the risk that Relying Party behavior may be suboptimal.

    If the user agent does not have any transport information, it SHOULD set this field to the empty sequence.

    -

    Note: How user agents discover transports supported by a given authenticator is outside the scope of this specification, but may include information from an attestation certificate (for example [FIDO-Transports-Ext]), metadata communicated in an authenticator protocol such as CTAP2, or special-case knowledge about a platform authenticator.

    +

    Note: How user agents discover transports supported by a given authenticator is outside the scope of this specification, but may include information from an attestation certificate (for example [FIDO-Transports-Ext]), metadata communicated in an authenticator protocol such as CTAP2, or special-case knowledge about a platform authenticator.

    [[clientExtensionsResults]]
    @@ -2981,26 +3068,26 @@

  • -

    Throw a "NotAllowedError" DOMException. In order to prevent information leak that could identify the +

    Throw a "NotAllowedError" DOMException. In order to prevent information leak that could identify the user without consent, this step MUST NOT be executed before lifetimeTimer has expired. See § 14.5.1 Registration Ceremony Privacy for details.

    During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and -authorizing an authenticator.

    +authorizing an authenticator. When options.mediation is set to conditional, prominent modal UI should not be shown unless credential creation was previously consented to via means determined by the user agent.

    • 5.1.4. Use an Existing Credential to Make an Assertion - PublicKeyCredential’s [[Get]](options) Method

    -

    WebAuthn Relying Parties call navigator.credentials.get({publicKey:..., ...}) to -discover and use an existing public key credential, with the user’s consent. Relying Party script optionally specifies some criteria +

    WebAuthn Relying Parties call navigator.credentials.get({publicKey:..., ...}) to +discover and use an existing public key credential, with the user’s consent. Relying Party script optionally specifies some criteria to indicate what public key credential sources are acceptable to it. The client platform locates public key credential sources matching the specified criteria, and guides the user to pick one that the script will be allowed to use. The user may choose to -decline the entire interaction even if a public key credential source is present, for example to maintain privacy. If the user picks a public key credential source, the user agent then uses § 6.3.3 The authenticatorGetAssertion Operation to sign a Relying Party-provided challenge and other collected data into an authentication assertion, which is used as a credential.

    -

    The navigator.credentials.get() implementation [CREDENTIAL-MANAGEMENT-1] calls PublicKeyCredential.[[CollectFromCredentialStore]]() to collect any credentials that -should be available without user mediation (roughly, this specification’s authorization gesture), and if it does not find +decline the entire interaction even if a public key credential source is present, for example to maintain privacy. If the user picks a public key credential source, the user agent then uses § 6.3.3 The authenticatorGetAssertion Operation to sign a Relying Party-provided challenge and other collected data into an authentication assertion, which is used as a credential.

    +

    The navigator.credentials.get() implementation [CREDENTIAL-MANAGEMENT-1] calls PublicKeyCredential.[[CollectFromCredentialStore]]() to collect any credentials that +should be available without user mediation (roughly, this specification’s authorization gesture), and if it does not find exactly one of those, it then calls PublicKeyCredential.[[DiscoverFromExternalSource]]() to have the user select a public key credential source.

    Since this specification requires an authorization gesture to create any assertions, the PublicKeyCredential.[[CollectFromCredentialStore]](origin, options, sameOriginWithAncestors) internal method inherits the default behavior of Credential.[[CollectFromCredentialStore]](), of returning an empty set.

    In general, the user agent SHOULD show some UI to the user to guide them in selecting and authorizing an authenticator with which -to complete the operation. By setting options.mediation to conditional, Relying Parties can indicate that a prominent modal UI should not be shown unless credentials are discovered. Relying Party script SHOULD first check that isConditionalMediationAvailable() returns true in order to avoid -the possibility of causing a user-visible error to be returned if the user agent does not support conditional user mediation.

    -

    This navigator.credentials.get() operation can be aborted by leveraging the AbortController; +to complete the operation. By setting options.mediation to conditional, Relying Parties can indicate that a prominent modal UI should not be shown unless credentials are discovered. Relying Party script SHOULD first check that isConditionalMediationAvailable() returns true in order to avoid +the possibility of causing a user-visible error to be returned if the user agent does not support conditional user mediation.

    +

    This navigator.credentials.get() operation can be aborted by leveraging the AbortController; see DOM § 3.3 Using AbortController and AbortSignal objects in APIs for detailed instructions.

    5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method
    @@ -3008,9 +3095,9 @@
    origin
    -

    This argument is the relevant settings object's origin, as determined by the -calling get() implementation, i.e., CredentialsContainer's Request a Credential abstract operation.

    -
    options +

    This argument is the relevant settings object's origin, as determined by the +calling get() implementation, i.e., CredentialsContainer's Request a Credential abstract operation.

    +
    options

    This argument is a CredentialRequestOptions object whose options.publicKey member contains a PublicKeyCredentialRequestOptions object specifying the desired attributes of the public key credential to discover.

    sameOriginWithAncestors @@ -3019,7 +3106,7 @@
    Note: Invocation of this internal method indicates that it was allowed by permissions policy, which is evaluated at the [CREDENTIAL-MANAGEMENT-1] level. See § 5.9 Permissions Policy integration.

    -

    Note: This algorithm is synchronous: the Promise resolution/rejection is handled by navigator.credentials.get().

    +

    Note: This algorithm is synchronous: the Promise resolution/rejection is handled by navigator.credentials.get().

    Note: All BufferSource objects used in this algorithm must be snapshotted when the algorithm begins, to avoid potential synchronization issues. The algorithm implementations should get a copy of the bytes held by the buffer source and use that copy for relevant portions of the algorithm.

    @@ -3030,13 +3117,13 @@
    publicKey.

  • -

    If options.mediation is present with the value conditional:

    +

    If options.mediation is present with the value conditional:

    1. Let credentialIdFilter be the value of pkOptions.allowCredentials.

    2. Set pkOptions.allowCredentials to empty.

      -

      Note: This prevents non-discoverable credentials from being used during conditional requests.

      +

      Note: This prevents non-discoverable credentials from being used during conditional requests.

    3. Set a timer lifetimeTimer to a value of infinity.

      Note: lifetimeTimer is set to a value of infinity so that the user has the entire lifetime of @@ -3056,14 +3143,14 @@

      origin. If callerOrigin is -an opaque origin, throw a "NotAllowedError" DOMException.

      +an opaque origin, throw a "NotAllowedError" DOMException.

    4. Let effectiveDomain be the callerOrigin’s effective domain. If effective domain is not a valid domain, then throw a -"SecurityError" DOMException.

      -

      Note: An effective domain may resolve to a host, which can be represented in various manners, +"SecurityError" DOMException.

      +

      Note: An effective domain may resolve to a host, which can be represented in various manners, such as domain, ipv4 address, ipv6 address, opaque host, or empty host. - Only the domain format of host is allowed here. This is for simplification and also is + Only the domain format of host is allowed here. This is for simplification and also is in recognition of various issues with using direct IP address identification in concert with PKI-based security.

    5. @@ -3071,11 +3158,11 @@
      rpId is not a registrable domain suffix of and is not -equal to effectiveDomain, throw a "SecurityError" DOMException.

      +

      If pkOptions.rpId is not a registrable domain suffix of and is not +equal to effectiveDomain, throw a "SecurityError" DOMException.

    6. Set rpId to pkOptions.rpId.

      -

      Note: rpId represents the caller’s RP ID. The RP ID defaults to being the caller’s origin's effective domain unless the caller has explicitly set pkOptions.rpId when calling get().

      +

      Note: rpId represents the caller’s RP ID. The RP ID defaults to being the caller’s origin's effective domain unless the caller has explicitly set pkOptions.rpId when calling get().

  • Let clientExtensions be a new map and let authenticatorExtensions be a new map.

    @@ -3143,14 +3230,22 @@
    For each authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove authenticator from issuedRequests.

    If the user exercises a user agent user-interface option to cancel the process,
    -

    For each authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove authenticator from issuedRequests. Throw a "NotAllowedError" DOMException.

    +

    For each authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove authenticator from issuedRequests. Throw a "NotAllowedError" DOMException.

    If options.signal is present and aborted,

    For each authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove authenticator from issuedRequests. Then throw the options.signal’s abort reason.

    -
    If options.mediation is conditional and the user interacts with an input or textarea form control with an autocomplete attribute whose value - contains a "webauthn" autofill detail token, +
    If options.mediation is conditional and the user interacts with an input or textarea form control with an autocomplete attribute whose non-autofill credential type is "webauthn",
    +
    + Note: The "webauthn" autofill detail token must appear immediately after the last autofill detail token of type "Normal" or "Contact". For example: +
      +
    • +

      "username webauthn"

      +
    • +

      "current-password webauthn"

      +
    +

    1. If silentlyDiscoveredCredentials is not empty:

      @@ -3176,17 +3271,17 @@
      mediation is not conditional, issuedRequests is empty, pkOptions.allowCredentials is not empty, +
      If options.mediation is not conditional, issuedRequests is empty, pkOptions.allowCredentials is not empty, and no authenticator will become available for any public key credentials therein,
      -

      Indicate to the user that no eligible credential could be found. When the user acknowledges the dialog, throw a "NotAllowedError" DOMException.

      -

      Note: One way a client platform can determine that no authenticator will become available is by examining the transports members of the present PublicKeyCredentialDescriptor items of pkOptions.allowCredentials, if any. For example, if all PublicKeyCredentialDescriptor items list only internal, but all platform authenticators have been tried, then there is no possibility of satisfying the request. Alternatively, all PublicKeyCredentialDescriptor items may list transports that the client platform does not support.

      +

      Indicate to the user that no eligible credential could be found. When the user acknowledges the dialog, throw a "NotAllowedError" DOMException.

      +

      Note: One way a client platform can determine that no authenticator will become available is by examining the transports members of the present PublicKeyCredentialDescriptor items of pkOptions.allowCredentials, if any. For example, if all PublicKeyCredentialDescriptor items list only internal, but all platform authenticators have been tried, then there is no possibility of satisfying the request. Alternatively, all PublicKeyCredentialDescriptor items may list transports that the client platform does not support.

      If an authenticator becomes available on this client device,

      Note: This includes the case where an authenticator was available upon lifetimeTimer initiation.

      1. -

        If options.mediation is conditional and the authenticator supports the silentCredentialDiscovery operation:

        +

        If options.mediation is conditional and the authenticator supports the silentCredentialDiscovery operation:

        1. Let collectedDiscoveredCredentialMetadata be the result of invoking the silentCredentialDiscovery operation on authenticator with rpId as parameter.

          @@ -3206,7 +3301,7 @@
          issuing a credential request to an authenticator algorithm with authenticator, savedCredentialIds, pkOptions, rpId, clientDataHash, and authenticatorExtensions.

          If this returns false, continue.

          -

          Note: This branch is taken if options.mediation is conditional and the authenticator does not support the silentCredentialDiscovery operation to allow use of such authenticators during a conditional user mediation request.

          +

          Note: This branch is taken if options.mediation is conditional and the authenticator does not support the silentCredentialDiscovery operation to allow use of such authenticators during a conditional user mediation request.

        2. Append authenticator to issuedRequests.

        @@ -3253,10 +3348,6 @@
        authenticator returned a user handle, set the value of userHandleResult to be the bytes of the returned user handle. Otherwise, set the value of userHandleResult to null.

        -
        assertionAttestation -
        -

        If the authenticator returned an attestation, set the value of assertionAttestation to be the bytes of -the attestation statement. Otherwise set it to null.

        clientExtensionResults

        whose value is an AuthenticationExtensionsClientOutputs object containing extension identifierclient extension output entries. The entries are created by running each extension’s client extension processing algorithm to create the client extension outputs, for each client extension in pkOptions.extensions.

        @@ -3269,7 +3360,7 @@
        global object global, and whose steps are:

        1. -

          Let pubKeyCred be a new PublicKeyCredential object associated with global whose fields are:

          +

          Let pubKeyCred be a new PublicKeyCredential object associated with global whose fields are:

          [[identifier]]
          @@ -3294,14 +3385,10 @@
          userHandleResult is null, set this field to null. Otherwise, set this field to a new ArrayBuffer, created using global’s %ArrayBuffer%, containing the bytes of assertionCreationData.userHandleResult.

          -
          attestationObject -
          -

          If assertionCreationData.assertionAttestation is null, set this -field to null. Otherwise, set this field to a new ArrayBuffer, created using global’s %ArrayBuffer%, containing the bytes of assertionCreationData.assertionAttestation.

          [[clientExtensionsResults]]
          -

          A new ArrayBuffer, created using global’s %ArrayBuffer%, containing the bytes of assertionCreationData.clientExtensionResults.

          +

          A new ArrayBuffer, created using global’s %ArrayBuffer%, containing the bytes of assertionCreationData.clientExtensionResults.

        2. Return pubKeyCred.

          @@ -3314,32 +3401,32 @@
          NotAllowedError" DOMException. In order to prevent information leak that could identify the +

          Throw a "NotAllowedError" DOMException. In order to prevent information leak that could identify the user without consent, this step MUST NOT be executed before lifetimeTimer has expired. See § 14.5.2 Authentication Ceremony Privacy for details.

    • 5.1.4.2. Issuing a Credential Request to an Authenticator

    This sub-algorithm of [[DiscoverFromExternalSource]]() encompasses the specific UI context-independent -steps necessary for requesting a credential from a given authenticator, using given PublicKeyCredentialRequestOptions. -It is called by [[DiscoverFromExternalSource]]() from various points depending on which user mediation the present authentication ceremony is subject to (e.g.: conditional mediation).

    +steps necessary for requesting a credential from a given authenticator, using given PublicKeyCredentialRequestOptions. +It is called by [[DiscoverFromExternalSource]]() from various points depending on which user mediation the present authentication ceremony is subject to (e.g.: conditional mediation).

    This algorithm accepts the following arguments:

    -
    authenticator +
    authenticator
    -

    A client platform-specific handle identifying an authenticator presently available on this client platform.

    -
    savedCredentialIds +

    A client platform-specific handle identifying an authenticator presently available on this client platform.

    +
    savedCredentialIds
    -

    A map containing authenticatorcredential ID. This argument will be modified in this algorithm.

    -
    pkOptions +

    A map containing authenticatorcredential ID. This argument will be modified in this algorithm.

    +
    pkOptions

    This argument is a PublicKeyCredentialRequestOptions object specifying the desired attributes of the public key credential to discover.

    -
    rpId +
    rpId

    The request RP ID.

    -
    clientDataHash +
    clientDataHash

    The hash of the serialized client data represented by clientDataJSON.

    -
    authenticatorExtensions +
    authenticatorExtensions

    A map containing extension identifiers to the base64url encoding of the client extension processing output for authenticator extensions.

    @@ -3348,7 +3435,7 @@
    issuing a credential request to an authenticator are as follows:

    1. -

      If pkOptions.userVerification is set to required and the authenticator is not capable of performing user verification, +

      If pkOptions.userVerification is set to required and the authenticator is not capable of performing user verification, return false.

    2. Let userVerification be the effective user verification requirement for assertion, a Boolean value, as @@ -3361,10 +3448,10 @@

      -
      is capable of user verification +
      is capable of user verification

      Let userVerification be true.

      -
      is not capable of user verification +
      is not capable of user verification

      Let userVerification be false.

      @@ -3372,25 +3459,6 @@
      attestation

      -
      -
      is set to enterprise -
      -

      Let enterpriseAttestationPossible be true if the user agent wishes to support enterprise attestation for rpId (see Step 7 of § 5.1.4.1 PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) Method). Otherwise false.

      -
      otherwise -
      -

      Let enterpriseAttestationPossible be false.

      -
      -
    3. -

      Let attestationFormats be a list of strings, initialized to the value of pkOptions.attestationFormats.

      -
    4. -

      If pkOptions.attestation

      -
      -
      is set to none -
      -

      Set attestationFormats be the single-element list containing the string “none”

      -

    5. If pkOptions.allowCredentials

      @@ -3412,7 +3480,7 @@
      here in § 6.3.3 The authenticatorGetAssertion Operation for more information).

    6. For each credential descriptor C in allowCredentialDescriptorList, append each value, if any, of C.transports to distinctTransports.

      -

      Note: This will aggregate only distinct values of transports (for this authenticator) in distinctTransports due to the properties of ordered sets.

      +

      Note: This will aggregate only distinct values of transports (for this authenticator) in distinctTransports due to the properties of ordered sets.

    7. If distinctTransports

      @@ -3421,21 +3489,22 @@
      authenticatorGetAssertion operation on authenticator, with rpId, clientDataHash, allowCredentialDescriptorList, userVerification, enterpriseAttestationPossible, attestationFormats, +

      Then, using transport, invoke the authenticatorGetAssertion operation on authenticator, with rpId, clientDataHash, allowCredentialDescriptorList, userVerification, and authenticatorExtensions as parameters.

      is empty

      Using local configuration knowledge of the appropriate transport to use with authenticator, -invoke the authenticatorGetAssertion operation on authenticator with rpId, clientDataHash, allowCredentialDescriptorList, userVerification, enterpriseAttestationPossible, attestationFormats, and authenticatorExtensions as parameters.

      +invoke the authenticatorGetAssertion operation on authenticator with rpId, clientDataHash, allowCredentialDescriptorList, userVerification, +and authenticatorExtensions as parameters.

    is empty
    -

    Using local configuration knowledge of the appropriate transport to use with authenticator, invoke the authenticatorGetAssertion operation on authenticator with rpId, clientDataHash, userVerification, enterpriseAttestationPossible, attestationFormats, +

    Using local configuration knowledge of the appropriate transport to use with authenticator, invoke the authenticatorGetAssertion operation on authenticator with rpId, clientDataHash, userVerification, and authenticatorExtensions as parameters.

    -

    Note: In this case, the Relying Party did not supply a list of acceptable credential descriptors. Thus, the +

    Note: In this case, the Relying Party did not supply a list of acceptable credential descriptors. Thus, the authenticator is being asked to exercise any credential it may possess that is scoped to - the Relying Party, as identified by rpId.

    + the Relying Party, as identified by rpId.

  • Return true.

    @@ -3443,161 +3512,158 @@
    5.1.5. Store an Existing Credential - PublicKeyCredential’s [[Store]](credential, sameOriginWithAncestors) Method

    The [[Store]](credential, sameOriginWithAncestors) method is not supported -for Web Authentication’s PublicKeyCredential type, +for Web Authentication’s PublicKeyCredential type, so its implementation of the [[Store]](credential, sameOriginWithAncestors) internal method always throws an error.

    Note: This algorithm is synchronous; the Promise resolution/rejection is handled by navigator.credentials.store().

    This internal method accepts two arguments:

    -
    credential +
    credential
    -

    This argument is a PublicKeyCredential object.

    -
    sameOriginWithAncestors +

    This argument is a PublicKeyCredential object.

    +
    sameOriginWithAncestors

    This argument is a Boolean value which is true if and only if the caller’s environment settings object is same-origin with its ancestors.

    When this method is invoked, the user agent MUST execute the following algorithm:

    1. -

      Throw a "NotSupportedError" DOMException.

      +

      Throw a "NotSupportedError" DOMException.

    -

    5.1.6. Preventing Silent Access to an Existing Credential - PublicKeyCredential’s [[preventSilentAccess]](credential, sameOriginWithAncestors) Method

    -
    -

    Calling the [[preventSilentAccess]](credential, sameOriginWithAncestors) method -will have no effect on authenticators that require an authorization gesture, -but setting that flag may potentially exclude authenticators that can operate without user intervention.

    -

    This internal method accepts no arguments.

    -
    -

    5.1.7. Availability of User-Verifying Platform Authenticator - PublicKeyCredential’s isUserVerifyingPlatformAuthenticatorAvailable() Method

    +

    5.1.6. Availability of User-Verifying Platform Authenticator - PublicKeyCredential’s isUserVerifyingPlatformAuthenticatorAvailable() Method

    WebAuthn Relying Parties use this method to determine whether they can create a new credential using a user-verifying platform authenticator. Upon invocation, the client employs a client platform-specific procedure to discover available user-verifying platform authenticators. If any are discovered, the promise is resolved with the value of true. Otherwise, the promise is resolved with the value of false. -Based on the result, the Relying Party can take further actions to guide the user to create a credential.

    +Based on the result, the Relying Party can take further actions to guide the user to create a credential.

    This method has no arguments and returns a Boolean value.

    -
    partial interface PublicKeyCredential {
+
    partial interface PublicKeyCredential {
     static Promise<boolean> isUserVerifyingPlatformAuthenticatorAvailable();
 };
 
    
-    
    Note: Invoking this method from a browsing context where the Web Authentication API is "disabled" according to the allowed to use algorithm—i.e., by a permissions policy—will result in the promise being rejected with a DOMException whose name is "NotAllowedError". See also § 5.9 Permissions Policy integration.
    
+    
    Note: Invoking this method from a browsing context where the Web Authentication API is "disabled" according to the allowed to use algorithm—i.e., by a permissions policy—will result in the promise being rejected with a DOMException whose name is "NotAllowedError". See also § 5.9 Permissions Policy integration.
    -

    5.1.8. Availability of a passkey platform authenticator - PublicKeyCredential’s isPasskeyPlatformAuthenticatorAvailable() Method

    -
    -

    WebAuthn Relying Parties use this method to determine whether they can create a new passkey using a user-verifying platform authenticator or a hybrid authenticator. -Upon invocation, the client employs a client platform-specific procedure to discover available user-verifying platform authenticators and the -availability of hybrid transport. -If one or both are discovered, the promise is resolved with the value of true. -If neither is discovered, the promise is resolved with the value of false. -Based on the result, the Relying Party can take further actions to guide the user to create a passkey.

    -

    This method has no arguments and returns a Boolean value.

    -
    partial interface PublicKeyCredential {
-    static Promise<boolean> isPasskeyPlatformAuthenticatorAvailable();
+   
    5.1.7. Availability of client capabilities - PublicKeyCredential’s getClientCapabilities() Method
    
+   
    
+    
    WebAuthn Relying Parties use this method to determine the availability of a limited set of client capabilities to offer certain workflows and experiences to users. For example, an RP may offer a sign in button on clients where only hybrid transport is available or where conditional mediation is unavailable (instead of showing a username field).
    
+    
    Upon invocation, the client employs a client platform-specific procedure to discover availablity of these capabilities.
    
+    
    This method has no arguments and returns a record of capability keys to Boolean values.
    
+
    partial interface PublicKeyCredential {
+    static Promise<PublicKeyCredentialClientCapabilities> getClientCapabilities();
 };
+
+typedef record<DOMString, boolean> PublicKeyCredentialClientCapabilities;
 
    
-    
    Note: Invoking this method from a browsing context where the Web Authentication API is "disabled" according to the allowed to use algorithm—i.e., by a permissions policy—will result in the promise being rejected with a DOMException whose name is "NotAllowedError". See also § 5.9 Permissions Policy integration.
    
+    
    Keys in PublicKeyCredentialClientCapabilities MUST be sorted in ascending lexicographical order.
+The set of keys SHOULD contain the set of enumeration values of ClientCapability,
+but the client MAY omit keys as it deems necessary; see § 14.5.4 Disclosing Client Capabilities.
    
+    
    When the value for a given capability is true, the feature is known to be currently supported by the client.
+When the value for a given capability is false, the feature is known to be not currently supported by the client.
+When a capability does not exist as a key, the availability of the client feature is not known.
    
+    
    The set of keys SHOULD also contain a key for each extension implemented by the client, where the key is formed by prefixing the string extension: to the extension identifier. The associated value for each implemented extension SHOULD be true. If getClientCapabilities() is supported by a client, but an extension is not mapped to the value true, then a Relying Party MAY assume that client processing steps for that extension will not be carried out by this client and that the extension MAY not be forwarded to the authenticator.
    
+    
    Note: Even if an extension is mapped to true, the authenticator used for any given operation may not support that extension, so Relying Parties MUST NOT assume that the authenticator processing steps for that extension will be performed on that basis.
    
+    
    Note: Invoking this method from a browsing context where the Web Authentication API is "disabled" according to the allowed to use algorithm—i.e., by a permissions policy—will result in the promise being rejected with a DOMException whose name is "NotAllowedError". See also § 5.9 Permissions Policy integration.
    
    
    
-   
    5.1.9. Deserialize Registration ceremony options - PublicKeyCredential’s parseCreationOptionsFromJSON() Method
    
+   
    5.1.8. Deserialize Registration ceremony options - PublicKeyCredential’s parseCreationOptionsFromJSON() Method
    
    
    
-    
    WebAuthn Relying Parties use this method to convert JSON type representations of options for navigator.credentials.create() into PublicKeyCredentialCreationOptions.
    
-    
    Upon invocation, the client MUST convert the options argument into a new,
-identically-structured PublicKeyCredentialCreationOptions object, using base64url encoding to decode any DOMString attributes in PublicKeyCredentialCreationOptionsJSON that correspond
+    
    WebAuthn Relying Parties use this method to convert JSON type representations of options for navigator.credentials.create() into PublicKeyCredentialCreationOptions.
    
+    
    Upon invocation, the client MUST convert the options argument into a new,
+identically-structured PublicKeyCredentialCreationOptions object, using base64url encoding to decode any DOMString attributes in PublicKeyCredentialCreationOptionsJSON that correspond
 to buffer source type attributes in PublicKeyCredentialCreationOptions. This conversion MUST
-also apply to any client extension inputs processed by the client.
    
+also apply to any client extension inputs processed by the client.
    
     
    AuthenticationExtensionsClientInputsJSON MAY include extensions registered in the IANA
 "WebAuthn Extension Identifiers" registry [IANA-WebAuthn-Registries] but not defined in § 9 WebAuthn Extensions.
    
-    
    If the client encounters any issues parsing any of the JSON type representations then it
-MUST throw an "EncodingError" DOMException with a description of the incompatible
+    
    If the client encounters any issues parsing any of the JSON type representations then it
+MUST throw an "EncodingError" DOMException with a description of the incompatible
 value and terminate the operation.
    
-
    partial interface PublicKeyCredential {
-    static PublicKeyCredentialCreationOptions parseCreationOptionsFromJSON(PublicKeyCredentialCreationOptionsJSON options);
+
    partial interface PublicKeyCredential {
+    static PublicKeyCredentialCreationOptions parseCreationOptionsFromJSON(PublicKeyCredentialCreationOptionsJSON options);
 };
 
 dictionary PublicKeyCredentialCreationOptionsJSON {
-    required PublicKeyCredentialRpEntity                    rp;
-    required PublicKeyCredentialUserEntityJSON              user;
-    required Base64URLString                                challenge;
-    required sequence<PublicKeyCredentialParameters>        pubKeyCredParams;
-    unsigned long                                           timeout;
-    sequence<PublicKeyCredentialDescriptorJSON>             excludeCredentials = [];
-    AuthenticatorSelectionCriteria                          authenticatorSelection;
-    sequence<DOMString>                                     hints = [];
-    DOMString                                               attestation = "none";
-    sequence<DOMString>                                     attestationFormats = [];
-    AuthenticationExtensionsClientInputsJSON                extensions;
+    required PublicKeyCredentialRpEntity                    rp;
+    required PublicKeyCredentialUserEntityJSON              user;
+    required Base64URLString                                challenge;
+    required sequence<PublicKeyCredentialParameters>        pubKeyCredParams;
+    unsigned long                                           timeout;
+    sequence<PublicKeyCredentialDescriptorJSON>             excludeCredentials = [];
+    AuthenticatorSelectionCriteria                          authenticatorSelection;
+    sequence<DOMString>                                     hints = [];
+    DOMString                                               attestation = "none";
+    sequence<DOMString>                                     attestationFormats = [];
+    AuthenticationExtensionsClientInputsJSON                extensions;
 };
 
 dictionary PublicKeyCredentialUserEntityJSON {
-    required Base64URLString        id;
-    required DOMString              name;
-    required DOMString              displayName;
+    required Base64URLString        id;
+    required DOMString              name;
+    required DOMString              displayName;
 };
 
 dictionary PublicKeyCredentialDescriptorJSON {
-    required Base64URLString        id;
-    required DOMString              type;
-    sequence<DOMString>             transports;
+    required Base64URLString        id;
+    required DOMString              type;
+    sequence<DOMString>             transports;
 };
 
 dictionary AuthenticationExtensionsClientInputsJSON {
 };
 
    
    
    
-   
    5.1.10. Deserialize Authentication ceremony options - PublicKeyCredential’s parseRequestOptionsFromJSON() Methods
    
+   
    5.1.9. Deserialize Authentication ceremony options - PublicKeyCredential’s parseRequestOptionsFromJSON() Methods
    
    
    
-    
    WebAuthn Relying Parties use this method to convert JSON type representations of options for navigator.credentials.get() into PublicKeyCredentialRequestOptions.
    
-    
    Upon invocation, the client MUST convert the options argument into a new,
-identically-structured PublicKeyCredentialRequestOptions object, using base64url encoding to decode any DOMString attributes in PublicKeyCredentialRequestOptionsJSON that correspond
+    
    WebAuthn Relying Parties use this method to convert JSON type representations of options for navigator.credentials.get() into PublicKeyCredentialRequestOptions.
    
+    
    Upon invocation, the client MUST convert the options argument into a new,
+identically-structured PublicKeyCredentialRequestOptions object, using base64url encoding to decode any DOMString attributes in PublicKeyCredentialRequestOptionsJSON that correspond
 to buffer source type attributes in PublicKeyCredentialRequestOptions. This conversion MUST
-also apply to any client extension inputs processed by the client.
    
+also apply to any client extension inputs processed by the client.
    
     
    AuthenticationExtensionsClientInputsJSON MAY include extensions registered in the IANA
 "WebAuthn Extension Identifiers" registry [IANA-WebAuthn-Registries] but not defined in § 9 WebAuthn Extensions.
    
-    
    If the client encounters any issues parsing any of the JSON type representations then it
-MUST throw an "EncodingError" DOMException with a description of the incompatible
+    
    If the client encounters any issues parsing any of the JSON type representations then it
+MUST throw an "EncodingError" DOMException with a description of the incompatible
 value and terminate the operation.
    
-
    partial interface PublicKeyCredential {
-    static PublicKeyCredentialRequestOptions parseRequestOptionsFromJSON(PublicKeyCredentialRequestOptionsJSON options);
+
    partial interface PublicKeyCredential {
+    static PublicKeyCredentialRequestOptions parseRequestOptionsFromJSON(PublicKeyCredentialRequestOptionsJSON options);
 };
 
 dictionary PublicKeyCredentialRequestOptionsJSON {
-    required Base64URLString                                challenge;
-    unsigned long                                           timeout;
-    DOMString                                               rpId;
-    sequence<PublicKeyCredentialDescriptorJSON>             allowCredentials = [];
-    DOMString                                               userVerification = "preferred";
-    sequence<DOMString>                                     hints = [];
-    DOMString                                               attestation = "none";
-    sequence<DOMString>                                     attestationFormats = [];
-    AuthenticationExtensionsClientInputsJSON                extensions;
+    required Base64URLString                                challenge;
+    unsigned long                                           timeout;
+    DOMString                                               rpId;
+    sequence<PublicKeyCredentialDescriptorJSON>             allowCredentials = [];
+    DOMString                                               userVerification = "preferred";
+    sequence<DOMString>                                     hints = [];
+    AuthenticationExtensionsClientInputsJSON                extensions;
 };
 
    
    
    
    
    5.2. Authenticator Responses (interface AuthenticatorResponse)
    
-   
    Authenticators respond to Relying Party requests by returning an object derived from the AuthenticatorResponse interface:
    
+   
    Authenticators respond to Relying Party requests by returning an object derived from the AuthenticatorResponse interface:
    
 
    [SecureContext, Exposed=Window]
 interface AuthenticatorResponse {
-    [SameObject] readonly attribute ArrayBuffer      clientDataJSON;
+    [SameObject] readonly attribute ArrayBuffer      clientDataJSON;
 };
 
    
    
    
     
    
-     
    clientDataJSON,  of type ArrayBuffer, readonly
+     
    clientDataJSON,  of type ArrayBuffer, readonly
      
    
       
    This attribute contains a JSON-compatible serialization of the client data, the hash of which is passed to the
-authenticator by the client in its call to either create() or get() (i.e., the client data itself is not sent to the authenticator).
    
+authenticator by the client in its call to either create() or get() (i.e., the client data itself is not sent to the authenticator).
    
     
    
    
    
    
    5.2.1. Information About Public Key Credential (interface AuthenticatorAttestationResponse)
    
-   
    The AuthenticatorAttestationResponse interface represents the authenticator's response to a client’s request
+   
    The AuthenticatorAttestationResponse interface represents the authenticator's response to a client’s request
 for the creation of a new public key credential. It contains information about the new credential that can be used to
 identify it for later use, and metadata that can be used by the WebAuthn Relying Party to assess the characteristics of the credential
 during registration.
    
 
    [SecureContext, Exposed=Window]
 interface AuthenticatorAttestationResponse : AuthenticatorResponse {
-    [SameObject] readonly attribute ArrayBuffer      attestationObject;
-    sequence<DOMString>                              getTransports();
-    ArrayBuffer                                      getAuthenticatorData();
-    ArrayBuffer?                                     getPublicKey();
+    [SameObject] readonly attribute ArrayBuffer      attestationObject;
+    sequence<DOMString>                              getTransports();
+    ArrayBuffer                                      getAuthenticatorData();
+    ArrayBuffer?                                     getPublicKey();
     COSEAlgorithmIdentifier                          getPublicKeyAlgorithm();
 };
 
    
@@ -3608,12 +3674,12 @@ 
    AuthenticatorResponse, contains the JSON-compatible serialization of client data (see § 6.5 Attestation) passed to the authenticator by the client in order to generate this credential. The
 exact JSON serialization MUST be preserved, as the hash of the serialized client data has been computed
 over it.
    
-     
    attestationObject,  of type ArrayBuffer, readonly
+     
    attestationObject,  of type ArrayBuffer, readonly
      
    
       
    This attribute contains an attestation object, which is opaque to, and cryptographically protected against
-tampering by, the client. The attestation object contains both authenticator data and an attestation
+tampering by, the client. The attestation object contains both authenticator data and an attestation
 statement. The former contains the AAGUID, a unique credential ID, and the credential public key. The
-contents of the attestation statement are determined by the attestation statement format used by the authenticator. It also contains any additional information that the Relying Party's server requires to validate the attestation statement, as well as to decode and validate the authenticator data along with the JSON-compatible serialization of client data. For more details, see § 6.5 Attestation, § 6.5.5 Generating an Attestation Object,
+contents of the attestation statement are determined by the attestation statement format used by the authenticator. It also contains any additional information that the Relying Party's server requires to validate the attestation statement, as well as to decode and validate the authenticator data along with the JSON-compatible serialization of client data. For more details, see § 6.5 Attestation, § 6.5.4 Generating an Attestation Object,
 and Figure 6.
    
      
    getTransports()
      
    
@@ -3629,13 +3695,13 @@ 
    COSEAlgorithmIdentifier of the new credential. See § 5.2.1.1 Easily accessing credential data.
    
      
    [[transports]]
      
    
-      
    This internal slot contains a sequence of zero or more unique DOMStrings in lexicographical order. These values are the transports that the authenticator is believed to support, or an empty sequence if the information is unavailable. The values SHOULD be members of AuthenticatorTransport but Relying Parties SHOULD accept and store unknown values.
    
+      
    This internal slot contains a sequence of zero or more unique DOMStrings in lexicographical order. These values are the transports that the authenticator is believed to support, or an empty sequence if the information is unavailable. The values SHOULD be members of AuthenticatorTransport but Relying Parties SHOULD accept and store unknown values.
    5.2.1.1. Easily accessing credential data
    -

    Every user of the [[Create]](origin, options, sameOriginWithAncestors) method will need to parse and store the returned credential public key in order to verify future authentication assertions. However, the credential public key is in COSE format [RFC9052], inside the credentialPublicKey member of the attestedCredentialData, inside the authenticator data, inside the attestation object conveyed by AuthenticatorAttestationResponse.attestationObject. Relying Parties wishing to use attestation are obliged to do the work of parsing the attestationObject and obtaining the credential public key because that public key copy is the one the authenticator signed. However, many valid WebAuthn use cases do not require attestation. For those uses, user agents can do the work of parsing, expose the authenticator data directly, and translate the credential public key into a more convenient format.

    -

    The getPublicKey() operation thus returns the credential public key as a SubjectPublicKeyInfo. This ArrayBuffer can, for example, be passed to Java’s java.security.spec.X509EncodedKeySpec, .NET’s System.Security.Cryptography.ECDsa.ImportSubjectPublicKeyInfo, or Go’s crypto/x509.ParsePKIXPublicKey.

    -

    Use of getPublicKey() does impose some limitations: by using pubKeyCredParams, a Relying Party can negotiate with the authenticator to use public key algorithms that the user agent may not understand. However, if the Relying Party does so, the user agent will not be able to translate the resulting credential public key into SubjectPublicKeyInfo format and the return value of getPublicKey() will be null.

    +

    Every user of the [[Create]](origin, options, sameOriginWithAncestors) method will need to parse and store the returned credential public key in order to verify future authentication assertions. However, the credential public key is in COSE format [RFC9052], inside the credentialPublicKey member of the attestedCredentialData, inside the authenticator data, inside the attestation object conveyed by AuthenticatorAttestationResponse.attestationObject. Relying Parties wishing to use attestation are obliged to do the work of parsing the attestationObject and obtaining the credential public key because that public key copy is the one the authenticator signed. However, many valid WebAuthn use cases do not require attestation. For those uses, user agents can do the work of parsing, expose the authenticator data directly, and translate the credential public key into a more convenient format.

    +

    The getPublicKey() operation thus returns the credential public key as a SubjectPublicKeyInfo. This ArrayBuffer can, for example, be passed to Java’s java.security.spec.X509EncodedKeySpec, .NET’s System.Security.Cryptography.ECDsa.ImportSubjectPublicKeyInfo, or Go’s crypto/x509.ParsePKIXPublicKey.

    +

    Use of getPublicKey() does impose some limitations: by using pubKeyCredParams, a Relying Party can negotiate with the authenticator to use public key algorithms that the user agent may not understand. However, if the Relying Party does so, the user agent will not be able to translate the resulting credential public key into SubjectPublicKeyInfo format and the return value of getPublicKey() will be null.

    User agents MUST be able to return a non-null value for getPublicKey() when the credential public key has a COSEAlgorithmIdentifier value of:

    • @@ -3646,19 +3712,18 @@
      -8 (EdDSA), where crv is 6 (Ed25519).

    A SubjectPublicKeyInfo does not include information about the signing algorithm (for example, which hash function to use) that is included in the COSE public key. To provide this, getPublicKeyAlgorithm() returns the COSEAlgorithmIdentifier for the credential public key.

    -

    To remove the need to parse CBOR at all in many cases, getAuthenticatorData() returns the authenticator data from attestationObject. The authenticator data contains other fields that are encoded in a binary format. However, helper functions are not provided to access them because Relying Parties already need to extract those fields when getting an assertion. In contrast to credential creation, where signature verification is optional, Relying Parties should always be verifying signatures from an assertion and thus must extract fields from the signed authenticator data. The same functions used there will also serve during credential creation.

    -

    Note: getPublicKey() and getAuthenticatorData() were only added in level two of this spec. Relying Parties SHOULD use feature detection before using these functions by testing the value of 'getPublicKey' in AuthenticatorAttestationResponse.prototype. Relying Parties that require this function to exist may not interoperate with older user-agents.

    +

    To remove the need to parse CBOR at all in many cases, getAuthenticatorData() returns the authenticator data from attestationObject. The authenticator data contains other fields that are encoded in a binary format. However, helper functions are not provided to access them because Relying Parties already need to extract those fields when getting an assertion. In contrast to credential creation, where signature verification is optional, Relying Parties should always be verifying signatures from an assertion and thus must extract fields from the signed authenticator data. The same functions used there will also serve during credential creation.

    +

    Note: getPublicKey() and getAuthenticatorData() were only added in level two of this spec. Relying Parties SHOULD use feature detection before using these functions by testing the value of 'getPublicKey' in AuthenticatorAttestationResponse.prototype. Relying Parties that require this function to exist may not interoperate with older user-agents.

    5.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse)

    -

    The AuthenticatorAssertionResponse interface represents an authenticator's response to a client’s request for +

    The AuthenticatorAssertionResponse interface represents an authenticator's response to a client’s request for generation of a new authentication assertion given the WebAuthn Relying Party's challenge and OPTIONAL list of credentials it is aware of. This response contains a cryptographic signature proving possession of the credential private key, and optionally evidence of user consent to a specific transaction.

    [SecureContext, Exposed=Window]
 interface AuthenticatorAssertionResponse : AuthenticatorResponse {
-    [SameObject] readonly attribute ArrayBuffer      authenticatorData;
-    [SameObject] readonly attribute ArrayBuffer      signature;
-    [SameObject] readonly attribute ArrayBuffer?     userHandle;
-    [SameObject] readonly attribute ArrayBuffer?     attestationObject;
+    [SameObject] readonly attribute ArrayBuffer      authenticatorData;
+    [SameObject] readonly attribute ArrayBuffer      signature;
+    [SameObject] readonly attribute ArrayBuffer?     userHandle;
 };
    @@ -3668,32 +3733,29 @@

    AuthenticatorResponse, contains the JSON-compatible serialization of client data (see § 5.8.1 Client Data Used in WebAuthn Signatures (dictionary CollectedClientData)) passed to the authenticator by the client in order to generate this assertion. The exact JSON serialization MUST be preserved, as the hash of the serialized client data has been computed over it.

    -
    authenticatorData, of type ArrayBuffer, readonly +
    authenticatorData, of type ArrayBuffer, readonly

    This attribute contains the authenticator data returned by the authenticator. See § 6.1 Authenticator Data.

    -
    signature, of type ArrayBuffer, readonly +
    signature, of type ArrayBuffer, readonly

    This attribute contains the raw signature returned from the authenticator. See § 6.3.3 The authenticatorGetAssertion Operation.

    -
    userHandle, of type ArrayBuffer, readonly, nullable +
    userHandle, of type ArrayBuffer, readonly, nullable

    This attribute contains the user handle returned from the authenticator, or null if the authenticator did not return a user handle. See § 6.3.3 The authenticatorGetAssertion Operation. The authenticator MUST always return a user handle if the allowCredentials option used in the authentication ceremony is empty, and MAY return one otherwise.

    -
    attestationObject, of type ArrayBuffer, readonly, nullable -
    -

    This OPTIONAL attribute contains an attestation object, if the authenticator supports attestation in assertions. The attestation object, if present, includes an attestation statement. Unlike the attestationObject in an AuthenticatorAttestationResponse, it does not contain an authData key because the authenticator data is provided directly in an AuthenticatorAssertionResponse structure. For more details on attestation, see § 6.5 Attestation, § 6.5.1 Attestation in assertions, § 6.5.5 Generating an Attestation Object, and Figure 6.

    5.3. Parameters for Credential Generation (dictionary PublicKeyCredentialParameters)

    dictionary PublicKeyCredentialParameters {
-    required DOMString                    type;
-    required COSEAlgorithmIdentifier      alg;
+    required DOMString                    type;
+    required COSEAlgorithmIdentifier      alg;
 };
    This dictionary is used to supply additional parameters when creating a new credential.
    -
    type, of type DOMString +
    type, of type DOMString

    This member specifies the type of credential to be created. The value SHOULD be a member of PublicKeyCredentialType but client platforms MUST ignore unknown values, ignoring any PublicKeyCredentialParameters with an unknown type.

    alg, of type COSEAlgorithmIdentifier @@ -3706,49 +3768,49 @@

    <

    5.4. Options for Credential Creation (dictionary PublicKeyCredentialCreationOptions)

    dictionary PublicKeyCredentialCreationOptions {
-    required PublicKeyCredentialRpEntity         rp;
-    required PublicKeyCredentialUserEntity       user;
-
-    required BufferSource                             challenge;
-    required sequence<PublicKeyCredentialParameters>  pubKeyCredParams;
-
-    unsigned long                                timeout;
-    sequence<PublicKeyCredentialDescriptor>      excludeCredentials = [];
-    AuthenticatorSelectionCriteria               authenticatorSelection;
-    sequence<DOMString>                          hints = [];
-    DOMString                                    attestation = "none";
-    sequence<DOMString>                          attestationFormats = [];
-    AuthenticationExtensionsClientInputs         extensions;
+    required PublicKeyCredentialRpEntity         rp;
+    required PublicKeyCredentialUserEntity       user;
+
+    required BufferSource                             challenge;
+    required sequence<PublicKeyCredentialParameters>  pubKeyCredParams;
+
+    unsigned long                                timeout;
+    sequence<PublicKeyCredentialDescriptor>      excludeCredentials = [];
+    AuthenticatorSelectionCriteria               authenticatorSelection;
+    sequence<DOMString>                          hints = [];
+    DOMString                                    attestation = "none";
+    sequence<DOMString>                          attestationFormats = [];
+    AuthenticationExtensionsClientInputs         extensions;
 };
    rp, of type PublicKeyCredentialRpEntity
    -

    This member contains a name and an identifier for the Relying Party responsible for the request.

    +

    This member contains a name and an identifier for the Relying Party responsible for the request.

    Its value’s name member is REQUIRED. See § 5.4.1 Public Key Entity Description (dictionary PublicKeyCredentialEntity) for further details.

    Its value’s id member specifies the RP ID the credential -should be scoped to. If omitted, its value will be the CredentialsContainer object’s relevant +should be scoped to. If omitted, its value will be the CredentialsContainer object’s relevant settings object's origin's effective domain. See § 5.4.2 Relying Party Parameters for Credential Generation (dictionary PublicKeyCredentialRpEntity) for further details.

    user, of type PublicKeyCredentialUserEntity

    This member contains names and an identifier for the user account performing the registration.

    Its value’s name, displayName and id members are REQUIRED. id can be returned as the userHandle in some future authentication ceremonies, -and is used to overwrite existing discoverable credentials that have the same rp.id and user.id on the same authenticator. name and displayName MAY be used by the authenticator and client in future authentication ceremonies to help the user select a credential, but are not returned to the Relying Party as a result of future authentication ceremonies

    +and is used to overwrite existing discoverable credentials that have the same rp.id and user.id on the same authenticator. name and displayName MAY be used by the authenticator and client in future authentication ceremonies to help the user select a credential, but are not returned to the Relying Party as a result of future authentication ceremonies

    For further details, see § 5.4.1 Public Key Entity Description (dictionary PublicKeyCredentialEntity) and § 5.4.3 User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity).

    challenge, of type BufferSource
    -

    This member specifies a challenge that the authenticator signs, along with other data, -when producing an attestation object for the newly created credential. +

    This member specifies a challenge that the authenticator signs, along with other data, +when producing an attestation object for the newly created credential. See the § 13.4.3 Cryptographic Challenges security consideration.

    pubKeyCredParams, of type sequence<PublicKeyCredentialParameters>
    -

    This member lists the key types and signature algorithms the Relying Party supports, +

    This member lists the key types and signature algorithms the Relying Party supports, ordered from most preferred to least preferred. -The client and authenticator make a best-effort to create a credential of the most preferred type possible. -If none of the listed types can be created, the create() operation fails.

    -

    Relying Parties that wish to support a wide range of authenticators SHOULD include at least the following COSEAlgorithmIdentifier values:

    +The client and authenticator make a best-effort to create a credential of the most preferred type possible. +If none of the listed types can be created, the create() operation fails.

    +

    Relying Parties that wish to support a wide range of authenticators SHOULD include at least the following COSEAlgorithmIdentifier values:

    5.4.4. Authenticator Selection Criteria (dictionary AuthenticatorSelectionCriteria)

    WebAuthn Relying Parties may use the AuthenticatorSelectionCriteria dictionary to specify their requirements regarding authenticator attributes.

    dictionary AuthenticatorSelectionCriteria {
-    DOMString                    authenticatorAttachment;
-    DOMString                    residentKey;
-    boolean                      requireResidentKey = false;
-    DOMString                    userVerification = "preferred";
+    DOMString                    authenticatorAttachment;
+    DOMString                    residentKey;
+    boolean                      requireResidentKey = false;
+    DOMString                    userVerification = "preferred";
 };
    -
    authenticatorAttachment, of type DOMString +
    authenticatorAttachment, of type DOMString
    -

    If this member is present, eligible authenticators are filtered to be only those authenticators attached with the specified authenticator attachment modality (see also § 6.2.1 Authenticator Attachment Modality). +

    If this member is present, eligible authenticators are filtered to be only those authenticators attached with the specified authenticator attachment modality (see also § 6.2.1 Authenticator Attachment Modality). If this member is absent, then any attachment modality is acceptable. The value SHOULD be a member of AuthenticatorAttachment but client platforms MUST ignore unknown values, -treating an unknown value as if the member does not exist.

    -

    See also the authenticatorAttachment member of PublicKeyCredential, +treating an unknown value as if the member does not exist.

    +

    See also the authenticatorAttachment member of PublicKeyCredential, which can tell what authenticator attachment modality was used -in a successful create() or get() operation.

    -
    residentKey, of type DOMString +in a successful create() or get() operation.

    +
    residentKey, of type DOMString
    -

    Specifies the extent to which the Relying Party desires to create a client-side discoverable credential. For historical reasons the naming retains the deprecated “resident” terminology. The value SHOULD be a member of ResidentKeyRequirement but client platforms MUST ignore unknown values, treating an unknown value as if the member does not exist. If no value is given then the effective value is required if requireResidentKey is true or discouraged if it is false or absent.

    +

    Specifies the extent to which the Relying Party desires to create a client-side discoverable credential. For historical reasons the naming retains the deprecated “resident” terminology. The value SHOULD be a member of ResidentKeyRequirement but client platforms MUST ignore unknown values, treating an unknown value as if the member does not exist. If no value is given then the effective value is required if requireResidentKey is true or discouraged if it is false or absent.

    See ResidentKeyRequirement for the description of residentKey's values and semantics.

    requireResidentKey, of type boolean, defaulting to false
    -

    This member is retained for backwards compatibility with WebAuthn Level 1 and, for historical reasons, its naming retains the deprecated “resident” terminology for discoverable credentials. Relying Parties SHOULD set it to true if, and only if, residentKey is set to required.

    -
    userVerification, of type DOMString, defaulting to "preferred" +

    This member is retained for backwards compatibility with WebAuthn Level 1 and, for historical reasons, its naming retains the deprecated “resident” terminology for discoverable credentials. Relying Parties SHOULD set it to true if, and only if, residentKey is set to required.

    +
    userVerification, of type DOMString, defaulting to "preferred"
    -

    This member specifies the Relying Party's requirements regarding user verification for the create() operation. -The value SHOULD be a member of UserVerificationRequirement but client platforms MUST ignore unknown values, treating an unknown value as if the member does not exist.

    +

    This member specifies the Relying Party's requirements regarding user verification for the create() operation. +The value SHOULD be a member of UserVerificationRequirement but client platforms MUST ignore unknown values, treating an unknown value as if the member does not exist.

    See UserVerificationRequirement for the description of userVerification's values and semantics.

    5.4.5. Authenticator Attachment Enumeration (enum AuthenticatorAttachment)

    -

    This enumeration’s values describe authenticators' attachment modalities. Relying Parties use this to express a preferred authenticator attachment modality when calling navigator.credentials.create() to create a credential, and clients use this to report the authenticator attachment modality used to complete a registration or authentication ceremony.

    +

    This enumeration’s values describe authenticators' attachment modalities. Relying Parties use this to express a preferred authenticator attachment modality when calling navigator.credentials.create() to create a credential, and clients use this to report the authenticator attachment modality used to complete a registration or authentication ceremony.

    enum AuthenticatorAttachment {
     "platform",
     "cross-platform"
@@ -3962,9 +4026,9 @@ 
    
    
    
    Note: An authenticator attachment modality selection option is available only in the [[Create]](origin, options,
-sameOriginWithAncestors) operation. The Relying Party may use it to, for example, ensure the user has a roaming credential for
+sameOriginWithAncestors) operation. The Relying Party may use it to, for example, ensure the user has a roaming credential for
 authenticating on another client device; or to specifically register a platform credential for easier reauthentication using a
-particular client device. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) operation has no authenticator attachment modality selection option, so the Relying Party SHOULD accept any of the user’s registered credentials. The client and user will then use whichever is available and convenient at the time.
    
+particular client device. The [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) operation has no authenticator attachment modality selection option, so the Relying Party SHOULD accept any of the user’s registered credentials. The client and user will then use whichever is available and convenient at the time.
    
    
    5.4.6. Resident Key Requirement Enumeration (enum ResidentKeyRequirement)
    
 
    enum ResidentKeyRequirement {
     "discouraged",
@@ -3973,34 +4037,34 @@ 
    
 };
 
    
    
    Note: The ResidentKeyRequirement enumeration is deliberately not referenced, see § 2.1.1 Enumerations as DOMString types.
    
-   
    This enumeration’s values describe the Relying Party's requirements for client-side discoverable credentials (formerly known as resident credentials or resident keys):
    
+   
    This enumeration’s values describe the Relying Party's requirements for client-side discoverable credentials (formerly known as resident credentials or resident keys):
    
    
    
     
    
      
    discouraged
      
    
-      
    The Relying Party prefers creating a server-side credential, but will accept a client-side discoverable credential.
-The client and authenticator SHOULD create a server-side credential if possible.
    
-      
    Note: A Relying Party cannot require that a created credential is a server-side credential and the Credential Properties Extension may not return a value for the rk property. Because of this, it may be the case that it does not know if a credential is a server-side credential or not and thus does not know whether creating a second credential with the same user handle will evict the first.
    
+      
    The Relying Party prefers creating a server-side credential, but will accept a client-side discoverable credential.
+The client and authenticator SHOULD create a server-side credential if possible.
    
+      
    Note: A Relying Party cannot require that a created credential is a server-side credential and the Credential Properties Extension may not return a value for the rk property. Because of this, it may be the case that it does not know if a credential is a server-side credential or not and thus does not know whether creating a second credential with the same user handle will evict the first.
    
      
    preferred
      
    
-      
    The Relying Party strongly prefers creating a client-side discoverable credential, but will accept a server-side credential.
-The client and authenticator SHOULD create a discoverable credential if possible.
-For example, the client SHOULD guide the user through setting up user verification if needed to create a discoverable credential. This takes precedence over the setting of userVerification.
    
+      
    The Relying Party strongly prefers creating a client-side discoverable credential, but will accept a server-side credential.
+The client and authenticator SHOULD create a discoverable credential if possible.
+For example, the client SHOULD guide the user through setting up user verification if needed to create a discoverable credential. This takes precedence over the setting of userVerification.
    
      
    required
      
    
-      
    The Relying Party requires a client-side discoverable credential.
-The client MUST return an error if a client-side discoverable credential cannot be created.
    
+      
    The Relying Party requires a client-side discoverable credential.
+The client MUST return an error if a client-side discoverable credential cannot be created.
    
     
    
    
    
-   
    Note: The Relying Party can seek information on whether or not the authenticator created a client-side discoverable credential using the resident key credential property of the Credential Properties Extension.
-This is useful when values of discouraged or preferred are used for options.authenticatorSelection.residentKey, because in those cases it is possible for an authenticator to create either a client-side discoverable credential or a server-side credential.
    
+   
    Note: The Relying Party can seek information on whether or not the authenticator created a client-side discoverable credential using the resident key credential property of the Credential Properties Extension.
+This is useful when values of discouraged or preferred are used for options.authenticatorSelection.residentKey, because in those cases it is possible for an authenticator to create either a client-side discoverable credential or a server-side credential.
    
    
    5.4.7. Attestation Conveyance Preference Enumeration (enum AttestationConveyancePreference)
    
    
    WebAuthn Relying Parties may use AttestationConveyancePreference to specify their preference regarding attestation conveyance during credential generation.
    
 
    enum AttestationConveyancePreference {
-    "none",
+    "none",
     "indirect",
     "direct",
-    "enterprise"
+    "enterprise"
 };
 
    
    
    Note: The AttestationConveyancePreference enumeration is deliberately not referenced, see § 2.1.1 Enumerations as DOMString types.
    
@@ -4008,108 +4072,94 @@ 
    
      
    none
      
    
-      
    The Relying Party is not interested in authenticator attestation. For example, in order to
-potentially avoid having to obtain user consent to relay identifying information to the Relying Party, or to save a
+      
    The Relying Party is not interested in authenticator attestation. For example, in order to
+potentially avoid having to obtain user consent to relay identifying information to the Relying Party, or to save a
 roundtrip to an Attestation CA or Anonymization CA.
-If the authenticator generates an attestation statement that is not a self attestation,
-the client will replace it with a None attestation statement.
    
+If the authenticator generates an attestation statement that is not a self attestation,
+the client will replace it with a None attestation statement.
    
       
    This is the default, and unknown values fall back to the behavior of this value.
    
      
    indirect
      
    
-      
    The Relying Party wants to receive a verifiable attestation statement,
-but allows the client to decide how to obtain such an attestation statement.
-The client MAY replace an authenticator-generated attestation statement with one generated by an Anonymization CA,
-in order to protect the user’s privacy, or to assist Relying Parties with attestation verification in a heterogeneous ecosystem.
    
-      
    Note: There is no guarantee that the Relying Party will obtain a verifiable attestation statement in this case.
-For example, in the case that the authenticator employs self attestation and the client passes the attestation statement through unmodified.
    
+      
    The Relying Party wants to receive a verifiable attestation statement,
+but allows the client to decide how to obtain such an attestation statement.
+The client MAY replace an authenticator-generated attestation statement with one generated by an Anonymization CA,
+in order to protect the user’s privacy, or to assist Relying Parties with attestation verification in a heterogeneous ecosystem.
    
+      
    Note: There is no guarantee that the Relying Party will obtain a verifiable attestation statement in this case.
+For example, in the case that the authenticator employs self attestation and the client passes the attestation statement through unmodified.
    
      
    direct
      
    
-      
    The Relying Party wants to receive the attestation statement as generated by the authenticator.
    
+      
    The Relying Party wants to receive the attestation statement as generated by the authenticator.
    
      
    enterprise
      
    
-      
    The Relying Party wants to receive an attestation statement that may include uniquely identifying information. This is intended for controlled deployments within an enterprise where the organization wishes to tie registrations to specific authenticators. User agents MUST NOT provide such an attestation unless the user agent or authenticator configuration permits it for the requested RP ID.
    
-      
    If permitted, the user agent SHOULD signal to the authenticator (at invocation time) that enterprise attestation is requested, and convey the resulting AAGUID and attestation statement, unaltered, to the Relying Party.
    
+      
    The Relying Party wants to receive an attestation statement that may include uniquely identifying information. This is intended for controlled deployments within an enterprise where the organization wishes to tie registrations to specific authenticators. User agents MUST NOT provide such an attestation unless the user agent or authenticator configuration permits it for the requested RP ID.
    
+      
    If permitted, the user agent SHOULD signal to the authenticator (at invocation time) that enterprise attestation is requested, and convey the resulting AAGUID and attestation statement, unaltered, to the Relying Party.
    
     
    
    
    5.5. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)
    
-   
    The PublicKeyCredentialRequestOptions dictionary supplies get() with the data it needs to generate
+   
    The PublicKeyCredentialRequestOptions dictionary supplies get() with the data it needs to generate
 an assertion. Its challenge member MUST be present, while its other members are OPTIONAL.
    
 
    dictionary PublicKeyCredentialRequestOptions {
-    required BufferSource                challenge;
-    unsigned long                        timeout;
-    USVString                            rpId;
-    sequence<PublicKeyCredentialDescriptor> allowCredentials = [];
-    DOMString                            userVerification = "preferred";
-    sequence<DOMString>                  hints = [];
-    DOMString                            attestation = "none";
-    sequence<DOMString>                  attestationFormats = [];
-    AuthenticationExtensionsClientInputs extensions;
+    required BufferSource                challenge;
+    unsigned long                        timeout;
+    USVString                            rpId;
+    sequence<PublicKeyCredentialDescriptor> allowCredentials = [];
+    DOMString                            userVerification = "preferred";
+    sequence<DOMString>                  hints = [];
+    AuthenticationExtensionsClientInputs extensions;
 };
 
    
    
    
     
    challenge,  of type BufferSource
     
    
-     
    This member specifies a challenge that the authenticator signs, along with other data, when producing an authentication assertion. See the § 13.4.3 Cryptographic Challenges security consideration.
    
+     
    This member specifies a challenge that the authenticator signs, along with other data, when producing an authentication assertion. See the § 13.4.3 Cryptographic Challenges security consideration.
    
     
    timeout,  of type unsigned long
     
    
-     
    This OPTIONAL member specifies a time, in milliseconds, that the Relying Party is willing to wait for the call to complete.
-The value is treated as a hint, and MAY be overridden by the client.
    
+     
    This OPTIONAL member specifies a time, in milliseconds, that the Relying Party is willing to wait for the call to complete.
+The value is treated as a hint, and MAY be overridden by the client.
    
     
    rpId,  of type USVString
     
    
-     
    This OPTIONAL member specifies the RP ID claimed by the Relying Party.
-The client MUST verify that the Relying Party's origin matches the scope of this RP ID.
-The authenticator MUST verify
+     
    This OPTIONAL member specifies the RP ID claimed by the Relying Party.
+The client MUST verify that the Relying Party's origin matches the scope of this RP ID.
+The authenticator MUST verify
 that this RP ID exactly equals the rpId of the credential to be used for the authentication ceremony.
    
      
    If not specified, its value will
-be the CredentialsContainer object’s relevant settings object's origin's effective domain.
    
+be the CredentialsContainer object’s relevant settings object's origin's effective domain.
    
     
    allowCredentials,  of type sequence<PublicKeyCredentialDescriptor>, defaulting to []
     
    
-     
    This OPTIONAL member is used by the client to find authenticators eligible for this authentication ceremony.
+     
    This OPTIONAL member is used by the client to find authenticators eligible for this authentication ceremony.
 It can be used in two ways:
    
      
      
    If not empty, the client MUST return an error if none of the listed credentials can be used.
    
      
    The list is ordered in descending order of preference: the first item in the list is the most
 preferred credential, and the last is the least preferred.
    
-    
    userVerification,  of type DOMString, defaulting to "preferred"
+    
    userVerification,  of type DOMString, defaulting to "preferred"
     
    
-     
    This OPTIONAL member specifies the Relying Party's requirements regarding user verification for the get() operation. The value SHOULD be a member of UserVerificationRequirement but client platforms MUST ignore unknown values, treating an unknown value as if the member does not exist. Eligible authenticators are filtered to only those capable of satisfying this requirement.
    
+     
    This OPTIONAL member specifies the Relying Party's requirements regarding user verification for the get() operation. The value SHOULD be a member of UserVerificationRequirement but client platforms MUST ignore unknown values, treating an unknown value as if the member does not exist. Eligible authenticators are filtered to only those capable of satisfying this requirement.
    
      
    See UserVerificationRequirement for the description of userVerification's values and semantics.
    
-    
    hints,  of type sequence<DOMString>, defaulting to []
+    
    hints,  of type sequence<DOMString>, defaulting to []
     
    
      
    This OPTIONAL member contains zero or more elements from PublicKeyCredentialHints to guide the user agent in interacting with the user. Note that the elements have type DOMString despite being taken from that enumeration. See § 2.1.1 Enumerations as DOMString types.
    
-    
    attestation,  of type DOMString, defaulting to "none"
-    
    
-     
    The Relying Party MAY use this OPTIONAL member to specify a preference regarding attestation conveyance.
-Its value SHOULD be a member of AttestationConveyancePreference. Client platforms MUST ignore unknown values, treating an unknown value as if the member does not exist.
    
-     
    The default value is none.
    
-    
    attestationFormats,  of type sequence<DOMString>, defaulting to []
-    
    
-     
    The Relying Party MAY use this OPTIONAL member to specify a preference regarding the attestation statement format used by the authenticator.
-Values SHOULD be taken from the IANA "WebAuthn Attestation Statement Format Identifiers" registry [IANA-WebAuthn-Registries] established by [RFC8809].
-Values are ordered from most preferable to least preferable.
-This parameter is advisory and the authenticator MAY use an attestation statement not enumerated in this parameter.
    
-     
    The default value is the empty list, which indicates no preference.
    
     
    extensions,  of type AuthenticationExtensionsClientInputs
     
    
-     
    The Relying Party MAY use this OPTIONAL member to provide client extension inputs requesting additional processing by the client and authenticator.
    
+     
    The Relying Party MAY use this OPTIONAL member to provide client extension inputs requesting additional processing by the client and authenticator.
    
      
    The extensions framework is defined in § 9 WebAuthn Extensions.
 Some extensions are defined in § 10 Defined Extensions;
 consult the IANA "WebAuthn Extension Identifiers" registry [IANA-WebAuthn-Registries] established by [RFC8809] for an up-to-date list
@@ -4131,7 +4181,7 @@ 
    WHATWG HTML WG Issue #2711 for more details.
    
    
    5.7. WebAuthn Extensions Inputs and Outputs
    
    
    The subsections below define the data types used for conveying WebAuthn extension inputs and outputs.
    
-   
    Note: Authenticator extension outputs are conveyed as a part of authenticator data (see Table 1).
    
+   
    Note: Authenticator extension outputs are conveyed as a part of authenticator data (see Table 1).
    
    
    Note: The types defined below — AuthenticationExtensionsClientInputs and AuthenticationExtensionsClientOutputs — are applicable to both registration extensions and authentication extensions. The "Authentication..." portion of their names should be regarded as meaning "WebAuthentication..."
    
    
    5.7.1. Authentication Extensions Client Inputs (dictionary AuthenticationExtensionsClientInputs)
    
 
    dictionary AuthenticationExtensionsClientInputs {
@@ -4151,7 +4201,7 @@ 
    CDDL type AuthenticationExtensionsAuthenticatorInputs defines a CBOR map
 containing the authenticator extension input values for zero or more WebAuthn Extensions.
 Extensions can add members as described in § 9.3 Extending Request Parameters.
    
-   
    This type is not exposed to the Relying Party, but is used by the client and authenticator.
    
+   
    This type is not exposed to the Relying Party, but is used by the client and authenticator.
    
    
    5.7.4. Authentication Extensions Authenticator Outputs (CDDL type AuthenticationExtensionsAuthenticatorOutputs)
    
 
    AuthenticationExtensionsAuthenticatorOutputs = {
   * $$extensionOutput .within ( tstr => any )
@@ -4164,40 +4214,40 @@ 
    public key credential type uses certain data structures that are specified in supporting specifications. These are as
 follows.
    
    
    5.8.1. Client Data Used in WebAuthn Signatures (dictionary CollectedClientData)
    
-   
    The client data represents the contextual bindings of both the WebAuthn Relying Party and the client. It is a key-value
+   
    The client data represents the contextual bindings of both the WebAuthn Relying Party and the client. It is a key-value
 mapping whose keys are strings. Values can be any type that has a valid encoding in JSON. Its structure is defined by the
 following Web IDL.
    
    
    Note: The CollectedClientData may be extended in the future. Therefore it’s critical when parsing to be tolerant of unknown keys and of any reordering of the keys. See also § 5.8.1.2 Limited Verification Algorithm.
    
 
    dictionary CollectedClientData {
-    required DOMString           type;
-    required DOMString           challenge;
-    required DOMString           origin;
-    DOMString                    topOrigin;
-    boolean                      crossOrigin;
+    required DOMString           type;
+    required DOMString           challenge;
+    required DOMString           origin;
+    DOMString                    topOrigin;
+    boolean                      crossOrigin;
 };
 
-dictionary TokenBinding {
-    required DOMString status;
-    DOMString id;
+dictionary TokenBinding {
+    required DOMString status;
+    DOMString id;
 };
 
 enum TokenBindingStatus { "present", "supported" };
 
    
    
    
     
    
-     
    type,  of type DOMString
+     
    type,  of type DOMString
      
    
       
    This member contains the string "webauthn.create" when creating new credentials, and "webauthn.get" when getting an
 assertion from an existing credential. The purpose of this member is to prevent certain types of signature confusion
 attacks (where an attacker substitutes one legitimate signature for another).
    
-     
    challenge,  of type DOMString
+     
    challenge,  of type DOMString
      
    
-      
    This member contains the base64url encoding of the challenge provided by the Relying Party. See the § 13.4.3 Cryptographic Challenges security consideration.
    
-     
    origin,  of type DOMString
+      
    This member contains the base64url encoding of the challenge provided by the Relying Party. See the § 13.4.3 Cryptographic Challenges security consideration.
    
+     
    origin,  of type DOMString
      
    
-      
    This member contains the fully qualified origin of the requester, as provided to the authenticator by the client, in
+      
    This member contains the fully qualified origin of the requester, as provided to the authenticator by the client, in
 the syntax defined by [RFC6454].
    
-     
    topOrigin,  of type DOMString
+     
    topOrigin,  of type DOMString
      
    
       
    This OPTIONAL member contains the fully qualified top-level origin of the requester, in the syntax defined
 by [RFC6454]. It is set only if the call was made from context that is not same-origin with its
@@ -4205,35 +4255,35 @@ 
    crossOrigin,  of type boolean
      
    
       
    This OPTIONAL member contains the inverse of the sameOriginWithAncestors argument value
-that was passed into the internal method.
    
-     
    [RESERVED] tokenBinding
+that was passed into the internal method.
    
+     
    [RESERVED] tokenBinding
      
    
       
    This OPTIONAL member contains information about the state of the Token Binding protocol [TokenBinding] used when communicating
-with the Relying Party. Its absence indicates that the client doesn’t support token binding
    
-      
    Note: While Token Binding was present in Level 1 and Level 2 of WebAuthn, its use is not expected in Level 3. The tokenBinding field is reserved so that it will not be reused for a different purpose.
    
+with the Relying Party. Its absence indicates that the client doesn’t support token binding
    
+      
    Note: While Token Binding was present in Level 1 and Level 2 of WebAuthn, its use is not expected in Level 3. The tokenBinding field is reserved so that it will not be reused for a different purpose.
    
       
    
        
    
-        
    status,  of type DOMString
+        
    status,  of type DOMString
         
    
-         
    This member SHOULD be a member of TokenBindingStatus but client platforms MUST ignore unknown values, treating an unknown value as if the tokenBinding member does not exist. When known, this member is one of the following:
    
+         
    This member SHOULD be a member of TokenBindingStatus but client platforms MUST ignore unknown values, treating an unknown value as if the tokenBinding member does not exist. When known, this member is one of the following:
    
          
    
           
    
            
    supported
            
    
-            
    Indicates the client supports token binding, but it was not negotiated when communicating with the Relying Party.
    
+            
    Indicates the client supports token binding, but it was not negotiated when communicating with the Relying Party.
    
            
    present
            
    
-            
    Indicates token binding was used when communicating with the Relying Party. In this case, the id member MUST be present.
    
+            
    Indicates token binding was used when communicating with the Relying Party. In this case, the id member MUST be present.
    
           
    
          
    
          
    Note: The TokenBindingStatus enumeration is deliberately not referenced, see § 2.1.1 Enumerations as DOMString types.
    
-        
    id,  of type DOMString
+        
    id,  of type DOMString
         
    
          
    This member MUST be present if status is present, and MUST be a base64url
-encoding of the Token Binding ID that was used when communicating with the Relying Party.
    
+encoding of the Token Binding ID that was used when communicating with the Relying Party.
    
        
    
       
    
-      
    Note: Obtaining a Token Binding ID is a client platform-specific operation.
    
+      
    Note: Obtaining a Token Binding ID is a client platform-specific operation.
    
     
    
     
    The CollectedClientData structure is used by the client to compute the following quantities:
    
     
    
@@ -4419,36 +4469,35 @@ 
    
    
    5.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)
    
 
    dictionary PublicKeyCredentialDescriptor {
-    required DOMString                    type;
-    required BufferSource                 id;
-    sequence<DOMString>                   transports;
+    required DOMString                    type;
+    required BufferSource                 id;
+    sequence<DOMString>                   transports;
 };
 
    
    
    This dictionary identifies a specific public key credential.
-It is used in create() to prevent creating duplicate credentials on the same authenticator,
-and in get() to determine if and how the credential can currently be reached by the client.
-It mirrors some fields of the PublicKeyCredential object returned by create() and get().
    
+It is used in create() to prevent creating duplicate credentials on the same authenticator,
+and in get() to determine if and how the credential can currently be reached by the client.
    
+   
    The credential descriptor for a credential record is a subset of the properties of that credential record,
+and mirrors some fields of the PublicKeyCredential object returned by create() and get().
    
    
    
     
    
-     
    type,  of type DOMString
+     
    type,  of type DOMString
      
    
-      
    This member contains the type of the public key credential the caller is referring to. The value SHOULD be a member of PublicKeyCredentialType but client platforms MUST ignore any PublicKeyCredentialDescriptor with an unknown type.
    
-      
    This mirrors the type field of PublicKeyCredential.
    
+      
    This member contains the type of the public key credential the caller is referring to. The value SHOULD be a member of PublicKeyCredentialType but client platforms MUST ignore any PublicKeyCredentialDescriptor with an unknown type.
    
+      
    This SHOULD be set to the value of the type item of the credential record representing the identified public key credential source.
+This mirrors the type field of PublicKeyCredential.
    
       
    Note: If all PublicKeyCredentialDescriptor elements in allowCredentials are ignored then that MUST result in an error since an empty allowCredentials is semantically distinct.
    
      
    id,  of type BufferSource
      
    
       
    This member contains the credential ID of the public key credential the caller is referring to.
    
-      
    This mirrors the rawId field of PublicKeyCredential.
    
-     
    transports,  of type sequence<DOMString>
+      
    This SHOULD be set to the value of the id item of the credential record representing the identified public key credential source.
+This mirrors the rawId field of PublicKeyCredential.
    
+     
    transports,  of type sequence<DOMString>
      
    
-      
    This OPTIONAL member contains a hint as to how the client might communicate with the managing authenticator of the public key credential the caller is referring to. The values SHOULD be members of AuthenticatorTransport but client platforms MUST ignore unknown values.
    
-      
    This mirrors the response.getTransports() method
-of a PublicKeyCredential structure created by a create() operation.
-When registering a new credential,
-the Relying Party SHOULD store the value returned from getTransports().
-When creating a PublicKeyCredentialDescriptor for that credential,
-the Relying Party SHOULD retrieve that stored value
-and set it as the value of the transports member.
    
+      
    This OPTIONAL member contains a hint as to how the client might communicate with the managing authenticator of the public key credential the caller is referring to. The values SHOULD be members of AuthenticatorTransport but client platforms MUST ignore unknown values.
    
+      
    This SHOULD be set to the value of the transports item of the credential record representing the identified public key credential source.
+This mirrors the response.getTransports() method
+of the PublicKeyCredential structure created by a create() operation.
    
     
    
    
    
    
    5.8.4. Authenticator Transport Enumeration (enum AuthenticatorTransport)
    
@@ -4457,35 +4506,35 @@ 
    "nfc",
     "ble",
     "smart-card",
-    "hybrid",
+    "hybrid",
     "internal"
 };
 
    
    
    Note: The AuthenticatorTransport enumeration is deliberately not referenced, see § 2.1.1 Enumerations as DOMString types.
    
    
    
-     Authenticators may implement various transports for communicating with clients. This enumeration
+     Authenticators may implement various transports for communicating with clients. This enumeration
     defines hints as to how clients might communicate with a particular authenticator in order to obtain an assertion for a
-    specific credential. Note that these hints represent the WebAuthn Relying Party's best belief as to how an authenticator may be reached. A Relying Party will typically learn of the supported transports for a public key credential via getTransports(). 
+    specific credential. Note that these hints represent the WebAuthn Relying Party's best belief as to how an authenticator may be reached. A Relying Party will typically learn of the supported transports for a public key credential via getTransports(). 
     
    
      
    usb
      
    
-      
    Indicates the respective authenticator can be contacted over removable USB.
    
+      
    Indicates the respective authenticator can be contacted over removable USB.
    
      
    nfc
      
    
-      
    Indicates the respective authenticator can be contacted over Near Field Communication (NFC).
    
+      
    Indicates the respective authenticator can be contacted over Near Field Communication (NFC).
    
      
    ble
      
    
-      
    Indicates the respective authenticator can be contacted over Bluetooth Smart (Bluetooth Low Energy / BLE).
    
+      
    Indicates the respective authenticator can be contacted over Bluetooth Smart (Bluetooth Low Energy / BLE).
    
      
    smart-card
      
    
-      
    Indicates the respective authenticator can be contacted over ISO/IEC 7816 smart card with contacts.
    
+      
    Indicates the respective authenticator can be contacted over ISO/IEC 7816 smart card with contacts.
    
      
    hybrid
      
    
-      
    Indicates the respective authenticator can be contacted using a combination of (often separate) data-transport and proximity mechanisms. This supports, for example, authentication on a desktop computer using a smartphone.
    
+      
    Indicates the respective authenticator can be contacted using a combination of (often separate) data-transport and proximity mechanisms. This supports, for example, authentication on a desktop computer using a smartphone.
    
      
    internal
      
    
-      
    Indicates the respective authenticator is contacted using a client device-specific transport,
-i.e., it is a platform authenticator.
+      
    Indicates the respective authenticator is contacted using a client device-specific transport,
+i.e., it is a platform authenticator.
 These authenticators are not removable from the client device.
    
     
    
    
    
@@ -4517,27 +4566,57 @@ 
    "discouraged"
 };
 
    
-   
    A WebAuthn Relying Party may require user verification for some of its operations but not for others, and may use this type to express its
+   
    A WebAuthn Relying Party may require user verification for some of its operations but not for others, and may use this type to express its
 needs.
    
    
    Note: The UserVerificationRequirement enumeration is deliberately not referenced, see § 2.1.1 Enumerations as DOMString types.
    
    
    
     
    
      
    required
      
    
-      
    The Relying Party requires user verification for the operation and will fail the overall ceremony if the
+      
    The Relying Party requires user verification for the operation and will fail the overall ceremony if the
 response does not have the UV flag set.
-The client MUST return an error if user verification cannot be performed.
    
+The client MUST return an error if user verification cannot be performed.
    
      
    preferred
      
    
-      
    The Relying Party prefers user verification for the operation if possible, but will not fail the
+      
    The Relying Party prefers user verification for the operation if possible, but will not fail the
 operation if the response does not have the UV flag set.
    
      
    discouraged
      
    
-      
    The Relying Party does not want user verification employed during the operation (e.g., in the
+      
    The Relying Party does not want user verification employed during the operation (e.g., in the
 interest of minimizing disruption to the user interaction flow).
    
     
    
    
    
-   
    5.8.7. User-agent Hints Enumeration (enum PublicKeyCredentialHints)
    
+   
    5.8.7. Client Capability Enumeration (enum ClientCapability)
    
+
    enum ClientCapability {
+    "conditionalCreate",
+    "conditionalGet",
+    "hybridTransport",
+    "passkeyPlatformAuthenticator",
+    "userVerifyingPlatformAuthenticator",
+};
+
    
+   
    This enumeration defines a limited set of client capabilities which a WebAuthn Relying Party may evaluate to offer certain workflows and experiences to users.
    
+   
    Note: The ClientCapability enumeration is deliberately not referenced, see § 2.1.1 Enumerations as DOMString types.
    
+   
    
+    
    
+     
    conditionalCreate
+     
    
+      
    The WebAuthn Client is capable of conditional mediation for registration ceremonies..
    
+     
    conditionalGet
+     
    
+      
    The WebAuthn Client is capable of conditional mediation for authentication ceremonies.
    
+     
    hybridTransport
+     
    
+      
    The WebAuthn Client supports usage of the hybrid transport.
    
+     
    passkeyPlatformAuthenticator
+     
    
+      
    The WebAuthn Client supports usage of a passkey platform authenticator, locally and/or via hybrid transport.
    
+     
    userVerifyingPlatformAuthenticator
+     
    
+      
    The WebAuthn Client supports usage of a user-verifying platform authenticator.
    
+    
    
+   
    
+   
    5.8.8. User-agent Hints Enumeration (enum PublicKeyCredentialHints)
    
 
    enum PublicKeyCredentialHints {
     "security-key",
     "client-device",
@@ -4546,49 +4625,49 @@ 
    Note: The PublicKeyCredentialHints enumeration is deliberately not referenced, see § 2.1.1 Enumerations as DOMString types.
    
    
    
-     WebAuthn Relying Parties may use this enumeration to communicate hints to the user-agent about how a request may be best completed. These hints are not requirements, and do not bind the user-agent, but may guide it in providing the best experience by using contextual information that the Relying Party has about the request. Hints are provided in order of decreasing preference so, if two hints are contradictory, the first one controls. Hints may also overlap: if a more-specific hint is defined a Relying Party may still wish to send less specific ones for user-agents that may not recognise the more specific one. In this case the most specific hint should be sent before the less-specific ones. 
-    
    Hints MAY contradict information contained in credential transports and authenticatorAttachment. When this occurs, the hints take precedence. (Note that transports values are not provided when using discoverable credentials, leaving hints as the only avenue for expressing some aspects of such a request.)
    
+     WebAuthn Relying Parties may use this enumeration to communicate hints to the user-agent about how a request may be best completed. These hints are not requirements, and do not bind the user-agent, but may guide it in providing the best experience by using contextual information that the Relying Party has about the request. Hints are provided in order of decreasing preference so, if two hints are contradictory, the first one controls. Hints may also overlap: if a more-specific hint is defined a Relying Party may still wish to send less specific ones for user-agents that may not recognise the more specific one. In this case the most specific hint should be sent before the less-specific ones. 
+    
    Hints MAY contradict information contained in credential transports and authenticatorAttachment. When this occurs, the hints take precedence. (Note that transports values are not provided when using discoverable credentials, leaving hints as the only avenue for expressing some aspects of such a request.)
    
     
    
      
    security-key
      
    
-      
    Indicates that the Relying Party believes that users will satisfy this request with a physical security key. For example, an enterprise Relying Party may set this hint if they have issued security keys to their employees and will only accept those authenticators for registration and authentication.
    
+      
    Indicates that the Relying Party believes that users will satisfy this request with a physical security key. For example, an enterprise Relying Party may set this hint if they have issued security keys to their employees and will only accept those authenticators for registration and authentication.
    
       
    For compatibility with older user agents, when this hint is used in PublicKeyCredentialCreationOptions, the authenticatorAttachment SHOULD be set to cross-platform.
    
      
    client-device
      
    
-      
    Indicates that the Relying Party believes that users will satisfy this request with a platform authenticator attached to the client device.
    
+      
    Indicates that the Relying Party believes that users will satisfy this request with a platform authenticator attached to the client device.
    
       
    For compatibility with older user agents, when this hint is used in PublicKeyCredentialCreationOptions, the authenticatorAttachment SHOULD be set to platform.
    
      
    hybrid
      
    
-      
    Indicates that the Relying Party believes that users will satisfy this request with general-purpose authenticators such as smartphones. For example, a consumer Relying Party may believe that only a small fraction of their customers possesses dedicated security keys. This option also implies that the local platform authenticator should not be promoted in the UI.
    
+      
    Indicates that the Relying Party believes that users will satisfy this request with general-purpose authenticators such as smartphones. For example, a consumer Relying Party may believe that only a small fraction of their customers possesses dedicated security keys. This option also implies that the local platform authenticator should not be promoted in the UI.
    
       
    For compatibility with older user agents, when this hint is used in PublicKeyCredentialCreationOptions, the authenticatorAttachment SHOULD be set to cross-platform.
    
     
    
    
    
    
    5.9. Permissions Policy integration
    
    
    This specification defines two policy-controlled features identified by
-the feature-identifier tokens "publickey-credentials-create"
+the feature-identifier tokens "publickey-credentials-create"
 and "publickey-credentials-get".
 Their default allowlists are both 'self'. [Permissions-Policy]
    
-   
    A Document's permissions policy determines whether any content in that document is allowed to successfully invoke the Web Authentication API, i.e., via navigator.credentials.create({publicKey:..., ...}) or navigator.credentials.get({publicKey:..., ...}) If disabled in any document, no content in the document will be allowed to use the foregoing methods: attempting to do so will return an error.
    
-   
    Note: Algorithms specified in [CREDENTIAL-MANAGEMENT-1] perform the actual permissions policy evaluation. This is because such policy evaluation needs to occur when there is access to the current settings object. The [[Create]](origin, options, sameOriginWithAncestors) and [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) internal methods does not have such access since they are invoked in parallel by CredentialsContainer's Create a Credential and Request a Credential abstract operations [CREDENTIAL-MANAGEMENT-1].
    
+   
    A Document's permissions policy determines whether any content in that document is allowed to successfully invoke the Web Authentication API, i.e., via navigator.credentials.create({publicKey:..., ...}) or navigator.credentials.get({publicKey:..., ...}) If disabled in any document, no content in the document will be allowed to use the foregoing methods: attempting to do so will return an error.
    
+   
    Note: Algorithms specified in [CREDENTIAL-MANAGEMENT-1] perform the actual permissions policy evaluation. This is because such policy evaluation needs to occur when there is access to the current settings object. The [[Create]](origin, options, sameOriginWithAncestors) and [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) internal methods does not have such access since they are invoked in parallel by CredentialsContainer's Create a Credential and Request a Credential abstract operations [CREDENTIAL-MANAGEMENT-1].
    
    
    5.10. Using Web Authentication within iframe elements
    
-   
    The Web Authentication API is disabled by default in cross-origin iframes.
-To override this default policy and indicate that a cross-origin iframe is allowed to invoke the Web Authentication API's [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) method, specify the allow attribute on the iframe element and include the publickey-credentials-get feature-identifier token in the allow attribute’s value.
    
-   
    Relying Parties utilizing the WebAuthn API in an embedded context should review § 13.4.2 Visibility Considerations for Embedded Usage regarding UI redressing and its possible mitigations.
    
+   
    The Web Authentication API is disabled by default in cross-origin iframes.
+To override this default policy and indicate that a cross-origin iframe is allowed to invoke the Web Authentication API's [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) method, specify the allow attribute on the iframe element and include the publickey-credentials-get feature-identifier token in the allow attribute’s value.
    
+   
    Relying Parties utilizing the WebAuthn API in an embedded context should review § 13.4.2 Visibility Considerations for Embedded Usage regarding UI redressing and its possible mitigations.
    
    
    6. WebAuthn Authenticator Model
    
    
    The Web Authentication API implies a specific abstract functional model for a WebAuthn Authenticator. This section
 describes that authenticator model.
    
-   
    Client platforms MAY implement and expose this abstract model in any way desired. However, the behavior of the client’s Web
-Authentication API implementation, when operating on the authenticators supported by that client platform, MUST be indistinguishable
+   
    Client platforms MAY implement and expose this abstract model in any way desired. However, the behavior of the client’s Web
+Authentication API implementation, when operating on the authenticators supported by that client platform, MUST be indistinguishable
 from the behavior specified in § 5 Web Authentication API.
    
-   
    Note: [FIDO-CTAP] is an example of a concrete instantiation of this model, but it is one in which there are differences in the data it returns and those expected by the WebAuthn API's algorithms. The CTAP2 response messages are CBOR maps constructed using integer keys rather than the string keys defined in this specification for the same objects. The client is expected to perform any needed transformations on such data. The [FIDO-CTAP] specification details the mapping between CTAP2 integer keys and WebAuthn string keys, in section §6.2. Responses.
    
+   
    Note: [FIDO-CTAP] is an example of a concrete instantiation of this model, but it is one in which there are differences in the data it returns and those expected by the WebAuthn API's algorithms. The CTAP2 response messages are CBOR maps constructed using integer keys rather than the string keys defined in this specification for the same objects. The client is expected to perform any needed transformations on such data. The [FIDO-CTAP] specification details the mapping between CTAP2 integer keys and WebAuthn string keys in Section §6. Authenticator API.
    
    
    For authenticators, this model defines the logical operations that they MUST support, and the data formats that they expose to
-the client and the WebAuthn Relying Party. However, it does not define the details of how authenticators communicate with the client device,
-unless they are necessary for interoperability with Relying Parties. For instance, this abstract model does not define protocols for
+the client and the WebAuthn Relying Party. However, it does not define the details of how authenticators communicate with the client device,
+unless they are necessary for interoperability with Relying Parties. For instance, this abstract model does not define protocols for
 connecting authenticators to clients over transports such as USB or NFC. Similarly, this abstract model does not define specific
 error codes or methods of returning them; however, it does define error behavior in terms of the needs of the client. Therefore,
 specific error codes are mentioned as a means of showing which error conditions MUST be distinguishable (or not) from each other
 in order to enable a compliant and secure client implementation.
    
-   
    Relying Parties may influence authenticator selection, if they deem necessary, by stipulating various authenticator characteristics
+   
    Relying Parties may influence authenticator selection, if they deem necessary, by stipulating various authenticator characteristics
 when creating credentials and/or when generating assertions, through use of credential creation options or assertion generation options,
 respectively. The algorithms underlying the WebAuthn API marshal these options and pass them to the applicable authenticator operations defined below.
    
    
    In this abstract model, the authenticator provides key management and cryptographic signatures. It can be embedded in the
@@ -4596,20 +4675,20 @@ 
    
-   
    Each authenticator stores a credentials map, a map from (rpId, userHandle) to public key credential source.
    
+   
    Each authenticator stores a credentials map, a map from (rpId, userHandle) to public key credential source.
    
    
    Additionally, each authenticator has an Authenticator Attestation Globally Unique Identifier or AAGUID, which is a 128-bit identifier
-indicating the type (e.g. make and model) of the authenticator. The AAGUID MUST be chosen by its maker to be identical across all substantially identical 
-authenticators made by that maker, and different (with high probability) from the AAGUIDs of all other types of authenticators. The AAGUID for a given type 
-of authenticator SHOULD be randomly generated to ensure this. The Relying Party MAY use the AAGUID to infer certain properties of the authenticator, such as 
-certification level and strength of key protection, using information from other sources. The Relying Party MAY use the AAGUID to attempt to identify the maker of 
-the authenticator without requesting and verifying attestation, but the AAGUID is not provably authentic without attestation.
    
+indicating the type (e.g. make and model) of the authenticator. The AAGUID MUST be chosen by its maker to be identical across all substantially identical
+authenticators made by that maker, and different (with high probability) from the AAGUIDs of all other types of authenticators. The AAGUID for a given type
+of authenticator SHOULD be randomly generated to ensure this. The Relying Party MAY use the AAGUID to infer certain properties of the authenticator, such as
+certification level and strength of key protection, using information from other sources. The Relying Party MAY use the AAGUID to attempt to identify the maker of
+the authenticator without requesting and verifying attestation, but the AAGUID is not provably authentic without attestation.
    
    
    The primary function of the authenticator is to provide WebAuthn signatures, which are bound to various contextual data. These
 data are observed and added at different levels of the stack as a signature request passes from the server to the
 authenticator. In verifying a signature, the server checks these bindings against expected values. These contextual bindings
-are divided in two: Those added by the Relying Party or the client, referred to as client data; and those added by the authenticator,
-referred to as the authenticator data. The authenticator signs over the client data, but is otherwise not interested in
+are divided in two: Those added by the Relying Party or the client, referred to as client data; and those added by the authenticator,
+referred to as the authenticator data. The authenticator signs over the client data, but is otherwise not interested in
 its contents. To save bandwidth and processing requirements on the authenticator, the client hashes the client data and
-sends only the result to the authenticator. The authenticator signs over the combination of the hash of the serialized client data, and its own authenticator data.
    
+sends only the result to the authenticator. The authenticator signs over the combination of the hash of the serialized client data, and its own authenticator data.
    
    
    The goals of this design can be summarized as follows.
    
    
      
     
    • 
@@ -4619,7 +4698,7 @@ 
      The data processed by the authenticator should be small and easy to interpret in low-level code. In particular, authenticators
 should not have to parse high-level encodings such as JSON.
      
     
    • 
-     
      Both the client and the authenticator should have the flexibility to add contextual bindings as needed.
      
+     
      Both the client and the authenticator should have the flexibility to add contextual bindings as needed.
      
     
    • 
      
      The design aims to reuse as much as possible of existing encoding formats in order to aid adoption and implementation.
      
    
    
@@ -4627,29 +4706,29 @@ 
    
     
  • 
      
    An attestation signature is produced when a new public key credential is created via an authenticatorMakeCredential operation. An attestation signature provides cryptographic
-proof of certain properties of the authenticator and the credential. For instance, an attestation signature asserts the authenticator type (as denoted by its AAGUID) and the credential public key. The attestation
-signature is signed by an attestation private key, which is chosen depending on the type of attestation desired.
-For more details on attestation, see § 6.5 Attestation.
    
+proof of certain properties of the authenticator and the credential. For instance, an attestation signature asserts the authenticator type (as denoted by its AAGUID) and the credential public key. The attestation
+signature is signed by an attestation private key, which is chosen depending on the type of attestation desired.
+For more details on attestation, see § 6.5 Attestation.
    
     
  • 
      
    An assertion signature is produced when the authenticatorGetAssertion method is invoked. It represents an
-assertion by the authenticator that the user has consented to a specific transaction, such as logging
-in, or completing a purchase. Thus, an assertion signature asserts that the authenticator possessing a particular credential private key has established, to the best of its ability, that the user requesting this transaction is the
+assertion by the authenticator that the user has consented to a specific transaction, such as logging
+in, or completing a purchase. Thus, an assertion signature asserts that the authenticator possessing a particular credential private key has established, to the best of its ability, that the user requesting this transaction is the
 same user who consented to creating that particular public key credential. It also asserts additional
 information, termed client data, that may be useful to the caller, such as the means by which user consent was
-provided, and the prompt shown to the user by the authenticator. The assertion signature format is illustrated in Figure 4, below.
    
+provided, and the prompt shown to the user by the authenticator. The assertion signature format is illustrated in Figure 4, below.
    
    
    
    The term WebAuthn signature refers to both attestation signatures and assertion signatures.
 The formats of these signatures, as well as the procedures for generating them, are specified below.
    
    
    6.1. Authenticator Data
    
-   
    The authenticator data structure encodes contextual bindings made by the authenticator. These bindings are
-controlled by the authenticator itself, and derive their trust from the WebAuthn Relying Party's assessment of the security properties of the
+   
    The authenticator data structure encodes contextual bindings made by the authenticator. These bindings are
+controlled by the authenticator itself, and derive their trust from the WebAuthn Relying Party's assessment of the security properties of the
 authenticator. In one extreme case, the authenticator may be embedded in the client, and its bindings may be no more trustworthy
 than the client data. At the other extreme, the authenticator may be a discrete entity with high-security hardware and
-software, connected to the client over a secure channel. In both cases, the Relying Party receives the authenticator data in the same
+software, connected to the client over a secure channel. In both cases, the Relying Party receives the authenticator data in the same
 format, and uses its knowledge of the authenticator to make trust decisions.
    
-   
    The authenticator data has a compact but extensible encoding. This is desired since authenticators can be devices with
-limited capabilities and low power requirements, with much simpler software stacks than the client platform.
    
-   
    The authenticator data structure is a byte array of 37 bytes or more,
+   
    The authenticator data has a compact but extensible encoding. This is desired since authenticators can be devices with
+limited capabilities and low power requirements, with much simpler software stacks than the client platform.
    
+   
    The authenticator data structure is a byte array of 37 bytes or more,
 laid out as shown in Table .
    
    
    
     
@@ -4690,17 +4769,17 @@ 
    Bit 3: Backup Eligibility (BE).
    
           
          
  • 
           
    Bit 4: Backup State (BS).
    
           
          
  • 
           
    Bit 5: Reserved for future use (RFU2).
    
@@ -4714,7 +4793,7 @@ 
    Bit 7: Extension data included (ED).
    
           
         
       
    • 
@@ -4724,33 +4803,33 @@ 
    
        
    attestedCredentialData
        variable (if present)
-        attested credential data (if present). See § 6.5.2 Attested Credential Data for details. Its length depends on
+        attested credential data (if present). See § 6.5.1 Attested Credential Data for details. Its length depends on
                 the length of the credential ID and credential public
                 key being attested. 
       
    
        extensions
        variable (if present)
-        Extension-defined authenticator data. This is a CBOR [RFC8949] map with extension identifiers as keys,
+        Extension-defined authenticator data. This is a CBOR [RFC8949] map with extension identifiers as keys,
                 and authenticator extension outputs as values. See § 9 WebAuthn Extensions for details. 
     
    
-    
     Authenticator data layout. The names in the Name column are only for reference within this document, and are not
-        present in the actual representation of the authenticator data. 
    
+    
     Authenticator data layout. The names in the Name column are only for reference within this document, and are not
+        present in the actual representation of the authenticator data. 
    
    
    
-   
    The RP ID is originally received from the client when the credential is created, and again when an assertion is generated.
+   
    The RP ID is originally received from the client when the credential is created, and again when an assertion is generated.
 However, it differs from other client data in some important ways. First, unlike the client data, the RP ID of a
 credential does not change between operations but instead remains the same for the lifetime of that credential. Secondly, it is
 validated by the authenticator during the authenticatorGetAssertion operation, by verifying that the RP ID that
-the requested credential is scoped to exactly matches the RP ID supplied by the client.
    
-   
    Authenticators perform the following steps to generate an authenticator data structure:
    
+the requested credential is scoped to exactly matches the RP ID supplied by the client.
    
+   
    Authenticators perform the following steps to generate an authenticator data structure:
    
    
-   
    Figure  shows a visual representation of the authenticator data structure.
    
+   
    Figure  shows a visual representation of the authenticator data structure.
    
    
    
       
-    
    Authenticator data layout.
    
+    
    Authenticator data layout.
    
    
    
    
    
-     Note: authenticator data describes its own length: If the AT and ED flags are not set, it is always 37 bytes long.
+     Note: authenticator data describes its own length: If the AT and ED flags are not set, it is always 37 bytes long.
     The attested credential data (which is only present if the AT flag is set) describes its own length. If the ED flag is set, then the total length is 37 bytes plus the length of the attested credential data (if the AT flag is set), plus the length of the extensions output (a CBOR map) that
     follows. 
     
    Determining attested credential data's length, which is variable, involves determining credentialPublicKey’s beginning location given the preceding credentialId’s length, and then determining the credentialPublicKey’s length (see also Section 7 of [RFC9052]).
    
    
    
    
    6.1.1. Signature Counter Considerations
    
    
    Authenticators SHOULD implement a signature counter feature. These counters are conceptually stored for each credential
-by the authenticator, or globally for the authenticator as a whole. The initial value of a credential’s signature counter is specified in the signCount value of the authenticator data returned by authenticatorMakeCredential. The signature counter is incremented for each successful authenticatorGetAssertion operation by some positive value, and subsequent values are returned to the WebAuthn Relying Party within the authenticator data again. The signature counter's purpose is to aid Relying Parties in detecting cloned authenticators. Clone
+by the authenticator, or globally for the authenticator as a whole. The initial value of a credential’s signature counter is specified in the signCount value of the authenticator data returned by authenticatorMakeCredential. The signature counter is incremented for each successful authenticatorGetAssertion operation by some positive value, and subsequent values are returned to the WebAuthn Relying Party within the authenticator data again. The signature counter's purpose is to aid Relying Parties in detecting cloned authenticators. Clone
 detection is more important for authenticators with limited protection measures.
    
-   
    Authenticators that do not implement a signature counter leave the signCount in the authenticator data constant at zero.
    
-   
    A Relying Party stores the signature counter of the most recent authenticatorGetAssertion operation. (Or the counter from the authenticatorMakeCredential operation if no authenticatorGetAssertion has ever been performed on a credential.) In subsequent authenticatorGetAssertion operations, the Relying Party compares the stored signature counter value with the new signCount value returned in the assertion’s authenticator data. If either is non-zero, and the new signCount value is less than or equal to the stored value, a cloned authenticator may exist, or the authenticator may be malfunctioning.
    
-   
    Detecting a signature counter mismatch does not indicate whether the current operation was performed by a cloned authenticator or the original authenticator. Relying Parties should address this situation appropriately relative to their individual situations, i.e., their risk tolerance.
    
+   
    Authenticators that do not implement a signature counter leave the signCount in the authenticator data constant at zero.
    
+   
    A Relying Party stores the signature counter of the most recent authenticatorGetAssertion operation. (Or the counter from the authenticatorMakeCredential operation if no authenticatorGetAssertion has ever been performed on a credential.) In subsequent authenticatorGetAssertion operations, the Relying Party compares the stored signature counter value with the new signCount value returned in the assertion’s authenticator data. If either is non-zero, and the new signCount value is less than or equal to the stored value, a cloned authenticator may exist, or the authenticator may be malfunctioning.
    
+   
    Detecting a signature counter mismatch does not indicate whether the current operation was performed by a cloned authenticator or the original authenticator. Relying Parties should address this situation appropriately relative to their individual situations, i.e., their risk tolerance.
    
    
    Authenticators:
    
    
    
    6.1.2. FIDO U2F Signature Format Compatibility
    
-   
    The format for assertion signatures, which sign over the concatenation of an authenticator data structure and the hash
+   
    The format for assertion signatures, which sign over the concatenation of an authenticator data structure and the hash
 of the serialized client data, are compatible with the FIDO U2F authentication signature format (see Section 5.4 of [FIDO-U2F-Message-Formats]).
    
-   
    This is because the first 37 bytes of the signed data in a FIDO U2F authentication response message constitute a valid authenticator data structure, and the remaining 32 bytes are the hash of the serialized client data. In this authenticator data structure, the rpIdHash is the FIDO U2F application parameter, all flags except UP are always zero, and the attestedCredentialData and extensions are never present. FIDO U2F authentication signatures can therefore be verified by
+   
    This is because the first 37 bytes of the signed data in a FIDO U2F authentication response message constitute a valid authenticator data structure, and the remaining 32 bytes are the hash of the serialized client data. In this authenticator data structure, the rpIdHash is the FIDO U2F application parameter, all flags except UP are always zero, and the attestedCredentialData and extensions are never present. FIDO U2F authentication signatures can therefore be verified by
 the same procedure as other assertion signatures generated by the authenticatorGetAssertion operation.
    
    
    6.1.3. Credential Backup State
    
-   
    Credential backup eligibility and current backup state is conveyed by the BE and BS flags in the authenticator data, as
+   
    Credential backup eligibility and current backup state is conveyed by the BE and BS flags in the authenticator data, as
 defined in Table .
    
    
    The value of the BE flag is set during authenticatorMakeCredential operation and MUST NOT change.
    
-   
    The value of the BS flag may change over time based on the current state of the public key credential source. Table  below defines
+   
    The value of the BS flag may change over time based on the current state of the public key credential source. Table  below defines
 valid combinations and their meaning.
    
    
    
     
@@ -4823,31 +4902,31 @@ 
    
     
     BE and BS flag combinations 
    
    
-   
    It is RECOMMENDED that Relying Parties store the most recent value of these flags with the user account for future evaluation.
    
-   
    The following is a non-exhaustive list of how Relying Parties might use these flags:
    
+   
    It is RECOMMENDED that Relying Parties store the most recent value of these flags with the user account for future evaluation.
    
+   
    The following is a non-exhaustive list of how Relying Parties might use these flags:
    
    
    
    6.2. Authenticator Taxonomy
    
-   
    Many use cases are dependent on the capabilities of the authenticator used.
+   
    Many use cases are dependent on the capabilities of the authenticator used.
 This section defines some terminology for those capabilities, their most important combinations,
 and which use cases those combinations enable.
    
    
    For example:
    
@@ -4856,12 +4935,12 @@ 
    When authenticating for the first time on a particular client device, a roaming authenticator is typically needed
 since the user doesn’t yet have a platform credential on that client device.
    
     
  • 
-     
    For subsequent re-authentication on the same client device, a platform authenticator is likely the most convenient
+     
    For subsequent re-authentication on the same client device, a platform authenticator is likely the most convenient
 since it’s built directly into the client device rather than being a separate device that the user may have to locate.
    
     
  • 
-     
    For second-factor authentication in addition to a traditional username and password, any authenticator can be used.
    
+     
    For second-factor authentication in addition to a traditional username and password, any authenticator can be used.
    
     
  • 
-     
    Passwordless multi-factor authentication requires an authenticator capable of user verification, and in some cases also discoverable credential capable.
    
+     
    Passwordless multi-factor authentication requires an authenticator capable of user verification, and in some cases also discoverable credential capable.
    
     
  • 
      
    A laptop computer might support connecting to roaming authenticators via USB and Bluetooth,
 while a mobile phone might only support NFC.
    
@@ -4869,11 +4948,11 @@ 
    The above examples illustrate the primary authenticator type characteristics:
    
    
@@ -4910,7 +4989,7 @@ 
     Multi-factor capable 
       
    • 
         Passkey platform authenticator 
-        platform (transport = internal) or cross-platform (transport = hybrid)
+        platform (transport = internal) or cross-platform (transport = hybrid)
         Client-side storage 
         Multi-factor capable 
     
    
@@ -4921,97 +5000,97 @@ 
    second-factor roaming authenticator is more likely to be used
 to authenticate on a particular client device for the first time,
 or on a client device shared between multiple users.
    
-   
    User-verifying platform authenticators and first-factor roaming authenticators enable passwordless multi-factor authentication.
+   
    User-verifying platform authenticators and first-factor roaming authenticators enable passwordless multi-factor authentication.
 In addition to the proof of possession of the credential private key,
-these authenticators support user verification as a second authentication factor,
+these authenticators support user verification as a second authentication factor,
 typically a PIN or biometric recognition.
-The authenticator can thus act as two kinds of authentication factor,
-which enables multi-factor authentication while eliminating the need to share a password with the Relying Party.
    
+The authenticator can thus act as two kinds of authentication factor,
+which enables multi-factor authentication while eliminating the need to share a password with the Relying Party.
    
    
    The combinations not named in Table  have less distinguished use cases:
    
    
    
    The following subsections define the aspects authenticator attachment modality, credential storage modality and authentication factor capability in more depth.
    
    
    6.2.1. Authenticator Attachment Modality
    
-   
    Clients can communicate with authenticators using a variety of mechanisms. For example, a client MAY use a client device-specific API to communicate with an authenticator which is physically bound to a client device. On the other hand, a client can use a variety of standardized cross-platform transport protocols such as Bluetooth (see § 5.8.4 Authenticator Transport Enumeration (enum AuthenticatorTransport)) to discover
-and communicate with cross-platform attached authenticators. We refer to authenticators that
+   
    Clients can communicate with authenticators using a variety of mechanisms. For example, a client MAY use a client device-specific API to communicate with an authenticator which is physically bound to a client device. On the other hand, a client can use a variety of standardized cross-platform transport protocols such as Bluetooth (see § 5.8.4 Authenticator Transport Enumeration (enum AuthenticatorTransport)) to discover
+and communicate with cross-platform attached authenticators. We refer to authenticators that
 are part of the client device as platform authenticators, while those that are reachable via cross-platform
 transport protocols are referred to as roaming authenticators.
    
    
-   
    Some platform authenticators could possibly also act as roaming authenticators depending on context. For example, a platform authenticator integrated into a mobile device could make itself available as a roaming authenticator via
+   
    Some platform authenticators could possibly also act as roaming authenticators depending on context. For example, a platform authenticator integrated into a mobile device could make itself available as a roaming authenticator via
 Bluetooth.
-In this case clients running on the mobile device would recognise the authenticator as a platform authenticator,
-while clients running on a different client device and communicating with the same authenticator via Bluetooth
+In this case clients running on the mobile device would recognise the authenticator as a platform authenticator,
+while clients running on a different client device and communicating with the same authenticator via Bluetooth
 would recognize it as a roaming authenticator.
    
-   
    The primary use case for platform authenticators is to register a particular client device as a "trusted device",
+   
    The primary use case for platform authenticators is to register a particular client device as a "trusted device",
 so the client device itself acts as a something you have authentication factor for future authentication.
 This gives the user the convenience benefit
-of not needing a roaming authenticator for future authentication ceremonies, e.g., the user will not have to dig around in
+of not needing a roaming authenticator for future authentication ceremonies, e.g., the user will not have to dig around in
 their pocket for their key fob or phone.
    
    
    Use cases for roaming authenticators include: authenticating on a new client device for the first time,
 on rarely used client devices, client devices shared between multiple users,
-or client devices that do not include a platform authenticator;
-and when policy or preference dictates that the authenticator be kept separate from the client devices it is used with.
+or client devices that do not include a platform authenticator;
+and when policy or preference dictates that the authenticator be kept separate from the client devices it is used with.
 A roaming authenticator can also be used to hold
-backup credentials in case another authenticator is lost.
    
+backup credentials in case another authenticator is lost.
    
    
    6.2.2. Credential Storage Modality
    
-   
    An authenticator can store a public key credential source in one of two ways:
    
+   
    An authenticator can store a public key credential source in one of two ways:
    
    
      
     
    1. 
-     
      In persistent storage embedded in the authenticator, client or client device, e.g., in a secure element.
+     
      In persistent storage embedded in the authenticator, client or client device, e.g., in a secure element.
 This is a technical requirement for a client-side discoverable public key credential source.
      
     
    2. 
-     
      By encrypting (i.e., wrapping) the credential private key such that only this authenticator can decrypt (i.e., unwrap) it and letting the resulting
-ciphertext be the credential ID for the public key credential source. The credential ID is stored by the Relying Party and returned to the authenticator via the allowCredentials option of get(), which allows the authenticator to decrypt and use the credential private key.
      
-     
      This enables the authenticator to have unlimited storage capacity for credential private keys, since the encrypted credential private keys are stored by the Relying Party instead of by the authenticator - but it means that a credential stored in this way must be retrieved from the Relying Party before the authenticator can use it.
      
+     
      By encrypting (i.e., wrapping) the public key credential source such that only this authenticator can decrypt (i.e., unwrap) it and letting the resulting
+ciphertext be the credential ID of the public key credential source. The credential ID is stored by the Relying Party and returned to the authenticator via the allowCredentials option of get(), which allows the authenticator to decrypt and use the public key credential source.
      
+     
      This enables the authenticator to have unlimited credential storage capacity, since the encrypted public key credential sources are stored by the Relying Party instead of by the authenticator - but it means that a credential stored in this way must be retrieved from the Relying Party before the authenticator can use it.
      
    
    
-   
    Which of these storage strategies an authenticator supports defines the authenticator's credential storage
+   
    Which of these storage strategies an authenticator supports defines the authenticator's credential storage
 modality as follows:
    
    
-   
    Note that a discoverable credential capable authenticator MAY support both storage strategies. In this case, the authenticator MAY
-at its discretion use different storage strategies for different credentials, though subject to the residentKey or requireResidentKey options of create().
    
+   
    Note that a discoverable credential capable authenticator MAY support both storage strategies. In this case, the authenticator MAY
+at its discretion use different storage strategies for different credentials, though subject to the residentKey and requireResidentKey options of create().
    
    
    6.2.3. Authentication Factor Capability
    
-   
    There are three broad classes of authentication factors that can be used to prove an identity during an authentication
+   
    There are three broad classes of authentication factors that can be used to prove an identity during an authentication
 ceremony: something you have, something you know and something you are. Examples include a physical key, a password,
 and a fingerprint, respectively.
    
-   
    All WebAuthn Authenticators belong to the something you have class, but an authenticator that supports user
-verification can also act as one or two additional kinds of authentication factor. For example, if the authenticator can
-verify a PIN, the PIN is something you know, and a biometric authenticator can verify something you are. Therefore, an authenticator that supports user verification is multi-factor capable. Conversely, an authenticator that is
-not multi-factor capable is single-factor capable. Note that a single multi-factor capable authenticator could support several modes of user verification, meaning it could act as all three kinds of authentication factor.
    
-   
    Although user verification is performed locally on the authenticator and not by the Relying Party, the authenticator indicates if user verification was performed by setting the UV flag in the signed response returned to the Relying Party.
-The Relying Party can therefore use the UV flag to verify that additional authentication factors were used in a registration or authentication ceremony. The authenticity of the UV flag can in turn be assessed by inspecting the authenticator's attestation statement.
    
+   
    All WebAuthn Authenticators belong to the something you have class, but an authenticator that supports user
+verification can also act as one or two additional kinds of authentication factor. For example, if the authenticator can
+verify a PIN, the PIN is something you know, and a biometric authenticator can verify something you are. Therefore, an authenticator that supports user verification is multi-factor capable. Conversely, an authenticator that is
+not multi-factor capable is single-factor capable. Note that a single multi-factor capable authenticator could support several modes of user verification, meaning it could act as all three kinds of authentication factor.
    
+   
    Although user verification is performed locally on the authenticator and not by the Relying Party, the authenticator indicates if user verification was performed by setting the UV flag in the signed response returned to the Relying Party.
+The Relying Party can therefore use the UV flag to verify that additional authentication factors were used in a registration or authentication ceremony. The authenticity of the UV flag can in turn be assessed by inspecting the authenticator's attestation statement.
    
    
    6.3. Authenticator Operations
    
-   
    A WebAuthn Client MUST connect to an authenticator in order to invoke any of the operations of that authenticator. This connection
+   
    A WebAuthn Client MUST connect to an authenticator in order to invoke any of the operations of that authenticator. This connection
 defines an authenticator session. An authenticator must maintain isolation between sessions. It may do this by only allowing one
 session to exist at any particular time, or by providing more complicated session management.
    
    
    The following operations can be invoked by the client in an authenticator session.
    
    
    6.3.1. Lookup Credential Source by Credential ID Algorithm
    
-   
    The result of looking up a credential id credentialId in an authenticator authenticator is the result of the following algorithm:
    
+   
    The result of looking up a credential id credentialId in an authenticator authenticator is the result of the following algorithm:
    
    
      
     
    1. 
-     
      If authenticator can decrypt credentialId into a public key credential source credSource:
      
+     
      If authenticator can decrypt credentialId into a public key credential source credSource:
      
      
        
       
      1. 
        
        Set credSource.id to credentialId.
        
@@ -5019,7 +5098,7 @@ 
        For each public key credential source credSource of authenticator’s credentials map:
        
+     
        For each public key credential source credSource of authenticator’s credentials map:
        
      
          
       
        1. 
        
          If credSource.id is credentialId, return credSource.
          
@@ -5035,28 +5114,26 @@ 
          The hash of the serialized client data, provided by the client.
          
     
          rpEntity
     
          
-     
          The Relying Party's PublicKeyCredentialRpEntity.
          
+     
          The Relying Party's PublicKeyCredentialRpEntity.
          
     
          userEntity
     
          
-     
          The user account’s PublicKeyCredentialUserEntity, containing the user handle given by the Relying Party.
          
+     
          The user account’s PublicKeyCredentialUserEntity, containing the user handle given by the Relying Party.
          
     
          requireResidentKey
     
          
-     
          The effective resident key requirement for credential creation, a Boolean value determined by the client.
          
+     
          The effective resident key requirement for credential creation, a Boolean value determined by the client.
          
     
          requireUserPresence
     
          
-     
          The constant Boolean value true.
-It is included here as a pseudo-parameter to simplify applying this abstract authenticator model to implementations that may
-wish to make a test of user presence optional although WebAuthn does not.
          
+     
          The constant Boolean value true, or FALSE when options.mediation is set to conditional and the user agent previously collected consent from the user.
          
     
          requireUserVerification
     
          
-     
          The effective user verification requirement for credential creation, a Boolean value determined by the client.
          
+     
          The effective user verification requirement for credential creation, a Boolean value determined by the client.
          
     
          credTypesAndPubKeyAlgs
     
          
-     
          A sequence of pairs of PublicKeyCredentialType and public key algorithms (COSEAlgorithmIdentifier) requested by the Relying Party. This sequence is ordered from most preferred to least preferred. The authenticator makes a best-effort to create the most
+     
          A sequence of pairs of PublicKeyCredentialType and public key algorithms (COSEAlgorithmIdentifier) requested by the Relying Party. This sequence is ordered from most preferred to least preferred. The authenticator makes a best-effort to create the most
 preferred credential that it can.
          
     
          excludeCredentialDescriptorList
     
          
-     
          An OPTIONAL list of PublicKeyCredentialDescriptor objects provided by the Relying Party with the intention that, if any of
+     
          An OPTIONAL list of PublicKeyCredentialDescriptor objects provided by the Relying Party with the intention that, if any of
 these are known to the authenticator, it SHOULD NOT create a new credential. excludeCredentialDescriptorList contains a
 list of known credentials.
          
     
          enterpriseAttestationPossible
@@ -5064,15 +5141,15 @@ 
          A Boolean value that indicates that individually-identifying attestation MAY be returned by the authenticator.
          
     
          attestationFormats
     
          
-     
          A sequence of strings that expresses the Relying Party's preference for attestation statement formats, from most to least preferable. If the authenticator returns attestation, then it makes a best-effort attempt to use the most preferable format that it supports.
          
+     
          A sequence of strings that expresses the Relying Party's preference for attestation statement formats, from most to least preferable. If the authenticator returns attestation, then it makes a best-effort attempt to use the most preferable format that it supports.
          
     
          extensions
     
          
-     
          A CBOR map from extension identifiers to their authenticator extension inputs, created by the client based on
-the extensions requested by the Relying Party, if any.
          
+     
          A CBOR map from extension identifiers to their authenticator extension inputs, created by the client based on
+the extensions requested by the Relying Party, if any.
          
    
    • 
    
    Note: Before performing this operation, all other operations in progress in the authenticator session MUST be aborted by
 running the authenticatorCancel operation.
    
-   
    When this operation is invoked, the authenticator MUST perform the following procedure:
    
+   
    When this operation is invoked, the authenticator MUST perform the following procedure:
    
    
      
     
    1. 
      
      Check if all the supplied parameters are syntactically well-formed and of the correct length. If not, return an error code
@@ -5086,8 +5163,8 @@ 
      
        
      If looking up descriptor.id in this authenticator
 returns non-null, and the returned item's RP ID and type match rpEntity.id and excludeCredentialDescriptorList.type respectively,
-then collect an authorization gesture confirming user
-consent for creating a new credential. The authorization gesture MUST include a test
+then collect an authorization gesture confirming user
+consent for creating a new credential. The authorization gesture MUST include a test
 of user presence. If the user
      
        
      
         
      confirms consent to create a new credential
@@ -5095,31 +5172,31 @@ 
      return an error code equivalent to "InvalidStateError" and terminate the operation.
      
         
      does not consent to create a new credential
         
      
-         
      return an error code equivalent to "NotAllowedError" and terminate the operation.
      
+         
      return an error code equivalent to "NotAllowedError" and terminate the operation.
      
        
      
-       
      Note: The purpose of this authorization gesture is not to proceed with creating a credential,
-but for privacy reasons to authorize disclosure of the fact that descriptor.id is bound to this authenticator.
-If the user consents, the client and Relying Party can detect this and guide the user to use a different authenticator.
+       
      Note: The purpose of this authorization gesture is not to proceed with creating a credential,
+but for privacy reasons to authorize disclosure of the fact that descriptor.id is bound to this authenticator.
+If the user consents, the client and Relying Party can detect this and guide the user to use a different authenticator.
 If the user does not consent,
-the authenticator does not reveal that descriptor.id is bound to it,
+the authenticator does not reveal that descriptor.id is bound to it,
 and responds as if the user simply declined consent to create a credential.
      
      
    
     
  • 
      
    If requireResidentKey is true and the authenticator cannot store a client-side discoverable public key credential source,
-return an error code equivalent to "ConstraintError" and terminate the operation.
    
+return an error code equivalent to "ConstraintError" and terminate the operation.
    
     
  • 
-     
    If requireUserVerification is true and the authenticator cannot perform user verification, return an error code
-equivalent to "ConstraintError" and terminate the operation.
    
+     
    If requireUserVerification is true and the authenticator cannot perform user verification, return an error code
+equivalent to "ConstraintError" and terminate the operation.
    
     
  • 
-     
    Once the authorization gesture has been completed and user consent has been obtained, generate a new credential object:
    
+      Collect an authorization gesture confirming user consent for creating a new credential.
+    The prompt for the authorization gesture is shown by the
+    authenticator if it has its own output capability, or by the user agent otherwise. The prompt SHOULD display rpEntity.id, rpEntity.name, userEntity.name and userEntity.displayName, if possible. 
+     
    If requireUserVerification is true, the authorization gesture MUST include user verification.
    
+     
    If requireUserPresence is true, the authorization gesture MUST include a test of user presence.
    
+     
    If the user does not consent or if user verification fails, return an error code equivalent to
+    "NotAllowedError" and terminate the operation.
    
+    
  • 
+     
    Once the authorization gesture has been completed and user consent has been obtained, generate a new credential object:
    
      
      
       
    1. 
        
      Let (publicKey, privateKey) be a new pair of cryptographic keys using the combination of PublicKeyCredentialType and cryptographic parameters represented by the first item in credTypesAndPubKeyAlgs that is supported by
@@ -5127,7 +5204,7 @@ 
      
        
      Let userHandle be userEntity.id.
      
       
    2. 
-       
      Let credentialSource be a new public key credential source with the fields:
      
+       
      Let credentialSource be a new public key credential source with the fields:
      
        
      
         
      type
         
      
@@ -5169,17 +5246,17 @@ 
      If any error occurred while creating the new credential object, return an error code equivalent to "UnknownError" and
 terminate the operation.
      
     
    3. 
-     
      Let processedExtensions be the result of authenticator extension processing for each supported extension
+     
      Let processedExtensions be the result of authenticator extension processing for each supported extension
 identifierauthenticator extension input in extensions.
      
     
    4. 
-     
      If the authenticator:
      
+     
      If the authenticator:
      
      
      
       
      is a U2F device
       
      
        
      let the signature counter value for the new credential be zero. (U2F devices may support signature counters but do not return a counter when making a credential. See [FIDO-U2F-Message-Formats].)
      
       
      supports a global signature counter
       
      
-       
      Use the global signature counter's actual value when generating authenticator data.
      
+       
      Use the global signature counter's actual value when generating authenticator data.
      
       
      supports a per credential signature counter
       
      
        
      allocate the counter, associate it with the new credential, and initialize the counter value as zero.
      
@@ -5195,9 +5272,9 @@ 
      
      
      Let authenticatorData be the byte array specified in § 6.1 Authenticator Data, including attestedCredentialData as the attestedCredentialData and processedExtensions, if any, as the extensions.
      
     
    5. 
-     
      Create an attestation object for the new credential using the procedure specified in § 6.5.5 Generating an Attestation Object, the attestation statement format attestationFormat, and the values authenticatorData and hash, as well as taking into account the value of enterpriseAttestationPossible. For more details on attestation, see § 6.5 Attestation.
      
+     
      Create an attestation object for the new credential using the procedure specified in § 6.5.4 Generating an Attestation Object, the attestation statement format attestationFormat, and the values authenticatorData and hash, as well as taking into account the value of enterpriseAttestationPossible. For more details on attestation, see § 6.5 Attestation.
      
    
    
-   
    On successful completion of this operation, the authenticator returns the attestation object to the client.
    
+   
    On successful completion of this operation, the authenticator returns the attestation object to the client.
    
    
    6.3.3. The authenticatorGetAssertion Operation
    
    
    It takes the following input parameters:
    
    
    
@@ -5209,35 +5286,29 @@ 
    The hash of the serialized client data, provided by the client.
    
     
    allowCredentialDescriptorList
     
    
-     
    An OPTIONAL list of PublicKeyCredentialDescriptors describing credentials acceptable to the Relying Party (possibly filtered
+     
    An OPTIONAL list of PublicKeyCredentialDescriptors describing credentials acceptable to the Relying Party (possibly filtered
 by the client), if any.
    
     
    requireUserPresence
     
    
      
    The constant Boolean value true.
 It is included here as a pseudo-parameter to simplify applying this abstract authenticator model to implementations that may
-wish to make a test of user presence optional although WebAuthn does not.
    
+wish to make a test of user presence optional although WebAuthn does not.
    
     
    requireUserVerification
     
    
      
    The effective user verification requirement for assertion, a Boolean value provided by the client.
    
-    
    enterpriseAttestationPossible
-    
    
-     
    A Boolean value that indicates that individually-identifying attestation MAY be returned by the authenticator.
    
-    
    attestationFormats
-    
    
-     
    A sequence of strings that expresses the Relying Party's preference for attestation statement formats, from most to least preferable. If the authenticator returns attestation, then it makes a best-effort attempt to use the most preferable format that it supports.
    
     
    extensions
     
    
-     
    A CBOR map from extension identifiers to their authenticator extension inputs, created by the client based on
-the extensions requested by the Relying Party, if any.
    
+     
    A CBOR map from extension identifiers to their authenticator extension inputs, created by the client based on
+the extensions requested by the Relying Party, if any.
    
    
    
    
    Note: Before performing this operation, all other operations in progress in the authenticator session MUST be aborted by running the authenticatorCancel operation.
    
-   
    When this method is invoked, the authenticator MUST perform the following procedure:
    
+   
    When this method is invoked, the authenticator MUST perform the following procedure:
    
    
      
     
    1. 
      
      Check if all the supplied parameters are syntactically well-formed and of the correct length. If not, return an error code
 equivalent to "UnknownError" and terminate the operation.
      
     
    2. 
-     
      Let credentialOptions be a new empty set of public key credential sources.
      
+     
      Let credentialOptions be a new empty set of public key credential sources.
      
     
    3. 
      
      If allowCredentialDescriptorList was supplied, then for each descriptor of allowCredentialDescriptorList:
      
      
        
@@ -5253,50 +5324,39 @@ 
        
      
        Remove any items from credentialOptions whose rpId is not equal to rpId.
        
     
      1. 
-     
        If credentialOptions is now empty, return an error code equivalent to "NotAllowedError" and terminate the operation.
        
+     
        If credentialOptions is now empty, return an error code equivalent to "NotAllowedError" and terminate the operation.
        
     
      2. 
-      Prompt the user to select a public key credential source selectedCredential from credentialOptions.
-    Collect an authorization gesture confirming user consent for using selectedCredential.
-    The prompt for the authorization gesture may be shown
-    by the authenticator if it has its own output capability, or by the user agent otherwise. 
-     
        If requireUserVerification is true, the authorization gesture MUST include user verification.
        
-     
        If requireUserPresence is true, the authorization gesture MUST include a test of user presence.
        
+      Prompt the user to select a public key credential source selectedCredential from credentialOptions.
+    Collect an authorization gesture confirming user consent for using selectedCredential.
+    The prompt for the authorization gesture may be shown
+    by the authenticator if it has its own output capability, or by the user agent otherwise. 
+     
        If requireUserVerification is true, the authorization gesture MUST include user verification.
        
+     
        If requireUserPresence is true, the authorization gesture MUST include a test of user presence.
        
      
        If the user does not consent, return an error code equivalent to
-    "NotAllowedError" and terminate the operation.
        
+    "NotAllowedError" and terminate the operation.
        
     
      3. 
-     
        Let processedExtensions be the result of authenticator extension processing for each supported extension
+     
        Let processedExtensions be the result of authenticator extension processing for each supported extension
 identifierauthenticator extension input in extensions.
        
     
      4. 
      
        Increment the credential associated signature counter or the global signature counter value, depending on
-which approach is implemented by the authenticator, by some positive value.
-If the authenticator does not implement a signature counter, let the signature counter value remain constant at
+which approach is implemented by the authenticator, by some positive value.
+If the authenticator does not implement a signature counter, let the signature counter value remain constant at
 zero.
        
-    
      5. 
-     
        If attestationFormats:
        
-     
        
-      
        is not empty
-      
        
-       
        let attestationFormat be the first supported attestation statement format from attestationFormats, taking into account enterpriseAttestationPossible. If none are supported, fallthrough to:
        
-      
        is empty
-      
        
-       
        let attestationFormat be the attestation statement format most preferred by this authenticator. If it does not support attestation during assertion then let this be none.
        
-     
        
     
      6. 
      
        Let authenticatorData be the byte array specified in § 6.1 Authenticator Data including processedExtensions, if any, as
-the extensions and excluding attestedCredentialData. This authenticatorData MUST include attested credential data if, and only if, attestationFormat is not none.
        
+the extensions and excluding attestedCredentialData.
        
     
      7. 
      
        Let signature be the assertion signature of the concatenation authenticatorData || hash using the privateKey of selectedCredential as shown in Figure , below. A simple,
 undelimited
-concatenation is safe to use here because the authenticator data describes its own length. The hash of the serialized
+concatenation is safe to use here because the authenticator data describes its own length. The hash of the serialized
 client data (which potentially has a variable length) is always the last element.
        
      
        
         
       
        Generating an assertion signature.
        
      
        
     
      8. 
-     
        The attestationFormat is not none then create an attestation object for the new credential using the procedure specified in § 6.5.5 Generating an Attestation Object, the attestation statement format attestationFormat, and the values authenticatorData and hash, as well as taking into account the value of enterpriseAttestationPossible. For more details on attestation, see § 6.5 Attestation.
        
-    
      9. 
-     
        If any error occurred then return an error code equivalent to "UnknownError" and terminate the operation.
        
+     
        If any error occurred while generating the assertion signature, return an error code equivalent to "UnknownError" and
+terminate the operation.
        
     
      10. 
       Return to the user agent: 
      
          
@@ -5310,14 +5370,12 @@ 
          authenticatorData
          
       
        • 
        
          signature
          
-      
        • 
-       
          The attestation object, if an attestation object was created for this assertion.
          
       
        • 
        
          selectedCredential.userHandle
          
        
          Note: In cases where allowCredentialDescriptorList was supplied the returned userHandle value may be null, see: userHandleResult.
          
      
        
    
      
-   
      If the authenticator cannot find any credential corresponding to the specified Relying Party that
+   
      If the authenticator cannot find any credential corresponding to the specified Relying Party that
 matches the specified criteria, it terminates the operation and returns an error.
      
    
      6.3.4. The authenticatorCancel Operation
      
    
      This operation takes no input parameters and returns no result.
      
@@ -5326,14 +5384,14 @@ 
      authenticator session which does not have an authenticatorMakeCredential or authenticatorGetAssertion operation currently in progress.
      
    
      6.3.5. The silentCredentialDiscovery operation
      
-   
      This is an OPTIONAL operation authenticators MAY support to enable conditional user mediation.
      
+   
      This is an OPTIONAL operation authenticators MAY support to enable conditional user mediation.
      
    
      It takes the following input parameter:
      
    
      
     
      rpId
     
      
-     
      The caller’s RP ID, as determined by the client.
      
+     
      The caller’s RP ID, as determined by the client.
      
    
      
-   
      When this operation is invoked, the authenticator MUST perform the following procedure:
      
+   
      When this operation is invoked, the authenticator MUST perform the following procedure:
      
    
        
     
      1. 
      
        Let collectedDiscoverableCredentialMetadata be a new list whose items are DiscoverableCredentialMetadata structs with the following items:
        
@@ -5352,10 +5410,10 @@ 
        A user handle.
        
       
        otherUI
       
        
-       
        Other information used by the authenticator to inform its UI.
        
+       
        Other information used by the authenticator to inform its UI.
        
      
     
      2. 
-     
        For each public key credential source credSource of authenticator’s credentials map:
        
+     
        For each public key credential source credSource of authenticator’s credentials map:
        
      
          
       
        1. 
        
          If credSource is not a client-side discoverable credential, continue.
          
@@ -5370,25 +5428,54 @@ 
          Return collectedDiscoverableCredentialMetadata.
          
    
        
    
        6.4. String Handling
        
-   
        Authenticators may be required to store arbitrary strings chosen by a Relying Party, for example the name and displayName in a PublicKeyCredentialUserEntity. This section discusses some practical consequences of handling arbitrary strings that may be presented to humans.
        
+   
        Authenticators may be required to store arbitrary strings chosen by a Relying Party, for example the name and displayName in a PublicKeyCredentialUserEntity. This section discusses some practical consequences of handling arbitrary strings that may be presented to humans.
        
    
        6.4.1. String Truncation
        
-   
        Each arbitrary string in the API will have some accommodation for the potentially limited resources available to an authenticator. If string value truncation is the chosen accommodation then authenticators MAY truncate in order to make the string fit within a length equal or greater than the specified minimum supported length. Such truncation SHOULD also respect UTF-8 sequence boundaries or grapheme cluster boundaries [UAX29]. This defines the maximum truncation permitted and authenticators MUST NOT truncate further.
        
-   
        For example, in figure  the string is 65 bytes long. If truncating to 64 bytes then the final 0x88 byte must be removed purely because of space reasons. Since that leaves a partial UTF-8 sequence the remainder of that sequence may also be removed. Since that leaves a partial grapheme cluster an authenticator may remove the remainder of that cluster.
        
+   
        Each arbitrary string in the API will have some accommodation for the potentially limited resources available to an authenticator.
+When the chosen accommodation is string truncation, care needs to be taken to not corrupt the string value.
        
+   
        For example, truncation based on Unicode code points alone may cause a grapheme cluster to be truncated.
+This could make the grapheme cluster render as a different glyph,
+potentially changing the meaning of the string, instead of removing the glyph entirely.
+For example, figure  shows the end of a UTF-8 encoded string whose encoding is 65 bytes long.
+If truncating to 64 bytes then the final 0x88 byte is removed first to satisfy the size limit.
+Since that leaves a partial UTF-8 code point, the remainder of that code point must also be removed.
+Since that leaves a partial grapheme cluster, the remainder of that cluster should also be removed.
        
    
        
       
     
        The end of a UTF-8 encoded string showing the positions of different truncation boundaries.
        
    
        
-   
        Conforming User Agents are responsible for ensuring that the authenticator behavior observed by Relying Parties conforms to this specification with respect to string handling. For example, if an authenticator is known to behave incorrectly when asked to store large strings, the user agent SHOULD perform the truncation for it in order to maintain the model from the point of view of the Relying Party. User-agents that do this SHOULD truncate at grapheme cluster boundaries.
        
-   
        Truncation based on UTF-8 sequences alone may cause a grapheme cluster to be truncated. This could make the grapheme cluster render as a different glyph, potentially changing the meaning of the string, instead of removing the glyph entirely.
        
-   
        In addition to that, truncating on byte boundaries alone causes a known issue that user agents should be aware of: if the authenticator is using [FIDO-CTAP] then future messages from the authenticator may contain invalid CBOR since the value is typed as a CBOR string and thus is required to be valid UTF-8. User agents are tasked with handling this to avoid burdening authenticators with understanding character encodings and Unicode character properties. Thus, when dealing with authenticators, user agents SHOULD:
        
+   
        The responsibility for handling these concerns falls primarily on the client,
+to avoid burdening authenticators with understanding character encodings and Unicode character properties.
+The following subsections define requirements for how clients and authenticators,
+respectively, may perform string truncation.
        
+   
        6.4.1.1. String Truncation by Clients
        
+   
        When a WebAuthn Client truncates a string,
+the truncation behaviour observable by the Relying Party MUST satisfy the following requirements:
        
+   
        Choose a size limit equal to or greater than the specified minimum supported length.
+The string MAY be truncated so that its length in bytes in the UTF-8 character encoding satisfies that limit.
+This truncation MUST respect UTF-8 code point boundaries, and SHOULD respect grapheme cluster boundaries [UAX29].
+The resulting truncated value MAY be shorter than the chosen size limit
+but MUST NOT be shorter than the longest prefix substring that satisfies the size limit and ends on a grapheme cluster boundary.
        
+   
        The client MAY let the authenticator perform the truncation if it satisfies these requirements;
+otherwise the client MUST perform the truncation before relaying the string value to the authenticator.
        
+   
        In addition to the above, truncating on byte boundaries alone causes a known issue that user agents should be aware of: if the authenticator is using [FIDO-CTAP] then future messages from the authenticator may contain invalid CBOR since the value is typed as a CBOR string and thus is required to be valid UTF-8. Thus, when dealing with authenticators, user agents SHOULD:
        
    
          
     
        1. 
      
          Ensure that any strings sent to authenticators are validly encoded.
          
     
        2. 
      
          Handle the case where strings have been truncated resulting in an invalid encoding. For example, any partial code point at the end may be dropped or replaced with U+FFFD.
          
    
        
+   
        6.4.1.2. String Truncation by Authenticators
        
+   
        Because a WebAuthn Authenticator may be implemented in a constrained environment,
+the requirements on authenticators are relaxed compared to those for clients.
        
+   
        When a WebAuthn Authenticator truncates a string,
+the truncation behaviour MUST satisfy the following requirements:
        
+   
        Choose a size limit equal to or greater than the specified minimum supported length.
+The string MAY be truncated so that its length in bytes in the UTF-8 character encoding satisfies that limit.
+This truncation SHOULD respect UTF-8 code point boundaries, and MAY respect grapheme cluster boundaries [UAX29].
+The resulting truncated value MAY be shorter than the chosen size limit
+but MUST NOT be shorter than the longest prefix substring that satisfies the size limit and ends on a grapheme cluster boundary.
        
    
        6.4.2. Language and Direction Encoding
        
-   
        In order to be correctly displayed in context, the language and base direction of a string may be required. Strings in this API may have to be written to fixed-function authenticators and then later read back and displayed on a different platform. Thus language and direction metadata is encoded in the string itself to ensure that it is transported atomically.
        
+   
        In order to be correctly displayed in context, the language and base direction of a string may be required. Strings in this API may have to be written to fixed-function authenticators and then later read back and displayed on a different platform. Thus language and direction metadata is encoded in the string itself to ensure that it is transported atomically.
        
    
        To encode language and direction metadata in a string that is documented as permitting it, suffix its code points with two sequences of code points:
        
    
        The first encodes a language tag with the code point U+E0001 followed by the ASCII values of the language tag each shifted up by U+E0000. For example, the language tag “en-US” becomes the code points U+E0001, U+E0065, U+E006E, U+E002D, U+E0055, U+E0053.
        
    
        The second consists of a single code point which is either U+200E (“LEFT-TO-RIGHT MARK”), U+200F (“RIGHT-TO-LEFT MARK”), or U+E007F (“CANCEL TAG”). The first two can be used to indicate directionality but SHOULD only be used when neccessary to produce the correct result. (E.g. an RTL string that starts with LTR-strong characters.) The value U+E007F is a direction-agnostic indication of the end of the language tag.
        
@@ -5401,69 +5488,58 @@ 
        
    
        Consumers of strings that may have language and direction encoded should be aware that truncation could truncate a language tag into a different, but still valid, language. The final directionality marker or CANCEL TAG code point provide an unambigous indication of truncation.
        
    
        6.5. Attestation
        
-   
        Authenticators SHOULD also provide some form of attestation, if possible.
-If an authenticator does, the basic requirement is that the authenticator can
-produce, for each credential public key, an attestation statement verifiable by the WebAuthn Relying Party. Typically, this attestation statement contains a signature by an attestation private key over the attested credential public key and
+   
        Authenticators SHOULD also provide some form of attestation, if possible.
+If an authenticator does, the basic requirement is that the authenticator can
+produce, for each credential public key, an attestation statement verifiable by the WebAuthn Relying Party. Typically, this attestation statement contains a signature by an attestation private key over the attested credential public key and
 a challenge, as well as a certificate or similar data providing provenance information for the attestation public key,
-enabling the Relying Party to make a trust decision. However, if an attestation key pair is not available, then the authenticator
-MAY either perform self attestation of the credential public key with the corresponding credential private key,
-or otherwise perform no attestation.
        
-   
        All this information is returned by authenticators any time a new public key credential is generated, and optionally when exercised, in the overall form of an attestation object. The relationship of the attestation object with authenticator data (containing attested credential data) and the attestation statement is illustrated in figure , below.
        
-   
        If an authenticator employs self attestation or no attestation, then no provenance information is provided
-for the Relying Party to base a trust decision on.
-In these cases, the authenticator provides no guarantees about its operation to the Relying Party.
        
+enabling the Relying Party to make a trust decision. However, if an attestation key pair is not available, then the authenticator
+MAY either perform self attestation of the credential public key with the corresponding credential private key,
+or otherwise perform no attestation. All this information is returned by authenticators any time a new public key credential is generated, in the overall form of an attestation object. The relationship of the attestation object with authenticator data (containing attested credential data) and the attestation statement is illustrated in figure , below.
        
+   
        If an authenticator employs self attestation or no attestation, then no provenance information is provided
+for the Relying Party to base a trust decision on.
+In these cases, the authenticator provides no guarantees about its operation to the Relying Party.
        
    
        
       
-    
        Attestation object layout illustrating the included authenticator data from a create() operation (containing attested credential
-    data) and the attestation statement.
        
+    
        Attestation object layout illustrating the included authenticator data (containing attested credential
+    data) and the attestation statement.
        
    
        
-   
         This figure illustrates only the packed attestation statement format. Several additional attestation statement
+   
         This figure illustrates only the packed attestation statement format. Several additional attestation statement
   formats are defined in § 8 Defined Attestation Statement Formats. 
        
-   
        An important component of the attestation object is the attestation statement. This is a specific type of signed
-data object, containing statements about a public key credential itself and the authenticator that created it. It
+   
        An important component of the attestation object is the attestation statement. This is a specific type of signed
+data object, containing statements about a public key credential itself and the authenticator that created it. It
 contains an attestation signature created using the key of the attesting authority (except for the case of self
-attestation, when it is created using the credential private key). In order to correctly interpret an attestation
-statement, a Relying Party needs to understand these two aspects of attestation:
        
+attestation, when it is created using the credential private key). In order to correctly interpret an attestation
+statement, a Relying Party needs to understand these two aspects of attestation:
        
    
          
     
        1. 
      
          The attestation statement format is the manner in which the signature is represented and the various contextual
-bindings are incorporated into the attestation statement by the authenticator. In other words, this defines the
-syntax of the statement. Various existing components and OS platforms (such as TPMs and the Android OS) have previously defined attestation statement formats. This specification supports a variety of such formats in an extensible way, as defined in § 6.5.3 Attestation Statement Formats. The formats themselves are identified by strings, as described in § 8.1 Attestation Statement Format Identifiers.
          
+bindings are incorporated into the attestation statement by the authenticator. In other words, this defines the
+syntax of the statement. Various existing components and OS platforms (such as TPMs and the Android OS) have previously defined attestation statement formats. This specification supports a variety of such formats in an extensible way, as defined in § 6.5.2 Attestation Statement Formats. The formats themselves are identified by strings, as described in § 8.1 Attestation Statement Format Identifiers.
          
     
        2. 
-     
          The attestation type defines the semantics of attestation statements and their underlying trust models.
-Specifically, it defines how a Relying Party establishes trust in a particular attestation statement, after verifying that it
-is cryptographically valid. This specification supports a number of attestation types, as described in § 6.5.4 Attestation Types.
          
+     
          The attestation type defines the semantics of attestation statements and their underlying trust models.
+Specifically, it defines how a Relying Party establishes trust in a particular attestation statement, after verifying that it
+is cryptographically valid. This specification supports a number of attestation types, as described in § 6.5.3 Attestation Types.
          
    
        
-   
        In general, there is no simple mapping between attestation statement formats and attestation types. For example, the
-"packed" attestation statement format defined in § 8.2 Packed Attestation Statement Format can be used in conjunction with all attestation
+   
        In general, there is no simple mapping between attestation statement formats and attestation types. For example, the
+"packed" attestation statement format defined in § 8.2 Packed Attestation Statement Format can be used in conjunction with all attestation
 types, while other formats and types have more limited applicability.
        
-   
        The privacy, security and operational characteristics of attestation depend on:
        
+   
        The privacy, security and operational characteristics of attestation depend on:
        
    
-   
        The attestation type and attestation statement format is chosen by the authenticator; Relying Parties can only signal their preferences by setting the attestation and attestationFormats parameters, or those with the same names in PublicKeyCredentialRequestOptions.
        
-   
        It is expected that most authenticators will support a small number of attestation types and attestation statement
-formats, while Relying Parties will decide what attestation types are acceptable to them by policy. Relying Parties will also need to
-understand the characteristics of the authenticators that they trust, based on information they have about these authenticators. For example, the FIDO Metadata Service [FIDOMetadataService] provides one way to access such information.
        
-   
        6.5.1. Attestation in assertions
        
-   
        Attestation is most commonly provided during credential creation. However, if supported by the authenticator and requested by the Relying Party using the attestation parameter, attestation MAY be provided in assertions.
        
-   
        Attestations in assertions could be helpful in at least the following situations:
        
-   
          
-    
        1. 
-     
          For multi-device credentials, the generating authenticator may have returned a meaningfully different attestation than the authenticator currently exercising the credential. Thus returning an attestation for each use of the credential allows the Relying Party to observe these changes.
          
-    
        2. 
-     
          If the attestation statement format involves a 3rd-party attesting to the state of the authenticator, then returning an attestation with each use of the credential allows for the continued good health of the authenticator to be attested.
          
-   
        
-   
        Attestation objects provided in an AuthenticatorAttestationResponse structure (i.e. as the result of a create() operation) contain at least the three keys shown in the previous figure: fmt, attStmt, and authData. The authData key is not included when an attestation object is provided in an AuthenticatorAssertionResponse (i.e. as the result of a get() operation). That is because the authenticator data is provided directly in the authenticatorData member of the AuthenticatorAssertionResponse. Otherwise, processing of the attestation object is identical.
        
-   
        6.5.2. Attested Credential Data
        
-   
        Attested credential data is a variable-length byte array added to the authenticator data when generating an attestation
+   
        The attestation type and attestation statement format is chosen by the authenticator; Relying Parties can only signal their preferences by setting the attestation and attestationFormats parameters.
        
+   
        It is expected that most authenticators will support a small number of attestation types and attestation statement
+formats, while Relying Parties will decide what attestation types are acceptable to them by policy. Relying Parties will also need to
+understand the characteristics of the authenticators that they trust, based on information they have about these authenticators. For example, the FIDO Metadata Service [FIDOMetadataService] provides one way to access such information.
        
+   
        6.5.1. Attested Credential Data
        
+   
        Attested credential data is a variable-length byte array added to the authenticator data when generating an attestation
 object for a credential. Its format is shown in Table .
        
    
        
     
@@ -5488,18 +5564,17 @@ 
        credentialPublicKey
        
        variable
         The credential public key encoded in COSE_Key format,
-                as defined in Section 7 of [RFC9052], using the CTAP2 canonical CBOR encoding form.
+                as defined in Section 7 of [RFC9052], using the CTAP2 canonical CBOR encoding form.
                 The COSE_Key-encoded credential public key MUST contain the "alg" parameter and MUST NOT
                 contain any other OPTIONAL parameters. The "alg" parameter MUST contain a COSEAlgorithmIdentifier value.
                 The encoded credential public key MUST also contain any additional REQUIRED parameters stipulated by the
                 relevant key type specification, i.e., REQUIRED for the key type "kty" and algorithm "alg"
                 (see Section 2 of [RFC9053]). 
     
        
-    
         Attested credential data layout. The names in the Name column are only for reference within this document, and are not
-        present in the actual representation of the attested credential data. 
        
+    
         Attested credential data layout. The names in the Name column are only for reference within this document, and are not
+        present in the actual representation of the attested credential data. 
        
    
        
-   
        Attested credential data is always present in any authenticator data that results from a create() operation. It MUST be present in an authenticator data resulting from a get() operation if, and only if, the attestationObject attribute is present in the assertion result.
        
-   
        6.5.2.1. Examples of credentialPublicKey Values Encoded in COSE_Key Format
        
+   
        6.5.1.1. Examples of credentialPublicKey Values Encoded in COSE_Key Format
        
    
        This section provides examples of COSE_Key-encoded Elliptic Curve and RSA public keys for the ES256, PS256, and RS256
 signature algorithms. These examples adhere to the rules defined above for the credentialPublicKey value, and are presented in CDDL [RFC8610] for clarity.
        
    
        Section 7 of [RFC9052] defines the general framework for all COSE_Key-encoded keys.
@@ -5518,7 +5593,7 @@ 
        CTAP2 canonical CBOR encoding form, whitespace and line breaks
+   
        Below is the above Elliptic Curve public key encoded in the CTAP2 canonical CBOR encoding form, whitespace and line breaks
 are included here for clarity and to match the CDDL [RFC8610] presentation above:
        
 
        A5
    01  02
@@ -5554,8 +5629,8 @@ 
        6.5.3. Attestation Statement Formats
        
-   
        As described above, an attestation statement format is a data format which represents a cryptographic signature by an authenticator over a set of contextual bindings. Each attestation statement format MUST be defined using the following
+   
        6.5.2. Attestation Statement Formats
        
+   
        As described above, an attestation statement format is a data format which represents a cryptographic signature by an authenticator over a set of contextual bindings. Each attestation statement format MUST be defined using the following
 template:
        
    
    
-   
        The initial list of specified attestation statement formats is in § 8 Defined Attestation Statement Formats.
        
-   
        6.5.4. Attestation Types
        
-   
        WebAuthn supports several attestation types, defining the semantics of attestation statements and their underlying trust
+   
        The initial list of specified attestation statement formats is in § 8 Defined Attestation Statement Formats.
        
+   
        6.5.3. Attestation Types
        
+   
        WebAuthn supports several attestation types, defining the semantics of attestation statements and their underlying trust
 models:
        
-   
        Note: This specification does not define any data structures explicitly expressing the attestation types employed by authenticators. Relying Parties engaging in attestation statement verification — i.e., when
-calling navigator.credentials.create() they select an attestation conveyance other than none and verify the received attestation statement — will determine the employed attestation type as a part of verification. See the "Verification procedure" subsections of § 8 Defined Attestation Statement Formats. See also § 14.4.1 Attestation Privacy. For all attestation types defined in this
-section other than Self and None, Relying Party verification is followed by
-matching the trust path to an acceptable root certificate per step 23 of § 7.1 Registering a New Credential.
-Differentiating these attestation types becomes useful primarily as a means for determining if the attestation is acceptable
-under Relying Party policy.
        
+   
        Note: This specification does not define any data structures explicitly expressing the attestation types employed by authenticators. Relying Parties engaging in attestation statement verification — i.e., when
+calling navigator.credentials.create() they select an attestation conveyance other than none and verify the received attestation statement — will determine the employed attestation type as a part of verification. See the "Verification procedure" subsections of § 8 Defined Attestation Statement Formats. See also § 14.4.1 Attestation Privacy. For all attestation types defined in this
+section other than Self and None, Relying Party verification is followed by
+matching the trust path to an acceptable root certificate per step 24 of § 7.1 Registering a New Credential.
+Differentiating these attestation types becomes useful primarily as a means for determining if the attestation is acceptable
+under Relying Party policy.
        
    
        
     
        Basic Attestation (Basic)
     
        
@@ -5608,49 +5683,49 @@ 
        Self Attestation (Self)
     
        
      
        In the case of self attestation, also known as surrogate basic attestation [UAFProtocol], the Authenticator does not have
-any specific attestation key pair. Instead it uses the credential private key to create the attestation signature.
+any specific attestation key pair. Instead it uses the credential private key to create the attestation signature.
 Authenticators without meaningful protection measures for an attestation private key typically use this attestation type.
        
     
        Attestation CA (AttCA)
     
        
-     
        In this case, an authenticator is based on a Trusted Platform Module (TPM) and holds an authenticator-specific
-"endorsement key" (EK). This key is used to securely communicate with a trusted third party, the Attestation CA [TCG-CMCProfile-AIKCertEnroll] (formerly known as a "Privacy CA"). The authenticator can generate multiple
+     
        In this case, an authenticator is based on a Trusted Platform Module (TPM) and holds an authenticator-specific
+"endorsement key" (EK). This key is used to securely communicate with a trusted third party, the Attestation CA [TCG-CMCProfile-AIKCertEnroll] (formerly known as a "Privacy CA"). The authenticator can generate multiple
 attestation identity key pairs (AIK) and requests an Attestation CA to issue an AIK certificate
-for each. Using this approach, such an authenticator can limit the exposure of the EK (which is a global correlation
-handle) to Attestation CA(s). AIKs can be requested for each authenticator-generated public key credential individually, and conveyed to Relying Parties as attestation certificates.
        
+for each. Using this approach, such an authenticator can limit the exposure of the EK (which is a global correlation
+handle) to Attestation CA(s). AIKs can be requested for each authenticator-generated public key credential individually, and conveyed to Relying Parties as attestation certificates.
        
      
        Note: This concept typically leads to multiple attestation certificates. The attestation certificate requested most recently
     is called "active".
        
     
        Anonymization CA (AnonCA)
     
        
-     
        In this case, the authenticator uses an Anonymization CA which dynamically generates per-credential attestation certificates such that the attestation statements presented to Relying Parties do not provide uniquely identifiable information, e.g., that might be used for tracking purposes.
        
-     
        Note: Attestation statements conveying attestations of type AttCA or AnonCA use the same data structure
+     
        In this case, the authenticator uses an Anonymization CA which dynamically generates per-credential attestation certificates such that the attestation statements presented to Relying Parties do not provide uniquely identifiable information, e.g., that might be used for tracking purposes.
        
+     
        Note: Attestation statements conveying attestations of type AttCA or AnonCA use the same data structure
     as those of type Basic, so the three attestation types
     are, in general, distinguishable only with externally provided knowledge regarding the contents of the attestation
-    certificates conveyed in the attestation statement.
        
+    certificates conveyed in the attestation statement.
        
     
        No attestation statement (None)
     
        
      
        In this case, no attestation information is available. See also § 8.7 None Attestation Statement Format.
        
    
        
-   
        6.5.5. Generating an Attestation Object
        
-   
        To generate an attestation object (see: Figure 6) given:
        
+   
        6.5.4. Generating an Attestation Object
        
+   
        To generate an attestation object (see: Figure 6) given:
        
    
        
     
        attestationFormat
     
        
-     
        An attestation statement format.
        
+     
        An attestation statement format.
        
     
        authData
     
        
-     
        A byte array containing authenticator data.
        
+     
        A byte array containing authenticator data.
        
     
        hash
     
        
      
        The hash of the serialized client data.
        
    
        
-   
        the authenticator MUST:
        
+   
        the authenticator MUST:
        
    
          
     
        1. 
      
          Let attStmt be the result of running attestationFormat’s signing procedure given authData and hash.
          
     
        2. 
      
          Let fmt be attestationFormat’s attestation statement format identifier
          
     
        3. 
-     
          Return the attestation object as a CBOR map with the following syntax, filled in with variables initialized by this
+     
          Return the attestation object as a CBOR map with the following syntax, filled in with variables initialized by this
 algorithm:
          
 
          attObj = {
             authData: bytes,
@@ -5666,7 +5741,7 @@ 
          6.5.6. Signature Formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures
          
+   
          6.5.5. Signature Formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures
          
    
            
     
          • 
      
            For COSEAlgorithmIdentifier -7 (ES256),  and other ECDSA-based algorithms, the sig value MUST be encoded as an ASN.1 DER Ecdsa-Sig-Value, as defined in [RFC3279] section 2.2.3.
            
@@ -5679,7 +5754,7 @@ 
            Note: As CTAP1/U2F authenticators are already producing signatures values in this format, CTAP2 authenticators will also produce signatures values in the same format, for consistency reasons.
            
+     
            Note: As CTAP1/U2F authenticators are already producing signatures values in this format, CTAP2 authenticators will also produce signatures values in the same format, for consistency reasons.
            
    
          
    
          It is RECOMMENDED that any new attestation formats defined not use ASN.1 encodings,
     but instead represent signatures as equivalent fixed-length byte arrays without internal structure,
@@ -5688,35 +5763,35 @@ 
          [RFC8017] with SHA-256 as the hash function.
+RSASSA-PKCS1-v1_5 signature scheme defined in Section 8.2.1 of [RFC8017] with SHA-256 as the hash function.
 The signature is not ASN.1 wrapped.
          
     
        4. 
      
          For COSEAlgorithmIdentifier -37 (PS256), sig MUST contain the signature generated using the
-RSASSA-PSS signature scheme defined in section 8.1.1 in [RFC8017] with SHA-256 as the hash function.
+RSASSA-PSS signature scheme defined in Section 8.1.1 of [RFC8017] with SHA-256 as the hash function.
 The signature is not ASN.1 wrapped.
          
    
-   
          7. WebAuthn Relying Party Operations
          
-   
          A registration or authentication ceremony begins with the WebAuthn Relying Party creating a PublicKeyCredentialCreationOptions or PublicKeyCredentialRequestOptions object, respectively, which encodes the parameters for the ceremony. The Relying Party SHOULD take care to not leak sensitive information during this stage; see § 14.6.2 Username Enumeration for details.
          
-   
          Upon successful execution of create() or get(), the Relying Party's script receives
-a PublicKeyCredential containing an AuthenticatorAttestationResponse or AuthenticatorAssertionResponse structure,
-respectively, from the client. It must then deliver the contents of this structure to the Relying Party server, using methods outside
-the scope of this specification. This section describes the operations that the Relying Party must perform upon receipt of these
+   
          7. WebAuthn Relying Party Operations
          
+   
          A registration or authentication ceremony begins with the WebAuthn Relying Party creating a PublicKeyCredentialCreationOptions or PublicKeyCredentialRequestOptions object, respectively, which encodes the parameters for the ceremony. The Relying Party SHOULD take care to not leak sensitive information during this stage; see § 14.6.2 Username Enumeration for details.
          
+   
          Upon successful execution of create() or get(), the Relying Party's script receives
+a PublicKeyCredential containing an AuthenticatorAttestationResponse or AuthenticatorAssertionResponse structure,
+respectively, from the client. It must then deliver the contents of this structure to the Relying Party server, using methods outside
+the scope of this specification. This section describes the operations that the Relying Party must perform upon receipt of these
 structures.
          
    
          7.1. Registering a New Credential
          
-   
          In order to perform a registration ceremony, the Relying Party MUST proceed as follows:
          
+   
          In order to perform a registration ceremony, the Relying Party MUST proceed as follows:
          
    
            
     
          1. 
-     
            Let options be a new PublicKeyCredentialCreationOptions structure configured to the Relying Party's needs for the ceremony.
            
+     
            Let options be a new PublicKeyCredentialCreationOptions structure configured to the Relying Party's needs for the ceremony.
            
     
          2. 
-     
            Call navigator.credentials.create() and pass options as the publicKey option.
+     
            Call navigator.credentials.create() and pass options as the publicKey option.
 Let credential be the result of the successfully resolved promise.
 If the promise is rejected, abort the ceremony with a user-visible error, or otherwise guide the user experience as
 might be determinable from the context available in the rejected promise. For example if the promise is rejected with
-an error code equivalent to "InvalidStateError", the user might be instructed to use a different authenticator.
+an error code equivalent to "InvalidStateError", the user might be instructed to use a different authenticator.
 For information on different error contexts and the circumstances leading to them, see § 6.3.2 The authenticatorMakeCredential Operation.
            
     
          3. 
      
            Let response be credential.response.
-If response is not an instance of AuthenticatorAttestationResponse, abort the ceremony with a user-visible error.
            
+If response is not an instance of AuthenticatorAttestationResponse, abort the ceremony with a user-visible error.
            
     
          4. 
      
            Let clientExtensionResults be the result of calling credential.getClientExtensionResults().
            
     
          5. 
@@ -5734,49 +5809,49 @@ 
            challenge equals
 the base64url encoding of options.challenge.
            
-    
          6.  Verify that the value of C.origin is an origin expected by the Relying Party.
+    
          7.  Verify that the value of C.origin is an origin expected by the Relying Party.
   See § 13.4.9 Validating the origin of a credential for guidance. 
     
          8. 
      
            If C.topOrigin is present:
            
      
              
       
            1. 
-       
              Verify that the Relying Party expects that this credential would have been created within an iframe that is
+       
              Verify that the Relying Party expects that this credential would have been created within an iframe that is
 not same-origin with its ancestors.
              
       
            2. 
-       
              Verify that the value of C.topOrigin matches the origin of a page
-that the Relying Party expects to be sub-framed within.
+       
              Verify that the value of C.topOrigin matches the origin of a page
+that the Relying Party expects to be sub-framed within.
 See § 13.4.9 Validating the origin of a credential for guidance.
              
      
            
     
          9. 
      
            Let hash be the result of computing a hash over response.clientDataJSON using SHA-256.
            
     
          10. 
-     
            Perform CBOR decoding on the attestationObject field of the AuthenticatorAttestationResponse structure to obtain the attestation statement format fmt, the authenticator data authData, and the attestation statement attStmt.
            
+     
            Perform CBOR decoding on the attestationObject field of the AuthenticatorAttestationResponse structure to obtain the attestation statement format fmt, the authenticator data authData, and the attestation statement attStmt.
            
     
          11. 
-     
            Verify that the rpIdHash in authData is the SHA-256 hash of the RP ID expected by the Relying Party.
            
+     
            Verify that the rpIdHash in authData is the SHA-256 hash of the RP ID expected by the Relying Party.
            
     
          12. 
-     
            Verify that the UP bit of the flags in authData is set.
            
+     
            Verify that the UP bit of the flags in authData is set, unless options.mediation is set to conditional.
            
     
          13. 
-     
            If the Relying Party requires user verification for this registration,
+     
            If the Relying Party requires user verification for this registration,
 verify that the UV bit of the flags in authData is set.
            
     
          14. 
      
            If the BE bit of the flags in authData is not set, verify that the BS bit is not set.
            
     
          15. 
-     
            If the Relying Party uses the credential’s backup eligibility to inform its user experience flows and/or policies, evaluate the BE bit of the flags in authData.
            
+     
            If the Relying Party uses the credential’s backup eligibility to inform its user experience flows and/or policies, evaluate the BE bit of the flags in authData.
            
     
          16. 
-     
            If the Relying Party uses the credential’s backup state to inform its user experience flows and/or policies, evaluate the BS bit of the flags in authData.
            
+     
            If the Relying Party uses the credential’s backup state to inform its user experience flows and/or policies, evaluate the BS bit of the flags in authData.
            
     
          17. 
      
            Verify that the "alg" parameter in the credential public key in authData matches the alg attribute of one of the items in options.pubKeyCredParams.
            
     
          18. 
       Verify that the values of the client extension outputs in clientExtensionResults and the authenticator extension
     outputs in the extensions in authData are as expected, considering the client
-    extension input values that were given in options.extensions and any specific policy of the Relying Party regarding unsolicited extensions, i.e., those that were not specified as part of options.extensions.
-    In the general case, the meaning of "are as expected" is specific to the Relying Party and which extensions are in use. 
-     
            Note: Client platforms MAY enact local policy that sets additional authenticator extensions or client extensions and thus cause values to appear in the authenticator extension outputs or client extension outputs that were not originally specified as part of options.extensions. Relying Parties MUST be prepared to handle such
-    situations, whether it be to ignore the unsolicited extensions or reject the attestation. The Relying Party can make this
+    extension input values that were given in options.extensions and any specific policy of the Relying Party regarding unsolicited extensions, i.e., those that were not specified as part of options.extensions.
+    In the general case, the meaning of "are as expected" is specific to the Relying Party and which extensions are in use. 
+     
            Note: Client platforms MAY enact local policy that sets additional authenticator extensions or client extensions and thus cause values to appear in the authenticator extension outputs or client extension outputs that were not originally specified as part of options.extensions. Relying Parties MUST be prepared to handle such
+    situations, whether it be to ignore the unsolicited extensions or reject the attestation. The Relying Party can make this
     decision based on local policy and the extensions in use.
            
-     
            Note: Since all extensions are OPTIONAL for both the client and the authenticator, the Relying Party MUST also be
+     
            Note: Since all extensions are OPTIONAL for both the client and the authenticator, the Relying Party MUST also be
     prepared to handle cases where none or not all of the requested extensions were acted upon.
            
-     
            Note: The supplementalPubKeys extension has explicit verification procedures, see § 10.2.2.3.1 Registration (create()).
            
+     
            Note: The supplementalPubKeys extension has explicit verification procedures, see § 10.2.1.3.1 Registration (create()).
            
     
          19. 
      
            Determine the attestation statement format by performing a USASCII case-sensitive match on fmt against the set of
 supported WebAuthn Attestation Statement Format Identifier values.
@@ -5784,40 +5859,40 @@ 
            [IANA-WebAuthn-Registries] established by [RFC8809].
            
     
          20. 
-      Verify that attStmt is a correct attestation statement, conveying a valid attestation signature, by using the attestation statement format fmt’s verification procedure given attStmt, authData and hash. 
-     
            Note: Each attestation statement format specifies its own verification procedure. See § 8 Defined Attestation Statement Formats for
+      Verify that attStmt is a correct attestation statement, conveying a valid attestation signature, by using the attestation statement format fmt’s verification procedure given attStmt, authData and hash. 
+     
            Note: Each attestation statement format specifies its own verification procedure. See § 8 Defined Attestation Statement Formats for
     the initially-defined formats, and [IANA-WebAuthn-Registries] for the up-to-date list.
            
     
          21.  If validation is successful, obtain a list of acceptable trust anchors (i.e. attestation root certificates)
     for that attestation type and attestation statement format fmt, from a trusted source or from policy. For
     example, the FIDO Metadata Service [FIDOMetadataService] provides one way to obtain such information, using the aaguid in the attestedCredentialData in authData. 
     
          22. 
-      Assess the attestation trustworthiness using the outputs of the verification procedure in step 21, as follows: 
+      Assess the attestation trustworthiness using the outputs of the verification procedure in step 22, as follows: 
      
     
          23. 
-     
            Verify that the credentialId is ≤ 1023 bytes. Credential IDs larger than this many bytes SHOULD cause the RP to fail this registration ceremony.
            
+     
            Verify that the credentialId is ≤ 1023 bytes. Credential IDs larger than this many bytes SHOULD cause the RP to fail this registration ceremony.
            
     
          24. 
-     
            Verify that the credentialId is not yet registered for any user. If the credentialId is already known then the Relying Party SHOULD fail this registration ceremony.
            
-     
            NOTE: The rationale for Relying Parties rejecting duplicate credential IDs is as follows: credential IDs contain sufficient entropy that accidental duplication is very unlikely. However, attestation types other than self attestation do not include a self-signature to explicitly prove possession of the credential private key at registration time. Thus an attacker who has managed to obtain a user’s credential ID and credential public key for a site (this could be potentially accomplished in various ways), could attempt to register a victim’s credential as their own at that site. If the Relying Party accepts this new registration and replaces the victim’s existing credential registration, and the credentials are discoverable, then the victim could be forced to sign into the attacker’s account at their next attempt. Data saved to the site by the victim in that state would then be available to the attacker.
            
+     
            Verify that the credentialId is not yet registered for any user. If the credentialId is already known then the Relying Party SHOULD fail this registration ceremony.
            
+     
            NOTE: The rationale for Relying Parties rejecting duplicate credential IDs is as follows: credential IDs contain sufficient entropy that accidental duplication is very unlikely. However, attestation types other than self attestation do not include a self-signature to explicitly prove possession of the credential private key at registration time. Thus an attacker who has managed to obtain a user’s credential ID and credential public key for a site (this could be potentially accomplished in various ways), could attempt to register a victim’s credential as their own at that site. If the Relying Party accepts this new registration and replaces the victim’s existing credential registration, and the credentials are discoverable, then the victim could be forced to sign into the attacker’s account at their next attempt. Data saved to the site by the victim in that state would then be available to the attacker.
            
     
          25. 
       If the attestation statement attStmt verified successfully and is found to be trustworthy,
-    then create and store a new credential record in the user account that was denoted in options.user,
+    then create and store a new credential record in the user account that was denoted in options.user,
     with the following contents: 
      
            
-      
            type
+      
            type
       
            
        
            credential.type.
            
-      
            id
+      
            id
       
            
        
            credential.id or credential.rawId,
-whichever format is preferred by the Relying Party.
            
+whichever format is preferred by the Relying Party.
            
       
            publicKey
       
            
        
            The credential public key in authData.
            
@@ -5827,9 +5902,9 @@ 
            uvInitialized
       
            
        
            The value of the UV flag in authData.
            
-      
            transports
+      
            transports
       
            
-       
            The value returned from response.getTransports().
            
+       
            The value returned from response.getTransports().
            
       
            backupEligible
       
            
        
            The value of the BE flag in authData.
            
@@ -5837,33 +5912,33 @@ 
            BS flag in authData.
            
      
            
-     
            The new credential record MAY also include the following OPTIONAL contents:
            
+     
            The new credential record MAY also include the following OPTIONAL contents:
            
      
            
       
            attestationObject
       
            
-       
            response.attestationObject.
            
+       
            response.attestationObject.
            
       
            attestationClientDataJSON
       
            
        
            response.clientDataJSON.
            
      
            
     
          26. 
-     
            If the attestation statement attStmt successfully verified but is not trustworthy per step 23 above,
-the Relying Party SHOULD fail the registration ceremony.
            
-     
            NOTE: However, if permitted by policy, the Relying Party MAY register the credential ID and credential public key but treat the
-    credential as one with self attestation (see § 6.5.4 Attestation Types). If doing so, the Relying Party is asserting there
-    is no cryptographic proof that the public key credential has been generated by a particular authenticator model.
+     
            If the attestation statement attStmt successfully verified but is not trustworthy per step 24 above,
+the Relying Party SHOULD fail the registration ceremony.
            
+     
            NOTE: However, if permitted by policy, the Relying Party MAY register the credential ID and credential public key but treat the
+    credential as one with self attestation (see § 6.5.3 Attestation Types). If doing so, the Relying Party is asserting there
+    is no cryptographic proof that the public key credential has been generated by a particular authenticator model.
     See [FIDOSecRef] and [UAFProtocol] for a more detailed discussion.
            
    
          
-   
          Verification of attestation objects requires that the Relying Party has a trusted method of determining acceptable trust anchors
-in step 22 above.
-Also, if certificates are being used, the Relying Party MUST have access to certificate status information for the
-intermediate CA certificates. The Relying Party MUST also be able to build the attestation certificate chain if the client did not
+   
          Verification of attestation objects requires that the Relying Party has a trusted method of determining acceptable trust anchors
+in step 23 above.
+Also, if certificates are being used, the Relying Party MUST have access to certificate status information for the
+intermediate CA certificates. The Relying Party MUST also be able to build the attestation certificate chain if the client did not
 provide this chain in the attestation information.
          
    
          7.2. Verifying an Authentication Assertion
          
-   
          In order to perform an authentication ceremony, the Relying Party MUST proceed as follows:
          
+   
          In order to perform an authentication ceremony, the Relying Party MUST proceed as follows:
          
    
            
     
          1. 
-     
            Let options be a new PublicKeyCredentialRequestOptions structure configured to the Relying Party's needs for the ceremony.
            
+     
            Let options be a new PublicKeyCredentialRequestOptions structure configured to the Relying Party's needs for the ceremony.
            
     
          2. 
      
            Call navigator.credentials.get() and pass options as the publicKey option.
 Let credential be the result of the successfully resolved promise.
@@ -5872,29 +5947,29 @@ 
            § 6.3.3 The authenticatorGetAssertion Operation.
            
     
          3. 
      
            Let response be credential.response.
-If response is not an instance of AuthenticatorAssertionResponse, abort the ceremony with a user-visible error.
            
+If response is not an instance of AuthenticatorAssertionResponse, abort the ceremony with a user-visible error.
            
     
          4. 
      
            Let clientExtensionResults be the result of calling credential.getClientExtensionResults().
            
     
          5. 
-     
            If options.allowCredentials is not empty,
+     
            If options.allowCredentials is not empty,
 verify that credential.id identifies one of the public key credentials listed in options.allowCredentials.
            
     
          6. 
-     
            Identify the user being authenticated and let credentialRecord be the credential record for the credential:
            
+     
            Identify the user being authenticated and let credentialRecord be the credential record for the credential:
            
      
            
-      
            If the user was identified before the authentication ceremony was initiated, e.g., via a username or cookie,
+      
            If the user was identified before the authentication ceremony was initiated, e.g., via a username or cookie,
       
            
-       
            verify that the identified user account contains a credential record whose id equals credential.rawId.
-Let credentialRecord be that credential record.
+       
            verify that the identified user account contains a credential record whose id equals credential.rawId.
+Let credentialRecord be that credential record.
 If response.userHandle is present,
 verify that it equals the user handle of the user account.
            
-      
            If the user was not identified before the authentication ceremony was initiated,
+      
            If the user was not identified before the authentication ceremony was initiated,
       
            
        
            verify that response.userHandle is present.
-Verify that the user account identified by response.userHandle contains a credential record whose id equals credential.rawId.
-Let credentialRecord be that credential record.
            
+Verify that the user account identified by response.userHandle contains a credential record whose id equals credential.rawId.
+Let credentialRecord be that credential record.
            
      
            
     
          7. 
-     
            Let cData, authData and sig denote the value of response’s clientDataJSON, authenticatorData, and signature respectively.
            
+     
            Let cData, authData and sig denote the value of response’s clientDataJSON, authenticatorData, and signature respectively.
            
     
          8. 
      
            Let JSONtext be the result of running UTF-8 decode on the value of cData.
            
      
            Note: Using any implementation of UTF-8 decode is acceptable as long as it yields the same result as that yielded by
@@ -5909,32 +5984,32 @@ 
            
      
            Verify that the value of C.challenge equals
 the base64url encoding of options.challenge.
            
-    
          9.  Verify that the value of C.origin is an origin expected by the Relying Party.
+    
          10.  Verify that the value of C.origin is an origin expected by the Relying Party.
   See § 13.4.9 Validating the origin of a credential for guidance. 
     
          11. 
      
            If C.topOrigin is present:
            
      
              
       
            1. 
-       
              Verify that the Relying Party expects this credential to be used within an iframe that is not same-origin with its ancestors.
              
+       
              Verify that the Relying Party expects this credential to be used within an iframe that is not same-origin with its ancestors.
              
       
            2. 
-       
              Verify that the value of C.topOrigin matches the origin of a page
-that the Relying Party expects to be sub-framed within.
+       
              Verify that the value of C.topOrigin matches the origin of a page
+that the Relying Party expects to be sub-framed within.
 See § 13.4.9 Validating the origin of a credential for guidance.
              
      
            
     
          12. 
-      Verify that the rpIdHash in authData is the SHA-256 hash of the RP ID expected by the Relying Party. 
+      Verify that the rpIdHash in authData is the SHA-256 hash of the RP ID expected by the Relying Party. 
      
            Note: If using the appid extension, this step needs some special logic. See § 10.1.1 FIDO AppID Extension (appid) for details.
            
     
          13. 
      
            Verify that the UP bit of the flags in authData is set.
            
     
          14. 
-     
            Determine whether user verification is required for this assertion. User verification SHOULD be required if, and only if, options.userVerification is set to required.
            
-     
            If user verification was determined to be required,
+     
            Determine whether user verification is required for this assertion. User verification SHOULD be required if, and only if, options.userVerification is set to required.
            
+     
            If user verification was determined to be required,
 verify that the UV bit of the flags in authData is set.
 Otherwise, ignore the value of the UV flag.
            
     
          15. 
      
            If the BE bit of the flags in authData is not set, verify that the BS bit is not set.
            
     
          16. 
-     
            If the credential backup state is used as part of Relying Party business logic or policy,
+     
            If the credential backup state is used as part of Relying Party business logic or policy,
 let currentBe and currentBs be the values of the BE and BS bits, respectively,
 of the flags in authData.
 Compare currentBe and currentBs with credentialRecord.backupEligible and credentialRecord.backupState:
            
@@ -5944,20 +6019,20 @@ 
            
        
            If credentialRecord.backupEligible is not set, verify that currentBe is not set.
            
       
          17. 
-       
            Apply Relying Party policy, if any.
            
+       
            Apply Relying Party policy, if any.
            
      
          
-     
          Note: See § 6.1.3 Credential Backup State for examples of how a Relying Party might process the BS flag values.
          
+     
          Note: See § 6.1.3 Credential Backup State for examples of how a Relying Party might process the BS flag values.
          
     
        5. 
       Verify that the values of the client extension outputs in clientExtensionResults and the authenticator extension
     outputs in the extensions in authData are as expected, considering the client
-    extension input values that were given in options.extensions and any specific policy of the Relying Party regarding unsolicited extensions, i.e., those that were not specified as part of options.extensions.
-    In the general case, the meaning of "are as expected" is specific to the Relying Party and which extensions are in use. 
-     
          Note: Client platforms MAY enact local policy that sets additional authenticator extensions or client extensions and thus cause values to appear in the authenticator extension outputs or client extension outputs that were not originally specified as part of options.extensions. Relying Parties MUST be prepared to handle such
-    situations, whether it be to ignore the unsolicited extensions or reject the assertion. The Relying Party can make this
+    extension input values that were given in options.extensions and any specific policy of the Relying Party regarding unsolicited extensions, i.e., those that were not specified as part of options.extensions.
+    In the general case, the meaning of "are as expected" is specific to the Relying Party and which extensions are in use. 
+     
          Note: Client platforms MAY enact local policy that sets additional authenticator extensions or client extensions and thus cause values to appear in the authenticator extension outputs or client extension outputs that were not originally specified as part of options.extensions. Relying Parties MUST be prepared to handle such
+    situations, whether it be to ignore the unsolicited extensions or reject the assertion. The Relying Party can make this
     decision based on local policy and the extensions in use.
          
-     
          Note: Since all extensions are OPTIONAL for both the client and the authenticator, the Relying Party MUST also be
+     
          Note: Since all extensions are OPTIONAL for both the client and the authenticator, the Relying Party MUST also be
     prepared to handle cases where none or not all of the requested extensions were acted upon.
          
-     
          Note: The supplementalPubKeys extension has explicit verification procedures, see § 10.2.2.3.2 Authentication (get()).
          
+     
          Note: The supplementalPubKeys extension has explicit verification procedures, see § 10.2.1.3.2 Authentication (get()).
          
     
        6. 
      
          Let hash be the result of computing a hash over the cData using SHA-256.
          
     
        7. 
@@ -5976,27 +6051,12 @@ 
          less than or equal to credentialRecord.signCount:
         
          This is a signal that
           the authenticator may be cloned, i.e. at least
-          two copies of the credential private key may exist and are
-          being used in parallel. Relying Parties should incorporate this information
+          two copies of the credential private key may exist and are
+          being used in parallel. Relying Parties should incorporate this information
           into their risk scoring.
-          Whether the Relying Party updates credentialRecord.signCount below in this case, or not, or fails the authentication ceremony or not, is Relying Party-specific. 
+          Whether the Relying Party updates credentialRecord.signCount below in this case, or not, or fails the authentication ceremony or not, is Relying Party-specific. 
        
      
-    
        8. 
-     
          If response.attestationObject is present and the Relying Party wishes to verify the attestation then perform CBOR decoding on attestationObject to obtain the attestation statement format fmt, and the attestation statement attStmt.
          
-     
            
-      
          1. 
-       
            Verify that the AT bit in the flags field of authData is set, indicating that attested credential data is included.
            
-      
          2. 
-       
            Verify that the credentialPublicKey and credentialId fields of the attested credential data in authData match credentialRecord.publicKey and credentialRecord.id, respectively.
            
-      
          3. 
-       
            Determine the attestation statement format by performing a USASCII case-sensitive match on fmt against the set of supported WebAuthn Attestation Statement Format Identifier values. An up-to-date list of registered WebAuthn Attestation Statement Format Identifier values is maintained in the IANA "WebAuthn Attestation Statement Format Identifiers" registry [IANA-WebAuthn-Registries] established by [RFC8809].
            
-      
          4. 
-       
            Verify that attStmt is a correct attestation statement, conveying a valid attestation signature, by using the attestation statement format fmt’s verification procedure given attStmt, authData and hash.
            
-       
            Note: Each attestation statement format specifies its own verification procedure. See § 8 Defined Attestation Statement Formats for the initially-defined formats, and [IANA-WebAuthn-Registries] for the up-to-date list.
            
-      
          5. 
-       
            If validation is successful, obtain a list of acceptable trust anchors (i.e. attestation root certificates) for that attestation type and attestation statement format fmt, from a trusted source or from policy. The aaguid in the attested credential data can be used to guide this lookup.
            
-     
          
     
        9. 
       Update credentialRecord with new state values: 
      
            
@@ -6006,23 +6066,20 @@ 
            Update credentialRecord.backupState to the value of currentBs.
            
       
          1. 
        
            If credentialRecord.uvInitialized is false,
-update it to the value of the UV bit in the flags in authData.
-This change SHOULD require authorization by an additional authentication factor equivalent to WebAuthn user verification;
+update it to the value of the UV bit in the flags in authData.
+This change SHOULD require authorization by an additional authentication factor equivalent to WebAuthn user verification;
 if not authorized, skip this step.
            
-      
          2. 
-       
            OPTIONALLY, if response.attestationObject is present,
-update credentialRecord.attestationObject to the value of response.attestationObject and update credentialRecord.attestationClientDataJSON to the value of response.clientDataJSON.
            
      
          
-     
          If the Relying Party performs additional security checks beyond these WebAuthn authentication ceremony steps,
+     
          If the Relying Party performs additional security checks beyond these WebAuthn authentication ceremony steps,
     the above state updates SHOULD be deferred to after those additional checks are completed successfully.
          
     
        10. 
-     
          If all the above steps are successful, continue with the authentication ceremony as appropriate. Otherwise, fail the authentication ceremony.
          
+     
          If all the above steps are successful, continue with the authentication ceremony as appropriate. Otherwise, fail the authentication ceremony.
          
    
        
    
        8. Defined Attestation Statement Formats
        
    
        WebAuthn supports pluggable attestation statement formats. This section defines an initial set of such formats.
        
    
        8.1. Attestation Statement Format Identifiers
        
    
        Attestation statement formats are identified by a string, called an attestation statement format identifier, chosen by
-the author of the attestation statement format.
        
+the author of the attestation statement format.
        
    
        Attestation statement format identifiers SHOULD be registered in the
 IANA "WebAuthn Attestation Statement Format Identifiers" registry [IANA-WebAuthn-Registries] established by [RFC8809].
 All registered attestation statement format identifiers are unique amongst themselves as a matter of course.
        
@@ -6039,7 +6096,7 @@ 
        [IANA-WebAuthn-Registries] established by [RFC8809].
        
    
        8.2. Packed Attestation Statement Format
        
    
        This is a WebAuthn optimized attestation statement format. It uses a very compact but still extensible encoding method. It is
-implementable by authenticators with limited resources (e.g., secure elements).
        
+implementable by authenticators with limited resources (e.g., secure elements).
        
    
        
     
        Attestation statement format identifier
     
        
@@ -6069,10 +6126,10 @@ 
        
       
        alg
       
        
-       
        A COSEAlgorithmIdentifier containing the identifier of the algorithm used to generate the attestation signature.
        
+       
        A COSEAlgorithmIdentifier containing the identifier of the algorithm used to generate the attestation signature.
        
       
        sig
       
        
-       
        A byte string containing the attestation signature.
        
+       
        A byte string containing the attestation signature.
        
       
        x5c
       
        
        
        The elements of this array contain attestnCert and its certificate chain (if any), each encoded in X.509 format. The attestation
@@ -6090,7 +6147,7 @@ 
        Let authenticatorData denote the authenticator data for the attestation,
 and let clientDataHash denote the hash of the serialized client data.
        
       
      3. 
-       
        If Basic or AttCA attestation is in use, the authenticator produces the sig by concatenating authenticatorData and clientDataHash, and signing the result using an attestation private key selected through an authenticator-specific
+       
        If Basic or AttCA attestation is in use, the authenticator produces the sig by concatenating authenticatorData and clientDataHash, and signing the result using an attestation private key selected through an authenticator-specific
 mechanism. It sets x5c to attestnCert followed by the related certificate chain (if any). It sets alg to the algorithm of the
 attestation private key.
        
       
      4. 
@@ -6100,7 +6157,7 @@ 
        
     
        Verification procedure
     
        
-     
        Given the verification procedure inputs attStmt, authenticatorData and clientDataHash, the verification procedure is
+     
        Given the verification procedure inputs attStmt, authenticatorData and clientDataHash, the verification procedure is
 as follows:
        
      
          
       
        1. 
@@ -6116,7 +6173,7 @@ 
          Verify that attestnCert meets the requirements in § 8.2.1 Packed Attestation Statement Certificate Requirements.
          
         
        2. 
          
          If attestnCert contains an extension with OID 1.3.6.1.4.1.45724.1.1.4 (id-fido-gen-ce-aaguid) verify that the
-value of this extension matches the aaguid in authenticatorData.
          
+value of this extension matches the aaguid in authenticatorData.
          
         
        3. 
          
          Optionally, inspect x5c and consult externally provided knowledge to determine whether attStmt conveys a Basic or AttCA attestation.
          
         
        4. 
@@ -6127,7 +6184,7 @@ 
          If x5c is not present, self attestation is in use.
          
        
            
         
          • 
-         
            Validate that alg matches the algorithm of the credentialPublicKey in authenticatorData.
            
+         
            Validate that alg matches the algorithm of the credentialPublicKey in authenticatorData.
            
         
          • 
          
            Verify that sig is a valid signature over the concatenation of authenticatorData and clientDataHash using the
 credential public key with alg.
            
@@ -6160,21 +6217,46 @@ 
            Relying Parties may not know if the attestation root
+certificate is used for multiple authenticator models, it is suggested that Relying Parties check if the extension
+is present, and if it is, then validate that it contains that same AAGUID as presented in the attestation object.
            
      
            Note that an X.509 Extension encodes the DER-encoding of the value in an OCTET STRING.
-Thus, the AAGUID MUST be wrapped in two OCTET STRINGS to be valid. Here is a sample, encoded Extension structure:
            
-
            30 21                                     -- SEQUENCE
-  06 0b 2b 06 01 04 01 82 e5 1c 01 01 04  -- 1.3.6.1.4.1.45724.1.1.4
-  04 12                                   -- OCTET STRING
-    04 10                                 -- OCTET STRING
-      cd 8c 39 5c 26 ed ee de             -- AAGUID
-      65 3b 00 79 7d 03 ca 3c
-
            
+Thus, the AAGUID MUST be wrapped in two OCTET STRINGS to be valid.
            
     
          • 
      
            The Basic Constraints extension MUST have the CA component set to false.
            
-    
          • 
-     
            An Authority Information Access (AIA) extension with entry id-ad-ocsp and a CRL Distribution Point extension [RFC5280] are both OPTIONAL as the status of many attestation certificates is available through authenticator metadata services.
-See, for example, the FIDO Metadata Service [FIDOMetadataService].
            
    
          
+   
          Additionally, an Authority Information Access (AIA) extension with entry id-ad-ocsp and a CRL Distribution Point extension [RFC5280] are both OPTIONAL as the status of many attestation certificates is available through authenticator metadata
+    services. See, for example, the FIDO Metadata Service [FIDOMetadataService].
          
+   
          The firmware of a particular authenticator model MAY be differentiated using the Extension OID 1.3.6.1.4.1.45724.1.1.5 (id-fido-gen-ce-fw-version). When present, this attribute contains an INTEGER with a non-negative value which is incremented for new
+    firmware release versions. The extension MUST NOT be marked as critical.
          
+   
          For example, the following is an attestation certificate containing the above extension OIDs as well as required fields:
          
+
          -----BEGIN CERTIFICATE----- <!-- bikeshed emdash workaround -->
+MIIBzTCCAXOgAwIBAgIUYHS3FJEL/JTfFqafuAHvlAS+hDYwCgYIKoZIzj0EAwIw
+QTELMAkGA1UEBhMCVVMxFDASBgNVBAoMC1dlYkF1dGhuIFdHMRwwGgYDVQQDDBNF
+eGFtcGxlIEF0dGVzdGF0aW9uMCAXDTI0MDEwMzE3NDUyMVoYDzIwNTAwMTA2MTc0
+NTIxWjBBMQswCQYDVQQGEwJVUzEUMBIGA1UECgwLV2ViQXV0aG4gV0cxHDAaBgNV
+BAMME0V4YW1wbGUgQXR0ZXN0YXRpb24wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
+AATDQN9uaFFH4BKBjthHTM1drpb7gIuPod67qyF6UdL4qah6XUp6tE7Prl+DfQ7P
+YH9yMOOcci3nr+Q/jOBaWVERo0cwRTAhBgsrBgEEAYLlHAEBBAQSBBDNjDlcJu3u
+3mU7AHl9A8o8MBIGCysGAQQBguUcAQEFBAMCASowDAYDVR0TAQH/BAIwADAKBggq
+hkjOPQQDAgNIADBFAiA3k3aAUVtLhDHLXOgY2kRnK2hrbRgf2EKdTDLJ1Ds/RAIh
+AOmIblhI3ALCHOaO0IO7YlMpw/lSTvFYv3qwO3m7H8Dc
+-----END CERTIFICATE----- <!-- bikeshed emdash workaround -->
+
          
+   
          The attributes above are structured within this certificate as such:
          
+
          30 21                                    -- SEQUENCE
+  06 0B 2B 06 01 04 01 82 E5 1C 01 01 04 -- OID 1.3.6.1.4.1.45724.1.1.4
+  04 12                                  -- OCTET STRING
+    04  10                               -- OCTET STRING
+      CD 8C 39 5C 26 ED EE DE            -- AAGUID cd8c395c-26ed-eede-653b-00797d03ca3c
+      65 3B 00 79 7D 03 CA 3C 
+
+30 12                                    -- SEQUENCE
+  06 0B 2B 06 01 04 01 82 E5 1C 01 01 05 -- OID 1.3.6.1.4.1.45724.1.1.5
+  04 03                                  -- OCTET STRING
+    02 01                                -- INTEGER
+      2A                                 -- Firmware version: 42
+
          
    
          8.3. TPM Attestation Statement Format
          
    
          This attestation statement format is generally used by authenticators that use a Trusted Platform Module as their cryptographic
 engine.
          
@@ -6211,7 +6293,7 @@ 
          The version of the TPM specification to which the signature conforms.
          
       
          alg
       
          
-       
          A COSEAlgorithmIdentifier containing the identifier of the algorithm used to generate the attestation signature.
          
+       
          A COSEAlgorithmIdentifier containing the identifier of the algorithm used to generate the attestation signature.
          
       
          x5c
       
          
        
          aikCert followed by its certificate chain, in X.509 encoding.
          
@@ -6220,7 +6302,7 @@ 
          The AIK certificate used for the attestation, in X.509 encoding.
          
       
          sig
       
          
-       
          The attestation signature, in the form of a TPMT_SIGNATURE structure as specified in [TPMv2-Part2] section 11.3.4.
          
+       
          The attestation signature, in the form of a TPMT_SIGNATURE structure as specified in [TPMv2-Part2] section 11.3.4.
          
       
          certInfo
       
          
        
          The TPMS_ATTEST structure over which the above signature was computed, as specified in [TPMv2-Part2] section 10.12.8.
          
@@ -6239,11 +6321,11 @@ 
          sig field to the signature obtained from the above procedure.
          
     
          Verification procedure
     
          
-     
          Given the verification procedure inputs attStmt, authenticatorData and clientDataHash, the verification procedure is
+     
          Given the verification procedure inputs attStmt, authenticatorData and clientDataHash, the verification procedure is
 as follows:
          
      
          Verify that attStmt is valid CBOR conforming to the syntax defined above and perform CBOR decoding on it to extract the
 contained fields.
          
-     
          Verify that the public key specified by the parameters and unique fields of pubArea is identical to the credentialPublicKey in the attestedCredentialData in authenticatorData.
          
+     
          Verify that the public key specified by the parameters and unique fields of pubArea is identical to the credentialPublicKey in the attestedCredentialData in authenticatorData.
          
      
          Concatenate authenticatorData and clientDataHash to form attToBeSigned.
          
      
          Validate that certInfo is valid:
          
      
    
          8.4. Android Key Attestation Statement Format
          
-   
          When the authenticator in question is a platform authenticator on the Android "N" or later platform, the
+   
          When the authenticator in question is a platform authenticator on the Android "N" or later platform, the
 attestation statement is based on the Android key
 attestation. In these cases, the attestation statement
 is produced by a component running in a secure operating environment, but the authenticator data for the attestation is
-produced outside this environment. The WebAuthn Relying Party is expected to check that the authenticator data claimed to have been used for
+produced outside this environment. The WebAuthn Relying Party is expected to check that the authenticator data claimed to have been used for
 the attestation is consistent with the fields of the attestation certificate’s extension data.
          
    
          
     
          Attestation statement format identifier
@@ -6333,7 +6415,7 @@ 
          <
 and signing the result using the credential private key. It sets alg to the algorithm of the signature format.
          
     
          Verification procedure
     
          
-     
          Given the verification procedure inputs attStmt, authenticatorData and clientDataHash, the verification procedure is
+     
          Given the verification procedure inputs attStmt, authenticatorData and clientDataHash, the verification procedure is
 as follows:
          
      
          
     
          Signing procedure
     
          
@@ -6479,7 +6561,7 @@ 
          x5c.
          
     
          Verification procedure
     
          
-     
          Given the verification procedure inputs attStmt, authenticatorData and clientDataHash, the verification procedure is
+     
          Given the verification procedure inputs attStmt, authenticatorData and clientDataHash, the verification procedure is
 as follows:
          
      
            
       
          1. 
@@ -6519,9 +6601,9 @@ 
            
    
        5. 
    
        8.7. None Attestation Statement Format
        
-   
        The none attestation statement format is used to replace any authenticator-provided attestation statement when a WebAuthn Relying Party indicates it does not wish to receive attestation information, see § 5.4.7 Attestation Conveyance Preference Enumeration (enum AttestationConveyancePreference).
        
-   
        The authenticator MAY also directly generate attestation statements of this format
-if the authenticator does not support attestation.
        
+   
        The none attestation statement format is used to replace any authenticator-provided attestation statement when a WebAuthn Relying Party indicates it does not wish to receive attestation information, see § 5.4.7 Attestation Conveyance Preference Enumeration (enum AttestationConveyancePreference).
        
+   
        The authenticator MAY also directly generate attestation statements of this format
+if the authenticator does not support attestation.
        
    
        
     
        Attestation statement format identifier
     
        
@@ -6616,7 +6698,7 @@ 
        compound
        
     
        Attestation types supported
     
        
-     
        Any. See § 6.5.4 Attestation Types.
        
+     
        Any. See § 6.5.3 Attestation Types.
        
     
        Syntax
     
        
      
        The syntax of a compound attestation statement is defined as follows:
        
@@ -6632,15 +6714,15 @@ 
        Not applicable
        
     
        Verification procedure
     
        
-     
        Given the verification procedure inputs attStmt, authenticatorData and clientDataHash, the verification procedure is
+     
        Given the verification procedure inputs attStmt, authenticatorData and clientDataHash, the verification procedure is
 as follows:
        
      
          
       
        1. 
-       
          For each subStmt of attStmt, evaluate the verification procedure corresponding to the attestation statement format identifier subStmt.fmt with verification procedure inputs subStmt, authenticatorData and clientDataHash.
          
-       
          If validation fails for one or more subStmt, decide the appropriate result based on Relying Party policy.
          
+       
          For each subStmt of attStmt, evaluate the verification procedure corresponding to the attestation statement format identifier subStmt.fmt with verification procedure inputs subStmt, authenticatorData and clientDataHash.
          
+       
          If validation fails for one or more subStmt, decide the appropriate result based on Relying Party policy.
          
       
        2. 
-       
          If sufficiently many (as determined by Relying Party policy) items of attStmt verify successfully,
-return implementation-specific values representing any combination of outputs from successful verification procedures.
          
+       
          If sufficiently many (as determined by Relying Party policy) items of attStmt verify successfully,
+return implementation-specific values representing any combination of outputs from successful verification procedures.
          
      
        
    
        
    
        9. WebAuthn Extensions
        
@@ -6651,16 +6733,16 @@ 
        Client extensions define the following steps and data:
        
    
-   
        When creating a public key credential or requesting an authentication assertion, a WebAuthn Relying Party can request the use of a set
-of extensions. These extensions will be invoked during the requested operation if they are supported by the client and/or the WebAuthn Authenticator. The Relying Party sends the client extension input for each extension in the get() call
-(for authentication extensions) or create() call (for registration extensions) to the client.
-The client performs client extension processing for each extension that the client platform supports, and augments the client data as specified by each extension, by including the extension identifier and client extension output values.
        
+   
        When creating a public key credential or requesting an authentication assertion, a WebAuthn Relying Party can request the use of a set
+of extensions. These extensions will be invoked during the requested operation if they are supported by the client and/or the WebAuthn Authenticator. The Relying Party sends the client extension input for each extension in the get() call
+(for authentication extensions) or create() call (for registration extensions) to the client.
+The client performs client extension processing for each extension that the client platform supports, and augments the client data as specified by each extension, by including the extension identifier and client extension output values.
        
    
        An extension can also be an authenticator extension, meaning that the extension involves communication with and
 processing by the authenticator. Authenticator extensions define the following steps and data:
        
    
    
        For authenticator extensions, as part of the client extension processing, the client also creates the CBOR authenticator extension input value for each extension (often based on the corresponding client extension input value),
-and passes them to the authenticator in the create() call (for registration extensions) or the get() call (for authentication extensions). These authenticator extension input values are
-represented in CBOR and passed as name-value pairs, with the extension identifier as the name, and the corresponding authenticator extension input as the value. The authenticator, in turn, performs additional processing for the extensions
+and passes them to the authenticator in the create() call (for registration extensions) or the get() call (for authentication extensions). These authenticator extension input values are
+represented in CBOR and passed as name-value pairs, with the extension identifier as the name, and the corresponding authenticator extension input as the value. The authenticator, in turn, performs additional processing for the extensions
 that it supports, and returns the CBOR authenticator extension output for each as specified by the extension.
-Since authenticator extension output is returned as part of the signed authenticator data, authenticator extensions
-MAY also specify an unsigned extension output, e.g. for cases where an output itself depends on authenticator data.
+Since authenticator extension output is returned as part of the signed authenticator data, authenticator extensions
+MAY also specify an unsigned extension output, e.g. for cases where an output itself depends on authenticator data.
 Part of the client extension processing for authenticator extensions is to use the authenticator extension output and unsigned extension output as an input to creating the client extension output.
        
-   
        All WebAuthn Extensions are OPTIONAL for both clients and authenticators. Thus, any extensions requested by a Relying Party MAY be
+   
        All WebAuthn Extensions are OPTIONAL for both clients and authenticators. Thus, any extensions requested by a Relying Party MAY be
 ignored by the client browser or OS and not passed to the authenticator at all, or they MAY be ignored by the authenticator.
-Ignoring an extension is never considered a failure in WebAuthn API processing, so when Relying Parties include extensions with any
+Ignoring an extension is never considered a failure in WebAuthn API processing, so when Relying Parties include extensions with any
 API calls, they MUST be prepared to handle cases where some or all of those extensions are ignored.
        
-   
        All WebAuthn Extensions MUST be defined in such a way that lack of support for them by the client or authenticator does not endanger the user’s security or privacy.
+   
        All WebAuthn Extensions MUST be defined in such a way that lack of support for them by the client or authenticator does not endanger the user’s security or privacy.
 For instance, if an extension requires client processing, it could be defined in a manner that ensures
 that a naïve pass-through that simply transcodes client extension inputs from JSON to CBOR
 will produce a semantically invalid authenticator extension input value, resulting in the extension
@@ -6704,28 +6786,28 @@ 
        § 10 Defined Extensions defines an additional set of extensions and their identifiers.
 See the IANA "WebAuthn Extension Identifiers" registry [IANA-WebAuthn-Registries] established by [RFC8809] for an up-to-date list of registered WebAuthn Extension Identifiers.
        
    
        9.2. Defining Extensions
        
-   
        A definition of an extension MUST specify an extension identifier, a client extension input argument
-to be sent via the get() or create() call,
+   
        A definition of an extension MUST specify an extension identifier, a client extension input argument
+to be sent via the get() or create() call,
 the client extension processing rules, and a client extension output value.
 If the extension communicates with the authenticator (meaning it is an authenticator extension),
 it MUST also specify the CBOR authenticator extension input argument
 sent via the authenticatorGetAssertion or authenticatorMakeCredential call,
 the authenticator extension processing rules, and the CBOR authenticator extension output value.
 Extensions MAY specify unsigned extension outputs.
        
-   
        Any client extension that is processed by the client MUST return a client extension output value so that the WebAuthn Relying Party knows that the extension was honored by the client. Similarly, any extension that requires authenticator processing MUST return
-an authenticator extension output to let the Relying Party know that the extension was honored by the authenticator. If an
+   
        Any client extension that is processed by the client MUST return a client extension output value so that the WebAuthn Relying Party knows that the extension was honored by the client. Similarly, any extension that requires authenticator processing MUST return
+an authenticator extension output to let the Relying Party know that the extension was honored by the authenticator. If an
 extension does not otherwise require any result values, it SHOULD be defined as returning a JSON Boolean client extension
 output result, set to true to signify that the extension was understood and processed. Likewise, any authenticator
 extension that does not otherwise require any result values MUST return a value and SHOULD return a CBOR Boolean authenticator extension output result, set to true to signify that the extension was understood and processed.
        
    
        9.3. Extending Request Parameters
        
    
        An extension defines one or two request arguments. The client extension input,
-which is a value that can be encoded in JSON, is passed from the WebAuthn Relying Party to the client
-in the get() or create() call,
+which is a value that can be encoded in JSON, is passed from the WebAuthn Relying Party to the client
+in the get() or create() call,
 while the CBOR authenticator extension input is
 passed from the client to the authenticator for authenticator extensions during the processing of these calls.
        
-   
        A Relying Party simultaneously requests the use of an extension and sets its client extension input by including an entry in the extensions option to the create() or get() call.
-The entry key is the extension identifier and the value is the client extension input.
        
-   
        Note: Other documents have specified extensions where the extension input does not always use the extension identifier as the entry key.
+   
        A Relying Party simultaneously requests the use of an extension and sets its client extension input by including an entry in the extensions option to the create() or get() call.
+The entry key is the extension identifier and the value is the client extension input.
        
+   
        Note: Other documents have specified extensions where the extension input does not always use the extension identifier as the entry key.
 New extensions SHOULD follow the above convention.
        
 
        var assertionPromise = navigator.credentials.get({
     publicKey: {
@@ -6742,16 +6824,16 @@ 
        client extension input. Clients SHOULD ignore extensions with
-an invalid client extension input. If an extension does not require any parameters from the Relying Party, it SHOULD be defined
-as taking a Boolean client argument, set to true to signify that the extension is requested by the Relying Party.
        
+an invalid client extension input. If an extension does not require any parameters from the Relying Party, it SHOULD be defined
+as taking a Boolean client argument, set to true to signify that the extension is requested by the Relying Party.
        
    
        Extensions that only affect client processing need not specify authenticator extension input. Extensions that have
 authenticator processing MUST specify the method of computing the authenticator extension input from the client extension
 input,
-and MUST define extensions for the CDDL types AuthenticationExtensionsAuthenticatorInputs and AuthenticationExtensionsAuthenticatorOutputs by defining an additional choice for the $$extensionInput and $$extensionOutput group sockets using the extension identifier as the entry key.
+and MUST define extensions for the CDDL types AuthenticationExtensionsAuthenticatorInputs and AuthenticationExtensionsAuthenticatorOutputs by defining an additional choice for the $$extensionInput and $$extensionOutput group sockets using the extension identifier as the entry key.
 Extensions that do not require input parameters, and are thus defined as taking a Boolean client extension input value set to true,
 SHOULD define the authenticator extension input also as the constant Boolean value true (CBOR major type
 7, value 21).
        
-   
        The following example defines that an extension with identifier webauthnExample_foobar takes an unsigned integer as authenticator extension input,
+   
        The following example defines that an extension with identifier webauthnExample_foobar takes an unsigned integer as authenticator extension input,
 and returns an array of at least one byte string as authenticator extension output:
        
 
        $$extensionInput //= (
   webauthnExample_foobar: uint
@@ -6763,10 +6845,10 @@ 
        Note: Extensions should aim to define authenticator arguments that are as small as possible. Some authenticators communicate
     over low-bandwidth links such as Bluetooth Low-Energy or NFC.
        
    
        9.4. Client Extension Processing
        
-   
        Extensions MAY define additional processing requirements on the client during the creation of credentials or the
+   
        Extensions MAY define additional processing requirements on the client during the creation of credentials or the
 generation of an assertion. The client extension input for the extension is used as an input to this client processing.
-For each supported client extension, the client adds an entry to the clientExtensions map with the extension identifier as the key, and the extension’s client extension input as the value.
        
-   
        Likewise, the client extension outputs are represented as a dictionary in the result of getClientExtensionResults() with extension identifiers as keys, and the client extension output value of each extension as the value.
+For each supported client extension, the client adds an entry to the clientExtensions map with the extension identifier as the key, and the extension’s client extension input as the value.
        
+   
        Likewise, the client extension outputs are represented as a dictionary in the result of getClientExtensionResults() with extension identifiers as keys, and the client extension output value of each extension as the value.
 Like the client extension input, the client extension output is a value that can be encoded in JSON.
 There MUST NOT be any values returned for ignored extensions.
        
    
        Extensions that require authenticator processing MUST define
@@ -6774,11 +6856,13 @@ 
        CBOR authenticator extension output, and the unsigned extension output if used, can be
 used to determine the client extension output.
        
    
        9.5. Authenticator Extension Processing
        
-   
        The CBOR authenticator extension input value of each processed authenticator extension is included in the extensions parameter of the authenticatorMakeCredential and authenticatorGetAssertion operations. The extensions parameter is a CBOR map where each key is an extension identifier and the corresponding value is the authenticator extension input for that extension.
        
-   
        Likewise, the extension output is represented in the extensions part of the authenticator data. The extensions part of the authenticator data is a CBOR map where each key is an extension identifier and the corresponding value is the authenticator extension output for that extension.
        
-   
        Unsigned extension outputs are represented independently from authenticator data and returned by authenticators
-as a separate map, keyed with the same extension identifier. This map only contains entries for authenticator
-extensions that make use of unsigned outputs.
        
+   
        The CBOR authenticator extension input value of each processed authenticator extension is included in the extensions parameter of the authenticatorMakeCredential and authenticatorGetAssertion operations. The extensions parameter is a CBOR map where each key is an extension identifier and the corresponding value is the authenticator extension input for that extension.
        
+   
        Likewise, the extension output is represented in the extensions part of the authenticator data. The extensions part of the authenticator data is a CBOR map where each key is an extension identifier and the corresponding value is the authenticator extension output for that extension.
        
+   
        Unsigned extension outputs are represented independently from authenticator data and returned by authenticators
+as a separate map, keyed with the same extension identifier. This map only contains entries for authenticator
+extensions that make use of unsigned outputs. Unsigned outputs are useful when extensions output a signature over
+the authenticator data (because otherwise a signature would have to sign over itself, which isn’t possible) or when
+some extension outputs should not be sent to the Relying Party.
        
    
        Note: In [FIDO-CTAP] unsigned extension outputs are returned as a CBOR map in a top-level field named unsignedExtensionOutputs from both authenticatorMakeCredential and authenticatorGetAssertion.
        
    
        For each supported extension, the authenticator extension processing rule for that extension is used create the authenticator extension output, and unsigned extension output if used, from the authenticator extension input and possibly also other inputs.
 There MUST NOT be any values returned for ignored extensions.
        
@@ -6789,13 +6873,13 @@ 
        10.1. Client Extensions
        
    
        This section defines extensions that are only client extensions.
        
    
        10.1.1. FIDO AppID Extension (appid)
        
-   
        This extension allows WebAuthn Relying Parties that have previously registered a
-credential using the legacy FIDO U2F JavaScript API [FIDOU2FJavaScriptAPI] to request an assertion. The
-FIDO APIs use an alternative identifier for Relying Parties called an AppID [FIDO-APPID], and any credentials created using those APIs will be scoped to
+   
        This extension allows WebAuthn Relying Parties that have previously registered a
+credential using the legacy FIDO U2F JavaScript API [FIDOU2FJavaScriptAPI] to request an assertion. The
+FIDO APIs use an alternative identifier for Relying Parties called an AppID [FIDO-APPID], and any credentials created using those APIs will be scoped to
 that identifier. Without this extension, they would need to be re-registered in
 order to be scoped to an RP ID.
        
    
        In addition to setting the appid extension input,
-using this extension requires some additional processing by the Relying Party in order to allow users to authenticate using their registered U2F credentials:
        
+using this extension requires some additional processing by the Relying Party in order to allow users to authenticate using their registered U2F credentials:
        
    
          
     
        1. 
      
          List the desired U2F credentials in the allowCredentials option
@@ -6818,8 +6902,8 @@ 
          
    
          Note: appid should be set to the AppID
-that the Relying Party previously used in the legacy FIDO APIs.
-This might not be the same as the result of translating the Relying Party's WebAuthn RP ID to the AppID format,
+that the Relying Party previously used in the legacy FIDO APIs.
+This might not be the same as the result of translating the Relying Party's WebAuthn RP ID to the AppID format,
 e.g., the previously used AppID may have been "https://accounts.example.com"
 but the currently used RP ID might be "example.com".
          
    
          
@@ -6833,20 +6917,20 @@ 
          
      
          A single USVString specifying a FIDO AppID.
          
 
          partial dictionary AuthenticationExtensionsClientInputs {
-  USVString appid;
+  USVString appid;
 };
 
          
     
          Client extension processing
     
          
      
            
       
          1. 
-       
            Let facetId be the result of passing the caller’s origin to the
+       
            Let facetId be the result of passing the caller’s origin to the
 FIDO algorithm for determining the FacetID of a calling application.
            
       
          2. 
        
            Let appId be the extension input.
            
       
          3. 
        
            Pass facetId and appId to the FIDO algorithm for determining if a
-caller’s FacetID is authorized for an AppID. If that algorithm rejects appId then return a "SecurityError" DOMException.
            
+caller’s FacetID is authorized for an AppID. If that algorithm rejects appId then return a "SecurityError" DOMException.
            
       
          4. 
        
            When building allowCredentialDescriptorList,
 if a U2F authenticator indicates that a credential is inapplicable (i.e. by
@@ -6857,18 +6941,18 @@ 
            Let output be the Boolean value false.
            
       
          5. 
        
            When creating assertionCreationData,
-if the assertion was created by a U2F authenticator with the U2F application parameter set to the SHA-256 hash of appId instead of the SHA-256 hash of the RP ID, set output to true.
            
+if the assertion was created by a U2F authenticator with the U2F application parameter set to the SHA-256 hash of appId instead of the SHA-256 hash of the RP ID, set output to true.
            
      
          
    
          
    
          Note: In practice, several implementations do not implement steps four and onward of the
 algorithm for determining if a caller’s FacetID is authorized for an AppID.
-Instead, in step three, the comparison on the host is relaxed to accept hosts on the same site.
          
+Instead, in step three, the comparison on the host is relaxed to accept hosts on the same site.
          
    
          
     
          Client extension output
     
          
-     
          Returns the value of output. If true, the AppID was used and thus, when verifying the assertion, the Relying Party MUST expect the rpIdHash to be the hash of the AppID, not the RP ID.
          
+     
          Returns the value of output. If true, the AppID was used and thus, when verifying the assertion, the Relying Party MUST expect the rpIdHash to be the hash of the AppID, not the RP ID.
          
 
          partial dictionary AuthenticationExtensionsClientOutputs {
-  boolean appid;
+  boolean appid;
 };
 
          
     
          Authenticator extension input
@@ -6882,8 +6966,8 @@ 
          None.
          
    
          
    
          10.1.2. FIDO AppID Exclusion Extension (appidExclude)
          
-   
          This registration extension allows WebAuthn Relying Parties to exclude authenticators that contain specified credentials that were created with the legacy FIDO U2F JavaScript API [FIDOU2FJavaScriptAPI].
          
-   
          During a transition from the FIDO U2F JavaScript API, a Relying Party may have a population of users with legacy credentials already registered. The appid extension allows the sign-in flow to be transitioned smoothly but, when transitioning the registration flow, the excludeCredentials field will not be effective in excluding authenticators with legacy credentials because its contents are taken to be WebAuthn credentials. This extension directs client platforms to consider the contents of excludeCredentials as both WebAuthn and legacy FIDO credentials. Note that U2F key handles commonly use base64url encoding but must be decoded to their binary form when used in excludeCredentials.
          
+   
          This registration extension allows WebAuthn Relying Parties to exclude authenticators that contain specified credentials that were created with the legacy FIDO U2F JavaScript API [FIDOU2FJavaScriptAPI].
          
+   
          During a transition from the FIDO U2F JavaScript API, a Relying Party may have a population of users with legacy credentials already registered. The appid extension allows the sign-in flow to be transitioned smoothly but, when transitioning the registration flow, the excludeCredentials field will not be effective in excluding authenticators with legacy credentials because its contents are taken to be WebAuthn credentials. This extension directs client platforms to consider the contents of excludeCredentials as both WebAuthn and legacy FIDO credentials. Note that U2F key handles commonly use base64url encoding but must be decoded to their binary form when used in excludeCredentials.
          
    
          
     
          Extension identifier
     
          
@@ -6895,7 +6979,7 @@ 
          partial dictionary AuthenticationExtensionsClientInputs {
-  USVString appidExclude;
+  USVString appidExclude;
 };
 
        
     
        Client extension processing
@@ -6906,15 +6990,15 @@ 
        establishing the RP ID perform these steps:
        
        
          
         
        1. 
-         
          Let facetId be the result of passing the caller’s origin to the FIDO algorithm
+         
          Let facetId be the result of passing the caller’s origin to the FIDO algorithm
 for determining the FacetID of a calling application.
          
         
        2. 
          
          Let appId be the value of the extension input appidExclude.
          
         
        3. 
          
          Pass facetId and appId to the FIDO algorithm for determining if a caller’s
 FacetID is authorized for an AppID. If the latter algorithm rejects appId then
-return a "SecurityError" DOMException and terminate the creating a new credential algorithm as well as these steps.
          
-         
          Note: In practice, several implementations do not implement steps four and onward of the algorithm for determining if a caller’s FacetID is authorized for an AppID. Instead, in step three, the comparison on the host is relaxed to accept hosts on the same site.
          
+return a "SecurityError" DOMException and terminate the creating a new credential algorithm as well as these steps.
          
+         
          Note: In practice, several implementations do not implement steps four and onward of the algorithm for determining if a caller’s FacetID is authorized for an AppID. Instead, in step three, the comparison on the host is relaxed to accept hosts on the same site.
          
         
        4. 
          
          Otherwise, continue with normal processing.
          
        
        
@@ -6922,7 +7006,7 @@ 
        invoking authenticatorMakeCredential perform these steps:
        
        
          
         
        1. 
-         
          If authenticator supports the U2F protocol [FIDO-U2F-Message-Formats], then for each credential descriptor C in excludeCredentialDescriptorList:
          
+         
          If authenticator supports the U2F protocol [FIDO-U2F-Message-Formats], then for each credential descriptor C in excludeCredentialDescriptorList:
          
          
            
           
          1. 
            
            Check whether C was created using U2F on authenticator by sending a U2F_AUTHENTICATE message to authenticator whose "five parts" are set to the following values:
            
@@ -6958,9 +7042,9 @@ 
            Relying Party that the extension was acted upon.
            
+     
            Returns the value true to indicate to the Relying Party that the extension was acted upon.
            
 
            partial dictionary AuthenticationExtensionsClientOutputs {
-  boolean appidExclude;
+  boolean appidExclude;
 };
 
            
     
            Authenticator extension input
@@ -6974,61 +7058,73 @@ 
            10.1.3. Credential Properties Extension (credProps)
            
-   
            This client registration extension facilitates reporting certain credential properties known by the client to the requesting WebAuthn Relying Party upon creation of a public key credential source as a result of a registration ceremony.
            
+   
            This client registration extension and authentication extension facilitates reporting certain credential properties known by the client to the requesting WebAuthn Relying Party upon creation or use of a public key credential source.
            
    
            
     
            Extension identifier
     
            
      
            credProps
            
     
            Operation applicability
     
            
-     
            Registration
            
+     
            Registration and authentication
            
     
            Client extension input
     
            
-     
            The Boolean value true to indicate that this extension is requested by the Relying Party.
            
+     
            The Boolean value true to indicate that this extension is requested by the Relying Party.
            
 
            partial dictionary AuthenticationExtensionsClientInputs {
-    boolean credProps;
+    boolean credProps;
 };
 
            
     
            Client extension processing
     
            
-     
            None, other than to report on credential properties in the output.
            
+     
              
+      
            1. 
+       
              If processed during a registration ceremony:
              
+       
                
+        
              1. 
+         
                Set rk to the value of the requireResidentKey parameter that was used in the invocation of the authenticatorMakeCredential operation.
                
+       
              
+      
            2. 
+       
              Set authenticatorDisplayName as described in its definition, using some client-specific procedure.
+If no suitable value is found, let authenticatorDisplayName be undefined.
              
+     
            
     
            Client extension output
     
            
-     
            Set clientExtensionResults["credProps"]["rk"] to the value of the requireResidentKey parameter that was used in the invocation of the authenticatorMakeCredential operation.
            
 
            dictionary CredentialPropertiesOutput {
-    boolean rk;
-    USVString authenticatorDisplayName;
+    boolean rk;
+    USVString authenticatorDisplayName;
 };
 
 partial dictionary AuthenticationExtensionsClientOutputs {
-    CredentialPropertiesOutput credProps;
+    CredentialPropertiesOutput credProps;
 };
 
            
      
            
       
            
        
            rk,  of type boolean
        
            
-        
            This OPTIONAL property, known abstractly as the resident key credential property (i.e., client-side discoverable credential property),
-is a Boolean value indicating whether the PublicKeyCredential returned as a result of a registration ceremony is a client-side discoverable credential.
-If rk is true, the credential is a discoverable credential.
-If rk is false, the credential is a server-side credential.
-If rk is not present, it is not known whether the credential is a discoverable credential or a server-side credential.
            
-        
            Note: some authenticators create discoverable credentials even when not requested by the client platform. Because of this, client platforms may be forced to omit the rk property because they lack the assurance to be able to set it to false. Relying Parties should assume that, if the credProps extension is supported, then client platforms will endeavour to populate the rk property. Therefore a missing rk indicates that the created credential is most likely a non-discoverable credential.
            
+        
            This OPTIONAL property, known abstractly as the resident key credential property,
+is a Boolean value indicating whether the PublicKeyCredential returned as a result of a registration ceremony is a client-side discoverable credential.
+If rk is true, the credential is a discoverable credential.
+If rk is false, the credential is a server-side credential.
+If rk is not present, it is not known whether the credential is a discoverable credential or a server-side credential.
            
+        
            Note: some authenticators create discoverable credentials even when not requested by the client platform. Because of this, client platforms may be forced to omit the rk property because they lack the assurance to be able to set it to false. Relying Parties should assume that, if the credProps extension is supported, then client platforms will endeavour to populate the rk property. Therefore a missing rk indicates that the created credential is most likely a non-discoverable credential.
            
        
            authenticatorDisplayName,  of type USVString
        
            
         
            This OPTIONAL property is a human-palatable description of the credential’s managing authenticator,
 chosen by the user.
            
-        
            The client MUST allow the user to choose this value,
-MAY or MAY not present that choice during registration ceremonies,
-and MAY reuse the same value for multiple credentials with the same managing authenticator across multiple Relying Parties.
            
-        
            The client MAY query the authenticator, by some unspecified mechanism, for this value.
-The authenticator MAY allow the user to configure the response to such a query.
-The authenticator vendor MAY provide a default response to such a query.
-The client MAY consider a user-configured response chosen by the user,
+        
            The client MUST allow the user to choose this value.
+That choice MAY be presented during the registration or authentication ceremony or MAY be made available outside
+the ceremony, for example in client settings. The client MAY reuse the same value
+for multiple credentials with the same managing authenticator across multiple Relying Parties.
            
+        
            The client MAY query the authenticator, by some unspecified mechanism, for this
+value. The authenticator MAY allow the user to configure the response to such a
+query. The authenticator vendor MAY provide a default response to such a query.
+The client MAY consider a user-configured response chosen by the user,
 and SHOULD allow the user to modify a vendor-provided default response.
            
-        
            If the Relying Party includes an authenticatorDisplayName item in credential records,
-the Relying Party MAY offer this value, if present,
-as a default value for the authenticatorDisplayName of the new credential record.
            
+        
            If the Relying Party includes an authenticatorDisplayName item in its credential records,
+the Relying Party MAY offer this authenticatorDisplayName extension output,
+if present, as a default value for the authenticatorDisplayName of the new credential record it stores after a registration ceremony.
            
+        
            If the authenticatorDisplayName extension output from an authentication ceremony is different from the authenticatorDisplayName of the credential record,
+the Relying Party MAY offer the user to update the authenticatorDisplayName of the credential record.
            
       
            
      
            
     
            Authenticator extension input
@@ -7042,49 +7138,49 @@ 
            10.1.4. Pseudo-random function extension (prf)
            
-   
            This client registration extension and authentication extension allows a Relying Party to evaluate outputs from a pseudo-random function (PRF) associated with a credential. The PRFs provided by this extension map from BufferSources of any length to 32-byte BufferSources.
            
-   
            As a motivating example, PRF outputs could be used as symmetric keys to encrypt user data. Such encrypted data would be inaccessible without the ability to get assertions from the associated credential. By using the provision below to evaluate the PRF at two inputs in a single assertion operation, the encryption key could be periodically rotated during assertions by choosing a fresh, random input and reencrypting under the new output. If the evaluation inputs are unpredictable then even an attacker who could satisfy user verification, and who had time-limited access to the authenticator, could not learn the encryption key without also knowing the correct PRF input.
            
+   
            This client registration extension and authentication extension allows a Relying Party to evaluate outputs from a pseudo-random function (PRF) associated with a credential. The PRFs provided by this extension map from BufferSources of any length to 32-byte BufferSources.
            
+   
            As a motivating example, PRF outputs could be used as symmetric keys to encrypt user data. Such encrypted data would be inaccessible without the ability to get assertions from the associated credential. By using the provision below to evaluate the PRF at two inputs in a single assertion operation, the encryption key could be periodically rotated during assertions by choosing a fresh, random input and reencrypting under the new output. If the evaluation inputs are unpredictable then even an attacker who could satisfy user verification, and who had time-limited access to the authenticator, could not learn the encryption key without also knowing the correct PRF input.
            
    
            This extension is implemented on top of the [FIDO-CTAP] hmac-secret extension. It is a separate client extension because hmac-secret requires that inputs and outputs be encrypted in a manner that only the user agent can perform, and to provide separation between uses by WebAuthn and any uses by the underlying platform. This separation is achieved by hashing the provided PRF inputs with a context string to prevent evaluation of the PRFs for arbitrary inputs.
            
-   
            The hmac-secret extension provides two PRFs per credential: one which is used for requests where user verification is performed and another for all other requests. This extension only exposes a single PRF per credential and, when implementing on top of hmac-secret, that PRF MUST be the one used for when user verification is performed. This overrides the UserVerificationRequirement if neccessary.
            
-   
            Note: this extension may be implemented for authenticators that do not use [FIDO-CTAP] so long as the behavior observed by a Relying Party is identical.
            
+   
            The hmac-secret extension provides two PRFs per credential: one which is used for requests where user verification is performed and another for all other requests. This extension only exposes a single PRF per credential and, when implementing on top of hmac-secret, that PRF MUST be the one used for when user verification is performed. This overrides the UserVerificationRequirement if neccessary.
            
+   
            Note: this extension may be implemented for authenticators that do not use [FIDO-CTAP] so long as the behavior observed by a Relying Party is identical.
            
    
            
     
            Extension identifier
     
            
      
            prf
            
     
            Operation applicability
     
            
-     
            Registration and authentication
            
+     
            Registration and authentication
            
     
            Client extension input
     
            
 
            dictionary AuthenticationExtensionsPRFValues {
-    required BufferSource first;
-    BufferSource second;
+    required BufferSource first;
+    BufferSource second;
 };
 
 dictionary AuthenticationExtensionsPRFInputs {
-    AuthenticationExtensionsPRFValues eval;
-    record<USVString, AuthenticationExtensionsPRFValues> evalByCredential;
+    AuthenticationExtensionsPRFValues eval;
+    record<USVString, AuthenticationExtensionsPRFValues> evalByCredential;
 };
 
 partial dictionary AuthenticationExtensionsClientInputs {
-    AuthenticationExtensionsPRFInputs prf;
+    AuthenticationExtensionsPRFInputs prf;
 };
 
            
      
            
       
            
        
            eval,  of type AuthenticationExtensionsPRFValues
        
            
-        
            One or two inputs on which to evaluate PRF. Not all authenticators support evaluating the PRFs during credential creation so outputs may, or may not, be provided. If not, then an assertion is needed in order to obtain the outputs.
            
+        
            One or two inputs on which to evaluate PRF. Not all authenticators support evaluating the PRFs during credential creation so outputs may, or may not, be provided. If not, then an assertion is needed in order to obtain the outputs.
            
        
            evalByCredential,  of type record<USVString, AuthenticationExtensionsPRFValues>
        
            
-        
            A record mapping base64url encoded credential IDs to PRF inputs to evaluate for that credential. Only applicable during assertions when allowCredentials is not empty.
            
+        
            A record mapping base64url encoded credential IDs to PRF inputs to evaluate for that credential. Only applicable during assertions when allowCredentials is not empty.
            
       
            
      
            
     
            Client extension processing (registration)
     
            
      
              
       
            1. 
-       
              If evalByCredential is present, return a DOMException whose name is “NotSupportedError”.
              
+       
              If evalByCredential is present, return a DOMException whose name is “NotSupportedError”.
              
       
            2. 
        
              Set hmac-secret to true in the authenticator extensions input.
              
       
            3. 
@@ -7100,13 +7196,13 @@ 
              results to the decrypted PRF result(s), if any.
              
      
            
-    
            Client extension processing (authentication)
+    
            Client extension processing (authentication)
     
            
      
              
       
            1. 
-       
              If evalByCredential is not empty but allowCredentials is empty, return a DOMException whose name is “NotSupportedError”.
              
+       
              If evalByCredential is not empty but allowCredentials is empty, return a DOMException whose name is “NotSupportedError”.
              
       
            2. 
-       
              If any key in evalByCredential is the empty string, or is not a valid base64url encoding, or does not equal the id of some element of allowCredentials after performing base64url decoding, then return a DOMException whose name is “SyntaxError”.
              
+       
              If any key in evalByCredential is the empty string, or is not a valid base64url encoding, or does not equal the id of some element of allowCredentials after performing base64url decoding, then return a DOMException whose name is “SyntaxError”.
              
       
            3. 
        
              Initialize the prf extension output to an empty dictionary.
              
       
            4. 
@@ -7125,23 +7221,23 @@ 
              second is present, let salt2 be the value of SHA-256(UTF8Encode("WebAuthn PRF") || 0x00 || ev.second).
              
         
            5. 
-         
              Send an hmac-secret extension to the authenticator using the values of salt1 and, if set, salt2 as the parameters of the same name in that process.
              
+         
              Send an hmac-secret extension to the authenticator using the values of salt1 and, if set, salt2 as the parameters of the same name in that process.
              
         
            6. 
          
              Decrypt the extension result and set results to the PRF result(s), if any.
              
        
            
      
          
     
          Authenticator extension input / processing / output
     
          
-     
          This extension uses the [FIDO-CTAP] hmac-secret extension when communicating with the authenticator. It thus does not specify any direct authenticator interaction for Relying Parties.
          
+     
          This extension uses the [FIDO-CTAP] hmac-secret extension when communicating with the authenticator. It thus does not specify any direct authenticator interaction for Relying Parties.
          
     
          Client extension output
     
          
 
          dictionary AuthenticationExtensionsPRFOutputs {
-    boolean enabled;
-    AuthenticationExtensionsPRFValues results;
+    boolean enabled;
+    AuthenticationExtensionsPRFValues results;
 };
 
 partial dictionary AuthenticationExtensionsClientOutputs {
-    AuthenticationExtensionsPRFOutputs prf;
+    AuthenticationExtensionsPRFOutputs prf;
 };
 
          
      
          
@@ -7156,25 +7252,25 @@ 
          10.1.5. Large blob storage extension (largeBlob)
          
-   
          This client registration extension and authentication extension allows a Relying Party to store opaque data associated with a credential. Since authenticators can only store small amounts of data, and most Relying Parties are online services that can store arbitrary amounts of state for a user, this is only useful in specific cases. For example, the Relying Party might wish to issue certificates rather than run a centralised authentication service.
          
-   
          Note: Relying Parties can assume that the opaque data will be compressed when being written to a space-limited device and so need not compress it themselves.
          
-   
          Since a certificate system needs to sign over the public key of the credential, and that public key is only available after creation, this extension does not add an ability to write blobs in the registration context. However, Relying Parties SHOULD use the registration extension when creating the credential if they wish to later use the authentication extension.
          
+   
          This client registration extension and authentication extension allows a Relying Party to store opaque data associated with a credential. Since authenticators can only store small amounts of data, and most Relying Parties are online services that can store arbitrary amounts of state for a user, this is only useful in specific cases. For example, the Relying Party might wish to issue certificates rather than run a centralised authentication service.
          
+   
          Note: Relying Parties can assume that the opaque data will be compressed when being written to a space-limited device and so need not compress it themselves.
          
+   
          Since a certificate system needs to sign over the public key of the credential, and that public key is only available after creation, this extension does not add an ability to write blobs in the registration context. However, Relying Parties SHOULD use the registration extension when creating the credential if they wish to later use the authentication extension.
          
    
          Since certificates are sizable relative to the storage capabilities of typical authenticators, user agents SHOULD consider what indications and confirmations are suitable to best guide the user in allocating this limited resource and prevent abuse.
          
-   
          Note: In order to interoperate, user agents storing large blobs on authenticators using [FIDO-CTAP] are expected to use the provisions detailed in that specification for storing large, per-credential blobs.
          
+   
          Note: In order to interoperate, user agents storing large blobs on authenticators using [FIDO-CTAP] are expected to use the provisions detailed in that specification for storing large, per-credential blobs.
          
    
          Note: Roaming authenticators that use [FIDO-CTAP] as their cross-platform transport protocol only support this Large Blob extension for discoverable credentials,
 and might return an error unless authenticatorSelection.residentKey is set to preferred or required.
-However, authenticators that do not utilize [FIDO-CTAP] do not necessarily restrict this extension to discoverable credentials.
          
+However, authenticators that do not utilize [FIDO-CTAP] do not necessarily restrict this extension to discoverable credentials.
          
    
          
     
          Extension identifier
     
          
      
          largeBlob
          
     
          Operation applicability
     
          
-     
          Registration and authentication
          
+     
          Registration and authentication
          
     
          Client extension input
     
          
 
          partial dictionary AuthenticationExtensionsClientInputs {
-    AuthenticationExtensionsLargeBlobInputs largeBlob;
+    AuthenticationExtensionsLargeBlobInputs largeBlob;
 };
 
 enum LargeBlobSupport {
@@ -7183,22 +7279,22 @@ 
          <
 };
 
 dictionary AuthenticationExtensionsLargeBlobInputs {
-    DOMString support;
-    boolean read;
-    BufferSource write;
+    DOMString support;
+    boolean read;
+    BufferSource write;
 };
 
          
      
          
       
          
-       
          support,  of type DOMString
+       
          support,  of type DOMString
        
          
         
          A DOMString that takes one of the values of LargeBlobSupport. (See § 2.1.1 Enumerations as DOMString types.) Only valid during registration.
          
        
          read,  of type boolean
        
          
-        
          A boolean that indicates that the Relying Party would like to fetch the previously-written blob associated with the asserted credential. Only valid during authentication.
          
+        
          A boolean that indicates that the Relying Party would like to fetch the previously-written blob associated with the asserted credential. Only valid during authentication.
          
        
          write,  of type BufferSource
        
          
-        
          An opaque byte string that the Relying Party wishes to store with the existing credential. Only valid during authentication.
          
+        
          An opaque byte string that the Relying Party wishes to store with the existing credential. Only valid during authentication.
          
       
          
      
          
     
          Client extension processing (registration)
@@ -7208,7 +7304,7 @@ 
          <
        
          If read or write is present:
          
        
            
         
          1. 
-         
            Return a DOMException whose name is “NotSupportedError”.
            
+         
            Return a DOMException whose name is “NotSupportedError”.
            
        
          
       
        2. 
        
          If support is present and has the value required:
          
@@ -7216,10 +7312,10 @@ 
          <
         
        3. 
          
          Set supported to true.
          
          
          Note: This is in anticipation of an authenticator capable of storing large blobs becoming available.
-   It occurs during extension processing in Step 12 of [[Create]]().
+   It occurs during extension processing in step 12 of [[Create]]().
    The AuthenticationExtensionsLargeBlobOutputs will be abandoned if no satisfactory authenticator becomes available.
          
         
        4. 
-         
          If a candidate authenticator becomes available (Step 20 of [[Create]]()) then,
+         
          If a candidate authenticator becomes available (step 21 of [[Create]]()) then,
   before evaluating any options, continue (i.e. ignore the candidate authenticator)
   if the candidate authenticator is not capable of storing large blobs.
          
        
        
@@ -7230,20 +7326,20 @@ 
        <
          
        If an authenticator is selected and the selected authenticator supports large blobs, set supported to true, and false otherwise.
        
        
      
      
    
-    
    Client extension processing (authentication)
+    
    Client extension processing (authentication)
     
    
      
      
       
    1. 
        
      If support is present:
      
        
        
         
      1. 
-         
        Return a DOMException whose name is “NotSupportedError”.
        
+         
        Return a DOMException whose name is “NotSupportedError”.
        
        
      
       
    2. 
        
      If both read and write are present:
      
        
        
         
      1. 
-         
        Return a DOMException whose name is “NotSupportedError”.
        
+         
        Return a DOMException whose name is “NotSupportedError”.
        
        
      
       
    3. 
        
      If read is present and has the value true:
      
@@ -7263,10 +7359,10 @@ 
      <
          
      If allowCredentials does not contain exactly one element:
      
          
        
           
      1. 
-           
        Return a DOMException whose name is “NotSupportedError”.
        
+           
        Return a DOMException whose name is “NotSupportedError”.
        
          
      
         
    4. 
-         
      If the assertion operation is successful, attempt to store the contents of write on the authenticator, associated with the indicated credential.
      
+         
      If the assertion operation is successful, attempt to store the contents of write on the authenticator, associated with the indicated credential.
      
         
    5. 
          
      Set written to true if successful and false otherwise.
      
        
    
@@ -7274,13 +7370,13 @@ 
    <
     
    Client extension output
     
    
 
    partial dictionary AuthenticationExtensionsClientOutputs {
-    AuthenticationExtensionsLargeBlobOutputs largeBlob;
+    AuthenticationExtensionsLargeBlobOutputs largeBlob;
 };
 
 dictionary AuthenticationExtensionsLargeBlobOutputs {
-    boolean supported;
-    ArrayBuffer blob;
-    boolean written;
+    boolean supported;
+    ArrayBuffer blob;
+    boolean written;
 };
 
    
      
    
@@ -7288,164 +7384,74 @@ 
    <
        
    supported,  of type boolean
        
    
         
    true if, and only if, the created credential supports storing large blobs. Only present in registration outputs.
    
-       
    blob,  of type ArrayBuffer
+       
    blob,  of type ArrayBuffer
        
    
         
    The opaque byte string that was associated with the credential identified by rawId. Only valid if read was true.
    
        
    written,  of type boolean
        
    
-        
    A boolean that indicates that the contents of write were successfully stored on the authenticator, associated with the specified credential.
    
+        
    A boolean that indicates that the contents of write were successfully stored on the authenticator, associated with the specified credential.
    
       
      
    
     
    Authenticator extension processing
     
    
-     
    This extension directs the user-agent to cause the large blob to be stored on, or retrieved from, the authenticator. It thus does not specify any direct authenticator interaction for Relying Parties.
    
+     
    This extension directs the user-agent to cause the large blob to be stored on, or retrieved from, the authenticator. It thus does not specify any direct authenticator interaction for Relying Parties.
    
    
    
    10.2. Authenticator Extensions
    
    
    This section defines extensions that are both client extensions and authenticator extensions.
    
-   
    10.2.1. User Verification Method Extension (uvm)
    
-   
    This extension enables use of a user verification method.
    
-   
    
-    
    Extension identifier
-    
    
-     
    uvm
    
-    
    Operation applicability
-    
    
-     
    Registration and Authentication
    
-    
    Client extension input
-    
    
-     
    The Boolean value true to indicate that this extension is requested by the Relying Party.
    
-
    partial dictionary AuthenticationExtensionsClientInputs {
-  boolean uvm;
-};
-
    
-    
    Client extension processing
-    
    
-     
    None, except creating the authenticator extension input from the client extension input.
    
-    
    Client extension output
-    
    
-     
    Returns a JSON array of 3-element arrays of numbers that encodes the factors in the authenticator extension output.
    
-
    typedef sequence<unsigned long> UvmEntry;
-typedef sequence<UvmEntry> UvmEntries;
-
-partial dictionary AuthenticationExtensionsClientOutputs {
-  UvmEntries uvm;
-};
-
    
-    
    Authenticator extension input
-    
    
-     
    The Boolean value true, encoded in CBOR (major type 7, value 21).
    
-
    $$extensionInput //= (
-  uvm: true,
-)
-
    
-    
    Authenticator extension processing
-    
    
-     
    The authenticator sets the authenticator extension output to be one or more user verification methods indicating the method(s) used
-by the user to authorize the operation, as defined below. This extension can be added to attestation objects and assertions.
    
-    
    Authenticator extension output
-    
    
-     
    Authenticators can report up to 3 different user verification methods (factors) used in a single authentication instance,
-using the CBOR syntax defined below:
    
-
    $$extensionOutput //= (
-  uvm: [ 1*3 uvmEntry ],
-)
-
-uvmEntry = [
-               userVerificationMethod: uint .size 4,
-               keyProtectionType: uint .size 2,
-               matcherProtectionType: uint .size 2
-           ]
-
    
-     
    The semantics of the fields in each uvmEntry are as follows:
    
-     
    
-      
    userVerificationMethod
-      
    
-       
    The authentication method/factor used by the authenticator to verify the user. Available values are defined in Section 3.1 User Verification Methods of [FIDO-Registry].
    
-      
    keyProtectionType
-      
    
-       
    The method used by the authenticator to protect the FIDO registration private key material. Available values are defined
-in Section 3.2 Key Protection Types of [FIDO-Registry].
    
-      
    matcherProtectionType
-      
    
-       
    The method used by the authenticator to protect the matcher that performs user verification. Available values are defined
-in Section 3.3 Matcher Protection Types of [FIDO-Registry].
    
-     
    
-     
    If >3 factors can be used in an authentication instance the authenticator vendor MUST select the 3 factors it believes
-will be most relevant to the Server to include in the UVM.
    
-     
    Example for authenticator data containing one UVM extension for a multi-factor authentication instance where 2 factors
-were used:
    
-
    ...                    -- RP ID hash (32 bytes)
-81                     -- UP and ED set
-00 00 00 01            -- (initial) signature counter
-...                    -- all public key alg etc.
-A1                     -- extension: CBOR map of one element
-    63                 -- Key 1: CBOR text string of 3 bytes
-        75 76 6d       -- "uvm" [=UTF-8 encoded=] string
-    82                 -- Value 1: CBOR array of length 2 indicating two factor usage
-        83              -- Item 1: CBOR array of length 3
-            02           -- Subitem 1: CBOR integer for User Verification Method Fingerprint
-            04           -- Subitem 2: CBOR short for Key Protection Type TEE
-            02           -- Subitem 3: CBOR short for Matcher Protection Type TEE
-        83              -- Item 2: CBOR array of length 3
-            04           -- Subitem 1: CBOR integer for User Verification Method Passcode
-            01           -- Subitem 2: CBOR short for Key Protection Type Software
-            01           -- Subitem 3: CBOR short for Matcher Protection Type Software
-
    
-   
    
-   
    10.2.2. Supplemental public keys extension (supplementalPubKeys)
    
-   
    This authenticator registration extension and authentication extension provides a Relying Party with additional public key(s) for credentials. This is done by creating user credential-specific key pairs on the authenticator, when required key pairs do not already exist for the user credential being created or exercised, and returning these supplemental keys (along with signatures by them) to the Relying Party. This is done each time this supplementalPubKeys extension is included with either a navigator.credentials.create() or navigator.credentials.get() call.
    
-   
    If the authenticator is incapable of generating a supplemental key pair, or the registration or authentication operation fails for any reason, that key pair is omitted from the output. If no supplemental key pairs remain then this extension is ignored. In this case, there is no supplementalPubKeys extension output generated.
    
-   
    Supplemental keys are not user credentials and they do not have their own credential IDs. Instead, any returned keys are a contextual attribute of their associated user credential. That is, when that user credential is used—along with the supplementalPubKeys extension—on a particular authenticator, a particular set of supplemental keys are returned by the extension, along with signatures demonstrating proof-of-possession of those keys.
    
+   
    10.2.1. Supplemental public keys extension (supplementalPubKeys)
    
+   
    This authenticator registration extension and authentication extension provides a Relying Party with additional public key(s) for credentials. This is done by creating user credential-specific key pairs on the authenticator, when required key pairs do not already exist for the user credential being created or exercised, and returning these supplemental keys (along with signatures by them) to the Relying Party. This is done each time this supplementalPubKeys extension is included with either a navigator.credentials.create() or navigator.credentials.get() call.
    
+   
    If the authenticator is incapable of generating a supplemental key pair, or the registration or authentication operation fails for any reason, that key pair is omitted from the output. If no supplemental key pairs remain then this extension is ignored. In this case, there is no supplementalPubKeys extension output generated.
    
+   
    Supplemental keys are not user credentials and they do not have their own credential IDs. Instead, any returned keys are a contextual attribute of their associated user credential. That is, when that user credential is used—along with the supplementalPubKeys extension—on a particular authenticator, a particular set of supplemental keys are returned by the extension, along with signatures demonstrating proof-of-possession of those keys.
    
    
    Supplemental keys never have a scope that is larger than the user credential. That is, they are never shared between any two user credentials and can never be used to link two user credentials together. They only communicate continuity of some property of their associated user credential.
    
-   
    10.2.2.1. Relying Party Usage
    
-   
    This extension is intended for use by those Relying Parties employing risk-analysis systems informing their sign-in decisions. This extension signals the continuity of some property when used consistently with both navigator.credentials.create() and navigator.credentials.get() operations. The property being signaled depends on the scope of the supplemental key and its attestation statement, if any. The clearest example of a supplemental key is one that is device-bound. Repeated observation of a device-bound supplemental key indicates that a credential is being used repeatedly from the same device. (Which cannot be otherwise assumed in the case of backup eligible credentials.) But supplemental keys with wider scopes are also defined and the exact properties that they communicate depend on the attestation included along with them.
    
-   
    When a Relying Party uses the supplementalPubKeys extension with a create() call to create a new user credential, a signature by one or more new supplemental keys may be returned along with the new supplemental public keys themselves. For the sake of example, assume that a single supplemental public key is returned, called “SPK1”. For as long as the user credential is exercised within the scope of the supplemental key, the Relying Party's subsequent get() operations for that credential will likely generate assertions including further signatures by “SPK1”.
    
+   
    10.2.1.1. Relying Party Usage
    
+   
    This extension is intended for use by those Relying Parties employing risk-analysis systems informing their sign-in decisions. This extension signals the continuity of some property when used consistently with both navigator.credentials.create() and navigator.credentials.get() operations. The property being signaled depends on the scope of the supplemental key and its attestation statement, if any. The clearest example of a supplemental key is one that is device-bound. Repeated observation of a device-bound supplemental key indicates that a credential is being used repeatedly from the same device. (Which cannot be otherwise assumed in the case of backup eligible credentials.) But supplemental keys with wider scopes are also defined and the exact properties that they communicate depend on the attestation included along with them.
    
+   
    When a Relying Party uses the supplementalPubKeys extension with a create() call to create a new user credential, a signature by one or more new supplemental keys may be returned along with the new supplemental public keys themselves. For the sake of example, assume that a single supplemental public key is returned, called “SPK1”. For as long as the user credential is exercised within the scope of the supplemental key, the Relying Party's subsequent get() operations for that credential will likely generate assertions including further signatures by “SPK1”.
    
    
    The credential may move beyond the scope of that supplemental key (for example, by being exported and imported elsewhere, if backup eligible) and, if used in this new domain, the get() operation will return a new supplemental key, SPK2, and its signature. Subsequent get() operations may observe either SPK1 or SPK2, depending on the context in which the user credential is being used.
    
    
    A usage example is thus:
    
    
    
-    
    A sign-in request is received by a website that, by regulation, must require certain authentication standards. The sign-in is done with a multi-device credential, but also includes a supplemental key with an attestation that states that the supplemental key is only synced after a user has met or exceeded those standards. Since that supplemental key has been seen before, and was initially verified to meet the site’s authentication standards, additional sign-in challenges are not required.
    
+    
    A sign-in request is received by a website that, by regulation, must require certain authentication standards. The sign-in is done with a multi-device credential, but also includes a supplemental key with an attestation that states that the supplemental key is only synced after a user has met or exceeded those standards. Since that supplemental key has been seen before, and was initially verified to meet the site’s authentication standards, additional sign-in challenges are not required.
    
    
    
    
    Another example of supplemental keys:
    
    
    
-    
    Say that a sign-in request appears at a website along with some geolocation signal that has not been seen for this user account before, and is outside of the typical usage hours observed for the account. The risk may be deemed high enough not to allow the request, even with an assertion by a multi-device credential on its own. But if a signature from a supplemental key that is device-bound, and that is well established for this user can also be presented, then that may tip the balance.
    
+    
    Say that a sign-in request appears at a website along with some geolocation signal that has not been seen for this user account before, and is outside of the typical usage hours observed for the account. The risk may be deemed high enough not to allow the request, even with an assertion by a multi-device credential on its own. But if a signature from a supplemental key that is device-bound, and that is well established for this user can also be presented, then that may tip the balance.
    
    
    
-   
    The weight that Relying Parties give to the presence of a signature from a supplemental key may be based on information learned from its optional attestation. An attestation can indicate the level of protection enjoyed by a hardware-bound key, or the policies for other types of supplemental key.
    
-   
    10.2.2.2. Extension Definition
    
+   
    The weight that Relying Parties give to the presence of a signature from a supplemental key may be based on information learned from its optional attestation. An attestation can indicate the level of protection enjoyed by a hardware-bound key, or the policies for other types of supplemental key.
    
+   
    10.2.1.2. Extension Definition
    
    
    
     
    Extension identifier
     
    
      
    supplementalPubKeys
    
     
    Operation applicability
     
    
-     
    Registration and authentication
    
+     
    Registration and authentication
    
     
    Client extension input
     
    
 
    dictionary AuthenticationExtensionsSupplementalPubKeysInputs {
-    required sequence<DOMString> scopes;
-    DOMString attestation = "indirect";
-    sequence<DOMString> attestationFormats = [];
+    required sequence<DOMString> scopes;
+    DOMString attestation = "indirect";
+    sequence<DOMString> attestationFormats = [];
 };
 
-partial dictionary AuthenticationExtensionsClientInputs {
-    AuthenticationExtensionsSupplementalPubKeysInputs supplementalPubKeys;
+partial dictionary AuthenticationExtensionsClientInputs {
+    AuthenticationExtensionsSupplementalPubKeysInputs supplementalPubKeys;
 };
 
    
      
    
       
    
-       
    scopes,  of type sequence<DOMString>
+       
    scopes,  of type sequence<DOMString>
        
    
-        
    This required member MUST be non-empty. It specifies the scopes of supplemental public keys that the Relying Party requests. Values are taken from the CDDL below (i.e., currently defined values are provider and device); authenticators silently ignore unrecognized values. Specifying the scopes that a Relying Party can use allows an authenticator to avoid the work of generating superfluous supplemental keys.
    
-       
    attestation,  of type DOMString, defaulting to "indirect"
+        
    This required member MUST be non-empty. It specifies the scopes of supplemental public keys that the Relying Party requests. Values are taken from the CDDL below (i.e., currently defined values are provider and device); authenticators silently ignore unrecognized values. Specifying the scopes that a Relying Party can use allows an authenticator to avoid the work of generating superfluous supplemental keys.
    
+       
    attestation,  of type DOMString, defaulting to "indirect"
        
    
-        
    The Relying Party MAY use this OPTIONAL member to specify a preference regarding attestation conveyance.
-Its value SHOULD be a member of AttestationConveyancePreference. Client platforms MUST ignore unknown values, treating an unknown value as if the member does not exist.
    
+        
    The Relying Party MAY use this OPTIONAL member to specify a preference regarding attestation conveyance.
+Its value SHOULD be a member of AttestationConveyancePreference. Client platforms MUST ignore unknown values, treating an unknown value as if the member does not exist.
    
         
    The default value is indirect.
    
-       
    attestationFormats,  of type sequence<DOMString>, defaulting to []
+       
    attestationFormats,  of type sequence<DOMString>, defaulting to []
        
    
-        
    The Relying Party MAY use this OPTIONAL member to specify a preference regarding the attestation statement format used by the authenticator.
+        
    The Relying Party MAY use this OPTIONAL member to specify a preference regarding the attestation statement format used by the authenticator.
 Values SHOULD be taken from the IANA "WebAuthn Attestation Statement Format Identifiers" registry [IANA-WebAuthn-Registries] established by [RFC8809].
 Values are ordered from most preferable to least preferable.
-This parameter is advisory and the authenticator MAY use an attestation statement not enumerated in this parameter.
    
+This parameter is advisory and the authenticator MAY use an attestation statement not enumerated in this parameter.
    
         
    The default value is the empty list, which indicates no preference.
    
       
    
      
    
@@ -7454,13 +7460,13 @@ 
    supplementalPubKeys is present, the client creates the authenticator extension input from the client extension input.
    
     
    Client extension output
     
    
-     
    A sequence of ArrayBuffers containing the signatures returned as the unsigned extension output.
    
+     
    A sequence of ArrayBuffers containing the signatures returned as the unsigned extension output.
    
 
    dictionary AuthenticationExtensionsSupplementalPubKeysOutputs {
-    sequence<ArrayBuffer> signatures;
+    required sequence<ArrayBuffer> signatures;
 };
 
-partial dictionary AuthenticationExtensionsClientOutputs {
-    AuthenticationExtensionsSupplementalPubKeysOutputs supplementalPubKeys;
+partial dictionary AuthenticationExtensionsClientOutputs {
+    AuthenticationExtensionsSupplementalPubKeysOutputs supplementalPubKeys;
 };
 
    
     
    Authenticator extension input
@@ -7510,7 +7516,7 @@ 
    authenticatorMakeCredential and authenticatorGetAssertion operations:
    
      
      
       
    1. 
-       
      Create or select the public key credential source as usual (see § 6.3.2 The authenticatorMakeCredential Operation, or § 6.3.3 The authenticatorGetAssertion Operation as appropriate).
      
+       
      Create or select the public key credential source as usual (see § 6.3.2 The authenticatorMakeCredential Operation, or § 6.3.3 The authenticatorGetAssertion Operation as appropriate).
      
       
    2. 
-       
      Let scopes be the set of all supplemental public key scopes that the authenticator supports. Update scopes to be the intersection of itself and scopes. If scopes is empty, terminate these processing steps with no extension output.
      
+       
      Let scopes be the set of all supplemental public key scopes that the authenticator supports. Update scopes to be the intersection of itself and scopes. If scopes is empty, terminate these processing steps with no extension output.
      
       
    3. 
        
      Let spks and spkSigs be empty arrays.
      
       
    4. 
@@ -7572,31 +7578,31 @@ 
      For each scope in scopes:
      
        
        
         
      1. 
-         
        If a supplemental key with scope scope does not already exist for this {Credential ID, RP ID, userHandle} tuple on the authenticator, create it using the same public key algorithm as that used by the user credential's credential key pair, otherwise locate the existing supplemental key.
        
+         
        If a supplemental key with scope scope does not already exist for this {Credential ID, RP ID, userHandle} tuple on the authenticator, create it using the same public key algorithm as that used by the user credential's credential key pair, otherwise locate the existing supplemental key.
        
         
      2. 
-         
        Let attFormat be the chosen attestation statement format, and attAaguid be a 16-byte value, based on the value of attestation in the extension input:
        
+         
        Let attFormat be the chosen attestation statement format, and attAaguid be a 16-byte value, based on the value of attestation in the extension input:
        
          
        
           
        none
           
        
-           
        attFormat is "none" or "self", at the authenticator’s discretion, and attAaguid is 16 zero bytes. (Note that, since the supplemental public key is already exercised during navigator.credentials.create() calls, the proof-of-possession property provided by "self" attestation is superfluous in that context.)
        
+           
        attFormat is "none" or "self", at the authenticator’s discretion, and attAaguid is 16 zero bytes. (Note that, since the supplemental public key is already exercised during navigator.credentials.create() calls, the proof-of-possession property provided by "self" attestation is superfluous in that context.)
        
           
        indirect, direct
           
        
-           
        attFormat is an attestation statement format appropriate for this authenticator based on attestationFormats, and attAaguid is the corresponding AAGUID, which MAY be the authenticator’s AAGUID. (Since the supplemental public key's scope is different from the user credential, it will often have a different attestation. For example, the attestation for a supplemental public key with “device” scope can be tied to hardware roots of trust, although it does not have to be.)
        
+           
        attFormat is an attestation statement format appropriate for this authenticator based on attestationFormats, and attAaguid is the corresponding AAGUID, which MAY be the authenticator’s AAGUID. (Since the supplemental public key's scope is different from the user credential, it will often have a different attestation. For example, the attestation for a supplemental public key with “device” scope can be tied to hardware roots of trust, although it does not have to be.)
        
           
        enterprise
           
        
-           
        The Relying Party wants to receive an attestation statement that may include uniquely identifying information. This is intended for controlled deployments within an enterprise where the organization wishes to tie registrations to specific authenticators. Authenticators MUST NOT provide such an attestation unless the user agent or authenticator configuration expressly permits it for the requested RP ID. If not permitted, then follow the steps for direct attestation. Otherwise attFormat is an attestation statement format appropriate for this authenticator based on attestationFormats, and attAaguid is the corresponding AAGUID, which MAY be the authenticator’s AAGUID.
        
-           
        Note: CTAP2 does not currently provide for an enterpriseAttestation signal during an authenticatorGetAssertion call. Until that is changed, platform-managed enterprise attestation will not work in that context with CTAP2 authenticators.
        
+           
        The Relying Party wants to receive an attestation statement that may include uniquely identifying information. This is intended for controlled deployments within an enterprise where the organization wishes to tie registrations to specific authenticators. Authenticators MUST NOT provide such an attestation unless the user agent or authenticator configuration expressly permits it for the requested RP ID. If not permitted, then follow the steps for direct attestation. Otherwise attFormat is an attestation statement format appropriate for this authenticator based on attestationFormats, and attAaguid is the corresponding AAGUID, which MAY be the authenticator’s AAGUID.
        
+           
        Note: CTAP2 does not currently provide for an enterpriseAttestation signal during an authenticatorGetAssertion call. Until that is changed, platform-managed enterprise attestation will not work in that context with CTAP2 authenticators.
        
          
        
         
      3. 
-         
        Let spk be the newly created or existing supplemental public key, in COSE_Key format in the same fashion as for the user credential’s credentialPublicKey when the latter is conveyed in attested credential data.
        
+         
        Let spk be the newly created or existing supplemental public key, in COSE_Key format in the same fashion as for the user credential’s credentialPublicKey when the latter is conveyed in attested credential data.
        
         
      4. 
          
        Let supplementalPrivateKey be the newly created or existing private key corresponding to spk.
        
         
      5. 
          
        Let randomNonce be a fresh randomly-generated byte string of 32 bytes maximum length, or a zero length byte string if the authenticator chooses to not generate a nonce.
        
-         
        Note: randomNonce’s purpose is to randomize the attestation signature value for supplemental public keys. If this is not done, then an attestation signature value remains constant for all such signatures issued on behalf of this user credential, possibly exposing the authenticator's attestation private key to side-channel attacks. The randomness-generation mechanism should be carefully chosen by the authenticator implementer.
        
+         
        Note: randomNonce’s purpose is to randomize the attestation signature value for supplemental public keys. If this is not done, then an attestation signature value remains constant for all such signatures issued on behalf of this user credential, possibly exposing the authenticator's attestation private key to side-channel attacks. The randomness-generation mechanism should be carefully chosen by the authenticator implementer.
        
         
      6. 
          
        Let supplementalPubKey be a CBOR map as defined by attObjForSupplementalPubKey above, with keys and values as follows:
        
-         
        Note: as with all CBOR structures used in this specification, the CTAP2 canonical CBOR encoding form MUST be used.
        
+         
        Note: as with all CBOR structures used in this specification, the CTAP2 canonical CBOR encoding form MUST be used.
        
          
          
           
        1. 
            
          Set a key and value for the scope group based on the value of scope.
          
@@ -7607,30 +7613,30 @@ 
          group socket be the result of generating an attestation statement with the attestation statement format, attFormat. See § 10.2.2.2.2 Attestation calculations.
          
-           
          Note: The details of the $$attStmtType values are dependent upon the particular attestation statement format. See § 6.5.3 Attestation Statement Formats.
          
+           
          Let the values of the $$attStmtType group socket be the result of generating an attestation statement with the attestation statement format, attFormat. See § 10.2.1.2.2 Attestation calculations.
          
+           
          Note: The details of the $$attStmtType values are dependent upon the particular attestation statement format. See § 6.5.2 Attestation Statement Formats.
          
           
        2. 
            
          If the $$attStmtType group socket contains uniquely identifying information then let epAtt be true. Otherwise omit the epAtt field. (This field can only be true when the attestation field of the extension input is "enterprise" and either the user-agent or the authenticator permits uniquely identifying attestation for the requested RP ID.)
          
          
        
         
      7. 
          
        Append supplementalPubKey to spks.
        
         
      8. 
-         
        Let spkSig be the result of signing the assertion signature input with supplementalPrivateKey.
        
-         
        Note: the assertion signature input, and thus spkSig, covers the Relying Party's challenge because it includes the hash of the serialized client data. Thus the Relying Party knows that spkSig is a fresh signature.
        
+         
        Let spkSig be the result of signing the assertion signature input with supplementalPrivateKey.
        
+         
        Note: the assertion signature input, and thus spkSig, covers the Relying Party's challenge because it includes the hash of the serialized client data. Thus the Relying Party knows that spkSig is a fresh signature.
        
         
      9. 
          
        Append spkSig to spkSigs.
        
        
      
       
    5. 
-       
      Let the supplementalPubKeys authenticator extension output value be the CBOR array spks.
      
+       
      Let the supplementalPubKeys authenticator extension output value be the CBOR array spks.
      
       
    6. 
        
      Let the CBOR encoding of spkSigs be the extension’s unsigned extension output.
      
-       
      Note: spkSigs cannot be included in the authenticator extension output because it is returned inside the authenticator data and that would imply that the signature signs over itself.
      
+       
      Note: spkSigs cannot be included in the authenticator extension output because it is returned inside the authenticator data and that would imply that the signature signs over itself.
      
      
    
    
    
-   
    10.2.2.2.1. AAGUIDs
    
-   
    Any non-zero AAGUIDs included in the supplementalPubKeys extension output aid a Relying Party in validating the attestation statement of the supplemental public key. The interpretation of each AAGUID depends on the scope of the corresponding key. Some or all may differ from the aaguid in the attested credential data of a multi-device credential. Thus the AAGUID of a supplemental public key MAY be different in a single response and either, or both, may be zero depending on the options requested and authenticator behaviour.
    
-   
    10.2.2.2.2. Attestation calculations
    
-   
    When computing attestations, the process in § 6.5.5 Generating an Attestation Object takes two inputs: authData and hash. When calculating an attestation for a supplemental public key, the typical value for authData contains the attestation signature itself, which is impossible. Also the attestation of a supplemental public key is potentially used repeatedly, thus may want to be cached. But signing over values that include Relying Party-chosen nonces, like the hash of the serialized client data, makes that impossible.
    
+   
    10.2.1.2.1. AAGUIDs
    
+   
    Any non-zero AAGUIDs included in the supplementalPubKeys extension output aid a Relying Party in validating the attestation statement of the supplemental public key. The interpretation of each AAGUID depends on the scope of the corresponding key. Some or all may differ from the aaguid in the attested credential data of a multi-device credential. Thus the AAGUID of a supplemental public key MAY be different in a single response and either, or both, may be zero depending on the options requested and authenticator behaviour.
    
+   
    10.2.1.2.2. Attestation calculations
    
+   
    When computing attestations, the process in § 6.5.4 Generating an Attestation Object takes two inputs: authData and hash. When calculating an attestation for a supplemental public key, the typical value for authData contains the attestation signature itself, which is impossible. Also the attestation of a supplemental public key is potentially used repeatedly, thus may want to be cached. But signing over values that include Relying Party-chosen nonces, like the hash of the serialized client data, makes that impossible.
    
    
    Therefore when calculating an attestation for a supplemental public key, the inputs are:
    
    
    
    12.3. WebAuthn Extension Identifier Registrations Updates
    
-   
    This section updates the below-listed extension identifier values defined in Section § 10 Defined Extensions in the IANA "WebAuthn Extension Identifiers" registry [IANA-WebAuthn-Registries] established by [RFC8809], originally registered in [WebAuthn-1], to point to this specification.
    
+   
    This section updates the below-listed extension identifier values defined in Section § 10 Defined Extensions in the IANA "WebAuthn Extension Identifiers" registry [IANA-WebAuthn-Registries] established by [RFC8809], originally registered in [WebAuthn-1], to point to this specification.
    
    
    
    12.4. WebAuthn Extension Identifier Registrations
    
-   
    This section registers the below-listed extension identifier values, newly defined in Section § 10 Defined Extensions, in the IANA "WebAuthn Extension Identifiers" registry [IANA-WebAuthn-Registries] established by [RFC8809].
    
+   
    This section registers the below-listed extension identifier values, newly defined in Section § 10 Defined Extensions, in the IANA "WebAuthn Extension Identifiers" registry [IANA-WebAuthn-Registries] established by [RFC8809].
    
    
    
    13. Security Considerations
    
    
    This specification defines a Web API and a cryptographic peer-entity authentication protocol.
-The Web Authentication API allows Web developers (i.e., "authors") to utilize the Web Authentication protocol in their registration and authentication ceremonies.
-The entities comprising the Web Authentication protocol endpoints are user-controlled WebAuthn Authenticators and a WebAuthn Relying Party's
-computing environment hosting the Relying Party's web application.
-In this model, the user agent, together with the WebAuthn Client, comprise an intermediary between authenticators and Relying Parties.
-Additionally, authenticators can attest to Relying Parties as to their provenance.
    
+The Web Authentication API allows Web developers (i.e., "authors") to utilize the Web Authentication protocol in their registration and authentication ceremonies.
+The entities comprising the Web Authentication protocol endpoints are user-controlled WebAuthn Authenticators and a WebAuthn Relying Party's
+computing environment hosting the Relying Party's web application.
+In this model, the user agent, together with the WebAuthn Client, comprise an intermediary between authenticators and Relying Parties.
+Additionally, authenticators can attest to Relying Parties as to their provenance.
    
    
    At this time, this specification does not feature detailed security considerations. However, the [FIDOSecRef] document provides a security analysis which is overall applicable to this specification.
-Also, the [FIDOAuthnrSecReqs] document suite provides useful information about authenticator security characteristics.
    
+Also, the [FIDOAuthnrSecReqs] document suite provides useful information about authenticator security characteristics.
    
    
    The below subsections comprise the current Web Authentication-specific security considerations.
 They are divided by audience;
 general security considerations are direct subsections of this section,
-while security considerations specifically for authenticator, client and Relying Party implementers
+while security considerations specifically for authenticator, client and Relying Party implementers
 are grouped into respective subsections.
    
    
    13.1. Credential ID Unsigned
    
-   
    The credential ID is not signed.
-This is not a problem because all that would happen if an authenticator returns
-the wrong credential ID, or if an attacker intercepts and manipulates the credential ID, is that the WebAuthn Relying Party would not look up the correct credential public key with which to verify the returned signed authenticator data (a.k.a., assertion), and thus the interaction would end in an error.
    
+   
    The credential ID accompanying an authentication assertion is not signed.
+This is not a problem because all that would happen if an authenticator returns
+the wrong credential ID, or if an attacker intercepts and manipulates the credential ID, is that the WebAuthn Relying Party would not look up the correct credential public key with which to verify the returned signed authenticator data (a.k.a., assertion), and thus the interaction would end in an error.
    
    
    13.2. Physical Proximity between Client and Authenticator
    
-   
    In the WebAuthn authenticator model, it is generally assumed that roaming authenticators are physically close to, and communicate directly with, the client.
+   
    In the WebAuthn authenticator model, it is generally assumed that roaming authenticators are physically close to, and communicate directly with, the client.
 This arrangement has some important advantages.
    
-   
    The promise of physical proximity between client and authenticator is a key strength of a something you have authentication factor.
+   
    The promise of physical proximity between client and authenticator is a key strength of a something you have authentication factor.
 For example, if a roaming authenticator can communicate only via USB or Bluetooth,
 the limited range of these transports ensures that any malicious actor
-must physically be within that range in order to interact with the authenticator.
-This is not necessarily true of an authenticator that can be invoked remotely —
-even if the authenticator verifies user presence,
+must physically be within that range in order to interact with the authenticator.
+This is not necessarily true of an authenticator that can be invoked remotely —
+even if the authenticator verifies user presence,
 users can be tricked into authorizing remotely initiated malicious requests.
    
-   
    Direct communication between client and authenticator means the client can enforce the scope restrictions for credentials.
-By contrast, if the communication between client and authenticator is mediated by some third party,
-then the client has to trust the third party to
-enforce the scope restrictions and control access to the authenticator.
+   
    Direct communication between client and authenticator means the client can enforce the scope restrictions for credentials.
+By contrast, if the communication between client and authenticator is mediated by some third party,
+then the client has to trust the third party to
+enforce the scope restrictions and control access to the authenticator.
 Failure to do either could result in
-a malicious Relying Party receiving authentication assertions valid for other Relying Parties,
-or in a malicious user gaining access to authentication assertions for other users.
    
-   
    If designing a solution where the authenticator does not need to be physically close to the client,
-or where client and authenticator do not communicate directly,
+a malicious Relying Party receiving authentication assertions valid for other Relying Parties,
+or in a malicious user gaining access to authentication assertions for other users.
    
+   
    If designing a solution where the authenticator does not need to be physically close to the client,
+or where client and authenticator do not communicate directly,
 designers SHOULD consider how this affects the enforcement of scope restrictions
-and the strength of the authenticator as a something you have authentication factor.
    
-   
    13.3. Security considerations for authenticators 
    
+and the strength of the authenticator as a something you have authentication factor.
    
+   
    13.3. Security considerations for authenticators 
    
    
    13.3.1. Attestation Certificate Hierarchy
    
    
    A 3-tier hierarchy for attestation certificates is RECOMMENDED (i.e., Attestation Root, Attestation Issuing CA, Attestation
-Certificate). It is also RECOMMENDED that for each WebAuthn Authenticator device line (i.e., model), a separate issuing CA is
+Certificate). It is also RECOMMENDED that for each WebAuthn Authenticator device line (i.e., model), a separate issuing CA is
 used to help facilitate isolating problems with a specific version of an authenticator model.
    
-   
    If the attestation root certificate is not dedicated to a single WebAuthn Authenticator device line (i.e., AAGUID), the AAGUID
+   
    If the attestation root certificate is not dedicated to a single WebAuthn Authenticator device line (i.e., AAGUID), the AAGUID
 SHOULD be specified in the attestation certificate itself, so that it can be verified against the authenticator data.
    
    
    13.3.2. Attestation Certificate and Attestation Certificate CA Compromise
    
-   
    When an intermediate CA or a root CA used for issuing attestation certificates is compromised, WebAuthn Authenticator attestation key pairs are still safe although their certificates can no longer be trusted. A WebAuthn Authenticator manufacturer that
-has recorded the attestation public keys for their authenticator models can issue new attestation certificates for these keys from a new
+   
    When an intermediate CA or a root CA used for issuing attestation certificates is compromised, WebAuthn Authenticator attestation key pairs are still safe although their certificates can no longer be trusted. A WebAuthn Authenticator manufacturer that
+has recorded the attestation public keys for their authenticator models can issue new attestation certificates for these keys from a new
 intermediate CA or from a new root CA. If the root CA changes, the WebAuthn Relying Parties MUST update their trusted root certificates
 accordingly.
    
-   
    A WebAuthn Authenticator attestation certificate MUST be revoked by the issuing CA if its private key has been compromised. A WebAuthn
+   
    A WebAuthn Authenticator attestation certificate MUST be revoked by the issuing CA if its private key has been compromised. A WebAuthn
 Authenticator manufacturer may need to ship a firmware update and inject new attestation private keys and certificates into already
-manufactured WebAuthn Authenticators, if the exposure was due to a firmware flaw. (The process by which this happens is out of
-scope for this specification.) If the WebAuthn Authenticator manufacturer does not have this capability, then it may not be
-possible for Relying Parties to trust any further attestation statements from the affected WebAuthn Authenticators.
    
-   
    See also the related security consideration for Relying Parties in § 13.4.5 Revoked Attestation Certificates.
    
-   
    13.4. Security considerations for Relying Parties
    
+manufactured WebAuthn Authenticators, if the exposure was due to a firmware flaw. (The process by which this happens is out of
+scope for this specification.) If the WebAuthn Authenticator manufacturer does not have this capability, then it may not be
+possible for Relying Parties to trust any further attestation statements from the affected WebAuthn Authenticators.
    
+   
    See also the related security consideration for Relying Parties in § 13.4.5 Revoked Attestation Certificates.
    
+   
    13.4. Security considerations for Relying Parties
    
    
    13.4.1. Security Benefits for WebAuthn Relying Parties
    
    
    The main benefits offered to WebAuthn Relying Parties by this specification include:
    
    
      
     
    1. 
      
      Users and accounts can be secured using widely compatible, easy-to-use multi-factor authentication.
      
     
    2. 
-     
      The Relying Party does not need to provision authenticator hardware to its users. Instead, each user can independently obtain
-any conforming authenticator and use that same authenticator with any number of Relying Parties. The Relying Party can optionally
-enforce requirements on authenticators' security properties by inspecting the attestation statements returned from the authenticators.
      
+     
      The Relying Party does not need to provision authenticator hardware to its users. Instead, each user can independently obtain
+any conforming authenticator and use that same authenticator with any number of Relying Parties. The Relying Party can optionally
+enforce requirements on authenticators' security properties by inspecting the attestation statements returned from the authenticators.
      
     
    3. 
-     
      Authentication ceremonies are resistant to man-in-the-middle attacks.
-Regarding registration ceremonies, see § 13.4.4 Attestation Limitations, below.
      
+     
      Authentication ceremonies are resistant to man-in-the-middle attacks.
+Regarding registration ceremonies, see § 13.4.4 Attestation Limitations, below.
      
     
    4. 
-     
      The Relying Party can automatically support multiple types of user verification - for example PIN, biometrics and/or future
-methods - with little or no code change, and can let each user decide which they prefer to use via their choice of authenticator.
      
+     
      The Relying Party can automatically support multiple types of user verification - for example PIN, biometrics and/or future
+methods - with little or no code change, and can let each user decide which they prefer to use via their choice of authenticator.
      
     
    5. 
-     
      The Relying Party does not need to store additional secrets in order to gain the above benefits.
      
+     
      The Relying Party does not need to store additional secrets in order to gain the above benefits.
      
    
    
-   
    As stated in the Conformance section, the Relying Party MUST behave as described in § 7 WebAuthn Relying Party Operations to obtain all of the above security benefits. However, one notable use case that departs slightly from this is described below in § 13.4.4 Attestation Limitations.
    
+   
    As stated in the Conformance section, the Relying Party MUST behave as described in § 7 WebAuthn Relying Party Operations to obtain all of the above security benefits. However, one notable use case that departs slightly from this is described below in § 13.4.4 Attestation Limitations.
    
    
    13.4.2. Visibility Considerations for Embedded Usage
    
-   
    Simplistic use of WebAuthn in an embedded context, e.g., within iframes as described in § 5.10 Using Web Authentication within iframe elements, may make users vulnerable to UI Redressing attacks, also known as "Clickjacking". This is where an attacker overlays their own UI on top of a Relying Party's intended UI and attempts to trick the user into performing unintended actions with the Relying Party. For example, using these techniques, an attacker might be able to trick users into purchasing items, transferring money, etc.
    
-   
    Even though WebAuthn-specific UI is typically handled by the client platform and thus is not vulnerable to UI Redressing, it is likely important for an Relying Party having embedded WebAuthn-wielding content to ensure that their content’s UI is visible to the user. An emerging means to do so is by observing the status of the experimental Intersection Observer v2's isVisible attribute. For example, the Relying Party's script running in the embedded context could pre-emptively load itself in a popup window if it detects isVisble being set to false, thus side-stepping any occlusion of their content.
    
+   
    Simplistic use of WebAuthn in an embedded context, e.g., within iframes as described in § 5.10 Using Web Authentication within iframe elements, may make users vulnerable to UI Redressing attacks, also known as "Clickjacking". This is where an attacker overlays their own UI on top of a Relying Party's intended UI and attempts to trick the user into performing unintended actions with the Relying Party. For example, using these techniques, an attacker might be able to trick users into purchasing items, transferring money, etc.
    
+   
    Even though WebAuthn-specific UI is typically handled by the client platform and thus is not vulnerable to UI Redressing, it is likely important for an Relying Party having embedded WebAuthn-wielding content to ensure that their content’s UI is visible to the user. An emerging means to do so is by observing the status of the experimental Intersection Observer v2's isVisible attribute. For example, the Relying Party's script running in the embedded context could pre-emptively load itself in a popup window if it detects isVisble being set to false, thus side-stepping any occlusion of their content.
    
    
    13.4.3. Cryptographic Challenges
    
    
    As a cryptographic protocol, Web Authentication is dependent upon randomized challenges
-to avoid replay attacks. Therefore, the values of both PublicKeyCredentialCreationOptions.challenge and PublicKeyCredentialRequestOptions.challenge MUST be randomly generated
-by Relying Parties in an environment they trust (e.g., on the server-side), and the
+to avoid replay attacks. Therefore, the values of both PublicKeyCredentialCreationOptions.challenge and PublicKeyCredentialRequestOptions.challenge MUST be randomly generated
+by Relying Parties in an environment they trust (e.g., on the server-side), and the
 returned challenge value in the client’s
 response MUST match what was generated. This SHOULD be done in a fashion that does not rely
-upon a client’s behavior, e.g., the Relying Party SHOULD store the challenge temporarily
+upon a client’s behavior, e.g., the Relying Party SHOULD store the challenge temporarily
 until the operation is complete. Tolerating a mismatch will compromise the security
 of the protocol.
    
    
    Challenges SHOULD be valid for a duration similar to the
@@ -8547,92 +8632,92 @@ 
    13.4.4. Attestation Limitations
    
    
    This section is not normative.
    
-   
    When registering a new credential, the attestation statement, if present,
-may allow the WebAuthn Relying Party to derive assurances about various authenticator qualities.
-For example, the authenticator model, or how it stores and protects credential private keys.
-However, it is important to note that an attestation statement, on its own,
-provides no means for a Relying Party to verify that an attestation object was generated
-by the authenticator the user intended, and not by a man-in-the-middle attacker.
-For example, such an attacker could use malicious code injected into Relying Party script.
-The Relying Party must therefore rely on other means, e.g., TLS and related technologies,
-to protect the attestation object from man-in-the-middle attacks.
    
-   
    Under the assumption that a registration ceremony is completed securely, and that the authenticator maintains
-confidentiality of the credential private key, subsequent authentication ceremonies using that public key
+   
    When registering a new credential, the attestation statement, if present,
+may allow the WebAuthn Relying Party to derive assurances about various authenticator qualities.
+For example, the authenticator model, or how it stores and protects credential private keys.
+However, it is important to note that an attestation statement, on its own,
+provides no means for a Relying Party to verify that an attestation object was generated
+by the authenticator the user intended, and not by a man-in-the-middle attacker.
+For example, such an attacker could use malicious code injected into Relying Party script.
+The Relying Party must therefore rely on other means, e.g., TLS and related technologies,
+to protect the attestation object from man-in-the-middle attacks.
    
+   
    Under the assumption that a registration ceremony is completed securely, and that the authenticator maintains
+confidentiality of the credential private key, subsequent authentication ceremonies using that public key
 credential are resistant to tampering by man-in-the-middle attacks.
    
-   
    The discussion above holds for all attestation types. In all cases it is possible for a man-in-the-middle attacker to replace the PublicKeyCredential object, including the attestation statement and the credential public key to be registered, and subsequently tamper with future authentication assertions scoped for the
-same Relying Party and passing through the same attacker.
    
-   
    Such an attack would potentially be detectable; since the Relying Party has registered the attacker’s credential public key rather
-than the user’s, the attacker must tamper with all subsequent authentication ceremonies with that Relying Party: unscathed
+   
    The discussion above holds for all attestation types. In all cases it is possible for a man-in-the-middle attacker to replace the PublicKeyCredential object, including the attestation statement and the credential public key to be registered, and subsequently tamper with future authentication assertions scoped for the
+same Relying Party and passing through the same attacker.
    
+   
    Such an attack would potentially be detectable; since the Relying Party has registered the attacker’s credential public key rather
+than the user’s, the attacker must tamper with all subsequent authentication ceremonies with that Relying Party: unscathed
 ceremonies will fail, potentially revealing the attack.
    
-   
    Attestation types other than Self Attestation and None can increase the difficulty of such attacks, since Relying Parties can possibly display authenticator information, e.g., model designation, to the user. An attacker might therefore need to use
-a genuine authenticator of the same model as the user’s authenticator, or the user might notice that the Relying Party reports
-a different authenticator model than the user expects.
    
+   
    Attestation types other than Self Attestation and None can increase the difficulty of such attacks, since Relying Parties can possibly display authenticator information, e.g., model designation, to the user. An attacker might therefore need to use
+a genuine authenticator of the same model as the user’s authenticator, or the user might notice that the Relying Party reports
+a different authenticator model than the user expects.
    
    
    Note: All variants of man-in-the-middle attacks described above are more difficult for an attacker to mount
 than a man-in-the-middle attack against conventional password authentication.
    
    
    13.4.5. Revoked Attestation Certificates
    
-   
    If attestation certificate validation fails due to a revoked intermediate attestation CA certificate, and the Relying Party's policy
-requires rejecting the registration/authentication request in these situations, then it is RECOMMENDED that the Relying Party also
+   
    If attestation certificate validation fails due to a revoked intermediate attestation CA certificate, and the Relying Party's policy
+requires rejecting the registration/authentication request in these situations, then it is RECOMMENDED that the Relying Party also
 un-registers (or marks with a trust level equivalent to "self attestation") public key credentials that were registered
 after the CA compromise date using an attestation certificate chaining up to the same intermediate CA. It is thus RECOMMENDED
-that Relying Parties remember intermediate attestation CA certificates during registration in order to un-register
+that Relying Parties remember intermediate attestation CA certificates during registration in order to un-register
 related public key credentials if the registration was performed after revocation of such certificates.
    
-   
    See also the related security consideration for authenticators in § 13.3.2 Attestation Certificate and Attestation Certificate CA Compromise.
    
+   
    See also the related security consideration for authenticators in § 13.3.2 Attestation Certificate and Attestation Certificate CA Compromise.
    
    
    13.4.6. Credential Loss and Key Mobility
    
-   
    This specification defines no protocol for backing up credential private keys, or for sharing them between authenticators.
-In general, it is expected that a credential private key never leaves the authenticator that created it. Losing an authenticator therefore, in general, means losing all credentials bound to the
-lost authenticator, which could lock the user out of an account if the user has only one credential registered with the Relying Party. Instead of backing up or sharing private keys, the Web Authentication API allows registering
+   
    This specification defines no protocol for backing up credential private keys, or for sharing them between authenticators.
+In general, it is expected that a credential private key never leaves the authenticator that created it. Losing an authenticator therefore, in general, means losing all credentials bound to the
+lost authenticator, which could lock the user out of an account if the user has only one credential registered with the Relying Party. Instead of backing up or sharing private keys, the Web Authentication API allows registering
 multiple credentials for the same user. For example, a user might register platform credentials on
 frequently used client devices, and one or more roaming credentials for use as backup and with new or rarely used client
 devices.
    
-   
    Relying Parties SHOULD allow and encourage users to register multiple credentials to the same user account. Relying Parties SHOULD make use of the excludeCredentials and user.id options to ensure that these
-different credentials are bound to different authenticators.
    
+   
    Relying Parties SHOULD allow and encourage users to register multiple credentials to the same user account. Relying Parties SHOULD make use of the excludeCredentials and user.id options to ensure that these
+different credentials are bound to different authenticators.
    
    
    13.4.7. Unprotected account detection
    
    
    This section is not normative.
    
-   
    This security consideration applies to Relying Parties that support authentication ceremonies with a non-empty allowCredentials argument as the first authentication step.
+   
    This security consideration applies to Relying Parties that support authentication ceremonies with a non-empty allowCredentials argument as the first authentication step.
 For example, if using authentication with server-side credentials as the first authentication step.
    
    
    In this case the allowCredentials argument risks leaking information
 about which user accounts have WebAuthn credentials registered and which do not,
 which may be a signal of account protection strength.
-For example, say an attacker can initiate an authentication ceremony by providing only a username,
-and the Relying Party responds with a non-empty allowCredentials for some user accounts,
+For example, say an attacker can initiate an authentication ceremony by providing only a username,
+and the Relying Party responds with a non-empty allowCredentials for some user accounts,
 and with failure or a password challenge for other user accounts.
-The attacker can then conclude that the latter user accounts likely do not require a WebAuthn assertion for successful authentication,
+The attacker can then conclude that the latter user accounts likely do not require a WebAuthn assertion for successful authentication,
 and thus focus an attack on those likely weaker accounts.
    
    
    This issue is similar to the one described in § 14.6.2 Username Enumeration and § 14.6.3 Privacy leak via credential IDs, and can be mitigated in similar ways.
    
    
    13.4.8. Code injection attacks
    
-   
    Any malicious code executing on an origin within the scope of a Relying Party's public key credentials has the potential to invalidate any and all security guarantees WebAuthn may provide. WebAuthn Clients only expose the WebAuthn API in secure contexts,
-which mitigates the most basic attacks but SHOULD be combined with additional precautions by Relying Parties.
    
+   
    Any malicious code executing on an origin within the scope of a Relying Party's public key credentials has the potential to invalidate any and all security guarantees WebAuthn may provide. WebAuthn Clients only expose the WebAuthn API in secure contexts,
+which mitigates the most basic attacks but SHOULD be combined with additional precautions by Relying Parties.
    
    
    Code injection can happen in several ways;
 this section attempts to point out some likely scenarios and suggest suitable mitigations,
 but is not an exhaustive list.
    
    
    
    13.4.9. Validating the origin of a credential
    
    
    When registering a credential and
 when verifying an assertion,
-the Relying Party MUST validate the origin member of the client data.
    
-   
    The Relying Party MUST NOT accept unexpected values of origin,
+the Relying Party MUST validate the origin member of the client data.
    
+   
    The Relying Party MUST NOT accept unexpected values of origin,
 as doing so could allow a malicious website to obtain valid credentials.
-Although the scope of WebAuthn credentials prevents their use on domains
+Although the scope of WebAuthn credentials prevents their use on domains
 outside the RP ID they were registered for,
-the Relying Party's origin validation serves as an additional layer of protection
-in case a faulty authenticator fails to enforce credential scope.
+the Relying Party's origin validation serves as an additional layer of protection
+in case a faulty authenticator fails to enforce credential scope.
 See also § 13.4.8 Code injection attacks for discussion of potentially malicious subdomains.
    
-   
    Validation MAY be performed by exact string matching or any other method as needed by the Relying Party.
+   
    Validation MAY be performed by exact string matching or any other method as needed by the Relying Party.
 For example:
    
    
      
     
    • 
@@ -8647,11 +8732,11 @@ 
      Note: See § 13.4.8 Code injection attacks for a discussion of the risks of allowing any subdomain of the RP ID.
      
     
    • 
      
      A web application with a companion native application might allow origin to be an operating system dependent
-identifier for the native application. For example, such a Relying Party might require that origin exactly equals some element of the list ["https://example.org", "example-os:appid:204ffa1a5af110ac483f131a1bef8a841a7adb0d8d135908bbd964ed05d2653b"].
      
+identifier for the native application. For example, such a Relying Party might require that origin exactly equals some element of the list ["https://example.org", "example-os:appid:204ffa1a5af110ac483f131a1bef8a841a7adb0d8d135908bbd964ed05d2653b"].
      
    
    
    
    Similar considerations apply when validating the topOrigin member of the client data.
-When topOrigin is present, the Relying Party MUST validate that its value is expected.
-This validation MAY be performed by exact string matching or any other method as needed by the Relying Party.
+When topOrigin is present, the Relying Party MUST validate that its value is expected.
+This validation MAY be performed by exact string matching or any other method as needed by the Relying Party.
 For example:
    
    
    
  • attestation key pair, in § 4
    
  • attestation object, in § 6.5
@@ -9012,9 +9095,7 @@ 
    abstract-op for credential record, in § 4
-     
  • attribute for AuthenticatorAssertionResponse, in § 5.2.2
      
  • attribute for AuthenticatorAttestationResponse, in § 5.2.1
-     
  • dict-member for AuthenticatorAssertionResponseJSON, in § 5.1
      
  • dict-member for AuthenticatorAttestationResponseJSON, in § 5.1
     
    
  • attestationObjectResult, in § 5.1.3
@@ -9024,17 +9105,17 @@ 
    attestation statement, in § 6.5
    
  • attestation statement format, in § 6.5
    
  • attestation statement format identifier, in § 8.1
-   
  • attestation trust path, in § 6.5.3
+   
  • attestation trust path, in § 6.5.2
    
  • attestation type, in § 6.5
-   
  • Attested credential data, in § 6.5.2
+   
  • Attested credential data, in § 6.5.1
    
  • attestedCredentialData, in § 6.1
-   
  • attStmt, in § 10.2.2.3
+   
  • attStmt, in § 10.2.1.3
    
  • Authentication, in § 4
    
  • Authentication Assertion, in § 4
    
  • Authentication Ceremony, in § 4
    
  • authentication extension, in § 9
    
  • AuthenticationExtensionsClientInputs, in § 5.7.1
-   
  • AuthenticationExtensionsClientInputsJSON, in § 5.1.9
+   
  • AuthenticationExtensionsClientInputsJSON, in § 5.1.8
    
  • AuthenticationExtensionsClientOutputs, in § 5.7.2
    
  • AuthenticationExtensionsClientOutputsJSON, in § 5.1
    
  • AuthenticationExtensionsLargeBlobInputs, in § 10.1.5
@@ -9042,8 +9123,8 @@ 
    AuthenticationExtensionsPRFInputs, in § 10.1.4
    
  • AuthenticationExtensionsPRFOutputs, in § 10.1.4
    
  • AuthenticationExtensionsPRFValues, in § 10.1.4
-   
  • AuthenticationExtensionsSupplementalPubKeysInputs, in § 10.2.2.2
-   
  • AuthenticationExtensionsSupplementalPubKeysOutputs, in § 10.2.2.2
+   
  • AuthenticationExtensionsSupplementalPubKeysInputs, in § 10.2.1.2
+   
  • AuthenticationExtensionsSupplementalPubKeysOutputs, in § 10.2.1.2
    
  • Authentication Factor Capability, in § 6.2.3
    
  • AuthenticationResponseJSON, in § 5.1
    
  • Authenticator, in § 4
@@ -9071,8 +9152,8 @@ 
    dict-member for AuthenticatorAssertionResponseJSON, in § 5.1
      
  • dict-member for AuthenticatorAttestationResponseJSON, in § 5.1
     
-   
  • authenticator data claimed to have been used for the attestation, in § 6.5.3
-   
  • authenticator data for the attestation, in § 6.5.3
+   
  • authenticator data claimed to have been used for the attestation, in § 6.5.2
+   
  • authenticator data for the attestation, in § 6.5.2
    
  • authenticatorDataResult, in § 5.1.4.1
    
  • 
     authenticatorDisplayName
@@ -9095,7 +9176,7 @@ 
    dict-member for PublicKeyCredentialCreationOptions, in § 5.4
-     
  • dict-member for PublicKeyCredentialCreationOptionsJSON, in § 5.1.9
+     
  • dict-member for PublicKeyCredentialCreationOptionsJSON, in § 5.1.8
     
    
  • AuthenticatorSelectionCriteria, in § 5.4.4
    
  • authenticator session, in § 6.3
@@ -9110,9 +9191,9 @@ 
    backupState, in § 4
    
  • Base64url Encoding, in § 3
    
  • Base64URLString, in § 5.1
-   
  • Basic, in § 6.5.4
-   
  • Basic Attestation, in § 6.5.4
-   
  • batch attestation, in § 6.5.4
+   
  • Basic, in § 6.5.3
+   
  • Basic Attestation, in § 6.5.3
+   
  • batch attestation, in § 6.5.3
    
  • BE, in § 6.1
    
  • Biometric Authenticator, in § 4
    
  • Biometric Recognition, in § 4
@@ -9131,11 +9212,12 @@ 
    dict-member for CollectedClientData, in § 5.8.1
      
  • dict-member for PublicKeyCredentialCreationOptions, in § 5.4
-     
  • dict-member for PublicKeyCredentialCreationOptionsJSON, in § 5.1.9
+     
  • dict-member for PublicKeyCredentialCreationOptionsJSON, in § 5.1.8
      
  • dict-member for PublicKeyCredentialRequestOptions, in § 5.5
-     
  • dict-member for PublicKeyCredentialRequestOptionsJSON, in § 5.1.10
+     
  • dict-member for PublicKeyCredentialRequestOptionsJSON, in § 5.1.9
     
    
  • Client, in § 4
+   
  • ClientCapability, in § 5.8.7
    
  • client data, in § 5.8.1
    
  • 
     clientDataJSON
@@ -9150,9 +9232,9 @@ 
    dfn for assertionCreationData, in § 5.1.4.1
      
  • dfn for credentialCreationData, in § 5.1.3
     
-   
  • "client-device", in § 5.8.7
+   
  • "client-device", in § 5.8.8
    
  • Client Device, in § 4
-   
  • client-device, in § 5.8.7
+   
  • client-device, in § 5.8.8
    
  • client extension, in § 9
    
  • client extension input, in § 9.3
    
  • client extension output, in § 9.4
@@ -9170,20 +9252,23 @@ 
    Client-Side, in § 4
    
  • client-side credential storage modality, in § 6.2.2
    
  • Client-side discoverable Credential, in § 4
-   
  • client-side discoverable credential property, in § 10.1.3
    
  • Client-side discoverable Public Key Credential Source, in § 4
    
  • CollectedClientData, in § 5.8.1
    
  • [[CollectFromCredentialStore]](origin, options, sameOriginWithAncestors), in § 5.1.4
+   
  • "conditionalCreate", in § 5.8.7
+   
  • conditionalCreate, in § 5.8.7
+   
  • "conditionalGet", in § 5.8.7
+   
  • conditionalGet, in § 5.8.7
    
  • Conforming User Agent, in § 4
    
  • contains, in § 4
    
  • COSEAlgorithmIdentifier, in § 5.8.5
-   
  • Create a new supplemental public key record, in § 10.2.2.3.2
+   
  • Create a new supplemental public key record, in § 10.2.1.3.2
    
  • created on, in § 4
    
  • [[Create]](origin, options, sameOriginWithAncestors), in § 5.1.3
    
  • credential descriptor for a credential record, in § 4
    
  • Credential ID, in § 4
-   
  • credentialId, in § 6.5.2
-   
  • credentialIdLength, in § 6.5.2
+   
  • credentialId, in § 6.5.1
+   
  • credentialIdLength, in § 6.5.1
    
  • credentialIdResult, in § 5.1.4.1
    
  • Credential Key Pair, in § 4
    
  • Credential Parameters, in § 11.5
@@ -9191,7 +9276,7 @@ 
    Credential Properties, in § 4
    
  • CredentialPropertiesOutput, in § 10.1.3
    
  • Credential Public Key, in § 4
-   
  • credentialPublicKey, in § 6.5.2
+   
  • credentialPublicKey, in § 6.5.1
    
  • Credential Record, in § 4
    
  • credentials map, in § 6
    
  • credential storage modality, in § 6.2.2
@@ -9230,7 +9315,7 @@ 
    dict-member for PublicKeyCredentialUserEntity, in § 5.4.3
-     
  • dict-member for PublicKeyCredentialUserEntityJSON, in § 5.1.9
+     
  • dict-member for PublicKeyCredentialUserEntityJSON, in § 5.1.8
     
    
  • ED, in § 6.1
    
  • effective resident key requirement for credential creation, in § 5.1.3
@@ -9245,7 +9330,7 @@ 
    dict-member for PublicKeyCredentialCreationOptions, in § 5.4
-     
  • dict-member for PublicKeyCredentialCreationOptionsJSON, in § 5.1.9
+     
  • dict-member for PublicKeyCredentialCreationOptionsJSON, in § 5.1.8
     
    
  • extension identifier, in § 9.1
    
  • 
@@ -9253,16 +9338,17 @@ 
    dfn for authData, in § 6.1
      
  • dict-member for PublicKeyCredentialCreationOptions, in § 5.4
-     
  • dict-member for PublicKeyCredentialCreationOptionsJSON, in § 5.1.9
+     
  • dict-member for PublicKeyCredentialCreationOptionsJSON, in § 5.1.8
      
  • dict-member for PublicKeyCredentialRequestOptions, in § 5.5
-     
  • dict-member for PublicKeyCredentialRequestOptionsJSON, in § 5.1.10
+     
  • dict-member for PublicKeyCredentialRequestOptionsJSON, in § 5.1.9
     
    
  • first, in § 10.1.4
    
  • First-factor roaming authenticator, in § 6.2
    
  • flags, in § 6.1
-   
  • fmt, in § 10.2.2.3
+   
  • fmt, in § 10.2.1.3
    
  • Generating Authenticator, in § 4
    
  • getAuthenticatorData(), in § 5.2.1
+   
  • getClientCapabilities(), in § 5.1.7
    
  • getClientExtensionResults(), in § 5.1
    
  • Get Credentials, in § 11.6
    
  • getPublicKey(), in § 5.2.1
@@ -9273,23 +9359,25 @@ 
    dict-member for PublicKeyCredentialCreationOptions, in § 5.4
-     
  • dict-member for PublicKeyCredentialCreationOptionsJSON, in § 5.1.9
+     
  • dict-member for PublicKeyCredentialCreationOptionsJSON, in § 5.1.8
      
  • dict-member for PublicKeyCredentialRequestOptions, in § 5.5
-     
  • dict-member for PublicKeyCredentialRequestOptionsJSON, in § 5.1.10
+     
  • dict-member for PublicKeyCredentialRequestOptionsJSON, in § 5.1.9
     
    
  • Human Palatability, in § 4
    
  • 
     "hybrid"
     
    
  • 
     hybrid
     
+   
  • "hybridTransport", in § 5.8.7
+   
  • hybridTransport, in § 5.8.7
    
  • 
     id
     
@@ -9311,9 +9399,8 @@ 
    "internal", in § 5.8.4
    
  • internal, in § 5.8.4
    
  • isConditionalMediationAvailable(), in § 5.1
-   
  • isPasskeyPlatformAuthenticatorAvailable(), in § 5.1.8
    
  • Issuing a Credential Request to an Authenticator, in § 5.1.4.2
-   
  • isUserVerifyingPlatformAuthenticatorAvailable(), in § 5.1.7
+   
  • isUserVerifyingPlatformAuthenticatorAvailable(), in § 5.1.6
    
  • JSON-compatible serialization of client data, in § 5.8.1
    
  • 
     largeBlob
@@ -9332,13 +9419,13 @@ 
    dict-member for PublicKeyCredentialEntity, in § 5.4.1
-     
  • dict-member for PublicKeyCredentialUserEntityJSON, in § 5.1.9
+     
  • dict-member for PublicKeyCredentialUserEntityJSON, in § 5.1.8
     
    
  • "nfc", in § 5.8.4
    
  • nfc, in § 5.8.4
    
  • Non-Discoverable Credential, in § 4
    
  • "none", in § 5.4.7
-   
  • None, in § 6.5.4
+   
  • None, in § 6.5.3
    
  • none, in § 5.4.7
    
  • Non-Resident Credential, in § 4
    
  • origin, in § 5.8.1
@@ -9348,10 +9435,12 @@ 
    dfn for DiscoverableCredentialMetadata, in § 6.3.5
      
  • dfn for public key credential source, in § 4
     
-   
  • parseCreationOptionsFromJSON(options), in § 5.1.9
-   
  • parseRequestOptionsFromJSON(options), in § 5.1.10
+   
  • parseCreationOptionsFromJSON(options), in § 5.1.8
+   
  • parseRequestOptionsFromJSON(options), in § 5.1.9
    
  • Passkey, in § 4
+   
  • "passkeyPlatformAuthenticator", in § 5.8.7
    
  • Passkey platform authenticator, in § 6.2
+   
  • passkeyPlatformAuthenticator, in § 5.8.7
    
  • perform the following steps to generate an authenticator data structure, in § 6.1
    
  • "platform", in § 5.4.5
    
  • platform, in § 5.4.5
@@ -9373,7 +9462,6 @@ 
    "present", in § 5.8.1
    
  • present, in § 5.8.1
-   
  • [[preventSilentAccess]](credential, sameOriginWithAncestors), in § 5.1.6
    
  • 
     prf
     
    
  • "public-key", in § 5.8.2
    
  • public-key, in § 5.8.2
@@ -9401,23 +9489,24 @@ 
    publicKeyAlgorithm, in § 5.1
    
  • Public Key Credential, in § 4
    
  • PublicKeyCredential, in § 5.1
+   
  • PublicKeyCredentialClientCapabilities, in § 5.1.7
    
  • PublicKeyCredentialCreationOptions, in § 5.4
-   
  • PublicKeyCredentialCreationOptionsJSON, in § 5.1.9
+   
  • PublicKeyCredentialCreationOptionsJSON, in § 5.1.8
    
  • PublicKeyCredentialDescriptor, in § 5.8.3
-   
  • PublicKeyCredentialDescriptorJSON, in § 5.1.9
+   
  • PublicKeyCredentialDescriptorJSON, in § 5.1.8
    
  • PublicKeyCredentialEntity, in § 5.4.1
-   
  • PublicKeyCredentialHints, in § 5.8.7
+   
  • PublicKeyCredentialHints, in § 5.8.8
    
  • PublicKeyCredentialJSON, in § 5.1
    
  • PublicKeyCredentialParameters, in § 5.3
    
  • PublicKeyCredentialRequestOptions, in § 5.5
-   
  • PublicKeyCredentialRequestOptionsJSON, in § 5.1.10
+   
  • PublicKeyCredentialRequestOptionsJSON, in § 5.1.9
    
  • PublicKeyCredentialRpEntity, in § 5.4.2
    
  • publickey-credentials-create-feature, in § 5.9
    
  • publickey-credentials-get-feature, in § 5.9
    
  • Public Key Credential Source, in § 4
    
  • PublicKeyCredentialType, in § 5.8.2
    
  • PublicKeyCredentialUserEntity, in § 5.4.3
-   
  • PublicKeyCredentialUserEntityJSON, in § 5.1.9
+   
  • PublicKeyCredentialUserEntityJSON, in § 5.1.8
    
  • Rate Limiting, in § 4
    
  • 
     rawId
@@ -9471,7 +9560,7 @@ 
    dict-member for PublicKeyCredentialCreationOptions, in § 5.4
-     
  • dict-member for PublicKeyCredentialCreationOptionsJSON, in § 5.1.9
+     
  • dict-member for PublicKeyCredentialCreationOptionsJSON, in § 5.1.8
     
    
  • RP ID, in § 4
    
  • 
@@ -9479,27 +9568,29 @@ 
    dfn for public key credential source, in § 4
      
  • dict-member for PublicKeyCredentialRequestOptions, in § 5.5
-     
  • dict-member for PublicKeyCredentialRequestOptionsJSON, in § 5.1.10
+     
  • dict-member for PublicKeyCredentialRequestOptionsJSON, in § 5.1.9
     
    
  • rpIdHash, in § 6.1
    
  • 
     scope
     
-   
  • scopes, in § 10.2.2.2
+   
  • scopes, in § 10.2.1.2
    
  • second, in § 10.1.4
    
  • Second-factor platform authenticator, in § 6.2
    
  • Second-factor roaming authenticator, in § 6.2
-   
  • "security-key", in § 5.8.7
-   
  • security-key, in § 5.8.7
+   
  • "security-key", in § 5.8.8
+   
  • security-key, in § 5.8.8
    
  • selected authenticator, in § 5.1.3
-   
  • Self, in § 6.5.4
-   
  • Self Attestation, in § 6.5.4
+   
  • Self, in § 6.5.3
+   
  • Self Attestation, in § 6.5.3
    
  • Server-side Credential, in § 4
    
  • server-side credential storage modality, in § 6.2.2
    
  • Server-side Public Key Credential Source, in § 4
+   
  • Set Credential Properties, in § 11.10
+   
  • Set Credential Properties Parameters, in § 11.10
    
  • Set User Verified, in § 11.9
    
  • 
     signature
@@ -9509,32 +9600,32 @@ 
    Signature Counter, in § 6.1.1
    
  • signatureResult, in § 5.1.4.1
-   
  • signatures, in § 10.2.2.2
+   
  • signatures, in § 10.2.1.2
    
  • 
     signCount
     
-   
  • Signing procedure, in § 6.5.3
+   
  • Signing procedure, in § 6.5.2
    
  • silentCredentialDiscovery, in § 6.3.5
    
  • single-device credential, in § 4
    
  • single-factor capable, in § 6.2.3
    
  • "smart-card", in § 5.8.4
    
  • smart-card, in § 5.8.4
-   
  • spk, in § 10.2.2.3
+   
  • spk, in § 10.2.1.3
    
  • status, in § 5.8.1
    
  • [[Store]](credential, sameOriginWithAncestors), in § 5.1.5
    
  • 
     supplementalPubKeys
     
    
  • Supplemental public key, in § 4
-   
  • supplemental public key record, in § 10.2.2.3
+   
  • supplemental public key record, in § 10.2.1.3
    
  • support, in § 10.1.5
    
  • "supported", in § 5.8.1
    
  • 
@@ -9548,13 +9639,13 @@ 
    dict-member for PublicKeyCredentialCreationOptions, in § 5.4
-     
  • dict-member for PublicKeyCredentialCreationOptionsJSON, in § 5.1.9
+     
  • dict-member for PublicKeyCredentialCreationOptionsJSON, in § 5.1.8
      
  • dict-member for PublicKeyCredentialRequestOptions, in § 5.5
-     
  • dict-member for PublicKeyCredentialRequestOptionsJSON, in § 5.1.10
+     
  • dict-member for PublicKeyCredentialRequestOptionsJSON, in § 5.1.9
     
    
  • toJSON(), in § 5.1
    
  • TokenBinding, in § 5.8.1
-   
  • tokenBinding, in § 5.8.1
+   
  • tokenBinding, in § 5.8.1
    
  • TokenBindingStatus, in § 5.8.1
    
  • topOrigin, in § 5.8.1
    
  • [[transports]], in § 5.2.1
@@ -9564,7 +9655,7 @@ 
    abstract-op for credential record, in § 4
      
  • dict-member for AuthenticatorAttestationResponseJSON, in § 5.1
      
  • dict-member for PublicKeyCredentialDescriptor, in § 5.8.3
-     
  • dict-member for PublicKeyCredentialDescriptorJSON, in § 5.1.9
+     
  • dict-member for PublicKeyCredentialDescriptorJSON, in § 5.1.8
     
    
  • [[type]], in § 5.1
    
  • 
@@ -9576,7 +9667,7 @@ 
    dict-member for AuthenticationResponseJSON, in § 5.1
      
  • dict-member for CollectedClientData, in § 5.8.1
      
  • dict-member for PublicKeyCredentialDescriptor, in § 5.8.3
-     
  • dict-member for PublicKeyCredentialDescriptorJSON, in § 5.1.9
+     
  • dict-member for PublicKeyCredentialDescriptorJSON, in § 5.1.8
      
  • dict-member for PublicKeyCredentialParameters, in § 5.3
      
  • dict-member for RegistrationResponseJSON, in § 5.1
     
@@ -9589,7 +9680,7 @@ 
    dict-member for PublicKeyCredentialCreationOptions, in § 5.4
-     
  • dict-member for PublicKeyCredentialCreationOptionsJSON, in § 5.1.9
+     
  • dict-member for PublicKeyCredentialCreationOptionsJSON, in § 5.1.8
     
    
  • User Account, in § 4
    
  • User Consent, in § 4
@@ -9611,24 +9702,17 @@ 
    dict-member for AuthenticatorSelectionCriteria, in § 5.4.4
      
  • dict-member for PublicKeyCredentialRequestOptions, in § 5.5
-     
  • dict-member for PublicKeyCredentialRequestOptionsJSON, in § 5.1.10
+     
  • dict-member for PublicKeyCredentialRequestOptionsJSON, in § 5.1.9
     
-   
  • User Verification Method, in § 10.2.1
    
  • UserVerificationRequirement, in § 5.8.6
    
  • User Verified, in § 4
+   
  • "userVerifyingPlatformAuthenticator", in § 5.8.7
    
  • User-verifying platform authenticator, in § 6.2
+   
  • userVerifyingPlatformAuthenticator, in § 5.8.7
    
  • UV, in § 6.1
    
  • uvInitialized, in § 4
-   
  • 
-    uvm
-    
-   
  • UvmEntries, in § 10.2.1
-   
  • UvmEntry, in § 10.2.1
-   
  • Verification procedure, in § 6.5.3
-   
  • verification procedure inputs, in § 6.5.3
+   
  • Verification procedure, in § 6.5.2
+   
  • verification procedure inputs, in § 6.5.2
    
  • Virtual Authenticator Database, in § 11.2
    
  • Virtual Authenticators, in § 11.2
    
  • web application, in § 4
@@ -9665,7 +9749,9 @@ 
    credential source
      
  • get()
      
  • id
-     
  • mediation
+     
  • mediation (for CredentialCreationOptions)
+     
  • mediation (for CredentialRequestOptions)
+     
  • preventSilentAccess()
      
  • remote
      
  • same-origin with its ancestors
      
  • signal (for CredentialCreationOptions)
@@ -9707,16 +9793,13 @@ 
    
     [FIDO-CTAP] defines the following terms:
     
      
-     
    • ctap2 canonical cbor encoding form
-     
    • large, per-credential blobs
-     
    • §6.2. responses
+     
    • ctap2 canonical cbor encoding form
+     
    • large, per-credential blobs
+     
    • §6. authenticator api
     
    
    
  • 
     [FIDO-Registry] defines the following terms:
     
      
-     
    • section 3.1 user verification methods
-     
    • section 3.2 key protection types
-     
    • section 3.3 matcher protection types
      
    • section 3.6.2 public key representation formats
     
    
    
  • 
@@ -9747,11 +9830,13 @@ 
    effective domain
      
  • environment settings object
      
  • global object
+     
  • host
      
  • iframe
      
  • in parallel
      
  • input
      
  • is a registrable domain suffix of or is equal to
      
  • is not a registrable domain suffix of and is not equal to
+     
  • non-autofill credential type
      
  • opaque origin
      
  • origin
      
  • origin (for environment settings object)
@@ -9759,11 +9844,11 @@ 
    relevant global object
      
  • relevant settings object
      
  • same site
+     
  • scheme
      
  • secure context
      
  • textarea
      
  • top-level origin
      
  • transient activation
-     
  • tuple origin
     
    
  • 
     [I18N-GLOSSARY] defines the following terms:
@@ -9790,6 +9875,7 @@ 
    item (for struct)
      
  • iterate
      
  • key
+     
  • keys
      
  • list
      
  • map
      
  • ordered set
@@ -9928,6 +10014,7 @@ 
    UnknownError
      
  • boolean
      
  • buffer source types
+     
  • enumeration value
      
  • get a copy of the bytes held by the buffer source
      
  • interface object
      
  • json type
@@ -9948,7 +10035,7 @@ 
    
   
    Normative References
    
   
    
    
    [CREDENTIAL-MANAGEMENT-1]
-   
    Mike West. Credential Management Level 1. URL: https://w3c.github.io/webappsec-credential-management/
+   
    Nina Satragno; Marcos Caceres. Credential Management Level 1. URL: https://w3c.github.io/webappsec-credential-management/
    
    [CSP2]
    
    Mike West; Adam Barth; Daniel Veditz. Content Security Policy Level 2. URL: https://w3c.github.io/webappsec-csp/
    
    [DOM4]
@@ -9960,7 +10047,7 @@ 
    N
    
    [FIDO-APPID]
    
    D. Balfanz; et al. FIDO AppID and Facet Specification. 27 February 2018. FIDO Alliance Implementation Draft. URL: https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html
    
    [FIDO-CTAP]
-   
    J. Bradley; et al. Client to Authenticator Protocol (CTAP). 15 June 2021. FIDO Alliance Proposed Standard. URL: https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html
+   
    J. Bradley; et al. Client to Authenticator Protocol (CTAP). June 21, 2022. FIDO Alliance Proposed Standard. URL: https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html
    
    [FIDO-Privacy-Principles]
    
    FIDO Alliance. FIDO Privacy Principles. FIDO Alliance Whitepaper. URL: https://fidoalliance.org/wp-content/uploads/2014/12/FIDO_Alliance_Whitepaper_Privacy_Principles.pdf
    
    [FIDO-Registry]
@@ -10005,6 +10092,8 @@ 
    N
    
    M. Jones; J. Bradley; N. Sakimura. JSON Web Signature (JWS). May 2015. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc7515
    
    [RFC8152]
    
    J. Schaad. CBOR Object Signing and Encryption (COSE). July 2017. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc8152
+   
    [RFC8174]
+   
    B. Leiba. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words. May 2017. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc8174
    
    [RFC8230]
    
    M. Jones. Using RSA Algorithms with CBOR Object Signing and Encryption (COSE) Messages. September 2017. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc8230
    
    [RFC8264]
@@ -10104,57 +10193,56 @@ 
    I
 typedef object PublicKeyCredentialJSON;
 
 dictionary RegistrationResponseJSON {
-    required Base64URLString id;
-    required Base64URLString rawId;
-    required AuthenticatorAttestationResponseJSON response;
-    DOMString authenticatorAttachment;
-    required AuthenticationExtensionsClientOutputsJSON clientExtensionResults;
-    required DOMString type;
+    required Base64URLString id;
+    required Base64URLString rawId;
+    required AuthenticatorAttestationResponseJSON response;
+    DOMString authenticatorAttachment;
+    required AuthenticationExtensionsClientOutputsJSON clientExtensionResults;
+    required DOMString type;
 };
 
 dictionary AuthenticatorAttestationResponseJSON {
-    required Base64URLString clientDataJSON;
-    required Base64URLString authenticatorData;
-    required sequence<DOMString> transports;
+    required Base64URLString clientDataJSON;
+    required Base64URLString authenticatorData;
+    required sequence<DOMString> transports;
     // The publicKey field will be missing if pubKeyCredParams was used to
-    // negotiate a public-key algorithm that the user agent doesn’t
+    // negotiate a public-key algorithm that the user agent doesn't
     // understand. (See section “Easily accessing credential data” for a
     // list of which algorithms user agents must support.) If using such an
     // algorithm then the public key must be parsed directly from
     // attestationObject or authenticatorData.
-    Base64URLString publicKey;
-    required long long publicKeyAlgorithm;
+    Base64URLString publicKey;
+    required long long publicKeyAlgorithm;
     // This value contains copies of some of the fields above. See
     // section “Easily accessing credential data”.
-    required Base64URLString attestationObject;
+    required Base64URLString attestationObject;
 };
 
 dictionary AuthenticationResponseJSON {
-    required Base64URLString id;
-    required Base64URLString rawId;
-    required AuthenticatorAssertionResponseJSON response;
-    DOMString authenticatorAttachment;
-    required AuthenticationExtensionsClientOutputsJSON clientExtensionResults;
-    required DOMString type;
+    required Base64URLString id;
+    required Base64URLString rawId;
+    required AuthenticatorAssertionResponseJSON response;
+    DOMString authenticatorAttachment;
+    required AuthenticationExtensionsClientOutputsJSON clientExtensionResults;
+    required DOMString type;
 };
 
 dictionary AuthenticatorAssertionResponseJSON {
-    required Base64URLString clientDataJSON;
-    required Base64URLString authenticatorData;
-    required Base64URLString signature;
-    Base64URLString userHandle;
-    Base64URLString attestationObject;
+    required Base64URLString clientDataJSON;
+    required Base64URLString authenticatorData;
+    required Base64URLString signature;
+    Base64URLString userHandle;
 };
 
 dictionary AuthenticationExtensionsClientOutputsJSON {
 };
 
 partial dictionary CredentialCreationOptions {
-    PublicKeyCredentialCreationOptions      publicKey;
+    PublicKeyCredentialCreationOptions      publicKey;
 };
 
 partial dictionary CredentialRequestOptions {
-    PublicKeyCredentialRequestOptions      publicKey;
+    PublicKeyCredentialRequestOptions      publicKey;
 };
 
 partial interface PublicKeyCredential {
@@ -10162,37 +10250,39 @@ 
    I
 };
 
 partial interface PublicKeyCredential {
-    static Promise<boolean> isPasskeyPlatformAuthenticatorAvailable();
+    static Promise<PublicKeyCredentialClientCapabilities> getClientCapabilities();
 };
 
+typedef record<DOMString, boolean> PublicKeyCredentialClientCapabilities;
+
 partial interface PublicKeyCredential {
     static PublicKeyCredentialCreationOptions parseCreationOptionsFromJSON(PublicKeyCredentialCreationOptionsJSON options);
 };
 
 dictionary PublicKeyCredentialCreationOptionsJSON {
-    required PublicKeyCredentialRpEntity                    rp;
-    required PublicKeyCredentialUserEntityJSON              user;
-    required Base64URLString                                challenge;
-    required sequence<PublicKeyCredentialParameters>        pubKeyCredParams;
-    unsigned long                                           timeout;
-    sequence<PublicKeyCredentialDescriptorJSON>             excludeCredentials = [];
-    AuthenticatorSelectionCriteria                          authenticatorSelection;
-    sequence<DOMString>                                     hints = [];
-    DOMString                                               attestation = "none";
-    sequence<DOMString>                                     attestationFormats = [];
-    AuthenticationExtensionsClientInputsJSON                extensions;
+    required PublicKeyCredentialRpEntity                    rp;
+    required PublicKeyCredentialUserEntityJSON              user;
+    required Base64URLString                                challenge;
+    required sequence<PublicKeyCredentialParameters>        pubKeyCredParams;
+    unsigned long                                           timeout;
+    sequence<PublicKeyCredentialDescriptorJSON>             excludeCredentials = [];
+    AuthenticatorSelectionCriteria                          authenticatorSelection;
+    sequence<DOMString>                                     hints = [];
+    DOMString                                               attestation = "none";
+    sequence<DOMString>                                     attestationFormats = [];
+    AuthenticationExtensionsClientInputsJSON                extensions;
 };
 
 dictionary PublicKeyCredentialUserEntityJSON {
-    required Base64URLString        id;
-    required DOMString              name;
-    required DOMString              displayName;
+    required Base64URLString        id;
+    required DOMString              name;
+    required DOMString              displayName;
 };
 
 dictionary PublicKeyCredentialDescriptorJSON {
-    required Base64URLString        id;
-    required DOMString              type;
-    sequence<DOMString>             transports;
+    required Base64URLString        id;
+    required DOMString              type;
+    sequence<DOMString>             transports;
 };
 
 dictionary AuthenticationExtensionsClientInputsJSON {
@@ -10203,15 +10293,13 @@ 
    I
 };
 
 dictionary PublicKeyCredentialRequestOptionsJSON {
-    required Base64URLString                                challenge;
-    unsigned long                                           timeout;
-    DOMString                                               rpId;
-    sequence<PublicKeyCredentialDescriptorJSON>             allowCredentials = [];
-    DOMString                                               userVerification = "preferred";
-    sequence<DOMString>                                     hints = [];
-    DOMString                                               attestation = "none";
-    sequence<DOMString>                                     attestationFormats = [];
-    AuthenticationExtensionsClientInputsJSON                extensions;
+    required Base64URLString                                challenge;
+    unsigned long                                           timeout;
+    DOMString                                               rpId;
+    sequence<PublicKeyCredentialDescriptorJSON>             allowCredentials = [];
+    DOMString                                               userVerification = "preferred";
+    sequence<DOMString>                                     hints = [];
+    AuthenticationExtensionsClientInputsJSON                extensions;
 };
 
 [SecureContext, Exposed=Window]
@@ -10233,48 +10321,47 @@ 
    I
     [SameObject] readonly attribute ArrayBuffer      authenticatorData;
     [SameObject] readonly attribute ArrayBuffer      signature;
     [SameObject] readonly attribute ArrayBuffer?     userHandle;
-    [SameObject] readonly attribute ArrayBuffer?     attestationObject;
 };
 
 dictionary PublicKeyCredentialParameters {
-    required DOMString                    type;
-    required COSEAlgorithmIdentifier      alg;
+    required DOMString                    type;
+    required COSEAlgorithmIdentifier      alg;
 };
 
 dictionary PublicKeyCredentialCreationOptions {
-    required PublicKeyCredentialRpEntity         rp;
-    required PublicKeyCredentialUserEntity       user;
-
-    required BufferSource                             challenge;
-    required sequence<PublicKeyCredentialParameters>  pubKeyCredParams;
-
-    unsigned long                                timeout;
-    sequence<PublicKeyCredentialDescriptor>      excludeCredentials = [];
-    AuthenticatorSelectionCriteria               authenticatorSelection;
-    sequence<DOMString>                          hints = [];
-    DOMString                                    attestation = "none";
-    sequence<DOMString>                          attestationFormats = [];
-    AuthenticationExtensionsClientInputs         extensions;
+    required PublicKeyCredentialRpEntity         rp;
+    required PublicKeyCredentialUserEntity       user;
+
+    required BufferSource                             challenge;
+    required sequence<PublicKeyCredentialParameters>  pubKeyCredParams;
+
+    unsigned long                                timeout;
+    sequence<PublicKeyCredentialDescriptor>      excludeCredentials = [];
+    AuthenticatorSelectionCriteria               authenticatorSelection;
+    sequence<DOMString>                          hints = [];
+    DOMString                                    attestation = "none";
+    sequence<DOMString>                          attestationFormats = [];
+    AuthenticationExtensionsClientInputs         extensions;
 };
 
 dictionary PublicKeyCredentialEntity {
-    required DOMString    name;
+    required DOMString    name;
 };
 
 dictionary PublicKeyCredentialRpEntity : PublicKeyCredentialEntity {
-    DOMString      id;
+    DOMString      id;
 };
 
 dictionary PublicKeyCredentialUserEntity : PublicKeyCredentialEntity {
-    required BufferSource   id;
-    required DOMString      displayName;
+    required BufferSource   id;
+    required DOMString      displayName;
 };
 
 dictionary AuthenticatorSelectionCriteria {
-    DOMString                    authenticatorAttachment;
-    DOMString                    residentKey;
-    boolean                      requireResidentKey = false;
-    DOMString                    userVerification = "preferred";
+    DOMString                    authenticatorAttachment;
+    DOMString                    residentKey;
+    boolean                      requireResidentKey = false;
+    DOMString                    userVerification = "preferred";
 };
 
 enum AuthenticatorAttachment {
@@ -10296,15 +10383,13 @@ 
    I
 };
 
 dictionary PublicKeyCredentialRequestOptions {
-    required BufferSource                challenge;
-    unsigned long                        timeout;
-    USVString                            rpId;
-    sequence<PublicKeyCredentialDescriptor> allowCredentials = [];
-    DOMString                            userVerification = "preferred";
-    sequence<DOMString>                  hints = [];
-    DOMString                            attestation = "none";
-    sequence<DOMString>                  attestationFormats = [];
-    AuthenticationExtensionsClientInputs extensions;
+    required BufferSource                challenge;
+    unsigned long                        timeout;
+    USVString                            rpId;
+    sequence<PublicKeyCredentialDescriptor> allowCredentials = [];
+    DOMString                            userVerification = "preferred";
+    sequence<DOMString>                  hints = [];
+    AuthenticationExtensionsClientInputs extensions;
 };
 
 dictionary AuthenticationExtensionsClientInputs {
@@ -10314,16 +10399,16 @@ 
    I
 };
 
 dictionary CollectedClientData {
-    required DOMString           type;
-    required DOMString           challenge;
-    required DOMString           origin;
-    DOMString                    topOrigin;
-    boolean                      crossOrigin;
+    required DOMString           type;
+    required DOMString           challenge;
+    required DOMString           origin;
+    DOMString                    topOrigin;
+    boolean                      crossOrigin;
 };
 
 dictionary TokenBinding {
-    required DOMString status;
-    DOMString id;
+    required DOMString status;
+    DOMString id;
 };
 
 enum TokenBindingStatus { "present", "supported" };
@@ -10333,9 +10418,9 @@ 
    I
 };
 
 dictionary PublicKeyCredentialDescriptor {
-    required DOMString                    type;
-    required BufferSource                 id;
-    sequence<DOMString>                   transports;
+    required DOMString                    type;
+    required BufferSource                 id;
+    sequence<DOMString>                   transports;
 };
 
 enum AuthenticatorTransport {
@@ -10355,6 +10440,14 @@ 
    I
     "discouraged"
 };
 
+enum ClientCapability {
+    "conditionalCreate",
+    "conditionalGet",
+    "hybridTransport",
+    "passkeyPlatformAuthenticator",
+    "userVerifyingPlatformAuthenticator",
+};
+
 enum PublicKeyCredentialHints {
     "security-key",
     "client-device",
@@ -10362,59 +10455,59 @@ 
    I
 };
 
 partial dictionary AuthenticationExtensionsClientInputs {
-  USVString appid;
+  USVString appid;
 };
 
 partial dictionary AuthenticationExtensionsClientOutputs {
-  boolean appid;
+  boolean appid;
 };
 
 partial dictionary AuthenticationExtensionsClientInputs {
-  USVString appidExclude;
+  USVString appidExclude;
 };
 
 partial dictionary AuthenticationExtensionsClientOutputs {
-  boolean appidExclude;
+  boolean appidExclude;
 };
 
 partial dictionary AuthenticationExtensionsClientInputs {
-    boolean credProps;
+    boolean credProps;
 };
 
 dictionary CredentialPropertiesOutput {
-    boolean rk;
-    USVString authenticatorDisplayName;
+    boolean rk;
+    USVString authenticatorDisplayName;
 };
 
 partial dictionary AuthenticationExtensionsClientOutputs {
-    CredentialPropertiesOutput credProps;
+    CredentialPropertiesOutput credProps;
 };
 
 dictionary AuthenticationExtensionsPRFValues {
-    required BufferSource first;
-    BufferSource second;
+    required BufferSource first;
+    BufferSource second;
 };
 
 dictionary AuthenticationExtensionsPRFInputs {
-    AuthenticationExtensionsPRFValues eval;
-    record<USVString, AuthenticationExtensionsPRFValues> evalByCredential;
+    AuthenticationExtensionsPRFValues eval;
+    record<USVString, AuthenticationExtensionsPRFValues> evalByCredential;
 };
 
 partial dictionary AuthenticationExtensionsClientInputs {
-    AuthenticationExtensionsPRFInputs prf;
+    AuthenticationExtensionsPRFInputs prf;
 };
 
 dictionary AuthenticationExtensionsPRFOutputs {
-    boolean enabled;
-    AuthenticationExtensionsPRFValues results;
+    boolean enabled;
+    AuthenticationExtensionsPRFValues results;
 };
 
 partial dictionary AuthenticationExtensionsClientOutputs {
-    AuthenticationExtensionsPRFOutputs prf;
+    AuthenticationExtensionsPRFOutputs prf;
 };
 
 partial dictionary AuthenticationExtensionsClientInputs {
-    AuthenticationExtensionsLargeBlobInputs largeBlob;
+    AuthenticationExtensionsLargeBlobInputs largeBlob;
 };
 
 enum LargeBlobSupport {
@@ -10423,48 +10516,37 @@ 
    I
 };
 
 dictionary AuthenticationExtensionsLargeBlobInputs {
-    DOMString support;
-    boolean read;
-    BufferSource write;
+    DOMString support;
+    boolean read;
+    BufferSource write;
 };
 
 partial dictionary AuthenticationExtensionsClientOutputs {
-    AuthenticationExtensionsLargeBlobOutputs largeBlob;
+    AuthenticationExtensionsLargeBlobOutputs largeBlob;
 };
 
 dictionary AuthenticationExtensionsLargeBlobOutputs {
-    boolean supported;
-    ArrayBuffer blob;
-    boolean written;
-};
-
-partial dictionary AuthenticationExtensionsClientInputs {
-  boolean uvm;
-};
-
-typedef sequence<unsigned long> UvmEntry;
-typedef sequence<UvmEntry> UvmEntries;
-
-partial dictionary AuthenticationExtensionsClientOutputs {
-  UvmEntries uvm;
+    boolean supported;
+    ArrayBuffer blob;
+    boolean written;
 };
 
 dictionary AuthenticationExtensionsSupplementalPubKeysInputs {
-    required sequence<DOMString> scopes;
-    DOMString attestation = "indirect";
-    sequence<DOMString> attestationFormats = [];
+    required sequence<DOMString> scopes;
+    DOMString attestation = "indirect";
+    sequence<DOMString> attestationFormats = [];
 };
 
 partial dictionary AuthenticationExtensionsClientInputs {
-    AuthenticationExtensionsSupplementalPubKeysInputs supplementalPubKeys;
+    AuthenticationExtensionsSupplementalPubKeysInputs supplementalPubKeys;
 };
 
 dictionary AuthenticationExtensionsSupplementalPubKeysOutputs {
-    sequence<ArrayBuffer> signatures;
+    required sequence<ArrayBuffer> signatures;
 };
 
 partial dictionary AuthenticationExtensionsClientOutputs {
-    AuthenticationExtensionsSupplementalPubKeysOutputs supplementalPubKeys;
+    AuthenticationExtensionsSupplementalPubKeysOutputs supplementalPubKeys;
 };
    • @@ -10739,920 +10821,8 @@

    - mk.li({}, - ...section.refs.map((ref, refI)=> - [ - mk.a({ - href: `#${ref.id}` - }, - (refI == 0) ? section.title : `(${refI + 1})` - ), - " ", - ] - ), - ), - ), - ), - ); - } - - function genAllDfnPanels() { - for(const panelData of Object.values(window.dfnpanelData)) { - const dfnID = panelData.dfnID; - const dfn = document.getElementById(dfnID); - if(!dfn) { - console.log(`Can't find dfn#${dfnID}.`, panelData); - } else { - const panel = genDfnPanel(panelData); - append(document.body, panel); - insertDfnPopupAction(dfn, panel) - } - } - } - - document.addEventListener("DOMContentLoaded", ()=>{ - genAllDfnPanels(); - - // Add popup behavior to all dfns to show the corresponding dfn-panel. - var dfns = queryAll('.dfn-paneled'); - for(let dfn of dfns) { ; } - - document.body.addEventListener("click", (e) => { - // If not handled already, just hide all dfn panels. - hideAllDfnPanels(); - }); - }) - - - function hideAllDfnPanels() { - // Turn off any currently "on" or "activated" panels. - queryAll(".dfn-panel.on, .dfn-panel.activated").forEach(el=>hideDfnPanel(el)); - } - - function showDfnPanel(dfnPanel, dfn) { - hideAllDfnPanels(); // Only display one at this time. - dfn.setAttribute("aria-expanded", "true"); - dfnPanel.classList.add("on"); - dfnPanel.style.left = "5px"; - dfnPanel.style.top = "0px"; - const panelRect = dfnPanel.getBoundingClientRect(); - const panelWidth = panelRect.right - panelRect.left; - if (panelRect.right > document.body.scrollWidth) { - // Panel's overflowing the screen. - // Just drop it below the dfn and flip it rightward instead. - // This still wont' fix things if the screen is *really* wide, - // but fixing that's a lot harder without 'anchor()'. - dfnPanel.style.top = "1.5em"; - dfnPanel.style.left = "auto"; - dfnPanel.style.right = "0px"; - } - } - - function pinDfnPanel(dfnPanel) { - // Switch it to "activated" state, which pins it. - dfnPanel.classList.add("activated"); - dfnPanel.style.left = null; - dfnPanel.style.top = null; - } - - function hideDfnPanel(dfnPanel, dfn) { - if(!dfn) { - dfn = document.getElementById(dfnPanel.getAttribute("data-for")); - } - dfn.setAttribute("aria-expanded", "false") - dfnPanel.classList.remove("on"); - dfnPanel.classList.remove("activated"); - } - - function toggleDfnPanel(dfnPanel, dfn) { - if(dfnPanel.classList.contains("on")) { - hideDfnPanel(dfnPanel, dfn); - } else { - showDfnPanel(dfnPanel, dfn); - } - } - - function insertDfnPopupAction(dfn, dfnPanel) { - // Find dfn panel - const panelWrapper = document.createElement('span'); - panelWrapper.appendChild(dfnPanel); - panelWrapper.style.position = "relative"; - panelWrapper.style.height = "0px"; - dfn.insertAdjacentElement("afterend", panelWrapper); - dfn.setAttribute('role', 'button'); - dfn.setAttribute('aria-expanded', 'false') - dfn.tabIndex = 0; - dfn.classList.add('has-dfn-panel'); - dfn.addEventListener('click', (event) => { - showDfnPanel(dfnPanel, dfn); - event.stopPropagation(); - }); - dfn.addEventListener('keypress', (event) => { - const kc = event.keyCode; - // 32->Space, 13->Enter - if(kc == 32 || kc == 13) { - toggleDfnPanel(dfnPanel, dfn); - event.stopPropagation(); - event.preventDefault(); - } - }); - - dfnPanel.addEventListener('click', (event) => { - if (event.target.nodeName == 'A') { - pinDfnPanel(dfnPanel); - } - event.stopPropagation(); - }); - - dfnPanel.addEventListener('keydown', (event) => { - if(event.keyCode == 27) { // Escape key - hideDfnPanel(dfnPanel, dfn); - event.stopPropagation(); - event.preventDefault(); - } - }) - } -} - - - + + \ No newline at end of file