Merge pull request #2163 from w3c/issue-2156-rp-ops-authenticatorDisplayName

Add [credential record/authenticatorDisplayName] handling to RP operations
emlun authored Oct 28, 2024
2 parents 3154b78 + 43697f7 commit d6b0d2c
Showing 1 changed file with 23 additions and 10 deletions.
33 changes: 23 additions & 10 deletions index.bs
Expand Up @@ -1184,15 +1184,15 @@ BCP 14 [[!RFC2119]] [[!RFC8174]] when, and only when, they appear in all capital
enables the [=[RP]=] to re-verify the [=attestation signature=] at a later time.

: <dfn>authenticatorDisplayName</dfn>
:: A [=human palatability|human-palatable=] description of the [=public key credential source=].
:: A [=human-palatable=] description of the [=public key credential source=].

If used, the [=[RP]=] SHOULD use this to describe the [=credential record=] in the user's account settings.
The [=[RP]=] SHOULD allow the user to choose this value, and MAY allow the user to modify it at will.

The [=credProps|Credential Properties Extension=] defines the [=credential property=]
{{CredentialPropertiesOutput/authenticatorDisplayName}}
which, when available, MAY be offered as a default for this value.
The [=[RP]=] MAY also derive a default value from the authenticator's [=attestation statement=], if any.
The [=[RP]=] MAY alternatively derive a default value from the authenticator's [=attestation statement=], if any.
</dl>

[=WebAuthn extensions=] MAY define additional [=struct/items=] needed to process the extension.
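Review bot: the change from "MAY also" to "MAY alternatively" in the attestation-statement sentence narrows the meaning. "Alternatively" reads as the attestation statement being a substitute for the credProps default, and no longer clearly covers the case where {{CredentialPropertiesOutput/authenticatorDisplayName}} is absent and the attestation statement is the only source, nor the case where both inputs are combined. If a fallback is intended, say so, e.g. "The [=[RP]=] MAY instead, or when {{CredentialPropertiesOutput/authenticatorDisplayName}} is absent, derive a default value from the authenticator's [=attestation statement=], if any." The same two sentences are repeated verbatim in the registration ceremony step later in this change; having that step reference this definition rather than restate it would keep the two from drifting apart.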
Expand All @@ -1216,8 +1216,8 @@ BCP 14 [[!RFC2119]] [[!RFC8174]] when, and only when, they appear in all capital
for [=single-device credentials=]. For [=multi-device credentials=], the generating authenticator may or may not be the same as the
current [=managing authenticator=] participating in a given [=authentication=] operation.

: <dfn>Human Palatability</dfn>
:: An identifier that is [=human palatability|human-palatable=] is intended to be rememberable and reproducible by typical human
: <dfn lt="human palatability|human-palatable">Human Palatability</dfn>
:: An identifier that is [=human-palatable=] is intended to be rememberable and reproducible by typical human
users, in contrast to identifiers that are, for example, randomly generated sequences of bits [[EduPersonObjectClassSpec]].

: <dfn>Non-Discoverable Credential</dfn>
Expand Down Expand Up @@ -3593,9 +3593,9 @@ associated with or [=scoped=] to, respectively.
</xmp>
<div dfn-type="dict-member" dfn-for="PublicKeyCredentialEntity">
: <dfn>name</dfn>
:: A [=human palatability|human-palatable=] name for the entity. Its function depends on what the {{PublicKeyCredentialEntity}} represents:
:: A [=human-palatable=] name for the entity. Its function depends on what the {{PublicKeyCredentialEntity}} represents:

- \[DEPRECATED] When inherited by {{PublicKeyCredentialRpEntity}} it is a [=human palatability|human-palatable=] identifier for the [=[RP]=], intended only
- \[DEPRECATED] When inherited by {{PublicKeyCredentialRpEntity}} it is a [=human-palatable=] identifier for the [=[RP]=], intended only
for display. For example, "ACME Corporation", "Wonderful Widgets, Inc." or "ОАО Примертех".

This member is deprecated because many [=clients=] do not display it,
Expand All @@ -3616,7 +3616,7 @@ associated with or [=scoped=] to, respectively.
including the value as a parameter of the [=authenticatorMakeCredential=] operation.

- When inherited by {{PublicKeyCredentialUserEntity}}, it is a
[=human palatability|human-palatable=] identifier for a [=user account=]. This
[=human-palatable=] identifier for a [=user account=]. This
identifier is the primary value displayed to users by [=Clients=] to help users
understand with which [=user account=] a credential is associated.

Expand Down Expand Up @@ -3692,9 +3692,9 @@ credential.
with more than one [=user account=] at the [=[RP]=].

: <dfn>displayName</dfn>
:: A [=human palatability|human-palatable=] name for the [=user account=], intended only for
:: A [=human-palatable=] name for the [=user account=], intended only for
display. The [=[RP]=] SHOULD let the user choose this, and SHOULD NOT restrict the choice
more than necessary. If no suitable or [=human palatability|human-palatable=] name is
more than necessary. If no suitable or [=human-palatable=] name is
available, the [=[RP]=] SHOULD set this value to an empty string.

Examples of suitable values for this identifier include, "Alex Müller", "Alex Müller (ACME Co.)" or "田中倫".
Expand Down Expand Up @@ -6085,6 +6085,14 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o

: [$credential record/attestationClientDataJSON$]
:: <code>|response|.{{AuthenticatorResponse/clientDataJSON}}</code>.

: [$credential record/authenticatorDisplayName$]
:: A [=human-palatable=] description of the [=public key credential source=].
This SHOULD be chosen by the user.

If <code>|clientExtensionResults|.{{AuthenticationExtensionsClientOutputs/credProps}}.{{CredentialPropertiesOutput/authenticatorDisplayName}}</code> is present,
then its value MAY be offered as a default for this value.
The [=[RP]=] MAY alternatively derive a default value from the authenticator's [=attestation statement=], if any.
</dl>
</li>

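Review bot: the presence test in the new registration-ceremony item skips a level: <code>|clientExtensionResults|.credProps.authenticatorDisplayName</code> "is present" presupposes that the {{AuthenticationExtensionsClientOutputs/credProps}} member itself is present, which it is not whenever the extension was not requested or not supported by the client. Spell out both checks, e.g. "If |clientExtensionResults|.{{AuthenticationExtensionsClientOutputs/credProps}} is present and its {{CredentialPropertiesOutput/authenticatorDisplayName}} member is present, then ...". Since this value originates in the client and is being offered as a default for a field the [=[RP]=] will later render in the user's account settings, it is also worth stating that the [=[RP]=] treats it as untrusted input (length-limited and escaped for display) like any other user-supplied string, rather than storing it verbatim.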
Expand Down Expand Up @@ -6271,6 +6279,11 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
update it to the value of the [=authData/flags/UV=] bit in the [=flags=] in |authData|.
This change SHOULD require authorization by an additional [=authentication factor=] equivalent to WebAuthn [=user verification=];
if not authorized, skip this step.
1. If <code>|credentialRecord|.[$credential record/authenticatorDisplayName$]</code> is used,
and <code>|clientExtensionResults|.{{AuthenticationExtensionsClientOutputs/credProps}}.{{CredentialPropertiesOutput/authenticatorDisplayName}}</code>
is present and not equal to <code>|credentialRecord|.[$credential record/authenticatorDisplayName$]</code>,
then OPTIONALLY offer the user to update <code>|credentialRecord|.[$credential record/authenticatorDisplayName$]</code>
to the value of <code>|clientExtensionResults|.{{AuthenticationExtensionsClientOutputs/credProps}}.{{CredentialPropertiesOutput/authenticatorDisplayName}}</code>.

If the [=[RP]=] performs additional security checks beyond these WebAuthn [=authentication ceremony=] steps,
the above state updates SHOULD be deferred to after those additional checks are completed successfully.
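Review bot: the new step compares two fields that are defined to describe different things: [$credential record/authenticatorDisplayName$] is a description of the [=public key credential source=], whereas {{CredentialPropertiesOutput/authenticatorDisplayName}} (per the credProps definition later in this change) describes the credential's [=managing authenticator=]. For a [=multi-device credential=] the managing authenticator participating in an [=authentication=] may differ from the generating one, so the two values are expected to differ without the stored record being stale, and the step as written would prompt the user on every such authentication. Consider noting that this is expected for multi-device credentials, or limiting the offer to records whose value was not chosen by the user. As in the registration step, the presence test should check {{AuthenticationExtensionsClientOutputs/credProps}} before dereferencing its member, and "OPTIONALLY offer the user to update" should make clear that the record changes only on explicit user confirmation, never automatically from client-supplied data.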
Expand Down Expand Up @@ -7385,7 +7398,7 @@ This [=client extension|client=] [=registration extension=] and [=authentication
Note: some [=authenticators=] create [=discoverable credentials=] even when not requested by the [=client platform=]. Because of this, [=client platforms=] may be forced to omit the {{rk}} property because they lack the assurance to be able to set it to [FALSE]. [=[RPS]=] should assume that, if the `credProps` extension is supported, then [=client platforms=] will endeavour to populate the {{rk}} property. Therefore a missing {{rk}} indicates that the created credential is most likely a [=non-discoverable credential=].

: <dfn>authenticatorDisplayName</dfn>
:: This OPTIONAL property is a [=human palatability|human-palatable=] description of the credential's [=managing authenticator=],
:: This OPTIONAL property is a [=human-palatable=] description of the credential's [=managing authenticator=],
chosen by the user.

The [=client=] MUST allow the user to choose this value.
