spec is missing baseline posture that credential source is bound to a particular authenticator

[equalsJeffH]

A reader asks:

Just a quick question on WebAuthn. My impression has always
been that the private key of a generated credential should never
leave the Authenticator.

But a casual read of w3c.github.io/webauthn/
doesn't give me any such language. There's "user deletes the
credential from the device" under Decommissioning, implicating that
the credential can only be on one device, but I fail to find anything
explicit on this topic. Am I missing something or am I mistaken about
credential export and import?

My brief answer:

Yes, that's the baseline posture.

Though, it is modulo some form of secure credentials migration/backup/recovery means, which we have not figured out yet and is a work in early progress. e.g. see issue #931

Yes, the spec is arguably missing something in terms of describing this and perhaps pointing to appropriate FIDO material.

[emlun]

There is one brief mention of this buried deep in the middle of §4. Terminology > Client-side-resident Public Key Credential Source:

[...] By definition, the credential private key is always exclusively controlled by the authenticator. [...]

[equalsJeffH]

Ok, great, thanks -- so we can hopefully address this issue by referring back to that statement from appropriate places elsewhere in the spec.

[jcjones]

It seems like this is addressed, per #1122 (comment) and #1122 (comment)

[emlun]

Unassigning myself from this since I see no clear call to action.

[nadalin]

@equalsJeffH can we close this ?