diff --git a/index.bs b/index.bs
index 6fdd386f9..ef7cf6d82 100644
--- a/index.bs
+++ b/index.bs
@@ -119,6 +119,11 @@ spec: FIDO-CTAP; urlPrefix: https://fidoalliance.org/specs/fido-v2.0-ps-20170927
type: dfn
text: CTAP canonical CBOR encoding form; url: message-encoding
+spec: FIDO-APPID; urlPrefix: https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-appid-and-facets-v1.2-ps-20170411.html
+ type: dfn
+ text: determining the FacetID of a calling application; url: determining-the-facetid-of-a-calling-application
+ text: determining if a caller's FacetID is authorized for an AppID; url: determining-if-a-caller-s-facetid-is-authorized-for-an-appid
+
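Review bot: the Bikeshed anchor block ends with an empty `+` line (the last line of this hunk) while the preceding `spec: FIDO-CTAP` block has none; drop the blank line, or add one to both, so the anchor-definition blocks stay consistent. Also worth checking that the `FIDO-APPID` key used here matches the biblio entry exactly, since the second hunk cites it normatively as `[[!FIDO-APPID]]` and the extension section cites it informatively as `[[FIDO-APPID]]`; pick one form, and normative is the right one given that the client's authorization decision depends on those two algorithms.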
@@ -303,6 +308,11 @@ below and in [[#index-defined-elsewhere]].
the Web IDL standard adds support for {{Promise}}s, which are now the preferred mechanism for asynchronous
interaction in all new web APIs.
+: FIDO AppID
+:: The algorithms for [=determining the FacetID of a calling application=] and
+ [=determining if a caller's FacetID is authorized for an AppID=] (used only in
+ the `appid` extension) are defined by [[!FIDO-APPID]].
+
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in [[!RFC2119]].
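Review bot: the new "FIDO AppID" dependency entry says the algorithms are "used only in the `appid` extension" but gives the reader no way to get there; link the phrase to the extension section (e.g. `[[#sctn-appid-extension]]`, the heading id shown in the last hunk) so the dependency list matches the cross-reference style used elsewhere in this section (compare the `[[#index-defined-elsewhere]]` link in the hunk context).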
@@ -1162,7 +1172,8 @@ When this method is invoked, the user agent MUST execute the following algorithm
1. Let |userPresence| be a Boolean value set to the inverse of |userVerification|.
- 1. If |options|.{{PublicKeyCredentialRequestOptions/allowCredentials}}
+ 1.
+ If |options|.{{PublicKeyCredentialRequestOptions/allowCredentials}}
: [=list/is not empty=]
:: 1. Let |allowCredentialDescriptorList| be a new [=list=].
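Review bot: this hunk only moves the `1.` list marker onto its own line and re-indents the `If |options|...` text, but adds no element or `id`; the extension section in the last hunk links to `#allowCredentialDescriptorListCreation`, and nothing in this patch defines that anchor. If the split is meant to make room for an anchor, add it here (for example an `<a id="allowCredentialDescriptorListCreation"></a>` or an `id` on the list item) so the link resolves; otherwise the reorganisation has no visible effect and the link is dangling.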
@@ -3530,33 +3541,45 @@ IANA "WebAuthn Extension Identifier" registry established by [[!WebAuthn-Registr
These are recommended for implementation by user agents targeting broad interoperability.
-## FIDO AppId Extension (appid) ## {#sctn-appid-extension}
+## FIDO AppID Extension (appid) ## {#sctn-appid-extension}
-This [=authentication extension=] allows [=[RPS]=] that have previously registered a
-credential using the legacy FIDO JavaScript APIs to request an assertion.
-Specifically, this extension allows [=[RPS]=] to specify an |appId| [[FIDO-APPID]]
-to overwrite the otherwise computed |rpId|. This extension is only valid if
-used during the {{CredentialsContainer/get()}} call; other usage will result in client
-error.
+This [=client extension=] allows [=[RPS]=] that have previously registered a
+credential using the legacy FIDO JavaScript APIs to request an [=assertion=]. The
+FIDO APIs use an alternative identifier for [=relying parties=] called an |AppID|
+[[FIDO-APPID]], and any credentials created using those APIs will be bound to
+that identifier. Without this extension they would need to be re-registered in
+order to be bound to an [=RP ID=].
+
+This extension does not allow FIDO-compatible credentials to be created. Thus
+credentials created with WebAuthn are not backwards compatible with the FIDO
+JavaScript APIs.
: Extension identifier
:: `appid`
: Client extension input
-:: A single JSON string specifying a FIDO |appId|.
+:: A single JSON string specifying a FIDO |AppID|.
: Client extension processing
-:: If {{PublicKeyCredentialRequestOptions/rpId}} is present, return a DOMException
- whose name is "{{NotAllowedError}}", and terminate this algorithm ([[#discover-from-external-source]]).
-
- Otherwise, replace the calculation of |rpId| in Step 6 of [[#discover-from-external-source]] with the
- following procedure: The client uses the value of |appid| to perform
- the AppId validation procedure (as defined by [[FIDO-APPID]]). If valid,
- the value of |rpId| for all client processing should be replaced by the
- value of |appid|.
+:: 1. If present in a {{CredentialsContainer/create()}} call, return a
+ "{{NotSupportedError}}" {{DOMException}}—this extension is only valid when
+ requesting an assertion.
+ 1. Let |facetId| be the result of passing the caller's [=origin=] to the
+ FIDO algorithm for [=determining the FacetID of a calling application=].
+ 1. Let |appId| be the extension input.
+ 1. Pass |facetId| and |appId| to the FIDO algorithm for [=determining if a
+ caller's FacetID is authorized for an AppID=]. If that algorithm rejects
+ |appId| then return a "{{SecurityError}}" {{DOMException}}.
+ 1. When [building allowCredentialDescriptorList](#allowCredentialDescriptorListCreation),
+ if a U2F authenticator indicates that a credential is inapplicable (i.e. by
+ returning `SW_WRONG_DATA`) then the client MUST retry with the U2F application
+ parameter set to the SHA-256 hash of |appId|. If this results in an applicable
+ credential, the client MUST include the credential in
+ |allowCredentialDescriptorList|. The value of |appId| then replaces the `rpId`
+ parameter of [=authenticatorGetAssertion=].
: Client extension output
-:: Returns the JSON value `true` to indicate to the RP that the extension was acted upon
+:: Returns the JSON value `true` to indicate to the RP that the extension was acted upon.
: Authenticator extension input
:: None.
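Review bot: the rewritten "Client extension processing" drops the old first check ("If rpId is present, return NotAllowedError") without saying what the client does when an RP supplies both `rpId` and `appid`; since step 5 says "The value of |appId| then replaces the `rpId` parameter of authenticatorGetAssertion", an explicit `rpId` would now be silently overridden. Either keep the rejection or state that `appid` takes precedence, and say so in the prose. Two precision points in the same steps: step 5's "SHA-256 hash of |appId|" should say which byte encoding of the string is hashed (the FIDO APIs define this; name it here), and step 5 should make clear that the `rpId` replacement applies only to the credentials found via the `appId` retry, not to any that matched under the original RP ID, since the two sets require different application parameters. Finally, the "Client extension output" of `true` is what tells the RP to verify `rpIdHash` against the hash of the AppID rather than the RP ID; one sentence stating that would remove the guesswork for RP implementers.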