Enforce rejection of be:0,bs:1 during auth

w3c · Jun 28, 2023 · 3e0395f · 3e0395f
1 parent 8a04cf7
commit 3e0395f
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/index.bs b/index.bs
@@ -5519,6 +5519,8 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
     verify that the [=authData/flags/UV=] bit of the <code>[=flags=]</code> in |authData| is set.
     Otherwise, ignore the value of the [=authData/flags/UV=] [=flag=].
 
+1. If the [=authData/flags/BE=] bit of the <code>[=flags=]</code> in |authData| is not set, verify that the [=authData/flags/BS=] bit is not set.
+
 1. If the credential [=backup state=] is used as part of [=[RP]=] business logic or policy,
     let |currentBe| and |currentBs| be the values of the [=authData/flags/BE=] and [=authData/flags/BS=] bits, respectively,
     of the <code>[=flags=]</code> in |authData|.