added keyProtection to AuthenticatorSelectionCriteria. See #446

index.bs

@@ -1058,6 +1058,7 @@ associated.
         Attachment    attachment;
         boolean       requireResidentKey = false;
         sequence<AAGUID> aaguidList;
+        KeyProtection keyProtection;
     };
 </xmp>
 
@@ -1076,6 +1077,10 @@ associated.
         one AAGUID entry [[#aaguid]] included in the list.  Each AAGUID entry corresponds to an authenticator model that is 
         acceptable to the [RP] for this credential creation. The list is ordered by decreasing preference.
 
+    : <dfn>keyProtection</dfn>
+    ::  If this member is [=present|present=], eligible authenticators are filtered to the ones identified by matching
+        the keyProtection method as indicated.
+
 </div>
 
 ### AAGUID (typedef <dfn>AAGUID</dfn>) ### {#aaguid}
@@ -1120,6 +1125,15 @@ a minimum of friction, e.g., the user will not have to dig around in their pocke
 example of the latter, when the user is accessing the [RP] from a given client for the first time, they may be required to
 use a [=roaming authenticator=] which was originally registered with the [RP] using a different client.
 
+### Key Protection enumeration (enum <dfn enum>KeyProtection</dfn>) ### {#key-protection}
+
+<pre class="idl">
+    enum KeyProtection {
+       "SW",   // key protected by Rich-OS software
+       "HW",   // key protected by hardware, i.e. either TEE or SE.
+       "TEE",  // key protected by a Trusted-Execution-Environment
+       "SE"};  // key protected by a Secure Element
+</pre>
 
 ## Options for Assertion Generation (dictionary <dfn dictionary>PublicKeyCredentialRequestOptions</dfn>) ## {#assertion-options}