
Commit

Merge branch 'main' into jeffh-fix-1658-device-bound-key-extension
equalsJeffH committed Aug 17, 2021
2 parents 4ebd028 + bcae314 commit 4f18790
Showing 1 changed file with 11 additions and 15 deletions.
26 changes: 11 additions & 15 deletions index.bs
@@ -1618,8 +1618,6 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
:: The inverse of the value of the
{{PublicKeyCredential/[[Create]](origin, options, sameOriginWithAncestors)/sameOriginWithAncestors}}
argument passed to this [=internal method=].
: {{CollectedClientData/tokenBinding}}
:: The status of [=Token Binding=] between the client and the |callerOrigin|, as well as the [=Token Binding ID=] associated with |callerOrigin|, if one is available.

1. Let |clientDataJSON| be the [=JSON-compatible serialization of client data=] constructed from |collectedClientData|.

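Review bot: removing the tokenBinding entry from the collectedClientData construction is consistent with marking the member RESERVED, but the algorithm now says nothing about the member at all, so a client that still implements Token Binding has no instruction to leave it out; a short sentence after the crossOrigin entry stating that tokenBinding is not populated would make the intent explicit. Whatever wording is chosen should be mirrored in the [[DiscoverFromExternalSource]] copy of this list below.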
@@ -2049,8 +2047,6 @@ When this method is invoked, the user agent MUST execute the following algorithm
:: The inverse of the value of the
{{PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)/sameOriginWithAncestors}}
argument passed to this [=internal method=].
: {{CollectedClientData/tokenBinding}}
:: The status of [=Token Binding=] between the client and the |callerOrigin|, as well as the [=Token Binding ID=] associated with |callerOrigin|, if one is available.

1. Let |clientDataJSON| be the [=JSON-compatible serialization of client data=] constructed from |collectedClientData|.

@@ -2409,7 +2405,7 @@ during registration.
:: This operation returns the {{COSEAlgorithmIdentifier}} of the new credential. See [[#sctn-public-key-easy]].

: <dfn>\[[transports]]</dfn>
:: This [=internal slot=] contains a sequence of zero or more unique {{DOMString}}s in lexicographical order. These values are the transports that the [=authenticator=] is believed to support, or an empty sequence if the information is unavailable. The values SHOULD be members of {{AuthenticatorTransport}} but [=[RPS]=] MUST ignore unknown values.
:: This [=internal slot=] contains a sequence of zero or more unique {{DOMString}}s in lexicographical order. These values are the transports that the [=authenticator=] is believed to support, or an empty sequence if the information is unavailable. The values SHOULD be members of {{AuthenticatorTransport}} but [=[RPS]=] SHOULD accept and store unknown values.
</div>

#### Easily accessing credential data #### {#sctn-public-key-easy}
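Review bot: changing "MUST ignore unknown values" to "SHOULD accept and store unknown values" reverses the RP's required behaviour, so the commit should say why (presumably so the values can be handed back later in allowCredentials transports); as written, an RP that keeps ignoring them is still conformant under a SHOULD, which may not be what is intended. Since these strings arrive from the client at registration, "store" also deserves a bound: the slot is already restricted to unique values in lexicographical order, but an RP persisting them verbatim should cap the number and length of entries it keeps, and a note to that effect belongs next to this sentence.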
@@ -2973,8 +2969,7 @@ Note: The {{CollectedClientData}} may be extended in the future. Therefore it's
required DOMString type;
required DOMString challenge;
required DOMString origin;
boolean crossOrigin;
TokenBinding tokenBinding;
boolean crossOrigin;
};

dictionary TokenBinding {
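Review bot: `TokenBinding tokenBinding;` is removed from CollectedClientData but `dictionary TokenBinding {` immediately below is kept, leaving an IDL dictionary that no remaining member references; either remove it in the same change or add a comment saying it is retained only to document the reserved member. The `boolean crossOrigin;` line is deleted and re-added unchanged, which is just reordering noise in the diff.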
@@ -3000,12 +2995,14 @@ Note: The {{CollectedClientData}} may be extended in the future. Therefore it's
the syntax defined by [[!RFC6454]].

: <dfn>crossOrigin</dfn>
:: This member contains the inverse of the `sameOriginWithAncestors` argument value
:: This OPTIONAL member contains the inverse of the `sameOriginWithAncestors` argument value
that was passed into the [=internal method=].

: <dfn>tokenBinding</dfn>
: \[RESERVED] <dfn dfn>tokenBinding</dfn>
:: This OPTIONAL member contains information about the state of the [=Token Binding=] protocol [[!TokenBinding]] used when communicating
with the [=[RP]=]. Its absence indicates that the client doesn't support token binding.
with the [=[RP]=]. Its absence indicates that the client doesn't support token binding

Note: While [=Token Binding=] was present in Level 1 and Level 2 of WebAuthn, its use is not expected in Level 3. The {{CollectedClientData/tokenBinding}} field is reserved so that it will not be reused for a different purpose.

<div dfn-type="dict-member" dfn-for="TokenBinding">
: <dfn>status</dfn>
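Review bot: the rewritten definition line drops the terminating period that the removed line had ("doesn't support token binding" now ends without one); restore it. Also check that the `dfn` boolean attribute in `\[RESERVED] <dfn dfn>tokenBinding</dfn>` is intended rather than a leftover: the neighbouring definitions use a bare `<dfn>`, and the new Note two lines down still autolinks {{CollectedClientData/tokenBinding}}, so the definition must keep resolving as a CollectedClientData member. Finally, "Its absence indicates that the client doesn't support token binding" sits oddly beside a RESERVED member whose absence is now the expected case; consider saying that clients no longer populate it.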
@@ -4439,8 +4436,6 @@ In order to perform a [=registration ceremony=], the [=[RP]=] MUST proceed as fo

1. Verify that the value of <code>|C|.{{CollectedClientData/origin}}</code> matches the [=[RP]=]'s [=origin=].

1. Verify that the value of <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/status}}</code> matches the state of [=Token Binding=] for the TLS connection over which the [=assertion=] was obtained. If [=Token Binding=] was used on that TLS connection, also verify that <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/id}}</code> matches the [=base64url encoding=] of the [=Token Binding ID=] for the connection.

1. Let |hash| be the result of computing a hash over <code>|response|.{{AuthenticatorResponse/clientDataJSON}}</code> using SHA-256.

1. Perform CBOR decoding on the {{AuthenticatorAttestationResponse/attestationObject}} field of the
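Review bot: dropping this verification step leaves the registration ceremony with no guidance for a |C| that still carries a tokenBinding member from an older client; an explicit step saying the RP ignores it (rather than failing on an unexpected member) would avoid divergent RP behaviour, or the Note in the CollectedClientData section should be cross-referenced here. Incidentally, the removed text said "over which the [=assertion=] was obtained" in the registration ceremony, where an attestation is what is obtained, so the removal also retires a copy/paste slip.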
@@ -4543,10 +4538,13 @@ In order to perform an [=authentication ceremony=], the [=[RP]=] MUST proceed as

If <code>|options|.{{PublicKeyCredentialRequestOptions/allowCredentials}}</code> is present,
the {{PublicKeyCredentialDescriptor/transports}} member of each [=list/item=] SHOULD be set to
the value returned by
the value that was returned by
<code>|credential|.{{PublicKeyCredential/response}}.{{AuthenticatorAttestationResponse/getTransports()}}</code>
when the corresponding credential was registered.

Note: Modifying or removing [=list/items=] from values returned from {{AuthenticatorAttestationResponse/getTransports()}}
could negatively impact user experience, or even prevent use of the corresponding credentials.

1. Call {{CredentialsContainer/get()|navigator.credentials.get()}} and pass |options|
as the <code>{{CredentialRequestOptions/publicKey}}</code> option.
Let |credential| be the result of the successfully resolved promise.
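Review bot: the new Note should say what RPs are expected to do instead, i.e. pass the stored value through unmodified, and point at the [[transports]] slot wording that now asks RPs to accept and store unknown values, since the Note depends on that behaviour. Minor: "from values returned from getTransports()" reads better as "from the value returned by getTransports()"; the "that was returned by" edit on the preceding line is fine.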
@@ -4603,8 +4601,6 @@ In order to perform an [=authentication ceremony=], the [=[RP]=] MUST proceed as

1. Verify that the value of <code>|C|.{{CollectedClientData/origin}}</code> matches the [=[RP]=]'s [=origin=].

1. Verify that the value of <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/status}}</code> matches the state of [=Token Binding=] for the TLS connection over which the attestation was obtained. If [=Token Binding=] was used on that TLS connection, also verify that <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/id}}</code> matches the [=base64url encoding=] of the [=Token Binding ID=] for the connection.

<!-- Note: this next step is actually a top-level step, but bikeshed wanted it indented this much in order to render it as
a numbered step. If outdented, it (today) is rendered as a bullet in the midst of a numbered list :-/
-->
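Review bot: consistent with the registration-ceremony removal, and the same question applies here: what an RP does with a tokenBinding member it still receives during authentication should be stated once and referenced from both ceremonies rather than left implicit. The removed step referred to "the attestation" in the authentication ceremony, where an assertion is obtained, mirroring the swapped term in the registration hunk, so nothing of value is lost by deleting it.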

0 comments on commit 4f18790
