diff --git a/index.bs b/index.bs
index e8963fe14..dca0018ce 100644
--- a/index.bs
+++ b/index.bs
@@ -1542,27 +1542,47 @@ When this operation is invoked, the authenticator must perform the following pro
so, return an error code equivalent to "{{NotAllowedError}}" and terminate the operation.
- If the |requireResidentKey| flag is set to |true| and the authenticator cannot store a [=Client-side-resident Credential
Private Key=], return an error code equivalent to "{{ConstraintError}}" and terminate the operation.
-- Prompt the user for consent to create a new credential. The prompt for obtaining this consent is shown by the authenticator
- if it has its own output capability, or by the user agent otherwise. If the user denies consent, return an error code
- equivalent to "{{NotAllowedError}}" and terminate the operation.
-- Once user consent has been obtained, generate a new credential object:
- - Generate a set of cryptographic keys using the most preferred combination of {{PublicKeyCredentialType}} and cryptographic
- parameters supported by this authenticator.
- - Generate an identifier for this credential, such that this identifier is globally unique with high probability across all
- credentials with the same type across all authenticators.
- - Associate the credential with the specified [=RP ID=] and the user's account identifier
- {{MakeCredentialOptions/user}}.{{PublicKeyCredentialEntity/id}}.
- - Delete any older credentials with the same [=RP ID=] and {{MakeCredentialOptions/user}}.{{PublicKeyCredentialEntity/id}}
- that are stored locally by the [=authenticator=].
-- If any error occurred while creating the new credential object, return an error code equivalent to "{{UnknownError}}" and
- terminate the operation.
-- Process all the supported extensions requested by the client, and generate the [=authenticator data=] with
- [=attestation data=] as specified in [[#sec-authenticator-data]]. Use this [=authenticator data=] and the
- [=hash of the serialized client data=] to create an [=attestation object=] for the new credential using the procedure
- specified in [[#generating-an-attestation-object]]. For more details on attestation, see [[#sctn-attestation]].
-
-On successful completion of this operation, the authenticator returns the [=attestation object=] to the client.
+- The [=authenticator=] must perform the following procedure depending on the PublicKeyCredentialType of the preferred combination of {{PublicKeyCredentialType}} and cryptographic parameters supported by this authenticator:
+
+ - "public-key"
+ -
+ - Prompt the user for consent to create a new credential. The prompt for obtaining this consent is shown by the authenticator
+ if it has its own output capability, or by the user agent otherwise. If the user denies consent, return an error code
+ equivalent to "{{NotAllowedError}}" and terminate the operation.
+ - Once user consent has been obtained, generate a new credential object:
+ - Generate a set of cryptographic keys using the most preferred combination of {{PublicKeyCredentialType}} and cryptographic
+ parameters supported by this authenticator.
+ - Generate an identifier for this credential, such that this identifier is globally unique with high probability across all
+ credentials with the same type across all authenticators.
+ - Associate the credential with the specified [=RP ID=] and the user's account identifier
+ {{MakeCredentialOptions/user}}.{{PublicKeyCredentialEntity/id}}.
+ - Delete any older credentials with the same [=RP ID=] and {{MakeCredentialOptions/user}}.{{PublicKeyCredentialEntity/id}}
+ that are stored locally by the [=authenticator=].
+ - If any error occurred while creating the new credential object, return an error code equivalent to "{{UnknownError}}" and
+ terminate the operation.
+ - Process all the supported extensions requested by the client, and generate the [=authenticator data=] with
+ [=attestation data=] as specified in [[#sec-authenticator-data]]. Use this [=authenticator data=] and the
+ [=hash of the serialized client data=] to create an [=attestation object=] for the new credential using the procedure
+ specified in [[#generating-an-attestation-object]]. For more details on attestation, see [[#sctn-attestation]].
+
+ - On successful completion of this operation, the authenticator returns the [=attestation object=] to the client.
+
+
+ - "public-key-uaf"
+ -
+ - Follow the procedure as specified in [[FIDO-UAF-Authenticator-Commands]] section 6.2. Using
+ * The caller's RP ID as "AppID"
+ * The [=hash of the serialized client data=] as "Final Challenge Hash".
+ * The {{MakeCredentialOptions/user}}.{{PublicKeyCredentialUserEntity/displayName}} as "Username".
+ * Provide TAG_ATTESTATION_BASIC_FULL (0x3E07) as "Attestation Type".
+ * Provide a "KHAccessToken" as described in section 6.1. in [[FIDO-UAF-ASM]].
+ * Provide no "UserVerificationToken".
+ - On successful completion of this operation, the authenticator returns the registration assertion as [=attestation object=] to the client.
+
+
+
+
### The authenticatorGetAssertion operation ### {#op-get-assertion}
@@ -1583,14 +1603,15 @@ of the PublicKeyCredentialType of any related [=credential=]):
determined by an exact match of the [=RP ID=]).
- If the previous step resulted in an empty list, return an error code equivalent to "{{NotAllowedError}}" and terminate the
operation.
-- Prompt the user to select a [=public key credential|credential=] from among the above list. Obtain [=user consent=] for using
- this [=public key credential|credential=]. The prompt for obtaining this [=user consent|consent=] may be shown by the
- [=authenticator=] if it has its own output capability, or by the user agent otherwise.
+- Prompt the user to select a [=public key credential|credential=] from among the above list.
- The [=authenticator=] must perform the following procedure depending on the PublicKeyCredentialType of the [=credential=]:
- "public-key"
-
+ - Obtain [=user consent=] for using
+ this [=public key credential|credential=]. The prompt for obtaining this [=user consent|consent=] may be shown by the
+ [=authenticator=] if it has its own output capability, or by the user agent otherwise.
- Process all the supported extensions requested by the client, and generate the [=authenticator data=] as specified in
[[#sec-authenticator-data]], though without [=attestation data=]. Concatenate this [=authenticator data=] with the [=hash of
the serialized client data=] to generate an [=assertion signature=] using the [=credential private key|private key=] of the