Add “appidExclude” extension.
This change adds a registration-only “appidExclude” extension that
allows platforms to make excludeCredentials effective when transitioning
from U2F.

It's a separate extension from “appid” because that extension was
documented in level one as being authentication-only and some
implementations thus reject it for registration. Also, having an
“appid” extension that's effective during registration invites people to
believe that it does the “obvious” thing and allows the creation of U2F
credentials, which isn't true.

Fixes #1235.
Adam Langley committed Jun 24, 2019
1 parent ee7b6e4 commit 62a7b3b
Showing 1 changed file with 39 additions and 0 deletions.
39 changes: 39 additions & 0 deletions index.bs
Expand Up @@ -4675,6 +4675,45 @@ Instead, in step three, the comparison on the host is relaxed to accept hosts on
: Authenticator extension output
:: None.

## FIDO AppID Exclusion Extension (appidExclude) ## {#sctn-appid-exclude-extension}

This registration extension allows [=[WRPS]=] to exclude authenticators which contain specified credentials that were created with FIDO APIs.

During a transition from legacy FIDO JavaScript APIs, a [=[RP]=] may have a population of users with legacy credentials already registered. The [appid](#sctn-appid-extension) extension allows the sign-in flow to be transitioned smoothly but, when transitioning the registration flow, the [excludeCredentials](#dom-publickeycredentialcreationoptions-excludecredentials) field will not be effective in excluding authenticators with legacy credentials because its contents are taken to be WebAuthn credentials. This extension directs [=client platforms=] to consider the contents of [excludeCredentials](#dom-publickeycredentialcreationoptions-excludecredentials) as both WebAuthn and legacy FIDO credentials.

: Extension identifier
:: `appidExclude`

: Operation applicability
:: [=registration extension|Registration=]

: Client extension input
:: A single USVString specifying a FIDO |AppID|.
<xmp class="idl">
partial dictionary AuthenticationExtensionsClientInputs {
USVString appidExclude;
};
</xmp>

: Client extension processing
:: 1. Let |facetId| be the result of passing the caller's [=origin=] to the FIDO algorithm for [=determining the FacetID of a calling application=].
1. Let |appId| be the extension input.
1. Pass |facetId| and |appId| to the FIDO algorithm for [=determining if a caller's FacetID is authorized for an AppID=]. If that algorithm rejects |appId| then return a "{{SecurityError}}" {{DOMException}}.
1. For each authenticator that supports the U2F protocol, if |excludeCredentialDescriptorList| is not empty then, before invoking [=authenticatorMakeCredential=], attempt to obtain a U2F assertion (without user-presence), for each element of |excludeCredentialDescriptorList|, using the SHA-256 hash of |appId| as the application parameter. If unsuccessful, continue with invoking [=authenticatorMakeCredential=]. Otherwise, cease normal processing of this authenticator and indicate in a platform-specific manner that the authenticator is inapplicable. For example, this could be in the form of UI, or could involve requesting user-consent from the authenticator and, upon receipt, treating it as if the authenticator had returned {{InvalidStateError}}.

Note: In practice, several implementations do not implement steps four and onward of the algorithm for [=determining if a caller's FacetID is authorized for an AppID=]. Instead, in step three, the comparison on the host is relaxed to accept hosts on the [=same site=].

: Client extension output
:: None.

: Authenticator extension input
:: None.

: Authenticator extension processing
:: None.

: Authenticator extension output
:: None.

## Simple Transaction Authorization Extension (txAuthSimple) ## {#sctn-simple-txauth-extension}
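Review bot: the last step of "Client extension processing" leaves its success condition ambiguous: it asks for a U2F assertion "for each element of |excludeCredentialDescriptorList|" and then says "If unsuccessful, continue", which can be read per element or across the whole list, and the intended behaviour (any one match excludes the authenticator) is only implied. Suggest making the loop explicit, e.g. "For each element of |excludeCredentialDescriptorList|, attempt to obtain a U2F assertion (without user presence) using the SHA-256 hash of |appId| as the application parameter. If any attempt succeeds, cease normal processing of this authenticator ...; otherwise continue with invoking [=authenticatorMakeCredential=]." The same step should also say which member of each descriptor is presented to the U2F authenticator as the key handle, and |excludeCredentialDescriptorList| itself is used without being introduced here (unlike |facetId| and |appId|, which steps 1 and 2 bind); a link to where the create() algorithm defines it from [excludeCredentials](#dom-publickeycredentialcreationoptions-excludecredentials) would close that gap.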

