From 7d6abe2b2c52695b8cdeb5083a0c0fc1af1a2bd7 Mon Sep 17 00:00:00 2001 From: Nick Steele Date: Mon, 29 Jun 2020 14:51:01 -0400 Subject: [PATCH] Clarify How Client Data is Sent to Authenticator (#1443) * Clarify How Client Data is Sent to Authenticator In #1442 some questions were brought up about the format in which the client data is sent to the authenticator, hopefully this will clarify it somewhat? * Fix linking error Co-authored-by: Emil Lundberg * Update with Jeff's suggestions Co-authored-by: =JeffH * Update 5.1.3 and 5.1.4 with proper references * editorial: add code tag Co-authored-by: Emil Lundberg * editorial: add code tag Co-authored-by: Emil Lundberg Co-authored-by: Emil Lundberg Co-authored-by: =JeffH --- index.bs | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/index.bs b/index.bs index e99c992ac..541a87255 100644 --- a/index.bs +++ b/index.bs @@ -1807,7 +1807,7 @@ a numbered step. If outdented, it (today) is rendered either as a bullet in the :: whose value is an {{AuthenticationExtensionsClientOutputs}} object containing [=extension identifier=] → [=client extension output=] entries. The entries are created by running each extension's [=client extension processing=] algorithm to create the [=client extension outputs=], for each - [=client extension=] in {{AuthenticatorResponse/clientDataJSON}}.clientExtensions. + [=client extension=] in |options|.{{PublicKeyCredentialCreationOptions/extensions}}. 1. Let |constructCredentialAlg| be an algorithm that takes a [=global object=] 
@@ -2201,7 +2201,7 @@ When this method is invoked, the user agent MUST execute the following algorithm :: whose value is an {{AuthenticationExtensionsClientOutputs}} object containing [=extension identifier=] → [=client extension output=] entries. The entries are created by running each extension's [=client extension processing=] algorithm to create the [=client extension outputs=], for each - [=client extension=] in {{AuthenticatorResponse/clientDataJSON}}.clientExtensions. + [=client extension=] in |options|.{{PublicKeyCredentialRequestOptions/extensions}}. 1. Let |constructAssertionAlg| be an algorithm that takes a [=global object=] |global|, and whose steps are: @@ -2329,8 +2329,9 @@ Note: Invoking this method from a [=browsing context=] where the [=Web Authentic
: clientDataJSON - :: This attribute contains a [[#clientdatajson-serialization|JSON-compatible serialization]] of the [=client data=] passed to the - authenticator by the client in its call to either {{CredentialsContainer/create()}} or {{CredentialsContainer/get()}}. + :: This attribute contains a [[#clientdatajson-serialization|JSON-compatible serialization]] of the [=client data=], the [=hash of the serialized client data|hash of which=] is passed to the + authenticator by the client in its call to either {{CredentialsContainer/create()}} or {{CredentialsContainer/get()}} (i.e., the + [=client data=] itself is not sent to the authenticator).
### Information About Public Key Credential (interface AuthenticatorAttestationResponse) ### {#iface-authenticatorattestationresponse}
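Review bot: In the @@ -1807 and @@ -2201 hunks, the new "for each [=client extension=] in |options|.{{PublicKeyCredentialCreationOptions/extensions}}" wording (and its {{PublicKeyCredentialRequestOptions/extensions}} twin) does not say what the {{AuthenticationExtensionsClientOutputs}} object contains when the extensions member is not present in |options|. Suggest stating the empty case in the same sentence, or pointing at an earlier step that already handles it, and keeping the create() and get() sentences word-for-word identical apart from the dictionary name so the two references stay in sync.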
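Review bot: In the clientDataJSON definition (@@ -2329 hunk), the added text keeps "in its call to either create() or get()" attached to the client passing the hash to the authenticator, so the sentence can be read as saying the hash is handed over in the create()/get() call itself. Suggest splitting it in two: one sentence saying the attribute contains the JSON-compatible serialization of the [=client data=], and a second saying that only the [=hash of the serialized client data=] is passed to the authenticator, with the "(i.e., the [=client data=] itself is not sent to the authenticator)" parenthetical promoted to its own sentence or a Note. The link text "hash of which" is also an awkward anchor for that term; using the term's own wording would make the reference easier to follow.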