Add attachment to authenticator selection

index.bs

@@ -564,11 +564,13 @@ When this method is invoked, the user agent MUST execute the following algorithm
 1. For each [=authenticator=] currently available on this platform, process each option in 
     |options|.{{MakeCredentialOptions/authenticatorSelection}} by checking if the [=authenticator=] is satisfies the 
     requirement of the option. 
-        1. If |requireResidentKey| is set to |true|, check if the 
-            |authenticator| is capable of storing [=Client-Side-Resident Credential Private Key=]. If not, return a 
-            {{DOMException}} whose name is "{{QuotaExceededError}}".
-        1. If the [=authenticator=] is capable of all criterias as listed in |options|.{{MakeCredentialOptions/authenticatorSelection}}, 
-            [=set/append=] [=authenticator=] to |currentlyAvailableAuthenticators|. 
+        1. Check if |attachment| is [=present|not present=] or its value matches
+            |authenticator|'s attachment modality, [=continue=].
+        1. If |requireResidentKey| is set to |true|, check if the |authenticator| is capable of storing 
+            [=Client-Side-Resident Credential Private Key=]. If so, [=continue=]. If not, return a {{DOMException}} whose name
+            is "{{QuotaExceededError}}".
+        1. If the [=authenticator=] is capable of all criterias as listed above, [=set/append=] [=authenticator=] to 
+            |currentlyAvailableAuthenticators|. 
         1. If there is no [=authenticator=] that satisfies the criterias listed in 
             |options|.{{MakeCredentialOptions/authenticatorSelection}}, return a {{DOMException}} whose name is 
             "{{ConstraintError}}", and terminate the algorithm.
@@ -893,7 +895,6 @@ optionally evidence of [=user consent=] to a specific transaction.
         unsigned long                        timeout;
         sequence<ScopedCredentialDescriptor> excludeList;
         AuthenticatorSelectionCriteria       authenticatorSelection;
-        Attachment                           attachment;
         AuthenticationExtensions             extensions;
     };
 </xmp>
@@ -937,11 +938,6 @@ optionally evidence of [=user consent=] to a specific transaction.
         account on a single authenticator. The platform is requested to return an error if the new credential would be created
         on an authenticator that also contains one of the credentials enumerated in this parameter.
 
-    :   <dfn>attachment</dfn>
-    ::  This member contains authenticator attachment descriptions, which are used as an additional constraint on which
-        authenticators are eligible to participate in a {{CredentialsContainer/create()}} or {{CredentialsContainer/get()}}
-        operation. See [[#attachment]] for a description of the attachment values and their meanings.
-
     :   <dfn>authenticatorSelection</dfn>
     ::  This member is intended for use by [=[RPS]=] that wish to select the appropriate authenticators to participate in 
         the {{CredentialsContainer/create()}} or {{CredentialsContainer/get()}} operation based on their unique needs. 
@@ -988,11 +984,17 @@ authenticator
 
 <xmp class="idl">
     dictionary AuthenticatorSelectionCriteria {
-        boolean   requireResidentKey;
+        Attachment    attachment;
+        boolean       requireResidentKey;
     };
 </xmp>
 
 <div dfn-type="dict-member" dfn-for="AuthenticatorSelectionCriteria">
+    :   <dfn>attachment</dfn>
+    ::  This member contains authenticator attachment descriptions, which are used as an additional constraint on which
+        authenticators are eligible to participate in a {{CredentialsContainer/create()}} or {{CredentialsContainer/get()}}
+        operation. See [[#attachment]] for a description of the attachment values and their meanings.
+
     :   <dfn>requireResidentKey</dfn>
     ::  This member describes the [=[RPS]=]' requirements regarding availability of the [=Client-side-resident Credential 
         Private Key=]. If the parameter is set to <a>true</a>, the authenticator SHOULD create a