Draft improved guidance for using appid extension

index.bs

@@ -4558,6 +4558,16 @@ FIDO APIs use an alternative identifier for [=[RPS]=] called an |AppID|
 that identifier. Without this extension, they would need to be re-registered in
 order to be [=scoped=] to an [=RP ID=].
 
+In order to use U2F credentials in WebAuthn, in addition to setting the [=appid=] extension
+the [=[RP]=] MUST also list the desired U2F credentials
+in the <code>{{PublicKeyCredentialRequestOptions/allowCredentials}}</code> option
+of the {{CredentialsContainer/get()}} method.
+For U2F credentials, the {{PublicKeyCredentialDescriptor/type}} MUST be set to {{PublicKeyCredentialType/public-key}}
+and the {{PublicKeyCredentialDescriptor/id}} MUST be set to the U2F key handle of the credential.
+The [=authentication ceremony=] then proceeds as normal,
+with the exception that when [verifying the assertion](#sctn-verifying-assertion),
+the [=[RP]=] MUST accept that the <code>[=rpIdHash=]</code> MAY be the hash of the |AppID| instead of the [=RP ID=].
+
 This extension does not allow FIDO-compatible credentials to be created. Thus,
 credentials created with WebAuthn are not backwards compatible with the FIDO
 JavaScript APIs.