From 8a4e92ba2b059f366059ba62cecfb576aa0fc757 Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Tue, 4 Jun 2019 14:22:14 +0200 Subject: [PATCH] Draft improved guidance for using appid extension --- index.bs | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/index.bs b/index.bs index 32159ab47..592953be3 100644 --- a/index.bs +++ b/index.bs @@ -4558,6 +4558,16 @@ FIDO APIs use an alternative identifier for [=[RPS]=] called an |AppID| that identifier. Without this extension, they would need to be re-registered in order to be [=scoped=] to an [=RP ID=]. +In order to use U2F credentials in WebAuthn, in addition to setting the [=appid=] extension +the [=[RP]=] MUST also list the desired U2F credentials +in the {{PublicKeyCredentialRequestOptions/allowCredentials}} option +of the {{CredentialsContainer/get()}} method. +For U2F credentials, the {{PublicKeyCredentialDescriptor/type}} MUST be set to {{PublicKeyCredentialType/public-key}} +and the {{PublicKeyCredentialDescriptor/id}} MUST be set to the U2F key handle of the credential. +The [=authentication ceremony=] then proceeds as normal, +with the exception that when [verifying the assertion](#sctn-verifying-assertion), +the [=[RP]=] MUST accept that the [=rpIdHash=] MAY be the hash of the |AppID| instead of the [=RP ID=]. + This extension does not allow FIDO-compatible credentials to be created. Thus, credentials created with WebAuthn are not backwards compatible with the FIDO JavaScript APIs.
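Review bot: the last added sentence ("the [=[RP]=] MUST accept that the [=rpIdHash=] MAY be the hash of the |AppID| instead of the [=RP ID=]") loosens the rpIdHash check unconditionally, and mixes MUST and MAY in a way that leaves it unclear what the RP is actually required to verify. As written, an RP that follows it will accept either hash for every assertion, including assertions from credentials that were never registered under the AppID. Suggest tying the exception to the extension: the RP should accept the SHA-256 hash of the |AppID| as the rpIdHash only when it requested the appid extension for that ceremony and the client extension output indicates the extension was acted upon, and should otherwise require the hash of the RP ID as in the normal verification procedure. A wording along the lines of "the [=[RP]=] MUST verify that [=rpIdHash=] is the SHA-256 hash of either the [=RP ID=] or, if the appid extension was used, the |AppID|" would make the requirement testable. Two smaller points in the same hunk: {{PublicKeyCredentialDescriptor/id}} is a BufferSource, whereas the U2F JavaScript API exposes key handles as base64url strings, so the text should say the id is the decoded (raw) key handle bytes; and {{PublicKeyCredentialRequestOptions/allowCredentials}} is a member of the options dictionary passed to {{CredentialsContainer/get()}} rather than an option of the method itself, which is worth stating precisely since the paragraph is normative.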