From a36e38c8f3080c9f15bc304415607d231090117c Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Tue, 27 Jul 2021 18:07:10 +0200 Subject: [PATCH] Fix inconsistency in RP directions for credential transports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit §7.1. Registering a New Credential, step 23 reads "This value SHOULD NOT be modified", which conflicts with the definition of `getTransports()`: "The values SHOULD be members of AuthenticatorTransport but Relying Parties MUST ignore unknown values". --- index.bs | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/index.bs b/index.bs index e03c6dc95..a05445e61 100644 --- a/index.bs +++ b/index.bs @@ -2399,7 +2399,7 @@ during registration. :: This operation returns the {{COSEAlgorithmIdentifier}} of the new credential. See [[#sctn-public-key-easy]]. : \[[transports]] - :: This [=internal slot=] contains a sequence of zero or more unique {{DOMString}}s in lexicographical order. These values are the transports that the [=authenticator=] is believed to support, or an empty sequence if the information is unavailable. The values SHOULD be members of {{AuthenticatorTransport}} but [=[RPS]=] MUST ignore unknown values. + :: This [=internal slot=] contains a sequence of zero or more unique {{DOMString}}s in lexicographical order. These values are the transports that the [=authenticator=] is believed to support, or an empty sequence if the information is unavailable. The values SHOULD be members of {{AuthenticatorTransport}} but [=[RPS]=] SHOULD accept and store unknown values. #### Easily accessing credential data #### {#sctn-public-key-easy} 
@@ -4533,10 +4533,13 @@ In order to perform an [=authentication ceremony=], the [=[RP]=] MUST proceed as If |options|.{{PublicKeyCredentialRequestOptions/allowCredentials}} is present, the {{PublicKeyCredentialDescriptor/transports}} member of each [=list/item=] SHOULD be set to - the value returned by + the value that was returned by |credential|.{{PublicKeyCredential/response}}.{{AuthenticatorAttestationResponse/getTransports()}} when the corresponding credential was registered. + Note: Modifying or removing [=list/items=] from values returned from {{AuthenticatorAttestationResponse/getTransports()}} + could negatively impact user experience, or even prevent use of the corresponding credentials. + 1. Call {{CredentialsContainer/get()|navigator.credentials.get()}} and pass |options| as the {{CredentialRequestOptions/publicKey}} option. Let |credential| be the result of the successfully resolved promise.
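Review bot: In the first hunk (the `\[[transports]]` internal slot, index.bs around line 2399), the new wording "SHOULD accept and store unknown values" downgrades the requirement from MUST to SHOULD and stops at storage, so it does not say that the stored sequence is later passed back unmodified. Consider tying it to the authentication step, for example "SHOULD accept and store unknown values, and return them unmodified in `allowCredentials`", so that the slot text and the ceremony text state the same rule. Since unknown values are arbitrary client-supplied {{DOMString}}s that the RP is now told to persist, a short remark that RPs may bound their number and length before storing would also help implementers. The commit message attributes the old "MUST ignore unknown values" sentence to the definition of `getTransports()`, while this hunk edits the slot description; please confirm the sentence does not appear a second time elsewhere in index.bs, because the diffstat shows only this one occurrence changed.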
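Review bot: In the second hunk (the authentication ceremony, index.bs around line 4533), the added Note's phrase "Modifying or removing [=list/items=] from values returned from" is hard to parse, since "modifying ... from" does not read and "values returned from" leaves it unclear whether the items or the whole sequence is meant. Suggest something like "Modifying the value returned by getTransports(), or removing [=list/items=] from it, could negatively impact user experience, or even prevent use of the corresponding credentials." Also note that the commit message locates the conflict in §7.1 step 23 (registration), which this patch leaves untouched, while the Note is added to the authentication procedure; a cross-reference from the Note to the registration step where the value is stored would make clear that both steps refer to the same unmodified sequence.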