moved AAGUID into packed attestation core. Removed AAGUID extension. C…

…lose #132

index.bs

@@ -1016,6 +1016,14 @@ extensions. The first bytes before the extensions have a fixed layout as follows
             0xF1D0, fixed big-endian TAG to make sure this object won't be confused with other (non-WebAuthn) binary objects.
         </td>
     </tr>
+    <tr>
+        <td>2</td>
+        <td>Byte length l of AAGUID</td>
+    </tr>
+    <tr>
+        <td>(length)</td>
+        <td>AAGUID (l bytes)</td>
+    </tr>
     <tr>
         <td>1</td>
         <td>
@@ -1088,6 +1096,20 @@ extensions. The first bytes before the extensions have a fixed layout as follows
 The `TUP` flag SHALL be set if and only if the <a>authenticator</a> detected a user through an authenticator-specific gesture.
 The `RFU` bits in the flags byte SHALL be cleared (i.e., zeroed).
 
+<div class='note'>
+ Note: The authenticator model (identified by the AAGUID) can be derived from
+  - here, or
+  - from the attestation certificate (if we have an authenticator specific or authenticator model specific attestation
+    certificate), or
+  - from the claimed AAGUID in the client encoded attestation statement (if there is one attestation root certificate
+    per authenticator model).
+
+  In the case of DAA there is no need for an X.509 attestation certificate hierarchy. Instead the trust anchor being
+  known to the [RP] is the DAA root key (i.e., ECPoint2 X, Y).  This root key must be dedicated to a single
+  authenticator model.
+</div>
+
+
 If the authenticator does not wish to add extensions, it MUST clear the `ED` flag in the third byte.
 
 
@@ -1386,7 +1408,7 @@ Certificate). It is also recommended that for each WebAuthn Authenticator device
 used to help facilitate isolating problems with a specific version of a device.
 
 If the attestation root certificate is not dedicated to a single WebAuthn Authenticator device line (i.e., AAGUID), the AAGUID
-must be specified either in the attestation certificate itself or as an extension in the `rawData`.
+must be specified either in the attestation certificate itself or it must be specified in `rawData`.
 
 
 # WebAuthn Extensions # {#extensions}
@@ -1654,42 +1676,6 @@ credential. It is intended primarily for [RPS] that wish to tightly control the
 :: None.
 
 
-## AAGUID Extension ## {#aaguid-extension}
-
-: Extension identifier
-:: `webauthn.aaguid`
-
-: Client argument
-:: The Boolean value `true` to indicate that this extension is requested by the [RP].
-
-: Client processing
-:: None, except default forwarding of client argument to authenticator argument.
-
-: Authenticator argument
-:: The Boolean value `true`, encoded in CBOR (major type 7, value 21).
-
-: Authenticator processing
-:: The <a>authenticator</a> adds its AAGUID to the authenticator data, as defined below. This extension can be added to
-    attestation statements and assertions.
-
-: Authenticator data
-:: A 128-bit Authenticator Attestation GUID encoded as a CBOR byte string (major type 2). This AAGUID is used to identify the
-    Authenticator model (Authenticator Attestation GUID).
-
-    <div class='note'>
-        Note: The authenticator model (identified by the AAGUID) can be derived from
-            - here, or
-            - from the attestation certificate (if we have an authenticator specific or authenticator model specific attestation
-                certificate), or
-            - from the claimed AAGUID in the client encoded attestation statement (if we have one attestation root certificate
-                per authenticator model).
-
-            In the case of DAA there is no need for an X.509 attestation certificate hierarchy. Instead the trust anchor being
-            known to the [RP] is the DAA root key (i.e., ECPoint2 X, Y).  This root key must be dedicated to a single
-            authenticator model.
-    </div>
-
-
 ## SupportedExtensions Extension ## {#supported-extensions-extension}
 
 : Extension identifier