diff --git a/index.bs b/index.bs
index aeedc5d98..c0e7b8cf5 100644
--- a/index.bs
+++ b/index.bs
@@ -864,7 +864,7 @@ below and in [[#index-defined-elsewhere]].
as defined in [[!FIDO-CTAP]].
: CDDL
-:: This specification describes the syntax of all [=CBOR=]-encoded data using the CBOR Data Definition Language (CDDL) [[!RFC8610]].
+:: This specification describes the syntax of all [=CBOR=]-encoded data using the CBOR Data Definition Language (CDDL) [[!RFC8610]].
: COSE
:: CBOR Object Signing and Encryption (COSE) [[!RFC8152]]. The IANA COSE Algorithms registry established by this specification is also used.
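Review bot: the removed and added `:: This specification describes the syntax of all [=CBOR=]-encoded data ...` lines under `: CDDL` read identically, so this appears to be a whitespace-only change. Consider moving it to a separate cleanup commit so this patch carries only the CDDL type additions.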
@@ -2882,6 +2882,28 @@ This is a dictionary containing the [=client extension input=] values for zero o
This is a dictionary containing the [=client extension output=] values for zero or more [=WebAuthn Extensions=].
+### Authentication Extensions Authenticator Inputs (CDDL type `extensionInputs`) ### {#iface-authentication-extensions-authenticator-inputs}
+
+```
+extensionInputs = { * $$extensionInput .within ( tstr => any ) }
+```
+
+The [=CDDL=] type `extensionInputs` defines a [=CBOR=] map
+containing the [=authenticator extension input=] values for zero or more [=WebAuthn Extensions=].
+
+This type is not exposed to the [=[RP]=], but is used by the [=client=] and [=authenticator=].
+
+
+### Authentication Extensions Authenticator Outputs (CDDL type `extensionOutputs`) ### {#iface-authentication-extensions-authenticator-outputs}
+
+```
+extensionOutputs = { * $$extensionOutput .within ( tstr => any ) }
+```
+
+The [=CDDL=] type `extensionOutputs` defines a [=CBOR=] map
+containing the [=authenticator extension output=] values for zero or more [=WebAuthn Extensions=].
+
+
## Supporting Data Structures ## {#sctn-supporting-data-structures}
The [=public key credential=] type uses certain data structures that are specified in supporting specifications. These are as
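Review bot: the `extensionOutputs` section has no counterpart to the `extensionInputs` sentence "This type is not exposed to the [=[RP]=], but is used by the [=client=] and [=authenticator=]." State explicitly which parties produce and consume `extensionOutputs`, so readers do not have to infer it from the inputs section. Both new section ids also use the `iface-` prefix although the headings describe CDDL types; since later text in this patch links to these ids, settle on a prefix that matches what they are before the links spread.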
@@ -5248,6 +5270,27 @@ input=]. For extensions that do not require input parameters and are defined as
value set to [TRUE], this method SHOULD consist of passing an [=authenticator extension input=] value of [TRUE] (CBOR major type
7, value 21).
+Extensions that have authenticator processing MUST define extensions for the [=CDDL=] types
+[[#iface-authentication-extensions-authenticator-inputs|extensionInputs]]
+and [[#iface-authentication-extensions-authenticator-outputs|extensionOutputs]]
+by defining an additional choice for the `$$extensionInput` and `$$extensionOutput` groups.
+If an extension does not require any parameters from the [=[RP]=],
+it SHOULD be defined as taking the Boolean value [TRUE] as its [=authenticator extension input=]
+to signify that the extension is requested by the [=[RP]=].
+
+The following example defines that an extension with [=extension identifier|identifier=] `webauthnExample_foobar`
+takes an unsigned integer as [=authenticator extension input=],
+and returns an array of at least one byte string as [=authenticator extension output=]:
+
+
+ $$extensionInput //= ( + webauthnExample_foobar: uint + ) + $$extensionOutput //= ( + webauthnExample_foobar: [+ bytes] + ) ++ Note: Extensions should aim to define authenticator arguments that are as small as possible. Some authenticators communicate over low-bandwidth links such as Bluetooth Low-Energy or NFC. @@ -5501,6 +5544,12 @@ This extension enables use of a user verification method. : Authenticator extension input :: The Boolean value [TRUE], encoded in CBOR (major type 7, value 21). + ``` + $$extensionInput //= ( + uvm: true, + ) + ``` + : Authenticator extension processing :: The [=authenticator=] sets the [=authenticator extension output=] to be one or more user verification methods indicating the method(s) used by the user to authorize the operation, as defined below. This extension can be added to attestation objects and assertions. @@ -5510,7 +5559,10 @@ This extension enables use of a user verification method. using the CBOR syntax defined below: ``` - uvmFormat = [ 1*3 uvmEntry ] + $$extensionOutput //= ( + uvm: [ 1*3 uvmEntry ], + ) + uvmEntry = [ userVerificationMethod: uint .size 4, keyProtectionType: uint .size 2,
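Review bot: in the paragraph added by the hunk at `@@ -5248,6 +5270,27 @@`, "Extensions that have authenticator processing MUST define extensions for the [=CDDL=] types" uses "extensions" in two senses (WebAuthn extensions and CDDL type extension) within one clause. Suggest "MUST extend the [=CDDL=] types ... by defining an additional choice for the `$$extensionInput` and `$$extensionOutput` groups". The SHOULD sentence that follows, about taking the Boolean value [TRUE], restates the SHOULD in the unchanged context directly above it ("this method SHOULD consist of passing an [=authenticator extension input=] value of [TRUE]"); keep one normative statement and have the other refer to it.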
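Review bot: in the `uvm` authenticator extension input hunk (`@@ -5501,6 +5544,12 @@`), the entry `uvm: true,` ends with a trailing comma, while the `webauthnExample_foobar: uint` entry in the example added earlier in this patch has none. Pick one style for group entries and apply it to every `$$extensionInput` and `$$extensionOutput` choice in the spec.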
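Review bot: in the `uvm` output hunk (`@@ -5510,7 +5559,10 @@`), replacing `uvmFormat = [ 1*3 uvmEntry ]` with the inline `uvm: [ 1*3 uvmEntry ],` removes the rule name `uvmFormat`. Check that no remaining prose or example still refers to `uvmFormat`; if any does, keep the named rule and write `uvm: uvmFormat` inside the `$$extensionOutput` choice instead.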