Clarify user identification in RP assertion verification operation (#…

…1082)

Merging per review during 9-Jan-19 call

index.bs

@@ -3510,9 +3510,19 @@ When verifying a given {{PublicKeyCredential}} structure (|credential|) and an {
     initiated, verify that <code>|credential|.{{Credential/id}}</code> identifies one of the [=public key credentials=] that were
     listed in {{PublicKeyCredentialRequestOptions/allowCredentials}}.
 
-1. If <code>|credential|.{{PublicKeyCredential/response}}.{{AuthenticatorAssertionResponse/userHandle}}</code> is present, verify
-    that the user identified by this value is the owner of the [=public key credential=] identified by
-    <code>|credential|.{{Credential/id}}</code>.
+1. Identify the user being authenticated and verify that this user is the owner of the [=public key credential source=]
+    |credentialSource| identified by <code>|credential|.{{Credential/id}}</code>:
+
+    <dl class="switch">
+        :  If the user was identified before the [=authentication ceremony=] was initiated,
+        :: verify that the identified user is the owner of |credentialSource|. If
+            <code>|credential|.{{PublicKeyCredential/response}}.{{AuthenticatorAssertionResponse/userHandle}}</code> is present,
+            verify that this value identifies the same user as was previously identified.
+
+        :  If the user was not identified before the [=authentication ceremony=] was initiated,
+        :: verify that <code>|credential|.{{PublicKeyCredential/response}}.{{AuthenticatorAssertionResponse/userHandle}}</code> is
+            present, and that the user identified by this value is the owner of |credentialSource|.
+    </dl>
 
 1. Using |credential|'s {{Credential/id}} attribute (or the corresponding {{PublicKeyCredential/rawId}}, if
     [=base64url encoding=] is inappropriate for your use case), look up the corresponding credential public key.