update and link to working AAGUID definition
Nick Steele committed Sep 20, 2023
1 parent 58d60d0 commit c7de61b
Showing 1 changed file with 7 additions and 6 deletions.
13 changes: 7 additions & 6 deletions index.bs
Expand Up @@ -4093,11 +4093,12 @@ considered more trustworthy than the rest of the authenticator.
Each authenticator stores a <dfn for=authenticator>credentials map</dfn>, a [=map=] from ([=rpId=], [=public key credential source/userHandle=]) to
[=public key credential source=].

Additionally, each authenticator has an AAGUID, which is a 128-bit identifier indicating the type (e.g. make and model) of the
authenticator. The AAGUID MUST be chosen by the manufacturer to be identical across all substantially identical authenticators
made by that manufacturer, and different (with high probability) from the AAGUIDs of all other types of authenticators.
The AAGUID for a given type of authenticator SHOULD be randomly generated to ensure this. The [=[RP]=] MAY use the AAGUID to infer certain
properties of the authenticator, such as certification level and strength of key protection, using information from other sources.
Additionally, each authenticator has an Authenticator Attestation GUID or <dfn for=aaguid>AAGUID</dfn>, which is a 128-bit identifier indicating the type (e.g. make and model) of the
authenticator. The AAGUID MUST be chosen by its maker to be identical across all substantially identical authenticators made by that maker, and
different (with high probability) from the AAGUIDs of all other types of authenticators. The AAGUID for a given type of authenticator SHOULD be
randomly generated to ensure this. The [=[RP]=] MAY use the AAGUID to infer certain properties of the authenticator, such as certification level
and strength of key protection, using information from other sources. The [=RP=] MAY use the AAGUID to attempt to identify the maker of the authenticator
without performing [=attestation=], but would be unable to trust that inference unless [=attestation=] is performed.

The primary function of the authenticator is to provide [=WebAuthn signatures=], which are bound to various contextual data. These
data are observed and added at different levels of the stack as a signature request passes from the server to the
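Review bot: the added lines reference the Relying Party with two different autolink forms, `[=[RP]=]` in the sentence about inferring certification level and `[=RP=]` in the new sentence about identifying the maker; Bikeshed treats these as two distinct terms, so one of them will either fail to resolve or link to the wrong definition. Use the same form as the rest of the document for both. On the new definition itself, `<dfn for=aaguid>AAGUID</dfn>` scopes the term "AAGUID" under a namespace named "aaguid", which is the term being defined; the neighbouring definition in this hunk uses `<dfn for=authenticator>credentials map</dfn>`, so `<dfn for=authenticator>AAGUID</dfn>` (or an unscoped `<dfn>`) would be the consistent choice and is what later `[=AAGUID=]` references will expect. The two consecutive "The RP MAY use the AAGUID to ..." sentences could be merged, and the new last sentence is worth keeping as written: an AAGUID is self-reported by the authenticator, so the caveat that the inferred make and model cannot be trusted without attestation is the security-relevant point of this change.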
Expand Down Expand Up @@ -5071,7 +5072,7 @@ object=] for a credential. Its format is shown in <a href="#table-attestedCreden
<th>Description</th>
</tr>
<tr>
<td><dfn>aaguid</dfn></td>
<td>AAGUID</td>
<td>16</td>
<td>The AAGUID of the authenticator.</td>
</tr>
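Review bot: replacing `<dfn>aaguid</dfn>` with the plain text `AAGUID` removes the definition that other parts of the spec may autolink to (for example `[=aaguid=]` or `<a>aaguid</a>`), and Bikeshed fails the build on an unresolved autolink. Since the commit message says the intent is to link to the working definition, consider making the cell an autolink to the new definition introduced in the earlier hunk, e.g. `<td>[=AAGUID=]</td>`, rather than unlinked text, and rebuild to confirm no dangling references to the old lowercase `aaguid` term remain.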

0 comments on commit c7de61b