credentialList should be whitelist in step 6, 1st bullet, of getAssertion() processing rules

[equalsJeffH]

step 6 of getAssertion() processing rules says in part...

6. For each embedded or external authenticator currently available on this platform, perform 
the following steps:

  * If whitelist is undefined or empty, let credentialList be a list containing a single wildcard 
     entry.

  * If whitelist is defined and non-empty, optionally execute a platform-specific procedure to 
    determine which of these credentials can possibly be present on this authenticator. Set 
    credentialList to this filtered list. If credentialList is empty, ignore this authenticator and 
    do not perform any of the following per-authenticator steps.

It seems that the first bullet item ought to read...

  * If whitelist is undefined or empty, let whitelist be a list containing a single wildcard 
     entry.

..otherwise the processing in the 2nd rule does not make sense because whitelist may be undefined or empty, while a credentialList containing a wildcard has been created, which does not make sense in the 2nd bullet.