From 82197104a2bc91af872e43fbb62e969df244e1f2 Mon Sep 17 00:00:00 2001 From: JeffH Date: Wed, 3 Feb 2021 17:18:51 -0800 Subject: [PATCH 1/8] Add Accessibility Considerations section Per feedback in issue #1557 fixes #1557 --- index.bs | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/index.bs b/index.bs index 47d816f92..56ea72a2a 100644 --- a/index.bs +++ b/index.bs @@ -7052,6 +7052,14 @@ the [=[RP]=] could mitigate the privacy leak using the same approach of returnin as discussed in [[#sctn-username-enumeration]]. +# Accessibility Considerations # {#sctn-accessiblility-considerations} + +[=Client platforms=], at [=registration=] time, should provide affordances for users to complete [=authorization gestures=] correctly. This could involve naming the authenticator, choosing a picture to associate with the device, or entering freeform text instructions. + +[=Ceremonies=] relying on timing, e.g., during registration (see {{PublicKeyCredentialCreationOptions/timeout}}), ought to follow [WCAG Guideline 2.2 Enough Time](https://www.w3.org/WAI/WCAG21/Understanding/enough-time). + + + # Acknowledgements # {#sctn-acknowledgements} We thank the following people for their reviews of, and contributions to, this specification: Yuriy Ackermann, From b18853cd63f7901751bb1e98092a415b74fa25e0 Mon Sep 17 00:00:00 2001 From: JeffH Date: Thu, 4 Feb 2021 12:22:13 -0800 Subject: [PATCH 2/8] add authn ceremony & correct WCAG21 ref --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 56ea72a2a..da48fd21a 100644 --- a/index.bs +++ b/index.bs 
@@ -7056,7 +7056,7 @@ as discussed in [[#sctn-username-enumeration]]. [=Client platforms=], at [=registration=] time, should provide affordances for users to complete [=authorization gestures=] correctly. This could involve naming the authenticator, choosing a picture to associate with the device, or entering freeform text instructions. -[=Ceremonies=] relying on timing, e.g., during registration (see {{PublicKeyCredentialCreationOptions/timeout}}), ought to follow [WCAG Guideline 2.2 Enough Time](https://www.w3.org/WAI/WCAG21/Understanding/enough-time). +[=Ceremonies=] relying on timing, e.g., during a [=registration ceremony=] (see {{PublicKeyCredentialCreationOptions/timeout}}) or during an [=authentication ceremony=] (see {{PublicKeyCredentialRequestOptions/timeout}}), ought to follow [[WCAG21]]'s [Guideline 2.2 Enough Time](https://www.w3.org/TR/WCAG21/#enough-time). From 00a5760de7d0f762686ff145a41d0854b851e78e Mon Sep 17 00:00:00 2001 From: JeffH Date: Thu, 4 Feb 2021 12:35:56 -0800 Subject: [PATCH 3/8] add that platf may fixup RP-supplied timeouts --- index.bs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/index.bs b/index.bs index da48fd21a..49ecba6e6 100644 --- a/index.bs +++ b/index.bs 
@@ -7056,8 +7056,7 @@ as discussed in [[#sctn-username-enumeration]]. [=Client platforms=], at [=registration=] time, should provide affordances for users to complete [=authorization gestures=] correctly. This could involve naming the authenticator, choosing a picture to associate with the device, or entering freeform text instructions. -[=Ceremonies=] relying on timing, e.g., during a [=registration ceremony=] (see {{PublicKeyCredentialCreationOptions/timeout}}) or during an [=authentication ceremony=] (see {{PublicKeyCredentialRequestOptions/timeout}}), ought to follow [[WCAG21]]'s [Guideline 2.2 Enough Time](https://www.w3.org/TR/WCAG21/#enough-time). - +[=Ceremonies=] relying on timing, e.g., during a [=registration ceremony=] (see {{PublicKeyCredentialCreationOptions/timeout}}) or during an [=authentication ceremony=] (see {{PublicKeyCredentialRequestOptions/timeout}}), ought to follow [[!WCAG21]]'s [Guideline 2.2 Enough Time](https://www.w3.org/TR/WCAG21/#enough-time). If a [=client platform=] determines that a [=[RP]=]-supplied timeout does not appropriately adhere to the latter [[!WCAG21]] guidelines, then the [=client platform=] MAY adjust the timeout accordingly. # Acknowledgements # {#sctn-acknowledgements} From 231b96ca0a0ac7fe3036faa6089fbc5c19514b8a Mon Sep 17 00:00:00 2001 From: =JeffH Date: Wed, 10 Feb 2021 15:17:41 -0800 Subject: [PATCH 4/8] incorp lgarron's suggestion, thx! Co-authored-by: Lucas Garron --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 49ecba6e6..f3184f4d1 100644 --- a/index.bs +++ b/index.bs 
@@ -7056,7 +7056,7 @@ as discussed in [[#sctn-username-enumeration]]. [=Client platforms=], at [=registration=] time, should provide affordances for users to complete [=authorization gestures=] correctly. This could involve naming the authenticator, choosing a picture to associate with the device, or entering freeform text instructions. -[=Ceremonies=] relying on timing, e.g., during a [=registration ceremony=] (see {{PublicKeyCredentialCreationOptions/timeout}}) or during an [=authentication ceremony=] (see {{PublicKeyCredentialRequestOptions/timeout}}), ought to follow [[!WCAG21]]'s [Guideline 2.2 Enough Time](https://www.w3.org/TR/WCAG21/#enough-time). If a [=client platform=] determines that a [=[RP]=]-supplied timeout does not appropriately adhere to the latter [[!WCAG21]] guidelines, then the [=client platform=] MAY adjust the timeout accordingly. +[=Ceremonies=] relying on timing, e.g., a [=registration ceremony=] (see {{PublicKeyCredentialCreationOptions/timeout}}) or an [=authentication ceremony=] (see {{PublicKeyCredentialRequestOptions/timeout}}), ought to follow [[!WCAG21]]'s [Guideline 2.2 Enough Time](https://www.w3.org/TR/WCAG21/#enough-time). If a [=client platform=] determines that a [=[RP]=]-supplied timeout does not appropriately adhere to the latter [[!WCAG21]] guidelines, then the [=client platform=] MAY adjust the timeout accordingly. # Acknowledgements # {#sctn-acknowledgements} From 82873d5ab0e9d2c9694f4e3311d68358d85348a4 Mon Sep 17 00:00:00 2001 From: JeffH Date: Thu, 11 Feb 2021 14:17:17 -0800 Subject: [PATCH 5/8] add suggestion to offer > 1 UV method --- index.bs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/index.bs b/index.bs index f3184f4d1..fe3ae32f8 100644 --- a/index.bs +++ b/index.bs 
@@ -7054,7 +7054,9 @@ as discussed in [[#sctn-username-enumeration]]. # Accessibility Considerations # {#sctn-accessiblility-considerations} -[=Client platforms=], at [=registration=] time, should provide affordances for users to complete [=authorization gestures=] correctly. This could involve naming the authenticator, choosing a picture to associate with the device, or entering freeform text instructions. +[=User verification=]-capable [=authenticators=], whether [=roaming authenticators|roaming=] or [=platform authenticators|platform=], should offer users more than one user verification method. For example, both fingerprint sensing and PIN entry. This allows for fallback to further user verification means if the selected one is not working for some reason. Note that in the case of [=roaming authenticators=], the authenticator and platform can work together to provide an user verification method such as PIN entry. + +[=Client platforms=], at [=registration=] time, should provide affordances for users to complete [=authorization gestures=] correctly. This could involve naming the authenticator, choosing a picture to associate with the device, or entering freeform text instructions (e.g., as a reminder-to-self). [=Ceremonies=] relying on timing, e.g., a [=registration ceremony=] (see {{PublicKeyCredentialCreationOptions/timeout}}) or an [=authentication ceremony=] (see {{PublicKeyCredentialRequestOptions/timeout}}), ought to follow [[!WCAG21]]'s [Guideline 2.2 Enough Time](https://www.w3.org/TR/WCAG21/#enough-time). If a [=client platform=] determines that a [=[RP]=]-supplied timeout does not appropriately adhere to the latter [[!WCAG21]] guidelines, then the [=client platform=] MAY adjust the timeout accordingly. From ed234cc6214ebd46b0ece379030ec36ea989f9e3 Mon Sep 17 00:00:00 2001 From: JeffH Date: Thu, 11 Feb 2021 14:33:16 -0800 Subject: [PATCH 6/8] polish --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/index.bs b/index.bs index fe3ae32f8..eeb33a56d 100644 --- a/index.bs +++ b/index.bs @@ -7054,7 +7054,7 @@ as discussed in [[#sctn-username-enumeration]]. # Accessibility Considerations # {#sctn-accessiblility-considerations} -[=User verification=]-capable [=authenticators=], whether [=roaming authenticators|roaming=] or [=platform authenticators|platform=], should offer users more than one user verification method. For example, both fingerprint sensing and PIN entry. This allows for fallback to further user verification means if the selected one is not working for some reason. Note that in the case of [=roaming authenticators=], the authenticator and platform can work together to provide an user verification method such as PIN entry. +[=User verification=]-capable [=authenticators=], whether [=roaming authenticators|roaming=] or [=platform authenticators|platform=], should offer users more than one user verification method. For example, both fingerprint sensing and PIN entry. This allows for fallback to other user verification means if the selected one is not working for some reason. Note that in the case of [=roaming authenticators=], the authenticator and platform might work together to provide a user verification method such as PIN entry [[FIDO-CTAP]]. [=Client platforms=], at [=registration=] time, should provide affordances for users to complete [=authorization gestures=] correctly. This could involve naming the authenticator, choosing a picture to associate with the device, or entering freeform text instructions (e.g., as a reminder-to-self). From ca5ed6525a39a43745609e8d23f3230dddf80eff Mon Sep 17 00:00:00 2001 From: =JeffH Date: Wed, 17 Feb 2021 13:09:35 -0800 Subject: [PATCH 7/8] Incorp emlun's suggestion,thx! Co-authored-by: Emil Lundberg --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index eeb33a56d..bb2cbfff2 100644 --- a/index.bs +++ b/index.bs 
@@ -7056,7 +7056,7 @@ as discussed in [[#sctn-username-enumeration]]. [=User verification=]-capable [=authenticators=], whether [=roaming authenticators|roaming=] or [=platform authenticators|platform=], should offer users more than one user verification method. For example, both fingerprint sensing and PIN entry. This allows for fallback to other user verification means if the selected one is not working for some reason. Note that in the case of [=roaming authenticators=], the authenticator and platform might work together to provide a user verification method such as PIN entry [[FIDO-CTAP]]. -[=Client platforms=], at [=registration=] time, should provide affordances for users to complete [=authorization gestures=] correctly. This could involve naming the authenticator, choosing a picture to associate with the device, or entering freeform text instructions (e.g., as a reminder-to-self). +[=Client platforms=], at [=registration=] time, should provide affordances for users to complete future [=authorization gestures=] correctly. This could involve naming the authenticator, choosing a picture to associate with the device, or entering freeform text instructions (e.g., as a reminder-to-self). [=Ceremonies=] relying on timing, e.g., a [=registration ceremony=] (see {{PublicKeyCredentialCreationOptions/timeout}}) or an [=authentication ceremony=] (see {{PublicKeyCredentialRequestOptions/timeout}}), ought to follow [[!WCAG21]]'s [Guideline 2.2 Enough Time](https://www.w3.org/TR/WCAG21/#enough-time). If a [=client platform=] determines that a [=[RP]=]-supplied timeout does not appropriately adhere to the latter [[!WCAG21]] guidelines, then the [=client platform=] MAY adjust the timeout accordingly. From aba7dd6c9268f7ea06c33537b2808e7f7003ce08 Mon Sep 17 00:00:00 2001 From: JeffH Date: Wed, 17 Feb 2021 13:12:51 -0800 Subject: [PATCH 8/8] incorp another @emlun suggestion, thx! --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/index.bs b/index.bs index bb2cbfff2..788d92cb8 100644 --- a/index.bs +++ b/index.bs @@ -7056,7 +7056,7 @@ as discussed in [[#sctn-username-enumeration]]. [=User verification=]-capable [=authenticators=], whether [=roaming authenticators|roaming=] or [=platform authenticators|platform=], should offer users more than one user verification method. For example, both fingerprint sensing and PIN entry. This allows for fallback to other user verification means if the selected one is not working for some reason. Note that in the case of [=roaming authenticators=], the authenticator and platform might work together to provide a user verification method such as PIN entry [[FIDO-CTAP]]. -[=Client platforms=], at [=registration=] time, should provide affordances for users to complete future [=authorization gestures=] correctly. This could involve naming the authenticator, choosing a picture to associate with the device, or entering freeform text instructions (e.g., as a reminder-to-self). +[=[RPS]=], at [=registration=] time, SHOULD provide affordances for users to complete future [=authorization gestures=] correctly. This could involve naming the authenticator, choosing a picture to associate with the device, or entering freeform text instructions (e.g., as a reminder-to-self). [=Ceremonies=] relying on timing, e.g., a [=registration ceremony=] (see {{PublicKeyCredentialCreationOptions/timeout}}) or an [=authentication ceremony=] (see {{PublicKeyCredentialRequestOptions/timeout}}), ought to follow [[!WCAG21]]'s [Guideline 2.2 Enough Time](https://www.w3.org/TR/WCAG21/#enough-time). If a [=client platform=] determines that a [=[RP]=]-supplied timeout does not appropriately adhere to the latter [[!WCAG21]] guidelines, then the [=client platform=] MAY adjust the timeout accordingly.
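Review bot: the new heading's anchor `{#sctn-accessiblility-considerations}` in PATCH 1/8 misspells "accessibility" (an extra "li"), and because this id becomes the section's permanent fragment identifier and is carried verbatim into the context of every later hunk in the series, it should be corrected to `{#sctn-accessibility-considerations}` before merge rather than published and then redirected. The hunk also inserts three blank lines before `# Acknowledgements #` where the surrounding context uses a single blank line between blocks.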
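Review bot: "does not appropriately adhere to the latter [[!WCAG21]] guidelines" in PATCH 3/8 has no antecedent for "the latter", since only one guideline (2.2) is cited; "to that guideline" reads correctly. On the substance of the new sentence, a client platform that lengthens an RP-supplied timeout changes only the client-side ceremony, not the RP's own expiry of the challenge it issued, so an accommodated user can still be rejected by the RP after the adjusted ceremony completes. Suggest adding that RPs SHOULD keep the server-side validity of a challenge at least as long as any timeout adjustment the client platform might make, so the accommodation does not merely move the failure from the client to the RP.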
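Review bot: in PATCH 5/8, "an user verification method" should read "a user verification method" (fixed later in the series), and "For example, both fingerprint sensing and PIN entry." is a sentence fragment that survives to the final hunk; fold it into the preceding sentence ("... more than one user verification method, for example both fingerprint sensing and PIN entry."). On the substance, recommending fallback between methods means the method that actually satisfied user verification may be weaker than the one the RP assumes; consider stating that, absent an extension, an assertion reports only that user verification occurred and not which of the offered methods performed it, so RP policy should not presume the stronger method.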
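Review bot: PATCH 8/8 makes the RP the actor that provides affordances for "naming the authenticator, choosing a picture to associate with the device, or entering freeform text instructions", but these are user-supplied strings the RP stores at registration and renders back to the user at future ceremonies; a sentence noting that such labels and instructions are untrusted input to be validated and encoded on display would fit this paragraph, since the advice otherwise reads as inviting free-text storage without that caveat. Separately, the paragraph now carries a normative SHOULD while the next paragraph keeps "ought to follow" for the WCAG guideline and MAY for the client platform; either use RFC 2119 keywords throughout the section or in neither place, so the RP requirement is not accidentally the only binding one.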