Mention constant-zero case in §6.1.1 Signature Counter Considerations

index.bs

@@ -3620,6 +3620,9 @@ value of the [=authenticator data=] returned by [=authenticatorMakeCredential=].
 [=authenticator data=] again. The [=signature counter=]'s purpose is to aid [=[RPS]=] in detecting cloned authenticators. Clone
 detection is more important for authenticators with limited protection measures.
 
+Authenticators that do not implement a [=signature counter=]
+leave the <code>[=signCount=]</code> in the [=authenticator data=] constant at zero.
+
 A [=[RP]=] stores the [=signature counter=] of the most recent [=authenticatorGetAssertion=] operation. (Or the counter from the [=authenticatorMakeCredential=] operation if no [=authenticatorGetAssertion=] has ever been performed on a credential.) In subsequent
 [=authenticatorGetAssertion=] operations, the [=[RP]=] compares the stored [=signature counter=] value with the new
 <code>[=signCount=]</code> value returned in the assertion's [=authenticator data=].  If either is non-zero, and the new <code>[=signCount=]</code> value is less than or equal to the stored value, a cloned authenticator may exist, or the authenticator may be malfunctioning.
@@ -3629,7 +3632,7 @@ Detecting a [=signature counter=] mismatch does not indicate whether the current
 Authenticators:
 - SHOULD implement per credential [=signature counters=].  This prevents the
     [=signature counter=] value from being shared between [=[RPS]=] and being possibly employed
-    as a correlation handle for the user. Authenticators may implement a global [=signature counter=],
+    as a correlation handle for the user. Authenticators MAY implement a global [=signature counter=],
     i.e., on a per-authenticator basis, but this is less privacy-friendly for users.
 
 - SHOULD ensure that the [=signature counter=] value does not