w3c · nadalin · Feb 16, 2018 · Feb 14, 2018 · Feb 14, 2018 · emlun
diff --git a/index.bs b/index.bs
@@ -827,8 +827,8 @@ When this method is invoked, the user agent MUST execute the following algorithm
     :: The [=base64url encoding=] of |options|.{{PublicKeyCredentialCreationOptions/challenge}}.
     : {{CollectedClientData/origin}}
     :: The [=ascii serialization of an origin|serialization of=] |callerOrigin|.
-    : {{CollectedClientData/tokenBindingId}}
-    :: The [=Token Binding ID=] associated with |callerOrigin|, if one is available.
+    : {{CollectedClientData/tokenBinding}}
+    :: The status of [=Token Binding=] between the client and the |callerOrigin|, as well as the [=Token Binding ID=] associated with |callerOrigin|, if one is available.
     : {{CollectedClientData/clientExtensions}}
     :: |clientExtensions|
     : {{CollectedClientData/authenticatorExtensions}}
@@ -1144,8 +1144,8 @@ When this method is invoked, the user agent MUST execute the following algorithm
     :: The [=base64url encoding=] of |options|.{{PublicKeyCredentialRequestOptions/challenge}}
     : {{CollectedClientData/origin}}
     :: The [=ascii serialization of an origin|serialization of=] |callerOrigin|.
-    : {{CollectedClientData/tokenBindingId}}
-    :: The [=Token Binding ID=] associated with |callerOrigin|, if one is available.
+    : {{CollectedClientData/tokenBinding}}
+    :: The status of [=Token Binding=] between the client and the |callerOrigin|, as well as the [=Token Binding ID=] associated with |callerOrigin|, if one is available.
     : {{CollectedClientData/clientExtensions}}
     :: |clientExtensions|
     : {{CollectedClientData/authenticatorExtensions}}
@@ -1926,10 +1926,17 @@ following Web IDL.
         required DOMString           type;
         required DOMString           challenge;
         required DOMString           origin;
-        DOMString                    tokenBindingId;
+        TokenBinding                 tokenBinding;
         AuthenticationExtensionsClientInputs clientExtensions;
         AuthenticationExtensionsAuthenticatorInputs authenticatorExtensions;
     };
+
+    dictionary TokenBinding {
+        required TokenBindingStatus status;
+        DOMString id;
+    };
+
+    enum TokenBindingStatus { "present", "supported", "not-supported" };
 </pre>
 
 <div dfn-type="dict-member" dfn-for="CollectedClientData">
@@ -1943,9 +1950,10 @@ following Web IDL.
     The <dfn>origin</dfn> member contains the fully qualified [=origin=] of the requester, as provided to the authenticator by
     the client, in the syntax defined by [[RFC6454]].
 
-    The <dfn>tokenBindingId</dfn> member contains the base64url encoding of the [=Token Binding ID=] that this client uses for
-    the [=Token Binding=] protocol when communicating with the [=[RP]=]. This can be omitted if no [=Token Binding=] has been
-    negotiated between the client and the [=[RP]=].
+    The <dfn>tokenBinding</dfn> member contains information about the state of the [=Token Binding=] protocol used when communicating with the [=[RP]=]. The `status` member is one of:
+        * `not-supported`: when the client does not support token binding.
+        * `supported`: the client supports token binding, but it was not negotiated when communicating with the [=[RP]=].
+        * `present`: token binding was used when communicating with the [=[RP]=]. In this case, the `id` member MUST be present and MUST be a [=base64url encoding=] of the [=Token Binding ID=] that was used.
 
     The OPTIONAL <dfn>clientExtensions</dfn> and <dfn>authenticatorExtensions</dfn> members contain additional parameters
     generated by processing the extensions passed in
@@ -2822,8 +2830,7 @@ When registering a new credential, represented by a {{AuthenticatorAttestationRe
 
 1. Verify that the value of <code>|C|.{{CollectedClientData/origin}}</code> matches the [=[RP]=]'s [=origin=].
 
-1. Verify that the value of <code>|C|.{{CollectedClientData/tokenBindingId}}</code> matches the [=Token Binding ID=] for the TLS
-    connection over which the attestation was obtained.
+1. Verify that the value of <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/status}}</code> matches the state of [=Token Binding=] for the TLS connection over which the [=assertion=] was obtained. If [=Token Binding=] was used on that TLS connection, also verify that <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/id}}</code> matches the [=base64url encoding=] of the [=Token Binding ID=] for the connection.
 
 1. Verify that the value of <code>|C|.{{CollectedClientData/clientExtensions}}</code> is a subset of the extensions requested by
     the RP and that the value of <code>|C|.{{CollectedClientData/authenticatorExtensions}}</code> is also a subset of the
@@ -2930,8 +2937,7 @@ When verifying a given {{PublicKeyCredential}} structure (|credential|) as part
 
 1. Verify that the value of <code>|C|.{{CollectedClientData/origin}}</code> matches the [=[RP]=]'s [=origin=].
 
-1. Verify that the value of <code>|C|.{{CollectedClientData/tokenBindingId}}</code> (if present) matches the [=Token Binding ID=]
-    for the TLS connection over which the signature was obtained.
+1. Verify that the value of <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/status}}</code> matches the state of [=Token Binding=] for the TLS connection over which the attestation was obtained. If [=Token Binding=] was used on that TLS connection, also verify that <code>|C|.{{CollectedClientData/tokenBinding}}.{{TokenBinding/id}}</code> matches the [=base64url encoding=] of the [=Token Binding ID=] for the connection.
 
 1. Verify that the value of <code>|C|.{{CollectedClientData/clientExtensions}}</code> is a subset of the extensions requested by
     the [=[RP]=] and that the value of <code>|C|.{{CollectedClientData/authenticatorExtensions}}</code> is also a subset of the