Add authenticator attachment used during authentication to assertion payload #1668

Merged
merged 14 commits into from
Oct 7, 2021
30 changes: 23 additions & 7 deletions index.bs
@@ -1370,6 +1370,7 @@ that are returned to the caller when a new credential is created, or a new asser
interface PublicKeyCredential : Credential {
[SameObject] readonly attribute ArrayBuffer rawId;
[SameObject] readonly attribute AuthenticatorResponse response;
[SameObject] readonly attribute DOMString? authenticatorAttachment;
AuthenticationExtensionsClientOutputs getClientExtensionResults();
};
</xmp>
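Review bot: `[SameObject]` should be dropped from the new `authenticatorAttachment` attribute. WebIDL only permits that extended attribute on read-only attributes whose type is an interface or object type, and this one is `DOMString?`, so the line should read `readonly attribute DOMString? authenticatorAttachment;`. The nullable `?` is right, since the prose later in this change tells RPs to treat unknown values as null.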
@@ -1388,6 +1389,19 @@ that are returned to the caller when a new credential is created, or a new asser
{{CredentialsContainer/create()}}, this attribute's value will be an {{AuthenticatorAttestationResponse}}, otherwise,
the {{PublicKeyCredential}} was created in response to {{CredentialsContainer/get()}}, and this attribute's value
will be an {{AuthenticatorAssertionResponse}}.

: <dfn>authenticatorAttachment</dfn>
:: This attribute reports the [=authenticator attachment modality=] in effect at the time the
{{CredentialsContainer/create()|navigator.credentials.create()}} or
{{CredentialsContainer/get()|navigator.credentials.get()}} methods successfully complete.
The attribute’s value SHOULD be a member of {{AuthenticatorAttachment}}. [=[RPS]=] SHOULD treat unknown values
as if the value were null.

Note: If, as the result of a [=registration ceremony|registration=] or [=authentication ceremony=], {{PublicKeyCredential/authenticatorAttachment}}'s value is "cross-platform" and concurrently {{isUserVerifyingPlatformAuthenticatorAvailable}} returns [TRUE], then the user employed a [=roaming authenticator=] for this [=ceremony=] while there is an available [=platform authenticator=]. Thus the [=[RP]=] has the opportunity to prompt the user to register the available [=platform authenticator=], which may enable more streamlined user experience flows.

Note: An [=authenticator's=] [=authenticator attachment modality|attachment modality=] could change over time.
For example, a mobile phone might at one time only support [=platform attachment=]
but later receive updates to support [=cross-platform attachment=] as well.

: {{PublicKeyCredential/getClientExtensionResults()}}
:: This operation returns the value of {{PublicKeyCredential/[[clientExtensionsResults]]}}, which is a [=map=] containing
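Review bot: The first Note's autolink `{{isUserVerifyingPlatformAuthenticatorAvailable}}` is written differently from every other method reference in this change (compare `{{PublicKeyCredential/getClientExtensionResults()}}` just below); use `{{PublicKeyCredential/isUserVerifyingPlatformAuthenticatorAvailable()}}` so it resolves unambiguously. In the definition itself, "The attribute's value SHOULD be a member of {{AuthenticatorAttachment}}" gives the RP an unknown-value rule but never says when the client returns null, even though the IDL type is `DOMString?`; one sentence along the lines of "If the client cannot determine the attachment modality, the value is null" would close that gap.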
@@ -1652,7 +1666,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o

1. If <code>|options|.{{PublicKeyCredentialCreationOptions/authenticatorSelection}}</code> is present:

1. If <code>|options|.{{PublicKeyCredentialCreationOptions/authenticatorSelection}}.{{authenticatorAttachment}}</code> is
1. If <code>|options|.{{PublicKeyCredentialCreationOptions/authenticatorSelection}}.{{AuthenticatorSelectionCriteria/authenticatorAttachment}}</code> is
present and its value is not equal to |authenticator|'s [=authenticator attachment modality=], [=iteration/continue=].

1. If <code>|options|.{{PublicKeyCredentialCreationOptions/authenticatorSelection}}.{{residentKey}}</code>
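Review bot: Qualifying the autolink as `{{AuthenticatorSelectionCriteria/authenticatorAttachment}}` is the right fix now that `PublicKeyCredential/authenticatorAttachment` shares the bare name, but it is unlikely to be the only occurrence; grep index.bs for any remaining bare `{{authenticatorAttachment}}` before merging, since each one will now be an ambiguous link and fail the Bikeshed build. The neighbouring `{{residentKey}}` in the context line is unaffected because only one definition carries that name.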
@@ -1857,6 +1871,9 @@ a numbered step. If outdented, it (today) is rendered either as a bullet in the
: {{PublicKeyCredential/[[identifier]]}}
:: |id|

: {{PublicKeyCredential/authenticatorAttachment}}
:: The {{AuthenticatorAttachment}} value matching the current [=authenticator attachment modality=] of |authenticator|.

: {{PublicKeyCredential/response}}
:: A new {{AuthenticatorAttestationResponse}} object associated with |global| whose fields are:

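Review bot: This step always produces an {{AuthenticatorAttachment}} value, yet the attribute is declared nullable; the algorithm needs a defined path for the case where the client does not know |authenticator|'s attachment modality (for example, setting the attribute to null), otherwise implementations will pick their own behaviour. The word "current" is deliberate given the Note about modality changing over time, so a cross-reference to that Note here would help readers of the algorithm.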
@@ -2223,10 +2240,12 @@ When this method is invoked, the user agent MUST execute the following algorithm
1. Let |pubKeyCred| be a new {{PublicKeyCredential}} object associated with |global| whose fields are:

: {{PublicKeyCredential/[[identifier]]}}

:: A new {{ArrayBuffer}}, created using |global|'s [=%ArrayBuffer%=], containing the bytes of
<code>|assertionCreationData|.[=credentialIdResult=]</code>.

: {{PublicKeyCredential/authenticatorAttachment}}
:: The {{AuthenticatorAttachment}} value matching the current [=authenticator attachment modality=] of |authenticator|.

: {{PublicKeyCredential/response}}
:: A new {{AuthenticatorAssertionResponse}} object associated with |global| whose fields are:

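Review bot: In the get() algorithm the authenticator that produces the assertion need not be the one that registered the credential, so "of |authenticator|" has to be bound to the authenticator whose response became |assertionCreationData|; the placement reads that way, but it would be worth a clause making it explicit. The entry text is also identical to the one added to the create() algorithm; defining it once and referring to it from both places avoids the two drifting apart later.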
@@ -2326,10 +2345,6 @@ This method has no arguments and returns a Boolean value.
};
</xmp>

Note: Invoking this method from a [=browsing context=] where the [=Web Authentication API=] is "disabled" according to the [=allowed to use=] algorithm&mdash;i.e., by a [=permissions policy=]&mdash;will result in the promise being rejected with a {{DOMException}} whose name is "{{NotAllowedError}}". See also [[#sctn-permissions-policy]].

</div>

## Authenticator Responses (interface <dfn interface>AuthenticatorResponse</dfn>) ## {#iface-authenticatorresponse}

[=Authenticators=] respond to [=[RP]=] requests by returning an object derived from the
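Review bot: The deletion in this hunk removes the permissions-policy Note under isUserVerifyingPlatformAuthenticatorAvailable(), which has nothing to do with the authenticatorAttachment feature in the PR title and is not explained anywhere in the change; if it is a merge leftover or belongs to another PR it should be dropped from this one, and if it is intentional the description should say whether the "{{NotAllowedError}}" rejection is removed from the method's algorithm as well or only the note. Since the hunk also spans the closing `</div>`, confirm the enclosing div is still balanced after the deletion.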
@@ -2701,7 +2716,8 @@ attributes.
This enumeration's values describe [=authenticators=]' [=authenticator attachment modality|attachment modalities=].
[=[RPS]=] use this to express a preferred [=authenticator attachment modality=]
when calling {{CredentialsContainer/create()|navigator.credentials.create()}}
to [[#sctn-createCredential|create a credential]].
to [[#sctn-createCredential|create a credential]], and [=clients=] use this to report the [=authenticator attachment modality=]
used to complete a [=registration ceremony|registration=] or [=authentication ceremony=].

<xmp class="idl">
enum AuthenticatorAttachment {
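Review bot: The new sentence says clients report the modality with this enum, but the reporting attribute added earlier in this change is typed `DOMString?`, not `AuthenticatorAttachment`; a short clause here explaining that the attribute is a string so a client can report a value newer than the RP's copy of the enum (which is why the attribute definition tells RPs to treat unknown values as null) would tie the two sections together and pre-empt the obvious "why not the enum type?" question.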