Add authenticator attachment used during authentication to assertion payload #1668


Merged (14 commits), Oct 7, 2021
20 changes: 20 additions & 0 deletions index.bs
Expand Up @@ -1370,6 +1370,7 @@ that are returned to the caller when a new credential is created, or a new asser
interface PublicKeyCredential : Credential {
[SameObject] readonly attribute ArrayBuffer rawId;
[SameObject] readonly attribute AuthenticatorResponse response;
[SameObject] readonly attribute DOMString? authenticatorAttachment;
AuthenticationExtensionsClientOutputs getClientExtensionResults();
};
</xmp>
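Review bot: `[SameObject]` on the new `authenticatorAttachment` attribute is not valid WebIDL; that extended attribute is only allowed on a read-only attribute whose type is an interface type or `object`, and `DOMString?` is neither. Drop it so the line reads `readonly attribute DOMString? authenticatorAttachment;`. The `[SameObject]` on `rawId` and `response` is fine, since those are an ArrayBuffer and an interface type.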
Expand All @@ -1388,6 +1389,12 @@ that are returned to the caller when a new credential is created, or a new asser
{{CredentialsContainer/create()}}, this attribute's value will be an {{AuthenticatorAttestationResponse}}, otherwise,
the {{PublicKeyCredential}} was created in response to {{CredentialsContainer/get()}}, and this attribute's value
will be an {{AuthenticatorAssertionResponse}}.

: <dfn>authenticatorAttachment</dfn>
:: This attribute contains the authenticatorAttachment used to communicate to the [=authenticator=], or `null` if
the user agent does not have any attachment information. This attribute should be used by RPs in conjecture
with isUVPAA to prompt user to register platform authenticator if it is availible and user is currently being authenticated
with a cross-platform attachment. See [[#sctn-authenticator-attachment-modality]].

: {{PublicKeyCredential/getClientExtensionResults()}}
:: This operation returns the value of {{PublicKeyCredential/[[clientExtensionsResults]]}}, which is a [=map=] containing
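Review bot: the new definition has typos, an unlinked reference, and only describes the get() case even though the attribute lives on PublicKeyCredential, which create() returns as well. "in conjecture with isUVPAA" should read "in conjunction with {{PublicKeyCredential/isUserVerifyingPlatformAuthenticatorAvailable()}}", "availible" should be "available", and "prompt user" should be "prompt the user". The entry should also say what the value is for a credential returned by create() (null, or the attachment actually used, whichever the client algorithm sets), and should state that the value is reported by the user agent rather than carried in the signed assertion, so the RP guidance is a UX hint and not something to base an access decision on. The neighbouring entries are written as `{{PublicKeyCredential/…}}` references to the IDL member; the bare `<dfn>authenticatorAttachment</dfn>` here creates a second definition instead of linking to the IDL one.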
Expand Down Expand Up @@ -2207,6 +2214,10 @@ When this method is invoked, the user agent MUST execute the following algorithm
: <code><dfn for="assertionCreationData">signatureResult</dfn></code>
:: whose value is the bytes of the signature value returned by the [=authenticator=].

: <code><dfn for="assertionCreationData">authenticatorAttachmentResult</dfn></code>
:: whose value is the authenticator attachment type used to communicate to the [=authenticator=]. Values SHOULD be either "platform" or "cross-platform". If the user agent does not have any authenticator attachment information,
set the value to null.

: <code><dfn for="assertionCreationData">userHandleResult</dfn></code>
:: If the [=authenticator=] returned a [=user handle=], set the value of [=userHandleResult=] to be the bytes of
the returned [=user handle=]. Otherwise, set the value of [=userHandleResult=] to null.
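Review bot: "Values SHOULD be either "platform" or "cross-platform"" leaves room for other strings even though the attribute is meant to carry the {{AuthenticatorAttachment}} enumeration; make it "whose value is a member of {{AuthenticatorAttachment}}, or null if the user agent does not have any authenticator attachment information". The entry also never says where the client obtains the value; the |authenticatorAttachment| computed in the step added later in this PR is not stored anywhere, so tie the two together here, e.g. "set to the value of |authenticatorAttachment| determined when the client communicated with the [=authenticator=]".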
Expand Down Expand Up @@ -2242,6 +2253,11 @@ When this method is invoked, the user agent MUST execute the following algorithm
:: A new {{ArrayBuffer}}, created using |global|'s [=%ArrayBuffer%=], containing the bytes of
<code>|assertionCreationData|.[=assertionCreationData/signatureResult=]</code>.

: {{AuthenticatorAssertionResponse/authenticatorAttachment}}
:: If <code>|assertionCreationData|.[=assertionCreationData/authenticatorAttachmentResult=]</code> is null, set this
field to null. Otherwise, set this field to a new {{DOMString}}, containing the value of
<code>|assertionCreationData|.[=assertionCreationData/authenticatorAttachmentResult=]</code>.

: {{AuthenticatorAssertionResponse/userHandle}}
:: If <code>|assertionCreationData|.[=assertionCreationData/userHandleResult=]</code> is null, set this
field to null. Otherwise, set this field to a new {{ArrayBuffer}}, created using |global|'s
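Review bot: `{{AuthenticatorAssertionResponse/authenticatorAttachment}}` does not match the IDL in this PR, which declares `authenticatorAttachment` on `PublicKeyCredential`, not on `AuthenticatorAssertionResponse`; Bikeshed will not resolve that link and the step populates the wrong object. Use `{{PublicKeyCredential/authenticatorAttachment}}`. Since the value is a string rather than a buffer, "set this field to the value of <code>|assertionCreationData|.[=assertionCreationData/authenticatorAttachmentResult=]</code>" is enough; "a new {{DOMString}}" is not a constructed object in the way the ArrayBuffer entries above are.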
Expand Down Expand Up @@ -3962,6 +3978,10 @@ When this method is invoked, the [=authenticator=] MUST perform the following pr
1. If any error occurred while generating the [=assertion signature=], return an error code equivalent to "{{UnknownError}}" and
terminate the operation.

1. Let |authenticatorAttachment| be <code>platform</code> or <code>cross-platform</code> based on the transport returned by authenticator following successful authentication.
If transport is <code>null</code>, set |authenticatorAttachment| to null. If transport is <code>internal</code>, then set |authenticatorAttachment| to <code>platform</code>.
Otherwise, set |authenticatorAttachment| to <code>cross-platform</code>.

<!-- Note: this next step is actually a top-level step, but bikeshed wanted it indented this much in order to render it as
a numbered step. If outdented, it (today) is rendered as a bullet in the midst of a numbered list :-/
-->
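Review bot: this step sits inside the authenticator's authenticatorGetAssertion operation, but an authenticator does not return a transport with an assertion and has no notion of attachment; the transport is something the client knows from how it reached the authenticator. Move the step to the user-agent algorithm where |assertionCreationData| is assembled and feed the result into [=assertionCreationData/authenticatorAttachmentResult=]; as written, |authenticatorAttachment| is computed and then never used. The first sentence also just restates the three that follow; collapse the step to: "Let |authenticatorAttachment| be null if the transport used to communicate with the [=authenticator=] is unknown, "platform" if it is <code>internal</code>, and "cross-platform" otherwise."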