From f4ffc88291825eed6bd51e46ad0c39d39a6829a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Anders=20=C3=85berg?= Date: Wed, 31 Jan 2024 21:05:50 +0100 Subject: [PATCH] Allow AAGUID to pass through for platform authenticators --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 4178af162..bddc01b49 100644 --- a/index.bs +++ b/index.bs @@ -2135,7 +2135,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o same: 1. If the [=authData/attestedCredentialData/aaguid=] in the [=attested credential data=] is 16 zero bytes, |credentialCreationData|.[=attestationObjectResult=].fmt is "packed", and "x5c" is absent from |credentialCreationData|.[=attestationObjectResult=], then [=self attestation=] is being used and no further action is needed. 1. Otherwise - 1. Replace the [=authData/attestedCredentialData/aaguid=] in the [=attested credential data=] with 16 zero bytes. + 1. If the {{PublicKeyCredential/authenticatorAttachment}} is set to {{AuthenticatorAttachment/cross-platform}}, replace the [=authData/attestedCredentialData/aaguid=] in the [=attested credential data=] with 16 zero bytes. 1. Set the value of |credentialCreationData|.[=attestationObjectResult=].fmt to "none", and set the value of |credentialCreationData|.[=attestationObjectResult=].attStmt to be an empty [=CBOR=] map. (See [[#sctn-none-attestation]] and [[#sctn-generating-an-attestation-object]]). : {{AttestationConveyancePreference/indirect}}
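Review bot: The new condition in the first sub-step under "Otherwise" zeroes the AAGUID only when authenticatorAttachment is cross-platform, so every other value of that attribute, not only platform, now lets the AAGUID through. That is wider than the subject line ("for platform authenticators"). If the attribute can be unset or unknown at this step, consider inverting the test so it fails closed, for example "If the authenticatorAttachment is not platform, replace the aaguid in the attested credential data with 16 zero bytes." Separately, the next sub-step still sets fmt to "none" with an empty attStmt, so a passed-through AAGUID has no attestation statement backing it. A short note in this step saying that Relying Parties must treat such an AAGUID as an unverified hint, and describing the privacy effect of exposing the authenticator model in this branch, would make the change safer to adopt.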