w3c · nsatragno · Jul 24, 2024 · Jul 1, 2024 · Jul 1, 2024 · Jul 1, 2024
diff --git a/index.bs b/index.bs
@@ -98,20 +98,15 @@ spec:css-syntax-3;
 </pre>
 <pre class="biblio">
 {
-  "FEDCM": {
-    "authors": [ "Sam Goto" ],
-    "href": "https://fedidcg.github.io/FedCM/",
-    "title": "FedCM API"
-  },
   "WEB-LOGIN": {
     "authors": [ "Jason Denizac", "Robin Berjon", "Anne van Kesteren" ],
     "href": "https://github.com/jden/web-login",
     "title": "web-login"
   },
-  "WEB-OTP": {
-    "authors": [ "Sam Goto" ],
-    "href": "https://wicg.github.io/web-otp/",
-    "title": "WebOTP API"
+  "DIGITAL-CREDENTIALS": {
+    "authors": [ "Marcos Cáceres", "Sam Goto" ],
+    "href": "https://wicg.github.io/digital-credentials/",
+    "title": "Digital Credentials"
   }
 }
 </pre>
@@ -325,42 +320,63 @@ spec:css-syntax-3;
         <small>(in alphabetical order)</small></th>
         <th><dfn for="credential type registry">Options Member Identifier</dfn></th>
         <th><dfn for="credential type registry">Appropriate Interface Object</dfn></th>
+        <th><dfn for="credential type registry">Get Permissions Policy</dfn></th>
+        <th><dfn for="credential type registry">Create Permissions Policy</dfn></th>
         <th>Specification</th>
         <th>Requestor Contact</th>
       </tr>
     </thead>
+    <tr>
+        <td>digital-credential</td>
+        <td>digital</td>
+        <td>{{DigitalCredential}}</td>
+        <td>digital-credentials-get</td>
+        <td>null</td>
+        <td>[[DIGITAL-CREDENTIALS]]</td>
+        <td><a href="https://wicg.io/">WICG</a></td>
+    </tr>
     <tr>
         <td>federated</td>
         <td>federated</td>
         <td>{{FederatedCredential}}</td>
+        <td>null</td>
+        <td>null</td>
         <td>This specification: [[#federated]]</td>
         <td><a href="https://www.w3.org/2011/webappsec/">W3C</a></td>
     </tr>
     <tr>
         <td>identity</td>
         <td>identity</td>
         <td>{{IdentityCredential}}</td>
+        <td>[=identity-credentials-get=]</td>
+        <td>null</td>
         <td>[[FEDCM]]</td>
         <td><a href="https://www.w3.org/community/fed-id/">W3C</a></td>
     </tr>
     <tr>
         <td>otp</td>
         <td>otp</td>
         <td>{{OTPCredential}}</td>
+        <td>[=otp-credentials-feature|otp-credentials=]</td>
+        <td>null</td>
         <td>[[WEB-OTP]]</td>
         <td><a href="https://wicg.io/">WICG</a></td>
     </tr>
     <tr>
         <td>password</td>
         <td>password</td>
         <td>{{PasswordCredential}}</td>
+        <td>null</td>
+        <td>null</td>
         <td>This specification: [[#passwords]]</td>
         <td><a href="https://www.w3.org/2011/webappsec/">W3C</a></td>
     </tr>
     <tr>
         <td>public-key</td>
         <td>publicKey</td>
         <td>{{PublicKeyCredential}}</td>
+        <td>[=publickey-credentials-get-feature|publickey-credentials-get=]</td>
+        <td>[=publickey-credentials-create-feature|publickey-credentials-create=]</td>
         <td>[[WEBAUTHN]]</td>
         <td><a href="https://www.w3.org/blog/webauthn/">W3C</a></td>
     </tr>
@@ -382,6 +398,14 @@ spec:css-syntax-3;
   * Each registry entry must state the [=credential type registry/Appropriate Interface Object=] [=identifier=] for the
     [=credential type registry/credential type=].
 
+  * Each registry entry must state the [=credential type registry/Get Permissions Policy=] [=permission=]
+    used when executing <a abstract-op>Request a `Credential`</a> for a
+    [=credential type registry/credential type=], or null if no [=Document/permissions policy=] is specified.
+
+  * Each registry entry must state the [=credential type registry/Create Permissions Policy=] [=permission=]
+    used when executing <a abstract-op>Create a `Credential`</a> for a
+    [=credential type registry/credential type=], or null if no [=Document/permissions policy=] is specified.
+
   * Each registry entry must include a link that references a publicly available specification
     defining the [=credential type registry/credential type=] and the [=dictionary member=] [=identifier=].
 
@@ -950,8 +974,10 @@ spec:css-syntax-3;
 
     1.  Assert: |settings| is a [=secure context=].
 
-    1.  If |settings|'s [=relevant global object=]'s [=associated Document=] is not [=Document/fully active=],
-        then return [=a promise rejected with=] "{{NotAllowedError}}" {{DOMException}}.
+    1.  Let |document| be |settings|'s [=relevant global object=]'s [=associated Document=].
+
+    1.  If |document| is not [=Document/fully active=], then return [=a promise rejected with=]
+        "{{NotAllowedError}}" {{DOMException}}.
 
     1.  If <code>|options|.{{CredentialRequestOptions/signal}}</code> is [=AbortSignal/aborted=],
         then return [=a promise rejected with=]
@@ -965,8 +991,6 @@ spec:css-syntax-3;
             1.  If |interface| does not support {{CredentialMediationRequirement/conditional}}
                 [=user mediation=], return [=a promise rejected with=] a "{{TypeError}}" {{DOMException}}.
 
-    1.  Let |p| be [=a new promise=].
-
     1. For each |interface| in |options|' <a>relevant credential interface objects</a>:
 
         1. If |settings|' [=active credential types=] [=set/contains=] |interface|'s
@@ -983,21 +1007,16 @@ spec:css-syntax-3;
     1.  Let |sameOriginWithAncestors| be `true` if |settings| is [=same-origin with its
         ancestors=], and `false` otherwise.
 
-    1.  If |options|[{{CredentialRequestOptions/identity}}] [=map/exists=] and
-        if |settings|' [=relevant global object=]'s [=associated Document=] is **not**
-        [=allowed to use=] the [=identity-credentials-get=]
-        [=policy-controlled feature=] return [=a promise rejected with=] a "{{NotAllowedError}}"
-        {{DOMException}}.
+    1. For each |interface| in |options|' [=relevant credential interface objects=]:
 
-    1.  If |options|[{{CredentialRequestOptions/publicKey}}] [=map/exists=] and
-        if |settings|' [=relevant global object=]'s [=associated Document=] is **not**
-        [=allowed to use=] the [=publickey-credentials-get-feature|publickey-credentials-get=]
-        [=policy-controlled feature=] return [=a promise rejected with=] a "{{NotAllowedError}}"
-        {{DOMException}}.
+        1. Let |permission| be the |interface|'s {{Credential/[[type]]}} [=credential type registry/Get Permissions Policy=].
 
-        Note: <a const>`password`</a> and <a const>`federated`</a>
-        [=credential type registry/credential types=] are not presently treated as
-        [=policy-controlled features=], although this may change in the future.
+        1. If |permission| is null, continue.
+
+        1. If |document| is **not** [=allowed to use=] |permission|, return
+           [=a promise rejected with=] a "{{NotAllowedError}}" {{DOMException}}.
+
+    1.  Let |p| be [=a new promise=].
 
     1.  Run the following steps [=in parallel=]:
 
@@ -1164,22 +1183,14 @@ spec:css-syntax-3;
 
     1.  Let |global| be |settings|' [=environment settings object/global object=].
 
-    1.  If |settings|'s [=relevant global object=]'s [=associated Document=] is not [=Document/fully active=],
-        then return [=a promise rejected with=] "{{NotAllowedError}}" {{DOMException}}.
+    1.  Let |document| be the [=relevant global object=]'s [=associated Document=].
+
+    1.  If |document| is not [=Document/fully active=], then return
+        [=a promise rejected with=] "{{NotAllowedError}}" {{DOMException}}.
 
     1.  Let |sameOriginWithAncestors| be `true` if the [=current settings object=] is [=same-origin
         with its ancestors=], and `false` otherwise.
 
-    1.  If |options|[{{CredentialCreationOptions/publicKey}}] [=map/exists=] and
-        if |settings|' [=relevant global object=]'s [=associated Document=] is **not**
-        [=allowed to use=] the [=publickey-credentials-create-feature|publickey-credentials-create=]
-        [=policy-controlled feature=] return [=a promise rejected with=] a "{{NotAllowedError}}"
-        {{DOMException}}.
-
-        Note: <a const>`password`</a> and <a const>`federated`</a>
-        [=credential type registry/credential types=] are not presently treated as
-        [=policy-controlled features=], although this may change in the future.
-
     1.  Let |interfaces| be the [=set=] of |options|' <a>relevant credential interface objects</a>.
 
     1.  Return [=a promise rejected with=] `NotSupportedError` if any of the following statements
@@ -1194,6 +1205,15 @@ spec:css-syntax-3;
             types in order to support a "sign-up" use case. For the moment, though, we're punting
             on that by restricting the dictionary to a single entry.
 
+    1. For each |interface| in |interfaces|:
+
+        1. Let |permission| be the |interface|'s {{Credential/[[type]]}} [=credential type registry/Create Permissions Policy=].
+
+        1. If |permission| is null, continue.
+
+        1. If |document| is **not** [=allowed to use=] |permission|, return
+           [=a promise rejected with=] a "{{NotAllowedError}}" {{DOMException}}.
+
     1.  If <code>|options|.{{CredentialRequestOptions/signal}}</code> is [=AbortSignal/aborted=],
         then return [=a promise rejected with=]
         <code>|options|.{{CredentialRequestOptions/signal}}</code>'s [=AbortSignal/abort reason=].