From c39954b06957559f329deef4f7b59a306e8d867c Mon Sep 17 00:00:00 2001 From: Alexei Czeskis Date: Fri, 23 Sep 2016 14:42:09 -0700 Subject: [PATCH] Adds optional transport hints to CredentialDescription (#194) * Adds optional transport hints to CredentialDescription Resolves #6 --- index.bs | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/index.bs b/index.bs index f5c0eb0a2..f7bba2cc2 100644 --- a/index.bs +++ b/index.bs @@ -415,12 +415,14 @@ When this method is invoked, the user agent MUST execute the following algorithm 8. Use {{attestationChallenge}}, |callerOrigin| and |rpId|, along with the token binding key associated with |callerOrigin| (if any), to create a {{ClientData}} structure representing this request. Choose a hash algorithm for {{ClientData/hashAlg}} and compute the clientDataJSON and clientDataHash. - + 9. Initialize |issuedRequests| to an empty list. 10. For each authenticator currently available on this platform: asynchronously invoke the authenticatorMakeCredential operation on that authenticator with |rpIdHash|, clientDataHash, {{accountInformation}}, |normalizedParameters|, {{ScopedCredentialOptions/excludeList}} and |clientExtensions| as parameters. Add a corresponding entry to |issuedRequests|. + - For each credential C in {{ScopedCredentialOptions/excludeList}} that has a non-empty |transports| list, optionally use + only the specified transports to test for the existence of C. 11. While |issuedRequests| is not empty, perform the following actions depending upon the |adjustedTimeout| timer and responses from the authenticators: 
@@ -495,6 +497,8 @@ When this method is invoked, the user agent MUST execute the following algorithm platform-specific procedure to determine which, if any, credentials listed in {{AssertionOptions/allowList}} might be present on this authenticator, and set |credentialList| to this filtered list. If no such filtering is possible, set |credentialList| to an empty list. + - For each credential C within the |credentialList| that has a non-empty |transports| list, optionally use only the + specified transports to get assertions using credential C. - If the above filtering process concludes that none of the credentials on {{AssertionOptions/allowList}} can possibly be on this authenticator, do not perform any of the following steps for this authenticator, and proceed to the next authenticator (if any). @@ -840,6 +844,7 @@ by the caller to select a credential for use. dictionary ScopedCredentialDescription { required ScopedCredentialType type; required BufferSource id; + sequence < Transport > transports; }; @@ -854,6 +859,32 @@ these methods. +### Credential Transport enumeration (enum ExternalTransport) ### {#transport} + +
+    enum Transport {
+        "usb",
+        "nfc",
+        "ble"
+    };
+
+ +
+ This enumeration defines the valid transports over which a client might + look for an Authenticator that can provide an assertion for the respective + credential. Note that these are a hint from the Relying Party to the + client as to its best belief of how an authenticator may be reached. + +
+ + ### Cryptographic Algorithm Identifier (type {{AlgorithmIdentifier}}) ### {#alg-identifier} A string or dictionary identifying a cryptographic algorithm and optionally a set of parameters for that algorithm. This type is
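Review bot: in the new sub-bullet under step 10 of the first hunk, "optionally use only the specified transports to test for the existence of C" does not say what happens when the hinted transports do not reach the authenticator. Since the last hunk describes |transports| as a hint from the Relying Party, a client that honours it strictly can fail to detect an excluded credential that lives on an authenticator reachable only over an unlisted transport, which defeats the purpose of {{ScopedCredentialOptions/excludeList}}. Suggest adding a sentence such as "If the hinted transports yield no result, the client MAY repeat the check over all transports it supports." Also, the first `-`/`+` pair in this hunk changes only a blank line; drop it so the diff contains only the substantive change.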
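Review bot: in the second hunk, the new sub-bullet under the |credentialList| filtering step says "get assertions using credential C", but the surrounding step is about deciding which credentials might be present on the authenticator, not about obtaining assertions; reword to match, e.g. "use only the specified transports when querying this authenticator for credential C". As with the excludeList hunk, state explicitly whether a client that finds nothing over the hinted transports should retry over the others; without that, a stale or wrong hint turns a usable credential into a failed sign-in with no signal back to the Relying Party.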
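Review bot: in the third hunk, `sequence < Transport > transports;` has spaces inside the angle brackets; write it as `sequence<Transport> transports;`. The new member is not described anywhere in the hunk, unlike the `required` members around it; add a dictionary-member description stating that it is optional, that an absent or empty list means "no hint" (all transports may be tried), and that values the client does not recognise are ignored rather than treated as an error, so that a Relying Party adding a future transport value does not break older clients.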
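Review bot: in the last hunk, the heading reads `enum ExternalTransport` while the IDL block defines `enum Transport` and the dictionary member in the previous hunk references `Transport`; make the heading say `enum Transport` so the {#transport} section and the Bikeshed reference agree. The three values "usb", "nfc" and "ble" have no per-value text; a one-line description of each, in the same style as the other enumerations in index.bs, would help implementers. Minor: "Authenticator" is capitalised mid-sentence in the descriptive paragraph where the rest of the patch writes "authenticator".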