Add a hints element for both create and get.

index.bs

@@ -1903,6 +1903,8 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
  [=authenticators=] can be <a href="https://en.wikipedia.org/w/index.php?title=Hot_plug">hot-plugged</a> into (e.g., via USB)
  or discovered (e.g., via NFC or Bluetooth) by the [=client=] by various mechanisms, or permanently built into the [=client=].
 
+1. Consider the value of {{PublicKeyCredentialCreationOptions/hints}} and craft the user interface accordingly, as the user-agent sees fit.
+
 1. Start |lifetimeTimer|.
 
 <!-- Note: this next step is actually a top-level step, but bikeshed wanted it indented this much in order to render it as
@@ -2372,6 +2374,8 @@ When this method is invoked, the user agent MUST execute the following algorithm
 
 1. Let |silentlyDiscoveredCredentials| be a new [=map=] whose [=map/entry|entries=] are of the form: [=DiscoverableCredentialMetadata=] → [=authenticator=].
 
+1. Consider the value of {{PublicKeyCredentialRequestOptions/hints}} and craft the user interface accordingly, as the user-agent sees fit.
+
 1. Start |lifetimeTimer|.
 
 1. [=While=] |lifetimeTimer| has not expired, perform the following actions depending upon |lifetimeTimer|,
@@ -2845,6 +2849,7 @@ value and terminate the operation.
  unsigned long timeout;
  sequence<PublicKeyCredentialDescriptorJSON> excludeCredentials = [];
  AuthenticatorSelectionCriteria authenticatorSelection;
+ sequence<DOMString> hints = [];
  DOMString attestation = "none";
  sequence<DOMString> attestationFormats = [];
  AuthenticationExtensionsClientInputsJSON extensions;
@@ -2902,6 +2907,7 @@ value and terminate the operation.
  DOMString rpId;
  sequence<PublicKeyCredentialDescriptorJSON> allowCredentials = [];
  DOMString userVerification = "preferred";
+ sequence<DOMString> hints = [];
  DOMString attestation = "none";
  sequence<DOMString> attestationFormats = [];
  AuthenticationExtensionsClientInputsJSON extensions;
@@ -3072,6 +3078,7 @@ optionally evidence of [=user consent=] to a specific transaction.
  unsigned long timeout;
  sequence<PublicKeyCredentialDescriptor> excludeCredentials = [];
  AuthenticatorSelectionCriteria authenticatorSelection;
+ sequence<DOMString> hints = [];
  DOMString attestation = "none";
  sequence<DOMString> attestationFormats = [];
  AuthenticationExtensionsClientInputs extensions;
@@ -3141,6 +3148,9 @@ optionally evidence of [=user consent=] to a specific transaction.
  that the [=authenticator=] MUST or SHOULD satisfy to participate in the {{CredentialsContainer/create()}} operation.
  See [[#dictionary-authenticatorSelection]].
 
+ : <dfn>hints</dfn>
+ :: This OPTIONAL member contains zero or more elements from {{PublicKeyCredentialHints}} to guide the user agent in interacting with the user. Note that the elements have type `DOMString` despite being taken from that enumeration. See [[#sct-domstring-backwards-compatibility]].
+
  : <dfn>attestation</dfn>
  :: The [=[RP]=] MAY use this OPTIONAL member to specify a preference regarding [=attestation conveyance=].
  Its value SHOULD be a member of {{AttestationConveyancePreference}}.
@@ -3461,6 +3471,7 @@ an assertion. Its {{PublicKeyCredentialRequestOptions/challenge}} member MUST be
  USVString rpId;
  sequence<PublicKeyCredentialDescriptor> allowCredentials = [];
  DOMString userVerification = "preferred";
+ sequence<DOMString> hints = [];
  DOMString attestation = "none";
  sequence<DOMString> attestationFormats = [];
  AuthenticationExtensionsClientInputs extensions;
@@ -3524,6 +3535,9 @@ an assertion. Its {{PublicKeyCredentialRequestOptions/challenge}} member MUST be
 
  See {{UserVerificationRequirement}} for the description of {{AuthenticatorSelectionCriteria/userVerification}}'s values and semantics.
 
+ : <dfn>hints</dfn>
+ :: This OPTIONAL member contains zero or more elements from {{PublicKeyCredentialHints}} to guide the user agent in interacting with the user. Note that the elements have type `DOMString` despite being taken from that enumeration. See [[#sct-domstring-backwards-compatibility]].
+
  : <dfn>attestation</dfn>
  :: The [=[RP]=] MAY use this OPTIONAL member to specify a preference regarding [=attestation conveyance=].
  Its value SHOULD be a member of {{AttestationConveyancePreference}}.
@@ -3980,6 +3994,41 @@ Note: The {{UserVerificationRequirement}} enumeration is deliberately not refere
 </div>
 
 
+### User-agent Hints Enumeration (enum <dfn enum>PublicKeyCredentialHints</dfn>) ### {#enum-hints}
+
+<xmp class="idl">
+ enum PublicKeyCredentialHints {
+ "security-key",
+ "client-device",
+ "hybrid",
+ };
+</xmp>
+
+Note: The {{PublicKeyCredentialHints}} enumeration is deliberately not referenced, see [[#sct-domstring-backwards-compatibility]].
+
+<div dfn-type="enum-value" dfn-for="PublicKeyCredentialHints">
+ [=[WRPS]=] may use this enumeration to communicate hints to the user-agent about how a request may be best completed. These hints are not requirements, and do not bind the user-agent, but may guide it in providing the best experience by using contextual information that the [=[RP]=] has about the request. Hints are provided in order of decreasing preference so, if two hints are contradictory, the first one controls. Hints may also overlap: if a more-specific hint is defined a [=[RP]=] may still wish to send less specific ones for user-agents that may not recognise the more specific one. In this case the most specific hint should be sent before the less-specific ones.
+
+ Hints MAY contradict information contained in credential {{PublicKeyCredentialDescriptor/transports}} and {{AuthenticatorSelectionCriteria/authenticatorAttachment}}. When this occurs, the hints take precedence. (Note that {{PublicKeyCredentialDescriptor/transports}} values are not provided when using [=discoverable credentials=], leaving hints as the only avenue for expressing some aspects of such a request.)
+
+ : <dfn>security-key</dfn>
+ :: Indicates that the [=[RP]=] believes that users will satisfy this request with a physical security key. For example, an enterprise [=[RP]=] may set this hint if they have issued security keys to their employees and will only accept those [=authenticators=] for [=registration ceremony|registration=] and [=authentication ceremony|authentication=].
+
+ For compatibility with older user agents, when this hint is used in {{PublicKeyCredentialCreationOptions}}, the {{AuthenticatorSelectionCriteria/authenticatorAttachment}} SHOULD be set to {{AuthenticatorAttachment/cross-platform}}.
+
+ : <dfn>client-device</dfn>
+ :: Indicates that the [=[RP]=] believes that users will satisfy this request with a [=platform authenticator=] attached to the [=client device=].
+
+ For compatibility with older user agents, when this hint is used in {{PublicKeyCredentialCreationOptions}}, the {{AuthenticatorSelectionCriteria/authenticatorAttachment}} SHOULD be set to {{AuthenticatorAttachment/platform}}.
+
+ : <dfn>hybrid</dfn>
+ :: Indicates that the [=[RP]=] believes that users will satisfy this request with general-purpose [=authenticators=] such as smartphones. For example, a consumer [=[RP]=] may believe that only a small fraction of their customers possesses dedicated security keys. This option also implies that the local [=platform authenticator=] should not be promoted in the UI.
+
+ For compatibility with older user agents, when this hint is used in {{PublicKeyCredentialCreationOptions}}, the {{AuthenticatorSelectionCriteria/authenticatorAttachment}} SHOULD be set to {{AuthenticatorAttachment/cross-platform}}.
+
+</div>
+
+
 ## Permissions Policy integration ## {#sctn-permissions-policy}
 
 This specification defines two [=policy-controlled features=] identified by