Shane Weeden

> Because the webauthn spec does _NOT_ direct RP's to store the UV bit from the registration ceremony in the credential because it is _per ceremony_ instead. I don't think...

Agree with @nadalin - the adoption community is the right place for this discussion. I do have a POV on the scenario: I would not try and implement such a...

Two suggestions from out of band discussion with @Firstyear for non-normative changes that would help RP developers: 1. Step 16 of [Registering a New Credential](https://w3c.github.io/webauthn/#sctn-registering-a-new-credential) may be best moved to...

@Firstyear - I think we could leave the issue open and just close the PR if you want to track the items above.

The credProps extension was initially headed down this path and then brought back to a more narrow use case...

An authenticator selection criteria perhaps....

Actually I think there is room for expansion of the [AuthenticatorSelectionCriteria](https://www.w3.org/TR/webauthn-2/#dictdef-authenticatorselectioncriteria) to be more explicit as to what the RP wants or requires. For example, you could imagine additional criteria...

I also think the existing credProps extension could be used as a means for the client to indicate (to RP's that are not being prescriptive on cloud vs device-bound) what...

I believe this is closely related to #1688

Perhaps wild suggestion. If an RP requests direct attestation, why wouldn't the platforms offer a device-bound credential in this case?