Commit
Added simplified text based on feedback
dwaite committed Sep 18, 2024
1 parent e9a482a commit 39733f0
Showing 1 changed file with 2 additions and 11 deletions.
13 changes: 2 additions & 11 deletions index.bs
Expand Up @@ -3871,7 +3871,7 @@ Note: The {{AttestationConveyancePreference}} enumeration is deliberately not re
:: The [=[RP]=] wants to receive the [=attestation statement=] as generated by the [=authenticator=].

: <dfn>enterprise</dfn>
:: The [=[RP]=] wants to receive an [=attestation statement=] that may include uniquely identifying information. This is intended for controlled deployments within an enterprise where the organization wishes to tie registrations to specific authenticators. User agents MUST NOT provide such an attestation unless the user agent or authenticator configuration permits it for the requested [=RP ID=].
:: The [=[RP]=] wants to receive an enterprise attestation, which is an [=attestation statement=] that may include information which uniquely identifies the authenticator. This is intended for controlled deployments within an enterprise where the organization wishes to tie registrations to specific authenticators. User agents MUST NOT provide such an attestation unless the user agent or authenticator configuration permits it for the requested [=RP ID=].

If permitted, the user agent SHOULD signal to the authenticator (at [invocation time](#CreateCred-InvokeAuthnrMakeCred)) that enterprise attestation is requested, and convey the resulting [=/AAGUID=] and [=attestation statement=], unaltered, to the [=[RP]=].
</div>
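Review bot: the new definition line introduces the term "enterprise attestation" in running text without marking it as a definition, so the later "enterprise attestation is requested" sentence in this same block (and the section on enterprise packed attestation certificate requirements) cannot link to it; since the file already uses `<dfn>enterprise</dfn>` for the enum value, consider wrapping the term, e.g. `an <dfn>enterprise attestation</dfn>, which is an [=attestation statement=] that may include ...`. Minor: "information which uniquely identifies the authenticator" reads better as "information that uniquely identifies the authenticator".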
Expand Down Expand Up @@ -6460,16 +6460,7 @@ The attributes above are structured within this certificate as such:

### Certificate Requirements for Enterprise Packed Attestation Statements ### {#sctn-enterprise-packed-attestation-cert-requirements}

There are two potential sources for enterprise attestations in Packed format.

1. Attestation statements from a hardware device, which was manufactured with the statement and a corresponding private key.
2. Attestation statements which have been provisioned, such as a platform authenticator configured via managed policy.

For attestation statements provided at manufacturing, the Extension OID `1.3.6.1.4.1.45724.1.1.2` (`id-fido-gen-ce-sernum`)
MUST be present, containing a unique serial number for the device as an OCTET STRING. The extension MUST NOT be marked as critical.

As enterprise attestations are normally consumed by [=[RPS]=] which are looking for particular authenticators,
there MAY be additional extensions used to convey information based on prior agreement.
The Extension OID `1.3.6.1.4.1.45724.1.1.2` ( `id-fido-gen-ce-sernum` ) MAY additionally be present in packed attestations for enterprise use. If present, this extension MUST indicate a unique octet string value per device against a particular AAGUID. This value MUST remain constant through factory resets, but MAY be distinct from any other serial number or other hardware identifier associated with the device. This extension MUST NOT be marked as critical, and the corresponding value is encoded as an OCTET STRING. This extension MUST NOT be present in non-enterprise attestations.

## TPM Attestation Statement Format ## {#sctn-tpm-attestation}

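Review bot: the replacement drops the MUST that previously required `id-fido-gen-ce-sernum` in attestation statements provisioned at manufacturing and makes the extension a MAY for every enterprise packed attestation, so a [=[RP]=] that relied on a manufactured hardware authenticator carrying a serial number no longer has that guarantee; if the relaxation is intended, say so explicitly, because with the two-source list removed an RP also has no way to tell a manufactured statement from a policy-provisioned one, and otherwise keep the MUST for the hardware case. Two smaller points on the new paragraph: "a unique octet string value per device against a particular AAGUID" should state the uniqueness scope plainly (unique among devices that share that AAGUID), and the spaces inside "( `id-fido-gen-ce-sernum` )" differ from the "(`id-fido-gen-ce-sernum`)" form used in the deleted line above.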

0 comments on commit 39733f0