diff --git a/index.bs b/index.bs index e5f847486..f6081d461 100644 --- a/index.bs +++ b/index.bs @@ -5890,6 +5890,10 @@ The attestation certificate MUST have the following fields/extensions: `1.3.6.1.4.1.45724.1.1.4` (`id-fido-gen-ce-aaguid`) MUST be present, containing the AAGUID as a 16-byte OCTET STRING. The extension MUST NOT be marked as critical. + As [=[RPS]=] may not know if the attestation root + certificate is used for multiple authenticator models, it is suggested that [=[RPS]=] check if the extension + is present, and if it is, then validate that it contains that same AAGUID as presented in the [=attestation object=]. + Note that an X.509 Extension encodes the DER-encoding of the value in an OCTET STRING. Thus, the AAGUID MUST be wrapped in two OCTET STRINGS to be valid. Here is a sample, encoded Extension structure:
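Review bot: the added sentence uses non-normative wording ("it is suggested that") in a paragraph that otherwise uses RFC 2119 keywords, and it leaves the outcome of a mismatch unspecified; consider "[=[RPS]=] SHOULD check whether the extension is present and, if it is, verify that the AAGUID it contains matches the AAGUID in the [=attestation object=]; a mismatch means the attestation is not valid" so implementers know the check is a verification step with a failure result rather than advisory. Also, "check if the extension is present" reads oddly directly after a line stating the extension "MUST be present"; if the intent is that the requirement only applies when the root certificate covers multiple authenticator models (the motivation given at the start of the added sentence), say so explicitly so the two statements do not appear to conflict. Minor: "contains that same AAGUID" should be "contains the same AAGUID".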