From d13f46a06ba267d9633e5f86132de8e7818faa1c Mon Sep 17 00:00:00 2001 From: Shane Weeden Date: Wed, 22 Nov 2023 10:32:57 +1000 Subject: [PATCH] Clarify validation step for packed attestation certificate for RPs. Addresses #1998 --- index.bs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/index.bs b/index.bs index e5f847486..f917ca36a 100644 --- a/index.bs +++ b/index.bs @@ -5888,7 +5888,9 @@ The attestation certificate MUST have the following fields/extensions: - If the related attestation root certificate is used for multiple authenticator models, the Extension OID `1.3.6.1.4.1.45724.1.1.4` (`id-fido-gen-ce-aaguid`) MUST be present, containing the AAGUID as a 16-byte OCTET STRING. - The extension MUST NOT be marked as critical. + The extension MUST NOT be marked as critical. As [=Relying Parties=] may not know if the attestation root + certificate is used for multiple authenticator models, it is suggested that [=Relying Parties=] check if the extension + is present, and if it is, then validate that it contains that same AAGUID as presented in the [=attestation object=]. Note that an X.509 Extension encodes the DER-encoding of the value in an OCTET STRING. Thus, the AAGUID MUST be wrapped in two OCTET STRINGS to be valid. Here is a sample, encoded Extension structure:
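Review bot: "validate that it contains that same AAGUID" in the third added line reads as a typo for "the same AAGUID"; suggest "verify that the AAGUID it contains matches the AAGUID in the [=attestation object=]". Two further points on the same added sentence. First, the surrounding text uses RFC 2119 keywords ("MUST be present", "MUST NOT be marked as critical"), so "it is suggested that [=Relying Parties=] check" is a weaker, non-normative register than its neighbours; if the intent is a recommendation, "[=Relying Parties=] SHOULD check" would be consistent with the rest of the paragraph, and if it is only advisory the sentence may fit better as a Note. Second, the unchanged context line immediately after the hunk explains that the AAGUID is wrapped in two OCTET STRINGs; the added check would be clearer if it said which value is compared, e.g. "verify that the inner OCTET STRING's 16 bytes equal the AAGUID in the [=attestation object=]", so an implementer does not compare the raw extension value (outer wrapper included) against the 16-byte AAGUID and always fail.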