diff --git a/index.bs b/index.bs index de366a567..0b8093de3 100644 --- a/index.bs +++ b/index.bs @@ -1662,7 +1662,6 @@ that are returned to the caller when a new credential is created, or a new asser required Base64URLString authenticatorData; required Base64URLString signature; Base64URLString userHandle; - Base64URLString attestationObject; }; dictionary AuthenticationExtensionsClientOutputsJSON { @@ -4727,10 +4726,6 @@ It takes the following input parameters: wish to make a [=test of user presence=] optional although WebAuthn does not. : |requireUserVerification| :: The [=effective user verification requirement for assertion=], a Boolean value provided by the client. -: |enterpriseAttestationPossible| -:: A Boolean value that indicates that individually-identifying attestation MAY be returned by the authenticator. -: |attestationFormats| -:: A sequence of strings that expresses the [=[RP]=]'s preference for attestation statement formats, from most to least preferable. If the [=authenticator=] returns [=attestation=], then it makes a best-effort attempt to use the most preferable format that it supports. : |extensions| :: A [=CBOR=] [=map=] from [=extension identifiers=] to their [=authenticator extension inputs=], created by the client based on the extensions requested by the [=[RP]=], if any. @@ -4776,17 +4771,9 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o which approach is implemented by the [=authenticator=], by some positive value. If the [=authenticator=] does not implement a [=signature counter=], let the [=signature counter=] value remain constant at zero. -1. If |attestationFormats|: -
- : is [=list/is not empty|not empty=] - :: let |attestationFormat| be the first supported [=attestation statement format=] from |attestationFormats|, taking into account |enterpriseAttestationPossible|. If none are supported, fallthrough to: - - : is [=list/is empty|empty=] - :: let |attestationFormat| be the [=attestation statement format=] most preferred by this authenticator. If it does not support attestation during assertion then let this be `none`. -
1. Let |authenticatorData| [=perform the following steps to generate an authenticator data structure|be the byte array=] specified in [[#sctn-authenticator-data]] including |processedExtensions|, if any, as - the [=authData/extensions=] and excluding [=attestedCredentialData=]. This |authenticatorData| MUST include [=attested credential data=] if, and only if, |attestationFormat| is not `none`. + the [=authData/extensions=] and excluding [=attestedCredentialData=]. 1. Let |signature| be the [=assertion signature=] of the concatenation |authenticatorData| || |hash| using the [=public key credential source/privateKey=] of |selectedCredential| as shown in Figure , below. A simple, undelimited @@ -4798,11 +4785,8 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
Generating an [=assertion signature=].
-1. The |attestationFormat| is not `none` then create an [=attestation object=] for the new credential using the procedure specified in - [[#sctn-generating-an-attestation-object]], the [=attestation statement format=] |attestationFormat|, and the values |authenticatorData| - and |hash|, as well as {{enterprise|taking into account}} the value of |enterpriseAttestationPossible|. For more details on attestation, see [[#sctn-attestation]]. - -1. If any error occurred then return an error code equivalent to "{{UnknownError}}" and terminate the operation. +1. If any error occurred while generating the [=assertion signature=], return an error code equivalent to "{{UnknownError}}" and + terminate the operation.
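Review bot: dropping `attestationObject` from the assertion-response JSON dictionary (hunk @@ -1662) is only half of the change; the JSON dictionary exists to mirror the members of the corresponding response interface, and the JSON serialization and parsing steps enumerate its members by name. Confirm that the non-JSON `attestationObject` member and any `toJSON()` / parse step that copies it are removed in the same change, otherwise the spec will reference a member that no longer exists on one side of the conversion.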
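Review bot: removing |enterpriseAttestationPossible| and |attestationFormats| from the authenticatorGetAssertion input list (hunk @@ -4727) changes the operation's signature, but the diff does not touch the client-side get() algorithm that invokes it and passes these inputs by name. Every invocation that still supplies them, and any text that defines how the client derives these two values for the assertion case, must be updated together with this hunk, or the spec invokes an operation with arguments it no longer declares.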
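Review bot: with the |attestationFormat| selection step and the clause "This |authenticatorData| MUST include [=attested credential data=] if, and only if, |attestationFormat| is not `none`" deleted (hunk @@ -4776), the only remaining statement about attested credential data in the assertion path is the descriptive "and excluding [=attestedCredentialData=]". Since the deleted sentence was normative, consider replacing it with an equally normative one, e.g. "This |authenticatorData| MUST NOT include [=attested credential data=]", so that an authenticator that still emits attested credential data in an assertion is clearly non-conforming rather than merely unexpected.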
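Review bot: the rewritten error step (hunk @@ -4798) narrows its scope. The removed line read "If any error occurred then return an error code equivalent to "{{UnknownError}}" and terminate the operation", which covered every preceding step, including building |authenticatorData| with |processedExtensions| and incrementing the [=signature counter=]; the replacement "If any error occurred while generating the [=assertion signature=]" leaves errors in those earlier steps with no stated handling. Suggest keeping the original wording, or rewording to "If any error occurred in the preceding steps, return an error code equivalent to "{{UnknownError}}" and terminate the operation." so the deletion of the attestation-object step does not silently drop error coverage for the rest of the operation.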