w3c
diff --git a/‎index.bs
+43-21 b/‎index.bs
+43-21
@@ -302,7 +302,7 @@ spec:html; type:dfn; for:environment settings object; text:global object
 spec:infra; type:dfn; for:/; text:set
 spec:infra; type:dfn; text:list
 spec:infra; type:dfn; for:struct; text:item
-spec:infra; type:dfn; for:map-exists; text:exists
+spec:infra; type:dfn; for:map; text:exists
 spec:url; type:dfn; text:domain
 spec:url; type:dfn; for:url; text:host
 spec:url; type:dfn; text:valid domain;
@@ -806,6 +806,16 @@ would be obtained by the specification's algorithms.
 A conforming User Agent MUST also be a conforming implementation of the IDL fragments of this specification, as described in the
 “Web IDL” specification. [[!WebIDL]]
 
+### Enumerations as DOMString types ### {#sct-domstring-backwards-compatibility}
+
+Enumeration types are not referenced by other parts of the Web IDL because that
+would preclude other values from being used without updating this specification
+and its implementations. It is important for backwards compatibility that
+[=client platforms=] and [=[RPS]=] handle unknown values. Enumerations for this
+specification exist here for documentation and as a registry. Where the
+enumerations are represented elsewhere, they are typed as {{DOMString}}s, for
+example in {{PublicKeyCredentialDescriptor/transports}}.
+
 ## Authenticators ## {#sctn-conforming-authenticators}
 
 A [=[WAA]=] MUST provide the operations defined by [[#sctn-authenticator-model]], and those operations MUST behave as
@@ -1826,7 +1836,7 @@ a numbered step. If outdented, it (today) is rendered either as a bullet in the
                         ::  |attestationObject|
 
                         :   {{AuthenticatorAttestationResponse/[[transports]]}}
-                        ::  A sequence of zero or more unique {{DOMString}}s, in lexicographical order, that the |authenticator| is believed to support. The values SHOULD be members of {{AuthenticatorTransport}}.
+                        ::  A sequence of zero or more unique {{DOMString}}s, in lexicographical order, that the |authenticator| is believed to support. The values SHOULD be members of {{AuthenticatorTransport}}, but [=client platforms=] MUST ignore unknown values.
 
                             If a user agent does not wish to divulge this information it MAY substitute an arbitrary sequence designed to preserve privacy. This sequence MUST still be valid, i.e. lexicographically sorted and free of duplicates. For example, it may use the empty sequence. Either way, in this case the user agent takes the risk that [=[RP]=] behavior may be suboptimal.
 
@@ -2354,7 +2364,7 @@ during registration.
     ::  This operation returns the {{COSEAlgorithmIdentifier}} of the new credential. See [[#sctn-public-key-easy]].
 
     :   <dfn>\[[transports]]</dfn>
-    ::  This [=internal slot=] contains a sequence of zero or more unique {{DOMString}}s in lexicographical order. These values are the transports that the [=authenticator=] is believed to support, or an empty sequence if the information is unavailable. The values SHOULD be members of {{AuthenticatorTransport}} but [=[RPS]=] MUST accept unknown values.
+    ::  This [=internal slot=] contains a sequence of zero or more unique {{DOMString}}s in lexicographical order. These values are the transports that the [=authenticator=] is believed to support, or an empty sequence if the information is unavailable. The values SHOULD be members of {{AuthenticatorTransport}} but [=[RPS]=] MUST ignore unknown values.
 </div>
 
 #### Easily accessing credential data #### {#sctn-public-key-easy}
@@ -2413,7 +2423,7 @@ optionally evidence of [=user consent=] to a specific transaction.
 
 <xmp class="idl">
     dictionary PublicKeyCredentialParameters {
-        required PublicKeyCredentialType      type;
+        required DOMString                    type;
         required COSEAlgorithmIdentifier      alg;
     };
 </xmp>
@@ -2422,7 +2432,7 @@ optionally evidence of [=user consent=] to a specific transaction.
     This dictionary is used to supply additional parameters when creating a new credential.
 
     :   <dfn>type</dfn>
-    ::  This member specifies the type of credential to be created.
+    ::  This member specifies the type of credential to be created. The value SHOULD be a member of {{PublicKeyCredentialType}} but [=client platforms=] MUST ignore unknown values, ignoring any {{PublicKeyCredentialParameters}} with an unknown {{PublicKeyCredentialParameters/type}}.
 
     :   <dfn>alg</dfn>
     ::  This member specifies the cryptographic signature algorithm with which the newly generated credential will be used, and
@@ -2493,7 +2503,7 @@ optionally evidence of [=user consent=] to a specific transaction.
     :   <dfn>attestation</dfn>
     ::  This member is intended for use by [=[RPS]=] that wish to express their preference for [=attestation conveyance=].
         Its values SHOULD be members of {{AttestationConveyancePreference}}.
-        [=Client platforms=] MUST ignore unknown values.
+        [=Client platforms=] MUST ignore unknown values, treating an unknown value as if the [=map/exist|member does not exist=].
         Its default value is "none".
 
     :   <dfn>extensions</dfn>
@@ -2620,17 +2630,17 @@ attributes.
 
 <xmp class="idl">
     dictionary AuthenticatorSelectionCriteria {
-        AuthenticatorAttachment      authenticatorAttachment;
+        DOMString                    authenticatorAttachment;
         boolean                      requireResidentKey = false;
-        ResidentKeyRequirement       residentKey;
-        UserVerificationRequirement  userVerification = "preferred";
+        DOMString                    residentKey;
+        DOMString                    userVerification = "preferred";
     };
 </xmp>
 
 <div dfn-type="dict-member" dfn-for="AuthenticatorSelectionCriteria">
     :   <dfn>authenticatorAttachment</dfn>
     ::  If this member is [=present|present=], eligible authenticators are filtered to only authenticators attached with the
-        specified [[#enum-attachment]].
+        specified [[#enum-attachment]]. The value SHOULD be a member of {{AuthenticatorAttachment}} but [=client platforms=] MUST ignore unknown values, treating an unknown value as if the [=map/exist|member does not exist=].
 
     :   <dfn>requireResidentKey</dfn>
     ::  Note: This member is retained for backwards compatibility with WebAuthn Level 1 but is deprecated in favour of {{residentKey}}.
@@ -2645,12 +2655,12 @@ attributes.
     ::  Note: This member supersedes {{requireResidentKey}}. If both are present and the [=client=] understands {{residentKey}}, then
         {{residentKey}} is used and {{requireResidentKey}} is ignored.
 
-        See {{ResidentKeyRequirement}} for the description of {{residentKey}}'s values and semantics.
+        The value SHOULD be a member of {{ResidentKeyRequirement}} but [=client platforms=] MUST ignore unknown values, treating an unknown value as if the [=map/exist|member does not exist=]. See {{ResidentKeyRequirement}} for the description of {{residentKey}}'s values and semantics.
 
     :   <dfn>userVerification</dfn>
     ::  This member describes the [=[RP]=]'s requirements regarding [=user verification=] for the
         {{CredentialsContainer/create()}} operation. Eligible authenticators are filtered to only those capable of satisfying this
-        requirement.
+        requirement. The value SHOULD be a member of {{UserVerificationRequirement}} but [=client platforms=] MUST ignore unknown values, treating an unknown value as if the [=map/exist|member does not exist=].
 </div>
 
 
@@ -2668,6 +2678,8 @@ to [[#sctn-createCredential|create a credential]].
     };
 </xmp>
 
+Note: The {{AuthenticatorAttachment}} enumeration is deliberately not referenced, see [[#sct-domstring-backwards-compatibility]].
+
 <div dfn-type="enum-value" dfn-for="AuthenticatorAttachment">
     :   <dfn>platform</dfn>
     ::  This value indicates [=platform attachment=].
@@ -2694,6 +2706,8 @@ credential|credentials=]. The [=client=] and user will then use whichever is ava
     };
 </xmp>
 
+Note: The {{ResidentKeyRequirement}} enumeration is deliberately not referenced, see [[#sct-domstring-backwards-compatibility]].
+
 This enumeration's values describe the [=[RP]=]'s requirements for [=client-side discoverable credentials=] (formerly known as [=resident credentials=] or [=resident keys=]):
 
 <div dfn-type="enum-value" dfn-for="ResidentKeyRequirement">
@@ -2731,6 +2745,8 @@ during credential generation.
     };
 </xmp>
 
+Note: The {{AttestationConveyancePreference}} enumeration is deliberately not referenced, see [[#sct-domstring-backwards-compatibility]].
+
 <div dfn-type="enum-value" dfn-for="AttestationConveyancePreference">
     :   <dfn>none</dfn>
     ::  This value indicates that the [=[RP]=] is not interested in [=authenticator=] [=attestation=]. For example, in order to
@@ -2770,7 +2786,7 @@ an assertion. Its {{PublicKeyCredentialRequestOptions/challenge}} member MUST be
         unsigned long                        timeout;
         USVString                            rpId;
         sequence<PublicKeyCredentialDescriptor> allowCredentials = [];
-        UserVerificationRequirement          userVerification = "preferred";
+        DOMString                            userVerification = "preferred";
         AuthenticationExtensionsClientInputs extensions;
     };
 </xmp>
@@ -2796,8 +2812,7 @@ an assertion. Its {{PublicKeyCredentialRequestOptions/challenge}} member MUST be
 
     :   <dfn>userVerification</dfn>
     ::  This OPTIONAL member describes the [=[RP]=]'s requirements regarding [=user verification=] for the
-        {{CredentialsContainer/get()}} operation. Eligible authenticators are filtered to only those capable of satisfying this
-        requirement.
+        {{CredentialsContainer/get()}} operation. The value SHOULD be a member of {{UserVerificationRequirement}} but [=client platforms=] MUST ignore unknown values, treating an unknown value as if the [=map/exist|member does not exist=]. Eligible authenticators are filtered to only those capable of satisfying this requirement.
 
     :   <dfn>extensions</dfn>
     ::  This OPTIONAL member contains additional parameters requesting additional processing by the client and authenticator.
@@ -2896,7 +2911,7 @@ Note: The {{CollectedClientData}} may be extended in the future. Therefore it's
     };
 
     dictionary TokenBinding {
-        required TokenBindingStatus status;
+        required DOMString status;
         DOMString id;
     };
 
@@ -2927,7 +2942,7 @@ Note: The {{CollectedClientData}} may be extended in the future. Therefore it's
 
         <div dfn-type="dict-member" dfn-for="TokenBinding">
             :   <dfn>status</dfn>
-            ::  This member is one of the following:
+            ::  This member SHOULD be a member of {{TokenBindingStatus}} but [=client platforms=] MUST ignore unknown values, treating an unknown value as if the {{CollectedClientData/tokenBinding}} [=map/exist|member does not exist=]. When known, this member is one of the following:
 
                 <div dfn-type="enum-value" dfn-for="TokenBindingStatus">
                     :   <dfn>supported</dfn>
@@ -2938,6 +2953,8 @@ Note: The {{CollectedClientData}} may be extended in the future. Therefore it's
                         {{TokenBinding/id}} member MUST be present.
                 </div>
 
+                Note: The {{TokenBindingStatus}} enumeration is deliberately not referenced, see [[#sct-domstring-backwards-compatibility]].
+
             :   <dfn>id</dfn>
             ::  This member MUST be present if {{TokenBinding/status}} is {{TokenBindingStatus/present}}, and MUST be a [=base64url
                 encoding=] of the [=Token Binding ID=] that was used when communicating with the [=[RP]=].
@@ -3055,20 +3072,23 @@ If additional fields are added to {{CollectedClientData}} then verifiers that em
     };
 </xmp>
 
+Note: The {{PublicKeyCredentialType}} enumeration is deliberately not referenced, see [[#sct-domstring-backwards-compatibility]].
+
 <div dfn-type="enum-value" dfn-for="PublicKeyCredentialType">
     This enumeration defines the valid credential types. It is an extension point; values can be added to it in the future, as
     more credential types are defined. The values of this enumeration are used for versioning the Authentication Assertion and
     attestation structures according to the type of the authenticator.
 
     Currently one credential type is defined, namely "<dfn>public-key</dfn>".
+
 </div>
 
 
 ### Credential Descriptor (dictionary <dfn dictionary>PublicKeyCredentialDescriptor</dfn>) ### {#dictionary-credential-descriptor}
 
 <xmp class="idl">
     dictionary PublicKeyCredentialDescriptor {
-        required PublicKeyCredentialType      type;
+        required DOMString                    type;
         required BufferSource                 id;
         sequence<DOMString>                   transports;
     };
@@ -3080,7 +3100,7 @@ parameter to the {{CredentialsContainer/create()}} or {{CredentialsContainer/get
 
 <div dfn-type="dict-member" dfn-for="PublicKeyCredentialDescriptor">
     :   <dfn>type</dfn>
-    ::  This member contains the type of the [=public key credential=] the caller is referring to.
+    ::  This member contains the type of the [=public key credential=] the caller is referring to. The value SHOULD be a member of {{PublicKeyCredentialType}} but [=client platforms=] MUST ignore any {{PublicKeyCredentialDescriptor}} with an unknown {{PublicKeyCredentialDescriptor/type}}.
 
     :   <dfn>id</dfn>
     ::  This member contains the [=credential ID=] of the [=public key credential=] the caller is referring to.
@@ -3109,15 +3129,15 @@ parameter to the {{CredentialsContainer/create()}} or {{CredentialsContainer/get
     };
 </xmp>
 
+Note: The {{AuthenticatorTransport}} enumeration is deliberately not referenced, see [[#sct-domstring-backwards-compatibility]].
+
 <div dfn-type="enum-value" dfn-for="AuthenticatorTransport">
     [=Authenticators=] may implement various [[#enum-transport|transports]] for communicating with [=clients=]. This enumeration
     defines hints as to how clients might communicate with a particular authenticator in order to obtain an assertion for a
     specific credential. Note that these hints represent the [=[WRP]=]'s best belief as to how an authenticator may be reached. A
     [=[RP]=] will typically learn of the supported transports for a [=public key credential=] via
     {{AuthenticatorAttestationResponse/getTransports()}}.
 
-    Note: The {{AuthenticatorTransport}} enumeration is not referenced by other parts of the Web IDL because that would preclude other values from being used without updating this specification and its implementations. It is important for backwards compatibility that [=client platforms=] and [=[RPS]=] handle unknown values. Therefore it exists here for documentation and as a registry. Where transports are represented elsewhere, they are typed as {{DOMString}}s, for example in {{PublicKeyCredentialDescriptor/transports}}.
-
     :   <dfn>usb</dfn>
     ::  Indicates the respective [=authenticator=] can be contacted over removable USB.
 
@@ -3160,6 +3180,8 @@ parameter to the {{CredentialsContainer/create()}} or {{CredentialsContainer/get
 A [=[WRP]=] may require [=user verification=] for some of its operations but not for others, and may use this type to express its
 needs.
 
+Note: The {{UserVerificationRequirement}} enumeration is deliberately not referenced, see [[#sct-domstring-backwards-compatibility]].
+
 <div dfn-type="enum-value" dfn-for="UserVerificationRequirement">
     :   <dfn>required</dfn>
     ::  This value indicates that the [=[RP]=] requires [=user verification=] for the operation and will fail the operation if the