w3c / webauthn

Web Authentication: An API for accessing Public Key Credentials
https://w3c.github.io/webauthn/

Authenticator Attestation Response's [[transports]] should be an attribute rather than an internal slot. #2080

Closed nbrr closed 5 months ago

nbrr commented 5 months ago

It is recommended for a credential record to register transports. This value is defined as an internal slot accessible through the Authenticator Attestation Response's getTransports method. This puts the RP in an awkward position as to accessing this value:

Although these are implementation specific considerations, the current specification seems to make things unnecessarily difficult.

emlun commented 5 months ago

We would have done this if possible, but unfortunately this is not allowed by the Web IDL definition of an interface attribute:

An attribute is an interface member or namespace member [...] [...] The type of the attribute, after resolving typedefs, must not be a nullable or non-nullable version of any of the following types:

[[transports]] is of sequence type, so it cannot be an attribute of interface AuthenticatorAttestationResponse.

emlun commented 5 months ago

By the way, this is the same reason why getClientExtensionResults(), and a few others like it, must also be a getter method rather than a direct attribute.

nbrr commented 5 months ago

Thank you for explaining that @emlun. With this understanding and upon closer look, I notice that the Level 3 spec introduces the use of toJSON(): this actually seems to address the frictions I mentioned?

emlun commented 5 months ago

Ah right - yes, it does! dictionary doesn't have this limitation, so the toJSON() outputs indeed include these getter results as plain attributes.
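
Added example, not part of the thread or of the specification's own code: one way an RP's client-side script can get transports into the payload it sends to the server, using toJSON() where the client provides it and falling back to the getter methods otherwise. The helper names and the mock credential are hypothetical and constructed for illustration.

```javascript
// Added example. serializeRegistration, b64url and mockLegacyCredential are
// hypothetical names, not WebAuthn APIs.
function b64url(buf) {
  let s = '';
  for (const b of new Uint8Array(buf)) s += String.fromCharCode(b);
  return btoa(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function serializeRegistration(cred) {
  // Level 3 clients: toJSON() returns a dictionary, which may hold sequences,
  // so transports and clientExtensionResults are plain properties.
  if (typeof cred.toJSON === 'function') return cred.toJSON();

  // Older clients: sequence/dictionary values are reachable only via getters.
  const r = cred.response;
  return {
    id: cred.id,
    rawId: b64url(cred.rawId),
    type: cred.type,
    response: {
      clientDataJSON: b64url(r.clientDataJSON),
      attestationObject: b64url(r.attestationObject),
      transports: typeof r.getTransports === 'function' ? r.getTransports() : [],
    },
    clientExtensionResults: cred.getClientExtensionResults(),
  };
}

// Constructed stand-in for a credential from a client without toJSON().
function mockLegacyCredential() {
  const bytes = (...b) => new Uint8Array(b).buffer;
  return {
    id: 'AQID',
    rawId: bytes(1, 2, 3),
    type: 'public-key',
    response: {
      clientDataJSON: bytes(0x7b, 0x7d), // "{}"
      attestationObject: bytes(0xa0),    // empty CBOR map, placeholder only
      getTransports: () => ['usb', 'nfc'],
    },
    getClientExtensionResults: () => ({ credProps: { rk: true } }),
  };
}

const legacy = mockLegacyCredential();
console.log(JSON.stringify(legacy));                        // getter results are lost
console.log(JSON.stringify(serializeRegistration(legacy))); // transports preserved
```

Serializing the object directly drops everything exposed only through a method, so a server that stores the result would end up with a credential record that has no transports.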