From d45d8f8db475ff9b1d5a9f3c616d03921cf2f4fc Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Wed, 11 Jul 2018 18:18:58 +0200 Subject: [PATCH 1/2] Add table numbers and captions --- index.bs | 226 ++++++++++++++++++++++++++++++------------------------- 1 file changed, 125 insertions(+), 101 deletions(-) diff --git a/index.bs b/index.bs index 198ae8393..10876e8c3 100644 --- a/index.bs +++ b/index.bs @@ -67,6 +67,25 @@ Boilerplate: omit conformance, omit feedback-header, omit abstract-header Markup Shorthands: css off, markdown on + +
@@ -2285,67 +2304,69 @@ format, and uses its knowledge of the authenticator to make trust decisions.
 The [=authenticator data=] has a compact but extensible encoding. This is desired since authenticators can be devices with
 limited capabilities and low power requirements, with much simpler software stacks than the client platform components.
 
-The [=authenticator data=] structure is a byte array of 37 bytes or more, as follows.
-
-
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-
NameLength (in bytes)Description
rpIdHash32 - SHA-256 hash of the [=RP ID=] associated with the credential. -
flags1 - Flags (bit 0 is the least significant bit): - - Bit 0: [=User Present=] ([=UP=]) result. - - `1` means the user is [=user present|present=]. - - `0` means the user is not [=user present|present=]. - - Bit 1: Reserved for future use (`RFU1`). - - Bit 2: [=User Verified=] ([=UV=]) result. - - `1` means the user is [=user verified|verified=]. - - `0` means the user is not [=user verified|verified=]. - - Bits 3-5: Reserved for future use (`RFU2`). - - Bit 6: [=Attested credential data=] included (`AT`). - - Indicates whether the authenticator added [=attested credential data=]. - - Bit 7: Extension data included (`ED`). - - Indicates if the [=authenticator data=] has [=authDataExtensions|extensions=]. -
signCount4[=Signature counter=], 32-bit unsigned big-endian integer.
attestedCredentialDatavariable (if present) - [=attested credential data=] (if present). See [[#sec-attested-credential-data]] for details. Its length depends on - the [=credentialIdLength|length=] of the [=credentialId|credential ID=] and [=credentialPublicKey|credential public - key=] being attested. -
extensionsvariable (if present) - Extension-defined [=authenticator data=]. This is a [=CBOR=] [[RFC7049]] map with [=extension identifiers=] as keys, - and [=authenticator extension outputs=] as values. See [[#extensions]] for details. -
- - NOTE: The names in the Name column in the above table are only for reference within this document, and are not present in the - actual representation of the [=authenticator data=]. - +The [=authenticator data=] structure is a byte array of 37 bytes or more, laid out as shown in [Table 1](#table-authData). + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameLength (in bytes)Description
rpIdHash32 + SHA-256 hash of the [=RP ID=] associated with the credential. +
flags1 + Flags (bit 0 is the least significant bit): + - Bit 0: [=User Present=] ([=UP=]) result. + - `1` means the user is [=user present|present=]. + - `0` means the user is not [=user present|present=]. + - Bit 1: Reserved for future use (`RFU1`). + - Bit 2: [=User Verified=] ([=UV=]) result. + - `1` means the user is [=user verified|verified=]. + - `0` means the user is not [=user verified|verified=]. + - Bits 3-5: Reserved for future use (`RFU2`). + - Bit 6: [=Attested credential data=] included (`AT`). + - Indicates whether the authenticator added [=attested credential data=]. + - Bit 7: Extension data included (`ED`). + - Indicates if the [=authenticator data=] has [=authDataExtensions|extensions=]. +
signCount4[=Signature counter=], 32-bit unsigned big-endian integer.
attestedCredentialDatavariable (if present) + [=attested credential data=] (if present). See [[#sec-attested-credential-data]] for details. Its length depends on + the [=credentialIdLength|length=] of the [=credentialId|credential ID=] and [=credentialPublicKey|credential public + key=] being attested. +
extensionsvariable (if present) + Extension-defined [=authenticator data=]. This is a [=CBOR=] [[RFC7049]] map with [=extension identifiers=] as keys, + and [=authenticator extension outputs=] as values. See [[#extensions]] for details. +
+
+ [=Authenticator data=] layout. The names in the Name column are only for reference within this document, and are not + present in the actual representation of the [=authenticator data=]. +
+
The [=RP ID=] is originally received from the client when the credential is created, and again when an assertion is generated. However, it differs from other [=client data=] in some important ways. First, unlike the client data, the [=RP ID=] of a @@ -2729,46 +2750,49 @@ understand the characteristics of the [=authenticators=] that they trust, based ### Attested credential data ### {#sec-attested-credential-data} Attested credential data is a variable-length byte array added to the [=authenticator data=] when generating an [=attestation -object=] for a given credential. It has the following format: - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameLength (in bytes)Description
aaguid16The AAGUID of the authenticator.
credentialIdLength2Byte length L of Credential ID, 16-bit unsigned big-endian integer.
credentialIdL[=Credential ID=]
credentialPublicKeyvariable - The [=credential public key=] encoded in COSE_Key format, - as defined in [=Section 7=] of [[RFC8152]], using the [=CTAP2 canonical CBOR encoding form=]. - The COSE_Key-encoded [=credential public key=] MUST contain the "alg" parameter and MUST NOT - contain any other OPTIONAL parameters. The "alg" parameter MUST contain a {{COSEAlgorithmIdentifier}} value. - The encoded [=credential public key=] MUST also contain any additional REQUIRED parameters stipulated by the - relevant key type specification, i.e., REQUIRED for the key type "kty" and algorithm "alg" (see Section 8 of - [[RFC8152]]). -
- - NOTE: The names in the Name column in the above table are only for reference within this document, and are not present in the - actual representation of the [=attested credential data=]. +object=] for a given credential. Its format is shown in [Table 2](#table-attestedCredentialData). + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + +
NameLength (in bytes)Description
aaguid16The AAGUID of the authenticator.
credentialIdLength2Byte length L of Credential ID, 16-bit unsigned big-endian integer.
credentialIdL[=Credential ID=]
credentialPublicKeyvariable + The [=credential public key=] encoded in COSE_Key format, + as defined in [=Section 7=] of [[RFC8152]], using the [=CTAP2 canonical CBOR encoding form=]. + The COSE_Key-encoded [=credential public key=] MUST contain the "alg" parameter and MUST NOT + contain any other OPTIONAL parameters. The "alg" parameter MUST contain a {{COSEAlgorithmIdentifier}} value. + The encoded [=credential public key=] MUST also contain any additional REQUIRED parameters stipulated by the + relevant key type specification, i.e., REQUIRED for the key type "kty" and algorithm "alg" (see Section 8 of + [[RFC8152]]). +
+
+ [=Attested credential data=] layout. The names in the Name column are only for reference within this document, and are not + present in the actual representation of the [=attested credential data=]. +
+
#### Examples of `credentialPublicKey` Values encoded in COSE_Key format #### {#sctn-encoded-credPubKey-examples} From bc15894311be72aca26582e3d9a00877399fc59a Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Thu, 12 Jul 2018 12:00:41 +0200 Subject: [PATCH 2/2] Add caption and number to authenticator types table --- index.bs | 107 +++++++++++++++++++++++++++++-------------------------- 1 file changed, 56 insertions(+), 51 deletions(-) diff --git a/index.bs b/index.bs index b1b90de2f..2313d2215 100644 --- a/index.bs +++ b/index.bs @@ -2464,56 +2464,61 @@ the same procedure as other [=assertion signatures=] generated by the [=authenti [=Authenticator=] types vary along several different dimensions: [=authenticator attachment modality=], employed [[#transport|transport(s)]], [=credential storage modality=], and [=authentication factor capability=]. The combination of these dimensions defines an [=authenticator=]'s authenticator type, which in turn determines the broad use cases the [=authenticator=] supports. -The following defines names for some [=authenticator types=]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[=Authenticator Type=] [=Authenticator Attachment Modality=] [=Credential Storage Modality=] [=Authentication Factor Capability=]
Second-factor platform authenticator [=platform attachment|platform=] [=remote credential storage modality|Remote=] [=single-factor capable|Single-factor=]
User-verifying platform authenticator [=platform attachment|platform=] [=remote credential storage modality|Remote=] [=multi-factor capable|Multi-factor=]
First-factor platform authenticator [=platform attachment|platform=] [=local credential storage modality|Local=] [=multi-factor capable|Multi-factor=]
Second-factor roaming authenticator [=cross-platform attachment|cross-platform=] [=remote credential storage modality|Remote=] [=single-factor capable|Single-factor=]
User-verifying roaming authenticator [=cross-platform attachment|cross-platform=] [=remote credential storage modality|Remote=] [=multi-factor capable|Multi-factor=]
First-factor roaming authenticator [=cross-platform attachment|cross-platform=] [=local credential storage modality|Local=] [=multi-factor capable|Multi-factor=]
+[Table 2](#table-authenticatorTypes) defines names for some [=authenticator types=]. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
[=Authenticator Type=] [=Authenticator Attachment Modality=] [=Credential Storage Modality=] [=Authentication Factor Capability=]
Second-factor platform authenticator [=platform attachment|platform=] [=remote credential storage modality|Remote=] [=single-factor capable|Single-factor=]
User-verifying platform authenticator [=platform attachment|platform=] [=remote credential storage modality|Remote=] [=multi-factor capable|Multi-factor=]
First-factor platform authenticator [=platform attachment|platform=] [=local credential storage modality|Local=] [=multi-factor capable|Multi-factor=]
Second-factor roaming authenticator [=cross-platform attachment|cross-platform=] [=remote credential storage modality|Remote=] [=single-factor capable|Single-factor=]
User-verifying roaming authenticator [=cross-platform attachment|cross-platform=] [=remote credential storage modality|Remote=] [=multi-factor capable|Multi-factor=]
First-factor roaming authenticator [=cross-platform attachment|cross-platform=] [=local credential storage modality|Local=] [=multi-factor capable|Multi-factor=]
+
+ Definitions of names for some [=authenticator types=]. +
+
These types can be further broken down into subtypes, such as which [[#transport|transport(s)]] a [=roaming authenticator=] supports. The following sections define the terms [=authenticator attachment modality=], [=credential storage modality=] and @@ -2926,7 +2931,7 @@ understand the characteristics of the [=authenticators=] that they trust, based ### Attested credential data ### {#sec-attested-credential-data} Attested credential data is a variable-length byte array added to the [=authenticator data=] when generating an [=attestation -object=] for a given credential. Its format is shown in [Table 2](#table-attestedCredentialData). +object=] for a given credential. Its format is shown in [Table 3](#table-attestedCredentialData).
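Review bot: The hunk at `@@ -67,6 +67,25 @@` adds 19 lines directly after `Markup Shorthands: css off, markdown on` that the commit message "Add table numbers and captions" does not account for; please say in the message what those lines contribute (the hunk header is the only trace of them here) so the commit can be reviewed on its own.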
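Review bot: In the hunk at `@@ -2285,67 +2304,69 @@` the table number is hard-coded twice, in the link text `[Table 1](#table-authData)` and in the caption, so any table added earlier in the document forces a manual renumbering pass through every reference; if the build tooling can derive the number from the caption, prefer that, and otherwise add a short source comment beside the table ids stating that numbers follow document order. Folding the former NOTE into the caption is fine, since the sentence about the Name column still reads as a remark on the table rather than part of the layout.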
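Review bot: The hunk at `@@ -2729,46 +2750,49 @@` labels the attested credential data table `[Table 2](#table-attestedCredentialData)`, which the second patch immediately changes to `Table 3` once the authenticator types table (which sits earlier, around line 2464) is numbered; the first commit on its own therefore leaves numbering that disagrees with document order. Suggest squashing the two commits, or numbering all three tables in the first commit, so that every intermediate state of the spec is self-consistent.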
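Review bot: The one-line hunk at `@@ -2926,7 +2931,7 @@`, renumbering `[Table 2](#table-attestedCredentialData)` to `[Table 3](#table-attestedCredentialData)`, is exactly the kind of follow-up that hard-coded numbers require and is easy to miss when a fourth table is added later; a quick grep for `\[Table [0-9]+\]\(#table-` compared against the table ids in document order before merging would catch stale references, and is worth mentioning in the commit message or a build note.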