[Spec] Add note on SPC opt-in, and misc clarifications

spec.bs

@@ -110,7 +110,8 @@ not just the merchant origin where the user first registered.
 
 To that end, an important feature of Secure Payment Confirmation is
 that the merchant (or another entity) may initiate the authentication
-ceremony on the [=Relying Party's=] behalf.
+ceremony on the [=Relying Party's=] behalf. The [=Relying Party=] must
+opt-in to allowing this behavior during credential creation.
 
 Functionally, this specification defines a new [=payment method=] for the
 {{PaymentRequest}} API, and adds a [=WebAuthn Extension=] to extend
@@ -218,10 +219,10 @@ In this section, we walk through some scenarios for Secure Payment Confirmation
 and the corresponding sample code for using this API. Note that these are
 example flows and do not limit the scope of how the API can be used.
 
-### Registration ### {#sctn-sample-registration}
+### Registration during a purchase ### {#sctn-sample-registration}
 
 This is a first-time flow, in which a new credential is created and stored by
-an issuing bank.
+an issuing bank during a purchase by the user on some merchant.
 
 1. The user visits `merchant.com`, selects an item to purchase, and proceeds to
     the checkout flow. They enter their payment instrument details, and indicate
@@ -275,8 +276,8 @@ const publicKey = {
     displayName: "Jane Doe",
   },
 
-  // This Relying Party will accept either an ES256 or RS256 credential, but
-  // prefers an ES256 credential.
+  // This example Relying Party will accept either an ES256 or RS256 credential,
+  // but prefers an ES256 credential.
   pubKeyCredParams: [
     {
       type: "public-key",
@@ -288,7 +289,6 @@ const publicKey = {
     }
   ],
 
-  // This Relying Party requires user verification.
   authenticatorSelection: {
     userVerification: "required",
     residentKey: "required",
@@ -321,7 +321,7 @@ navigator.credentials.create({ publicKey })
 
 </div> <!-- non-normative -->
 
-### Authentication ### {#sctn-sample-authentication}
+### Authentication on merchant site ### {#sctn-sample-authentication}
 
 This is the flow when a user with an already registered credential is
 performing a transaction and the issuing bank and merchant wish to use Secure
@@ -418,19 +418,29 @@ try {
     not) be used by a [=Relying Party=] for other authentication flows (e.g.,
     login).
 
-: <dfn>Steps to determine if a credential is SPC-enabled</dfn>
-:: An as-yet undefined process by which a user agent can, given a [=credential
-    ID=], determine if the credential represented by that ID is an [=SPC
-    Credential=].
+    Note: The current version of this specification requires the [=Relying
+          Party=] to explicitly opt in for a credential to be used in SPC in
+          either a first-party or third-party context. Longer-term, our
+          intention is that all [=public key credential|WebAuthn credentials=]
+          will be usable for SPC in a first-party context (e.g., on the
+          [=Relying Party's=] domain) and opt-in will only be required to allow
+          a credential to be used by a third-party.
+
+: <dfn>Steps to silently determine if a credential is SPC-enabled</dfn>
+:: An as-yet undefined process by which a user agent can, given a
+    [[webauthn-3#relying-party-identifier|Relying Party Identifier]] and a
+    [=credential ID=], silently (i.e., without user interaction) determine if
+    the credential represented by that ID is an [=SPC Credential=].
 
     NOTE: See <a href="https://github.com/w3c/webauthn/issues/1667">WebAuthn
     issue 1667</a>.
 
 : <dfn>Steps to silently determine if a credential is available for the current device</dfn>
-:: An as-yet undefined process by which a user agent can, given a [=credential
-    ID=], silently (i.e., without user interaction) determine if the credential
-    represented by that credential ID is available for the current device (i.e.,
-    could be successfully used as part of a WebAuthn
+:: An as-yet undefined process by which a user agent can, given a
+    [[webauthn-3#relying-party-identifier|Relying Party Identifier]] and a
+    [=credential ID=], silently (i.e., without user interaction) determine if
+    the credential represented by that credential ID is available for the
+    current device (i.e., could be successfully used as part of a WebAuthn
     [[webauthn-3#sctn-getAssertion|Get]] call).
 
     This allows the user agent to only conditionally display
@@ -617,10 +627,12 @@ input {{SecurePaymentConfirmationRequest}} |data|, are:
 
 1. For each |id| in |data|["{{SecurePaymentConfirmationRequest/credentialIds}}"]:
 
-    1. Run the [=steps to determine if a credential is SPC-enabled=] and the
-        [=steps to silently determine if a credential is available for the
-        current device=]. If the result of either of these is `false`, remove
-        |id| from |data|["{{SecurePaymentConfirmationRequest/credentialIds}}"].
+    1. Run the [=steps to silently determine if a credential is available for
+        the current device=] and the [=steps to silently determine if a
+        credential is SPC-enabled=], passing in
+        |data|["{{SecurePaymentConfirmationRequest/rpId}}"] and |id|. If the
+        result of either of these is `false`, remove |id| from
+        |data|["{{SecurePaymentConfirmationRequest/credentialIds}}"].
 
 1. If |data|["{{SecurePaymentConfirmationRequest/credentialIds}}"] is now empty,
     return `false`. The user agent must maintain