w3c · MasterKale · Aug 7, 2024 · Mar 20, 2024 · May 1, 2024 · May 1, 2024
diff --git a/index.bs b/index.bs
@@ -2202,6 +2202,45 @@ During the above process, the user agent SHOULD show some UI to the user to guid
 authorizing an authenticator.
 </div>
 
+#### Registration API Exceptions
+
+[=[WRPS]=] can encounter the following {{DOMException|DOMExceptions}} from a call to {{CredentialsContainer/create()|navigator.credentials.create()}}. Some errors can have multiple reasons for why they happened, requiring the [=[WRPS]=] to infer the actual reason based on their use of WebAuthn:
+
+<dl dfn-type="argument" dfn-for="Registration API Exceptions">
+    :   <dfn>AbortError</dfn>
+    ::  The ceremony was cancelled via an {{AbortController}}
+        (see [[#sctn-abortoperation]] and [[#sctn-sample-aborting]] for more information.)
+
+    :   <dfn>ConstraintError</dfn>
+    ::  Either {{residentKey}} was set to "{{ResidentKeyRequirement/required}}" and no available authenticator supported resident keys,
+        or {{userVerification}} was set to "{{UserVerificationRequirement/required}}" and no available authenticator could perform [=user verification=].
+
+    :   <dfn>InvalidStateError</dfn>
+    ::  The authenticator used in the ceremony recognized an entry in {{excludeCredentials}}
+        after the user [=user consent|consented=] to registering a credential.
+
+    :   <dfn>NotSupportedError</dfn>
+    ::  No entry in {{PublicKeyCredentialCreationOptions/pubKeyCredParams}} had a `type` property of "{{PublicKeyCredentialType/public-key}}",
+        or the [=authenticator=] did not support any of the specified cryptographic parameters in {{PublicKeyCredentialCreationOptions/pubKeyCredParams}}.
+
+    :   <dfn>SecurityError</dfn>
+    ::  The [=effective domain=] was not a [=valid domain=],
+        or {{PublicKeyCredentialCreationOptions/rp}}.{{PublicKeyCredentialRpEntity/id}} was not a registrable domain suffix of nor was equal to the [=effective domain=].
+
+    :   <dfn>TypeError</dfn>
+    ::  The value of {{PublicKeyCredentialCreationOptions/user}}.{{PublicKeyCredentialUserEntity/id}} was not between 1 and 64 bytes (inclusive.)
+
+    :   <dfn>UnknownError</dfn>
+    ::  The [=authenticator=] could not process the supplied options,
+        or encountered an error while creating the new credential object.
+
+    :   <dfn>{{NotAllowedError}}</dfn>
+    ::  A catch-all error covering a wide range of possible reasons,
+        including common ones like the user canceling out of the ceremony.
+        Some of these causes are documented throughout this spec,
+        while others are client-specific.
+
+</dl>
 
 ### Use an Existing Credential to Make an Assertion - PublicKeyCredential's `[[Get]](options)` Method ### {#sctn-getAssertion}
 
@@ -2704,6 +2743,29 @@ The steps for [=issuing a credential request to an authenticator=] are as follow
 
     1. Return [TRUE].
 
+#### Authentication API Exceptions
+
+[=[WRPS]=] can encounter the following {{DOMException|DOMExceptions}} from a call to {{CredentialsContainer/get()|navigator.credentials.get()}}:
+
+<dl dfn-type="argument" dfn-for="Authentication API Exceptions">
+    :   <dfn>AbortError</dfn>
+    ::  The ceremony was cancelled via an {{AbortController}}
+        (see [[#sctn-abortoperation]] and [[#sctn-sample-aborting]] for more information.)
+
+    :   <dfn>SecurityError</dfn>
+    ::  The [=effective domain=] was not a [=valid domain=],
+        or {{PublicKeyCredentialCreationOptions/rp}}.{{PublicKeyCredentialRpEntity/id}} was not a registrable domain suffix of nor was equal to the [=effective domain=].
+
+    :   <dfn>UnknownError</dfn>
+    ::  The [=authenticator=] could not process the supplied options,
+        or encountered an error while generating an [=assertion signature=].
+
+    :   <dfn>NotAllowedError</dfn>
+    ::  A catch-all error covering a wide range of possible reasons,
+        including common ones like the user canceling out of the ceremony.
+        Some of these causes are documented throughout this spec,
+        while others are client-specific.
+</dl>
 
 ### Store an Existing Credential - PublicKeyCredential's `[[Store]](credential, sameOriginWithAncestors)` Method ### {#sctn-storeCredential}
 
@@ -5863,7 +5925,7 @@ The attributes above are structured within this certificate as such:
   04 12                                  -- OCTET STRING
     04  10                               -- OCTET STRING
       CD 8C 39 5C 26 ED EE DE            -- AAGUID cd8c395c-26ed-eede-653b-00797d03ca3c
-      65 3B 00 79 7D 03 CA 3C 
+      65 3B 00 79 7D 03 CA 3C
 
 30 12                                    -- SEQUENCE
   06 0B 2B 06 01 04 01 82 E5 1C 01 01 05 -- OID 1.3.6.1.4.1.45724.1.1.5