w3c · selfissued · Jan 15, 2025 · Jan 8, 2025 · Jan 8, 2025 · Jan 8, 2025
diff --git a/index.bs b/index.bs
@@ -9875,6 +9875,76 @@ Harry Halpin
 for their contributions as our W3C Team Contacts.
 
 
+# Revision History # {#revision-history}
+
+[INFORMATIVE]
+
+This section contains the substantive changes that have been made to this specification over time.
+
+## Changes since Web Authentication Level 2 [[webauthn-2-20210408]] ## {#changes-since-l2}
+
-## Changes since Web Authentication Level 2 [[webauthn-2-20210408]] ## {#changes-since-l2}
+## Changes in Web Authentication Level 3 ## {#changes-l3}
+
+The following changes were made between Web Authentication Level 2 [[webauthn-2-20210408]] and Level 3.
+
-## Changes since Web Authentication Level 2 [[webauthn-2-20210408]] ## {#changes-since-l2}
+## Changes in Web Authentication Level 3 ## {#changes-l3}
+
+The following changes were made between Web Authentication Level 2 [[webauthn-2-20210408]] and Level 3.
+
+### Substantive Changes ### {#changes-l3-substantive}
+
+The following changes were made to the [=Web Authentication API=] and the way it operates.
+
+Changes:
+
+- Updated timeout guidance: [[#sctn-timeout-recommended-range]]
+- `uvm` extension no longer included; see instead L2 [[webauthn-2-20210408]]
+- [=authData/attestedCredentialData/aaguid=] in [=attested credential data=] is no longer zeroed
+    when {{PublicKeyCredentialCreationOptions/attestation}} preference is {{AttestationConveyancePreference/none}}: [[#sctn-createCredential]]
+
+
+Deprecations:
+
+- Registration parameter
+    <code>{{CredentialCreationOptions/publicKey}}.{{PublicKeyCredentialCreationOptions/rp}}.{{PublicKeyCredentialEntity/name}}</code>:
+    [[#dictionary-pkcredentialentity]]
+- [[#sctn-android-safetynet-attestation]]
+
+
+New features:
+
+- New JSON (de)serialization methods:
+    - {{PublicKeyCredential/toJSON()}} method in [[#iface-pkcredential]]
+    - [[#sctn-parseCreationOptionsFromJSON]]
+    - [[#sctn-parseRequestOptionsFromJSON]]
+- Create operations in cross-origin iframes:
+    - [[#sctn-createCredential]]
+    - [[#sctn-iframe-guidance]]
+- Conditional mediation for create: [[#sctn-createCredential]]
+- Conditional mediation for get: [[#sctn-getAssertion]]
+- [[#sctn-getClientCapabilities]]
+    - [[#sctn-disclosing-client-capabilities]]
+- New enum value {{AuthenticatorTransport/hybrid}} in [[#enum-transport]].
+- [[#sctn-signal-methods]]
+- New [=client data=] attribute {{CollectedClientData/topOrigin}}: [[#dictionary-client-data]]
+- [[#enum-hints]]
+- [[#sctn-related-origins]]
+- [=Authenticator data=] flags [=authData/flags/BE=] and [=authData/flags/BS=] assigned:
+    - [[#sctn-authenticator-data]]
+    - [[#sctn-credential-backup]]
+    - [[#sctn-automation-set-credential-properties]]
+- [[#sctn-compound-attestation]]
+- [[#prf-extension]]
+
+
+### Editorial Changes ### {#changes-l3-editorial}
+
+The following changes were made to improve clarity, readability, navigability and similar aspects of the document.
+
+- Updated [[#sctn-use-cases]] to reflect developments in deployment landscape.
+- Introduced [=credential record=] concept to formalize what data [=[RPS]=] need to store
+    and how it relates between [=registration ceremony|registration=] and [=authentication ceremonies=].
+- Clarified error conditions:
+    - [[#sctn-create-request-exceptions]]
+    - [[#sctn-get-request-exceptions]]
+- [[#sctn-strings]] split into subsections [[#sctn-strings-truncation-client]] and [[#sctn-strings-truncation-authenticator]]
+    to clarify division of responsibilities.
+- Added [[#sctn-test-vectors]].
+- Moved normative language outside of "note" blocks.
+
+
 <pre class=biblio>
 {