In L3, platform authenticators are allowed AAGUIDs that are not all-zero even when credentialCreationData.attestationConveyancePreferenceOption is "none". As a result, there is no additional privacy obtained by replacing self attestation with none attestation. Specifically, the step describing constructCredentialAlg in § 5.1.3 should be changed from:

- If the aaguid in the attested credential data is 16 zero bytes, credentialCreationData.attestationObjectResult.fmt is "packed", and "x5c" is absent from credentialCreationData.attestationObjectResult, then self attestation is being used and no further action is needed.

to:

- If the aaguid in the attested credential data is 16 zero bytes or the authenticator is a platform authenticator, credentialCreationData.attestationObjectResult.fmt is "packed", and "x5c" is absent from credentialCreationData.attestationObjectResult, then self attestation is being used and no further action is needed.
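To make the difference between the two wordings concrete, here is an added example (not text or code from the WebAuthn specification or any browser) that implements the self-attestation test from constructCredentialAlg in both its current and proposed forms. It assumes the attestation object has already been CBOR-decoded into `{ fmt, attStmt, authData }`, parses the AAGUID out of the raw authenticator data (rpIdHash || flags || signCount || attested credential data), and takes the "is this a platform authenticator" fact as a boolean argument, since the client knows it from the authenticator it is talking to. The sample authenticator data is constructed inline, not captured from a real device.

```javascript
// Added example: the constructCredentialAlg self-attestation check, current vs proposed.
// Not from the WebAuthn spec text or any client implementation.

const FLAG_AT = 0x40;                   // authData flags bit: attested credential data present
const AAGUID_OFFSET = 32 + 1 + 4;       // rpIdHash (32) || flags (1) || signCount (4)

// Return the 16-byte AAGUID from authenticator data, or null if no attested
// credential data is included (AT flag clear) or the buffer is too short.
function aaguidFromAuthData(authData) {
  if (authData.length < AAGUID_OFFSET + 16) return null;
  if ((authData[32] & FLAG_AT) === 0) return null;
  return authData.slice(AAGUID_OFFSET, AAGUID_OFFSET + 16);
}

function isZeroAaguid(aaguid) {
  return aaguid !== null && aaguid.every((b) => b === 0);
}

// Current L3 wording: zero AAGUID, "packed" format, and no x5c in the packed attStmt.
function isSelfAttestationCurrent(attestationObject) {
  const aaguid = aaguidFromAuthData(attestationObject.authData);
  return isZeroAaguid(aaguid)
    && attestationObject.fmt === "packed"
    && !("x5c" in attestationObject.attStmt);
}

// Proposed wording: a platform authenticator qualifies even with a non-zero AAGUID.
function isSelfAttestationProposed(attestationObject, isPlatformAuthenticator) {
  const aaguid = aaguidFromAuthData(attestationObject.authData);
  return (isZeroAaguid(aaguid) || isPlatformAuthenticator === true)
    && attestationObject.fmt === "packed"
    && !("x5c" in attestationObject.attStmt);
}

// With conveyance "none": keep the object if the chosen rule classifies it as
// self attestation, otherwise replace it with a "none" attestation object.
function applyNoneConveyance(attestationObject, isPlatformAuthenticator, rule) {
  if (rule(attestationObject, isPlatformAuthenticator)) return attestationObject;
  return { fmt: "none", attStmt: {}, authData: attestationObject.authData };
}

// Constructed sample authenticator data (assumption: a minimal layout with a
// 4-byte credential id and an empty CBOR map standing in for the COSE public key).
function buildAuthData(aaguid) {
  const credId = new Uint8Array([1, 2, 3, 4]);
  const pubKeyStub = new Uint8Array([0xa0]);
  const out = new Uint8Array(AAGUID_OFFSET + 16 + 2 + credId.length + pubKeyStub.length);
  out[32] = 0x01 | FLAG_AT;             // flags: UP | AT; rpIdHash and signCount left zero
  out.set(aaguid, AAGUID_OFFSET);
  out[AAGUID_OFFSET + 16] = 0;          // credential id length, big-endian
  out[AAGUID_OFFSET + 17] = credId.length;
  out.set(credId, AAGUID_OFFSET + 18);
  out.set(pubKeyStub, AAGUID_OFFSET + 18 + credId.length);
  return out;
}

const ZERO_AAGUID = new Uint8Array(16);
const PLATFORM_AAGUID = Uint8Array.from({ length: 16 }, (_, i) => i + 1); // constructed, non-zero

function sampleSelfAttestation(aaguid) {
  return { fmt: "packed", attStmt: { alg: -7, sig: new Uint8Array([0x30]) }, authData: buildAuthData(aaguid) };
}
```

Under the current wording a platform authenticator with a non-zero AAGUID fails the check, so the client replaces its self attestation with a "none" object even though the same AAGUID is still present in the authenticator data it passes through; under the proposed wording the self attestation is kept, which is the point the issue makes about no privacy being gained.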