Proposed Change
https://www.w3.org/TR/webauthn-2/#dictionary-user-credential-params
Here the note box for the user handle says
Note: the user handle ought not be a constant value across different accounts, even for non-discoverable credentials
Wouldn't it be better to instead use proper RFC2119 terms (such as SHOULD NOT)? Especially for non-native English speakers, "ought not" is likely a rather uncommon term, while RFC2119 terms are well established and specifically defined in their meanings within the scope of documents like this, such that SHOULD NOT isn't just an informal note that it might not be the best idea, but specifically that:
there may exist valid reasons in particular circumstances when the
particular behavior is acceptable or even useful, but the full
implications should be understood and the case carefully weighed
before implementing any behavior described with this label.