fixup sample-authn example step 9. fixes #234

index.bs

@@ -2415,10 +2415,12 @@ credential.
 
 9. If an assertion was successfully generated and returned,
     - The script sends the assertion to the server.
-    - The server examines the assertion and validates that it was correctly generated. If so, it looks up the identity
-        associated with the associated public key; that identity is now authenticated. If the public key is not recognized by
-        the server (e.g., deregistered by server due to inactivity) then the authentication has failed; each [RP] will handle
-        this in its own way.
+    - The server examines the assertion, extracts the credential ID, looks up the registered
+       credential public key it is database, and verifies the assertion's authentication signature.
+       If valid, it looks up the identity associated with the assertion's credential ID; that
+       identity is now authenticated. If the credential ID is not recognized by the server (e.g.,
+       it has been deregistered due to inactivity) then the authentication has failed; each [RP]
+       will handle this in its own way.
     - The server now does whatever it would otherwise do upon successful authentication -- return a success page, set
         authentication cookies, etc.