add FIDOAuthnrSecReqs ref, minor editorials

index.bs

@@ -4213,12 +4213,15 @@ handled on the server side and do not need support from the API specified here.
 
 
 
+
+
 ## Cryptographic Challenges ## {#cryptographic-challenges}
 
 As a cryptographic protocol, Web Authentication is dependent upon randomized challenges
-to avoid replay attacks. Therefore, both {MakePublicKeyCredentialOptions/challenge}}'s 
+to avoid replay attacks. Therefore, both {MakePublicKeyCredentialOptions/challenge}}'s
 and {{PublicKeyCredentialRequestOptions/challenge}}'s value, MUST be randomly generated
-by the [=Relying Party=] in an environment they trust (e.g., on the server-side), and the challenge in the client's
+by [=[RPS]=] in an environment they trust (e.g., on the server-side), and the
+returned challenge value in the client's
 response must match what was generated. This should be done in a fashion that does not rely
 upon a client's behavior; e.g.: the Relying Party should store the challenge temporarily
 until the operation is complete. Tolerating a mismatch will compromise the security
@@ -4384,6 +4387,14 @@ Axel Nennker, Kimberly Paulhamus, Adam Powers, Yaron Sheffer, Mike West, Jeffrey
     "href": "http://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf"
   },
 
+  "FIDOAuthnrSecReqs": {
+    "authors": ["D. Biggs", "J.E. Hill", "L. Lundblade", "M. Karlsson"],
+    "title": "FIDO Authenticator Security Requirements",
+    "href": "https://fidoalliance.org/specs/fido-security-requirements-v1.0-fd-20170524/",
+    "status": "FIDO Alliance Final Documents"
+  },
+
+
   "FIDOSecRef": {
     "authors": ["R. Lindemann", "D. Baghdasaryan", "B. Hill"],
     "title": "FIDO Security Reference",