Address review comments
Co-authored-by: =JeffH <jdhodges@google.com>
emlun and equalsJeffH committed Jul 21, 2021
1 parent 8056f09 commit 9d7bc35
Showing 1 changed file with 13 additions and 10 deletions.
23 changes: 13 additions & 10 deletions index.bs
Expand Up @@ -1247,12 +1247,15 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S
PIN.

: <dfn>User Account</dfn>
:: In the context of this specification, a [=user account=] is some section of a [=[RP]=]'s services,
identified by a [=user handle=]
and associated with some set of [=credentials=] that a user may use to gain access to that section of services.
The set of credentials might change over time.
One user account might be accessed by one or more users and one user might have access to one or more user accounts,
depending on the user(s) and the [=[RP]=].
:: In the context of this specification,
a [=user account=] denotes the mapping of a set of [=credentials=] [[CREDENTIAL-MANAGEMENT-1]]
to a (sub)set of a [=[RP]=]'s resources, as maintained and authorized by the [=[RP]=].
The [=[RP]=] maps a given [=public key credential=] to a [=user account=]
by assigning a [=user account=]-specific value to the credential's [=user handle=].
This mapping, the set of credentials, and their authorizations, may evolve over time.
A given [=user account=] might be accessed by one or more natural persons (also known as "users"),
and one natural person might have access to one or more [=user accounts=],
depending on actions of the user(s) and the [=[RP]=].

: <dfn>User Consent</dfn>
:: User consent means the user agrees with what they are being asked, i.e., it encompasses reading and understanding prompts.
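Review bot: The new User Account definition uses "mapping" in two senses: its first sentence defines a [=user account=] as the mapping of a set of [=credentials=] to the RP's resources, and the next sentence has the RP map a [=public key credential=] "to a [=user account=]", that is, to that mapping. Consider rewording the second sentence so the RP associates the credential with the account, and state explicitly whether every credential in the same account carries the same [=user handle=] value; the removed text said the account is "identified by a [=user handle=]", while the replacement only says the value is "[=user account=]-specific".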
Expand Down Expand Up @@ -6827,9 +6830,9 @@ In this case the {{PublicKeyCredentialRequestOptions/allowCredentials}} argument
about which [=user accounts=] have WebAuthn credentials registered and which do not,
which may be a signal of account protection strength.
For example, say an attacker can initiate an [=authentication ceremony=] by providing only a username,
and the [=[RP]=] responds with an non-empty {{PublicKeyCredentialRequestOptions/allowCredentials}} for some accounts,
and with failure or a password challenge for other accounts.
The attacker can then conclude that the latter accounts
and the [=[RP]=] responds with a non-empty {{PublicKeyCredentialRequestOptions/allowCredentials}} for some [=user accounts=],
and with failure or a password challenge for other [=user accounts=].
The attacker can then conclude that the latter [=user accounts=]
likely do not require a WebAuthn [=assertion=] for successful authentication,
and thus focus an attack on those likely weaker accounts.
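Review bot: The last line of this paragraph, "and thus focus an attack on those likely weaker accounts", still uses the unlinked word "accounts" while the three lines changed above it now use [=user accounts=]. Link it as well so the paragraph uses the defined term consistently.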

Expand Down Expand Up @@ -6913,7 +6916,7 @@ authentication, they are designed to be minimally identifying and not shared bet
Additionally, a [=client-side discoverable public key credential source=] can optionally include a [=user
handle=] specified by the [=[RP]=]. The [=public key credential|credential=] can then be used to both identify and
[=authentication|authenticate=] the user.
This means that a privacy-conscious [=[RP]=] can allow creating a [=user account=] without a traditional username,
This means that a privacy-conscious [=[RP]=] can allow creation of a [=user account=] without a traditional username,
further improving non-correlatability between [=[RPS]=].
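Review bot: The unchanged sentence just above the edited line says the credential can be used to "both identify and [=authentication|authenticate=] the user", but the User Account definition revised in this same commit says one account might be accessed by more than one natural person. Consider whether that sentence should speak of identifying the [=user account=] rather than the user; the "allow creation of" rewording itself looks fine.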

