Fix more nits identified by Jeffrey Yasskin

index.bs

@@ -407,6 +407,10 @@ are returned to the caller when a new credential is created, or a new assertion
         the {{ScopedCredential}} was created in response to {{CredentialsContainer/get()}}, and this attribute's value
         will be an {{AuthenticatorAssertionResponse}}.
 
+    :   <dfn>clientExtensionResults</dfn>
+    ::  This attribute contains a [=map=] containing [=extension identifier=] → [=client extension output=] entries
+        produced by the extension's [=client extension processing=].
+
     :   <dfn>\[[type]]</dfn>
     ::  The {{ScopedCredential}} [=interface object=]'s {{Credential/[[type]]}} [=internal slot=]'s value is the string
         "`scoped`".
@@ -1740,7 +1744,8 @@ When registering a new credential, represented by a {{AuthenticatorAttestationRe
 4. Verify that the {{CollectedClientData/tokenBinding}} in |C| matches the [=Token Binding ID=] for the TLS connection over
     which the attestation was obtained.
 
-5. Verify that the {{CollectedClientData/extensions}} in |C| is a proper subset of the extensions requested by the RP.
+5. Verify that the {{CollectedClientData/clientExtensions}} in |C| is a proper subset of the extensions requested by the RP
+   and that the {{CollectedClientData/authenticatorExtensions}} in |C| is also a proper subset of the extensions requested by the RP.
 
 6. Compute the hash of {{AuthenticatorResponse/clientDataJSON}} using the algorithm identified by
     <code>|C|.{{CollectedClientData/hashAlg}}</code>.
@@ -1819,7 +1824,8 @@ MUST proceed as follows:
 6. Verify that the {{CollectedClientData/tokenBinding}} member of |C| (if present) matches the [=Token Binding ID=] for the TLS connection
     over which the signature was obtained.
 
-7. Verify that the {{CollectedClientData/extensions}} member of |C| is a proper subset of the extensions requested by the RP.
+7. Verify that the {{CollectedClientData/clientExtensions}} member of |C| is a proper subset of the extensions requested by the RP
+   and that the {{CollectedClientData/authenticatorExtensions}} in |C| is also a proper subset of the extensions requested by the RP.
 
 8. Verify that the RP ID hash in |aData| is the SHA-256 hash of the RP ID expected by the RP.
 
@@ -2433,14 +2439,14 @@ Note: Extensions should aim to define authenticator arguments that are as small
 Extensions may define additional processing requirements on the client platform during the creation of credentials or the
 generation of an assertion.
 The [=client extension input=] for the extension is used an input to this client processing.
-Supported [=client extensions=] are recorded as a dictionary in the [=client data=] with the key {{CollectedClientData/extensions}}.
+Supported [=client extensions=] are recorded as a dictionary in the [=client data=] with the key {{CollectedClientData/clientExtensions}}.
 For each such
 extension, the client adds an entry to this dictionary with the [=extension identifier=] as the key, and the extension's
 [=client extension input=] as the value.
 
 Likewise, the [=client extension outputs=] are represented as a dictionary in the {{ScopedCredential/clientExtensionResults}}
 with [=extension identifiers=] as keys, and the <dfn>client extension output</dfn> value of each extension as the value.
-Like the [=client extension input=], the [=client extension ouput=] is a value that can be encoded in JSON.
+Like the [=client extension input=], the [=client extension output=] is a value that can be encoded in JSON.
 
 Extensions that require authenticator processing MUST define
 the process by which the [=client extension input=] can be used to determine the [=CBOR=] [=authenticator extension input=] and