fix issue #932 clarify rpIdHash generation, minor editorial linking

index.bs

@@ -2269,14 +2269,18 @@ validated by the authenticator during the [=authenticatorGetAssertion=] operatio
 with the requested credential exactly matches the [=RP ID=] supplied by the client, and that the [=RP ID=] [=is a registrable
 domain suffix of or is equal to=] the [=effective domain=] of the RP's [=origin=]'s [=effective domain=].
 
-The `UP` flag SHALL be set if and only if the authenticator detected a user through an authenticator specific gesture. The
-`RFU` bits SHALL be set to zero.
+[=Authenticators=] <dfn for="authenticator data">perform the following steps to generate an [=authenticator data=] structure</dfn>:
 
-For attestation signatures, the authenticator MUST set the AT flag and include the <code>[=attestedCredentialData=]</code>. For
-authentication signatures, the AT flag MUST NOT be set and the <code>[=attestedCredentialData=]</code> MUST NOT be included.
+- Hash [=RP ID=] to generate the [=rpIdHash=].
 
-If the authenticator does not include any extension data, it MUST set the `ED` flag to zero, and to one if
-extension data is included.
+- The `UP` [=flag=] SHALL be set if and only if the authenticator detected a user through an authenticator specific gesture. The
+    `RFU` bits SHALL be set to zero.
+
+- For [=attestation signatures=], the authenticator MUST set the AT [=flag=] and include the <code>[=attestedCredentialData=]</code>. 
+    For [=assertion signature|authentication signatures=], the AT [=flag=] MUST NOT be set and the <code>[=attestedCredentialData=]</code> MUST NOT be included.
+
+- If the authenticator does not include any [=authDataExtensions|extension data=], it MUST set the `ED` [=flag=] to zero, and to one if
+    [=authDataExtensions|extension data=] is included.
 
 The [figure below](#fig-authData) shows a visual representation of the [=authenticator data=] structure.
 
@@ -2465,7 +2469,7 @@ When this operation is invoked, the [=authenticator=] MUST perform the following
     </dl>
 
 1. Let |attestedCredentialData| be the [=attested credential data=] byte array including the |credentialId| and |publicKey|.
-1. Let |authenticatorData| be the byte array specified in [[#sec-authenticator-data]], including |attestedCredentialData| as the
+1. Let |authenticatorData| [=perform the following steps to generate an authenticator data structure|be the byte array=] specified in [[#sec-authenticator-data]], including |attestedCredentialData| as the
     <code>[=attestedCredentialData=]</code> and |processedExtensions|, if any, as the
     <code>[=authDataExtensions|extensions=]</code>.
 1. Return the [=attestation object=] for the new credential created by the procedure specified in
@@ -2530,7 +2534,8 @@ When this method is invoked, the [=authenticator=] MUST perform the following pr
 1. Increment the [=RP ID=]-associated
     [=signature counter=] or the global [=signature counter=] value, depending on 
     which approach is implemented by the [=authenticator=], by some positive value.
-1. Let |authenticatorData| be the byte array specified in [[#sec-authenticator-data]] including |processedExtensions|, if any, as
+1. Let |authenticatorData| [=perform the following steps to generate an authenticator data structure|be the byte array=]
+    specified in [[#sec-authenticator-data]] including |processedExtensions|, if any, as
     the <code>[=authDataExtensions|extensions=]</code> and excluding <code>[=attestedCredentialData=]</code>.
 1. Let |signature| be the [=assertion signature=] of the concatenation <code>|authenticatorData| || |hash|</code> using the
     [=public key credential source/privateKey=] of |selectedCredential| as shown in [Figure 2](#fig-signature), below. A simple,