use 'attacker' instead of 'user'
samuelweiler committed Sep 5, 2018
1 parent dbdf619 commit e320eb5
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions index.bs
Expand Up @@ -5408,9 +5408,9 @@ only to the operating system user that created that [=platform credential=].
## Username Enumeration ## {#sctn-username-enumeration}

While initiating a [=registration ceremony|registration=] or [=authentication ceremony=], there is a risk that the [=[WRP]=] might leak sensitive
information about its registered users. For example, if a [=[RP]=] uses e-mail addresses as usernames and a user attempts to
information about its registered users. For example, if a [=[RP]=] uses e-mail addresses as usernames and an attacker attempts to
initiate an [=authentication=] [=ceremony=] for "alex.p.mueller@example.com" and the [=[RP]=] responds with a failure, but then
successfully initiates an [=authentication ceremony=] for "j.doe@example.com", then the user can conclude that "j.doe@example.com"
successfully initiates an [=authentication ceremony=] for "j.doe@example.com", then the attacker can conclude that "j.doe@example.com"
is registered and "alex.p.mueller@example.com" is not. The [=[RP]=] has thus leaked the possibly sensitive information that
"j.doe@example.com" has an account at this [=[RP]=].
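Review bot: In the changed sentence, "but then successfully initiates" has no explicit subject, so coming right after "the [=[RP]=] responds with a failure" it reads as if the [=[RP]=] is the one initiating the second ceremony; suggest "but the attacker then successfully initiates an [=authentication ceremony=] for ...". In the surrounding context, the first line uses [=[WRP]=] where the rest of the paragraph uses [=[RP]=], and "[=authentication=] [=ceremony=]" is split into two links where the other occurrences use [=authentication ceremony=]; if those are unintended, they could be aligned in the same pass.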
