Precisize that it's assertions that don't sign the credential ID

index.bs

@@ -8342,7 +8342,7 @@ are grouped into respective subsections.
 
 ## Credential ID Unsigned ## {#sctn-credentialIdSecurity}
 
-The [=credential ID=] is not signed.
+The [=credential ID=] accompanying an [=authentication assertion=] is not signed.
 This is not a problem because all that would happen if an [=authenticator=] returns
 the wrong [=credential ID=], or if an attacker intercepts and manipulates the [=credential ID=], is that the [=[WRP]=] would not look up the correct
 [=credential public key=] with which to verify the returned signed [=authenticator data=]