From 4d16a31c38d977da3b2f47ff3de31378f7f96d7d Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Mon, 7 Oct 2019 14:56:41 +0200 Subject: [PATCH] Clarify that RP is split into server and script --- index.bs | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/index.bs b/index.bs index edcdea0d4..3b4e8adc9 100644 --- a/index.bs +++ b/index.bs @@ -1172,6 +1172,12 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S :: The entity whose web application utilizes the [[#sctn-api|Web Authentication API]] to [=registration|register=] and [=authentication|authenticate=] users. + A [=[RP]=] implementation typically consists of both some client-side script + that invokes the [=Web Authentication API=] in the [=client=], + and a server-side component that executes the [[#sctn-rp-operations|[RP] operations]] and other application logic. + Communication between the two components MUST use HTTPS or equivalent transport security, + but is otherwise beyond the scope of this specification. + Note: While the term [=[RP]=] is also often used in other contexts (e.g., X.509 and OAuth), an entity acting as a [=[RP]=] in one context is not necessarily a [=[RP]=] in other contexts. In this specification, the term [=[WRP]=] is often shortened to be just [=[RP]=], and explicitly refers to a [=[RP]=] in the WebAuthn context. Note that in any concrete instantiation
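Review bot: In the added paragraph, "MUST use HTTPS or equivalent transport security" leaves "equivalent" undefined, so an implementer cannot tell which transports satisfy the requirement. Either drop "or equivalent" or name the properties the channel has to provide, for example confidentiality, integrity and authentication of the server-side component. The MUST also follows "typically consists of", which makes it unclear whether the requirement binds only RPs that are split this way; say that it applies whenever the script and the server-side component are separate. It is also a normative requirement placed inside the terminology entry for the Relying Party, where readers looking for conformance requirements may miss it, so consider stating it in a normative section and referencing it from here. Minor wording: "both some client-side script" reads better as "both a client-side script".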