Clarify that RP is split into server and script

index.bs

@@ -1172,6 +1172,12 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S
 :: The entity whose <dfn>web application</dfn> utilizes the [[#sctn-api|Web Authentication API]] to [=registration|register=] and
     [=authentication|authenticate=] users.
 
+    A [=[RP]=] implementation typically consists of both some client-side script
+    that invokes the [=Web Authentication API=] in the [=client=],
+    and a server-side component that executes the [[#sctn-rp-operations|[RP] operations]] and other application logic.
+    Communication between the two components MUST use HTTPS or equivalent transport security,
+    but is otherwise beyond the scope of this specification.
+
         Note: While the term [=[RP]=] is also often used in other contexts (e.g., X.509 and OAuth), an entity acting as a [=[RP]=] in one
         context is not necessarily a [=[RP]=] in other contexts. In this specification, the term [=[WRP]=] is often shortened
         to be just [=[RP]=], and explicitly refers to a [=[RP]=] in the WebAuthn context. Note that in any concrete instantiation