Update proposal.md
Signed-off-by: Daniel Baumgarten <[email protected]>
dbaumgarten authored Dec 16, 2024
1 parent 61f7ef0 commit d1658fd
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions 139-pipeline-identity-tokens/proposal.md
@@ -3,7 +3,7 @@
# Summary

Pipelines should receive signed JWTs ([RFC7519](https://datatracker.ietf.org/doc/html/rfc7519)) from Concourse that contain information about them (team, pipeline-name etc.).
They could the send this JWTs to outside services to authenticate using their identity as "Concourse-Pipeline X"
They could then send this JWTs to outside services to authenticate using their identity as "Concourse-Pipeline X"


# Motivation
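Review bot: the added line ("They could then send this JWTs to outside services ...") fixes the dropped "then" but keeps the number-agreement error "this JWTs"; suggest "They could then send these JWTs to outside services to authenticate using their identity as "Concourse-Pipeline X"." with a terminating period, so the sentence no longer runs into the blank lines before "# Motivation".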
@@ -81,7 +81,7 @@ Detailed usage-instructions for vault can follow if required.
Implementation is split into different phases, that stack onto each other. We could implement the first few and expant the implementation step by step.

## Phase 1
- When Concourse boots for the first time it creates a signature keypar and stores it into the DB
- When Concourse boots for the first time it creates a signature keypair and stores it into the DB
- Concourse exposes the public part of the key as a JWKS ([RFC 7517](https://datatracker.ietf.org/doc/html/rfc7517)) under a publicly accessible path (for example: https://myconcourse.example.com/keys)
- Concourse offers a minimal OIDC Discovery Endpoint ([RFC8418](https://datatracker.ietf.org/doc/html/rfc8414)) that basically just points to the JWKS-URL
- Whenever a job/task/whatever of a pipeline is sent to a worker for execution, Concourse (preferably ATC) will generate a JWT with the following content
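Review bot: the hunk corrects "keypar" but leaves two further typos in the surrounding context: "expant" in the opening sentence should be "expand", and the OIDC Discovery bullet is labelled "RFC8418" while its URL points at rfc8414 (RFC 8414, OAuth 2.0 Authorization Server Metadata, is the right reference); suggest "[RFC 8414](https://datatracker.ietf.org/doc/html/rfc8414)" to match the "RFC 7517" style used in the JWKS bullet. The keypair bullet also says the key is created on first boot and stored in the DB but says nothing about rotation or publishing more than one key; since the JWKS endpoint in the next bullet can carry several keys, a sentence on how a rotated key would be introduced and retired would make the phase-1 description complete.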

0 comments on commit d1658fd