diff --git a/index.bs b/index.bs index 0014e786a..cccfc1914 100644 --- a/index.bs +++ b/index.bs 
@@ -4559,13 +4559,14 @@ An [=authenticator=] can store a [=public key credential source=] in one of two 1. In persistent storage embedded in the [=authenticator=], [=client=] or [=client device=], e.g., in a secure element. This is a technical requirement for a [=client-side discoverable public key credential source=]. - 1. By encrypting (i.e., wrapping) the [=credential private key=] such that only this [=authenticator=] can decrypt (i.e., unwrap) it and letting the resulting - ciphertext be the [=credential ID=] for the [=public key credential source=]. The [=credential ID=] is stored by the [=[RP]=] + 1. By encrypting (i.e., wrapping) the [=public key credential source=] + such that only this [=authenticator=] can decrypt (i.e., unwrap) it and letting the resulting + ciphertext be the [=credential ID=] of the [=public key credential source=]. The [=credential ID=] is stored by the [=[RP]=] and returned to the [=authenticator=] via the {{PublicKeyCredentialRequestOptions/allowCredentials}} option of - {{CredentialsContainer/get()}}, which allows the [=authenticator=] to decrypt and use the [=credential private key=]. + {{CredentialsContainer/get()}}, which allows the [=authenticator=] to decrypt and use the [=public key credential source=]. - This enables the [=authenticator=] to have unlimited storage capacity for [=credential private keys=], since the encrypted - [=credential private keys=] are stored by the [=[RP]=] instead of by the [=authenticator=] - but it means that a + This enables the [=authenticator=] to have unlimited credential storage capacity, since the encrypted + [=public key credential sources=] are stored by the [=[RP]=] instead of by the [=authenticator=] - but it means that a [=credential=] stored in this way must be retrieved from the [=[RP]=] before the [=authenticator=] can use it. Which of these storage strategies an [=authenticator=] supports defines the [=authenticator=]'s credential storage 
@@ -4576,11 +4577,11 @@ modality as follows: credential capable. - An [=authenticator=] has the server-side credential storage modality if it does not have the [=client-side credential storage - modality=], i.e., it only supports storing [=credential private keys=] as a ciphertext in the [=credential ID=]. + modality=], i.e., it only supports storing [=public key credential sources=] as a ciphertext in the [=credential ID=]. Note that a [=discoverable credential capable=] [=authenticator=] MAY support both storage strategies. In this case, the [=authenticator=] MAY at its discretion use different storage strategies for different [=public key credential|credentials=], though subject to the -{{AuthenticatorSelectionCriteria/residentKey}} or {{AuthenticatorSelectionCriteria/requireResidentKey}} options of +{{AuthenticatorSelectionCriteria/residentKey}} and {{AuthenticatorSelectionCriteria/requireResidentKey}} options of {{CredentialsContainer/create()}}.
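Review bot: In the first hunk (the rewritten "By encrypting (i.e., wrapping) the [=public key credential source=] ..." item) the wrapping is described only as encryption, but because the resulting [=credential ID=] leaves the authenticator, is stored by the [=[RP]=] and comes back through {{PublicKeyCredentialRequestOptions/allowCredentials}}, the authenticator must also be able to detect a modified or foreign credential ID before it "decrypt[s] and use[s]" the source; consider saying that the wrapping is authenticated (integrity-protected) encryption, e.g. "By encrypting (i.e., wrapping) the [=public key credential source=] with authenticated encryption such that only this [=authenticator=] can decrypt (i.e., unwrap) it and detect tampering". The widening from [=credential private key=] to the whole [=public key credential source=] is consistent with the new "unlimited credential storage capacity" wording, since the wrapped blob then carries everything the authenticator needs, not just the key. Minor: " - but it means that a" uses a spaced hyphen where the rest of the spec uses a proper dash or a new sentence.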
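Review bot: In the second hunk the new line "it only supports storing [=public key credential sources=] as a ciphertext in the [=credential ID=]" mixes a plural subject with a singular object; suggest "it only supports storing each [=public key credential source=] as ciphertext in its [=credential ID=]" so it reads as one wrapped source per credential ID, matching the per-credential description in the previous hunk. The change from "{{AuthenticatorSelectionCriteria/residentKey}} or {{AuthenticatorSelectionCriteria/requireResidentKey}}" to "and" is an improvement, since the authenticator's choice of storage strategy is constrained by both options as supplied to {{CredentialsContainer/create()}}, but the sentence still does not say what happens when the two disagree; a short pointer to wherever the spec resolves that precedence would help readers of this paragraph.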