From c2ec717da26c7021b64d5e52bc8dfd27ec257907 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Tue, 28 Nov 2023 13:13:20 +0100
Subject: [PATCH 1/2] Fix references to credential private key that should be
 credential source

See issue #2002: https://github.com/w3c/webauthn/issues/2002
---
 index.bs | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/index.bs b/index.bs
index e5f847486..6c75426e6 100644
--- a/index.bs
+++ b/index.bs
@@ -4551,13 +4551,14 @@ An [=authenticator=] can store a [=public key credential source=] in one of two
  1. In persistent storage embedded in the [=authenticator=], [=client=] or [=client device=], e.g., in a secure element.
     This is a technical requirement for a [=client-side discoverable public key credential source=].
 
- 1. By encrypting (i.e., wrapping) the [=credential private key=] such that only this [=authenticator=] can decrypt (i.e., unwrap) it and letting the resulting
-    ciphertext be the [=credential ID=] for the [=public key credential source=]. The [=credential ID=] is stored by the [=[RP]=]
+ 1. By encrypting (i.e., wrapping) the [=public key credential source=]
+    such that only this [=authenticator=] can decrypt (i.e., unwrap) it and letting the resulting
+    ciphertext be the [=credential ID=] of the [=public key credential source=]. The [=credential ID=] is stored by the [=[RP]=]
     and returned to the [=authenticator=] via the {{PublicKeyCredentialRequestOptions/allowCredentials}} option of
-    {{CredentialsContainer/get()}}, which allows the [=authenticator=] to decrypt and use the [=credential private key=].
+    {{CredentialsContainer/get()}}, which allows the [=authenticator=] to decrypt and use the [=public key credential source=].
 
-    This enables the [=authenticator=] to have unlimited storage capacity for [=credential private keys=], since the encrypted
-    [=credential private keys=] are stored by the [=[RP]=] instead of by the [=authenticator=] - but it means that a
+    This enables the [=authenticator=] to have unlimited credential storage capacity, since the encrypted
+    [=public key credential sources=] are stored by the [=[RP]=] instead of by the [=authenticator=] - but it means that a
     [=credential=] stored in this way must be retrieved from the [=[RP]=] before the [=authenticator=] can use it.
 
 Which of these storage strategies an [=authenticator=] supports defines the [=authenticator=]'s <dfn>credential storage
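Review bot: the rewritten second list item is now self-referential: it says the wrapped ciphertext "be the [=credential ID=] of the [=public key credential source=]" while also saying the whole [=public key credential source=] is what gets wrapped, yet the credential ID is presented here as a field of that source, so the ciphertext cannot literally contain itself. Consider wording such as "By encrypting (i.e., wrapping) the remaining fields of the [=public key credential source=] ..." or stating explicitly which parts of the source are wrapped. Minor: the new text leaves a very short line ("... the [=public key credential source=]") followed by a long one; rewrapping the item to the surrounding line width would keep the diff tidier.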
@@ -4568,7 +4569,7 @@ modality</dfn> as follows:
     credential capable</dfn>.
 
 - An [=authenticator=] has the <dfn>server-side credential storage modality</dfn> if it does not have the [=client-side credential storage
-    modality=], i.e., it only supports storing [=credential private keys=] as a ciphertext in the [=credential ID=].
+    modality=], i.e., it only supports storing [=public key credential sources=] as a ciphertext in the [=credential ID=].
 
 Note that a [=discoverable credential capable=] [=authenticator=] MAY support both storage strategies. In this case, the [=authenticator=] MAY
 at its discretion use different storage strategies for different [=public key credential|credentials=], though subject to the
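Review bot: number agreement in the changed line: "it only supports storing [=public key credential sources=] as a ciphertext in the [=credential ID=]" pairs a plural with a singular. Suggest "it only supports storing each [=public key credential source=] as a ciphertext in its [=credential ID=]" (or "as ciphertexts in their [=credential IDs=]"), which also makes clear that one credential ID carries one wrapped source.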

From dbf6ca23d8cf8c3399a2ddde86d1222c0ceca023 Mon Sep 17 00:00:00 2001
From: Emil Lundberg <emil@yubico.com>
Date: Tue, 28 Nov 2023 13:13:43 +0100
Subject: [PATCH 2/2] Say residentKey and requireResidentKey, not residentKey
 or requireResidentKey

---
 index.bs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/index.bs b/index.bs
index 6c75426e6..9e1525a52 100644
--- a/index.bs
+++ b/index.bs
@@ -4573,7 +4573,7 @@ modality</dfn> as follows:
 
 Note that a [=discoverable credential capable=] [=authenticator=] MAY support both storage strategies. In this case, the [=authenticator=] MAY
 at its discretion use different storage strategies for different [=public key credential|credentials=], though subject to the
-{{AuthenticatorSelectionCriteria/residentKey}} or {{AuthenticatorSelectionCriteria/requireResidentKey}} options of
+{{AuthenticatorSelectionCriteria/residentKey}} and {{AuthenticatorSelectionCriteria/requireResidentKey}} options of
 {{CredentialsContainer/create()}}.
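Review bot: the commit message states only the word change ("and" for "or") and gives no rationale, unlike PATCH 1/2 which cites issue #2002. Since the edited sentence now reads as if both {{AuthenticatorSelectionCriteria/residentKey}} and {{AuthenticatorSelectionCriteria/requireResidentKey}} always apply together, the commit message (or the sentence itself) should say why both are relevant to the authenticator's choice of storage strategy, e.g. by linking to the section that defines how the two options are combined.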