Link "credential ID".

index.bs

@@ -259,7 +259,7 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S
 : <dfn>Attestation</dfn>
 :: Generally, <em>attestation</em> is a statement serving to bear witness, confirm, or authenticate.
     In the WebAuthn context, [=attestation=] is employed to <em>attest</em> to the <em>provenance</em> of an [=authenticator=]
-    and the data it emits; including, for example: credential IDs, [=credential key pairs=], signature counters, etc. An
+    and the data it emits; including, for example: [=credential IDs=], [=credential key pairs=], signature counters, etc. An
     [=attestation statement=] is conveyed in an [=attestation object=] during [=registration=]. See also [[#sctn-attestation]]
     and [Figure 3](#fig-attStructs).
 
@@ -976,7 +976,7 @@ When this method is invoked, the user agent MUST execute the following algorithm
         2.  Let |value| be a new {{PublicKeyCredential}} associated with |global| whose fields are:
 
             :   {{PublicKeyCredential/[[identifier]]}}
-            ::  A new {{ArrayBuffer}}, created using |global|'s [=%ArrayBuffer%=], containing the bytes of the credential ID
+            ::  A new {{ArrayBuffer}}, created using |global|'s [=%ArrayBuffer%=], containing the bytes of the [=credential ID=]
                 returned from the successful [=authenticatorGetAssertion=] operation, as defined in [[#op-get-assertion]].
             :   {{PublicKeyCredential/response}}
             ::  A new {{AuthenticatorAssertionResponse}} object associated with |global| whose fields are:
@@ -1088,7 +1088,7 @@ during registration.
     :   <dfn>attestationObject</dfn>
     ::  This attribute contains an [=attestation object=], which is opaque to, and cryptographically protected against
         tampering by, the client. The [=attestation object=] contains both [=authenticator data=] and an [=attestation
-        statement=]. The former contains the AAGUID, a unique credential ID, and the [=credential public key=]. The
+        statement=]. The former contains the AAGUID, a unique [=credential ID=], and the [=credential public key=]. The
         contents of the [=attestation statement=] are determined by the [=attestation statement format=] used by the
         [=authenticator=]. It also contains any additional information that the [=[RP]=]'s server requires to validate the
         [=attestation statement=], as well as to decode and validate the [=authenticator data=] along with the
@@ -1646,7 +1646,7 @@ The [=authenticator data=] structure is a byte array of 37 bytes or more, as fol
         <td>variable (if present)</td>
         <td>
             [=attestation data=] (if present). See [[#sec-attestation-data]] for details. Its length depends on the length of
-            the [=credential public key=] and credential ID being attested.
+            the [=credential public key=] and [=credential ID=] being attested.
         </td>
     </tr>
     <tr>
@@ -1781,7 +1781,7 @@ When this method is invoked, the [=authenticator=] must perform the following pr
 </figure>
 
 On successful completion, the authenticator returns to the user agent:
-- The identifier of the credential (credential ID) used to generate the [=assertion signature=].
+- The identifier of the credential ([=credential ID=]) used to generate the [=assertion signature=].
 - The [=authenticator data=] used to generate the [=assertion signature=].
 - The [=assertion signature=].
 - The [=user handle=] associated with the credential used to generate the [=assertion signature=].
@@ -1881,7 +1881,7 @@ credential. It has the following format:
     </tr>
     <tr>
         <td>L</td>
-        <td>Credential ID</td>
+        <td>[=Credential ID=]</td>
     </tr>
     <tr>
         <td>variable</td>
@@ -2123,13 +2123,13 @@ When registering a new credential, represented by a {{AuthenticatorAttestationRe
 13. If the attestation statement |attStmt| verified successfully and is found to be trustworthy, then register the new
     credential with the account that was denoted in the
     {{PublicKeyCredential/[[Create]](options)/options}}.{{MakePublicKeyCredentialOptions/user}} passed to
-    {{CredentialsContainer/create()}}, by associating it with the credential ID and credential public key contained in
+    {{CredentialsContainer/create()}}, by associating it with the [=credential ID=] and credential public key contained in
     |authData|'s [=attestation data=], as appropriate for the [=[RP]=]'s systems.
 
 14. If the attestation statement |attStmt| successfully verified but is not trustworthy per step 12 above, the [=[RP]=] SHOULD fail
     the registration ceremony.
 
-    NOTE: However, if permitted by policy, the [=[RP]=] MAY register the credential ID and credential public key but treat the
+    NOTE: However, if permitted by policy, the [=[RP]=] MAY register the [=credential ID=] and credential public key but treat the
         credential as one with [=self attestation=] (see [[#sctn-attestation-types]]). If doing so, the [=[RP]=] is asserting there
         is no cryptographic proof that the [=public key credential=] has been generated by a particular [=authenticator=] model.
         See [[FIDOSecRef]] and [[UAFProtocol]] for a more detailed discussion.
@@ -2629,7 +2629,7 @@ This attestation statement format is used with FIDO U2F authenticators using the
 
     Generate a Registration Response Message as specified in [[FIDO-U2F-Message-Formats]] section 4.3, with the application parameter set to the
     SHA-256 hash of the [=RP ID=] associated with the given credential, the challenge parameter set to |tbsHash|, and the key handle
-    parameter set to the credential ID of the given credential. Set the raw signature part of this Registration Response Message (i.e., without the user public key,
+    parameter set to the [=credential ID=] of the given credential. Set the raw signature part of this Registration Response Message (i.e., without the user public key,
     key handle, and attestation certificates) as |sig| and set the attestation certificates of
     the attestation public key as |x5c|.
 
@@ -2641,10 +2641,10 @@ This attestation statement format is used with FIDO U2F authenticators using the
         |clientDataHash| denote the [=hash of the serialized client data=].
     - If |clientDataHash| is 256 bits long, set |tbsHash| to this value. Otherwise set |tbsHash| to the SHA-256
         hash of |clientDataHash|.
-    - From |authenticatorData|, extract the claimed [=RP ID=] hash, the claimed credential ID and the claimed credential public key.
+    - From |authenticatorData|, extract the claimed [=RP ID=] hash, the claimed [=credential ID=] and the claimed credential public key.
     - Generate the claimed to-be-signed data as specified in [[FIDO-U2F-Message-Formats]] section 4.3, with the application
         parameter set to the claimed [=RP ID=] hash, the challenge parameter set to |tbsHash|, the key handle parameter set to the
-        claimed credential ID of the given credential, and the user public key parameter set to the claimed credential public
+        claimed [=credential ID=] of the given credential, and the user public key parameter set to the claimed credential public
         key.
     - Verify that the |sig| is a valid ECDSA P-256 signature over the to-be-signed data constructed above.
     - If successful, return attestation type Basic with the trust path set to |x5c|.
@@ -3396,7 +3396,7 @@ In this flow, the [=[RP]=] does not have a preference for [=platform authenticat
         such as attestation regarding the provenance and characteristics of the authenticator.
     - The server stores the [=credential public key=] in its database and associates it with the user as well as with the
         characteristics of authentication indicated by attestation, also storing a friendly name for later use.
-    - The script may store data such as the credential ID in local storage, to improve future UX by narrowing the choice of
+    - The script may store data such as the [=credential ID=] in local storage, to improve future UX by narrowing the choice of
         credential for the user.
 
 The sample code for generating and registering a new key follows:
@@ -3519,10 +3519,10 @@ credential.
 
 9. If an assertion was successfully generated and returned,
     - The script sends the assertion to the server.
-    - The server examines the assertion, extracts the credential ID, looks up the registered
+    - The server examines the assertion, extracts the [=credential ID=], looks up the registered
         credential public key it is database, and verifies the assertion's authentication signature.
-        If valid, it looks up the identity associated with the assertion's credential ID; that
-        identity is now authenticated. If the credential ID is not recognized by the server (e.g.,
+        If valid, it looks up the identity associated with the assertion's [=credential ID=]; that
+        identity is now authenticated. If the [=credential ID=] is not recognized by the server (e.g.,
         it has been deregistered due to inactivity) then the authentication has failed; each [=[RP]=]
         will handle this in its own way.
     - The server now does whatever it would otherwise do upon successful authentication -- return a success page, set