w3c
diff --git a/‎lws10-authn-openid/index.html‎
Lines changed: 15 additions & 15 deletions b/‎lws10-authn-openid/index.html‎
Lines changed: 15 additions & 15 deletions
diff --git a/‎lws10-authn-saml/index.html‎
Lines changed: 9 additions & 9 deletions b/‎lws10-authn-saml/index.html‎
Lines changed: 9 additions & 9 deletions
diff --git a/‎lws10-authn-ssi-cid/index.html‎
Lines changed: 12 additions & 12 deletions b/‎lws10-authn-ssi-cid/index.html‎
Lines changed: 12 additions & 12 deletions
diff --git a/‎lws10-authn-ssi-did-key/index.html‎
Lines changed: 10 additions & 10 deletions b/‎lws10-authn-ssi-did-key/index.html‎
Lines changed: 10 additions & 10 deletions
diff --git a/‎lws10-core/Authentication.html‎
Lines changed: 1 addition & 1 deletion b/‎lws10-core/Authentication.html‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎lws10-core/Authorization.html‎
Lines changed: 3 additions & 3 deletions b/‎lws10-core/Authorization.html‎
Lines changed: 3 additions & 3 deletions
@@ -26,9 +26,9 @@
         xref: ["web-platform"],
         group: "lws",
         localBiblio: {
-          "LWS-PROTOCOL": {
-            title: "LWS Protocol",
-            href: "https://www.w3.org/TR/lws-core/",
+          "LWS10-CORE": {
+            title: "Linked Web Storage Protocol 1.0",
+            href: "https://www.w3.org/TR/lws10-core/",
             publisher: "W3C",
             status: "FPWD",
           },
@@ -84,7 +84,7 @@ <h2>Terminology</h2>
       </p>
 
       <p>
-        The terms "authentication credential" and "authentication suite" are defined by Linked Web Storage Protocol [[!LWS-PROTOCOL]]
+        The terms "<dfn data-cite="LWS10-CORE#dfn-agent">agent</dfn>", "<dfn data-cite="LWS10-CORE#dfn-authentication-credential">authentication credential</dfn>", and "<dfn data-cite="LWS10-CORE#dfn-authentication-suite">authentication suite</dfn>" are defined by Linked Web Storage Protocol [[!LWS10-CORE]]
       </p>
     </section>
 
@@ -93,7 +93,7 @@ <h2>Authentication Credential Serialization</h2>
 
       <p>
         OpenID Connect defines a protocol for producing signed ID Tokens, which are used to describe an end-user.
-        An ID Token is serialized as a signed JSON Web Token (JWT). In order to use an ID Token as an LWS authentication credential,
+        An ID Token is serialized as a signed JSON Web Token (JWT). In order to use an ID Token as an LWS <a>authentication credential</a>,
         the following additional requirements apply.
       </p>
 
@@ -122,7 +122,7 @@ <h2>Authentication Credential Serialization</h2>
       </ul>
 
       <p>
-        An example ID Token that is also an LWS authentication credential is included below.
+        An example ID Token that is also an LWS <a>authentication credential</a> is included below.
       </p>
 
       <pre id="example-id-token" class="example">
@@ -151,24 +151,24 @@ <h2>Authentication Credential Serialization</h2>
       <h2>Authentication Credential Validation</h2>
 
       <p>
-        For an ID Token to validate as an LWS authentication credential,
+        For an ID Token to validate as an LWS <a>authentication credential</a>,
         there must be a trust relationship between the verifier and the issuing party.
       </p>
 
       <p>
-        In the absence of a pre-existing trust relationship, the validator MUST dereference the <code>sub</code> (subject) claim in the authentication credential.
+        In the absence of a pre-existing trust relationship, the validator MUST dereference the <code>sub</code> (subject) claim in the <a>authentication credential</a>.
         The resulting resource MUST be formatted as a valid controlled identifier document [[!CID-1.0]] with an <code>id</code> value equal to the subject identifier.
       </p>
 
       <p>
         The verifier MUST use the subject's controlled identifier document to locate a service object whose <code>serviceEndpoint</code> value
-        is equal to the value of the <code>iss</code> claim from the authentication credential, and whose <code>type</code> value is equal to <code>https://www.w3.org/ns/lws#OpenIdProvider</code>.
-        The verifier MUST perform OpenID Connect Discovery to locate the public portion of the JSON Web Key (JWK) used to sign the authentication credential.
+        is equal to the value of the <code>iss</code> claim from the <a>authentication credential</a>, and whose <code>type</code> value is equal to <code>https://www.w3.org/ns/lws#OpenIdProvider</code>.
+        The verifier MUST perform OpenID Connect Discovery to locate the public portion of the JSON Web Key (JWK) used to sign the <a>authentication credential</a>.
         The JWT MUST be validated as described by OpenID Connect Core Section 3.1.3.7 [[!OPENID-CONNECT-CORE]].
       </p>
 
       <p>
-        An example Controlled Identifier Document for an agent using OpenID Connect is included below.
+        An example Controlled Identifier Document for an <a>agent</a> using OpenID Connect is included below.
       </p>
 
       <pre id="example-cid" class="example">
@@ -189,7 +189,7 @@ <h2>Authentication Credential Validation</h2>
       <h2>Token Type Identifier</h2>
 
       <p>
-        An ID Token used as an authentication credential MUST use the <code>urn:ietf:params:oauth:token-type:id_token</code> URI when interacting with an authorization server.
+        An ID Token used as an <a>authentication credential</a> MUST use the <code>urn:ietf:params:oauth:token-type:id_token</code> URI when interacting with an authorization server.
       </p>
 
     </section>
@@ -202,9 +202,9 @@ <h2>Security Considerations</h2>
       </p>
 
       <p>
-        An OpenID provider should support a mechanism to restrict the audience of an authentication credential to a limited set of entities, including an authorization server.
+        An OpenID provider should support a mechanism to restrict the audience of an <a>authentication credential</a> to a limited set of entities, including an authorization server.
         One mechanism for achieving this is to use Resource Indicators for OAuth 2.0 [[RFC8707]].
-        A client in possession of an authentication credential with no audience restrictions should exchange this token for an equivalent audience-restricted token by using, for example, OAuth 2.0 Token Exchange [[RFC8693]].
+        A client in possession of an <a>authentication credential</a> with no audience restrictions should exchange this token for an equivalent audience-restricted token by using, for example, OAuth 2.0 Token Exchange [[RFC8693]].
       </p>
 
       <p>
@@ -216,7 +216,7 @@ <h2>Security Considerations</h2>
       </p>
 
       <p>
-        The issuer of an authentication credential is responsible for validating the client identifier.
+        The issuer of an <a>authentication credential</a> is responsible for validating the client identifier.
         The issuer may use mechanisms such as an OAuth Client ID Metadata Document, an OAuth 2.0 Client ID Prefix, or OpenID Federation.
       </p>
 
 
@@ -26,9 +26,9 @@
         xref: ["web-platform"],
         group: "lws",
         localBiblio: {
-          "LWS-PROTOCOL": {
-            title: "LWS Protocol",
-            href: "https://www.w3.org/TR/lws-core/",
+          "LWS10-CORE": {
+            title: "Linked Web Storage Protocol 1.0",
+            href: "https://www.w3.org/TR/lws10-core/",
             publisher: "W3C",
             status: "FPWD",
           },
@@ -70,15 +70,15 @@ <h2>Terminology</h2>
       </p>
 
       <p>
-        The terms "authentication credential" and "authentication suite" are defined by Linked Web Storage Protocol [[!LWS-PROTOCOL]]
+        The terms "<dfn data-cite="LWS10-CORE#dfn-authentication-credential">authentication credential</dfn>" and "<dfn data-cite="LWS10-CORE#dfn-authentication-suite">authentication suite</dfn>" are defined by Linked Web Storage Protocol [[!LWS10-CORE]]
       </p>
     </section>
 
     <section id="serialization">
       <h2>Authentication Credential Serialization</h2>
 
       <p>
-        SAML tokens used as authentication credentials MUST be signed. In addition, a valid SAML token MUST include the following assertions:
+        SAML tokens used as <a>authentication credentials</a> MUST be signed. In addition, a valid SAML token MUST include the following assertions:
       </p>
 
       <p>
@@ -148,7 +148,7 @@ <h2>Authentication Credential Serialization</h2>
       <h2>Authentication Credential Validation</h2>
 
       <p>
-        In order to validate a SAML authentication credential, there must be a trust relationship with the issuing identity provider.
+        In order to validate a SAML <a>authentication credential</a>, there must be a trust relationship with the issuing identity provider.
         This specification does not define how a validating entity establishes a trust relationship with an identity provider,
         expecting these relationships to be established out-of-band.
       </p>
@@ -162,7 +162,7 @@ <h2>Authentication Credential Validation</h2>
       <h2>Token Type Identifier</h2>
 
       <p>
-        A SAML 2.0 assertion used as an authentication credential MUST use the <code>urn:ietf:params:oauth:token-type:saml2</code> URI when interacting with an authorization server.
+        A SAML 2.0 assertion used as an <a>authentication credential</a> MUST use the <code>urn:ietf:params:oauth:token-type:saml2</code> URI when interacting with an authorization server.
       </p>
     </section>
 
@@ -174,8 +174,8 @@ <h2>Security Considerations</h2>
       </p>
 
       <p>
-        A SAML identity provider should support a mechanism to restrict the audience of an authentication credential to a limited set of entities,
-        including an authorization server. A client in possession of an authentication credential with no audience restrictions
+        A SAML identity provider should support a mechanism to restrict the audience of an <a>authentication credential</a> to a limited set of entities,
+        including an authorization server. A client in possession of an <a>authentication credential</a> with no audience restrictions
         should exchange this token for an equivalent audience-restricted token by using, for example, OAuth 2.0 Token Exchange [[RFC8693]].
       </p>
     </section>
 
@@ -26,9 +26,9 @@
         xref: ["web-platform"],
         group: "lws",
         localBiblio: {
-          "LWS-PROTOCOL": {
-            title: "LWS Protocol",
-            href: "https://www.w3.org/TR/lws-core/",
+          "LWS10-CORE": {
+            title: "Linked Web Storage Protocol 1.0",
+            href: "https://www.w3.org/TR/lws10-core/",
             publisher: "W3C",
             status: "FPWD",
           },
@@ -52,8 +52,8 @@
       <h2>Introduction</h2>
       <p>
         Self-issued identity is important for cases where applications act on their own behalf. This includes autonomous bots as well as server-side scripts, among others.
-        In these cases, the agent is able to securely manage the private portion of a keypair, which it uses to generate signed JSON Web Tokens (JWT).
-        This specification describes how this class of agents can generate authentication credentials that can be used with a Linked Web Storage.
+        In these cases, the <a>agent</a> is able to securely manage the private portion of a keypair, which it uses to generate signed JSON Web Tokens (JWT).
+        This specification describes how this class of <a>agents</a> can generate <a>authentication credentials</a> that can be used with a Linked Web Storage.
       </p>
     </section>
     <section id="conformance"></section>
@@ -74,15 +74,15 @@ <h2>Terminology</h2>
       </p>
 
       <p>
-        The terms "authentication credential" and "authentication suite" are defined by Linked Web Storage Protocol [[!LWS-PROTOCOL]]
+        The terms "<dfn data-cite="LWS10-CORE#dfn-agent">agent</dfn>", "<dfn data-cite="LWS10-CORE#dfn-authentication-credential">authentication credential</dfn>", and "<dfn data-cite="LWS10-CORE#dfn-authentication-suite">authentication suite</dfn>" are defined by Linked Web Storage Protocol [[!LWS10-CORE]]
       </p>
     </section>
 
     <section id="serialization">
       <h2>Authentication Credential Serialization</h2>
 
       <p>
-        A self-issued authentication credential is serialized as a signed JSON Web Token (JWT). In order to use a JWT as an LWS authentication credential, the following additional requirements apply.
+        A self-issued <a>authentication credential</a> is serialized as a signed JSON Web Token (JWT). In order to use a JWT as an LWS <a>authentication credential</a>, the following additional requirements apply.
       </p>
 
       <p>
@@ -118,7 +118,7 @@ <h2>Authentication Credential Serialization</h2>
       </p>
 
       <p>
-        An example JWT that is also an LWS authentication credential is included below.
+        An example JWT that is also an LWS <a>authentication credential</a> is included below.
       </p>
 
       <pre id="example-authentication-token" class="example">
@@ -147,11 +147,11 @@ <h2>Authentication Credential Serialization</h2>
       <h2>Authentication Credential Validation</h2>
 
       <p>
-        In order to validate a JWT as an LWS authentication credential, there must be a trust relationship between the verifier and the issuing party.
+        In order to validate a JWT as an LWS <a>authentication credential</a>, there must be a trust relationship between the verifier and the issuing party.
       </p>
 
       <p>
-        In the absence of a pre-existing trust relationship, the verifier MUST dereference the <code>sub</code> (subject) claim in the authentication credential.
+        In the absence of a pre-existing trust relationship, the verifier MUST dereference the <code>sub</code> (subject) claim in the <a>authentication credential</a>.
         The resulting resource MUST be formatted as a valid controlled identifier document [[!CID-1.0]] with an <code>id</code> value equal to the subject identifier.
       </p>
 
@@ -160,7 +160,7 @@ <h2>Authentication Credential Validation</h2>
       </p>
 
       <p>
-        A verifier MUST validate all claims described by the authentication credential data model.
+        A verifier MUST validate all claims described by the <a>authentication credential</a> data model.
       </p>
 
       <p>
@@ -203,7 +203,7 @@ <h2>Authentication Credential Validation</h2>
       <h2>Token Type Identifier</h2>
 
       <p>
-        A self-issued JSON Web Token used as an authentication credential MUST use the <code>urn:ietf:params:oauth:token-type:jwt</code> URI when interacting with an authorization server.
+        A self-issued JSON Web Token used as an <a>authentication credential</a> MUST use the <code>urn:ietf:params:oauth:token-type:jwt</code> URI when interacting with an authorization server.
       </p>
 
     </section>
 
@@ -31,9 +31,9 @@
             href: "https://w3c-ccg.github.io/did-key-spec/",
             publisher: "W3C",
           },
-          "LWS-PROTOCOL": {
-            title: "LWS Protocol",
-            href: "https://www.w3.org/TR/lws-core/",
+          "LWS10-CORE": {
+            title: "Linked Web Storage Protocol 1.0",
+            href: "https://www.w3.org/TR/lws10-core/",
             publisher: "W3C",
             status: "FPWD",
           },
@@ -58,8 +58,8 @@ <h2>Introduction</h2>
       <p>
         Self-issued identity is important for cases where applications act on their own behalf.
         This includes autonomous bots as well as server-side scripts, among others.
-        In these cases, the agent is able to securely manage the private portion of a keypair, which it uses to generate signed JSON Web Tokens (JWT).
-        This specification describes how this class of agents can generate authentication credentials that can be used with a Linked Web Storage while using agent identifiers with the `did:key:` method.
+        In these cases, the <a>agent</a> is able to securely manage the private portion of a keypair, which it uses to generate signed JSON Web Tokens (JWT).
+        This specification describes how this class of <a>agents</a> can generate <a>authentication credentials</a> that can be used with a Linked Web Storage while using <a>agent</a> identifiers with the `did:key:` method.
       </p>
     </section>
 
@@ -77,15 +77,15 @@ <h2>Terminology</h2>
       </p>
 
       <p>
-        The terms "authentication credential" and "authentication suite" are defined by Linked Web Storage Protocol [[!LWS-PROTOCOL]]
+        The terms "<dfn data-cite="LWS10-CORE#dfn-agent">agent</dfn>", "<dfn data-cite="LWS10-CORE#dfn-authentication-credential">authentication credential</dfn>", and "<dfn data-cite="LWS10-CORE#dfn-authentication-suite">authentication suite</dfn>" are defined by Linked Web Storage Protocol [[!LWS10-CORE]]
       </p>
     </section>
 
     <section id="serialization">
       <h2>Authentication Credential Serialization</h2>
 
       <p>
-        A self-issued authentication credential is serialized as a signed JSON Web Token (JWT). In order to use a JWT as an LWS authentication credential, the following additional requirements apply.
+        A self-issued <a>authentication credential</a> is serialized as a signed JSON Web Token (JWT). In order to use a JWT as an LWS <a>authentication credential</a>, the following additional requirements apply.
       </p>
 
       <ul>
@@ -123,7 +123,7 @@ <h2>Authentication Credential Serialization</h2>
       </ul>
 
       <p>
-        An example JWT that is also an LWS authentication credential is included below.
+        An example JWT that is also an LWS <a>authentication credential</a> is included below.
       </p>
 
       <pre id="example-authentication-token" class="example">
@@ -155,7 +155,7 @@ <h2>Authentication Credential Validation</h2>
       </p>
 
       <p>
-        A verifier MUST validate all claims described by the authentication credential data model.
+        A verifier MUST validate all claims described by the <a>authentication credential</a> data model.
       </p>
 
       <p>
@@ -167,7 +167,7 @@ <h2>Authentication Credential Validation</h2>
       <h2>Token Type Identifier</h2>
 
       <p>
-        A self-issued JSON Web Token used as an authentication credential MUST use the <code>urn:ietf:params:oauth:token-type:jwt</code> URI when interacting with an authorization server.
+        A self-issued JSON Web Token used as an <a>authentication credential</a> MUST use the <code>urn:ietf:params:oauth:token-type:jwt</code> URI when interacting with an authorization server.
       </p>
     </section>
 
 
@@ -1,5 +1,5 @@
 <p>
-  This section defines a mechanism for identifying agents and end users that interact
+  This section defines a mechanism for identifying <a>agents</a> and end users that interact
   with a linked web storage server. This specification does not mandate a particular
   format for an <a>authentication credential</a>, though it does describe how existing identity systems
   can be used in conjunction with the linked web storage authorization framework.
 
@@ -1,6 +1,6 @@
 <p>
   Linked Web Storage describes a mechanism for persisting and managing protected data on the Web. Authorization is the mechanism
-  by which agents request and present access tokens in order to access this protected data.
+  by which <a>agents</a> request and present access tokens in order to access this protected data.
 </p>
 
 <section id="authorization-roles">
@@ -139,7 +139,7 @@ <h5>Request</h5>
         <li>The <code>resource</code> parameter is REQUIRED. The value of this parameter MUST be a URI and will be used to populate the
         <code>aud</code> (audience) claim in the resulting access token. The supplied value will be the same as the
         <code>realm</code> parameter response in a <code>WWW-Authenticate</code> challenge. The authorization server
-        MUST reject any request in which the resource parameter identifies an unknown or untrusted storage.
+        MUST reject any request in which the resource parameter identifies an unknown or untrusted <a>storage</a>.
         </li>
 
         <li>
@@ -183,7 +183,7 @@ <h5>Response</h5>
 
       <ul>
         <li>
-          <code>sub</code> (subject) — <strong>REQUIRED</strong>. This claim MUST be a URI identifying the agent performing the operation
+          <code>sub</code> (subject) — <strong>REQUIRED</strong>. This claim MUST be a URI identifying the <a>agent</a> performing the operation
         </li>
         <li>
           <code>iss</code> (issuer) — <strong>REQUIRED</strong>. This claim MUST be the URI of the authorization server