diff --git a/index.bs b/index.bs
index 484353127..44e1cbc60 100644
--- a/index.bs
+++ b/index.bs
@@ -562,11 +562,12 @@ When this method is invoked, the user agent MUST execute the following algorithm
1. Let |options| be the value of |options|.{{CredentialCreationOptions/publicKey}}
.
-1. If any of the {{PublicKeyCredentialEntity/name}} member of |options|.{{MakePublicKeyCredentialOptions/rp}}, the
- {{PublicKeyCredentialEntity/name}} member of |options|.{{MakePublicKeyCredentialOptions/user}},
- the {{PublicKeyCredentialUserEntity/displayName}} member of |options|.{{MakePublicKeyCredentialOptions/user}},
- or the {{PublicKeyCredentialUserEntity/id}}
- member of |options|.{{MakePublicKeyCredentialOptions/user}} are [=present|not present=], return a {{TypeError}} [=simple exception=].
+1. If any of the {{PublicKeyCredentialEntity/name}} member of |options|.{{MakeCredentialOptions/rp}}
, the
+ {{PublicKeyCredentialEntity/name}} member of |options|.{{MakeCredentialOptions/user}}
,
+ the {{PublicKeyCredentialUserEntity/displayName}} member of |options|.{{MakeCredentialOptions/user}}
,
+ or the {{PublicKeyCredentialEntity/id}}
+ member of |options|.{{MakeCredentialOptions/user}}
are [=present|not present=], return a {{TypeError}}
+ [=simple exception=].
1. If the {{MakePublicKeyCredentialOptions/timeout}} member of |options| is [=present=], check if its value lies within a
reasonable range as defined by the platform and if not, correct it to the closest value lying within that range. Set
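Review bot: The rename from {{MakePublicKeyCredentialOptions/...}} to {{MakeCredentialOptions/...}} is only partial in this hunk: the unchanged context line immediately after it still reads `1. If the {{MakePublicKeyCredentialOptions/timeout}} member of |options| is [=present=]`, so after this patch the same dictionary is referenced under two names within three lines. Either rename the timeout reference in the same change or keep the old name here until the dictionary itself is renamed; Bikeshed will otherwise fail to resolve whichever autolink does not match a defined dfn. The same applies to the change from {{PublicKeyCredentialUserEntity/id}} to {{PublicKeyCredentialEntity/id}} for the user member: confirm that an `id` member is actually defined on the base PublicKeyCredentialEntity dictionary, since the check on rp.id elsewhere in this patch also moves to that base type.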
@@ -588,38 +589,44 @@ When this method is invoked, the user agent MUST execute the following algorithm
such as [=domain=], [=ipv4 address=], [=ipv6 address=], [=opaque host=], or [=empty host=].
Only the [=domain=] format of [=host=] is allowed here.
-1. Let |rpId| be |effectiveDomain|.
-
|options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}}
+ |options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}}
[=is not a
+ registrable domain suffix of and is not equal to=] |effectiveDomain|, return a {{DOMException}} whose name
+ is "{{SecurityError}}", and terminate this algorithm.
- 1. Set |rpId| to |options|.{{MakePublicKeyCredentialOptions/rp}}.{{PublicKeyCredentialRpEntity/id}}.
+ : Is [=present|not present=]
+ :: Set |options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}}
to
+ |effectiveDomain|.
- Note: |rpId| represents the caller's [=RP ID=]. The [=RP ID=] defaults to being the caller's [=environment settings
- object/origin=]'s [=effective domain=] unless the caller has explicitly set
- |options|.{{MakePublicKeyCredentialOptions/rp}}.{{PublicKeyCredentialRpEntity/id}} when calling
+ |options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}}
represents the caller's
+ [=RP ID=]. The [=RP ID=] defaults to being the caller's [=environment settings object/origin=]'s [=effective
+ domain=] unless the caller has explicitly set
+ |options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}}
when calling
{{CredentialsContainer/create()}}.
|options|.{{MakePublicKeyCredentialOptions/pubKeyCredParams}}:
+
1. If |current|.{{PublicKeyCredentialParameters/type}}
does not contain a {{PublicKeyCredentialType}} supported
by this implementation, then [=continue=].
1. Let |alg| be |current|.{{PublicKeyCredentialParameters/alg}}
.
1. [=list/Append=] the pair of |current|.{{PublicKeyCredentialParameters/type}}
and |alg| to
|credTypesAndPubKeyAlgs|.
-1. If |credTypesAndPubKeyAlgs| [=list/is empty=] and |options|.{{MakePublicKeyCredentialOptions/pubKeyCredParams}}
- [=list/is not empty=], cancel the timer started in step 2, return a {{DOMException}} whose name is "{{NotSupportedError}}",
- and terminate this algorithm.
+1. If |credTypesAndPubKeyAlgs| [=list/is empty=] and |options|.{{MakePublicKeyCredentialOptions/pubKeyCredParams}}
+ [=list/is not empty=], return a {{DOMException}} whose name is "{{NotSupportedError}}", and terminate this algorithm.
1. Let |clientExtensions| be a new [=map=] and let |authenticatorExtensions| be a new [=map=].
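Review bot: The `: Is [=present|not present=] :: Set |options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}} to |effectiveDomain|` branch replaces the local |rpId| variable with an in-place write to the caller-supplied options dictionary. That is observable to script if |options| is the object passed to create() rather than a copy, and it also means every later step that used |rpId| now has to read rp.id instead; check that no remaining step in this algorithm (for example where the client data is assembled) still references |rpId|, because this hunk removes its definition. Separately, the removed `cancel the timer started in step 2` wording in the NotSupportedError step is consistent only if the timer really is started later (the later hunk moves `Start a timer for |adjustedTimeout| milliseconds` after the authenticator invocations); if any earlier step still starts the timer, the cancel must stay. The context lines `|options|.{{MakePublicKeyCredentialOptions/pubKeyCredParams}}` in this hunk are also left under the old dictionary name.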
@@ -663,7 +670,7 @@ When this method is invoked, the user agent MUST execute the following algorithm
1. If |currentlyAvailableAuthenticators| [=list/is empty=], return a {{DOMException}} whose name is
"{{NotFoundError}}", and terminate this algorithm.
-1. If |options|.{{MakePublicKeyCredentialOptions/authenticatorSelection}} is [=present|present=], iterate through
+1. If |options|.{{MakeCredentialOptions/authenticatorSelection}}
is [=present|present=], iterate through
|currentlyAvailableAuthenticators| and do the following [=set/for each=] |authenticator|:
1. If {{AuthenticatorSelectionCriteria/authenticatorAttachment}} is [=present|present=] and its value is not equal
to |authenticator|'s attachment modality, [=iteration/continue=].
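Review bot: The rename in this hunk breaks the sentence across an unnecessary line boundary (`{{MakeCredentialOptions/authenticatorSelection}}` on one line and `is [=present|present=], iterate through` on the next); rewrap to the surrounding line width so the diff shows a pure identifier change. Note that the next hunk stops passing {{AuthenticatorSelectionCriteria/requireResidentKey}} to the authenticator, while this step still filters on {{AuthenticatorSelectionCriteria/authenticatorAttachment}}; if requireResidentKey is now meant to be handled by the client rather than the authenticator, the handling should appear in this selection loop, otherwise the member is silently ignored.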
@@ -680,14 +687,16 @@ When this method is invoked, the user agent MUST execute the following algorithm
1. [=set/For each=] |authenticator| in |currentlyAvailableAuthenticators|:
1. Let |excludeCredentialDescriptorList| be a new [=list=].
+
1. [=list/For each=] credential descriptor |C| in |options|.{{MakePublicKeyCredentialOptions/excludeCredentials}}
:
1. If |C|.{{transports}}
[=list/is not empty=], and |authenticator| is connected over a transport not
mentioned in |C|.{{transports}}
, the client MAY [=continue=].
1. Otherwise, [=list/Append=] |C| to |excludeCredentialDescriptorList|.
- 1. [=In parallel=], invoke the [=authenticatorMakeCredential=] operation on |authenticator| with |rpId|,
- |clientDataHash|, |options|.{{MakePublicKeyCredentialOptions/rp}}, |options|.{{MakePublicKeyCredentialOptions/user}},
- |options|.{{MakePublicKeyCredentialOptions/authenticatorSelection}}.{{AuthenticatorSelectionCriteria/requireResidentKey}}
,
- |credTypesAndPubKeyAlgs|, |excludeCredentialDescriptorList|, and |authenticatorExtensions| as parameters.
+
+ 1. Invoke the [=authenticatorMakeCredential=] operation on |authenticator| with
+ |clientDataHash|, |options|.{{MakeCredentialOptions/rp}}
, |options|.{{MakeCredentialOptions/user}}
,
+ |normalizedParameters|, |excludeCredentialDescriptorList|, and |authenticatorExtensions| as parameters.
+
1. [=set/Append=] |authenticator| to |issuedRequests|.
1. Start a timer for |adjustedTimeout| milliseconds. Then execute the following steps [=in parallel=]. The [=task source=] for
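Review bot: The new invocation step passes `|normalizedParameters|` to [=authenticatorMakeCredential=], but no step in this patch defines that variable; the earlier hunk still builds and checks `|credTypesAndPubKeyAlgs|`, which is now computed and never used. Either rename the list where it is built or keep passing |credTypesAndPubKeyAlgs| here. Two further behavioural changes in this hunk are not called out: `[=In parallel=]` is dropped from the invocation (so the per-authenticator call is now sequential with the loop, while the timer and the `[=in parallel=]` block only begin in the unchanged step after it), and the `requireResidentKey` argument is removed entirely. Both change what the client does and should either be restored or described in the commit message; the input parameter list of authenticatorMakeCredential in the later hunk must match whatever is decided here. The context line `|options|.{{MakePublicKeyCredentialOptions/excludeCredentials}}` is again under the old dictionary name.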
@@ -731,7 +740,7 @@ When this method is invoked, the user agent MUST execute the following algorithm
: {{PublicKeyCredential/clientExtensionResults}}
:: A new {{AuthenticationExtensions}} object containing the [=extension identifier=] → [=client extension output=]
entries created by running each extension's [=client extension processing=] algorithm to create the [=client
- extension outputs=], for each [=client extension=] in {{AuthenticatorResponse/clientDataJSON}}.clientExtensions.
+ extension outputs=], for each [=client extension=] in {{AuthenticatorResponse/clientDataJSON}}.clientExtensions
.
5. [=set/For each=] remaining |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on
|authenticator| and [=set/remove=] it from |issuedRequests|.
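Review bot: This hunk changes nothing but moves the trailing `.` of `{{AuthenticatorResponse/clientDataJSON}}.clientExtensions` onto its own line; in Bikeshed that renders as a space before the full stop. Drop this hunk (or rejoin the period to the preceding line) so the diff contains only intended changes.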
@@ -1654,9 +1663,9 @@ The following operations can be invoked by the client in an authenticator sessio
This operation must be invoked in an authenticator session which has no other operations in progress. It takes the following
input parameters:
-- The caller's [=RP ID=], as determined by the user agent and the client.
- The [=hash of the serialized client data=], provided by the client.
-- The [=[RP]=]'s {{PublicKeyCredentialRpEntity}}.
+- The [=[RP]=]'s {{PublicKeyCredentialEntity}}. This contains the caller's [=RP ID=], as
+ determined by the user agent and the client.
- The user account's {{PublicKeyCredentialUserEntity}}.
- A sequence of pairs of {{PublicKeyCredentialType}} and {{COSEAlgorithmIdentifier}} requested by the [=[RP]=].
This sequence is ordered from most preferred to least
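Review bot: The rp input parameter changes type from {{PublicKeyCredentialRpEntity}} to the base {{PublicKeyCredentialEntity}} while the next bullet keeps the derived {{PublicKeyCredentialUserEntity}} for the user; if the RP ID is carried in the rp-specific entity, this should stay {{PublicKeyCredentialRpEntity}}, and if the intent is to collapse the RP entity into the base type that should be said explicitly. With the standalone RP ID bullet removed, the sentence `This contains the caller's [=RP ID=], as determined by the user agent and the client` is the only place stating that the client has already defaulted and validated rp.id before the authenticator sees it; consider saying that validation is the client's responsibility (the create() algorithm above is where it happens). Also confirm that the remaining bullets in this list no longer mention a requireResidentKey input, since the client-side invocation in this patch stops passing it.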