Add comments around aud specification. (#610)

/fixes #590

docs/design/verification_protocol.md

@@ -62,7 +62,9 @@ First, using the standard claims.
 * `iss` : The issuer will be used to determine which public key(s) are valid for
 verification. This is to allow for key rotation.
 * `aud` : The audience must be as configured for this installation of the
-exposure notifications server.
+exposure notifications server. The operator of the exposure notifications server
+is the one to define this value and should be shared to all participating health
+authorities.
 * `iat` : The unix timestamp at which the token was issued.
 * `exp` : The unix timestamp at which the token will expire.
 * `nbf` : If present, the "not before" timestamp will be honored.

tools/admin-console/templates/healthauthority.html

@@ -32,9 +32,10 @@ <h2>Edit Health Authority '{{.ha.Issuer}}'</h2>
     <label class="control-label col-sm-3" for="Audience">Audience:</label>
     <div class="col-sm-6">
       <input type="text" id="Audience" name="Audience" size="50" value="{{.ha.Audience}}">
-      <small id="AudienceHelpBlock" class="form-text text-muted">The audience that will
-        be present, specific to this server if the verifying authority is working
-        with multiple backends. This is the 'aud' field of the certificate JWT.
+      <small id="AudienceHelpBlock" class="form-text text-muted">
+        The valud for audience is defined by the operator of this server. It should be
+        communicated to the health authority for inclusion in the verification
+        certificates. This is the 'aud' field of the certificate JWT.
         <strong>Once set, this field should not be edited.</strong></small>
     </div>
   </div>