diff --git a/design/20210203.certificate-request-identity.md b/design/20210203.certificate-request-identity.md
index 728615da0..d08e3a22b 100644
--- a/design/20210203.certificate-request-identity.md
+++ b/design/20210203.certificate-request-identity.md
@@ -48,8 +48,8 @@ is able to determine whether that identity is allowed to request that
 certificate, given some policy configuration setup by a cluster administrator.
 
 Although auditing exists in Kubernetes and exposes the identity of the
-requester, its configuration is not always exposed to end users, such as in
-scenarios when using managed Kubernetes (GKE, EKS etc). In scenarios when
+requester, its configuration is not always exposed to end users, such as
+when using managed Kubernetes (GKE, EKS etc). In scenarios where
 configuring auditing is available, it is often not preferable and an
 anti-pattern to make runtime decisions on historical audit logs.