diff --git a/rs002-pki.md b/rs002-pki.md index a5f6254..56a9169 100644 --- a/rs002-pki.md +++ b/rs002-pki.md @@ -93,7 +93,7 @@ Where, `limit` specifies how many parcels can be sent within a given number of s Each gateway has at least two certificates for the same long-term key pair: One self-issued and one certificate issued by each of its peer gateways. Consequently, every private gateway has exactly two certificates because it has exactly one peer, while a Internet gateway may have more certificates. -Self-issued certificates MUST only be used to issue certificates to peers, and therefore such certificates will be the root for a PDA or a [Cargo Delivery Authorization (CDA)](#cargo-delivery-authorization-cda). Self-issued certificates MUST NOT be used to sign channel or binding messages. Peers MAY use the self-issued certificate to encrypt payloads when not using the Channel Session Protocol. +Self-issued certificates MUST only be used to issue certificates to peers, and therefore such certificates will be the root for a PDA or a [Cargo Delivery Authorization (CDA)](#cargo-delivery-authorization-cda). Self-issued certificates MUST NOT be used to sign channel or binding messages. Certificates issued by peers MUST be used to sign channel and binding messages like cargoes. A certificate issued by a private gateway to its Internet peer is known as a CDA, and additional requirements and recommendations apply.
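Review bot: the added paragraph no longer says which certificate a peer encrypts payloads to when the Channel Session Protocol is not in use, because the removed sentence "Peers MAY use the self-issued certificate to encrypt payloads when not using the Channel Session Protocol" has no counterpart on the `+` line. If that use is now forbidden, state it explicitly next to the existing "MUST NOT be used to sign channel or binding messages" so implementers do not have to infer it from "MUST only be used to issue certificates to peers"; if it is still permitted, keep the sentence. The new "Certificates issued by peers MUST be used to sign channel and binding messages like cargoes" would also read more precisely as "such as cargoes", since "like" leaves it unclear whether cargoes are an example or a comparison. While this paragraph is being touched, the unchanged context line above has "a Internet gateway", which should be "an Internet gateway".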