RS-002: Clarify that channel messages to Internet gateways must use s…

…elf-issued certs
AwalaApp · Jul 19, 2024 · d89f482 · d89f482
1 parent 1bc4a69
commit d89f482
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/rs002-pki.md b/rs002-pki.md
@@ -97,7 +97,9 @@ Conversely, an Internet gateway will start with one certificate (self-issued), p
 
 Self-issued certificates MUST only be used to issue certificates to peers, and therefore such certificates will be the root for a PDA or a [Cargo Delivery Authorization (CDA)](#cargo-delivery-authorization-cda). Self-issued certificates MUST NOT be used to sign channel or binding messages.
 
-Certificates issued by peers MUST be used to sign [channel](rs000-core.md#gateway-messaging-protocol) and [binding](rs000-core.md#gateway-synchronization-binding) messages like cargoes.
+Certificates issued by peers MUST be used to sign [channel](rs000-core.md#gateway-messaging-protocol) and [binding](rs000-core.md#gateway-synchronization-binding) messages like cargoes,
+except for channel messages sent to Internet gateways,
+which MUST use self-issued certificates as the recipient is an Internet node.
 A certificate issued by a private gateway to its Internet peer is known as a CDA, and additional requirements and recommendations apply.
 
 ### Cargo Delivery Authorization (CDA)