diff --git a/draft-ymbk-lsvr-l3dl-signing.xml b/draft-ymbk-lsvr-l3dl-signing.xml
index ef59717..538fde2 100644
--- a/draft-ymbk-lsvr-l3dl-signing.xml
+++ b/draft-ymbk-lsvr-l3dl-signing.xml
@@ -62,8 +62,8 @@
     PDU to contain a key which can be used to verify signatures on
     subsequent PDUs.  This document describes two mechanisms based on
     digital signatures, one that is Trust On First Use (TOFU), and one
-    that uses X.509 certificates to provide authentication as well as
-    session integrity.</t>
+    that uses certificates to provide authentication as well as session
+    integrity.</t>
 
   </abstract>
 
@@ -88,7 +88,8 @@
     for the OPEN PDU to contain an algorithm specifier and a key which
     can be used to verify signatures on subsequent PDUs.  This document
     describes two methods of key generation and signing for use by L3DL,
-    Trust On First Use, AKA TOFU, and a PKI-based mechanism.</t>
+    Trust On First Use (TOFU) and a PKI-based mechanism to provide
+    authentication as well as session integrity.</t>
 
     <t>To the receiver, the two methods are indistinguishable, the key
     provided in the OPEN PDU is used to verify the signatures on the
@@ -178,6 +179,24 @@
     </section>
 
   <section anchor="security" title="Security Considerations">
+
+    <t>The TOFU method requires a leap of faith to accept the key in the
+    OPEN PDU, as it can not be verified against any authority.  Hence it
+    is jokingly referred to as Married On First Date.  The assurance it
+    does provide is that subsequent signed PDUs are from the same peer.
+    And data integrity is a positive side effect of the signature.</t>
+
+    <t>The PKI-based method offers assurance that the certificate, and
+    hence the keying material, provided in the OPEN PDU are authorized
+    by a central authority, e.g. the Clos's network security team.  The
+    onward assurance of talking to the same peer and data integrity are
+    the same as in the TOFU method.</t>
+
+    <t>With the PKI-based method, automated device provisioning could
+    restrict which subsidiary certificates were allowed from which peers
+    on a per interface basis.  This would complicate key rolls.  Where
+    one draws the line between rigidity, flexibility, and security
+    varies.</t>
     
     <t>The REKEY PDU is open to abuse to create an algorithm suite
     downgrade attack.</t>
@@ -210,6 +229,12 @@
          
     </section>
   
+  <section anchor="acks" title="Acknowledgments">
+    
+    <t>The authors than Russ Housley for advice and review.</t>
+
+    </section>
+
   </middle>
 
 <back>