diff --git a/tech/cia-do-dont.wiki b/tech/cia-do-dont.wiki
index 6f466f1..0236e60 100644
--- a/tech/cia-do-dont.wiki
+++ b/tech/cia-do-dont.wiki
@@ -78,4 +78,8 @@ This is the CIA list of dos and donts.
 * Authentication *must* be done with TLS 1.2, Elliptic curve DSA, DSA, or RSA 
   - Asymmetric keys *must* be at least 2048 bits (Elliptic curve, 256 bits)
 * Authentication via TLS 1.2 *must* include the use of certs by both parties
-* Authentication via TLS 1.2 *must* validate the cert
+* Authentication via TLS 1.2 *must* validate the cert utlized by both parties.
+  If the cert is invalid, they should terminate the connection. This guidance
+  referes to the inner cryptosctream which may be masked by HTTPS, this doesn
+  no apply to the outer stream
+* Tools must support unique certs and CAs for network auth for each deployment