Tom, ...
Steve Thank you for the comments. I did not say, but my intent was to make Viktor's statements clearer, easier to comment on, so if he made a mistake, then my intention was to make the same mistake!
understood
So, yes, I would add a reference for reference identity, such as RFC6125, and my [ ?] was intended to convey that I thought that this needed changing, about CAs.
OK.
But on key management, I am not sure I agree with you. Yes, ECDHE is a part of key management, but I would not think of it on its own as being key management; or, put differently, you either have key management or you do not, so 'authenticated key management' seems to me ... well, not real. I look in vain for it in RFC2401 or RFC2828.
Key management comes in many flavors. Some KM techniques provide mutual authentication, some provide 1-way authentication, some provide group-level auth, and some provide no auth. There also are flavors of unauthenticated KM, e.g., TOFU/LoF, that confirm persistence of a peer's key material, absent a third-party assertion about identity. Thus I think it important to note that the IETF has striven to provide authenticated key management on a large scale, and that has imposed impediments to use of many of our protocols.

Steve