diff --git a/dtbootstrap-anima-keyinfra.xml b/dtbootstrap-anima-keyinfra.xml index 7d2557d..860b5d5 100644 --- a/dtbootstrap-anima-keyinfra.xml +++ b/dtbootstrap-anima-keyinfra.xml @@ -1738,12 +1738,23 @@ locator3 = [O_IPv6_LOCATOR, fe80::1234, 41, nil]]]> Use of TLS 1.3 (or newer) is encouraged. - TLS 1.2 or newer is REQUIRED on the Pledge side. - TLS 1.3 (or newer) SHOULD be available on the Registrar server interface, - and the Registrar client interface, but TLS 1.2 MAY be used. - TLS 1.3 (or newer) SHOULD be available on the MASA server interface, but TLS - 1.2 MAY be used. + TLS 1.2 or newer is REQUIRED on the pledge side. + TLS 1.3 (or newer) SHOULD be available on the registrar server + interface, and the registrar client interface, but TLS 1.2 MAY + be used. + When TLS 1.3 is used the use of Server Name Indication (SNI, + ) is not required, per section 9.2, as this + specification is an application profile specification. + + + A pledge connects to the registrar using only an IP address and it will + not have any idea of a correct SNI value. + This also implies that the registrar interface MUST NOT be virtual- + hosted in such a way that it depends on the SNI being present. + + Establishment of the BRSKI-EST TLS connection is as specified in EST section 4.1.1 "Bootstrap
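Review bot: The sentence "TLS 1.3 (or newer) SHOULD be available on the MASA server interface, but TLS 1.2 MAY be used" is removed by this hunk and none of the added lines say anything about the MASA interface, so the registrar-to-MASA connection is left with no stated minimum TLS version; either keep that sentence or add a line stating where the MASA requirement now lives. The new SNI text says the extension "is not required, per section 9.2", but the parenthetical "(SNI, )" carries no visible reference, so it is not clear which document's section 9.2 is meant; complete the citation so the claim is checkable. Minor: "virtual- hosted" is split across a line break and will come out as "virtual- hosted" in the rendered text; keep "virtual-hosted" on one line.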