Wordsmithing, and tighten up language around mTLS verification

Signed-off-by: Flynn <[email protected]>

Author: kflynn

geps/gep-3792/index.md

@@ -282,27 +282,32 @@ This is a straightforward way to permit each component to verify the identity
 of the other, which will provide sufficient basis for verifying identity when
 mTLS meshes are involved.
 
-- An alternative would be to define a single trust bundle, requiring the OCG
-  and the mesh to each use the same CA certificate. This adds considerable
-  operational complexity (especially in the world of enterprise PKI) without
-  any real benefit.
+- An alternative would be to require the OCG and the mesh to share the same
+  root certificate(s), in which case they would have exactly the same trust
+  bundle. This adds considerable operational complexity (especially in the
+  world of enterprise PKI) without any real benefit.
 
 ### Solving the Protocol Problem
 
 The protocol problem is that the OCG needs a way to indicate to the mesh that
 it intends to participate in the mesh for a given connection, and the mesh
 needs to accept the OCG's participation.
 
-As a starting point for OCG/mTLS mesh interaction:
-
-- The OCG MUST use an mTLS connection to communicate with meshed workloads.
+We start by requiring that the OCG MUST use mTLS to communicate with meshed
+workloads, and that the identities of both peers MUST be verified:
 
 - The OCG MUST use an mTLS certificate ultimately signed by a certificate in
   the trust bundle provided to the mesh.
 
 - The mesh MUST use an mTLS certificate ultimately signed by a certificate in
   the trust bundle provided to the OCG.
 
+- The OCG MUST verify the mesh's certificate against the trust bundle
+  provided to the OCG.
+
+- The mesh MUST verify the OCG's certificate against the trust bundle
+  provided to the mesh.
+
 - The OCG MUST send the `ocg.gateway.networking.k8s.io/v1` ALPN protocol
   during mTLS negotiation. The mesh MUST interpret this ALPN selection as a
   signal that the OCG intends to participate in the mesh.