@@ -166,15 +166,17 @@ A **secure channel** referred in [REQ-TECH-2] and used in transportation is a cr
Mutual trust is in plural form not exluding IP Multicast or Anycast usage if implemented.


**Figure 5.2.1-1: Secure channel example with TLS**
The figure above is an illustration of a simple TLS protected communication between NMS and the managed device.
The device initiates the connection towards reachable endpoint based on a DNS address configured into the managed device.
The figure 5.2.1-1 is an illustration of a simple TLS protected communication between product and the managed device, where the device initiates the connection towards reachable endpoint based on a DNS address configured into the managed device.
The device validates the provided public certificate and logs in with machine credentials.
NMS authorises the query based on the role and identity of the device.
Other approaches are possible, including where the product is responsible for initiating the TLS connection towards the managed device and logging into the managed device.
In this case, the managed device is responsible for authorizing the product based on the identity of the product.
### 5.2.2 Cryptographic key intialisation and rotation
***[REQ-CRYPTO-4]** The product shall support and implement a on-demand rotation of cryptographic keys.
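Review bot: the figure description is duplicated in this hunk, and the two copies disagree on naming: "The figure above is an illustration of a simple TLS protected communication between NMS and the managed device." is followed by "The figure 5.2.1-1 is an illustration of a simple TLS protected communication between product and the managed device, where the device initiates the connection ...", which restates the same two sentences with "product" in place of "NMS"; keep one version and use a single term for the management system throughout (the next sentence still says "NMS authorises the query based on the role and identity of the device", while the alternative approach below says "the product is responsible for initiating the TLS connection"). Spelling and grammar in the same hunk: "exluding" should be "excluding", "intialisation" should be "initialisation", "a on-demand rotation" should be "an on-demand rotation", and "referred in [REQ-TECH-2]" should be "referred to in [REQ-TECH-2]". The sentence "Mutual trust is in plural form not exluding IP Multicast or Anycast usage if implemented." is hard to parse; consider something like "Mutual trust may involve more than two parties; IP Multicast or Anycast deployments are not excluded." Finally, "The device validates the provided public certificate and logs in with machine credentials." leaves open what validation means; since the endpoint is selected by a configured DNS address, state the expected checks (chain to a trusted CA, name match against that configured address, validity period and revocation status), otherwise the text permits an accept-any-certificate implementation that defeats the secure channel.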