Explain EDHOC or alternatives as OSCORE boostraps, add citations

draft-lenders-core-dnr.md

@@ -65,7 +65,14 @@ informative:
   RFC8484: doh
   RFC9250: doq
   I-D.amsuess-core-coap-over-gatt: coap-gatt
-
+  lwm2m:
+    title: White Paper – Lightweight M2M 1.1
+    author:
+      org: OMA SpecWorks
+    date: 2018-10
+    target: https://omaspecworks.org/white-paper-lightweight-m2m-1-1/
+  I-D.ietf-ace-edhoc-oscore-profile: ace-edhoc
+  RFC9203: ace-oscore
 
 --- abstract
 
@@ -88,7 +95,7 @@ DoH, DoQ or similar TLS-based solutions typically are not possible.
 The Constrained Application Protocol (CoAP) {{-coap}}, the transfer protocol for DoC, is mostly
 agnostic to the transport layer, i.e., it can be transported over UDP, TCP, or WebSockets
 {{-coap-tcp}}, and even more obscure transport such as Bluetooth GATT {{-coap-gatt}} or SMS
-[tbd-citation] are discussed.
+{{lwm2m}} are discussed.
 CoAP comes with 3 security modes that would need to be covered by the SvcParams:
 
 - **No Security:** No encryption, just plain CoAP. While not recommended with {{-doc}}, this mode
@@ -98,8 +105,13 @@ CoAP comes with 3 security modes that would need to be covered by the SvcParams:
   transfered over TCP {{-coap-tcp}}.
 - **Object Security:** Application-layer based object encryption within CoAP based on OSCORE
   {{-oscore}}. OSCORE can be either used as an alternative or in addition to transport security.
-  EDHOC {{-edhoc}} is used to establish the encryption context between two hosts and OSCORE-ACE
-  [citation?] can be used for authentication of a server.
+
+  OSCORE keys are not usable indefinitely and need to be set up,
+  for example through an EDHOC key exchange {{-edhoc}},
+  which may use credentials from trusted authorization server (AS)
+  as described in the ACE EDHOC profile {{-ace-edhoc}}.
+  As an alternative to EDHOC,
+  keys can be set up by such an AS as described in the ACE OSCORE profile {{-ace-oscore}}.
 
 ## Problems