cmal1. authentication can be assured by keys defined in the h-card (that can be cached locally by remote endpoints), 2. encryption is easy 3. giving your endpoint only a subkey of your master key (which you can revoke and change at any time) makes it easier to tackle full-compromission
