Remote CIB administration currently supports unencrypted communication (completely insecure), keyless encryption (subject to man-in-the-middle attacks), and certificate-based encryption. Pacemaker Remote supports pre-shared key (PSK) encryption and certificate-based encryption.
For consistency and security, implement PSK encryption for remote CIB administration, and deprecate the ability to use keyless encryption and unencrypted communication. Currently, a slight mistake in configuring certificate-based encryption could leave the server in an insecure state.
Also create a task to drop the deprecated methods at a new release series.