Certificate-based authentication schemes can therefore be ruled out: certificates which confirm that guest and remote station belong together would require the host to trust the authority issuing these certificates, which would again mean that the host needs to accept the decision of an external instance of whether to share her Interne connection with a guest or not.