
Modify motivation and fix toc
jakubkrzywda committed May 6, 2020
1 parent c88b242 commit 3b72247
Showing 1 changed file with 9 additions and 4 deletions.
@@ -99,6 +99,7 @@ tags, and then generate with `hack/update-toc.sh`.
- [Sign response](#sign-response)
- [Test Plan](#test-plan)
- [Graduation Criteria](#graduation-criteria)
- [Alpha -> Beta Graduation](#alpha---beta-graduation)
- [Upgrade / Downgrade Strategy](#upgrade--downgrade-strategy)
- [Version Skew Strategy](#version-skew-strategy)
- [Implementation History](#implementation-history)
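Review bot: the new nested entry `- [Alpha -> Beta Graduation](#alpha---beta-graduation)` should come from regenerating the list with `hack/update-toc.sh`, as the context line at the top of this hunk instructs, rather than from a hand edit, so the anchor matches the slug GitHub derives from the heading. `alpha---beta-graduation` is what that slugging produces for `Alpha -> Beta Graduation` (the `>` is dropped and each space becomes a hyphen), so it is consistent provided the body heading reads exactly that.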
@@ -107,7 +108,8 @@ tags, and then generate with `hack/update-toc.sh`.
- [External signer vs existing authenticators using TLS certificates](#external-signer-vs-existing-authenticators-using-tls-certificates)
- [Monolithic vs modular architecture](#monolithic-vs-modular-architecture)
- [RPC vs exec](#rpc-vs-exec)
- [Stdin vs program argument](#stdin-vs-program-argument)
- [Independent external plugin configuration vs passing configuration parameters from kubectl/client-go](#independent-external-plugin-configuration-vs-passing-configuration-parameters-from-kubectlclient-go)
- [Stdin vs environment variables vs program arguments](#stdin-vs-environment-variables-vs-program-arguments)
- [Infrastructure Needed (optional)](#infrastructure-needed-optional)
<!-- /toc -->
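Review bot: renaming `- [Stdin vs program argument](#stdin-vs-program-argument)` to `- [Stdin vs environment variables vs program arguments](#stdin-vs-environment-variables-vs-program-arguments)` removes the old anchor, so any in-text link to `#stdin-vs-program-argument` elsewhere in the KEP (outside this TOC hunk) will dangle; please grep for the old slug and update it. Also confirm the two new entries sit in the same order as their headings under Alternatives, since the TOC is generated by `hack/update-toc.sh` and a hand-placed entry can drift from the body. The long slug `#independent-external-plugin-configuration-vs-passing-configuration-parameters-from-kubectlclient-go` is the correct form for that heading (the `/` in `kubectl/client-go` is dropped).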

@@ -173,10 +175,13 @@ demonstrate the interest in a KEP within the wider Kubernetes community.
[experience reports]: https://github.com/golang/go/wiki/ExperienceReports
-->

How would you react if your laptop was stolen? Are you worried about attackers performing a cold boot attack to extract your Kubernetes credentials? Do you already use a YubiKey for SSH and GPG, and wonder why you cannot use it with kubectl? If yes, then this enhancement is for you!
<!-- How would you react if your laptop was stolen? Are you worried about attackers performing a cold boot attack to extract your Kubernetes credentials? -->
Are you worried about someone getting access to your Kubernetes credentials?
(For example, by extracting private keys from your laptop using malware or by performing a cold boot attack.)
Do you already use a YubiKey for SSH and GPG, and wonder why you cannot use it with kubectl? If yes, then this enhancement is for you!

Highly regulated environments, such as FinTech, require delegating all digital key operations to specialized [Hardware Security Modules (HSMs)](https://en.wikipedia.org/wiki/Hardware_security_module). Amongst others, HSMs increase security by storing digital keys without allow them to be extracted. Authentication, encryption and signing is performed via a standard such as the PKCS#11 on the HSM directly. In fact, many regulated environments already require developers and operators to store SSH and GPG keys on the [YubiKey](https://en.wikipedia.org/wiki/YubiKey), a popular HSM connected via USB.

Unfortunately, as of today, kubectl lacks support for PKCS#11 (see [Issue #64783](https://github.com/kubernetes/kubernetes/issues/64783)). Indeed, kubectl requires direct access to the client key data, which can either be stored in the kubeconfig or provided via a [credentials plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins). Because of this, some security bloggers have even argued for [not using certificates](https://www.tremolosecurity.com/kubernetes-dont-use-certificates-for-authentication/) in kubectl at all.

### Goals
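Review bot: the HTML comment on the line starting `<!-- How would you react if your laptop was stolen?` keeps a copy of the sentence this commit replaces; delete it rather than leaving dead text, because HTML comments in this file otherwise carry the KEP template's instructions (see the `[experience reports]: ...` block closed by `-->` just above) and a commented-out draft sentence is easy to mistake for guidance. In the new text, fold the stand-alone parenthetical `(For example, by extracting private keys from your laptop using malware or by performing a cold boot attack.)` into the preceding sentence. Two grammar slips in the HSM paragraph: `storing digital keys without allow them to be extracted` should read `without allowing them to be extracted`, and `Authentication, encryption and signing is performed` should be `are performed`. Minor: the linked docs page calls the mechanism a client-go credential plugin, so `credentials plugin` should be `credential plugin`.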
