diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index 79e3843d44..479a0031da 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md @@ -476,6 +476,26 @@ version of TLS. An endpoint MUST terminate the connection if a version of TLS older than 1.3 is negotiated. +## Peer Authentication + +The requirements for authentication depend on the application protocol that is +in use. TLS provides server authentication and permits the server to request +client authentication. + +A client MUST authenticate the identity of the server. This typically involves +verification that the identity of the server is included in a certificate and +that the certificate is issued by a trusted entity (see for example +{{?RFC2818}}). + +A server MAY request that the client authenticate during the handshake. A server +MAY refuse a connection if the client is unable to authenticate when requested. +The requirements for client authentication vary based on application protocol +and deployment. + +A server MUST NOT use post-handshake client authentication (see Section 4.6.2 of +{{!I-D.ietf-tls-tls13}}). + + # QUIC Packet Protection {#packet-protection} QUIC packet protection provides authenticated encryption of packets. This
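Review bot: The new "A client MUST authenticate the identity of the server" requirement does not say what the client does when that authentication fails, whereas the unchanged context just above it spells out the action for a version mismatch ("An endpoint MUST terminate the connection if a version of TLS older than 1.3 is negotiated"). Suggest adding a sentence after "{{?RFC2818}})." stating that a client that cannot authenticate the server MUST abort the handshake (or terminate the connection), so the normative behaviour on failure is as explicit as it is for the TLS version check. Similarly, "A server MUST NOT use post-handshake client authentication (see Section 4.6.2 of {{!I-D.ietf-tls-tls13}})" gives the prohibition without its reason; a short clause explaining why post-handshake CertificateRequest is excluded for QUIC would help implementers understand the constraint rather than just comply with it.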