diff --git a/node/Topology.cpp b/node/Topology.cpp
index 5632c3372..0cd3db9e9 100644
--- a/node/Topology.cpp
+++ b/node/Topology.cpp
@@ -234,16 +234,24 @@ bool Topology::isProhibitedEndpoint(const Address &ztaddr,const InetAddress &ipa
 // bit of extra security against spoofing, replaying, etc.
 if (std::find(_upstreamAddresses.begin(),_upstreamAddresses.end(),ztaddr) != _upstreamAddresses.end()) {
 for(std::vector::const_iterator r(_planet.roots().begin());r!=_planet.roots().end();++r) {
- for(std::vector::const_iterator e(r->stableEndpoints.begin());e!=r->stableEndpoints.end();++e) {
- if (ipaddr.ipsEqual(*e))
- return false;
+ if (r->identity.address() == ztaddr) {
+ if (r->stableEndpoints.size() == 0)
+ return false; // no stable endpoints specified, so allow dynamic paths
+ for(std::vector::const_iterator e(r->stableEndpoints.begin());e!=r->stableEndpoints.end();++e) {
+ if (ipaddr.ipsEqual(*e))
+ return false;
+ }
 }
 }
 for(std::vector::const_iterator m(_moons.begin());m!=_moons.end();++m) {
 for(std::vector::const_iterator r(m->roots().begin());r!=m->roots().end();++r) {
- for(std::vector::const_iterator e(r->stableEndpoints.begin());e!=r->stableEndpoints.end();++e) {
- if (ipaddr.ipsEqual(*e))
- return false;
+ if (r->identity.address() == ztaddr) {
+ if (r->stableEndpoints.size() == 0)
+ return false; // no stable endpoints specified, so allow dynamic paths
+ for(std::vector::const_iterator e(r->stableEndpoints.begin());e!=r->stableEndpoints.end();++e) {
+ if (ipaddr.ipsEqual(*e))
+ return false;
+ }
 }
 }
 }
diff --git a/one.cpp b/one.cpp
index 43af7dea6..016aab746 100644
--- a/one.cpp
+++ b/one.cpp
@@ -545,7 +545,6 @@ static void idtoolPrintHelp(FILE *out,const char *pn)
 fprintf(out," getpublic " ZT_EOL_S);
 fprintf(out," sign " ZT_EOL_S);
 fprintf(out," verify " ZT_EOL_S);
- fprintf(out," mkcom [ ...] (hexadecimal integers)" ZT_EOL_S);
 }
 
 static Identity getIdFromArg(char *arg)
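Review bot: The new early return `if (r->stableEndpoints.size() == 0) return false;` in node/Topology.cpp switches the endpoint check off entirely for any planet or moon root that lists no stable endpoints, so every physical IP is accepted for that address, while the comment above still presents this check as protection against spoofing and replay. If that trade-off is intended, state it at the return, e.g. `// root has no stable endpoints: no IP pinning applies, any physical address is accepted`, and write the test as `r->stableEndpoints.empty()`. The same seven added lines appear twice, once for the planet roots and once for the moon roots; a small file-local helper taking the root and `ipaddr` would keep the two copies from drifting apart. The function starts and ends outside the hunk, so what is returned when `ztaddr` is an upstream address but matches no root identity is not visible here and should be confirmed.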
@@ -690,34 +689,6 @@ static int idtool(int argc,char **argv) fprintf(stderr,"%s signature check FAILED" ZT_EOL_S,argv[3]); return 1; } - } else if (!strcmp(argv[1],"mkcom")) { - if (argc < 3) { - idtoolPrintHelp(stdout,argv[0]); - return 1; - } - - Identity id = getIdFromArg(argv[2]); - if ((!id)||(!id.hasPrivate())) { - fprintf(stderr,"Identity argument invalid, does not include private key, or file unreadable: %s" ZT_EOL_S,argv[2]); - return 1; - } - - CertificateOfMembership com; - for(int a=3;a params(OSUtils::split(argv[a],",","","")); - if (params.size() == 3) { - uint64_t qId = Utils::hexStrToU64(params[0].c_str()); - uint64_t qValue = Utils::hexStrToU64(params[1].c_str()); - uint64_t qMaxDelta = Utils::hexStrToU64(params[2].c_str()); - com.setQualifier(qId,qValue,qMaxDelta); - } - } - if (!com.sign(id)) { - fprintf(stderr,"Signature of certificate of membership failed." ZT_EOL_S); - return 1; - } - - printf("%s",com.toString().c_str()); } else { idtoolPrintHelp(stdout,argv[0]); return 1;