path: root/doc/plugindev/certauth.rst
Diffstat (limited to 'doc/plugindev/certauth.rst')
-rw-r--r--  doc/plugindev/certauth.rst  21
1 files changed, 12 insertions, 9 deletions
diff --git a/doc/plugindev/certauth.rst b/doc/plugindev/certauth.rst
index 7a7a07700..3740c5f7b 100644
--- a/doc/plugindev/certauth.rst
+++ b/doc/plugindev/certauth.rst
@@ -13,16 +13,19 @@ A certauth module implements the **authorize** method to determine
whether a client's certificate is authorized to authenticate a client
principal. **authorize** receives the DER-encoded certificate, the
requested client principal, and a pointer to the client's
-krb5_db_entry (for modules that link against libkdb5). It returns the
+krb5_db_entry (for modules that link against libkdb5). The method
+must decode the certificate and inspect its attributes to determine if
+it should authorize PKINIT authentication. It returns the
authorization status and optionally outputs a list of authentication
-indicator strings to be added to the ticket. Beginning in release
-1.19, the authorize method can request that the hardware
-authentication bit be set in the ticket by returning
-**KRB5_CERTAUTH_HWAUTH**. Beginning in release 1.20, the authorize method
-can return **KRB5_CERTAUTH_HWAUTH_PASS** to request that the hardware
-authentication bit be set in the ticket but otherwise defer authorization
-to another certauth module. A module must use its own internal or
-library-provided ASN.1 certificate decoder.
+indicator strings to be added to the ticket.
+
+Beginning in release 1.19, the authorize method can request that the
+hardware authentication bit be set in the ticket by returning
+**KRB5_CERTAUTH_HWAUTH**. Beginning in release 1.20, the authorize
+method can return **KRB5_CERTAUTH_HWAUTH_PASS** to request that the
+hardware authentication bit be set in the ticket but otherwise defer
+authorization to another certauth module. A module must use its own
+internal or library-provided ASN.1 certificate decoder.
A module can optionally create and destroy module data with the
**init** and **fini** methods. Module data objects last for the
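Review bot: the new sentence in the first paragraph ("The method must decode the certificate and inspect its attributes to determine if it should authorize PKINIT authentication") leaves the unchanged closing sentence "A module must use its own internal or library-provided ASN.1 certificate decoder." stranded at the end of the second paragraph, which is otherwise only about the KRB5_CERTAUTH_HWAUTH and KRB5_CERTAUTH_HWAUTH_PASS return values. Since the decoder sentence is the practical consequence of the new "must decode" requirement (libkrb5 does not hand the module a parsed certificate), consider moving it into the first paragraph directly after the new sentence, e.g. "... to determine if it should authorize PKINIT authentication; a module must use its own internal or library-provided ASN.1 certificate decoder for this." That keeps the paragraph split along the lines the commit intends: what authorize must do with the certificate in one paragraph, the optional hardware-authentication return values in the other. Minor style point while here: "determine if it should authorize" reads better as "determine whether it should authorize".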