diff --git a/envoy/api/v2/auth/cert.proto b/envoy/api/v2/auth/cert.proto
index 297d3bbe..4306ae3a 100644
--- a/envoy/api/v2/auth/cert.proto
+++ b/envoy/api/v2/auth/cert.proto
@@ -125,6 +125,9 @@ message CertificateValidationContext {
   // <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also
   // specified.
   //
+  // It can optionally contain certificate revocation lists, in which case Envoy will verify
+  // that the presented peer certificate has not been revoked by one of the included CRLs.
+  //
   // See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
   // system CA locations.
   core.DataSource trusted_ca = 1;