From 0f50eda297088ad14ebcf22d1ad2657fe0f3ea92 Mon Sep 17 00:00:00 2001
From: Heiko Schaefer
Date: Tue, 30 Aug 2022 17:49:59 +0200
Subject: [PATCH] Add some notes about the 'cardholder certificate' feature.
---
 openpgp-card/src/openpgp.rs | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/openpgp-card/src/openpgp.rs b/openpgp-card/src/openpgp.rs
index 758f3a0..58a9a70 100644
--- a/openpgp-card/src/openpgp.rs
+++ b/openpgp-card/src/openpgp.rs
@@ -141,6 +141,16 @@ impl<'a> OpenPgpTransaction<'a> {
 ///
 /// Call select_data() before calling this fn to select a particular
 /// certificate (if the card supports multiple certificates).
+ ///
+ /// According to the OpenPGP card specification:
+ ///
+ /// The cardholder certificate DOs are designed to store a certificate (e. g. X.509)
+ /// for the keys in the card. They can be used to identify the card in a client-server
+ /// authentication, where specific non-OpenPGP-certificates are needed, for S-MIME and
+ /// other x.509 related functions.
+ ///
+ /// (See https://support.nitrokey.com/t/nitrokey-pro-and-pkcs-11-support-on-linux/160/4
+ /// for some discussion of the `cardholder certificate` OpenPGP card feature)
 #[allow(dead_code)]
 pub fn cardholder_certificate(&mut self) -> Result, Error> {
 log::info!("OpenPgpTransaction: cardholder_certificate");
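Review bot: The four lines quoted from the card specification are not marked as a quotation, so rustdoc renders them as the crate's own wording; prefixing them with `/// > ` would keep the boundary between spec text and project text visible. The bare forum link will also trigger rustdoc's `bare_urls` lint and is better written as `<https://support.nitrokey.com/t/nitrokey-pro-and-pkcs-11-support-on-linux/160/4>`. Because the new text says the certificate can identify the card in client-server authentication, the comment should add a sentence such as `/// The data is returned as stored on the card; callers must parse and validate it themselves.` This is inferred from the signature alone, since the doc comment starts above the hunk and the function body continues below it.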