diff --git a/libwvdrmengine/oemcrypto/include/OEMCryptoCENC.h b/libwvdrmengine/oemcrypto/include/OEMCryptoCENC.h
index 21951e38..f11c3a4a 100644
--- a/libwvdrmengine/oemcrypto/include/OEMCryptoCENC.h
+++ b/libwvdrmengine/oemcrypto/include/OEMCryptoCENC.h
@@ -4924,6 +4924,11 @@ OEMCryptoResult OEMCrypto_GetBootCertificateChain(
  * function is used to generate an OEM Certificate key pair, the session will be
  * ready to sign a provisioning request with the OEM Cert private key.
  *
+ * The public key shall be an ASN.1 DER-encoded SubjectPublicKeyInfo as
+ * specified in RFC 5280. Widevine recommends ECC keys for Provisioning 4.0, but
+ * an RSA key may also be used. If the key is an RSA key, then the encoding
+ * should use "rsaEncryption" (OID 1.2.840.113549.1.1.1), and not RSASSA-PSS.
+ *
  * @param[in] session: session id.
  * @param[out] public_key: pointer to the buffer that receives the public key
  *    that is to be certified by the server. The key must be an ASN.1