From f49a4b326f24aecb2f06efa0e3a218ef20310114 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Wed, 5 Jan 2022 10:54:09 -0800
Subject: [PATCH] Add missing comments.

---
 authority/provisioner/nebula.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/authority/provisioner/nebula.go b/authority/provisioner/nebula.go
index d9001ec4..55142e55 100644
--- a/authority/provisioner/nebula.go
+++ b/authority/provisioner/nebula.go
@@ -23,6 +23,15 @@ const (
 NebulaCertHeader jose.HeaderKey = "nbc"
 )
 
+// Nebula is a provisioner that verifies tokens signed using nebula private
+// keys. The tokens embed a header parameter with the certificate that can be
+// used to verify the signature. Those certificates are verified using the
+// Nebula CAs encoded in Roots. The process is similar to X5C or SSHPOP tokens.
+//
+// Because of Nebula "leaf" certificates use X25519 keys, the tokens are signed
+// using XEd25519 defined at
+// https://signal.org/docs/specifications/xeddsa/#xeddsa and implemented by
+// go.step.sm/crypto/x25519.
 type Nebula struct {
 ID string `json:"-"`
 Type string `json:"type"`
@@ -35,6 +44,7 @@ type Nebula struct {
 audiences Audiences
 }
 
+// Init verifies and initializes the nebula provisioner.
 func (p *Nebula) Init(config Config) error {
 switch {
 case p.Type == "":
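Review bot: The second paragraph of the new doc comment on Nebula opens with "Because of Nebula "leaf" certificates use X25519 keys", which does not parse; it should read `// Because Nebula "leaf" certificates use X25519 keys, the tokens are signed`. The first paragraph could also name the header it refers to, since NebulaCertHeader (`nbc`) is declared just above. It would help to say outright that the embedded certificate is supplied with the token and is trusted only after it chains to a CA in Roots. The struct body continues outside the hunk, so the Roots field itself is not visible here.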
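Review bot: "verifies" in the new Init comment is ambiguous, because the type comment in the same file uses that verb for signature and certificate verification. The visible body opens with a switch on `p.Type == ""`, which looks like configuration validation, so `// Init validates the provisioner configuration and initializes the nebula provisioner.` would be clearer. The rest of Init is outside the hunk, so confirm what else it checks before settling the wording.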