diff --git a/docs/root/intro/arch_overview/ssl.rst b/docs/root/intro/arch_overview/ssl.rst index 234ccd4cf..e8ad64834 100644 --- a/docs/root/intro/arch_overview/ssl.rst +++ b/docs/root/intro/arch_overview/ssl.rst @@ -14,6 +14,8 @@ requirements (TLS1.2, SNI, etc.). Envoy supports the following TLS features: to server certificate verification. * **Certificate verification and pinning**: Certificate verification options include basic chain verification, subject name verification, and hash pinning. +* **Certificate revocation**: Envoy can check peer certificates against a certificate revocation list + (CRL) if one is :ref:`provided `. * **ALPN**: TLS listeners support ALPN. The HTTP connection manager uses this information (in addition to protocol inference) to determine whether a client is speaking HTTP/1.1 or HTTP/2. * **SNI**: SNI is currently supported for client connections. Listener support is likely to be added diff --git a/envoy/api/v2/auth/cert.proto b/envoy/api/v2/auth/cert.proto index 989107c07..304e19a96 100644 --- a/envoy/api/v2/auth/cert.proto +++ b/envoy/api/v2/auth/cert.proto @@ -152,7 +152,7 @@ message CertificateValidationContext { // An optional `certificate revocation list // `_ // (in PEM format). If specified, Envoy will verify that the presented peer - // certificate has not been revoked by this CRL. If this file contains + // certificate has not been revoked by this CRL. If this DataSource contains // multiple CRLs, all of them will be used. DataSource crl = 7; }
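Review bot: in the ssl.rst hunk the new bullet's cross-reference is `:ref:`provided `` with no label target, so as written Sphinx has nothing to resolve it against; point it at the field that this change documents, e.g. the `crl` field of `CertificateValidationContext`, so the arch overview links to the configuration reference. The bullet would also be more useful if it stated the failure behaviour: a peer certificate that appears in the CRL fails verification and the handshake is rejected, which is the property an operator relies on when deploying this.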
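Review bot: in the cert.proto hunk the reworded comment ("If this DataSource contains multiple CRLs, all of them will be used") still leaves the edge cases undocumented: what happens when the DataSource is empty or not PEM-parseable, when a CRL in it has expired, and when the CRL does not cover the issuer of the presented certificate (i.e. whether verification fails closed or proceeds without a revocation check). Since this is the only place operators see the contract, add one sentence per case; the link in `certificate revocation list ... `_` also appears to have lost its URL target in this hunk and should be checked before merge.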