- * - When doing validation, a target public key type is provided. That
- * type is the combination of a key algorithm (RSA or EC) and an
- * intended key usage (key exchange or signature); in the context
- * of a SSL/TLS client validating a server's certificate, the algorithm
- * and usage are obtained from the cipher suite (e.g. ECDHE_RSA means
- * that an RSA key for signatures is expected).
+ * - Successful validation produces a public key type but also a set
+ * of allowed usages (`BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`).
+ * The caller is responsible for checking that the key type and
+ * usages are compatible with the expected values (e.g. with the
+ * selected cipher suite, when the client validates the server's
+ * certificate).
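Review bot: the added bullet's sentence "The caller is responsible for checking that the key type and usages are compatible with the expected values" drops the concrete ECDHE_RSA example that the removed text carried, so the reader is not shown what a compatible result looks like. Suggest restoring it in the new wording, for instance that with an ECDHE_RSA cipher suite the caller must verify that the returned key is RSA and that the allowed usages include `BR_KEYTYPE_SIGN`. The comment should also state whether validation itself still rejects a mismatch. As written, the check appears to live only in the caller, and a caller that omits it would accept a key outside its permitted usage.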