diff --git a/lib/x509.mli b/lib/x509.mli
index a06771a9..01c9c809 100644
--- a/lib/x509.mli
+++ b/lib/x509.mli
@@ -816,12 +816,13 @@ module Authenticator : sig
 
   (** [chain_of_trust ~time ~crls ~hash_whitelist trust_anchors] is
       [authenticator], which uses the given [time] and list of [trust_anchors]
-      to verify the certificate chain. This is an implementation of the
-      algorithm described in
+      to verify the certificate chain. All signatures must use a hash algorithm
+      specified in [hash_whitelist], defaults to SHA-2.  Signatures on revocation
+      lists [crls] must also use a hash algorithm in [hash_whitelist]. This is
+      an implementation of the algorithm described in
       {{:https://tools.ietf.org/html/rfc5280#section-6.1}RFC 5280}, using
       {!Validation.verify_chain_of_trust}.  The given trust anchors are not
-      checked to be valid trust anchors any further (you have to do this
-      manually with {!Validation.valid_ca} or {!Validation.valid_cas})!  *)
+      validated, you can filter them with {!Validation.valid_cas} if desired. *)
   val chain_of_trust : ?time:Ptime.t -> ?crls:CRL.t list ->
     ?hash_whitelist:Nocrypto.Hash.hash list -> Certificate.t list -> t
 
diff --git a/tests/regression.ml b/tests/regression.ml
index cc0365c2..c0ad35a8 100644
--- a/tests/regression.ml
+++ b/tests/regression.ml
@@ -26,10 +26,8 @@ let test_jc_ca_fail () =
   | Error `InvalidChain -> ()
   | _ -> Alcotest.fail "something went wrong with jc_ca"
 
-let hash_whitelist = [ `SHA1 ]
-
 let test_jc_ca_all_hashes () =
-  match Validation.verify_chain_of_trust ~hash_whitelist ~host:(host "jabber.ccc.de") ~anchors:[cacert] [jc ; cacert] with
+  match Validation.verify_chain_of_trust ~hash_whitelist:[`SHA1] ~host:(host "jabber.ccc.de") ~anchors:[cacert] [jc ; cacert] with
   | Ok _ -> ()
   | _ -> Alcotest.fail "something went wrong with jc_ca"