- * A custom KeyResolver can be supplied from outside the TrustEngine.
- * Alternatively, one may be specified to the plugin constructor.
- * A non-caching, inline resolver will be used as a fallback.
+ * <p>It is the responsibility of the application to ensure that the credentials
+ * supplied are in fact associated with the peer who presented the credential.
+ *
+ * <p>If criteria with a peer name are supplied, the "name" of the EE certificate
+ * may also be checked to ensure that it identifies the intended peer.
+ * The peer name itself or implementation-specific rules based on the content of the
+ * peer credentials may be applied. Implementations may omit this check if they
+ * deem it unnecessary.