diff --git a/keps/sig-auth/20190607-certificates-api.md b/keps/sig-auth/20190607-certificates-api.md
index 4ca1193189b2..4a04d55bb2bb 100644
--- a/keps/sig-auth/20190607-certificates-api.md
+++ b/keps/sig-auth/20190607-certificates-api.md
@@ -202,6 +202,16 @@ guaranteed to verify a connection the kube-apiserver using the default service.
 To support HA upgrades, the kube-controller-manager will duplicate defaulting code for an empty `signerName` for one
 release.
 
+#### Limiting approval powers for certain signers.
+Given multiple signers which may be implemented as "dumb" controllers that sign if the CSR is approved, there is benefit
+to providing a simple way to subdivide approval powers through the API.  We can introduce an admission plugin that requires
+ 1. verb == `create`
+ 2. resource == `certificatesigningrequests/approve/(.spec.signerName)`
+ 3. name == `<name of CSR>` 
+ 4. group == `certificates.k8s.io`
+
+If a signer/approver pairs want a stronger guarantee like a signed assertion, that can be built today using annotations. 
+
 ### CertificateSigningRequest API Definition
 
 ```go