diff --git a/doc/glossary.rst b/doc/glossary.rst
index 74c975cf89..6b35b6446d 100644
--- a/doc/glossary.rst
+++ b/doc/glossary.rst
@@ -30,7 +30,7 @@ Glossary
    CA
    Certificate Authority
 
-      An entity that signs and issues digital certificates , certifying the ownership of a public
+      An entity that signs and issues digital certificates, certifying the ownership of a public
       key by the named subject of the certificate.
       CAs are a part of a public key infrastructure, like the SCION :term:`Control-Plane PKI`.
 
diff --git a/doc/manuals/control.rst b/doc/manuals/control.rst
index 7257066cf7..f1e8fd3567 100644
--- a/doc/manuals/control.rst
+++ b/doc/manuals/control.rst
@@ -10,8 +10,9 @@ It signs and validates the path information based on the :term:`Control-Plane PK
 The :program:`control` service is also the recursive resolver for path information for endpoints in
 the local AS.
 
-In core ASes, the :program:`control` service also acts as the certificate authority from which ASes
-in the local ISD request renewed certificates (or as a proxy thereof).
+In ASes with the :ref:`CA role<overview-as-roles>`, the :program:`control` service also acts as the
+certificate authority from which ASes in the local ISD request renewed certificates (or as a proxy
+thereof).
 
 See :doc:`/control-plane` for an introduction to the SCION control plane and the tasks of the
 :program:`control` service.
diff --git a/doc/overview.rst b/doc/overview.rst
index 657b391f4d..93203eb4cf 100644
--- a/doc/overview.rst
+++ b/doc/overview.rst
@@ -61,6 +61,27 @@ The endpoint local address is not used for inter-domain routing or forwarding, d
 globally unique, and can thus be an IPv4, IPv6, or MAC address, for example.
 A SCION endpoint address is the ``ISD-AS,local address`` 3-tuple.
 
+.. _overview-as-roles:
+
+AS Roles
+^^^^^^^^
+
+Some ASes have special roles in their ISD.
+The TRC of an ISD declares which AS has which designated roles.
+An AS can have multiple, or all, of these roles at the same time.
+
+- **Core ASes** have a special role in routing.
+  They are at the top of their ISD's routing domain, and connect their customer ASes to the outside.
+  Core ASes participate in the inter-ISD *and* the intra-ISD path-exploration process (see
+  `Routing`_ below).
+
+- **Certification authorities (CAs)** are responsible for issuing AS certificates to other ASes
+  and/or themselves.
+
+- **Voting ASes** and **Authoritative ASes** are related to the update mechanism for TRCs.
+  Voting ASes can "vote" to accept an updated TRC.
+  Authoritative ASes always have the latest TRCs of the ISD and start the announcement of a TRC update.
+
 .. _overview-link-types:
 
 Link Types