diff --git a/include/psa/crypto.h b/include/psa/crypto.h
index 3d99933c04..48c9713511 100644
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@@ -788,6 +788,10 @@ typedef uint32_t psa_algorithm_t;
 * is true). This may be a truncated or untruncated
 * MAC algorithm.
 * \param mac_length Desired length of the truncated MAC in bytes.
+ * This must be at most the full length of the MAC
+ * and must be at least an implementation-specified
+ * minimum. The implementation-specified minimum
+ * shall not be zero.
 *
 * \return The corresponding MAC algorithm with the specified
 * length.
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 44862424d8..0aa19cf9d7 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -1600,8 +1600,10 @@ static psa_status_t psa_mac_setup( psa_mac_operation_t *operation,
 }
 else if( truncated < 4 )
 {
- /* Too small to make any sense. Reject. 4 bytes is too small for
- * security but ancient protocols with 32-bit MACs do exist. */
+ /* A very short MAC is too short for security since it can be
+ * brute-forced. Ancient protocols with 32-bit MACs do exist,
+ * so we make this our minimum, even though 32 bits is still
+ * too small for security. */
 status = PSA_ERROR_NOT_SUPPORTED;
 }
 else if( truncated > operation->mac_size )
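Review bot: The 4-byte floor that the rewritten comment in the psa_crypto.c hunk now calls "our minimum" is still a bare literal in the condition `else if( truncated < 4 )`, while the crypto.h hunk only tells callers that an "implementation-specified minimum" exists and that it "shall not be zero", so nothing ties the documented contract to the value the code enforces. Giving the threshold a single named constant (a `#define` or enum in psa_crypto.c, name of the maintainers' choosing) and using it in the comparison, with the comment saying this is the implementation-specified minimum referred to by the PSA_ALG_TRUNCATED_MAC documentation, keeps the two hunks in sync if the floor is ever raised. The new comment also could state the consequence explicitly, e.g. `/* Shorter truncations are rejected with PSA_ERROR_NOT_SUPPORTED; callers wanting real forgery resistance should keep the full MAC length. */`, since the header leaves the error code unstated. The enclosing psa_mac_setup body continues outside the hunk on both sides.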