-.\" $OpenBSD: X509v3_addr_validate_path.3,v 1.2 2023/09/29 09:28:21 tb Exp $
+.\" $OpenBSD: X509v3_addr_validate_path.3,v 1.3 2023/09/29 15:41:06 tb Exp $
.\"
.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
.\"
.Bl -enum
.It
The initial set of allowed IP address and AS number resources is defined in
-the trust anchor; inheritance is not allowed in the trust anchor.
+the trust anchor, where inheritance is not allowed.
.It
All IP address delegation or AS number delegation extensions
-must be in canonical form according to
+appearing in the validation path must be in canonical form
+according to
.Xr X509v3_addr_is_canonical 3
and
.Xr X509v3_asid_is_canonical 3 .
.It
If the IP address delegation extension is present in a certificate,
it must also be present in its issuer.
-Similarly for AS identifiers.
+Similarly for the AS identifiers delegation extension.
.It
-An issuer may only delegate resources present in its
-RFC 3779 extensions.
+An issuer may only delegate subsets of resources present in its
+RFC 3779 extensions or subsets of resources inherited from its issuer.
.El
.Pp
.Fn X509v3_addr_validate_path
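Review bot: In the last list item, "subsets of resources inherited from its issuer" reads as a single level of inheritance. Item 1 only forbids inheritance in the trust anchor, so an issuer's own extension may in turn inherit from further up the validation path. Consider wording that says the inherited set is the one resolved along the path, for example "or subsets of resources it inherits through the validation path". Separately, item 3 now says "the AS identifiers delegation extension" while item 2 still says "AS number delegation extensions"; using one name for the extension throughout the list would avoid suggesting that these are two different things.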