From d32ef593b5201a6fddfc9e32a8f17968d332bdeb Mon Sep 17 00:00:00 2001 From: tb Date: Fri, 29 Sep 2023 15:41:06 +0000 Subject: [PATCH] Some wording tweaks to make things a bit more precise. --- lib/libcrypto/man/X509v3_addr_validate_path.3 | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/lib/libcrypto/man/X509v3_addr_validate_path.3 b/lib/libcrypto/man/X509v3_addr_validate_path.3 index 109cab3f524..d3c088c9160 100644 --- a/lib/libcrypto/man/X509v3_addr_validate_path.3 +++ b/lib/libcrypto/man/X509v3_addr_validate_path.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509v3_addr_validate_path.3,v 1.2 2023/09/29 09:28:21 tb Exp $ +.\" $OpenBSD: X509v3_addr_validate_path.3,v 1.3 2023/09/29 15:41:06 tb Exp $ .\" .\" Copyright (c) 2023 Theo Buehler .\" @@ -47,20 +47,21 @@ path validation. .Bl -enum .It The initial set of allowed IP address and AS number resources is defined in -the trust anchor; inheritance is not allowed in the trust anchor. +the trust anchor, where inheritance is not allowed. .It All IP address delegation or AS number delegation extensions -must be in canonical form according to +appearing in the validation path must be in canonical form +according to .Xr X509v3_addr_is_canonical 3 and .Xr X509v3_asid_is_canonical 3 . .It If the IP address delegation extension is present in a certificate, it must also be present in its issuer. -Similarly for AS identifiers. +Similarly for the AS identifiers delegation extension. .It -An issuer may only delegate resources present in its -RFC 3779 extensions. +An issuer may only delegate subsets of resources present in its +RFC 3779 extensions or subsets of resources inherited from its issuer. .El .Pp .Fn X509v3_addr_validate_path -- 2.20.1
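Review bot: In the second hunk (@@ -47,20 +47,21 @@), the new sentence "Similarly for the AS identifiers delegation extension." uses a different name from the rest of the list, which says "AS number resources" in the first item and "AS number delegation extensions" in the second, a sentence this same change touches. Use one term throughout, for example "Similarly for the AS number delegation extension.", so a reader does not wonder whether a different extension is meant. In the last item, "subsets of resources" appears twice in one sentence; "An issuer may only delegate subsets of the resources present in its RFC 3779 extensions or inherited from its issuer." carries the same meaning with less repetition. Since this item is the containment rule a caller relies on, it would also help to say whether delegating the issuer's full set counts as a subset.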