1 files changed, 7 insertions, 6 deletions
diff --git a/src/lib/libcrypto/man/X509v3_addr_validate_path.3 b/src/lib/libcrypto/man/X509v3_addr_validate_path.3
index 109cab3f52..d3c088c916 100644
--- a/src/lib/libcrypto/man/X509v3_addr_validate_path.3
+++ b/src/lib/libcrypto/man/X509v3_addr_validate_path.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509v3_addr_validate_path.3,v 1.2 2023/09/29 09:28:21 tb Exp $
+.\" $OpenBSD: X509v3_addr_validate_path.3,v 1.3 2023/09/29 15:41:06 tb Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -47,20 +47,21 @@ path validation.
 .Bl -enum
 .It
 The initial set of allowed IP address and AS number resources is defined in
-the trust anchor; inheritance is not allowed in the trust anchor.
+the trust anchor, where inheritance is not allowed.
 .It
 All IP address delegation or AS number delegation extensions
-must be in canonical form according to
+appearing in the validation path must be in canonical form
+according to
 .Xr X509v3_addr_is_canonical 3
 and
 .Xr X509v3_asid_is_canonical 3 .
 .It
 If the IP address delegation extension is present in a certificate,
 it must also be present in its issuer.
-Similarly for AS identifiers.
+Similarly for the AS identifiers delegation extension.
 .It
-An issuer may only delegate resources present in its
+An issuer may only delegate subsets of resources present in its
-RFC 3779 extensions.
+RFC 3779 extensions or subsets of resources inherited from its issuer.
 .El
 .Pp
 .Fn X509v3_addr_validate_path

diff --git a/src/lib/libcrypto/man/X509v3_addr_validate_path.3 b/src/lib/libcrypto/man/X509v3_addr_validate_path.3 index 109cab3f52..d3c088c916 100644 --- a/src/lib/libcrypto/man/X509v3_addr_validate_path.3 +++ b/src/lib/libcrypto/man/X509v3_addr_validate_path.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509v3_addr_validate_path.3,v 1.2 2023/09/29 09:28:21 tb Exp $	1	.\" $OpenBSD: X509v3_addr_validate_path.3,v 1.3 2023/09/29 15:41:06 tb Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>	3	.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
4	.\"	4	.\"
@@ -47,20 +47,21 @@ path validation.
47	.Bl -enum	47	.Bl -enum
48	.It	48	.It
49	The initial set of allowed IP address and AS number resources is defined in	49	The initial set of allowed IP address and AS number resources is defined in
50	the trust anchor; inheritance is not allowed in the trust anchor.	50	the trust anchor, where inheritance is not allowed.
51	.It	51	.It
52	All IP address delegation or AS number delegation extensions	52	All IP address delegation or AS number delegation extensions
53	must be in canonical form according to	53	appearing in the validation path must be in canonical form
		54	according to
54	.Xr X509v3_addr_is_canonical 3	55	.Xr X509v3_addr_is_canonical 3
55	and	56	and
56	.Xr X509v3_asid_is_canonical 3 .	57	.Xr X509v3_asid_is_canonical 3 .
57	.It	58	.It
58	If the IP address delegation extension is present in a certificate,	59	If the IP address delegation extension is present in a certificate,
59	it must also be present in its issuer.	60	it must also be present in its issuer.
60	Similarly for AS identifiers.	61	Similarly for the AS identifiers delegation extension.
61	.It	62	.It
62	An issuer may only delegate resources present in its	63	An issuer may only delegate subsets of resources present in its
63	RFC 3779 extensions.	64	RFC 3779 extensions or subsets of resources inherited from its issuer.
64	.El	65	.El
65	.Pp	66	.Pp
66	.Fn X509v3_addr_validate_path	67	.Fn X509v3_addr_validate_path