author Theo Buehler <tb@cvs.openbsd.org> 2023-09-29 15:41:07 +0000
committer Theo Buehler <tb@cvs.openbsd.org> 2023-09-29 15:41:07 +0000
commit f0468d2a03c41ef98b7ec30f66d61d509d1547dc
tree 5506479a0a85cd77b21c982a115636b10dfb34d7 /lib
parent c16ee4429eea649a45a7b9417e039bfe8e12a40e
Some wording tweaks to make things a bit more precise.
Diffstat (limited to 'lib')
-rw-r--r-- lib/libcrypto/man/X509v3_addr_validate_path.3 13
1 files changed, 7 insertions, 6 deletions
diff --git a/lib/libcrypto/man/X509v3_addr_validate_path.3 b/lib/libcrypto/man/X509v3_addr_validate_path.3
index 109cab3f524..d3c088c9160 100644
--- a/lib/libcrypto/man/X509v3_addr_validate_path.3
+++ b/lib/libcrypto/man/X509v3_addr_validate_path.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509v3_addr_validate_path.3,v 1.2 2023/09/29 09:28:21 tb Exp $
+.\" $OpenBSD: X509v3_addr_validate_path.3,v 1.3 2023/09/29 15:41:06 tb Exp $
.\"
.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
.\"
@@ -47,20 +47,21 @@ path validation.
.Bl -enum
.It
The initial set of allowed IP address and AS number resources is defined in
-the trust anchor; inheritance is not allowed in the trust anchor.
+the trust anchor, where inheritance is not allowed.
.It
All IP address delegation or AS number delegation extensions
-must be in canonical form according to
+appearing in the validation path must be in canonical form
+according to
.Xr X509v3_addr_is_canonical 3
and
.Xr X509v3_asid_is_canonical 3 .
.It
If the IP address delegation extension is present in a certificate,
it must also be present in its issuer.
-Similarly for AS identifiers.
+Similarly for the AS identifiers delegation extension.
.It
-An issuer may only delegate resources present in its
-RFC 3779 extensions.
+An issuer may only delegate subsets of resources present in its
+RFC 3779 extensions or subsets of resources inherited from its issuer.
.El
.Pp
.Fn X509v3_addr_validate_path
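Review bot: In the third list item, the new sentence "Similarly for the AS identifiers delegation extension." names the extension differently from the second item, which calls it the "AS number delegation" extension. Pick one term and use it in both items so a reader does not take them for two different extensions. The sentence is also still a fragment; writing it out in parallel with the sentence before it (if the extension is present in a certificate, it must also be present in its issuer) would state the requirement explicitly instead of leaving it to inference.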