SECURITY.md: make x509 data section more readable

Signed-off-by: Janos Follath <janos.follath@arm.com>
2026-03-20 11:11:08 +01:00 · 2026-01-20 10:38:16 +00:00
parent 7b2ad1c518
commit 92dbfb34f0
1 changed files with 11 additions and 8 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -145,15 +145,18 @@ Policy](https://github.com/hacl-star/hacl-star/blob/main/SECURITY.md).)
 The Everest variant is only used when `MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED`
 configuration option is defined. This option is off by default.

-#### Formatting of X.509 certificates and certificate signing requests
+#### Formatting of X509 data

-When parsing X.509 certificates, certificate signing requests (CSRs) or
-certificate revocation lists (CRLs) Mbed TLS does not check that they are
-strictly compliant with X.509 and other relevant standards. In the case of
-signed certificates and signed CRLs, the signing party is assumed to have
-performed this validation (and the certificate or CRL is trusted to be correctly
-formatted as long as the signature is correct).  Similarly, CSRs are implicitly
-trusted by Mbed TLS to be standards-compliant.
+This section discusses limitations in how X.509 objects are processed. This
+applies to certificates, certificate signing requests (CSRs) and certificate
+revocation lists (CRLs).
+
+Mbed TLS does not check that they are strictly compliant with X.509 and other
+relevant standards. In the case of signed certificates and signed CRLs, the
+signing party is assumed to have performed this validation (and the certificate
+or CRL is trusted to be correctly formatted as long as the signature is
+correct).  Similarly, CSRs are implicitly trusted by Mbed TLS to be
+standards-compliant.

 **Warning!** Mbed TLS must not be used to sign untrusted CSRs or CRLs unless
 extra validation is performed separately to ensure that they are compliant to