From 92dbfb34f065eb13671c7e2ddfb968edaac7c8d6 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 20 Jan 2026 10:38:16 +0000 Subject: [PATCH] SECURITY.md: make x509 data section more readable Signed-off-by: Janos Follath --- SECURITY.md | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 529e3b6fae..114dce6a69 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -145,15 +145,18 @@ Policy](https://github.com/hacl-star/hacl-star/blob/main/SECURITY.md).) The Everest variant is only used when `MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED` configuration option is defined. This option is off by default. -#### Formatting of X.509 certificates and certificate signing requests +#### Formatting of X509 data -When parsing X.509 certificates, certificate signing requests (CSRs) or -certificate revocation lists (CRLs) Mbed TLS does not check that they are -strictly compliant with X.509 and other relevant standards. In the case of -signed certificates and signed CRLs, the signing party is assumed to have -performed this validation (and the certificate or CRL is trusted to be correctly -formatted as long as the signature is correct). Similarly, CSRs are implicitly -trusted by Mbed TLS to be standards-compliant. +This section discusses limitations in how X.509 objects are processed. This +applies to certificates, certificate signing requests (CSRs) and certificate +revocation lists (CRLs). + +Mbed TLS does not check that they are strictly compliant with X.509 and other +relevant standards. In the case of signed certificates and signed CRLs, the +signing party is assumed to have performed this validation (and the certificate +or CRL is trusted to be correctly formatted as long as the signature is +correct). Similarly, CSRs are implicitly trusted by Mbed TLS to be +standards-compliant. **Warning!** Mbed TLS must not be used to sign untrusted CSRs or CRLs unless extra validation is performed separately to ensure that they are compliant to