Standardize on =over 4 and check for it.

[openssl.git] / doc / man3 / CT_POLICY_EVAL_CTX_new.pod

diff --git a/doc/man3/CT_POLICY_EVAL_CTX_new.pod b/doc/man3/CT_POLICY_EVAL_CTX_new.pod
index fe25cd9cae4d86e1a3f046aafb40fe287fc90564..7839fd393a0bee105e16c7e1f474a87637ea8e96 100644 (file)
--- a/doc/man3/CT_POLICY_EVAL_CTX_new.pod
+++ b/doc/man3/CT_POLICY_EVAL_CTX_new.pod
@@ -32,7 +32,7 @@ This policy may be, for example, that at least one valid SCT is available. To
 determine this, an SCT's timestamp and signature must be verified.
 This requires:
 
-=over
+=over 4
 
 =item * the public key of the log that issued the SCT
 
@@ -49,7 +49,7 @@ The above requirements are met using the setters described below.
 CT_POLICY_EVAL_CTX_new() creates an empty policy evaluation context. This
 should then be populated using:
 
-=over
+=over 4
 
 =item * CT_POLICY_EVAL_CTX_set1_cert() to provide the certificate the SCTs were issued for
 
@@ -68,8 +68,8 @@ CT_POLICY_EVAL_CTX.
 
 The SCT timestamp will be compared to this time to check whether the SCT was
 issued in the future. RFC6962 states that "TLS clients MUST reject SCTs whose
-timestamp is in the future". Typically, the time provided to this function will
-be the current time.
+timestamp is in the future". By default, this will be set to 5 minutes in the
+future (e.g. (time() + 300) * 1000), to allow for clock drift.
 
 The time should be in milliseconds since the Unix epoch.