Update documentation for the new PSK behaviour

[openssl.git] / doc / man3 / SCT_validate.pod

diff --git a/doc/man3/SCT_validate.pod b/doc/man3/SCT_validate.pod
index 713bcd29d87a81d4fafb0683f42e3f1d9b2944ba..fa7e2a8ba2cc20542f8810c9d15c88bcb7f42f3a 100644 (file)
--- a/doc/man3/SCT_validate.pod
+++ b/doc/man3/SCT_validate.pod
@@ -10,12 +10,12 @@ checks Signed Certificate Timestamps (SCTs) are valid
  #include <openssl/ct.h>
 
  typedef enum {
-  SCT_VALIDATION_STATUS_NOT_SET,
-  SCT_VALIDATION_STATUS_UNKNOWN_LOG,
-  SCT_VALIDATION_STATUS_VALID,
-  SCT_VALIDATION_STATUS_INVALID,
-  SCT_VALIDATION_STATUS_UNVERIFIED,
-  SCT_VALIDATION_STATUS_UNKNOWN_VERSION
+     SCT_VALIDATION_STATUS_NOT_SET,
+     SCT_VALIDATION_STATUS_UNKNOWN_LOG,
+     SCT_VALIDATION_STATUS_VALID,
+     SCT_VALIDATION_STATUS_INVALID,
+     SCT_VALIDATION_STATUS_UNVERIFIED,
+     SCT_VALIDATION_STATUS_UNKNOWN_VERSION
  } sct_validation_status_t;
 
  int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx);
@@ -31,20 +31,26 @@ SCT_get_validation_status().
 
 A CT_POLICY_EVAL_CTX must be provided that specifies:
 
-=over
+=over 2
 
-=item * The certificate the SCT was issued for.
+=item *
+
+The certificate the SCT was issued for.
 
 Failure to provide the certificate will result in the validation status being
 SCT_VALIDATION_STATUS_UNVERIFIED.
 
-=item * The issuer of that certificate.
+=item *
+
+The issuer of that certificate.
 
 This is only required if the SCT was issued for a pre-certificate
 (see RFC 6962). If it is required but not provided, the validation status will
 be SCT_VALIDATION_STATUS_UNVERIFIED.
 
-=item * A CTLOG_STORE that contains the CT log that issued this SCT.
+=item *
+
+A CTLOG_STORE that contains the CT log that issued this SCT.
 
 If the SCT was issued by a log that is not in this CTLOG_STORE, the validation
 status will be SCT_VALIDATION_STATUS_UNKNOWN_LOG.
@@ -54,9 +60,11 @@ status will be SCT_VALIDATION_STATUS_UNKNOWN_LOG.
 If the SCT is of an unsupported version (only v1 is currently supported), the
 validation status will be SCT_VALIDATION_STATUS_UNKNOWN_VERSION.
 
-If the SCT's signature is incorrect, the validation status will be
-SCT_VALIDATION_STATUS_INVALID. Otherwise, if all checks have passed, the
-validation status will be SCT_VALIDATION_STATUS_VALID.
+If the SCT's signature is incorrect, its timestamp is in the future (relative to
+the time in CT_POLICY_EVAL_CTX), or if it is otherwise invalid, the validation
+status will be SCT_VALIDATION_STATUS_INVALID.
+
+If all checks pass, the validation status will be SCT_VALIDATION_STATUS_VALID.
 
 =head1 NOTES
 
@@ -78,7 +86,7 @@ returned value will be SCT_VALIDATION_STATUS_NOT_SET.
 
 =head1 SEE ALSO
 
-L<ct(3)>
+L<ct(7)>
 
 =head1 HISTORY