
From: Theo Buehler <tb@theobuehler.org>
Subject: Re: rpki-client: split a few things out of ta_parse()
To: tech@openbsd.org
Date: Mon, 19 Jan 2026 11:21:52 +0100

On Mon, Jan 19, 2026 at 10:37:40AM +0100, Claudio Jeker wrote:
> On Mon, Jan 19, 2026 at 08:47:54AM +0100, Theo Buehler wrote:
> > This pulls the non-inheritance check for TAs into cert_parse_extensions()
> > and adds a check that the INRs are a non-empty set. The latter is redundant
> > with existing checks for presence of at least one of ASIdentifiers and
> > IPAddrBlocks combined with non-inheritance but it does not hurt to be
> > explicit.
> > 
> > The second change is splitting everything to do with the SPKI into a
> > helper since the current logic is messy and has completely unrelated
> > things interleaved. In a follow-up I'll also split out the validity
> > check. Later on ta_parse() will be renamed into something more
> > appropriate.
> 
> OK claudio@
> I wonder if the XXX in the ta_parse() comment is really needed. I
> understand that this no longer does a real parse but either we just rename
> the function (ta_check, ta_validate) or keep ta_parse and just drop the
> XXX. I guess you already have something in mind for this :)

Agreed, it is basically a leftover from how this patch stack grew and
I was going to drop it when I rename ta_parse() to ta_validate a bit
later. I committed the diff without XXX.