On Sat, Aug 13, 2022 at 04:51:05PM +0200, Theo Buehler wrote:
> job mentioned that it might be preferable to do the validation in
> parse_{roa,rsc,aspa}(). So here's a diff that does this. It reworks
> valid_{roa,rsc}() to compare only against the EE cert's resources
> since it doesn't really make sense to walk the auth chain for this
> anyway. That the EE cert's resources are covered by the auth chain is
> checked later as part of valid_x509().
>
> Inheritance in the EE cert will now result in a warning and the roa/rsc
> won't be considered valid.
OK job@
