On Tue, Jun 20, 2023 at 10:10:43PM +0200, Theo Buehler wrote:
> The first warning cannot be hit because the X509v3_asid_is_canonical()
> errors on empty asIdsOrRanges sequences. This is not the case for
> IPAddrBlocks...
>
> There is some ambiguity in RFC 6487, 4.8.10 whether empty
> ipAddressesOrRanges are allowed or not. I opted for the stricter
> interpretation matching AS numbers and likely the intent.

I concur, extensions with empty containers are a mis-issuance of the product.

OK job@