upstream: clarify encoding of options/extensions; bz2389

OpenBSD-Commit-ID: c4e92356d44dfe6d0a4416deecb33d1d1eba016c

PROTOCOL.certkeys

@@ -231,10 +231,15 @@ is a sequence of zero or more tuples:
 Options must be lexically ordered by "name" if they appear in the
 sequence. Each named option may only appear once in a certificate.
 
-The name field identifies the option and the data field encodes
-option-specific information (see below). All options are
-"critical"; if an implementation does not recognise a option,
-then the validating party should refuse to accept the certificate.
+The name field identifies the option. The data field contains
+option-specific information encoded as zero or more values inside
+the string. I.e. an empty data field would be encoded as a zero-
+length string (00 00 00 00), and data field that holds a single
+string value "a" would be encoded as (00 00 00 05 00 00 00 01 65).
+
+All options are "critical"; if an implementation does not recognise
+a option, then the validating party should refuse to accept the
+certificate.
 
 Custom options should append the originating author or organisation's
 domain name to the option name, e.g. "my-option@example.com".
@@ -318,4 +323,4 @@ permit-user-rc          empty         Flag indicating that execution of
                                       of this script will not be permitted if
                                       this option is not present.
 
-$OpenBSD: PROTOCOL.certkeys,v 1.19 2021/06/05 13:47:00 naddy Exp $
+$OpenBSD: PROTOCOL.certkeys,v 1.20 2024/12/06 16:02:12 djm Exp $