The relevant text from 3779 is copied below, and underlined.
2.3. IP Address Delegation Extension Certification Path Validation Certification path validation of a certificate containing the IP address delegation extension requires additional processing. As _each_ certificate in a path is validated, the IP addresses in the IP address delegation extension of that certificate _MUST be subsumed by_ _IP addresses in the IP address delegation extension in the issuer's__ _ _certificate_. _Validation MUST fail when this is not the case_. A certificate that is a trust anchor for certification path validation of certificates containing the IP address delegation extension, as well as all certificates along the path, MUST each contain the IP address delegation extension. The initial set of allowed address ranges is taken from the trust anchor certificate.
_______________________________________________ sidr mailing list [email protected] https://www.ietf.org/mailman/listinfo/sidr
