From b2c0d1b7ae67e990fdd8d6e9f5aa0c81dc64e76a Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Thu, 26 Nov 2020 10:31:22 -0500 Subject: [PATCH] Caveat the rest of the certificate fields --- docs/specifications/url.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/specifications/url.rst b/docs/specifications/url.rst index 32e755bed..4aa5c21d6 100644 --- a/docs/specifications/url.rst +++ b/docs/specifications/url.rst @@ -117,6 +117,9 @@ The hash component of a version 1 NURL differs in three ways from the prior vers .. note:: *Only* the certificate's keypair is pinned by the SPKI hash. The freedom to change every other part of the certificate is coupled with the fact that all other parts of the certificate contain arbitrary information set by the private key holder. + It is neither guaranteed nor expected that a certificate-issuing authority has validated this information. + Therefore, + *all* certificate fields should be considered within the context of the relationship identified by the SPKI hash. 3. The hash is encoded using urlsafe-base64 (without padding) instead of base32. This provides a more compact representation and minimizes the usability impacts of switching from a 160 bit hash to a 224 bit hash.
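Review bot: The new closing sentence of the note, "*all* certificate fields should be considered within the context of the relationship identified by the SPKI hash", is too abstract for an implementer to act on. It does not say what a client may or may not do with the other fields. The note already says those fields are arbitrary information set by the private key holder, and the added text says no certificate-issuing authority is expected to have validated them. Consider stating the consequence directly: every field other than the pinned public key is an unverified claim by the key holder and must not be relied on as independently validated. It would also help to say whether "should" is meant as a requirement on implementations or only as advice. As a minor style point, the lone "Therefore," line is a fragment in the source; joining it with the following line would read more cleanly.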