target = "https://tools.ietf.org/rfc/rfc8446#4.2.4"

# 4.2.4.  Certificate Authorities
#
# The "certificate_authorities" extension is used to indicate the
# certificate authorities (CAs) which an endpoint supports and which
# SHOULD be used by the receiving endpoint to guide certificate
# selection.
# 
# The body of the "certificate_authorities" extension consists of a
# CertificateAuthoritiesExtension structure.
# 
#    opaque DistinguishedName<1..2^16-1>;
# 
#    struct {
#        DistinguishedName authorities<3..2^16-1>;
#    } CertificateAuthoritiesExtension;
# 
# authorities:  A list of the distinguished names [X501] of acceptable
#    certificate authorities, represented in DER-encoded [X690] format.
#    These distinguished names specify a desired distinguished name for
#    a trust anchor or subordinate CA; thus, this message can be used
#    to describe known trust anchors as well as a desired authorization
#    space.
# 
# The client MAY send the "certificate_authorities" extension in the
# ClientHello message.  The server MAY send it in the
# CertificateRequest message.
# 
# The "trusted_ca_keys" extension [RFC6066], which serves a similar
# purpose but is more complicated, is not used in TLS 1.3 (although it
# may appear in ClientHello messages from clients which are offering
# prior versions of TLS).

[[spec]]
level = "SHOULD"
quote = '''
The "certificate_authorities" extension is used to indicate the
certificate authorities (CAs) which an endpoint supports and which
SHOULD be used by the receiving endpoint to guide certificate
selection.
'''

[[spec]]
level = "MAY"
quote = '''
The client MAY send the "certificate_authorities" extension in the
ClientHello message.
'''

[[spec]]
level = "MAY"
quote = '''
The server MAY send it in the
CertificateRequest message.
'''