target = "https://tools.ietf.org/rfc/rfc8446#4.4.2.3"

# 4.4.2.3.  Client Certificate Selection
#
# The following rules apply to certificates sent by the client:
# 
# -  The certificate type MUST be X.509v3 [RFC5280], unless explicitly
#    negotiated otherwise (e.g., [RFC7250]).
# 
# -  If the "certificate_authorities" extension in the
#    CertificateRequest message was present, at least one of the
#    certificates in the certificate chain SHOULD be issued by one of
#    the listed CAs.
# 
# -  The certificates MUST be signed using an acceptable signature
#    algorithm, as described in Section 4.3.2.  Note that this relaxes
#    the constraints on certificate-signing algorithms found in prior
#    versions of TLS.
# 
# -  If the CertificateRequest message contained a non-empty
#    "oid_filters" extension, the end-entity certificate MUST match the
#    extension OIDs that are recognized by the client, as described in
#    Section 4.2.5.

[[spec]]
level = "MUST"
quote = '''
-  The certificate type MUST be X.509v3 [RFC5280], unless explicitly
negotiated otherwise (e.g., [RFC7250]).
'''

[[spec]]
level = "SHOULD"
quote = '''
-  If the "certificate_authorities" extension in the
CertificateRequest message was present, at least one of the
certificates in the certificate chain SHOULD be issued by one of
the listed CAs.
'''

[[spec]]
level = "MUST"
quote = '''
-  The certificates MUST be signed using an acceptable signature
algorithm, as described in Section 4.3.2.
'''

[[spec]]
level = "MUST"
quote = '''
-  If the CertificateRequest message contained a non-empty
"oid_filters" extension, the end-entity certificate MUST match the
extension OIDs that are recognized by the client, as described in
Section 4.2.5.
'''