The "check_update" CI failure is unrelated and should be handled elsewhere.
I've extended this PR as discussed in #7871; it is ready for further review.

I've just added the following (small) commits:

• X509_STORE_CTX_new.pod and x509_vfy.h.in: rename some params for clarity, improve their doc
• x509_vfy.c: Improve a couple of internally documenting comments
• x509_trs.c: rename to x509_trust.c for clarity and correct comment in trust_compat()

Thanks @vdukhovni for having a quick look
and sorry for all those typos (it was a long day yesterday). Fixed them.

I've meanwhile updated and strongly improved the documentation of trust anchors.
This took me half a day because to this end had to understand at least to some level
the related concepts of "purpose", "use", and "trust" attributes, which are very poorly documented.
The text I've added/updated here is still not complete on these topics but should bring major improvements.

Doing further improvements on the x509 app I just came across documentation of EKU cert extension checking in openssl-x509.pod.in.
Since this is actually of more general nature and makes much more sense in openssl-verification-options.pod I've moved it there.

Are there any further review comments on this?

Needs rebase now

Needs rebase now

Thanks for the notice; done.

Is it time yet to retire support for the "Netscape" certificate features? Perhaps this is all dead code that no users are relying on?
Are any CAs still creating this type of certificate?

See #9247 #9242 #9241

Quoting a comment from #9241: "To quote email from Mozilla folks I have: "In general if there is an IETF PKIX replacement for a Netscape datatype, then you don't need to support the Netscape datatype. Therefore OpenSSL does not need to support Netscape cert types and Netscape cert sequence." "

Good point that support for Netscape certs and the respective documentation should be removed.
This is certainly to be done in a separate PR.

Just some nits. Otherwise good work!

Thanks @t8m. I've handled all items (as far as it makes sense within this PR).

This PR is in a state where it requires action by @openssl/otc but the last update was 61 days ago

@openssl/otc, this PR (as well as a couple of other cert-related PRs of mine) have been stuck for many months due to missing further treatment by the OTC.

The relevance of improving the documentation of cert path validation, in particular on the details of trust vs. purpose, is exemplified by a recent discussion on https://www.mail-archive.com/[email protected]/msg89496.html.
Among others, the author of that thread complained, like I did more than a year ago, about the pretty tautological and thus useless "documentation" of X509_VERIFY_PARAM_set_trust():

X509_VERIFY_PARAM_set_trust() sets the trust setting in B<param> to B<trust>.

IMO, apart from the x509.h changes this would be mergeable after the beta release. It is also a quite big change to the documentation, so it will require some time to properly review and so it would be nice to be able to postpone this after beta. Unfortunately this is another example of PR that mixes multiple unrelated things into a single PR.

Thanks for your response.
So when I find the time I will somehow split this PR in more digestable pieces.

BTW, when is the beta release currently planned/expected?
Is it June 30th as indicated in the respective GitHub milestone label?

This pull request is ready to merge

Merged. Glad this through, after long time in between.
Thanks to all who contributed and to @pauildale for giving the final thrust.