There's some discussion in m.d.s.p [1] about whether section 7.1.4.2 of the BRs applies only to end-entity certificates, or also to roots and ICAs. I believe it applies only to end-entity certs; Mozilla disagrees.
-Rick

[1] https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/yV84X0xkkEo/cPyt4G7YCQAJ

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
