There's some discussion in m.d.s.p [1] about whether section 7.1.4.2 of the BRs applies only to end-entity certificates, or also to roots and ICAs. I believe it applies only to end-entity certs; Mozilla disagrees.

-Rick

[1] https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/yV84X0xkkEo/cPyt4G7YCQAJ