[Servercert-wg] Subject name requirements for CA Certificates

[Curt Spann]

We (Apple) approach the BRs as Default-Deny in which it only specifies what is allowed. The Default-Deny approach makes it less ambiguous to determine the requirement for operating a publicly trusted CA.

I encourage CAs to review their practices against the BRs using Default-Deny. If CAs would like to add additional statements to the BRs to align with their practices the CAs should create ballots to update the BRs.

- Curt