Continuing the discussion from Improving revocation : will Let's Encrypt support OCSP Must-staple?:

CP:

."id-kp-emailProtection [RFC5280] maybe present. Other values shouldnotbe present"

Is this a hint that S/MIME certificates may be coming too?

And a typo at the top of page 62:

"Curve P-521" "ansip384r1 ::= { iso(1) identified-organization(3) certicom(132) curve(0) 35 }"

CPS:

The CA ensures that the public exponent of the RSA Keys for a DV-SSL Certificates is in the range between 2 16+1 and 2256-1. The modulus are an odd number, not the power of a prime, and have no factors smaller than 752.

This cannot be real?

- The range "2 16+1", I think, is missing some formula sign, and 2256 also looks odd.
- If the RSA key has a prime factor 752 and less than 2^32, then you can put it in the trash bin.

Here also 2^752 is meant.

Personally, I think someone needs to take a careful look at all the numbers and formulas here.
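
The parameter checks named in the CPS sentence quoted above, written out as an added example; it is not part of the original post or of any CA's code. It assumes the exponent range reads 2^16+1 to 2^256-1 and takes 752 literally as the small-factor bound. All function and constant names are hypothetical, and the prime-power check covers exponents of 2 or more only (it does not test whether the modulus itself is prime).

```python
from math import isqrt

E_MIN = 2**16 + 1     # assumed reading of the garbled "2 16+1"
E_MAX = 2**256 - 1    # assumed reading of the garbled "2256-1"
FACTOR_BOUND = 752    # taken literally from the quoted sentence


def small_primes(limit):
    """Primes below `limit` (sieve of Eratosthenes)."""
    sieve = bytearray([1]) * limit
    sieve[0:2] = b"\x00\x00"
    for i in range(2, isqrt(limit) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit, i)))
    return [i for i, flag in enumerate(sieve) if flag]


def iroot(n, k):
    """Largest integer r with r**k <= n (exact binary search)."""
    lo, hi = 1, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid**k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def check_rsa_public_key(n, e):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if e % 2 == 0 or not E_MIN <= e <= E_MAX:
        findings.append("exponent out of range or even")
    if n % 2 == 0:
        findings.append("modulus is even")
    for p in small_primes(FACTOR_BOUND):
        if p > 2 and n % p == 0:
            findings.append(f"modulus has small factor {p}")
            break
    # Every prime power p**k with k >= 2 is a perfect power, so rejecting
    # all perfect powers is a conservative version of the CPS wording.
    for k in range(2, n.bit_length()):
        if iroot(n, k) ** k == n:
            findings.append(f"modulus is a perfect power (exponent {k})")
            break
    return findings
```

The moduli used to exercise it are constructed toy values (products of primes near 1000), far too small for real keys.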