diff --git a/README.md b/README.md
index ef7c3e0..4782256 100644
--- a/README.md
+++ b/README.md
@@ -126,12 +126,19 @@ The class 3 certificate must contain the following fields:
 - [Extended Key Usage](https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.1.12):
   `server auth, client auth, email protection, code signing, OCSP signing, SmartCard logon, anyExtendedKeyUsage`
 
+  *Note:* this will not be sufficient to fulfill the
+  [Google requirements for S/MIME certificates](https://support.google.com/a/answer/7300887)
+
 - [CRL Distribution Points](https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.1.13):
   http://crl.cacert.org/class3-revoke.crl
 
+  *Note:* CRL URLs must use the http URL scheme
+
 - [Authority Information Access](https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.2.1):
 
-  - CA issuers: https://www.cacert.org/certs/root_X0F.der
+  - CA issuers: http://www.cacert.org/certs/root_X0F.der
 
     Reference the Root CA certificate's canonical DER URL
   - OCSP: URI:http://ocsp.cacert.org/
+
+  *Note:* CA issuers and OCSP URLs must use the http URL scheme