From f0ce9bb01e7aa0de5e6f16354a0887c2a081cb7c Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Sat, 9 Jul 2022 15:10:36 +0200 Subject: [PATCH] Add references to Google policy, use http for OCSP, CRL, CA issuers --- README.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index ef7c3e0..4782256 100644 --- a/README.md +++ b/README.md @@ -126,12 +126,19 @@ The class 3 certificate must contain the following fields: - [Extended Key Usage](https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.1.12): `server auth, client auth, email protection, code signing, OCSP signing, SmartCard logon, anyExtendedKeyUsage` + *Note:* this will not be sufficient to fulfill the + [Google requirements for S/MIME certificates](https://support.google.com/a/answer/7300887) + - [CRL Distribution Points](https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.1.13): http://crl.cacert.org/class3-revoke.crl + *Note:* CRL URLs must use the http URL scheme + - [Authority Information Access](https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.2.1): - - CA issuers: https://www.cacert.org/certs/root_X0F.der + - CA issuers: http://www.cacert.org/certs/root_X0F.der Reference the Root CA certificate's canonical DER URL - OCSP: URI:http://ocsp.cacert.org/ + + *Note:* CA issuers and OCSP URLs must use the http URL scheme
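Review bot: The two added notes in the CRL Distribution Points and Authority Information Access items ("CRL URLs must use the http URL scheme" and "CA issuers and OCSP URLs must use the http URL scheme") state a requirement without saying where it comes from, unlike the Extended Key Usage note, which links its source. Suggest adding a reference or a one-line rationale to each, so that a later editor does not change the CA issuers URL back to the https form this hunk removes. The Extended Key Usage note would also be more useful if it said what in the listed value falls short of the Google requirements, since "will not be sufficient" leaves the reader to work that out from the linked page.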