gen, protos: document chain membership policy (#77)

* gen, protos: document chain membership policy

Signed-off-by: William Woodruff <[email protected]>

* gen, protos: apply suggestions

Signed-off-by: William Woodruff <[email protected]>

---------

Signed-off-by: William Woodruff <[email protected]>

protos/sigstore_common.proto

@@ -169,9 +169,21 @@ message SubjectAlternativeName {
 message X509CertificateChain {
         // The chain of certificates, with indices 0 to n.
         // The first certificate in the array must be the leaf
-        // certificate used for signing. Any intermediate certificates
-        // must be stored as offset 1 to n-1, and the root certificate at
-        // position n.
+        // certificate used for signing.
+        //
+        // Signers MUST NOT include their root CA certificates in their embedded
+        // certificate chains, and SHOULD NOT include intermediate CA
+        // certificates that appear in independent roots of trust.
+        //
+        // Verifiers MUST validate the chain carefully to ensure that it chains
+        // up to a root CA certificate that they trust, regardless of whether
+        // the chain includes additional intermediate/root CA certificates.
+        // Verifiers MAY enforce additional constraints, such as requiring that
+        // all intermediate CA certificates appear in an independent root of
+        // trust.
+        //
+        // Verifiers SHOULD handle old or non-complying bundles that have
+        // additional intermediate/root CA certificates.
         repeated X509Certificate certificates = 1;
 }