diff --git a/gen/pb-go/common/v1/sigstore_common.pb.go b/gen/pb-go/common/v1/sigstore_common.pb.go
index acd9b10b..4c0e4f1d 100644
--- a/gen/pb-go/common/v1/sigstore_common.pb.go
+++ b/gen/pb-go/common/v1/sigstore_common.pb.go
@@ -874,9 +874,21 @@ type X509CertificateChain struct {
 
 	// The chain of certificates, with indices 0 to n.
 	// The first certificate in the array must be the leaf
-	// certificate used for signing. Any intermediate certificates
-	// must be stored as offset 1 to n-1, and the root certificate at
-	// position n.
+	// certificate used for signing.
+	//
+	// Signers MUST NOT include their root CA certificates in their embedded
+	// certificate chains, and SHOULD NOT include intermediate CA
+	// certificates that appear in independent roots of trust.
+	//
+	// Verifiers MUST validate the chain carefully to ensure that it chains
+	// up to a root CA certificate that they trust, regardless of whether
+	// the chain includes additional intermediate/root CA certificates.
+	// Verifiers MAY enforce additional constraints, such as requiring that
+	// all intermediate CA certificates appear in an independent root of
+	// trust.
+	//
+	// Verifiers SHOULD handle old or non-complying bundles that have
+	// additional intermediate/root CA certificates.
 	Certificates []*X509Certificate `protobuf:"bytes,1,rep,name=certificates,proto3" json:"certificates,omitempty"`
 }
 
diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py
index 5ec1bd31..bc8ceed7 100644
--- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py
+++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py
@@ -200,9 +200,16 @@ class X509CertificateChain(betterproto.Message):
     certificates: List["X509Certificate"] = betterproto.message_field(1)
     """
     The chain of certificates, with indices 0 to n. The first certificate in
-    the array must be the leaf certificate used for signing. Any intermediate
-    certificates must be stored as offset 1 to n-1, and the root certificate at
-    position n.
+    the array must be the leaf certificate used for signing. Signers MUST NOT
+    include their root CA certificates in their embedded certificate chains,
+    and SHOULD NOT include intermediate CA certificates that appear in
+    independent roots of trust. Verifiers MUST validate the chain carefully to
+    ensure that it chains up to a root CA certificate that they trust,
+    regardless of whether the chain includes additional intermediate/root CA
+    certificates. Verifiers MAY enforce additional constraints, such as
+    requiring that all intermediate CA certificates appear in an independent
+    root of trust. Verifiers SHOULD handle old or non-complying bundles that
+    have additional intermediate/root CA certificates.
     """
 
 
diff --git a/gen/pb-typescript/src/__generated__/sigstore_common.ts b/gen/pb-typescript/src/__generated__/sigstore_common.ts
index 40f98a4a..082bb8de 100644
--- a/gen/pb-typescript/src/__generated__/sigstore_common.ts
+++ b/gen/pb-typescript/src/__generated__/sigstore_common.ts
@@ -279,9 +279,21 @@ export interface X509CertificateChain {
   /**
    * The chain of certificates, with indices 0 to n.
    * The first certificate in the array must be the leaf
-   * certificate used for signing. Any intermediate certificates
-   * must be stored as offset 1 to n-1, and the root certificate at
-   * position n.
+   * certificate used for signing.
+   *
+   * Signers MUST NOT include their root CA certificates in their embedded
+   * certificate chains, and SHOULD NOT include intermediate CA
+   * certificates that appear in independent roots of trust.
+   *
+   * Verifiers MUST validate the chain carefully to ensure that it chains
+   * up to a root CA certificate that they trust, regardless of whether
+   * the chain includes additional intermediate/root CA certificates.
+   * Verifiers MAY enforce additional constraints, such as requiring that
+   * all intermediate CA certificates appear in an independent root of
+   * trust.
+   *
+   * Verifiers SHOULD handle old or non-complying bundles that have
+   * additional intermediate/root CA certificates.
    */
   certificates: X509Certificate[];
 }
diff --git a/protos/sigstore_common.proto b/protos/sigstore_common.proto
index 231a17e7..eeb0fb43 100644
--- a/protos/sigstore_common.proto
+++ b/protos/sigstore_common.proto
@@ -169,9 +169,21 @@ message SubjectAlternativeName {
 message X509CertificateChain {
         // The chain of certificates, with indices 0 to n.
         // The first certificate in the array must be the leaf
-        // certificate used for signing. Any intermediate certificates
-        // must be stored as offset 1 to n-1, and the root certificate at
-        // position n.
+        // certificate used for signing.
+        //
+        // Signers MUST NOT include their root CA certificates in their embedded
+        // certificate chains, and SHOULD NOT include intermediate CA
+        // certificates that appear in independent roots of trust.
+        //
+        // Verifiers MUST validate the chain carefully to ensure that it chains
+        // up to a root CA certificate that they trust, regardless of whether
+        // the chain includes additional intermediate/root CA certificates.
+        // Verifiers MAY enforce additional constraints, such as requiring that
+        // all intermediate CA certificates appear in an independent root of
+        // trust.
+        //
+        // Verifiers SHOULD handle old or non-complying bundles that have
+        // additional intermediate/root CA certificates.
         repeated X509Certificate certificates = 1;
 }