Changes to MRSP 5.2 to address Issue mozilla#226

Here are some changes to address Issue mozilla#226.

rootstore/policy.md

@@ -588,17 +588,15 @@ algorithm attacks against certificates. As such, all new certificates
 MUST have a serial number greater than zero, containing at least 64 bits of
 output from a CSPRNG.
 
-CAs MUST NOT issue certificates that have:
+CAs MUST NOT issue certificates or, where applicable, CRLs or OCSP responses, that have:
 
 *   ASN.1 DER encoding errors;
 *   invalid public keys (e.g., RSA certificates with public exponent
     equal to 1);
 *   duplicate issuer names and serial numbers (except that a Certificate
     Transparency pre-certificate is allowed to match the corresponding
     certificate);
-*   incorrect extensions (e.g., SSL certificates that exclude SSL
-    usage, or authority key IDs that include both the key ID and the
-    issuer’s issuer name and serial number); *or*
+*   missing or incorrect extensions (e.g., TLS certificates with no subjectAltName extension, delegated OCSP responders without the id-pkix-ocsp-nocheck extension); *or*
 *   cRLDistributionPoints or OCSP authorityInfoAccess extensions for
     which no operational CRL or OCSP service exists.