Comment Re:Rouge students and some more insight (Score 1) 300
but they haven't even bothered to make sure that only leaf certificates can be issued.
Nope; the CA only signed what you call a leaf certificate, but the constraint which determines whether a key is a branch ("CA = true") or leaf ("CA = false") was part of the cert that they were able to change. See the last paragraph of section 5.1.