IIRC there was a (ietf draft? rfc? whitepaper?) on limiting CA trust domains, email-centric (may be even x.400-centric), but I cannot find it now! Does anyone remember what exactly it was?