The place I would look is the WebPKI guidelines: the CA/B Forum documents, the Mozilla Root Inclusion documents, and the Certificate Practices Statements of CAs reputed to do it well. However, I don't think anything covers how certs will get used. Usually the CN will have an indication of the purpose. This strikes me as an easy way to keep everything straight, although the certs will be identified by SHA-256 hashes when exchanged.

Sincerely,
Watson Ladd