I wonder about the downvotes, with the long documented history of software failing to properly validate certificate chains (or worse, trees).

See for example http://blog.codekills.net/2012/04/08/adventures-in-x509-the-... about what really happens when one steps outside the well traveled path of certificate attributes...