Merge "Update the UdsCertChain comment to reflect the latest recommendation." into main am: 9471625f69 am: dfbe1009ca

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/3207215

Change-Id: I127de33487e8b89f64f48d2695e88b4f4c2f1520
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl

@@ -62,9 +62,13 @@ UdsCerts = {
 SignerName = tstr
 
 UdsCertChain = [
-    2* X509Certificate      ; Root -> ... -> Leaf. "Root" is the vendor self-signed
-                            ; cert, "Leaf" contains UDS_Public. There may also be
-                            ; intermediate certificates between Root and Leaf.
+    + X509Certificate       ; Root -> ... -> Leaf. "Root" is the vendor self-signed
+                            ; cert, "Leaf" contains UDS_Public. It's recommended to
+                            ; have at least 3 certificates in the chain.
+                            ; The Root certificate is recommended to be generated in an air-gapped,
+                            ; HSM-based secure environment. The intermediate signing keys may be
+                            ; online, and should be rotated regularly (e.g. annually). Additionally,
+                            ; the intermediate certificates may contain product family identifiers.
 ]
 
 ; A bstr containing a DER-encoded X.509 certificate (RSA, NIST P-curve, or EdDSA)