View Issue Details

ID: 0006861
Project: 10000-006: Mappings
Category: Spec
View Status: public
Last Update: 2021-08-31 16:32
Reporter: Gerhard Gappmeier
Assigned To: Randy Armstrong
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Summary: 0006861: Add information on requirements on CA certificates and user certificates
Description

Part 6 already contains a detailed description of ApplicationInstance Certificates.

Similar information would make sense for

  • Root CA certificates
  • Intermediate CA certificates
  • User certification (x509 authentication)

Regarding CA certs: We need to look into best practices. AFAIK the AKID should always be there.
Here is an example from Verisign:

    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:TRUE
        X509v3 Key Usage: critical
            Certificate Sign, CRL Sign
        1.3.6.1.5.5.7.1.12:
            0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
        X509v3 Subject Key Identifier:
            B6:77:FA:69:48:47:9F:53:12:D5:C2:EA:07:32:76:07:D1:97:07:19

Regarding user certificates:
Because using thumbprints is impractical for mapping to users (they need to be changed on every renewal), it makes sense to use a username (or email) in the common name field.
This is already often the case when working with smart cards.
User certs are end entity certificates, so the CA flag should be set to false (even if it's self-signed).

Tags: No tags attached.
Commit Version
Fix Due Date
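
An added example, not part of the issue or of the specification text it led to: a Python lint (using the `cryptography` package) for the properties the description proposes, with sample certificates constructed in place. The names `make_cert`, `lint` and `user_id` are hypothetical, and treating a missing AKID as a finding follows the reporter's suggestion rather than a requirement stated on this page.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, key, issuer_cn, issuer_key, is_ca, akid=True):
    """Build a constructed sample certificate (test data, not from the issue)."""
    start = datetime.datetime(2021, 1, 1)
    b = (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(_name(issuer_cn))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False))
    if akid:
        b = b.add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(
            issuer_key.public_key()), critical=False)
    if is_ca:
        usage = dict.fromkeys(("digital_signature", "content_commitment", "key_encipherment",
                               "data_encipherment", "key_agreement", "encipher_only",
                               "decipher_only"), False)
        b = b.add_extension(x509.KeyUsage(key_cert_sign=True, crl_sign=True, **usage), critical=True)
    return b.sign(issuer_key, hashes.SHA256())

def lint(cert, role):
    """Return findings for role 'ca' or 'user'; an empty list means every check passed."""
    def ext(cls):
        try:
            return cert.extensions.get_extension_for_class(cls)
        except x509.ExtensionNotFound:
            return None
    bc, ku, out = ext(x509.BasicConstraints), ext(x509.KeyUsage), []
    is_ca = bc is not None and bc.value.ca
    if role == "ca":
        if not (is_ca and bc.critical):
            out.append("basicConstraints is not critical CA:TRUE")
        if ku is None or not (ku.value.key_cert_sign and ku.value.crl_sign):
            out.append("keyUsage lacks Certificate Sign / CRL Sign")
        if ext(x509.AuthorityKeyIdentifier) is None:
            out.append("AKID missing")  # the reporter's suggestion, treated as a rule here
    elif is_ca:
        out.append("end-entity certificate has CA:TRUE")
    return out

def user_id(cert):
    """Map a user certificate to an account by common name, not by thumbprint."""
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
```

Renewing a user certificate with a new key changes its thumbprint, while `user_id` returns the same value for both certificates.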

Activities

Randy Armstrong

2021-08-19 05:43

administrator   ~0014764

Added section on User and Issuer certs to 1.05.1 DRAFT 3.

Jim Luth

2021-08-31 16:32

administrator   ~0014790

Agreed to changes edited in 1.05.01 Draft 4.

Issue History

Date Modified      Username            Field               Change
2021-04-28 15:27   Gerhard Gappmeier   New Issue
2021-08-19 05:43   Randy Armstrong     Assigned To         => Randy Armstrong
2021-08-19 05:43   Randy Armstrong     Status              new => resolved
2021-08-19 05:43   Randy Armstrong     Resolution          open => fixed
2021-08-19 05:43   Randy Armstrong     Note Added: 0014764
2021-08-31 16:32   Jim Luth            Status              resolved => closed
2021-08-31 16:32   Jim Luth            Note Added: 0014790