Dave,
I agree with your recommendations. Please note that the PKIX X.509 Cert and
CRL Profile states that keyUsage should always be critical, if present, and
the S/MIME Cert Handling Spec states that keyUsage MUST be critical, if
present.
- John Pawling