PKIX certificates have had "Extended Key Usage" (EKU) extensions since before RFC 5280. They are misunderstood and misused.
This document makes the current EKU extension historic, replacing it with two new extensions: one for certification authorities (giving permission), and a second for end-entity certificates (giving authorization).