View Issue Details

ID: 0004172
Project: 10000-012: Discovery
Category: Spec
View Status: public
Last Update: 2018-03-13 20:05
Reporter: Matthias Damm
Assigned To: randyarmstrong
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Summary: 0004172: Breaking 1.04 change in TrustListType::AddCertificate
Description

The original description of TrustListType::AddCertificate states "allows a Client to add a single Certificate to the Trust List".

1.04 added another paragraph to fix an issue where this is not fix for:
"If the Certificate is issued by a CA then the Client shall provide the entire chain in the certificate argument (see Part 6). After validating the Certificate, the Server shall add the CA Certificates to the Issuers list in the Trust List. The leaf Certificate is added to the list specified by the isTrustedCertificate argument."

This breaks all existing applications (clients and servers) and potentially creates a major security issue.

In the best case, a server takes the first certificate in the chain and puts it in the requested place (trust or issuer list).

In the worst case, a server takes the complete chain and stores it completely in the trust list.

I would expect no existing server is implementing the special logic that was added in 1.04.

In addition it forces a behaviour that is maybe not what the user wants to do. It would not be possible to put two certificates out of the chain into the trust list and the remaining chain into the issuer list.

Instead the client should call AddCertificate for every single certificate in the chain and indicate the expected location.

This feature was added for management of self-signed certificates and not for CA signed certificates. For CA signed certificates the TrustList Read/Writer must be used since the required CRL cannot be added managed with the Methods (Add/Remove).

I strongly recommend to replace the new paragraph with a requirement that every certificate in a chain must be added as single certificate starting from the root.

Tags: No tags attached.
Commit Version
Fix Due Date

Relationships

related to 0004081 (closed, randyarmstrong): How to handle CA certificates with CRLs with AddCertificate/RemoveCertificate.

Activities

Jim Luth

2018-02-27 17:12

administrator   ~0008893

Agreed to make the change as proposed. Requires 1.04 Errata.

randyarmstrong

2018-02-27 17:41

administrator   ~0008894

Last edited: 2018-02-27 17:42

CA certs need to be added one by one starting from root while ignoring missing crls errors.

State that CRLs can be updated with the TrustList Write method.

Provide a hint that CA certs should be managed with TrustList writes.

randyarmstrong

2018-03-13 01:31

administrator   ~0008911

Added explanation to 1.05 DRAFT 02.

Jim Luth

2018-03-13 15:30

administrator   ~0008918

Agreed to fixes in 1.05 Draft and 1.04 Errata.
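
The procedure proposed in the description and agreed in the notes above (split the chain, then call AddCertificate once per certificate starting from the root), as an added example that is not part of the issue thread or of any OPC UA stack. It assumes the chain arrives as concatenated DER certificates with the leaf first; the function names and the sample byte strings are constructed for illustration.

```python
# Added illustration; not from the OPC UA specification or any OPC UA stack.
# Assumption: a chain is a ByteString of concatenated DER certificates, leaf first.

def split_der_chain(blob: bytes) -> list:
    """Split concatenated DER objects by walking each outer SEQUENCE header."""
    certs, pos = [], 0
    while pos < len(blob):
        if blob[pos] != 0x30 or pos + 2 > len(blob):
            raise ValueError(f"offset {pos}: expected a DER SEQUENCE")
        first = blob[pos + 1]
        if first < 0x80:                      # short-form length
            hdr, length = 2, first
        else:                                 # long form: next n bytes hold the length
            n = first & 0x7F
            if not 1 <= n <= 4 or pos + 2 + n > len(blob):
                raise ValueError(f"offset {pos}: bad DER length")
            hdr, length = 2 + n, int.from_bytes(blob[pos + 2:pos + 2 + n], "big")
        end = pos + hdr + length
        if end > len(blob):
            raise ValueError(f"offset {pos}: truncated certificate")
        certs.append(blob[pos:end])
        pos = end
    return certs

def is_single_certificate(arg: bytes) -> bool:
    """Server-side guard: accept only an argument holding exactly one certificate."""
    try:
        return len(split_der_chain(arg)) == 1
    except ValueError:
        return False

def plan_add_calls(chain: bytes, trusted=frozenset({0})) -> list:
    """Client side: one (der, isTrustedCertificate) pair per certificate, root first.
    `trusted` holds the leaf-first positions the user wants in the trust list."""
    certs = split_der_chain(chain)
    return [(der, i in trusted) for i, der in reversed(list(enumerate(certs)))]

def fake_der(payload: bytes) -> bytes:
    """Constructed stand-in for a certificate: a DER SEQUENCE around arbitrary bytes."""
    n = len(payload)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body
    return b"\x30" + length + payload

# Constructed sample data (not real certificates): leaf, intermediate CA, root CA.
LEAF, INTERMEDIATE, ROOT = fake_der(b"L" * 300), fake_der(b"I" * 40), fake_der(b"R" * 200)
CHAIN = LEAF + INTERMEDIATE + ROOT
PLAN = plan_add_calls(CHAIN, trusted={0, 1})  # root -> issuer list, other two -> trust list
```

With `trusted={0, 1}` the plan covers the case raised in the description: two certificates out of the chain go to the trust list and the remainder to the issuer list, which a single chain-carrying call cannot express.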

Issue History

Date Modified Username Field Change
2018-02-27 13:46 Matthias Damm New Issue
2018-02-27 13:46 Matthias Damm Relationship added related to 0004081
2018-02-27 17:11 Jim Luth Assigned To => randyarmstrong
2018-02-27 17:11 Jim Luth Status new => assigned
2018-02-27 17:12 Jim Luth Note Added: 0008893
2018-02-27 17:41 randyarmstrong Note Added: 0008894
2018-02-27 17:42 randyarmstrong Note Edited: 0008894
2018-03-13 01:31 randyarmstrong Note Added: 0008911
2018-03-13 01:31 randyarmstrong Status assigned => resolved
2018-03-13 01:31 randyarmstrong Resolution open => fixed
2018-03-13 15:30 Jim Luth Note Added: 0008918
2018-03-13 15:30 Jim Luth Status resolved => closed
2018-03-13 20:04 Jim Luth Fixed in Version => 1.05
2018-03-13 20:05 Jim Luth Target Version 1.04 => 1.05