In the BRs, it is permitted but not required, with a footnote saying "If a CA Certificate does not assert the digitalSignature bit, the CA Private Key MUST NOT be used to sign an OCSP Response." Now that we don't do OCSP, we don't need digitalSignature in future TLS Subordinate CA Certificates, and we can make it optional in the CP-CPS.
https://cabforum.org/working-groups/server/baseline-requirements/requirements/#712107-ca-certificate-key-usage
https://letsencrypt.org/documents/isrg-cp-cps-v6.1/#tls-subordinate-ca-certificate-profile
In the BRs, it is permitted but not required, with a footnote saying "If a CA Certificate does not assert the digitalSignature bit, the CA Private Key MUST NOT be used to sign an OCSP Response." Now that we don't do OCSP, we don't need digitalSignature in future TLS Subordinate CA Certificates, and we can make it optional in the CP-CPS.
https://cabforum.org/working-groups/server/baseline-requirements/requirements/#712107-ca-certificate-key-usage
https://letsencrypt.org/documents/isrg-cp-cps-v6.1/#tls-subordinate-ca-certificate-profile