Comment Re:subdomain trust (Score 1) 92
Or is this an option?
The name constraints extension, which MUST be used only in a CA certificate, indicates a name space within which all subject names in subsequent certificates in a certification path MUST be located. Restrictions apply to the subject distinguished name and apply to subject alternative names.
...
It is an option that was not forced on the root CAs. Essentially none of the public CAs are signing from intermediary CAs with name restrictions applied to their certificates.
Generally the restriction mechanism is only allowed to do something kind of "creepy", where the root CA essentially "sells" this service to a smaller company for perhaps $50,000 or so and issues a restricted certificate --- that allows whoever bought this service to sign subcerts within certain constraints.
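The name constraints check described in the quoted text, as an added example that is not part of the comment above and is not any CA's or library's own code. It covers only dNSName subject alternative names (not the subject distinguished name), follows the RFC 5280 rule that a DNS name satisfies a constraint when it equals it or adds labels on its left, and uses a constructed CA name and constructed hostnames.

```python
# Added illustration: dNSName name-constraint matching in the style of RFC 5280.
# The CA name and every hostname below are constructed sample values.

def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def within_subtree(dns_name, constraint):
    """True if dns_name equals the constraint or adds labels on its left side."""
    if constraint == "":
        return True  # an empty dNSName constraint matches every DNS name
    name, base = _labels(dns_name), _labels(constraint)
    if len(name) < len(base):
        return False
    # Compare whole labels, so "notexample.com" is NOT inside "example.com".
    return name[len(name) - len(base):] == base

def name_allowed(dns_name, permitted, excluded):
    """Excluded subtrees win; if permitted subtrees exist, one of them must match."""
    if any(within_subtree(dns_name, c) for c in excluded):
        return False
    if permitted and not any(within_subtree(dns_name, c) for c in permitted):
        return False
    return True

def check_path(constrained_cas, leaf_sans):
    """Test each leaf SAN against every constrained CA in the path.

    constrained_cas: list of (ca_name, permitted_dns, excluded_dns) tuples.
    Returns a list of (san, ca_name) pairs that violate a constraint.
    """
    violations = []
    for san in leaf_sans:
        for ca_name, permitted, excluded in constrained_cas:
            if not name_allowed(san, permitted, excluded):
                violations.append((san, ca_name))
    return violations

# Constructed sample: one intermediate CA restricted to example.com,
# with internal.example.com carved out as an excluded subtree.
SAMPLE_PATH = [("Example Corp Issuing CA", ["example.com"], ["internal.example.com"])]
SAMPLE_SANS = ["www.example.com", "example.com", "db.internal.example.com",
               "www.example.com.other.test", "notexample.com"]

if __name__ == "__main__":
    for san, ca in check_path(SAMPLE_PATH, SAMPLE_SANS):
        print(f"REJECT {san}: outside name constraints of {ca}")
```

A relying party that does not process the extension gets none of this protection, which is why RFC 5280 requires conforming CAs to mark name constraints critical.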