CAs are strongly encouraged to constrain their Intermediate Issuing Certificates to the first- and second-level domains that they are authorized to issue certificates for, such as .edu, .gov, or their country-code TLD. Some CAs only need to issue certificates within certain TLDs; examples are government-run or government-sponsored CAs and CAs for national research and education networks. Such a CA's user base is large enough that typical Mozilla users in its region would benefit from having its root certificate included in NSS, yet the CA only needs to issue certificates within certain first- and second-level domains. A Name Constraints extension on the intermediate limits what that intermediate can issue, and therefore the impact of its misuse or compromise.
The CA's CP/CPS documentation should state the first- and second-level domains that the Issuing Subordinate Certificates are constrained to, and should cite the use of the Name Constraints extension as specified in RFC 3280 or RFC 5280, marked as critical. Marking the extension critical matters: a relying party that does not process a critical extension must reject the certificate (RFC 5280, section 4.2), rather than silently ignoring the constraint.
Notes:
* NSS already fully supports RFC 3280 name constraints.
* RFC 3280, RFC 4325, and RFC 4630 are all obsolete; RFC 5280 is current.
* The Name Constraints extension is part of the PKIX profile for certificates. See RFC 5280, section 4.2.1.10, <http://www.apps.ietf.org/rfc/rfc5280.html#sec-4.2.1.10>, and section 6.1.1, <http://tools.ietf.org/html/rfc5280#section-6.1.1>; the permitted and excluded subtrees are then narrowed for each certificate in the path as described in section 6.1.4. Note that although the extension is part of the standard and RFC 5280 section 4.2 requires conforming applications to recognize it, not all deployed software processes it; because the extension is marked critical, such software must reject the certificate rather than ignore the constraint.
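The following is an added example, not code from this page or from NSS, showing how the dNSName form of the constraint described above behaves under the RFC 5280 rules cited in the notes: section 4.2.1.10 matching (a constraint of `edu` is satisfied by `edu` and by any name formed by adding labels on the left, never by a substring such as `myedu.com`) and the section 6.1.4 path processing (permitted subtrees are intersected and excluded subtrees unioned as each constrained CA is walked). The certificate path, CA names, domains and the `CACert`/`NameConstraints` types are constructed for the example; no real DER or ASN.1 is parsed. The treatment of a leading-dot constraint (`.example.com` as subdomains only) is an assumption for this example, since RFC 5280 does not define that form.

```python
"""
Added example (not code from the page or from NSS): dNSName name-constraint
matching per RFC 5280 section 4.2.1.10 and the path-processing rules of
section 6.1.4, run over constructed sample inputs.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def _labels(name: str) -> List[str]:
    """Split a DNS name into labels; DNS names compare case-insensitively (RFC 5280 7.2)."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def dns_name_within(name: str, constraint: str) -> bool:
    """True if `name` lies inside the subtree named by `constraint`.

    RFC 5280 4.2.1.10: "host.example.com" is satisfied by host.example.com and by
    www.host.example.com, but not by host1.example.com: whole labels, not substrings.
    Assumption for this example: a leading dot (".example.com") means subdomains
    only, so example.com itself does not match. Check your validator's behaviour.
    """
    subdomains_only = constraint.startswith(".")
    n, c = _labels(name), _labels(constraint)
    if not c:
        raise ValueError("empty dNSName constraint")
    if len(n) < len(c) or n[-len(c):] != c:
        return False
    return len(n) > len(c) if subdomains_only else True


@dataclass
class NameConstraints:
    """dNSName entries of one CA certificate's Name Constraints extension (constructed type)."""
    permitted_dns: List[str] = field(default_factory=list)
    excluded_dns: List[str] = field(default_factory=list)
    critical: bool = True  # RFC 5280 4.2.1.10: conforming CAs MUST mark it critical


@dataclass
class CACert:
    """Constructed stand-in for one CA certificate in the path."""
    subject: str
    name_constraints: Optional[NameConstraints] = None


def non_critical_constraints(path: List[CACert]) -> List[str]:
    """Subjects of CAs whose Name Constraints extension is not marked critical (policy check)."""
    return [ca.subject for ca in path
            if ca.name_constraints is not None and not ca.name_constraints.critical]


def check_leaf_dns_names(path: List[CACert], leaf_dns_names: List[str]) -> List[Tuple[str, str]]:
    """Apply every CA's dNSName constraints to the leaf's SAN dNSNames.

    RFC 5280 6.1.4 intersects permitted_subtrees and unions excluded_subtrees as
    the path is walked. Rather than computing an explicit intersection, a name is
    accepted only if it lies within some permitted subtree of EVERY CA that lists
    dNSName permitted subtrees (a CA with none leaves dNSName unconstrained) and
    within no excluded subtree of any CA. Returns (name, reason) violations.
    """
    violations = []
    for name in leaf_dns_names:
        for ca in path:
            nc = ca.name_constraints
            if nc is None:
                continue
            if nc.permitted_dns and not any(dns_name_within(name, c) for c in nc.permitted_dns):
                violations.append((name, f"{ca.subject}: not within permitted subtrees {nc.permitted_dns}"))
                break
            hit = [c for c in nc.excluded_dns if dns_name_within(name, c)]
            if hit:
                violations.append((name, f"{ca.subject}: within excluded subtree {hit[0]}"))
                break
    return violations


# Constructed sample path: an unconstrained root, a national CA limited to .edu,
# .gov and the ccTLD "uk", and a sub-CA limited further to the academic
# second-level domain ac.uk, with one excluded test zone.
SAMPLE_PATH = [
    CACert("Example Root"),
    CACert("Example National CA", NameConstraints(permitted_dns=["edu", "gov", "uk"])),
    CACert("Example Academic CA", NameConstraints(permitted_dns=["ac.uk"], excluded_dns=["test.ac.uk"])),
]

if __name__ == "__main__":
    for leaf in (["www.ox.ac.uk"], ["www.mit.edu"], ["lab.test.ac.uk"], ["ac.uk.evil.com"]):
        print(leaf, check_leaf_dns_names(SAMPLE_PATH, leaf) or "accepted")
```

Note that `www.mit.edu` is inside the national CA's permitted subtrees but is still rejected under the academic sub-CA: a sub-CA can only narrow the constraints it inherits, never widen them. The `ac.uk.evil.com` case shows why matching is on whole labels from the right; a substring match would let an attacker pick a hostname that merely contains the permitted domain.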