during our last meeting with Simo we discussed support for name constraint
extension in CA certificates and clients.
The Name Constraints Extensions is defined here:
Following article could be interesting for you if you like longer stories:
"Mozilla changes policy to limit risk of subordinate CA certificate abuse"
Author: Lucian Constantin 19.02.2013 kl 21:50
If I remember correctly, questions were mainly about support on client side
and about implications for older clients.
Freeipa-devel mailing list