Chrome’s address bar will use https:// by default

[merb]

3. use cross signing with name constraints to not have this problem

https://tools.ietf.org/html/rfc5280#section-4.2.1.10

[Sebb767]

4. Find out that name constraints are either not supported or ignore by basically all major libraries.

[fomine3]

Issuing CA cert with Name Constraints is good, but end user should recognize the certificate is constrained to their domains or not.

[midasuni]

The end user should be able to choose the domains the root is valid for - regardless of x509 name constraints.