On Monday, August 8, 2016 at 12:47:26 PM UTC-7, S Davidson wrote:
> However, I am interested in feedback from the Mozilla community, including any experience on handling subCAs with large numbers of nameConstraints.
My biggest concern relates to the re-use of the issuer name and key across multiple distinct certificates. That's a relative recipe for hell when constructing paths - particularly with the duplicate SKID. If you don't vary the validity period, you've got even more non-determinism.
Is there a reason this customer can't simply have two unique-subject intermediates to handle their various needs? Segment (Domain Set A) to Intermediate A, and (Domain Set B) to Intermediate B.
I would strongly discourage putting it all under one intermediate, even though I'm not aware of any explicit prohibition of this.
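To make the path-building concern concrete, here is a small added illustration (not code from this thread or from any Mozilla or CA project) of why two intermediates that reuse one subject name and one key (hence one SKID) are awkward for chain builders. It models only the issuer lookup a builder performs (issuer name plus AKID matched against subject name plus SKID) and dNSName permittedSubtrees, and all certificate names and key tags are constructed placeholders. A greedy builder that takes the first match and never backtracks can pick the intermediate whose name constraints do not cover the leaf and fail, while a backtracking builder succeeds; with two distinct-subject intermediates the lookup is unambiguous either way.

```python
"""Toy X.509 path builder: shared-subject/shared-key intermediates vs. distinct ones.
Added example with constructed data; not code from the mailing-list thread."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ski: str                    # Subject Key Identifier (constructed tag)
    aki: str                    # Authority Key Identifier (constructed tag)
    is_ca: bool = False
    permitted_dns: tuple = ()   # nameConstraints permittedSubtrees (dNSName); () = unconstrained
    san_dns: tuple = ()         # subjectAltName dNSName values (leaf only)


def dns_matches_subtree(name: str, subtree: str) -> bool:
    # RFC 5280 4.2.1.10: a dNSName constraint "example.com" matches "example.com"
    # and any host below it such as "www.example.com", but not "example.com.other".
    name, subtree = name.lower(), subtree.lower()
    return name == subtree or name.endswith("." + subtree)


def names_permitted(ca: Cert, leaf: Cert) -> bool:
    # Every leaf dNSName must fall inside at least one permitted subtree of this CA.
    if not ca.permitted_dns:
        return True
    return all(any(dns_matches_subtree(n, s) for s in ca.permitted_dns) for n in leaf.san_dns)


def candidate_issuers(cert: Cert, store: list) -> list:
    # The lookup a builder performs: issuer name and AKID against subject name and SKID.
    return [c for c in store if c.is_ca and c.subject == cert.issuer and c.ski == cert.aki]


def build_path_first_match(leaf: Cert, store: list, trust_anchor: Cert) -> Optional[list]:
    """Greedy builder: takes the first matching issuer at each step, never backtracks."""
    path, cur = [leaf], leaf
    while cur is not trust_anchor:
        cands = candidate_issuers(cur, store)
        if not cands:
            return None
        cur = cands[0]
        path.append(cur)
    return path if all(names_permitted(ca, leaf) for ca in path[1:]) else None


def build_path_backtracking(leaf: Cert, store: list, trust_anchor: Cert) -> Optional[list]:
    """Exhaustive builder: tries every candidate issuer (RFC 4158 style) before giving up."""
    def extend(path):
        cur = path[-1]
        if cur is trust_anchor:
            return path if all(names_permitted(ca, leaf) for ca in path[1:]) else None
        for cand in candidate_issuers(cur, store):
            if cand in path:            # avoid cycles through self-issued certificates
                continue
            found = extend(path + [cand])
            if found:
                return found
        return None
    return extend([leaf])


# Constructed certificates. All names and key tags are placeholders, not real CA data.
ROOT = Cert("CN=Example Root", "CN=Example Root", "root-key", "root-key", is_ca=True)

# Scenario 1: one subject name and one key reused for two name-constrained subCAs.
SUB_SHARED_A = Cert("CN=Shared Sub CA", "CN=Example Root", "sub-key", "root-key", True, ("example.com",))
SUB_SHARED_B = Cert("CN=Shared Sub CA", "CN=Example Root", "sub-key", "root-key", True, ("example.net",))
LEAF_NET = Cert("CN=www.example.net", "CN=Shared Sub CA", "leaf-net", "sub-key", san_dns=("www.example.net",))
STORE_SHARED = [ROOT, SUB_SHARED_A, SUB_SHARED_B]

# Scenario 2: the same domain sets split across two distinct intermediates.
SUB_A = Cert("CN=Sub CA A", "CN=Example Root", "key-a", "root-key", True, ("example.com",))
SUB_B = Cert("CN=Sub CA B", "CN=Example Root", "key-b", "root-key", True, ("example.net",))
LEAF_NET_B = Cert("CN=www.example.net", "CN=Sub CA B", "leaf-net", "key-b", san_dns=("www.example.net",))
STORE_SPLIT = [ROOT, SUB_A, SUB_B]


def demo() -> dict:
    """Return whether each builder finds a valid path, plus the number of lookup candidates."""
    return {
        "shared_candidates": len(candidate_issuers(LEAF_NET, STORE_SHARED)),
        "shared_first_match": build_path_first_match(LEAF_NET, STORE_SHARED, ROOT) is not None,
        "shared_backtracking": build_path_backtracking(LEAF_NET, STORE_SHARED, ROOT) is not None,
        "split_candidates": len(candidate_issuers(LEAF_NET_B, STORE_SPLIT)),
        "split_first_match": build_path_first_match(LEAF_NET_B, STORE_SPLIT, ROOT) is not None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the shared-subject store, `candidate_issuers` returns two intermediates for the leaf and the outcome depends on which one a given builder tries first; with distinct subjects and keys it returns exactly one, which is the determinism the post argues for.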