by foxcpp 2204 days ago
> if you trust a third-party CA they can just sign for anybody without limits

It is possible for a root certificate to have a name constraint making all certificates issued for, e.g., other TLDs invalid, as is done in the dn42 CA.


Yes, that's the nicer solution, and it seems Apple finally got around to adding support for it as well a while back - for a long time they didn't support it, so name constraints broke validation for Safari and Chrome on macOS.
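As an added illustration of both comments above (this is example code, not anything from either commenter or from the dn42 project), the Go program below builds a self-signed root whose critical Name Constraints extension permits only DNS names under one TLD, lets that root sign one leaf inside the subtree and one outside it, and validates both with Go's standard-library `crypto/x509` verifier. The permitted subtree `dn42`, the hostnames `router.dn42` and `www.example.com`, the subject names and the helper function names are all constructed assumptions; the real dn42 CA's certificate is not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a P-256 key for the constructed CA and leaf certificates.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// buildConstrainedRoot self-signs a root CA whose critical Name Constraints
// extension permits only DNS names under `permitted` (for Go's verifier,
// "dn42" covers "dn42" itself and every subdomain of it). Constructed
// example; it does not reproduce the real dn42 CA certificate.
func buildConstrainedRoot(permitted string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Constrained Root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		// Critical: a verifier that does not implement Name Constraints must
		// reject the chain rather than silently ignore the restriction.
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         []string{permitted},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf has the root sign a server certificate for dnsName. Nothing stops
// the CA key from signing a name outside its permitted subtree; it is the
// relying party's chain validation that enforces the constraint.
func issueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, error) {
	key, err := newKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ConstraintViolation builds a root constrained to `permitted`, issues a leaf
// for dnsName and validates it the way a TLS client would. It returns
// (true, nil) when validation fails specifically because the CA is not
// authorized for that name, (false, nil) when the chain validates, and a
// non-nil error for any other outcome (setup failure or an unrelated
// validation error).
func ConstraintViolation(permitted, dnsName string) (bool, error) {
	root, rootKey, err := buildConstrainedRoot(permitted)
	if err != nil {
		return false, err
	}
	leaf, err := issueLeaf(root, rootKey, dnsName)
	if err != nil {
		return false, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err == nil {
		return false, nil
	}
	var invalid x509.CertificateInvalidError
	if errors.As(err, &invalid) && invalid.Reason == x509.CANotAuthorizedForThisName {
		return true, nil
	}
	return false, err
}

func main() {
	// Constructed inputs: one name inside the permitted subtree, one outside.
	for _, name := range []string{"router.dn42", "www.example.com"} {
		violated, err := ConstraintViolation("dn42", name)
		fmt.Printf("%-16s constraint violated=%v err=%v\n", name, violated, err)
	}
}
```

The leaf for `www.example.com` is signed by a perfectly valid CA key, yet the verifier rejects it; that is the "sign for anybody without limits" problem being closed at the relying-party side rather than at the CA. Because the extension is marked critical, RFC 5280 requires a verifier that does not implement it to reject the whole chain, which matches the failure mode the reply above describes for older macOS verifiers: a constrained root is only as useful as the clients' support for the constraint.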