In practice, this means that CAs can't issue sub-CA certificates with name constraints extensions marked as critical, as required by the specification, because some clients will reject the certificates. As a result, version 1.1 of the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" guidelines released by the Certification Authority/Browser (CAB) Forum allows CAs to issue sub-CA certificates with name constraints set as non-critical.
"Non-critical Name Constraints are an exception to RFC 5280 that MAY be used until the Name Constraints extension is supported by Application Software Suppliers whose software is used by a substantial portion of Relying Parties worldwide," the Baseline Requirements (BRs) say.
The Mozilla Security Team said that version 2.1 of Mozilla's CA Certificate Policy requires CAs to update their operations and SSL certificate issuance to comply with version 1.1 of the CAB Forum's BRs. However, it's not immediately clear whether Mozilla's new policy will allow name constraints extensions to be marked as non-critical, Ristic said.
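The practical consequence of the criticality flag is worth making concrete: a client that does not implement Name Constraints must reject a certificate whose extension is critical, but will silently ignore a non-critical one, so the constraint gives no protection on that client. The following added example (written for this page, not code from the article, the CAB Forum or Mozilla) is a small pure-Python audit that takes the DER-encoded Extensions SEQUENCE of a certificate and reports whether the Name Constraints extension (OID 2.5.29.30) is absent, critical or non-critical. The sample extension blobs are constructed in the block with a minimal DER encoder; the OID and the ASN.1 layout of Extension and NameConstraints follow RFC 5280.

```python
"""Audit the criticality of the X.509 Name Constraints extension (OID 2.5.29.30).

Added example, not from the original article. It assumes the caller has already
extracted the raw DER Extensions SEQUENCE from a certificate's TBSCertificate.
"""

NAME_CONSTRAINTS_OID = "2.5.29.30"
BASIC_CONSTRAINTS_OID = "2.5.29.19"


def der_tlv(tag, content):
    """Encode one DER tag-length-value triple (short and long-form lengths)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def encode_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def decode_oid(body):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def build_name_constraints_extension(permitted_dns, critical):
    """Build a DER Extension carrying permittedSubtrees of dNSName entries (constructed sample)."""
    subtrees = b"".join(der_tlv(0x30, der_tlv(0x82, n.encode("ascii"))) for n in permitted_dns)
    name_constraints = der_tlv(0x30, der_tlv(0xA0, subtrees))   # [0] permittedSubtrees
    parts = [encode_oid(NAME_CONSTRAINTS_OID)]
    if critical:
        parts.append(der_tlv(0x01, b"\xff"))   # DER omits the BOOLEAN when it is DEFAULT FALSE
    parts.append(der_tlv(0x04, name_constraints))
    return der_tlv(0x30, b"".join(parts))


def parse_extensions(extensions_der):
    """Parse an Extensions SEQUENCE into a list of (oid, critical, extnValue)."""
    tag, seq, _ = read_tlv(extensions_der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    result, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = read_tlv(seq, pos)
        assert tag == 0x30, "each Extension must be a SEQUENCE"
        tag, oid_body, p = read_tlv(ext, 0)
        oid = decode_oid(oid_body)
        tag, body, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:                     # optional BOOLEAN critical
            critical = body != b"\x00"
            tag, body, p = read_tlv(ext, p)
        result.append((oid, critical, body))
    return result


def audit_name_constraints(extensions_der):
    """Return 'absent', 'critical' or 'non-critical' for the Name Constraints extension.

    'critical': clients without Name Constraints support will reject the certificate.
    'non-critical': such clients accept the certificate and the constraint is not enforced.
    """
    for oid, critical, _ in parse_extensions(extensions_der):
        if oid == NAME_CONSTRAINTS_OID:
            return "critical" if critical else "non-critical"
    return "absent"


# Constructed samples: a basicConstraints extension (cA=TRUE) plus Name Constraints in each form.
BASIC_CONSTRAINTS_EXT = der_tlv(0x30, encode_oid(BASIC_CONSTRAINTS_OID) + der_tlv(0x01, b"\xff")
                                + der_tlv(0x04, der_tlv(0x30, der_tlv(0x01, b"\xff"))))
CRITICAL_SAMPLE = der_tlv(0x30, BASIC_CONSTRAINTS_EXT
                          + build_name_constraints_extension(["example.com"], critical=True))
NONCRITICAL_SAMPLE = der_tlv(0x30, BASIC_CONSTRAINTS_EXT
                             + build_name_constraints_extension(["example.com"], critical=False))
NO_NC_SAMPLE = der_tlv(0x30, BASIC_CONSTRAINTS_EXT)

if __name__ == "__main__":
    for label, sample in (("critical", CRITICAL_SAMPLE), ("non-critical", NONCRITICAL_SAMPLE),
                          ("unconstrained", NO_NC_SAMPLE)):
        print(f"{label:14s} sub-CA sample -> name constraints {audit_name_constraints(sample)}")
```

When reviewing a real sub-CA certificate, feed the audit the bytes of the Extensions SEQUENCE taken from the TBSCertificate; an "absent" or "non-critical" result means the intended name restriction depends entirely on each relying client implementing the extension, which is precisely the trade-off the BR 1.1 exception accepts.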