Thanks, I wasn't aware of that. I guess I'd feel a bit more comfortable installing a CA with those constraints, though I'd wonder how many administrators actually know to do it—seems like a feature that's not currently well known and something that can be easily overlooked.
There would also be risks to users if installing these custom CAs became common practice. It might be safe to do it for certificates with suitable name constraints, but until certificate installation UIs add something special for this ("this certificate has authority over X, Y, Z"), users aren't going to distinguish between safe/unsafe (constrained/unconstrained) CAs.
