I 100% agree, and I also think it'd be a better solution than wildcard certs in most cases where they're used. I would love to be able to have a personal CA cert that was name constrained to mydomain.tld for the duration of my registration of that domain, which I could then use to issue certs for subdomain.mydomain.tld for individual services instead of having to have one *.mydomain.tld which hypothetically might allow a single compromised service to be turned into the ability to impersonate any of my services.
Obviously having a glut of new private CAs would cause scalability issues for CT logs that are already having issues keeping up with current uses; perhaps CT requirements could be reduced for such single-domain CAs in combination with limited lifetimes.
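For anyone who wants to see what the name-constrained personal CA described in the comment above looks like on the wire, here is an added example (not from the commenter, and the domain mydomain.tld is hypothetical). It builds a throwaway root standing in for a public root, signs an intermediate whose nameConstraints extension permits only DNS names under mydomain.tld, issues leaf certs from that intermediate, and runs path validation with the openssl CLI (1.1.1 or newer assumed). The point it demonstrates: the constrained CA's key can still mint a cert for any name, but relying parties validating the chain reject anything outside mydomain.tld, so a compromised per-service key or even the intermediate itself cannot be used to impersonate arbitrary sites.

```shell
#!/usr/bin/env bash
# Added example: name-constrained intermediate CA for the hypothetical zone
# mydomain.tld. Not code from the original thread. Requires the openssl CLI.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Extensions for the domain holder's CA: it may only issue for mydomain.tld
# and names below it. The constraint is marked critical so validators that
# do not understand it reject the chain rather than ignore it.
cat > int_ext.cnf <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:mydomain.tld
EOF

KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

build_chain() {
  # Root, standing in for a publicly trusted root (constructed, not real).
  openssl req -x509 -config req.cnf -extensions v3_root $KEYOPTS \
    -keyout root.key -out root.crt -days 30 -subj "/CN=Example Root" 2>/dev/null
  # Name-constrained intermediate handed to the domain holder.
  openssl req -new -config req.cnf $KEYOPTS -keyout int.key -out int.csr \
    -subj "/CN=mydomain.tld personal CA" 2>/dev/null
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out int.crt -days 30 -extfile int_ext.cnf 2>/dev/null
}

# Issue a leaf for NAME from the constrained CA, then validate the chain
# against the root. Issuance always succeeds (the CA key can sign anything);
# only validation enforces the constraint. Prints "accepted" or "rejected".
check_name() {
  name="$1"
  printf 'basicConstraints = critical, CA:FALSE\nkeyUsage = critical, digitalSignature\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' \
    "$name" > leaf_ext.cnf
  openssl req -new -config req.cnf $KEYOPTS -keyout leaf.key -out leaf.csr \
    -subj "/CN=$name" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -out leaf.crt -days 7 -extfile leaf_ext.cnf 2>/dev/null
  if openssl verify -CAfile root.crt -untrusted int.crt leaf.crt >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

build_chain
echo "svc.mydomain.tld: $(check_name svc.mydomain.tld)"
echo "evil.example.com: $(check_name evil.example.com)"
echo "mydomain.tld.attacker.example: $(check_name mydomain.tld.attacker.example)"
```

The third case is the suffix trick: a permitted subtree of mydomain.tld matches names that end in ".mydomain.tld" (or equal it), so mydomain.tld.attacker.example is rejected just like evil.example.com. Per-service leaf certs are what the commenter wants; a wildcard *.mydomain.tld would also pass this constraint, but nothing forces the domain holder to issue one.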