provider would want to use name constraints ... is that what you meant in the later part of the sentence above?
I think this would only work if the issuer had the name constraint in its certificate. See http://www.ietf.org/rfc/rfc3280.txt, bottom of p 36 4.2.1.11 Name Constraints The name constraints extension, which MUST be used only in a CA certificate, ... So if they provided a sub CA for you, then maybe. Otherwise no. I expect that the number of certs involved is too low for "yes". (I still think name constraints is supported so poorly, it will remain unusable for a few years except in closed pkis.) There are a number of large subordinate CA projects provided by verisign to certain large academic institutions; there the answer might well be yes. But I don't know and have no easy way of finding out.