Support testing NameConstraints?

[kcking]

NameConstraints on a CA cert designate a whitelist/blacklist of CNs and SANs that certificates signed by that CA can contain (they can also be applied to any GeneralName (see RFC5280). Support for NameConstraints is minimal, the only mainstream clients I'm aware of that implement it are NSS (used by Firefox) and the openssl cli (and these implementations don't necessarily work for all types of GeneralName).

NameConstraints allow one to give a CA restricted trust, such as only trusting the DoD Root (that was installed on my Mac by default) with *.gov SANs.

Would trytls be interested in a contribution adding some sort of NameConstraints support to its testbed?