everfrustrated 2 days ago

Intermediates aren't a delegation mechanism as such. They're a way to navigate to the root's trust.

The trust is always in the root itself.

It's not an Active Directory / LDAP / tree type mechanism where you can say I trust things at this node level and below.

account42 2 days ago | parent | next [-]

But they could and IMO should be a delegation mechanism. The Name Constraints extension already exists.

everfrustrated 2 days ago | parent [-]

The trouble is the constraint mechanism is outside of the inherent chain of trust logic and is checked using application-level logic.

So you have to modify all potential clients for this constraint to be enforced. So it's effectively worthless as there is no way to roll it out in any meaningful sense.
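For reference, the dNSName matching that the Name Constraints extension (RFC 5280, section 4.2.1.10) asks a validating client to perform, as an added example that is not part of any comment in this thread. The `CA` class, function names and hostnames are constructed for illustration, and only the leaf's DNS names are checked.

```python
# Added illustration: dNSName name-constraint matching per RFC 5280 4.2.1.10.
# All names and sample data below are constructed, not taken from the thread.
from dataclasses import dataclass, field


@dataclass
class CA:
    name: str
    permitted_dns: list = field(default_factory=list)  # empty = no permitted list
    excluded_dns: list = field(default_factory=list)


def _labels(name):
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def in_subtree(dns_name, constraint):
    """A name is inside a subtree if it equals the constraint or adds whole
    labels on the left. Comparing labels, not raw string suffixes, is what
    keeps 'evilcorp.example' out of the 'corp.example' subtree."""
    n, c = _labels(dns_name), _labels(constraint)
    return len(n) >= len(c) and (not c or n[-len(c):] == c)


def check_leaf(chain, leaf_dns_names):
    """Check the leaf's SAN dNSNames against every CA in the chain.
    Returns a list of (ca_name, dns_name, reason); empty means no violation."""
    violations = []
    for ca in chain:
        for name in leaf_dns_names:
            if any(in_subtree(name, ex) for ex in ca.excluded_dns):
                violations.append((ca.name, name, "excluded"))
            elif ca.permitted_dns and not any(
                in_subtree(name, p) for p in ca.permitted_dns
            ):
                violations.append((ca.name, name, "not permitted"))
    return violations


# Constructed chain: an unconstrained root and a constrained intermediate.
SAMPLE_CHAIN = [
    CA("Constructed Root"),
    CA("Constructed Intermediate",
       permitted_dns=["corp.example"],
       excluded_dns=["secret.corp.example"]),
]

if __name__ == "__main__":
    for san in ["www.corp.example", "evilcorp.example", "db.secret.corp.example"]:
        print(san, check_leaf(SAMPLE_CHAIN, [san]) or "ok")
```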

stego-tech 2 days ago | parent | prev [-]

Appreciate the clarification! My grievance still stands, but at least I can articulate it better going forward.