X.509 technically does support a parameter in CA certificates called Name Constraints which allows them to be restricted to issuing certificates within a specific set of names. Historically this feature has not been well supported though it seems like the browsers have added it more recently.
I agree wholeheartedly that this feature should be used more widely to restrict CAs where practical; obviously, limiting government CAs to their respective ccTLD(s) seems like an easy one. Personally I'd also like to see this extended to allow for a domain owner to get a private CA certificate issued for their domain(s), which can then be used to issue individual certificates within that/those domain(s) as a more secure alternative to wildcard certificates.
There is no substantial technical reason this couldn't be done, just a lot of older software that wouldn't understand the restrictions and could either reject the certs entirely or consider them valid even if they shouldn't be.
Netflix for example uses this feature internally and built a test suite: https://netflixtechblog.com/bettertls-c9915cd255c0