Type: Bug
Resolution: Fixed
Priority: P2
Affects Version: 1.4.0
Fixed In: beta2
OS: generic
CPU: generic
The latest version of the PKIX certificate profile (draft-ietf-pkix-new-part1-08.txt) requires that name constraints always apply to the final (end-entity) certificate in a chain, even if that certificate is self-issued (subject and issuer names match). This is a change from earlier versions of that document, which said that name constraints should not be checked on the final certificate if it was self-issued. The document was changed for two reasons: to be consistent with X.509(2000) and to close the security hole that was opened by the old algorithm, which would allow names in the final certificate to completely avoid name constraints checks, violating the intent of earlier CAs. It might seem that no such hole exists, since a self-issued certificate must have matching subject and issuer names. But the subject alternative names need not match and would be completely unrestricted without the name constraints checks.
The current versions of PKIXCertPathValidator and SunCertPathBuilder skip the name constraints check if the final certificate is self-issued. This should be changed to comply with the latest PKIX specifications and also to avoid the security hole that the current behavior creates (described in the preceding paragraph).
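The difference between the old and new rule, as an added example that is not part of this bug report or of the JDK code: a model of PKIX name-constraints processing restricted to dNSName subtrees, with a constructed two-certificate chain (names and the dict-based certificate layout are assumptions of the example) in which a self-issued final certificate carries a subjectAltName outside the CA's permitted subtree.

```python
def dns_in_subtree(name, base):
    """dNSName subtree match: 'example.com' covers itself and every subdomain."""
    name, base = name.lower(), base.lower()
    return name == base or name.endswith("." + base)

def intersect_permitted(current, new):
    """Intersect permittedSubtrees sets (None means 'not constrained yet')."""
    if current is None:
        return list(new)
    # A subtree survives only if it lies inside some subtree of the other set.
    return [n for n in new if any(dns_in_subtree(n, c) for c in current)] + \
           [c for c in current if any(dns_in_subtree(c, n) for n in new)]

def violations(cert, permitted, excluded):
    """SAN dNSNames outside permittedSubtrees or inside excludedSubtrees."""
    bad = []
    for name in cert["dns_names"]:
        outside = permitted is not None and not any(dns_in_subtree(name, p) for p in permitted)
        if outside or any(dns_in_subtree(name, e) for e in excluded):
            bad.append(name)
    return bad

def check_chain(chain, skip_final_self_issued):
    """Walk chain (cert below the trust anchor first); return offending names, [] if it passes."""
    permitted, excluded = None, []   # state inherited from the trust anchor: unconstrained
    for i, cert in enumerate(chain):
        final = i == len(chain) - 1
        self_issued = cert["subject"] == cert["issuer"]
        # Intermediate self-issued certs are always exempt from the check; the old
        # draft also exempted a self-issued *final* cert, the new draft does not.
        exempt = self_issued and (not final or skip_final_self_issued)
        if not exempt:
            bad = violations(cert, permitted, excluded)
            if bad:
                return bad
        nc = cert.get("name_constraints")
        if nc:   # narrow the state inherited by the certificates below this one
            if "permitted" in nc:
                permitted = intersect_permitted(permitted, nc["permitted"])
            excluded = excluded + nc.get("excluded", [])
    return []

# Constructed chain: a CA constrained to example.com issues a certificate to
# itself (subject == issuer, i.e. self-issued) that carries an unrelated SAN.
CHAIN = [
    {"subject": "CN=Corp CA", "issuer": "CN=Root", "dns_names": [],
     "name_constraints": {"permitted": ["example.com"]}},
    {"subject": "CN=Corp CA", "issuer": "CN=Corp CA",
     "dns_names": ["login.example.com", "bank.example.org"]},
]
```

With the old rule, `check_chain(CHAIN, skip_final_self_issued=True)` returns `[]` and the unrelated name passes unchecked; with the corrected rule, `check_chain(CHAIN, skip_final_self_issued=False)` returns `['bank.example.org']`.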