This is a question of domain administrative boundaries. There are a number instance problems (each with a nuance), like Proxy/Interception certificates issued against *.COM and *.NET, and email SmartHosts that receive mail on behalf of an organization.
The browser and CAs use the Public Suffix List (PSL) in an attempt to determine the administrative boundaries.