diff --git a/authority/authority.go b/authority/authority.go
index 73aa9cca..fe00eff2 100644
--- a/authority/authority.go
+++ b/authority/authority.go
@@ -80,6 +80,8 @@ type Authority struct {
 authorizeRenewFunc provisioner.AuthorizeRenewFunc
 authorizeSSHRenewFunc provisioner.AuthorizeSSHRenewFunc
+ // Constraint engine
+
 // Policy engines
 policyEngine *policy.Engine
diff --git a/authority/internal/constraints/constraints.go b/authority/internal/constraints/constraints.go
index 997b53aa..3a320481 100644
--- a/authority/internal/constraints/constraints.go
+++ b/authority/internal/constraints/constraints.go
@@ -22,9 +22,9 @@ func (e ConstraintError) Error() string {
 return e.Detail
 }
-// Service implements a constraint validator for DNS names, IP addresses, Email
+// Engine implements a constraint validator for DNS names, IP addresses, Email
 // addresses and URIs.
-type Service struct {
+type Engine struct {
 hasNameConstraints bool
 permittedDNSDomains []string
 excludedDNSDomains []string
@@ -36,10 +36,10 @@ type Service struct {
 excludedURIDomains []string
 }
-// New creates a constraint validation service that contains the given chain of
+// New creates a constraint validation engine that contains the given chain of
 // certificates.
-func New(chain ...*x509.Certificate) *Service {
- s := new(Service)
+func New(chain ...*x509.Certificate) *Engine {
+ s := new(Engine)
 for _, crt := range chain {
 s.permittedDNSDomains = append(s.permittedDNSDomains, crt.PermittedDNSDomains...)
 s.excludedDNSDomains = append(s.excludedDNSDomains, crt.ExcludedDNSDomains...)
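Review bot: The `// Constraint engine` comment added to the Authority struct labels nothing — it is followed only by an empty line and the pre-existing `// Policy engines` group — so it reads as a dangling heading rather than documentation of a field. If the constraints field is meant to arrive in a follow-up, either hold the comment back until then or introduce the field together with it, for example `constraintsEngine *constraints.Engine` (name to taste) directly beneath the comment, so the comment and the thing it describes land in one change. The Authority struct continues outside the hunk.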
@@ -64,7 +64,7 @@ func New(chain ...*x509.Certificate) *Service {
 // Validate checks the given names with the name constraints defined in the
 // service.
-func (s *Service) Validate(dnsNames []string, ipAddresses []net.IP, emailAddresses []string, uris []*url.URL) error {
+func (s *Engine) Validate(dnsNames []string, ipAddresses []net.IP, emailAddresses []string, uris []*url.URL) error {
 if !s.hasNameConstraints {
 return nil
 }
diff --git a/authority/internal/constraints/constraints_test.go b/authority/internal/constraints/constraints_test.go
index 34e204e0..cb750c52 100644
--- a/authority/internal/constraints/constraints_test.go
+++ b/authority/internal/constraints/constraints_test.go
@@ -47,12 +47,12 @@ func TestNew(t *testing.T) {
 tests := []struct {
 name string
 args args
- want *Service
+ want *Engine
 }{
- {"ok", args{[]*x509.Certificate{ca1.Intermediate, ca1.Root}}, &Service{
+ {"ok", args{[]*x509.Certificate{ca1.Intermediate, ca1.Root}}, &Engine{
 hasNameConstraints: false,
 }},
- {"ok with constraints", args{[]*x509.Certificate{ca2.Intermediate, ca2.Root}}, &Service{
+ {"ok with constraints", args{[]*x509.Certificate{ca2.Intermediate, ca2.Root}}, &Engine{
 hasNameConstraints: true,
 permittedDNSDomains: []string{"internal.example.org"},
 excludedDNSDomains: []string{"internal.example.com"},
@@ -205,7 +205,7 @@ func Test_service_Validate(t *testing.T) {
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- s := &Service{
+ s := &Engine{
 hasNameConstraints: tt.fields.hasNameConstraints,
 permittedDNSDomains: tt.fields.permittedDNSDomains,
 excludedDNSDomains: tt.fields.excludedDNSDomains,
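Review bot: The doc comment above Validate still says the constraints are `defined in the service.` while the receiver on the changed line is now `*Engine`, so the rename leaves this documentation stale. Change the two context lines to `// Validate checks the given names against the name constraints defined in the` and `// engine.`; the test name `Test_service_Validate` in the @@ -205 hunk of constraints_test.go carries the same leftover and could become `Test_engine_Validate` in the same sweep. Validate's body continues outside the hunk; from the visible lines the early `return nil` when `hasNameConstraints` is false is the intended no-constraints path, so the rename does not touch the enforcement logic itself.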