Comment by silvestrov

3 years ago

A business case for Let's Encrypt is to support internal hosts which are not visible on the internet (Let's Encrypt can check that) and omit the hostnames from the Certificate Transparency Logs.

Let a business pay $100/year for 10 internal hostnames.

I'm fairly certain LE is required to emit signed certificates to CT by the CA/B Forum Baseline Requirements, with no "internal only" exception.

In other words, if they do this they will be untrusted in browsers. They could offer this service on a secondary untrusted root if they wanted.

  • They could augment the CT spec, such that only a hash of the domain needs to be made public.

    Would be a great way to fund LE :)