Comment by codedokode

3 years ago

[flagged]

How would you implement “strict checking” at scale and for free?

  • Implement a proper Proof of Possession system (PoP) and make Let's Encrypt opt-in instead of opt-out.

    Given that in the end, Let's Encrypt/ACME relies on PoP of a DNS domain, DNSSEC setup on the domain should have been a prerequisite.

    In addition, an explicit opt-in should be required, for example, with a requirement for a CAA record pointing to LE.

    ---

    As a side note, this whole situation leaves me with a really weird feeling.

    On one end, I will always be grateful for LE enabling tls/https generalization.

    On the other, I kind of feel betrayed and/or ashamed that LE/ACME almost willingly introduced protocol flaws weakening the whole CA infrastructure and that we (me included) didn't challenge it more when LE was introduced.