← Back to context

Comment by lxgr

3 years ago

How would you implement “strict checking” at scale and for free?

Implement a proper Proof of Possession system (PoP) and make Let's Encrypt opt-in instead of opt-out.

Given that in the end, Let's Encrypt/ACME relies on PoP of a DNS domain, DNSSEC setup on the domain should have been a prerequisite.

In addition, an explicit opt-in should be required, for example, with a requirement for a CAA record pointing to LE.

---

As a side note, this whole situation leaves me with a really weird feeling.

On one end, I will always be grateful for LE enabling tls/https generalization.

On the other, I kind of feel betrayed and/or ashamed that LE/ACME almost willingly introduced protocol flaws weakening the whole CA infrastructure and that we (me included) didn't challenge it more when LE was introduced.

If they used DNS validation it would be better because there would be only one point of failure (DNS) rather than many (DNS and every ISP between CA and a site).