← Back to context

Comment by Groxx

3 years ago

Ownership is already handled by checking DNS (and this thread covers a way to make that even more secure, which LE supports), and as far as I can tell neither has nothing to do with preventing MITM between LE and your servers.

And no, I don't mean throwing LE certs around to prevent MITM - this whole article is about the difficulties before having an LE cert, so that's necessarily excluded.

I'm wondering "why not client certificates". They're a well established way to stop MITM, seems like a simple choice for the ownership validation step.

Have you ever tried to explain key distribution/management to a normal person?

You should try it sometime.

  • Sure, but this is not particularly relevant when talking about a security product that you use to do key distribution and management (LetsEncrypt).

    Explaining and guiding people through that is the whole point.