Comment by Groxx
3 years ago
Ownership is already handled by checking DNS (and this thread covers a way to make that even more secure, which LE supports), and as far as I can tell neither has nothing to do with preventing MITM between LE and your servers.
And no, I don't mean throwing LE certs around to prevent MITM - this whole article is about the difficulties before having an LE cert, so that's necessarily excluded.
I'm wondering "why not client certificates". They're a well established way to stop MITM, seems like a simple choice for the ownership validation step.
Have you ever tried to explain key distribution/management to a normal person?
You should try it sometime.
Sure, but this is not particularly relevant when talking about a security product that you use to do key distribution and management (LetsEncrypt).
Explaining and guiding people through that is the whole point.