Comment by kakwa_
3 years ago
Implement a proper Proof of Possession system (PoP) and make Let's Encrypt opt-in instead of opt-out.
Given that in the end, Let's Encrypt/ACME relies on PoP of a DNS domain, DNSSEC setup on the domain should have been a prerequisite.
In addition, an explicit opt-in should be required, for example, with a requirement for a CAA record pointing to LE.
---
As a side note, this whole situation leaves me with a really weird feeling.
On one end, I will always be grateful for LE enabling tls/https generalization.
On the other, I kind of feel betrayed and/or ashamed that LE/ACME almost willingly introduced protocol flaws weakening the whole CA infrastructure and that we (me included) didn't challenge it more when LE was introduced.
No comments yet
Contribute on Hacker News ↗