← Back to context

Comment by kakwa_

3 years ago

Implement a proper Proof of Possession system (PoP) and make Let's Encrypt opt-in instead of opt-out.

Given that in the end, Let's Encrypt/ACME relies on PoP of a DNS domain, DNSSEC setup on the domain should have been a prerequisite.

In addition, an explicit opt-in should be required, for example, with a requirement for a CAA record pointing to LE.

---

As a side note, this whole situation leaves me with a really weird feeling.

On one end, I will always be grateful for LE enabling tls/https generalization.

On the other, I kind of feel betrayed and/or ashamed that LE/ACME almost willingly introduced protocol flaws weakening the whole CA infrastructure and that we (me included) didn't challenge it more when LE was introduced.