Comment by mhandley

11 years ago

Let's Encrypt can run a web spider - crawl the web to build a database of actively used domain names.

Periodically poll DNS for the list from that database to obtain the NS records for pretty much all of the web, and also A records for all the actively used hosts you find in the crawl. Keep this cache as a trace of how DNS records change.

Now, do the DNS polling from several different geographic locations. Now you've got a history of DNS from different viewpoints.

When you get a request for a certificate for, say, "microsoft.com", look up the domain name in the way described on the Let's Encrypt description. But also check that this IP address appears in the history, either from multiple locations for a few days, or from one location for a few months.

If this test fails, check if the historic IP addresses for this domain from the polled cache are already running TLS, signed by a regular CA. If so, reject the application.

Otherwise continue with validation in the way described on the Let's Encrypt web page.

Thanks for the interesting suggestion -- I'll mention it to the people working on the CA implementation as a possible validation technique to consider.
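The history check proposed in the comment above, as an added Python example that is not part of the original thread or of any Let's Encrypt code. The thresholds ("a few days", "a few months"), the vantage-point names, the sample DNS history and the TLS-probe stub are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Callable, List, NamedTuple

class Observation(NamedTuple):
    location: str      # vantage point the DNS poll ran from
    seen_at: datetime  # when this A record was observed
    domain: str
    ip: str

# Thresholds are assumptions; the comment only says "a few days" / "a few months".
MULTI_LOCATION_MIN_DAYS = 3
SINGLE_LOCATION_MIN_DAYS = 90

def _span_days(timestamps) -> float:
    return (max(timestamps) - min(timestamps)) / timedelta(days=1)

def ip_is_established(history: List[Observation], domain: str, ip: str) -> bool:
    """True if `ip` was seen for `domain` from >=2 locations for a few days each,
    or from one location for a few months."""
    by_location = defaultdict(list)
    for obs in history:
        if obs.domain == domain and obs.ip == ip:
            by_location[obs.location].append(obs.seen_at)
    spans = {loc: _span_days(ts) for loc, ts in by_location.items()}
    if sum(1 for s in spans.values() if s >= MULTI_LOCATION_MIN_DAYS) >= 2:
        return True
    return any(s >= SINGLE_LOCATION_MIN_DAYS for s in spans.values())

def decide(history: List[Observation], domain: str, presented_ip: str,
           serves_ca_signed_tls: Callable[[str], bool]) -> str:
    """'validate' = continue with normal validation; 'reject' = refuse the request."""
    if ip_is_established(history, domain, presented_ip):
        return "validate"
    # Unfamiliar address: reject if the domain's historic IPs already serve regular-CA TLS.
    historic = {o.ip for o in history if o.domain == domain} - {presented_ip}
    if any(serves_ca_signed_tls(ip) for ip in historic):
        return "reject"
    return "validate"

# Constructed history: 192.0.2.10 polled weekly for ~4 months from two vantage
# points, then 198.51.100.7 shows up once, from one vantage point.
T0 = datetime(2014, 1, 1)
SAMPLE_HISTORY = [Observation(loc, T0 + timedelta(days=d), "example.com", "192.0.2.10")
                  for loc in ("us-east", "eu-west") for d in range(0, 120, 7)]
SAMPLE_HISTORY.append(Observation("us-east", T0 + timedelta(days=120), "example.com", "198.51.100.7"))

# Stand-in for a real TLS probe of a historic address (assumed: it serves a CA-signed cert).
def historic_ip_serves_ca_tls(ip: str) -> bool:
    return ip == "192.0.2.10"
```

A real deployment would replace the stub with an actual TLS connection to each historic address and a chain check against the trusted root store.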