We say this because we trust LetsEncrypt. But if this was a random CA, I’d want them held to the standard LetsEncrypt is setting here.
Quote Tweet
Replying to @tqbf
This is unbelievable. The time wasted just _discussing_ this.
3
42
Conversation
Replying to
I'd rather they finish getting accounturi / validationmethods to production. Has been on staging for ages. It makes domain validation actually work as people would probably expect.
Makes CT more valuable for people who don't track each valid cert on each server for it too.
IMO, the current way that works is a pretty massive vulnerability which this completely solves. I'd rather they deal with that rather than fretting about some off-by-one error which they managed to make in the linting tool too. It's software. We know it's screwed up like that.
1
Most people checking CT are just going to see a bunch of Let's Encrypt, nothing else, and call it good because they trust LE. Meanwhile, they verify domain control via ~2x unauthenticated HTTP requests happily hopping between a bunch of servers / domains to find the challenge.