benburkert 4 days ago

We theoretically could, but those certificates would show up in CT logs. (For quick & easy monitoring, you can get an RSS feed for your domain on https://crt.sh/, but it's not the most reliable service.) It would be a reputation killer if we did that, just like it would be for your DNS provider or ISP.
masfuerte 4 days ago

Right, but if you want people to trust you, you need to be open about what people are trusting you with. Your original answer seemed obfuscatory.
benburkert 4 days ago

Sorry, not trying to obfuscate anything; hopefully this clarifies: users trust us to hold their ACME account key and we only ask for DNS records prefixed with `_acme-challenge.` to be CNAME delegated. With this we could issue or revoke a new certificate, but we couldn't impersonate them because we don't control the rest of their DNS.
dogleash 4 days ago

> we couldn't impersonate them because we don't control the rest of their DNS.

If that were true, nobody would need signed certificates in the first place.
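The CT log monitoring benburkert points to above is the check that would catch a certificate issued through a delegated `_acme-challenge` record, so here it is as an added example (not code from the thread or from the service being discussed): the script reads crt.sh's JSON output for a domain and its subdomains and flags every issuance whose issuer is not on an allowlist. The `fetch_crtsh` helper uses crt.sh's `output=json` endpoint; the records in `SAMPLE_ENTRIES` are constructed so the rest runs offline.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# crt.sh JSON output for a domain and its subdomains; field names are those its records carry.
CRTSH_JSON = "https://crt.sh/?q={q}&output=json"


def fetch_crtsh(domain, timeout=30):
    """Fetch CT log records for `domain` and its subdomains from crt.sh (network call)."""
    url = CRTSH_JSON.format(q=urllib.parse.quote("%." + domain))
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def unexpected_certs(entries, expected_issuers, since):
    """Issuances logged after `since` whose issuer matches none of `expected_issuers`."""
    # A precert and its final cert share a serial, so dedupe on it; name_value lists the SANs.
    seen, flagged = set(), []
    for e in entries:
        logged = datetime.fromisoformat(e["entry_timestamp"]).replace(tzinfo=timezone.utc)
        if logged < since or e["serial_number"] in seen:
            continue
        seen.add(e["serial_number"])
        if not any(issuer in e["issuer_name"] for issuer in expected_issuers):
            flagged.append({"serial": e["serial_number"], "issuer": e["issuer_name"],
                            "names": sorted(set(e["name_value"].split("\n"))),
                            "logged": logged.isoformat()})
    return flagged


# Constructed sample records shaped like crt.sh output; not real CT data.
LE = "C=US, O=Let's Encrypt, CN=R3"
OTHER = "C=US, O=Unknown CA Inc, CN=Unknown R1"
SAMPLE_ENTRIES = [
    {"serial_number": "03a1", "issuer_name": LE, "name_value": "example.com\nwww.example.com",
     "entry_timestamp": "2024-03-01T10:00:00"},  # precert
    {"serial_number": "03a1", "issuer_name": LE, "name_value": "example.com\nwww.example.com",
     "entry_timestamp": "2024-03-01T10:00:05"},  # final cert, same serial
    {"serial_number": "7f9e", "issuer_name": OTHER, "name_value": "login.example.com",
     "entry_timestamp": "2024-03-02T08:30:00"},  # issued by a CA we do not expect
    {"serial_number": "0001", "issuer_name": OTHER, "name_value": "old.example.com",
     "entry_timestamp": "2023-01-01T00:00:00"},  # older than the monitoring window
]
SINCE = datetime(2024, 1, 1, tzinfo=timezone.utc)  # start of the monitoring window

if __name__ == "__main__":
    for hit in unexpected_certs(SAMPLE_ENTRIES, ["Let's Encrypt"], SINCE):
        print(f"unexpected issuance {hit['serial']} by {hit['issuer']}: {hit['names']}")
```

For a live run, replace `SAMPLE_ENTRIES` with `fetch_crtsh("example.com")` and schedule the script; crt.sh can be slow or return errors under load, which is the unreliability the comment mentions.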