A public cert for localdev.letsencryrpt.org

It sounds like you're asking a CA to solve a problem a CA can't solve. To draw an analogy, CAs are like the judiciary branch, and not the legislator.

It's not about allowing, it's about being able to keep the service up and running for everyone, and not putting the service at risk for what is essentially an important but still minor use-case.

That's a lot of effort for a non-profit relying on donations to keep the lights on. Also: What's your definition of abuse? If there are no rate limits and I develop an App that, for some reason or other, needs a certificate for every device it runs on, and that App is used by a couple of million users (remember: Let's Encrypt has issued ~2M certificates total in about 5 months), is that abuse or a legitimate use case? What's better - to have clearly defined rate limits, or an arbitrary limit based on what someone would consider abuse, and which could end up breaking things at random once it falls in that category? I'd rather have a predictable service level, thank you. :smile:

Those are not off the table, and there's a good chance they'll be implemented if the ACME WG includes a validation mechanism that's good enough for wildcard domains.

I’m not seeing how anything you wrote invalidates my point.

Because of the chain of validation in HTTPS each CA is effectively a little king/bureaucrat who gets to decide who gets on the internet and who doesn’t. If one king doesn’t let you in, your only option is to go ask another king. Letsencrypt is the most generous king. But that doesn’t change the fact you still need permission from one of these kings.

That wasn’t the case just 6 months ago because HTTPS wasn’t required. Now that it is these kings all just got a bunch more power.

I’m sympathetic to the fact that unlimited certs has issues. Somehow DNS servers that run the internet work even though they get millions of hits a day. Maybe in a similar way certs need to take the same kind of delegation down so that it’s not just a small number of CA/Kings that get to decide who gets to participate and who doesn’t. I don’t know enough about certs but if they can be chained to any level maybe LE needs to issue the kind people can make new certs from. Or maybe an entirely new system is needed, one without CAs.

I’m not trying to invalidate your point. I’m saying that Let’s Encrypt is a CA, and it has to play by the rules all CAs have to play by. They’re not the ones who set the rules, and they’re not the ones who decide(d) how TLS and the trust system works. If you want to change that system, you’ll have to convince browser and OS vendors (among others). In the meantime, with the current system, rate limits are a necessity, for the reasons previously stated.
