I have a suggestion for the ACMEv2 endpoint.
And that is, when a domain is locked due to issuance policy due to Lets Encrypt’s own blacklist, I Think it should try to solve that using authorizations instead, and also augument this validation with the CAA records.
There are a few cases here on let’s encrypt, where a owner of a “high value” domain wants to secure additional domains and gets blocked by the policy and needs to do a “manual validation” with the LE personell.
A better idea is to perform these validations automatically instead.
Example (Yes, I know the example is very “stupid” but imagine a lesser known domain):
Lets say im the owner of paypal.com and wants to create a certificate of paypal.co.cc
When I create the authorization for paypal.co.cc, it could also in ACMEv2, request validation for paypal.com aswell. If that succeeds it could “bypass” the policy block.
This needs Another format of the blacklist:
Currently, its just X where X is an blacklisted Word.
The blacklist could be instead a key-value pair, where X is the blacklisted Word, and Y is a comma-separated list of owner domains that “owns” this Word. Validation must succeed for all “owner domains” that own a specific blacklisted Word for a issuance to complete.
If there is multiple blacklisted Words inside a domain name, validations must be done for all those additional names.
Of course, it should check the CAA for these “owner domains” too, and if CAA prohibits issuance, then it should hard-fail.
One example is this:
Here it could instead, in ACMEv2, of hard-failing, request authorization for walmart.com and if that authorization succeeds, then you are permitted to continue despite the policy block.