Let’s Encrypt differs from other CAs with regard to issuing certificates for subdomains/hostnames without permission given by the domain owner (see https://github.com/letsencrypt/letsencrypt/issues/455 ). For example, if I am on dial-up with the “example” ISP, I can get a certificate for dialup123.example.com even though example.com is owned by my ISP and it hasn’t given me permission.
I think there needs to be a way for domain owners to prevent this. Perhaps it could be done in DNS using a TXT record?
For domains with such a TXT record there would have to be an additional check before a certificate is issued, for example one using the contact data given in WHOIS, or one against the domain name without any subdomain/hostname.
What do you think? I’m sure this issue has already been considered?
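As an added illustration of the opt-out check proposed in this post (example code written for this page, not Let’s Encrypt’s or any CA’s implementation): the domain owner publishes a TXT record at the parent name, and before issuing for any name below it the CA walks up the labels, finds the record, and reports which name the requester must additionally prove control of. The record format `cert-subdomains=deny|allow` and the zone contents are assumptions constructed for the example; real DNS is replaced by an in-memory table so it runs offline.

```python
"""Opt-out check for subdomain issuance via a parent-level TXT record.

Added example, not CA code. The record format and zone data below are
assumptions made for this illustration.
"""

# Hypothetical record format assumed for this example: a TXT string at the
# parent name whose value is "cert-subdomains=deny" or "cert-subdomains=allow".
OPT_OUT_PREFIX = "cert-subdomains="

# Constructed sample zone data (name -> list of TXT strings) standing in for DNS.
SAMPLE_TXT = {
    "example.com": ["v=spf1 -all", "cert-subdomains=deny"],   # ISP opts out
    "static.example.net": ["cert-subdomains=allow"],          # explicitly allows
}


def parent_names(hostname):
    """Yield the strict ancestors of hostname, closest first, stopping above the TLD.

    "a.b.example.com" -> "b.example.com", "example.com"
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(1, len(labels) - 1):
        yield ".".join(labels[i:])


def lookup_txt(name, zone):
    """Stand-in for a DNS TXT query against the constructed zone table."""
    return zone.get(name, [])


def issuance_policy(hostname, zone=SAMPLE_TXT):
    """Decide what the CA must do before issuing for hostname.

    Returns a (decision, authority) pair:
      ("requires-owner-check", name)  an ancestor published "deny"; the requester
                                      must also satisfy a check against that name
                                      (WHOIS contact or control of the name itself)
      ("allowed", name)               the closest record says "allow" and no
                                      ancestor above it says "deny"
      ("no-policy", None)             nobody published a record; normal validation
    A "deny" at any ancestor overrides an "allow" below it, because the point of
    the proposal is that the parent's owner controls issuance for everything
    beneath it. Requesting the parent name itself has no ancestors with a record
    and therefore falls back to normal validation of that name.
    """
    verdict = ("no-policy", None)
    for ancestor in parent_names(hostname):
        for txt in lookup_txt(ancestor, zone):
            if not txt.startswith(OPT_OUT_PREFIX):
                continue  # unrelated TXT data such as SPF
            value = txt[len(OPT_OUT_PREFIX):].strip().lower()
            if value == "deny":
                return ("requires-owner-check", ancestor)
            if value == "allow" and verdict[0] == "no-policy":
                verdict = ("allowed", ancestor)  # keep walking: a higher deny still wins
            # any other value is malformed and ignored
    return verdict


if __name__ == "__main__":
    for name in ("dialup123.example.com", "example.com",
                 "img.static.example.net", "www.example.org"):
        print(name, "->", issuance_policy(name))
```

The walk deliberately stops before the bare TLD so that nobody can publish a record at `com` that covers every domain beneath it; where the registrable boundary actually lies (for names under public suffixes such as `co.uk`) is a separate problem the example does not solve. The CAA record (RFC 8659), which CAs including Let’s Encrypt now consult before issuing, is located by the same walk up the parent labels.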