Choosing which challenges are allowed for a domain


For example if one suspects MitM may happen extremely close to a server and no matter how many attempts are made from different IPs to verify the domain it will not be able to bypass the attacker, they may want to disable http and tls-sni challenges.

#2 and ACME-CAA "validationmethods" support

Yet to be enabled in production, but certainly on its way once the CAA draft stabilizes.