Stumbled on this Ars article this morning about Cloudflare’s upcoming free multipath check service for CAs. Curious what the community thinks about it.
On the one hand, I like the idea of hardening the domain validation process against another attack vector. But it will also add complexity on the CA side and a single (though large) point of failure unless additional large companies provide a similar service.
The article mentions wanting the CAB to eventually make multipath checking mandatory. I don’t really follow CAB discussions. Has there been any preliminary rumbling about it?