It would be great if identifier validation could be considered hierarchical. For instance, let’s say I have a multi-tenant application (one customer per subdomain) at foo.com.
I need to dynamically provision a new cert for each signed-up customer at custname.foo.com, which, if I have to generate an identifier and complete the challenge for each one, is fairly complex. However, if verifying my ownership of the apex domain allowed me to automatically verify subdomains, I would only need to do the challenge once and could make a single call to mint certs for each subsequent subdomain I need to provision.