How do you confirm the person asking for the certificate actually owns the domain?

All arguments apply to any form of domain validation (e.g., by email confirmation). It is really hard from outside to distinguish ownership from pwnership.

They normally do it by email.
