On the ACME mailing list last year, someone brought up “How does ACME handle domain reuse?” It was suggested that lowering friction for domain reuse would inherently also “enable attackers,” so you just have to wait for the old certificate to expire.
But when verifying someone owns a domain, should Boulder not at the very least get an upper ceiling on how long someone might maintain control of the domain? If the Registry Expiry Date is less than 90 days in the future, it should probably limit the certificate’s validity period (and that of all subdomain certs), so that it’s easier for whoever snatches up the domain next to get a new cert issued without hassle. (And possibly warn the site owner.)
At most you might need to confirm currentExpiryDate is not-sooner-than previouslySeenExpiryDate to be sure it wasn’t tampered with.
I mean, if the future of the web is encrypting everything, even shitty DNS parked advertising farms will need to be able to get certificates with minimal delay.
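A sketch of the check proposed in the post above, added as an example; it is not the poster's code and not Boulder's. The function names, the RFC 3339 timestamp format, and the WHOIS text are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
	"time"
)

const maxValidity = 90 * 24 * time.Hour // the 90-day threshold from the post

// registryExpiry pulls the "Registry Expiry Date" field out of WHOIS text.
func registryExpiry(whois string) (time.Time, error) {
	sc := bufio.NewScanner(strings.NewReader(whois))
	for sc.Scan() {
		k, v, ok := strings.Cut(strings.TrimSpace(sc.Text()), ":")
		if ok && strings.EqualFold(strings.TrimSpace(k), "Registry Expiry Date") {
			return time.Parse(time.RFC3339, strings.TrimSpace(v))
		}
	}
	return time.Time{}, errors.New("no Registry Expiry Date field")
}

// cappedNotAfter returns now+90d, shortened to the registry expiry when that
// comes first. previouslySeen is zero when the domain has no earlier record.
func cappedNotAfter(now, previouslySeen, current time.Time) (time.Time, error) {
	if !previouslySeen.IsZero() && current.Before(previouslySeen) {
		return time.Time{}, errors.New("expiry earlier than previously seen")
	}
	if !current.After(now) {
		return time.Time{}, errors.New("registration already expired")
	}
	notAfter := now.Add(maxValidity)
	if current.Before(notAfter) {
		notAfter = current
	}
	return notAfter, nil
}

// sampleWhois is a constructed response, not real registry data.
const sampleWhois = "Domain Name: EXAMPLE.TEST\n" +
	"   Registry Expiry Date: 2030-03-01T00:00:00Z\n"

func main() {
	now := time.Date(2030, 1, 15, 0, 0, 0, 0, time.UTC)
	exp, _ := registryExpiry(sampleWhois)
	fmt.Println(cappedNotAfter(now, time.Time{}, exp))
}
```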