Mentioning challenge type in subject OU


#1

Has anyone among the LE staff ever thought about mentioning the challenge type in organizationalUnitName?

For me the main point is how much trust to put in it. During the private beta, I obtained my first LE cert for a domain that I don’t even own. The DVSNI challenge succeeded by having control over the server specified in the DNS A record.

It would be impossible to pass the DNS TXT challenge, so it can be considered a security enhancement, and I wonder why this wasn’t a priority before the public beta.
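As an added example that is not part of the original thread, the Python below computes what the ACME dns-01 challenge (RFC 8555, section 8.4) requires a requester to publish: a TXT record at _acme-challenge.<domain> whose value is the base64url SHA-256 of the key authorization, i.e. the challenge token, a dot, and the RFC 7638 thumbprint of the ACME account key. The account key and the zone contents are constructed placeholders (not a real key, not real DNS data), and the code models the current dns-01 form rather than whatever the private-beta DNS challenge looked like. The point it illustrates is the one made above: controlling the host behind the A record gives an attacker no way to put that record into the zone, so a CA-side check that only looks at DNS cannot be satisfied from the web server.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed placeholder account key in JWK form. The modulus is NOT a real
# RSA key; only the thumbprint computation matters for the challenge value.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(b"placeholder-modulus-not-a-real-key"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members of the key,
    serialised as JSON with lexicographically sorted keys and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token || '.' || base64url(Thumbprint(accountKey))"""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record_name(domain: str) -> str:
    """The owner name the CA queries: _acme-challenge prepended to the name being validated."""
    return f"_acme-challenge.{domain.rstrip('.')}."


def dns01_txt_value(token: str, jwk: dict) -> str:
    """The TXT rdata the zone operator must publish: base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def validate_dns01(zone: dict, domain: str, token: str, jwk: dict) -> bool:
    """CA-side check. `zone` stands in for an authoritative DNS answer: a mapping
    from owner name to the list of TXT strings found there. Nothing served by the
    host behind the A record is consulted, which is the whole point of dns-01."""
    expected = dns01_txt_value(token, jwk)
    records = zone.get(dns01_record_name(domain), [])
    return any(hmac.compare_digest(r, expected) for r in records)


def publish_challenge(zone: dict, domain: str, token: str, jwk: dict) -> dict:
    """What the legitimate zone operator does: add the TXT record to a copy of the zone."""
    updated = {name: list(values) for name, values in zone.items()}
    updated.setdefault(dns01_record_name(domain), []).append(dns01_txt_value(token, jwk))
    return updated


if __name__ == "__main__":
    # Constructed sample: a token as the CA would issue it, and an empty zone.
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    empty_zone = {"example.org.": ["A 192.0.2.10"]}

    # Attacker controls 192.0.2.10 but not the zone: no TXT record, validation fails.
    print("server-only control passes dns-01:", validate_dns01(empty_zone, "example.org", token, ACCOUNT_JWK))

    # Zone operator publishes the record: validation succeeds.
    zone = publish_challenge(empty_zone, "example.org", token, ACCOUNT_JWK)
    print("zone operator passes dns-01:", validate_dns01(zone, "example.org", token, ACCOUNT_JWK))
    print("record to publish:", dns01_record_name("example.org"), "TXT", dns01_txt_value(token, ACCOUNT_JWK))
```

The `zone` dictionary stands in for the CA's own recursive DNS lookup; in practice the CA resolves `_acme-challenge.<domain>` from multiple vantage points and also requires the account key that signed the challenge response to match the thumbprint baked into the record, so a record copied from someone else's authorization is useless.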


#2

I’m not sure if Baseline Requirements allow CAs to put anything in the OU field for domain-validated certificates.

For end users, this won’t really be relevant - no one’s going to check that field manually.

If someone delegated control over a domain to you, it should be expected that you’re able to acquire a certificate for that domain. This is in line with other CAs’ practices. Legal ownership of the domain isn’t a factor here, IMO.