The Let's Encrypt Subscriber Agreement says in § 3.3.1:
You warrant to ISRG and the public-at-large that You are the legitimate registrant of the Internet domain name that is, or is going to be, the subject of Your Certificate, or that You are the duly authorized agent of such registrant.
What does it legally mean to be the duly authorized agent of a registrant in this context?
Is it enough that the subscriber is given by a registrant sufficient control over the subdomain to successfully complete an ACME challenge (as opposed to gaining such control against the registrant's will), or does it require something more?
In the latter case it would seem to imply that Let's Encrypt certificates couldn't be used with a variety of dynamic DNS services or similar, but I see many people using domains from Afraid's FreeDNS, so I suppose it must be the former. Can someone confirm that?
This does feel like something that could usefully be clarified, especially because people might have intuitions about what an agency relationship involves that they might not be sure are relevant to the contexts where they use Let’s Encrypt.
Please don’t consider this an authoritative interpretation or a substitute for the existing text (I was not involved in drafting this part and don’t have authority to interpret it on behalf of ISRG): I think the intention is something like “the legitimate registrant […] intended to permit You to use the relevant domain name or subdomain for purposes which would include obtaining a publicly-trusted certificate for it”. This is usually true, for example, if you’re a system administrator or webmaster of a site using a name delegated to you by the domain registrant. Situations in which this is not true include if you’re maliciously trying to get a fraudulent certificate, or if you know that the legitimate domain name registrant does not or would not want you to have the certificate you’re requesting.
(In general, also not claiming to interpret this on behalf of ISRG, I think a relevant situation where you couldn’t properly warrant this is if you suspect that you could pass domain validation or other authorization procedures for the requested certificate as a technical matter, yet you believe that the domain registrant doesn’t want you to. For example: because you’ve been fired from a job, or because the registrant is in the middle of switching from one infrastructure provider to another, or because your ability to pass the DV checks is a result of someone else’s typo or software bug, or because the underlying domain registration has been transferred but your ACME account still has valid DV authorizations for the time being, or something.)