I actually started this for DNS because that was the topic there, but I thought about this in a broader way.
My idea is that a subdomain should NOT require a re-challenge if you are already authorised for something above it (that doesn't match the PSL).
Especially because LE keeps you authorised for 10 months after passing a challenge, this can be really helpful, especially when handling a large SAN cert which contains a lot of subdomains.
First it looks for an authorisation for foo.bar.test.abc.zm (direct check).
If there is no match, go up one level in the domain; if that level was already authorised, mark the name as completed.
Then we have bar.test.abc.zm.
Same procedure.
Now we have test.abc.zm,
and now we have a stop, because abc.zm (the next step) matches *.zm on the PSL without any exceptions.
So in that case, if you had any of the upper levels already approved, you don't need a lower-level challenge.
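The walk-up described in this post, written out as an added example in Go (this is not code from the post or from Let's Encrypt's CA software). The mini public suffix list, the set of already-authorised names and the hostnames are all constructed for the example; the set stands in for whatever store of currently valid authorisations the CA keeps. It applies the PSL matching rules (wildcard, exception, longest rule wins) and stops at the registrable domain, so an authorisation that sits on a public suffix such as abc.zm is never inherited:

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed mini public suffix list for this example (not the real PSL).
// Rule syntax follows the PSL: "*" matches exactly one label, "!" marks an
// exception that overrides a wildcard rule.
var psl = []string{
	"zm",
	"*.zm",
	"!www.zm",
	"edu",
}

// labels splits a lower-cased, trailing-dot-stripped name into its labels.
func labels(name string) []string {
	return strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".")
}

// ruleMatches reports whether a PSL rule matches the tail of the domain.
func ruleMatches(rule, dom []string) bool {
	if len(rule) > len(dom) {
		return false
	}
	for i := 1; i <= len(rule); i++ {
		if r := rule[len(rule)-i]; r != "*" && r != dom[len(dom)-i] {
			return false
		}
	}
	return true
}

// publicSuffixLen returns the number of labels in the public suffix of name:
// an exception rule wins outright (its suffix is the rule minus its first
// label), otherwise the longest matching rule, and if nothing matches the
// TLD alone is the public suffix.
func publicSuffixLen(name string) int {
	dom := labels(name)
	best := 1
	for _, r := range psl {
		rl := labels(strings.TrimPrefix(r, "!"))
		if !ruleMatches(rl, dom) {
			continue
		}
		if strings.HasPrefix(r, "!") {
			return len(rl) - 1
		}
		if len(rl) > best {
			best = len(rl)
		}
	}
	return best
}

// registrableDomain is the public suffix plus one label, or "" when name is
// itself a public suffix (for which no authorisation may ever be inherited).
func registrableDomain(name string) string {
	dom := labels(name)
	n := publicSuffixLen(name)
	if len(dom) <= n {
		return ""
	}
	return strings.Join(dom[len(dom)-n-1:], ".")
}

// findInherited walks from name upward one label at a time and returns the
// first name (name itself or an ancestor) that has a valid authorisation.
// It stops at the registrable domain: the next step up would be a public
// suffix, and an authorisation there would cover other registrants.
func findInherited(name string, authorized map[string]bool) string {
	reg := registrableDomain(name)
	if reg == "" {
		return ""
	}
	dom := labels(name)
	for i := range dom {
		cand := strings.Join(dom[i:], ".")
		if authorized[cand] {
			return cand
		}
		if cand == reg {
			break
		}
	}
	return ""
}

func main() {
	// Constructed set of names whose challenge already passed.
	authorized := map[string]bool{"test.abc.zm": true, "example.edu": true, "www.zm": true}
	for _, n := range []string{"foo.bar.test.abc.zm", "dept.example.edu", "a.www.zm", "other.xyz.zm", "abc.zm"} {
		fmt.Printf("%-22s inherits from %q\n", n, findInherited(n, authorized))
	}
}
```

The `!www.zm` rule is there to show why exceptions matter: with only `*.zm`, www.zm would itself be a public suffix and the walk from a.www.zm would stop before reaching it.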
I think this might make sense for DNS, but maybe not for other challenge types. Consider the webmaster of a university web site; the webmaster may not be allowed to edit DNS records at all, and is perhaps only responsible for the main site (example.edu) and not for the departmental and administrative delegations under that.
No other provider gives you a subdomain certificate unless you own the root domain. Doing it the opposite way in the name of automation is nothing but a nuisance to power users. There’s no reason both can’t be supported - subdomain-only validation through HTTP, or wildcard validation through root domain DNS.
If someone owns the root DNS, they can point the subdomains to any HTTP server and delete any delegation if present.
More importantly, with DNS you could already silently do this without interfering with the operation of the site on the subdomain (unlike with HTTP validation, where the original site would most likely not be reachable if you changed DNS to point to your own system to serve the validation data).
Also, it would be nice if you could just publish your account public key in DNS, so you don't even need to be asked to put a challenge somewhere to authorise your domain; you would just need to sign things with the key listed in DNS.
This would also allow easier rollouts and probably less data, because you don't need to say "push this challenge here" - "okay I did it" - "okay I verify it" *verification* -> "okay verified"
but just "sign me this" - "okay here's the signature" - *check against keys listed in DNS* -> "okay"
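The "sign me this" exchange sketched above, as an added example in Go with both sides' steps (not code from the post, and not an ACME feature). The `_acme-account.<domain>` owner name, the `v=acmekey1; k=` TXT format and the context string inside the signed message are assumptions made for the example, as is the in-memory map that stands in for a DNS lookup. The CA issues a fresh nonce, the account holder signs the domain plus nonce with the Ed25519 key whose public half is published in the zone, and the CA accepts only if the signature verifies under a key published for exactly that name:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Zone is a constructed stand-in for DNS lookups: owner name -> TXT records.
type Zone map[string][]string

// The owner-name prefix and record format are assumptions made for this
// example; ACME defines no such record.
const (
	ownerPrefix = "_acme-account."
	recordTag   = "v=acmekey1; k="
)

// publishKey renders the TXT value an account holder would put in their zone.
func publishKey(pub ed25519.PublicKey) string {
	return recordTag + base64.StdEncoding.EncodeToString(pub)
}

// accountKeys collects every well-formed Ed25519 key published for domain,
// skipping records that are malformed or the wrong size.
func accountKeys(zone Zone, domain string) []ed25519.PublicKey {
	var keys []ed25519.PublicKey
	for _, txt := range zone[ownerPrefix+strings.ToLower(domain)] {
		if !strings.HasPrefix(txt, recordTag) {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(txt, recordTag))
		if err != nil || len(raw) != ed25519.PublicKeySize {
			continue
		}
		keys = append(keys, ed25519.PublicKey(raw))
	}
	return keys
}

// newNonce is the CA's "sign me this": fresh random bytes the CA remembers
// for this one request, so a captured signature cannot be replayed later.
func newNonce() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// signingInput binds the signature to a fixed context string, the domain
// and the nonce, so a signature made for one name is useless for another.
func signingInput(domain string, nonce []byte) []byte {
	return append([]byte("acme-dns-key-auth\x00"+strings.ToLower(domain)+"\x00"), nonce...)
}

// clientSign is the account holder's "okay, here's the signature".
func clientSign(priv ed25519.PrivateKey, domain string, nonce []byte) []byte {
	return ed25519.Sign(priv, signingInput(domain, nonce))
}

// verifyAgainstDNS is the CA's "check against keys listed in DNS": accept
// only if the signature verifies under a key published for this domain.
func verifyAgainstDNS(zone Zone, domain string, nonce, sig []byte) bool {
	msg := signingInput(domain, nonce)
	for _, k := range accountKeys(zone, domain) {
		if ed25519.Verify(k, msg, sig) {
			return true
		}
	}
	return false
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	zone := Zone{ownerPrefix + "example.test": {publishKey(pub)}}
	nonce, _ := newNonce()
	sig := clientSign(priv, "example.test", nonce)
	fmt.Println("example.test verified:", verifyAgainstDNS(zone, "example.test", nonce, sig))
	fmt.Println("other.test verified:  ", verifyAgainstDNS(zone, "other.test", nonce, sig))
}
```

The nonce and the domain both go into the signed message on purpose: without the nonce a signature could be replayed after the key was removed from the zone, and without the domain a signature obtained for one name could be presented for another. In a real deployment the CA would also have to decide how much to trust the TXT answer itself, which is the same question DNS-based validation already faces.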