Duplicate Signature Key Selection Attack in Let's Encrypt

Fortunately, it was mitigated before Let&#x27;s Encrypt was publicly trusted.. <a href="http:&#x2F;&#x2F;www.ietf.org&#x2F;mail-archive&#x2F;web&#x2F;acme&#x2F;current&#x2F;msg00611.html" rel="nofollow">http:&#x2F;&#x2F;www.ietf.org&#x2F;mail-archive&#x2F;web&#x2F;acme&#x2F;current&#x2F;msg00611.h...</a>

To be clear, the challenge types in question where removed from Let&#x27;s Encrypt production config during the private beta period (when we had a strict whitelist of domains allowed to be issued for), had mitigations for them in while they were out, and we deleted the code for them entirely the other day (in <a href="https:&#x2F;&#x2F;github.com&#x2F;letsencrypt&#x2F;boulder&#x2F;pull&#x2F;1247" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;letsencrypt&#x2F;boulder&#x2F;pull&#x2F;1247</a> )

Wait, what good is a signature then if you can craft it? I may have misunderstood, would appreciate a dumbed down answer.