Glad to see DNS validation from multiple perspectives, that's a scary attack vector.<p>I wonder if we can ever hope for CA/B to permit name constrained, short lifespan, automatically issued intermediate CAs, authenticated with something like a DNS-01 challenge. I've advocated for this before [1][2], but here's my pitch again:<p>I want to issue certificates from my own ICA for my homelab and office, to avoid ratelimits and hide hostnames for private services. I submit that issuing a 90-day ICA certificate with a name constraint that only allows it to issue certificates for the specific domain <i>is no more dangerous than issuing a wildcard certificate</i>, and offers enough utility that it should be considered seriously.<p>Objection 1: "Just use a wildcard cert." Wildcard certs are <i>not</i> sufficient here because they don't support nested wildcards, and — more importantly — they don't allow you to isolate hosts since any host can serve all subdomains. I'd rather not give some rando vibecoded nodejs app the same certificate that I use to handle auth.<p>Objection 2: "Just install a self-signed CA on all your devices." Installing and managing self-signed CAs on every device is tedious, error prone, and arguably more dangerous than issuing a 90-day name-constrained ICA.<p>Objection 3: "Aren't name constraints not supported by all clients?" On the contrary, they've had wide support for almost a <i>decade</i>, and for those just set the critical bit.<p>I understand this is not a "just ship it lmao" kind of change, but if we want this by 2030 planning for it needs to start happening <i>now</i>.<p>[1]: <a href="https://news.ycombinator.com/item?id=37537689">https://news.ycombinator.com/item?id=37537689</a><p>[2]: <a href="https://news.ycombinator.com/item?id=29808233">https://news.ycombinator.com/item?id=29808233</a>