[pfg]

It's certainly easier for automation. I think the security implications are mostly the same - you're vulnerable to DNS spoofing and BGP hijacking either way. With email validation, a misconfigured or breached email server is enough to get a certificate, while with http validation, it's your web server or web app that could be vulnerable.

[brohee]

And a vulnerability in your website permitting an attacker to create a file opens the possibility for an attacker to get a certificate for your site too, and without certificate transparency you'll possibly never even know it even happened...