| LE "created" this issue in the sense that they were the first to formalize an implementable specification for automated verification of authorized domain name use. In comparison to the prior relatively unspecified approach to verification, it's still an improvement. "The last person who touched needs to take ownership over anything anyone can blame on the change" is the management style which leads to enterprise IT being unable to get anything done. Because at that point, the safest thing is to never change anything - regardless of how bad things currently are. Sometimes the world changes, and other parts of the technology ecosystem need to adapt. [Editing to add since I can't reply to you]:
The fundamental "flaw" here is that it's possible for people to get self-signed certificates served for domains where they haven't validated ownership of the domain. Hosting companies can't be simply adjusting their routing tables for anyone who asks. If you are pointing a domain name at an IP address which will accept routes from any untrusted party, that's simply not a secure situation. A signed certificate might be good evidence of some authority for a domain, but a self-signed certificate used in a challenge process most assuredly is not. |