by arkadiyt 2393 days ago
LetsEncrypt was vulnerable to this exact attack - it let people issue valid TLS certificates for domains they didn't control:

https://www.agwa.name/blog/post/duplicate_signature_key_sele...

1 comments

We discuss this exact attack (and blog post) in Section 5.1 of the paper :).

IIRC: it was missed by both an academic analysis of LE and a 3rd party audit of their crypto design. Thankfully Andrew spotted it a few weeks before they went live in major browsers!