by rixthefox 750 days ago
Why blame LetsEncrypt? Instead blame the operators who are refusing to address basic network security.

I run a network, we do the whole shebang of RPKI, DNSSEC, and CAA. It sounds a whole lot like operators who refuse to address clear security issues. LetsEncrypt is not to blame when someone spoofs your address space.

LetsEncrypt is not an LIR/RIR; their business is not IP resources but SSL certificates. They are a CA. They have no tools available to them to address that problem.

1 comment

Because Let's Encrypt is the CA that hands out certificates without actually verifying identity.
If you set the CAA correctly, then letsencrypt will limit validation to the DNS method. Together with DNSSEC that is enough to prevent issuing certificates in case of a route hijack.
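The reply above leans on two mechanisms: CAA (RFC 8659) tells a CA which issuers may issue for a name, and the `validationmethods` parameter (RFC 8657, which Let's Encrypt honours) pins issuance to a specific ACME challenge type, so a hijack of the web server's prefix cannot pass `http-01` when only `dns-01` is permitted. The following is an added example, not code from either commenter or from Let's Encrypt: it evaluates an issuance request against constructed CAA data the way a CA does at validation time, including the RFC 8659 tree climb from the requested name toward the root, the `issuewild` rule for wildcard names, the issuer-critical flag on unknown tags, and the `validationmethods` parameter check. The zone contents, the names `example.com`, `legacy.example.com` and the `futuretag` property are all constructed for the demonstration.

```python
"""Evaluate CAA records for a certificate-issuance request (RFC 8659 + RFC 8657).

Added example, not Let's Encrypt's implementation. DNS lookups are replaced by
the constructed ZONE dictionary below so the whole thing runs offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (0x80) is the "issuer critical" flag
    tag: str     # property tag: "issue", "issuewild", "iodef", ...
    value: str   # property value, e.g. 'letsencrypt.org; validationmethods=dns-01'

# Property tags this evaluator understands. A critical record with any other tag
# must block issuance (RFC 8659, section 4.1).
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data (hypothetical, not a real DNS zone): owner name -> CAA RRset.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com.": [
        # Only Let's Encrypt, and only via the DNS challenge.
        CAARecord(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
        # ';' alone: no CA may issue wildcard certificates for this name.
        CAARecord(0, "issuewild", ";"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.com.": [
        # Critical flag set on a tag the CA does not understand -> refuse.
        CAARecord(0x80, "futuretag", "whatever"),
    ],
}

def relevant_caa(zone: Dict[str, List[CAARecord]], name: str) -> Tuple[Optional[str], List[CAARecord]]:
    """Walk from `name` toward the root; the first non-empty CAA RRset is the relevant one."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rrset = zone.get(candidate)
        if rrset:
            return candidate, rrset
    return None, []

def parse_issue_value(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'ca.example; k=v; k2=v2' into (issuer domain, parameters). ';' alone yields ''."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if not p:
            continue
        key, _, val = p.partition("=")
        params[key.strip().lower()] = val.strip()
    return issuer, params

def issuance_allowed(zone: Dict[str, List[CAARecord]], name: str,
                     ca_domain: str, method: str) -> Tuple[bool, str]:
    """Decide whether `ca_domain` may issue for `name` using ACME challenge `method`."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    owner, rrset = relevant_caa(zone, base)
    if not rrset:
        return True, "no CAA records in the tree: any CA may issue"
    for r in rrset:
        if r.flags & 0x80 and r.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown property {r.tag!r} at {owner}"
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # issuewild governs wildcard requests when present; otherwise issue applies to both.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True, f"no governing issue records at {owner}: any CA may issue"
    for r in governing:
        issuer, params = parse_issue_value(r.value)
        if issuer != ca_domain.lower():
            continue
        allowed_methods = params.get("validationmethods")
        if allowed_methods and method not in [m.strip() for m in allowed_methods.split(",")]:
            continue   # right CA, wrong challenge type (RFC 8657)
        return True, f"permitted by {owner} {r.tag} {r.value!r}"
    return False, f"no matching {governing[0].tag} record for {ca_domain} at {owner}"

if __name__ == "__main__":
    for req in [("example.com.", "letsencrypt.org", "dns-01"),
                ("example.com.", "letsencrypt.org", "http-01"),
                ("www.example.com.", "letsencrypt.org", "dns-01"),
                ("*.example.com.", "letsencrypt.org", "dns-01"),
                ("legacy.example.com.", "letsencrypt.org", "dns-01"),
                ("example.net.", "letsencrypt.org", "http-01")]:
        print(req, "->", issuance_allowed(ZONE, *req))
```

The `http-01` request for `example.com` is the case the reply is about: even a CA that honours CAA will refuse it, so an attacker who hijacks the route to the web server gains nothing. Two caveats follow from the code itself. The decision depends entirely on what the CA receives when it queries CAA, so without DNSSEC an attacker who can hijack the route to the authoritative nameservers can answer that query too, which is why the reply pairs the two. And `example.net` with no CAA anywhere in its tree is open to any CA by design; restriction only exists where a record is published.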