[kortilla]

> Uh what is a mitm cert? You're the custodian of the private key associated with the certificate, not LetsEncrypt.

Don’t be obtuse. Letsencrypt and every other trusted CA has the ability to issue new certs for any domain at any time without you knowing.

There is absolutely no requirement to submit these to Certificate Transparency. That’s a thing some browsers do, but not most mail clients.

If you don’t trust the root CAs at all and only trust your self signed cert or only trust another signing cert you control, then a mitm isn’t possible without getting your private signing cert keys.

[nucleardog]

Not that it removes you entirely from the PKI ecosystem as you seem to desire, but in case you’re not aware since 2017 CAs are required to check and honour the CAA DNS records you set. These specify which CAs are allowed to issue certificates for your domain.

If any CA issues a certificate anyway, they’re in violation of requirement 3.2.2.8. Don’t know what you’re up to, but I have to imagine it would have to be pretty interesting to someone for one of those companies to face down an existential threat and misissue a certificate for your domain.

[commandersaki]

> Don’t be obtuse. Letsencrypt and every other trusted CA has the ability to issue new certs for any domain at any time without you knowing.

You shouldn't use words you don't understand. I already pointed this out.

> There is absolutely no requirement to submit these to Certificate Transparency. That’s a thing some browsers do, but not most mail clients.

If you want to be in Chrome bundle or Safari/Mac bundle you need to submit to at least one approved CT log. If you're found misbehaving or issuing non compliant certificates, expect ire from CA/B and potential ejection from certificate trust stores. This has happened quite a number of times, and CAs in the WebPKI trust are highly unlikely to issue a MITM certificate.