by masfuerte 296 days ago
Right, but if you want people to trust you, you need to be open about what people are trusting you with. Your original answer seemed obfuscatory.

Sorry, not trying to obfuscate anything, hopefully this clarifies: users trust us to hold their ACME account key and we only ask for DNS records prefixed with `_acme-challenge.` to be CNAME delegated.

With this we could issue or revoke a new certificate, but we couldn't impersonate them because we don't control the rest of their DNS.
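As an added illustration (not code from any commenter in this thread) of the delegation pattern this reply describes: a small Python audit that parses a zone file and checks that the only names pointing at a hosted ACME DNS provider are `_acme-challenge.` CNAMEs, so an operator can verify that nothing broader than the challenge labels has been handed over. The zone contents and the provider name `acme-dns.example.net` are constructed placeholders, not values from the thread.

```python
"""Audit a DNS zone for DNS-01 delegation scope.

Expected: CNAME records whose owner starts with the `_acme-challenge`
label and whose target lives under the provider's suffix.
Unexpected: any other CNAME or NS record pointing at the provider,
since that would delegate more than certificate validation.
"""

ACME_LABEL = "_acme-challenge"

# Constructed sample zone (placeholder names, not real infrastructure).
SAMPLE_ZONE = """
$ORIGIN example.com.
@                    3600 IN SOA   ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 300
@                    3600 IN NS    ns1.example.com.
@                    3600 IN A     192.0.2.10
www                  3600 IN CNAME example.com.
_acme-challenge       300 IN CNAME abc123.acme-dns.example.net.
_acme-challenge.www   300 IN CNAME def456.acme-dns.example.net.
mail                  300 IN CNAME mail.acme-dns.example.net.  ; over-broad: not a challenge label
"""


def fqdn(name, origin):
    """Expand a zone-file owner name to a lowercase fully qualified name without trailing dot."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".")
    return f"{name}.{origin}"


def parse_zone(text, origin):
    """Parse 'owner TTL IN TYPE RDATA' lines into (owner, type, rdata) tuples.

    Comments (';') and $-directives are skipped; lines without an IN class are ignored.
    """
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        parts = line.split()
        try:
            i = parts.index("IN")
        except ValueError:
            continue
        owner = fqdn(parts[0], origin)
        rtype = parts[i + 1].upper()
        rdata = " ".join(parts[i + 2:])
        records.append((owner, rtype, rdata))
    return records


def audit_delegations(records, provider_suffix):
    """Split provider-pointing CNAME/NS records into expected and unexpected delegations."""
    provider_suffix = provider_suffix.lower().rstrip(".")
    expected, unexpected = [], []
    for owner, rtype, rdata in records:
        if rtype not in ("CNAME", "NS"):
            continue
        target = rdata.lower().rstrip(".")
        if not (target == provider_suffix or target.endswith("." + provider_suffix)):
            continue  # points somewhere other than the provider
        first_label = owner.split(".")[0]
        if rtype == "CNAME" and first_label == ACME_LABEL:
            expected.append(owner)
        else:
            # An NS delegation or a non-challenge CNAME hands over more than DNS-01 needs.
            unexpected.append((owner, rtype, target))
    return {"expected": expected, "unexpected": unexpected}


def run_sample():
    """Audit the constructed zone against the placeholder provider suffix."""
    records = parse_zone(SAMPLE_ZONE, "example.com")
    return audit_delegations(records, "acme-dns.example.net")


if __name__ == "__main__":
    result = run_sample()
    for owner in result["expected"]:
        print(f"ok        {owner}")
    for owner, rtype, target in result["unexpected"]:
        print(f"UNEXPECTED {owner} {rtype} -> {target}")
```

In the sample, the two `_acme-challenge` CNAMEs are reported as expected, while the `mail` CNAME to the provider is flagged: it is exactly the kind of record that would let the provider answer for a name beyond the validation label, which is what the reply above says the delegation deliberately avoids.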

> we couldn't impersonate them because we don't control the rest of their DNS.

If that were true, nobody would need signed certificates in the first place.