@cjd ICANN can (and has) canceled TLDs and domains (on threat of canceling TLD) for political reasons. The shadowy "TLS cabal" selects CAs for inclusion in the "trusted" list for mainstream browsers. Any CA on the list can forge any cert whenever they want.
ICANN is ok for public websites - but if you want actual security, run your own TLD and CA. Like we did in the old days before ICANN.
We've been CLI (manual) signing certs, but I'm about to try this open source ACME server for private CAs/TLDs:
https://github.com/smallstep/certificates
x := SomeStruct {
// hehe missing field here, let's just make it nil
}
Led to so many blowups that it soured my opinion of the entire language. Not to mention most of my Go experience was working on terrible code...