This is fantastic news. I just wish x509/browsers/other clients could be fixed with proper support/implementation for scoping, so signing a CA cert limited to a single TLD wouldn't be a big deal.
That way, Letsencrypt could've just signed a CA cert that was authorised to sign certs for anything under example.com - but not for anything else - and we could bootstrap trust in internal/local CAs just as we now do with certificates.
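The scoping the comment wishes for is the X.509 Name Constraints extension; as an added illustration (not part of the original comment), the following implements the RFC 5280 section 4.2.1.10 dNSName permitted/excluded-subtree rule and runs a constructed leaf SAN list against a CA scoped to example.com. The CA scope, the excluded subtree and the SAN values are constructed for the example; only dNSName constraints are covered, not IP, e-mail or URI subtrees.

```python
# Added example: minimal implementation of the RFC 5280 dNSName rule behind
# X.509 Name Constraints. A constraint "example.com" permits that name and any
# name built by adding labels on the left; excluded subtrees override permitted.

def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive; a trailing dot is cosmetic.
    return name.lower().rstrip(".").split(".")

def dns_in_subtree(name: str, base: str) -> bool:
    """True if `name` equals `base` or is a subdomain of it. The comparison is
    label-aligned, so 'evilexample.com' is NOT inside 'example.com'."""
    n, b = _labels(name), _labels(base)
    return len(n) >= len(b) and n[len(n) - len(b):] == b

def dns_name_permitted(name: str, permitted: list[str], excluded: list[str]) -> bool:
    """Apply permittedSubtrees / excludedSubtrees to a single dNSName:
    - any match in excludedSubtrees rejects the name;
    - if permittedSubtrees is non-empty, the name must match one of them;
    - an empty permittedSubtrees list imposes no restriction."""
    if any(dns_in_subtree(name, ex) for ex in excluded):
        return False
    if permitted and not any(dns_in_subtree(name, p) for p in permitted):
        return False
    return True

def leaf_dnsnames_allowed(sans: list[str], permitted: list[str],
                          excluded: list[str]) -> dict[str, bool]:
    """Check every dNSName SAN of a hypothetical leaf against a constrained CA."""
    return {san: dns_name_permitted(san, permitted, excluded) for san in sans}

if __name__ == "__main__":
    # Constructed sample: an intermediate scoped to example.com, as the comment
    # describes, with one deliberately excluded internal subtree.
    PERMITTED = ["example.com"]
    EXCLUDED = ["secret.example.com"]
    leaf_sans = ["www.example.com", "EXAMPLE.COM.", "evilexample.com",
                 "example.net", "db.secret.example.com"]
    for san, ok in leaf_dnsnames_allowed(leaf_sans, PERMITTED, EXCLUDED).items():
        print(f"{san:28} {'permitted' if ok else 'REJECTED'}")
```

The label-aligned comparison is the part worth checking in any client: a suffix string match alone would let evilexample.com slip under a CA scoped to example.com.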