Normally, WebPKI certificates lack a secure issuance process and an attacker able to MITM unauthenticated HTTP(S) can obtain one.
GrapheneOS uses the CAA accounturi feature to securely pin our Let's Encrypt account keys for each of our servers for secure certificate issuance.
#grapheneos #privacy #security #webpki #letsencrypt #accounturi
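To make the accounturi pinning described above concrete, here is an added example (not GrapheneOS's own code or configuration) that audits a CAA record set for unpinned issuance and models the RFC 8657 account check a CA performs. The record sets, the account IDs and the function names are constructed for illustration, and the model ignores CAA tree climbing and the validationmethods parameter.

```python
# Added example: audit CAA records for RFC 8657 accounturi pinning.
# Records and account IDs below are constructed placeholders, not real values.

def parse_issue_value(value):
    """Split a CAA issue/issuewild value into (ca_domain, {param: value})."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if not p:
            continue
        key, sep, val = p.partition("=")
        if not sep:
            raise ValueError(f"malformed CAA parameter: {p!r}")
        params[key.strip().lower()] = val.strip()
    return parts[0].lower(), params

def unpinned_records(records):
    """Return issue/issuewild records that let any account at the CA issue."""
    findings = []
    for _flags, tag, value in records:
        if tag.lower() not in ("issue", "issuewild"):
            continue
        ca, params = parse_issue_value(value)
        # An empty CA domain (value ";") forbids issuance, so it is not a finding.
        if ca and "accounturi" not in params:
            findings.append((tag, value))
    return findings

def account_may_issue(records, ca_domain, account_uri, wildcard=False):
    """Simplified CA-side check: may this ACME account issue under these records?"""
    issue = [v for _, t, v in records if t.lower() == "issue"]
    wild = [v for _, t, v in records if t.lower() == "issuewild"]
    relevant = wild if (wildcard and wild) else issue
    if not relevant:
        return True  # no CAA restriction in this record set
    for value in relevant:
        ca, params = parse_issue_value(value)
        if ca != ca_domain:
            continue
        pinned = params.get("accounturi")
        if pinned is None or pinned == account_uri:
            return True
    return False

# Constructed sample data: (flags, tag, value) tuples as they appear in DNS.
ACCT = "https://acme-v02.api.letsencrypt.org/acme/acct/000000000"   # placeholder
OTHER = "https://acme-v02.api.letsencrypt.org/acme/acct/999999999"  # placeholder
WEAK = [(0, "issue", "letsencrypt.org")]
PINNED = [(0, "issue", f"letsencrypt.org; accounturi={ACCT}")]
```

With the WEAK set, any Let's Encrypt account that passes domain validation is authorized; with the PINNED set, only the holder of the named account's key is.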