Re: What can go wrong?
Well, domain certificates have never verified identity well -- the CAs are not qualified to make legal trademark decisions, for example. (Who is to say that Banko Famerica is not a perfectly common name in Whateverland?)
And as to control of the domain: I've not looked at the protocol yet, but I'm assuming you need to have DNS records in place and pointing to the IP the client is running on for every domain name you want in the certificate at the very least. (People with load balancers are big enough to pay, I'd guess.)
Still, the possible implications for shared hosting and dynamic dns are interesting. Time to pin your certs, I guess.
Biting the hand that feeds IT
