I always saw it as a trust-chain and think that anyone is welcome to create a root certificate and distribute it to whomever trusts them. Most simple services may not need TLS, but with the ISPs eavesdropping on our communication, a form of secure communication is required and the currently best solution we have requires a trust-chain to be built.
The problem is that finding a root source of trust isn't easy these days. LE was neutral, now nobody is.
The Russian government issued their new root certificate years ago.
Nobody trusted it enough to request a certificate from them or install it on their computers. Including almost all of the Russian residents.
If Let's Encrypt enforces the rules, as written in the PDF, a lot of people would lose a choice.
Frankly, even publishing a statement like that would make the scales of trust tip for some.
We could, and should, switch to DANE. Or else, switch to how X.509 was supposed to be used, with each country running a CA for their nationals.
> I always saw it as a trust-chain and think that anyone is welcome to create a root certificate and distribute it to whomever trusts them.
Note that phones already try to prevent you from using a certificate that you provide yourself.
Do we also need to put all our letters into strongboxes before we send them?
Maybe we should have solved the ISP snooping problem by making that illegal instead.
It is such a great improvement that ISPs cannot eavesdrop on us anymore... only for everyone to terminate TLS at Cloudflare so they (and thus the US government) can now eavesdrop on everyone.