Self-signed. Yes, an attacker would not ordinarily find this harder to pass than the http-01 challenge today. Validation using this approach was method 3.2.2.4.9 ("Test Certificate") and is no longer permitted for new issuance under current Baseline Requirements.

Let's Encrypt offers three ACME methods which implement 3.2.2.4.6 ("Agreed Upon Change to Website"), 3.2.2.4.7 ("DNS Change") and 3.2.2.4.10 ("TLS Using a Random Number").

> 3.2.2.4.9 > Baseline Requirements

Where can I find these details? Sorry if I'm being a bit dense here.

The CA/Browser Forum publishes the Baseline Requirements to their web site

https://cabforum.org/baseline-requirements-documents/

In recent years the BRs are using RFC 3647 structure. This RFC gives an outline for how to write policy documents for PKIX (X.509 Public Key Infrastructure for the Internet) and rather than wrestle with each organisation having its own preferred way to organise much the same information the trend is to require RFC 3647, so you know the stuff about names will be in section 3 for example

The RFC 3647 structure doesn't break down as far as 3.2.2.4 but 3.2.2 is where people explain how they're going to validate organisation names, and so in the Baseline Requirements 3.2.2.4 is where the "Ten Blessed Methods" are described, the authorised means by which public CAs can determine if the name you want a certificate for is really yours.

Thanks for sharing that, friend. Appreciated.

Indeed, the self-signed cert idea doesn't work in this context.