> It just turns out that delegating trust to root CAs, CAs, and browser/OS vendors (the latter via built-in certificate lists) makes it easy for the end user.

This flexibility is what allowed let’s encrypt to bootstrap, right?