Hacker News
Why you must learn to love DNSSEC (circleid.com)
4 points by lvh on June 20, 2018 | 1 comment


FWIW: submission is not endorsement. I think there are tons of flaws in this argument.

For example, they mention TLSA would have prevented this. TLSA would not have prevented this. Not only did the attackers not succeed in acquiring a TLS certificate (every DV CA knows about partial BGP hijacks), no browsers actually implement TLSA or have indicated an interest in TLSA.

I don't know if the article refers to TLSA as "pinning" because they don't understand what TLSA is or because they're trying to obscure it, but "pinning" does not generally mean "replacing your issuance system and trust root wholesale with an obscure system controlled by whatever organization controls your TLD".



