In light of the recent jabber.ru compromise, it became clear how weak our TLS ecosystem really is.
One proposed fix is to only allow certificate renewal via ACME using the dns-01 method, but since it (typically) relies on full access to the DNS zones, many people are reluctant to use it (do you really want to give full control over your DNS to your webserver?)
The proposed fix is to be able to issue restricted API keys that only have write access to some records in the zone (e.g. only some records/trees, only TXT records, or even TXT records with specific content).
So, I would like for the DeSEC staff to actually consider adding support for such a feature.