Com--com.com domain and potential phishing

I came across https://crt.sh/?q=com--com.com today, which shows this domain is generating certificates for websites such as

and many more suspicious-looking websites, often bundled together in a single certificate.

Neither the Google nor the Twitter lookalike domains are serving (no A or AAAA record).

I understand there have been several discussions on the revocation topic, especially around the role of a CA in this, but the Subscriber Agreement (Version 1.5 from 24 February 2025) states

You also acknowledge and accept that ISRG may, without advance notice, immediately revoke Your Certificate if ISRG determines, in its sole discretion, that: [...] (vi) Your Certificate is being used, or has been used, to enable any criminal activity (such as phishing attacks, fraud or the distribution of malware);

Is this one of the cases in which ISRG would take action?

4 Likes

First, thanks for having submitted this by citing prior discussions on the subject.

IMHO you actually make an important point here, and I think this actually does violate the LetsEncrypt blocklist strategy which seeks to protect issuance against lookalikes for high-risk domains (which I think are financial and internet infrastructure). I will surface this on the community moderator channel.

3 Likes

The high risk domains policy protects against issuance for high risk domains themselves (i.e. if that domain's infrastructure is compromised), not for lookalikes.

Our stance on phishing domains is clear: handling those is the responsibility of the browser and the registrar. People investigating such domains for security or journalistic purposes deserve to have their traffic encrypted just like on any other site.

6 Likes

Even someone falling for a scam website deserves to have their information protected so that it only goes to that one scammer and not everyone else on the network path.

5 Likes