Mechanism for requesting revocation of mis-used certificates?

I have a question regarding the revocation of certificates that are being misused. Let's Encrypt announced their policy about filtering certificate requests. Unlike other CAs, who have aggressive policies, Let's Encrypt will only be checking requests against flagged sites on Google's Safe Browsing list.

However, CAs have a responsibility (see below, it's a CA/B Forum requirement) to not only filter incoming requests, but to revoke certificates they have issued which are being misused. They must then log this information and use it to prevent those same sites from reapplying in the future.

In the case that someone comes across a domain using a LE cert, which is conducting phishing, malware distribution, or other illegal activity, what is the proper avenue for reporting that? Some CAs have dedicated email addresses like "sslabuse@caname.com" to report such instances. Let's Encrypt has a "security@letsencrypt.org" email listed on their contact page. Is this one of the intended uses of this email?


There are a few sections of the CA/B Forum Baseline Requirements which establish the required behavior here. (Link to BRs: https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1_3_1.pdf)

-Section 9.6.3 addresses the fact that the CA MUST include stipulations allowing them to revoke certificates that are being misused. Let's Encrypt's CA Policy does contain these needed stipulations.

-Section 4.1.1 and 5.2.2: "In accordance with Section 5.5.2, the CA SHALL maintain an internal database of all previously revoked Certificates and previously rejected certificate requests due to suspected phishing or other fraudulent usage or concerns. The CA SHALL use this information to identify subsequent suspicious certificate requests."

-Section 4.2.1: Requirement to take extra care with "high risk" requests. "High Risk Certificate Request" is defined as: "A Request that the CA flags for additional scrutiny by reference to internal criteria and databases maintained by the CA, which may include names at higher risk for phishing or other fraudulent usage, names contained in previously rejected certificate requests or revoked Certificates, names listed on the Miller Smiles phishing list or the Google Safe Browsing list, or names that the CA identifies using its own risk-mitigation criteria."

-Section 4.9.1.1 requires a CA revoke a certificate "within 24 hours" if it is misused

2 Likes

Bump. Perhaps this is in the wrong category. Can someone from Let's Encrypt comment on this? @jcjones or @schoen? From the sections I have quoted in the BRs I believe this is a required practice, though perhaps others have a different interpretation?

As listed on Policy and Legal Repository - Let's Encrypt:

Certificate Problem Reports
To report private key compromise, certificate misuse, or other types of fraud, compromise, misuse, inappropriate conduct, or any other matter related to certificates, please email cert-prob-reports@letsencrypt.org.

You're correct, the Security@ address is intended for disclosures of problems with ACME, the Boulder CA software, or other aspects of the operation of the CA.

2 Likes