I have a question regarding the revocation of certificates that are being misused. Let’s Encrypt announced their policy about filtering certificate requests. Unlike other CAs, who have aggressive policies, Let’s encrypt will only be checking requests against flagged sites on Google’s Safe Browsing list.
However, CAs have a responsibility (see below, its CA/B Forum requirement) to not only filter incoming requests, but to revoke certificates they have issued which are being misused. They must then log this information and use it to prevent those same sites from reapplying in the future.
In the case that someone comes across a domain using a LE cert, which is conducting phishing, malware distribution, or other illegal activity, what is the proper avenue for reporting that? Some CAs have dedicated email addresses like "firstname.lastname@example.org" to report such instances. Let’s Encrypt has a "email@example.com" email listed on their contact page. Is this one of the intended uses of this email?
There are a few sections of the CA/B Forum Baseline Requirements which establish the required behavior here. (Link to BRs: https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1_3_1.pdf)
-Section 9.6.3 addresses that fact that the CA MUST include stipulations allowing them to revoke certificates that are being misused. Let’s Encrypt’s CA Policy does contain these needed stipulations.
-Section 4.1.1 and 5.2.2: “In accordance with Section 5.5.2, the CA SHALL maintain an internal database of all previously revoked Certificates and previously rejected certificate requests due to suspected phishing or other fraudulent usage or concerns. The CA SHALL use this information to identify subsequent suspicious certificate requests.”
-Section 4.2.1: Requirement to take extra care with “high risk” requests. “High Risk Certificate Request” is defined as:" A Request that the CA flags for additional scrutiny by reference to internal criteria and databases maintained by the CA, which may include names at higher risk for phishing or other fraudulent usage, names contained in previously rejected certificate requests or revoked Certificates, names listed on the Miller Smiles phishing list or the Google Safe Browsing list, or names that the CA identifies using its own risk‐mitigation criteria. "
-Section 220.127.116.11 requires a CA revoke a certificate “within 24 hours” if it is misused