Proving any or all identifiers for certificate revocation

That issue made me think about the following problem, DDNS: security question.

When an attacker gets temporary control of your domain (for example, domain hijacking), he may issue a certificate for your domain. The problem is that when you get back control of your own domain, you may not be able to revoke the certificate (assuming you do not have the key of the certificate, nor the account key) if the attacker was smart enough to add a “guard” domain name which he owns into the certificate.

Wouldn’t it be more appropriate to be able to revoke a certificate if you prove ownership of any identifier in the certificate instead of all, as required by RFC 8555?

There’s more than a few shared hosting platforms that put domains from unrelated tenants onto shared certificates with 100 SANs.

2 Likes

The hosting provider puts all those identifiers into one certificate; he is the real owner of the certificate, not the tenants. Do any of the tenants have the capability to revoke the certificate at all?

Edit: You are right, the tenant may change provider, so he could revoke the original certificate that way.

This situation would meet the bar for administrative revocation by Let's Encrypt.

3 Likes
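The trade-off discussed in this thread, as an added example that is not part of any post and is not Let's Encrypt code: it evaluates the RFC 8555 section 7.6 "all identifiers" rule and the proposed "any identifier" rule against the hijack-with-guard-domain case and the shared-hosting case. All account names, domains and function names are constructed for illustration, and wildcard identifiers are not modeled.

```python
# Added illustration: names and domains below are constructed, and the
# "any" policy is the thread's proposal, not an existing ACME server option.

def norm(name):
    """Normalize a DNS identifier for comparison (case, trailing dot)."""
    return name.strip().rstrip(".").lower()

def may_revoke(policy, cert_sans, authorized,
               issued_by_account=False, holds_cert_key=False):
    """Decide whether a revocation request is authorized.

    The issuing account and the holder of the certificate key may always
    revoke (RFC 8555 section 7.6). Otherwise:
      'all' = the requester holds authorizations for every identifier (RFC rule)
      'any' = the requester holds an authorization for at least one identifier
    """
    if issued_by_account or holds_cert_key:
        return True
    sans = {norm(s) for s in cert_sans}
    held = {norm(a) for a in authorized}
    if not sans:
        return False  # nothing to match against: fail closed
    if policy == "all":
        return sans <= held
    if policy == "any":
        return bool(sans & held)
    raise ValueError("unknown policy: %r" % policy)

def revokers(policy, cert_sans, accounts):
    """Sorted names of accounts (name -> authorized identifiers) that may revoke."""
    return sorted(name for name, held in accounts.items()
                  if may_revoke(policy, cert_sans, held))

# Case 1 (constructed): certificate issued during a hijack, with a guard name.
HIJACK_CERT = ["victim.example", "guard.attacker.example"]
HIJACK_ACCOUNTS = {"victim": {"victim.example"}}  # owner after regaining control

# Case 2 (constructed): shared-hosting certificate covering 100 unrelated tenants.
SHARED_CERT = ["tenant%d.example" % i for i in range(100)]
SHARED_ACCOUNTS = {"tenant7": {"Tenant7.example."}, "outsider": {"other.example"}}

if __name__ == "__main__":
    for policy in ("all", "any"):
        print(policy, "hijack:", revokers(policy, HIJACK_CERT, HIJACK_ACCOUNTS))
        print(policy, "shared:", revokers(policy, SHARED_CERT, SHARED_ACCOUNTS))
```

Under "all", neither the recovered owner nor a single tenant can revoke on their own; under "any", both can, which means one tenant could take down a certificate serving 99 others.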
