Well, it was on the expected lines. The thread where I highlighted the complicity of CAs was locked by the moderator / someone from Chrome team. It is fantastic to know that all roads seem to lead to Rome. No wonder no one is accountable my friends. Aaron Gable you quoted CA Browser Forum's regulat…

For background, it is important to understand the distinction between a few different kinds of certificates that exist. Domain Validation (DV) certificates convey only one piece of meaning: the entity which has control over this domain name wants this domain name to be associated with this public k…

[image] web3: certificate was misused What does misused mean in this context? If your domain is i.am.a.spammer.spam and you control it, the certificate is not misused.

@lestaff , you didn't want my input on the last one, so it's all yours.

I do not agree with you. If your domain is you.are.a.swindler.com and you are impersonating another credible American Business, then as a CA you are very much responsible. Does the charter not get governed by the law of the land? In USA, impersonating an american business is a crime. Is that not a "…

Do you have any case law to reference? [image] web3: Is that not a "misuse"? That's nothing more than one opinion, not common law. I dislike spammers, so much so that I operate an IP block list with more than 30M IPs in it. But I also understand the problem here. And you are putting the b…

[image] web3: In USA, impersonating an american business is a crime. Is that not a "misuse"? That's a crime, a matter for the courts. Nothing concerning a CA. You're directing your anger at the wrong organisation. The scammer deserves it. Let's Encrypt doesn't.

[image] aarongable: Organization Validation (OV) and Extended Validation (EV) certificates convey the above, as well as information about the business or other entity which controls the domain, such as their name of incorporation, locality of operation, and more. To add on this: it's exploita…

Let's take this to brick-and-mortar businesses for a clearer understanding. Let's say that you own Mendy's restaurant and hired a security company to install a safe and an alarm system in your building and a food delivery company to get supplies. Let's then say some shady characters steal your recip…

Dear Aaron, I will respectfully agree to disagree with you as well as some other members of this community. It is "Scam enablement" written all over it. I have a list of at least 150+ online scammers (that we have painstakingly collected) that are using Let's Encrypt's Domain Verification Certifica…

Thank you for making your stance clear. I don't believe there is any further discussion to be had in this thread. I encourage you to work with the CA/BF to establish new requirements if that is the kind of change that you want -- if the root program requirements are updated to state that CAs must r…

Well, if you belong to an organization willing to stamp out bad, illicit, fraudulent sites around the world, Please share a link so we can join the fight! Cheers!

SSL Certificate Issues / CAs enabling Scammers?

Issuance Policy

9peppe February 17, 2022, 1:30am 8

To add on this: it's exploitable as well.

You can get an EV certificate with any organisation name you want, you just need to incorporate a paper company somewhere.

Topic		Replies	Views
CA's Role in Fighting Phishing and Malware ISRG/Organizational	24	3110	February 6, 2025
Why does let's encrypt issue SSL certificates to fraudulent sites Issuance Policy	33	12208	February 5, 2024
The CA's Role in Fighting Phishing and Malware Issuance Policy	109	25738	November 12, 2019
Misused certificates Issuance Policy	48	13288	September 7, 2023
Certbot Not Able to Issue Certificate - Site marked as unsafe Google Safe Browsing Help	29	9104	May 1, 2017

SSL Certificate Issues / CAs enabling Scammers?

Related topics