Thank you for your response and for the time taken to review the reported case. However, we would like to formally express our disagreement with the position adopted.
We believe that allowing a website engaged in fraudulent activity and impersonating the image, identity, and brand of a legitimate organization to continue using a valid digital certificate poses a significant risk to the safety of citizens and internet users. The presence of an active certificate can create a false sense of legitimacy and trust, thereby facilitating and amplifying the impact of these scams—particularly among individuals who are unfamiliar with such fraudulent schemes.
While we understand the need for clear and broadly applicable policies, we believe that once specific facts and supporting evidence of impersonation and fraud have been presented, the inability to invalidate the certificate may be perceived as indirectly legitimizing these unlawful practices and the harm they cause.
From our perspective, revoking certificates in well-documented cases of fraud and impersonation would significantly contribute to user protection and help strengthen trust in the digital security ecosystem.
We appreciate your consideration of this matter for any future policy reviews and remain open to further discussion or analysis should that be possible.
TL;DR: stop using the presence of a certificate as an indicator of the trustworthiness of a site. That is not what certificates communicate.
What you propose is not possible or even needed. A certificate makes no statement on the trustworthiness of a website. It only indicates that secure communication is available with the site, and that you are communicating with a domain name that is contained in its SAN.
Anyone interpreting a certificate to indicate something else is making it up on their own and should stop at once, as that is not something that a certificate can convey.
The problem isn't malicious sites using TLS. It's people not understanding what a certificate does. Vouching for the safety of the contents of a site is not one of the functions that certificates perform. Nor is it something that they are suitable for. The sooner you free yourself from that notion, the safer you will be.
These days, a web site using a valid certificate is no longer displayed with any higher trust level, contrary to how it used to be. Today, only a connection using old, untrusted technology (plain HTTP) is displayed specifically as a lower trust level.
I think this article from the Let's Encrypt blog will explain why Let's Encrypt doesn't take action against domains involved in phishing or abuse.
TL;DR: There are better channels to report problematic domains to, including Google Safe Browsing and Microsoft SmartScreen. They do a much better job getting warnings out than a certificate authority could. At one point, Let's Encrypt even checked domains against Google's API. This is no longer the case (explained in this forum post).