According to Let’s Encrypt Terms of Service (https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf)
4.3 Suspension and Revocation
You also acknowledge and accept that ISRG may, without advance notice, immediately revoke Your Certificate if ISRG determines, in its sole discretion, that: (vi) Your Certificate is being used, or has been used, to enable any criminal activity (such as phishing attacks, fraud or the distribution of malware);
Through the CT we found a site that was run by scammers to steal money from our customers, so we contacted Let’s Encrypt with a request to revoke the certificate. We got a response that contradicted the Terms of Service as published by Let’s Encrypt (and, please, mind that the Terms of Service is a legally binding document).
OK, we thought that the support person was just not trained properly, so we searched a bit more and found the following contact information (https://letsencrypt.org/documents/isrg-cps-v2.5/#4-9-3-procedure-for-revocation-request):
1.5.2 Contact person
The ISRG PMA can be contacted at:
Policy Management Authority
Internet Security Research Group
1 Letterman Drive, Suite D4700
San Francisco, CA 94129
Certificate Problem Reports can be submitted via email to:
Surely, the Policy Management Authority is aware of the Terms of Service and will handle the request. Little did we know, the address is bouncing messages (well, it is actually configured as a redirect to a firstname.lastname@example.org, but it seems that ZenDesk no longer knows about such a customer, and any message sent to the officially published contact e-mail is bouncing).
Now, there are two questions I would love to hear the official position on:
- What is the correct contact e-mail for the Policy Management Authority (if it is the specified e-mail, when is Let’s Encrypt planning to actually fix it?)
- Why do support staff reply that Let’s Encrypt does not revoke certificates which are clearly used for criminal activities, when the Terms of Service explicitly say that such use is against the terms and the certificate will be revoked?