Abuse is a serious issue, but Certificate Authorities are not well suited to assess and
address abuse. ACME Certificate Authorities (CAs) verify proof of control over an end
entity's domain name and issue certificates based on that assessment. However, the CA
does not assess the content served from the domain. This is not something that can be
achieved reliably at the time of certificate issuance because website content can change
over time and there are no objective criteria CAs can use to make such an assessment.
Furthermore, content can be localized based on a requester's network address, making it
challenging for a CA to make an accurate and comprehensive assessment.

Even if a CA assesses the content served from a domain at the time of certificate issuance,
it would not be a viable long-term solution. The content on a website can change
significantly over time, rendering the initial assessment obsolete. Additionally, wildcard
certificates cover multiple subdomains under a single domain. Monitoring and assessing the
content served from each subdomain is not viable.

Specialized entities with expertise in content moderation, online safety, and regulatory
compliance are better equipped to handle these matters. If you have encountered content that
you believe is abusive or malicious, please use the following resources to report it:

Google Trust Services retains the right
to revoke certificates issued by our CAs as specified in our Subscriber Agreement, but we do
not proactively assess content. In line with WebPKI practices and requirements, we do not
process Certificate Problem Reports for abuse, including certificates issued for domains that
are known to be used for malware, phishing, spam or other malicious activities. Let's
Encrypt has an often-referenced post covering their stance on abuse and their approach to
this challenging problem, "The CA's Role in Fighting Phishing and Malware", which is very
similar to Google Trust Services' approach.