by arbitrage 3775 days ago
It's not the CA's job to make sure your domain isn't expiring. It's yours.
4 comments

> It's not the CA's job to make sure your domain isn't expiring. It's yours.

Really? In the simplest case, their entire job is certifying that the holder of the private key is the holder of the domain name[1]. That begs the question, of course: how is it that we trust every single CA to certify every single domain? Why don't we trust the issuer of each domain hierarchy to certify only those domains it's permitted to issue?

The entire XPKI is broken, broken, _broken_.

[1] In the more complex case, of course, they certify that the keyholder is some external entity.

I mean, would it not be a problem for the CA that you (after the domain has expired) are still in possession of a valid certificate for a domain which you do not have control over?
It sort of is. A CA shouldn't issue a certificate for a domain that may be released and repurchased before the cert expires.
Come on. It's the CA's job to accurately tell you who you're communicating with.