by gcp 3440 days ago
It's very unfortunate there isn't a way to force more responsibility/accountability onto CAs who issue phishing certificates.

It's very easy: get the browser vendors to remove them from the root store. It's exceedingly effective. The "problem" is that the browser vendors seem to agree that CAs shouldn't be content watchdogs.

Did you read the linked position paper from LetsEncrypt?


I think they're right - the CA's job (which they're not exactly nailing either) is to ensure that the browser is connected to the site it thinks it is. After that, it's the browser's job to ensure that the site it thinks it's connecting to and the site that the user thinks they're connecting to are the same.

That's very much a libertarian-style nuclear option to remove a CA from the root store. Why can't the industry work out a fine to pay an ICANN-like org for root CAs when it happens?

A large percent of phishing sites are hacked WordPress sites.

So if a CA offers a certificate to a legitimate WordPress site, which then proceeds to let itself get hacked and host a phishing page, that CA now has to pay a fine?