Hacker News

> A system as easy as ACME for domain holders to revoke any certificate.

ACME in fact supports this, and I expect at some point CAs will be required to support it.

In the meantime, I'm working on a tool that will take a certificate, identify the true issuer, look up the CA's problem reporting email address, and provide an email template with the right words to make the CA care. If the CA supports revocation over ACME the tool will take care of revocation automatically (although you'll still have to demonstrate control over the domain).

(Note however that your example is flawed because the certificate was actually authorized by virtue of making Cloudflare your DNS provider. If you don't like that, your recourse is to pick a different DNS provider which is more respectful of their customers.)

> A monitoring system that will only alert me on new certificates in the CT logs that it can't find on my infrastructure.

Commercial CT monitors, like Cert Spotter (my product) or Hardenize, support integration with your certificate issuance infrastructure so you're only notified if the certificate is unknown. I only get CT alerts for my domains if I actually need to care.

The open source version of Cert Spotter can execute a script when it discovers a certificate, and I know of users that use this to cross-check against their inventory and only send an alert if the certificate is unknown.
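The cross-check described in the comment above, as an added example that is not Cert Spotter's code or its hook interface: a script that takes certificate records in an assumed shape (cert hash, public-key hash, names, issuer) and reports only those that do not match an inventory built from the certificates actually deployed. All byte strings and field names are constructed for the example.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, the fingerprint form most CT monitors report."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the DER certificate and DER SubjectPublicKeyInfo of the
# certificates actually deployed on our hosts. A real inventory would be built from
# the live TLS endpoints or a configuration database, not from literal byte strings.
DEPLOYED = [
    {"cert_der": b"constructed-der-www", "spki_der": b"constructed-spki-key-A"},
    {"cert_der": b"constructed-der-api", "spki_der": b"constructed-spki-key-B"},
]


def build_inventory(deployed):
    """Index deployed certificates by certificate hash and by public-key (SPKI) hash."""
    return {
        "cert": {sha256_hex(d["cert_der"]) for d in deployed},
        "spki": {sha256_hex(d["spki_der"]) for d in deployed},
    }


# Constructed records in the shape a CT monitor hook might pass to a script (assumed
# field names; the real hook interface of any given monitor will differ).
DISCOVERED = [
    {   # exactly the certificate we deployed: no alert
        "cert_sha256": sha256_hex(b"constructed-der-www"),
        "spki_sha256": sha256_hex(b"constructed-spki-key-A"),
        "dns_names": ["www.example.com"], "issuer": "Example CA",
    },
    {   # new certificate, but for a key we own: probably a renewal not yet deployed
        "cert_sha256": sha256_hex(b"constructed-der-api-renewed"),
        "spki_sha256": sha256_hex(b"constructed-spki-key-B"),
        "dns_names": ["api.example.com"], "issuer": "Example CA",
    },
    {   # neither the certificate nor the key is ours: this is the one to act on
        "cert_sha256": sha256_hex(b"constructed-der-unexpected"),
        "spki_sha256": sha256_hex(b"constructed-spki-key-Z"),
        "dns_names": ["mail.example.com"], "issuer": "Other CA",
    },
]


def classify(record, inventory):
    """known: cert is deployed; review: the key is ours but the cert is not (confirm it
    is a renewal in flight); alert: nothing matches, treat as potential mis-issuance."""
    if record["cert_sha256"].lower() in inventory["cert"]:
        return "known"
    if record["spki_sha256"].lower() in inventory["spki"]:
        return "review"
    return "alert"


def triage(discovered, inventory):
    """Return only the records that need a human, each tagged with its class."""
    out = []
    for r in discovered:
        level = classify(r, inventory)
        if level != "known":
            out.append({"level": level, "issuer": r["issuer"], "dns_names": r["dns_names"]})
    return out


if __name__ == "__main__":
    for item in triage(DISCOVERED, build_inventory(DEPLOYED)):
        print(f"[{item['level']}] {item['issuer']}: {', '.join(item['dns_names'])}")
```

Matching on the public-key hash as well as the certificate hash matters because the precertificate a CA logs to CT hashes differently from the final certificate, while the SPKI is identical in both; it also absorbs renewals that reuse a key. A certificate for your own key from an issuer you never used is still worth a look, which is why it is classed "review" rather than silently dropped.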



> ACME in fact supports this, and I expect at some point CAs will be required to support it.

If you use ACME to get a certificate from CA1, then you can use ACME to revoke the same certificate from CA1.

But if the cert was issued from CA2 (via ACME or otherwise), there is nothing you can do about it. And even if the 'rogue' cert was also issued from CA1 as well (but under a different account), unless you have the private key there is nothing you can do to revoke it; only perhaps get a completely new cert that 'supersedes' it.


No, ACME allows you to revoke a certificate if you can successfully complete a challenge for every domain in the certificate (see https://www.rfc-editor.org/rfc/rfc8555#section-7.6 "an account that holds authorizations for all of the identifiers in the certificate"). The certificate need not be issued from the same account.

Once root programs require all CAs to support ACME, then all you need for automatic revocation is a mapping from CA to ACME directory URL (this could perhaps be disclosed through the CCADB).
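The revocation path described in the two comments above (RFC 8555 section 7.6 plus a CA-to-directory mapping), as an added example that is not code from any ACME client or CA: it looks up the issuer's ACME directory in a constructed placeholder table, checks that the account holds authorizations for every identifier in the certificate, and builds the revokeCert request body. The issuer names and directory URLs are invented, identifiers are compared as exact strings, and the JWS signing and HTTP POST are left out.

```python
import base64

# Constructed placeholder mapping from certificate issuer to ACME directory URL. In the
# setup described above this would be disclosed per CA (for example through the CCADB);
# the issuer names and URLs here are invented for the example.
ACME_DIRECTORY_BY_ISSUER = {
    "CN=Example CA 1,O=Example": "https://acme.ca1.example/directory",
}

# A few CRLReason codes from RFC 5280 section 5.3.1; RFC 8555 lets a CA reject codes
# it does not accept, so a tool should be prepared for that.
CRL_REASON = {"unspecified": 0, "keyCompromise": 1, "superseded": 4, "cessationOfOperation": 5}


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME (RFC 8555) requires for binary fields."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def missing_authorizations(cert_identifiers, held_authorizations):
    """RFC 8555 section 7.6: the account must hold valid authorizations for every
    identifier in the certificate. Exact, case-insensitive string comparison only
    (simplification: wildcard authorizations are not modelled here)."""
    held = {i.lower() for i in held_authorizations}
    return [i for i in cert_identifiers if i.lower() not in held]


def revocation_payload(cert_der: bytes, reason=None):
    """Body of the revokeCert request: the DER certificate and an optional CRLReason."""
    payload = {"certificate": b64url(cert_der)}
    if reason is not None:
        payload["reason"] = reason
    return payload


def plan_revocation(issuer, cert_identifiers, held_authorizations, cert_der, reason=None):
    """Decide what an automated tool can do with a certificate it did not request."""
    directory = ACME_DIRECTORY_BY_ISSUER.get(issuer)
    if directory is None:
        # No ACME endpoint known for this CA: fall back to the CA's problem-report address.
        return {"status": "no-acme-directory", "issuer": issuer}
    missing = missing_authorizations(cert_identifiers, held_authorizations)
    if missing:
        # Control of these names still has to be demonstrated via challenges first.
        return {"status": "needs-authorization", "missing": missing}
    return {"status": "ready", "directory": directory,
            "payload": revocation_payload(cert_der, reason)}


if __name__ == "__main__":
    # Constructed: a tiny stand-in for DER bytes, not a real certificate.
    fake_der = b"\x30\x03\x02\x01\x01"
    print(plan_revocation("CN=Example CA 1,O=Example", ["www.example.com", "example.com"],
                          {"example.com", "www.example.com"}, fake_der, CRL_REASON["superseded"]))
    print(plan_revocation("CN=Example CA 1,O=Example", ["mail.example.com"],
                          {"example.com"}, fake_der))
```

When the plan is "ready", the remaining steps are the standard ACME ones: fetch the directory, take its "revokeCert" URL, and POST the payload as a JWS signed with the account key. The "needs-authorization" branch is the part the thread stresses: the account does not have to be the one that ordered the certificate, but it does have to complete a challenge for every name in it.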





