I recently transferred a domain name after winning a dispute resolution case. Generating an SSL certificate for the domain got me wondering if there is any process in place for invalidating any previously-generated certificates for such domain names. There is an obvious opportunity for impersonation attacks here - and forcible transfer of a domain through dispute resolution might actually serve as motivation for such an attack.
I guess there is not much incentive for CAs to do this, but should it not be required for CAs to invalidate certs at least in cases of obvious (e.g., automatically detectable) domain ownership changes?
Or is something like this actually done?
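A practical check for the situation described in the question, as an added example that is not part of the original post: enumerate the certificates already logged in Certificate Transparency for the domain and list the ones issued before the transfer date that have not yet expired, since those are the ones an impersonator could still use. The script assumes CT search results in the JSON shape that crt.sh returns (field names such as `serial_number`, `name_value`, `not_before`, `not_after` are taken from its output format and are an assumption here); it runs on a hand-constructed sample instead of a live query, and the domain, dates, issuer and serials are invented.

```python
"""List still-valid certificates that were issued for a domain before it
changed hands.

Added example, not code from the original post.  Assumes CT search results
in the JSON shape crt.sh emits (one row per logged certificate, SANs
newline-separated in "name_value", ISO-8601 timestamps without zone).
"""
import json
from datetime import datetime

# Constructed sample standing in for the response to a query such as
#   https://crt.sh/?q=example.test&output=json
# Row 3 repeats row 2's serial: crt.sh logs precertificate and certificate
# separately, so real output contains such duplicates.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "serial_number": "0a1b", "name_value": "example.test\nwww.example.test",
     "not_before": "2023-01-10T00:00:00", "not_after": "2024-01-10T23:59:59"},
    {"id": 2, "issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "serial_number": "0c2d", "name_value": "*.example.test\nexample.test",
     "not_before": "2023-11-01T00:00:00", "not_after": "2024-10-31T23:59:59"},
    {"id": 3, "issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "serial_number": "0c2d", "name_value": "*.example.test\nexample.test",
     "not_before": "2023-11-01T00:00:00", "not_after": "2024-10-31T23:59:59"},
    {"id": 4, "issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "serial_number": "0e4f", "name_value": "mail.example.test",
     "not_before": "2024-03-05T00:00:00", "not_after": "2025-03-05T23:59:59"},
    {"id": 5, "issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "serial_number": "1010", "name_value": "unrelated.test",
     "not_before": "2023-06-01T00:00:00", "not_after": "2025-06-01T23:59:59"},
    {"id": 6, "issuer_name": "C=US, O=Other CA, CN=Other CA G2",
     "serial_number": "2222", "name_value": "api.example.test",
     "not_before": "2023-06-01T00:00:00", "not_after": "2025-06-01T23:59:59"},
])


def parse_ts(value):
    """crt.sh timestamps look like 2023-01-10T00:00:00 (no zone)."""
    return datetime.fromisoformat(value)


def name_covers(san, domain):
    """True if a SAN entry (possibly a wildcard) names the domain or a
    subdomain of it; used to drop rows that matched the CT search loosely."""
    san = san.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if san.startswith("*."):
        san = san[2:]
    return san == domain or san.endswith("." + domain)


def find_pre_transfer_certs(ct_json, domain, transfer_date, now):
    """Return one entry per distinct (issuer, serial) that covers `domain`,
    was issued before `transfer_date` and is still unexpired at `now`."""
    seen = set()
    hits = []
    for row in json.loads(ct_json):
        key = (row["issuer_name"], row["serial_number"])
        if key in seen:          # precert/cert duplicate of a row already handled
            continue
        seen.add(key)
        names = [n for n in row["name_value"].split("\n") if n]
        if not any(name_covers(n, domain) for n in names):
            continue
        not_before = parse_ts(row["not_before"])
        not_after = parse_ts(row["not_after"])
        if not_before < transfer_date and not_after >= now:
            hits.append({
                "issuer": row["issuer_name"],
                "serial": row["serial_number"],
                "names": names,
                "not_after": not_after,
            })
    return hits


def report(hits):
    """One line per certificate the new owner should ask the CA to revoke."""
    return [f"{h['issuer']} serial {h['serial']} valid until "
            f"{h['not_after']:%Y-%m-%d}: {', '.join(h['names'])}" for h in hits]


if __name__ == "__main__":
    transfer = datetime(2024, 2, 1)      # invented date the domain changed hands
    today = datetime(2024, 6, 1)         # fixed "now" so the run is reproducible
    for line in report(find_pre_transfer_certs(SAMPLE_CT_JSON, "example.test",
                                               transfer, today)):
        print(line)
```

The entries that survive the filter are the ones to raise a revocation request (certificate problem report) with each issuing CA about; the script reads only the CT log data, so it does not know whether a CA has already revoked a listed certificate, and a follow-up OCSP or CRL check is needed for that.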