The CDN doesn't check that, dauth does all the checks and auto-revokes. This doesn't pass dauth because atum isn't behind dauth.
Atum doesn't check anything other than that you have the tls-certificate. It handles updates and other common use things that don't make sense to put behind a ton of checks.
Ok but... I don't see how hard it would be to just put that behind a proxy/middleware that checks activity on a specific cert. If there's a sudden peak coming from different IPs it wouldn't be hard to flag...
I don't know, I can't believe this isn't monitorable xD