No, that’s backwards. You want to whitelist, deny by default, not whack a mole a blacklist. Then you set it once and done. Hence the certification requirement to be on the whitelist.