Hi Robin, Thank you for this report.
On 27/09/16 02:07, Robin Alden wrote: > When we use an 'agreed-upon change to website' method to prove domain > control, we consider proof of control of 'www.<base_domain>' as also > proving control of '<base_domain>' (except where '<base_domain>' is a > public suffix). > We don't give any other sub-domain this treatment, only 'www'. > We believe that the currently enforced and audited (pre-ballot 169) BRs > permit us to do this under section 3.2.2.4 method 7. 3.2.2.4 section 7 says: "Using any other method of confirmation, provided that the CA maintains documented evidence that the method of confirmation establishes that the Applicant is the Domain Name Registrant or has control over the FQDN to at least the same level of assurance as those methods previously described." Where does Comodo's documentation of this methodological equivalence reside? Is it in your CP/CPS or elsewhere? Could you share it with us please? > [4] https://crt.sh/?cablint=1+week This URL is a 404. Are you simply saying that cablint alerted you to the error? Does Comodo run cablint over all certificates post-issuance (or pre-issuance)? Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy