Gervase Markham, on 04 October 2016 07:10, said.. > Thank you for this report. > > On 27/09/16 02:07, Robin Alden wrote: > > When we use an 'agreed-upon change to website' method to prove > domain > > control, we consider proof of control of 'www.<base_domain>' as also > > proving control of '<base_domain>' (except where '<base_domain>' is a > > public suffix). > > We don't give any other sub-domain this treatment, only 'www'. > > We believe that the currently enforced and audited (pre-ballot 169) BRs > > permit us to do this under section 3.2.2.4 method 7. > > 3.2.2.4 section 7 says: > > "Using any other method of confirmation, provided that the CA maintains > documented evidence that the method of confirmation establishes that the > Applicant is the Domain Name Registrant or has control over the FQDN to > at least the same level of assurance as those methods previously described." > > Where does Comodo's documentation of this methodological equivalence > reside? Is it in your CP/CPS or elsewhere? Could you share it with us > please?
It previously existed only in unpublished documentation, so far as I am aware. Our auditors were aware of it. Our validation and support staff have freely offered this information to assist customers in getting certificates validated and issued. It is now publicly documented at https://secure.comodo.com/api/pdf/latest/Domain%20Control%20Validation.pdf and in the knowledgebase article at: https://support.comodo.com/index.php?/Knowledgebase/Article/View/791/16/alte rnative-methods-of-domain-control-validation-dcv Regards Robin Alden Comodo _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy