Nick Lamb, on 02 October 2016 17:50, said.. > The first thing that jumps out at me from their report is that they mistake .sb > for a gTLD when it is actually a ccTLD.
That was a mistake in writing the report. The point is that it is a TLD. > The second thing obviously is that they do have exactly the "rule" Richard > Wang described, and they believe this was justified under the BRs old 3.2.2.4 > method 7 (which isn't a method at all, it's basically a catch-all). > > I examined the Comodo CPS and wasn't able to find any mention of this rule. > Indeed based on the CPS I would have assumed that control over a website > www.example.com would under no circumstances be sufficient to get a > certificate for the name example.com from Comodo and I would be grateful > if anyone can point me to where they have written that it is. > I can't speak to your assumptions, but I concede that it is not explicit in the CPS. It is now documented at https://secure.comodo.com/api/pdf/latest/Domain%20Control%20Validation.pdf and in the knowledgebase article at: https://support.comodo.com/index.php?/Knowledgebase/Article/View/791/16/alte rnative-methods-of-domain-control-validation-dcv Regards Robin Alden Comodo _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy