I have used Comodo in the past for SSL as well as code-signing certificates, but the current validation process is broken. I understand that they have guidelines to follow, etc., but the training of the validation team seems too poor to accommodate privacy concerns.
Here are the requirements for a code-signing certificate in their own guidelines.
The validation team sends me a broken link to the cabforum site, saying they are required to follow the guidelines there, but those guidelines are for site certificates and explicitly say that they are not for code-signing certificates.
Here are the problems I am facing. Verifiable information does not mean public. Why is this so difficult to understand for the validation team?
- The domain name may have a privacy proxy registration as allowed by ICANN
https://www.icann.org/resources/pages/privacy-proxy-registration-2013-03-22-en
and yet Comodo requires making this public for them to verify via WHOIS. This is nonsense.
I have provided them with the latest invoice of the entity managing the private registration for us - Verio - showing the company address and the domain name. This allows them to verify the domain ownership without making private information public via WHOIS.
- A company registered in Delaware is listed in the State database along with the local agent representing the company in Delaware, as required by the State. It lists the address and phone number of the registered agent.
Comodo wants me to list our private address and phone number in some third-party online directories, which, for a company with a huge software distribution, is dangerous. That phone will start ringing with all kinds of support questions and crank calls, making that phone number useless for anything.
I have provided them with the invoice from the acting agent for Delaware State registration, which has the name of the company, mailing address, e-mail address and phone number as registered with them. This is a legal entity authorized to hold this information, and this allows the information to be verified without making it public in some third-party database that can be harvested for all kinds of unintended and illegal uses.
Is it possible for someone responsible at Comodo to take a look at these requirements and instruct their validation team to make better judgments rather than keep sending form letters?
I am not asking them to skip their validation process, just to think about what is needed and to do the validation right with the documents provided, rather than by arbitrary means that do not respect privacy.
If making everything public is what Comodo insists it needs (and it is their right to do so), then this should be listed in all the guidelines so that people can stay away from doing business with a Comodo that has such a disregard for privacy. Can we even be sure that the private statements we provide, such as bank statements, will be kept private by a company that does not understand privacy?
A constructive reply and help in making things right would be appreciated. It will help me, and it will help Comodo get rid of the reputation it is getting for a brain-dead validation process.