Difficulties with SSL validation process for .com.au domains


As a reseller in the Australian market, we seem to have constant issues with this.
I’m using one example here, but it’s a common theme. We recently purchased two InstantSSL certificates, for two servers on one domain.

Having been through this before, we immediately forwarded a utilities bill including company name and address to docs[at]comodo.com. ONE of these certificates was then validated then handed over. For the other, I logged a support case to determine the delay.

How does that even make sense? Where is the logic in being able to validate server1.domain.com and not server2.domain.com?

In the ensuing discussion, my pet peeve is that every individual email from support starts with “We are glad to inform that we have activated your account information”, I mean how many times does my account need to be activated?

So my most recent email states: "… as Australian domains don’t show a physical street address in the whois. We require some documentation to prove ownership of the domain. The quickest way to resolve this problem would be to send us any letter/document from your ISP/Registrar"
Sorry, but anyone suggesting that contacting a registrar and asking for a letter that shouldn’t be needed would be in any way a “quick” process hasn’t had enough experience in this area to be selling me a certificate.
What I’m really trying to get at is that a .com.au domain may not list street records on whois, but it has its own requirements. Specifically:
.com.au domain names can be registered by Australian registered businesses. .com.au registrants must be:
a) an Australian registered company; or
b) trading under a registered business name in any Australian State or Territory; or
c) an Australian partnership or sole trader;
d) a foreign company licensed to trade in Australia; or
e) an owner of an Australian Registered Trade Mark; or
f) an applicant for an Australian Registered Trade Mark; or
g) an association incorporated in any Australian State or Territory; or
h) an Australian commercial statutory body.
Furthermore, your business name must be, or be like, the name or trademark used above. So in putting the following together:

  • For our client to obtain their .com.au domain, they already provided auDA with a registered company name, proved it with an ABN, and got it registered
    • The domain in question DOES have “Eligibility Name: COMPANY” and “Eligibility ID: BUSINESS NUMBER” in the whois records.
  • Our client has provided email addresses such as ssladmin[at]domain.com
  • Client built a website that shows address and ABN on “contact us” page
  • Our client provided a utilities bill with the company name and street address listed

I’m tired of going back and forth with support, where sending an email in the afternoon gets you a response in the morning, given all the above. There just has to be a better way. What does everyone else do?
Particularly on an “InstantSSL” product, which we don’t ever seem to be able to deliver in less than a few days.

Well, in the interests of keeping things professional I won’t say how this was resolved this time.

Really, if anyone out there is reading this, we’ll make a lot more sales with a more workable process. Some of the following would be trivial proofs of domain ownership for us, I’d urge them to be considered:

  • Must make a custom, random, TXT record on the domain
  • Must embed a hidden random string in the website

Or best of all:

  • Making use of the “eligibility ID” field required on .com.au domains
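
The first proposal in the list above (a custom, random TXT record) sketched as an added example; it is not part of the original post and not Comodo's process. The `ca-domain-check=` prefix, the seven-day lifetime, `example.com.au` and the function names are assumptions, and the TXT strings are passed in rather than looked up.

```python
import hmac
import secrets
import time

TOKEN_TTL = 7 * 24 * 3600      # assumed lifetime of a challenge, in seconds
PREFIX = "ca-domain-check="    # hypothetical TXT prefix, not any CA's real format


def normalise(domain):
    """Lower-case and drop a trailing root dot so comparisons are stable."""
    return domain.lower().rstrip(".")


def issue_challenge(order_id, domain, now=None):
    """Create a random challenge bound to one order and one domain."""
    now = time.time() if now is None else now
    return {
        "order_id": order_id,
        "domain": normalise(domain),
        "token": secrets.token_urlsafe(32),   # 256 bits from the OS CSPRNG
        "expires": now + TOKEN_TTL,
    }


def expected_txt(challenge):
    """The exact TXT value the applicant is asked to publish."""
    return PREFIX + challenge["token"]


def verify_challenge(challenge, queried_domain, txt_records, now=None):
    """Return (ok, reason) for the TXT strings a resolver gave for queried_domain."""
    now = time.time() if now is None else now
    if normalise(queried_domain) != challenge["domain"]:
        return False, "records are for a different domain"
    if now > challenge["expires"]:
        return False, "challenge expired"
    want = expected_txt(challenge).encode()
    for record in txt_records:
        # TXT data often arrives quoted and padded; strip that before comparing.
        got = record.strip().strip('"').encode()
        if hmac.compare_digest(got, want):    # constant-time comparison
            return True, "token found"
    return False, "token not published"


# Constructed sample data: example.com.au stands in for the applicant's domain.
challenge = issue_challenge("ORDER-0001", "example.com.au", now=1_000_000)
records = ['"v=spf1 -all"', '"' + expected_txt(challenge) + '"']
```

A matching token shows control of the domain's DNS only; it says nothing about which organisation stands behind the domain.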

I’ve had to guess somewhat at the order you are referring to, but I’m reasonably sure that I have the right one, so allow me to address the points that you have made.

I don’t see a utility bill. What I do see that you sent was information from ASIC, which seems to be for a related company (parent, subsidiary, sister company) that relates directly neither to the information on the SSL certificate nor the domain registration, and was not accepted for validation purposes. We found the information we needed to verify the organization from other sources.

The problem here is that the company shown as registrant has been voluntarily deregistered, and is therefore no longer in existence.

I don’t really see the relevance of this despite your insistence in the support ticket you sent that, “The whois records clearly demonstrate that COMPANY X own this domain.” The domain registrant owns the domain, and in this case, the domain registrant is defunct. Due to that fact, I am unsatisfied with the validation that has been performed on these orders as to verification of domain ownership, and will be sending you information directly as to how we need to proceed to avoid revocation of these certs.

That MAY go a long way toward demonstrating domain control, however I can find no indication in our records that any communication we have sent to that address has been directly responded to.

Someone can put anything they like on a website they control, so it really does nothing to verify the accuracy of the company details which may be shown. In this case the ABN is NOT shown as you claim, and the company name is neither that submitted to us on the SSL request, nor that shown in the whois information under either the registrant OR eligibility data, therefore even if we could accept information posted on the company’s own website, which we can’t, in this case that information supplies more questions than answers.

At this point, I’m thoroughly confused both as to the correct company information, as well as the outstanding domain ownership problem. I would prefer to have a phone conversation about this because it would be much easier to go through everything that way, but as that may be difficult given the disparate time zones, I will send you a direct email adding the relevant order and company details which I’ve left out of this post, and if we cannot resolve it that way we can set up a time to speak directly.

How can you possibly validate a domain, issue a certificate, then advise me that you will revoke that certificate unless we come up with additional documentation? Would things have been different if I never made this post?

The documentation you have asked for in your email will simply be impossible to obtain. Give me some time to see if I can find some other process for you. If I cannot, any revocation will be expected to come with a refund.

Also, you did mention that responding to an email sent to ssladmin@domain may be of assistance. Feel free to email anything you like to this address and request a response.