I purchased a Comodo code signing certificate as an individual last week. I understood that there were strict face-to-face verification guidelines to follow at the time of purchase, and I have complied with all of those guidelines, plus a lot of other arbitrary-seeming requests that Comodo has made since I first placed my order.
I am profoundly frustrated with the confusing and inadequate documentation and communications I’ve received from Comodo. Here’s a day-by-day account of the process up to this point. What is going on, here?
DAY ONE (January 7, 2015)
I purchase a 1-year Comodo code signing certificate and begin fulfilling the requirements of the Comodo Face-to-Face Verifications (a Comodo document titled “Documentation Instructions for Personal Identification).
I collect a credit card statement, a property tax statement, and my personal identification, and bring it to a co-worker at my place of employment, who is a registered notary public that offers her services for free to fellow employees.
She follows the instructions provided, making copies and faxing the documents, as directed in the “Instructions to Licensed/Commissioned Notary or Attorney” of the Comodo document.
Observation 1: The instructions say “the Applicant will send via overnight delivery all documents to the Comodo address listed on page 5 of these instructions” and “FAX the copies of all documents to Comodo at the fax number shown on page 5 of this document.” But there is no page 5. The document is only 3 pages long.
Observation 2: The document says “Make photocopies of this form including Parts 3 and 4” but none of the sections of the form are numbered. We just include the entire document.
Because of the inconsistencies in the Comodo instructions, I place a call to Comodo to confirm the correct address and fax number, etc. We then fax the document packet to Comodo as instructed.
That same day, I ship the hard-copy documents stamped by my notary to Comodo’s Broad Street address in New Jersey by Federal Express overnight. (Tracking number xxxxxxxx6346.)
DAY TWO (Jan 8)
I receive notification that my delievery has been received by Comodo’s New Jersey office, signed for by someone with initials S.R. at 11:40 AM.
I also receive an email from Comodo Security Services acknowledging that my order has been placed. I notice that the order number in this confirmation email (xxxx1789) is different from the one I had put in the documents that we had faxed and overnighted.
DAY THREE (Jan 9)
I sign up at the Comodo helpdesk (https://support.comodo.com/) using the email address associated with my domain and submit a request indicating that the order number I received via email from the one I had included on my documentation, and just making sure they knew which order number my sent/faxed documents are associated with. This request opens my Comodo support ticket (#WHT-xxx-x7917).
Later that night I receive an email from Comodo Validation, saying “We regret to inform you that we have not yet received any documents we request you to send those Documents attested by your Notary as an attachment in PDF format along with this email so once we receive it we will proceed further.”
Are they saying they lost both my fax and my hard-copy documents? I immediately reply, providing both the requested PDF files and the FedEx shipping confirmation. I also request confirmation from them that they indeed lost both my fax AND hard-copies. They never answer this question.
Note: I have noticed that on the Comodo Discussion Board (https://forums.comodo.com/) some other code signing customers have also had this happen; Comodo lost their documents. How is this possible, really, at a company whose job is directly tied to security and privacy?
DAY 4 (Jan 10)
I receive an email from Comodo Validation saying they need to verify my notary’s registration details.
They also tell me I need to update the whois information on my web site. (I don’t remember seeing this requirement in any of the materials I had seen when I ordered. My whois information was intentionally private.)
DAY 5 (Jan 11)
I update the whois information on my site so it is no longer private, in order to comply with Comodo’s request.
DAY 6 (Jan 12)
I reply to Comodo support, indicating that my whois info is up-to-date, and pointing them to a link where they can confirm it.
I also provide my notary’s credentials and contact information, as well as her state of Oregon commission number (xx0524).
A few hours later, Comodo Validation responds, saying “We are unable to access the state of Oregon webpage. Please get back to us with the .pdf format of the webpage where the notary credentials are listing. So that we can proceed further.”
Problem: The State of Oregon does not publish the names of licensed/commissioned individuals online. You can only get this confirmation by purchasing apostille services from the state, where someone in the Oregon Secretary of State’s office stamps a notarized document with their approval that the notary is indeed registered. I also talked to my notary, and she said she doesn’t have access to any special web site for this sort of thing either. But she offers to send Comodo a copy of her notary license.
I decide to call Comodo directly, rather than wait another 24 hours for another non-answer. After waiting on hold about 15 minutes, I finally get to speak with a representative. When I explain my situation to him (that Comodo is requesting information that does not exist online), he tells me to email firstname.lastname@example.org… the same people I’ve already been dealing with for the past week. I ask him if he is at least able to look up my account and answer my original question of whether my fax and hard copy documents were actually lost. He informs me that their computers are down, and I need to email email@example.com.
I respond to Comodo, telling them that online notary verification isn’t available in Oregon, but that I can either send them my notary’s license, or I can go through the apostille process, which will be an extra cost and time sink for me. I ask “Will either of these methods be sufficient? If so, which ones? (Option #2 means I have to take time off work to travel to the state capital, so option #1 would be ideal.)”
DAY 7 (Jan 13)
Comodo responds, saying, “Kindly send the PDF, we will review and let you know the status, whether the pdf is acceptable or not.”
My notary provides a PDF of her license, which I forward to Comodo Validation.
DAY 8 (Jan 14)
Comodo responds with, “kindly provide a state of Oregon link where we can verify his job title. once we receive the link we will let you know the status of your order.”
What? First, what does my notary’s job title have to do with anything? Her job doesn’t have anything to do with the fact that she’s a commissioned notary. Second, both she and I work for a large high-tech company that takes privacy and security very seriously, and we do not publish any information about our employees online. Most tech companies don’t. Comodo, of all companies, has to understand this.
Where are the ACTUAL guidelines for face-to-face verification? Comodo has asked for all sorts of stuff that wasn’t in the document I was provided at the time of my order.
What else do I REALLY have to provide in order to confirm to Comodo I am who I say I am? I have complied every step of the way, and Comodo seems to just keep coming up with more reasons not to proceed.
If I go through the expensive and time consuming process of apostille services through Oregon, how do I know that Comodo’s even going to receive the documents I send them? They won’t even give me a straight answer on what happened to the first batch of stuff I both faxed and overnighted!