<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Nobody is perfect</title>
	<atom:link href="http://blog.phishme.com/2009/01/nobody-is-perfect/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.phishme.com/2009/01/nobody-is-perfect/</link>
	<description>Posts about innovative phishing ploys, social engineering techniques, and the latest hacks.  PhishMe is your one stop blog for the latest in anti-phishing and security news.</description>
	<lastBuildDate>Sat, 04 Feb 2012 10:16:28 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<item>
		<title>By: Dominic Montgomery</title>
		<link>http://blog.phishme.com/2009/01/nobody-is-perfect/comment-page-1/#comment-3660</link>
		<dc:creator>Dominic Montgomery</dc:creator>
		<pubDate>Thu, 23 Apr 2009 13:06:41 +0000</pubDate>
		<guid isPermaLink="false">http://blog.phishme.com/?p=130#comment-3660</guid>
		<description>I work for secure128.com who is a wholesale reseller (registerd agent) of several SSL brands. We considered also reselling the Comodo SSL brand but decided against it because of this very issue.  
 
As Bjorn posted above, &quot;there are proper CAs doing their best to make the world a safer place, and there are those out for easy money.&quot; is 100% correct in Comodo&#039;s case. 
 
The simple fact is that when you become a reseller of Comodo, you get the option in their portal to simply &quot;checkmark&quot; a box acknowledging that you have gathered all the required vetting documentation from your SSL customer for each order placed. This completely pushes off the responsibility of verifying domain owners&#039; identities from the Certificate Authority (Comodo) to the resellers, who are NOT in the business of verifying identities. 
 
In short, Comodo does not provide any form of domain owner identity verification through the resellers of their products at all! Sure they provide encryption but give you no idea of who actually owns the website you&#039;re attempting to trust. 
 
Pathetic! 
 
-Dom Montgomery </description>
		<content:encoded><![CDATA[<p>I work for secure128.com, which is a wholesale reseller (registered agent) of several SSL brands. We considered also reselling the Comodo SSL brand but decided against it because of this very issue. </p>
<p>As Bjorn posted above, &quot;there are proper CAs doing their best to make the world a safer place, and there are those out for easy money.&quot; is 100% correct in Comodo&#039;s case.</p>
<p>The simple fact is that when you become a reseller of Comodo, you get the option in their portal to simply &quot;checkmark&quot; a box acknowledging that you have gathered all the required vetting documentation from your SSL customer for each order placed. This completely pushes off the responsibility of verifying domain owners&#039; identities from the Certificate Authority (Comodo) to the resellers, who are NOT in the business of verifying identities.</p>
<p>In short, Comodo does not provide any form of domain owner identity verification through the resellers of their products at all! Sure they provide encryption but give you no idea of who actually owns the website you&#039;re attempting to trust.</p>
<p>Pathetic!</p>
<p>-Dom Montgomery</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ismael Casimpan</title>
		<link>http://blog.phishme.com/2009/01/nobody-is-perfect/comment-page-1/#comment-3504</link>
		<dc:creator>Ismael Casimpan</dc:creator>
		<pubDate>Wed, 28 Jan 2009 06:59:01 +0000</pubDate>
		<guid isPermaLink="false">http://blog.phishme.com/?p=130#comment-3504</guid>
		<description>Wow, thanks for the timely blog. I found this via Google researching for the keyword &quot;comodo sucks&quot; just to check if there is something negative being said about the company. 
 
We were about to consider purchasing a code signing certificate from them. But with this issue, I think we had better stick with the other guys: either Verisign or Godaddy. 
 
- Ismael </description>
		<content:encoded><![CDATA[<p>Wow, thanks for the timely blog. I found this via Google researching for the keyword &quot;comodo sucks&quot; just to check if there is something negative being said about the company.</p>
<p>We were about to consider purchasing a code signing certificate from them. But with this issue, I think we had better stick with the other guys: either Verisign or Godaddy.</p>
<p>- Ismael</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Bj&#248;rn Vermo</title>
		<link>http://blog.phishme.com/2009/01/nobody-is-perfect/comment-page-1/#comment-3405</link>
		<dc:creator>Bj&#248;rn Vermo</dc:creator>
		<pubDate>Mon, 05 Jan 2009 09:58:43 +0000</pubDate>
		<guid isPermaLink="false">http://blog.phishme.com/?p=130#comment-3405</guid>
		<description>As you say, there are proper CAs doing their best to make the world a safer place, and there are those out for easy money.  
 
Since there is no international system of approval for CAs, we are in a more difficult situation than when we want to know if a chartered accountant can be trusted. Each browser maker has to either do their own rather expensive vetting of CAs who want to be included in their rootstore, or they have to rely on somebody else&#039;s rootstore. Those who go with their own rootstore risk negative attention if they are being more careful than the most lenient competitor - &quot;browser X does not work with site Y&quot; - because most users do not understand that it has something to do with security until after they have been burned.   
 
Another problem is even bigger than the unreliable CA. The unreliable domain registrar has mostly been overlooked, even though they are in many cases easier to target.  
 
Even if the certificate providers do their job, that does not help much if the registrar does not provide up-to-date and truthful information about who owns the domain. Nor does it further net safety that some will let a domain be transferred quickly and without an audit trail, do not check the identity of the new owner, or any number of other sloppy behaviours we know have caused problems in the past. </description>
		<content:encoded><![CDATA[<p>As you say, there are proper CAs doing their best to make the world a safer place, and there are those out for easy money. </p>
<p>Since there is no international system of approval for CAs, we are in a more difficult situation than when we want to know if a chartered accountant can be trusted. Each browser maker has to either do their own rather expensive vetting of CAs who want to be included in their rootstore, or they have to rely on somebody else&#039;s rootstore. Those who go with their own rootstore risk negative attention if they are being more careful than the most lenient competitor &#8211; &quot;browser X does not work with site Y&quot; &#8211; because most users do not understand that it has something to do with security until after they have been burned.  </p>
<p>Another problem is even bigger than the unreliable CA. The unreliable domain registrar has mostly been overlooked, even though they are in many cases easier to target. </p>
<p>Even if the certificate providers do their job, that does not help much if the registrar does not provide up-to-date and truthful information about who owns the domain. Nor does it further net safety that some will let a domain be transferred quickly and without an audit trail, do not check the identity of the new owner, or any number of other sloppy behaviours we know have caused problems in the past.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Eddy Nigg</title>
		<link>http://blog.phishme.com/2009/01/nobody-is-perfect/comment-page-1/#comment-3396</link>
		<dc:creator>Eddy Nigg</dc:creator>
		<pubDate>Fri, 02 Jan 2009 23:02:38 +0000</pubDate>
		<guid isPermaLink="false">http://blog.phishme.com/?p=130#comment-3396</guid>
		<description>StartCom made the &quot;Critical Event Report&quot; publicly available &lt;a href=&quot;https://blog.startcom.org/?p=161&quot; rel=&quot;nofollow&quot;&gt;here&lt;/a&gt;. </description>
		<content:encoded><![CDATA[<p>StartCom made the &quot;Critical Event Report&quot; publicly available <a href="https://blog.startcom.org/?p=161" rel="nofollow">here</a>.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Eddy Nigg</title>
		<link>http://blog.phishme.com/2009/01/nobody-is-perfect/comment-page-1/#comment-3394</link>
		<dc:creator>Eddy Nigg</dc:creator>
		<pubDate>Fri, 02 Jan 2009 22:13:06 +0000</pubDate>
		<guid isPermaLink="false">http://blog.phishme.com/?p=130#comment-3394</guid>
		<description>Yes, that&#039;s correct. Mike Zusman detected a real flaw in our system by using an SSL proxy tool to change the values of the validation emails. The attempt to get a certificate for &lt;a href=&quot;http://www.verisign.com&quot; rel=&quot;nofollow&quot;&gt;www.verisign.com&lt;/a&gt; was detected within 8 minutes and Mike was blocked from our systems. After a short conversation, it was reproduced and correctly fixed. 
 
Nevertheless, this is under our direct control and, needless to say, our further layers of defense succeeded in preventing an attack on a high-profile target such as Verisign. As such, you are right, no system is perfect and mistakes do happen. However, exactly because of that, special care must be taken and the system itself must be protected. More than that, retaining all evidence is important as well. As such we also had the capability to verify if other such attempts happened. We&#039;ve found none. 
 
There is a huge difference in my opinion between this flaw and that of Comodo, as no validation system was in place at all. That&#039;s not a flaw, it was simply non-existent. Would StartCom outsource domain validation to a third party? Most likely not. </description>
		<content:encoded><![CDATA[<p>Yes, that&#039;s correct. Mike Zusman detected a real flaw in our system by using an SSL proxy tool to change the values of the validation emails. The attempt to get a certificate for <a href="http://www.verisign.com" rel="nofollow">http://www.verisign.com</a> was detected within 8 minutes and Mike was blocked from our systems. After a short conversation, it was reproduced and correctly fixed.</p>
<p>Nevertheless, this is under our direct control and, needless to say, our further layers of defense succeeded in preventing an attack on a high-profile target such as Verisign. As such, you are right, no system is perfect and mistakes do happen. However, exactly because of that, special care must be taken and the system itself must be protected. More than that, retaining all evidence is important as well. As such we also had the capability to verify if other such attempts happened. We&#039;ve found none.</p>
<p>There is a huge difference in my opinion between this flaw and that of Comodo, as no validation system was in place at all. That&#039;s not a flaw, it was simply non-existent. Would StartCom outsource domain validation to a third party? Most likely not.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

