Comment 33 for bug 310999

In , Kyle H (aerowolf) wrote :

We know that the certificate that was mistakenly issued for mozilla.com was revoked, as soon as it was found by Comodo.

What we don't know is why Comodo doesn't perform its own domain validation, instead relying on the registration authorities it pays to do so. (The fact that the RAs are paid only if they have a certificate issued places them in an actual conflict of interest.)

I still think that Comodo has shown themselves incompetent with their design, and unless and until they remove ALL registration-authority functionality from ALL delegated registration authorities pending a complete redesign of the program (including adding the requirement that Comodo perform the domain control verifications itself rather than relying on the RAs to do it), I believe that they should have their trust bits removed; if they do not complete this within a standard product update cycle, they should be dropped from the trust program.