Comodo CA provides various types of SSL certificates. Some of their SSL certificates are issued by domain validation only.
But their EV SSL is issued by doing Company Validation, which means they cross-check the company details and also do phone verification.
What, pray tell, does such a process actually look like in reality? Does it look like a valid route towards verifying that your company and its officers are legitimate or, as is usually the case with these things, is it a system which can be easily manipulated to give you what you want without you giving it what it wants?
Let's start by looking at your domain registration details:
I've highlighted two important points there, firstly, that is the 'registered office' address for the company, as well as the given 'correspondence address' for 'Mr Peter Smith', the 'CryptoDAO Limited' sole director and shareholder.
Trouble is, there are a lot of other companies registered to that address, too. In fact it is quite obviously an address being used by a corporate service provider, whose nominee director is a 'Stefano Rossini':
So, we know you're using a company formation agent to provide your registered office/correspondence address. But the lack of other appointments for 'Mr Peter Smith' suggests that you didn't opt for a nominee because you'd still need to provide your details for the 'persons with significant control' section, as a nominee shareholder issues a Declaration of Trust document to the actual beneficial owner of the share and it is the B.O. who is legally recognised as having significant control over the company even when nominee directors and shareholders are used.
Still with me? I do hope so because I will now explain how you have played the system in order to fool your users into believing you have been validated and legitimised by it.
But, before I do, I'll just mention the relevance of the second item I highlighted in your domain reg info:
That phone number is not a UK phone network number, it is a VOIP line.
On to the EV SSL Certificate 'validation' of your company or, rather, how you gamed the system to get your EV SSL Certificate:
https://www.instantssl.com/ssl-certificate-products/ssl/ssl-ev-validation.html
The EV SSL Certificate vetting process will validate the requestor's domain control and verify the requesting entity's legal existence and identity. The EV SSL validation process is the most extensive and rigorous in the Industry. This process ensures that the green trust indicator will only be awarded to trustworthy and non-fraudulent websites.
Unlike other validation processes in the SSL industry, a certification authority issuing an EV SSL Certificate cannot rely on any kind of self-reported data (such as address and phone numbers) during the validation process. This means that all data provided by a company hoping to obtain an EV SSL Certificate will be checked against reliable third-party sources.
Before an EV SSL certificate can be issued, three important steps need to be performed by the EV SSL Certificate vendor. The steps are:
Confirm the existence of the Company through 3rd party sources
Verify that the request has been made on behalf of the company
Obtain mutual confirmation of the request between the Certificate Authority and the requesting party
Typically this is a contract that will be sent at the end of the validation process to the requesting party. The contract must be signed by an authorized person.
For all three steps listed above, special guidelines outline in detail what background checks should be performed by all Certificate Authorities issuing EV SSL Certificates.
Domain name
A customer wishing to obtain an EV SSL Certificate must own and control the domain name that will utilize the EV SSL Certificate. A Certificate Authority will check website registration records (Whois database) or may ask the customer to make a change to the website under the domain name.
Individual's authorization
The Certification Authority must verify that the individual requesting the certificate is acting as a legitimate agent for the requesting company.
One way that a Certificate Authority may verify this data is by contacting the requesting company's human resource department.
The Certificate Authority will also verify the identity of the contract signer (in most cases this will be a C level management person). Usually this is verified with written documentation.
Legal existence and identity
A Certificate Authority will check to make sure that the business is legally recognized and that the formal name matches the official Government records. In cases where a trading name is used, the Certificate Authority must verify any alternative names that differ from the legal name of the customer in qualified databases.
Physical existence
The Certification Authority is required to cross-check the address listed in the certificate application against a qualified government database. If the listed address cannot be verified by consulting the government database, an on-site visit may be necessary to investigate the discrepancy. Investigators may need to take photos of business operations or speak with company personnel.
Telephone number
The Certificate Authority will confirm that the telephone number listed on the certificate application is the primary telephone number for the requesting organization. This is accomplished by calling the number directly or by checking phone directory listings.
The bold components, utilising your anonymous structure, are gamed as follows:
Domain name - Yep, you have a domain name.
Individual's authorization - Yes, you have 'an individual' you have authorised (well, you have a name).
Legal existence and identity - Yes, you paid roughly twenty quid to get a UK company incorporated, so it definitely exists on the register.
Physical existence - Yes, the address you gave does actually exist. For your company and many many others registered to the same place.
Telephone number - You gave a VOIP number because that way you can receive calls to your 'Mr Peter Smith' who, no doubt, dutifully verifies that you are so totally legit, right?
So, in actuality, none of the process which you claim verifies the legitimacy of your operation actually proves anything about you, other than proving that you have taken the trouble to game the system without releasing any of your identity information, in order to lie to your users about the significance of an EV SSL Cert being issued in your twenty-quid UK incorp's name.
I see your 'Electronic Web Filing' link which supposedly 'proves' the legitimacy of 'Mr Peter Smith', and raise you another 'Electronic Web Filing' link which explains what that actually means.
https://ewf.companieshouse.gov.uk/help/en/stdwf/faqHelp.html
You either gave the incorporation agent the name to register as Director and Shareholder, which means the agent 'authenticated' the name 'Mr Peter Smith' (which simply means he confirms it to have been legitimately filed, not that it authenticates the identity of the person named), or you could have had your own authentication code sent to the 'registered office' (which is actually that of a formation agent) and they send it to you for you to 'authenticate' the details yourself.
As for your Dun & Bradstreet 'DUNS' number, well that is just self-selected registration again so it doesn't legitimise you either.
Absolutely none of what you claim proves your operation is legitimate actually does anything of the sort. In fact, given the lengths you have gone to in order to game the system as you have, it pretty much proves just how untrustworthy you are and how nobody should be sending their cryptocurrency to your exchange.