by cbg0 3933 days ago
Actually it's automated in most places, simply requiring you to confirm a request via an e-mail address associated with the domain you're getting an SSL for (typically admin@, hostmaster@, webmaster@, though it varies between certificate providers).

Most of the reputable CAs have some practices in place to check for keywords related to big brands and auto-reject certificate requests. (So you can't get a certificate for "login-facebook.com" or whatnot, for instance.)
"(So you can't get a certificate for "login-facebook.com" or whatnot, for instance.)"

You mean not from one of those "reputable" CAs. But really, why would I go to a "reputable" CA for my deceptive certificate if my intent is not so reputable?

There's no requirement in the spec for using "reputable" CAs for certificates.
Could you provide a few examples of reputable and not so reputable CAs?
Just browse the truststore of your browser, you'd be surprised.
No, they don't. What would be the point, anyway?
Er, from personal experience I can say that at least some well-known CAs absolutely do review keywords appearing in SSL certificate requests. For a (really stupid and disappointing) example, see:

http://forums.comodo.com/ssl-certificate-b14.0/-t106480.0.ht...