That’s an interesting mental exercise, as what the CA’s basically do is tie a domain name to an entity using an authoritative source - exactly what whois is today and an RDS would be in the future (in theory).
Certificate type dependant - the bulk of certs by the main CA's are validated by one of 4 methods: 1. trust in the people ordering it 2. by sending an email to(admin/administrator/webmaster/postmaster)@(thedomain) with a code/link (i.e. can they get/respond to an email) 3. simple nslookup of a CNAME containing the MD5 of the CSR (i.e. do they have access to edit the dns entries) 4. placement of a code/snippet/file on a website (i.e. do they have some form of file-level access to the hosting) Only for certain certificate types do they do things like look at "official" document sources to try and verify the provided data = some other database (and they don’t use WHOIS for that, they use the phone book !) and/or ask for scans (or faxes) of a utility bill etc Rob --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus