The gist is this: they query whois information for contact email addresses, which are used for domain ownership verification. For some domains, this information is only provided in image form via a web service to prevent scraping. So Comodo ran those images through OCR. However, the OCR system reproducibly mistook a lowercase L for a 1 if the next symbol as a number, or 1 for a lowercase L if it was followed by a letter. The same applies to 0/O.<p>The whole concept of OCRing whois ownership info and issuing certificates based on that seems like a terrible idea...