> For example, a cert where the owner validated "netwi.ru" was able to add "mx.idisk.su", an entirely different domain, without validating it.

Now that's odd, because I know those two domains. I've even requested some certificates for them myself before (never had anything odd; I think I would've noticed if there was a way to add a domain without validation), but I left the company in January 2015.

It was my coworker requesting that certificate, and I've just found (I still have access to the servers, as I help them with small issues on rare occasions) that on the same date it was issued (Feb 26, 2015) he had most certainly got a validation file (idisk.su.html) and put it into idisk.su's static root.

Webserver logs are, of course, long gone, so I can't really tell whether it was actually accessed or not, but I think when I had requested certificates myself it was a wizard-style process where one got a file to download and the only next action was to validate it, with no other way to proceed.

I mean, at least he got the file and put it there, in the proper place. And it's also weird that the certificate in question (https://crt.sh/?id=29805560) included another idisk.su subdomain (mail.idisk.su) that wasn't marked as not validated in the report (https://www.wosign.com/report/wosign_incidents_report_09042016.pdf, page 13).

I don't doubt there was a severe bug. But this leaves me wondering whether the analysis that followed was really accurate (not saying it wasn't, but I'm still sort of curious that it could be).
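The comment above turns on two separate questions: whether a file-based domain validation (a token file served from the site's static root) actually succeeded for each name, and whether every SAN in the issued certificate is covered by some validated name. The following Python is an added example, not code from the commenter, from WoSign, or from crt.sh; it simulates the CA side of a file-based validation with an injected fetcher over constructed document roots, and then audits a SAN list against the set of names that passed. The SAN list, the file names and the tokens are constructed for illustration and are not the contents of the certificate linked above; the rule that a validated base domain also covers its subdomains (the `allow_subdomains` flag) is an assumption about CA policy, exposed as a parameter so it can be switched off.

```python
import secrets


def fetch_from(web_roots):
    """Build a fake HTTP fetcher over constructed document roots.

    Returns a callable (host, path) -> body or None that stands in for the
    CA's outbound request to http://<host><path>. No network is used.
    """
    def fetch(host, path):
        return web_roots.get(host, {}).get(path)
    return fetch


def issue_challenge(domain):
    """Issue a file-based challenge for one name.

    The requester must serve the random token at http://<domain>/<domain>.html
    (the file-name convention is assumed here, modelled on the one named in
    the comment). A fresh token is generated per request so an old file
    cannot be replayed for a later certificate.
    """
    token = secrets.token_hex(16)
    return "/%s.html" % domain, token


def name_validated(domain, path, token, fetch):
    """True only if the challenge file for this exact name serves this token."""
    body = fetch(domain, path)
    return body is not None and body.strip() == token


def covered_by(san, validated, allow_subdomains=True):
    """Return the validated name that authorizes `san`, or None.

    With allow_subdomains=True a validated parent domain covers its children
    (assumed CA policy). The bare TLD is never treated as a parent.
    """
    san = san.lower().rstrip(".")
    if san in validated:
        return san
    if allow_subdomains:
        labels = san.split(".")
        for i in range(1, len(labels) - 1):
            parent = ".".join(labels[i:])
            if parent in validated:
                return parent
    return None


def unvalidated_sans(san_names, validated, allow_subdomains=True):
    """Names in the certificate that no validated name authorizes."""
    validated = {v.lower().rstrip(".") for v in validated}
    return [s for s in san_names
            if covered_by(s, validated, allow_subdomains) is None]


def audit_certificate(san_names, challenges, fetch, allow_subdomains=True):
    """Run every issued challenge, then audit the SAN list against the result.

    challenges: {domain: (path, token)} as handed to the requester.
    Returns (validated_names, sans_that_should_not_have_been_issued).
    """
    validated = {d for d, (path, token) in challenges.items()
                 if name_validated(d, path, token, fetch)}
    return validated, unvalidated_sans(san_names, validated, allow_subdomains)


if __name__ == "__main__":
    # Constructed scenario: two base domains, one challenge each.
    challenges = {d: issue_challenge(d) for d in ("netwi.ru", "idisk.su")}
    # Only netwi.ru's file is in place; idisk.su's was never uploaded.
    roots = {"netwi.ru": {challenges["netwi.ru"][0]: challenges["netwi.ru"][1]}}
    sans = ["netwi.ru", "mail.idisk.su", "mx.idisk.su"]  # constructed SAN list
    ok, bad = audit_certificate(sans, challenges, fetch_from(roots))
    print("validated:", sorted(ok))
    print("SANs lacking validation:", bad)
```

The audit deliberately re-runs the validation rather than trusting a stored "validated" flag, which is the check an incident reviewer would want: a name is either backed by a challenge that succeeded, or it should not be in the certificate.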