I work for one of the big CAs out there. For those domains a human actually performs a manual WHOIS query for those TLDs and then manually enters in the email address associated with the domain contact and they are required to include a screenshot of the WHOIS details for verification of the information. A second individual then is required to perform a verification that the email address entered is correct per the attached screenshot.

All of this, plus the querying of the organization's legal registration, business address and contact is all done by trained people and due to internal efficiencies and workflows we can complete that in a matter of minutes from the time a customer places an order.

In the end, even an organizational vetted certificate is still completed just as fast as it takes customers usually to click on the approval email to authorize issuance and submit the CSR for the certificate creation.

So it's a matter of cutting costs for Comodo. Thank you.

Have you considered generating these screenshots automatically? It seems like if you did, this would protect you against both typos and insiders.

I'd expect HTTP, DNS based or email to {hostmaster,postmaster,etc.}@domain validation to be more common than validation based on WHOIS data. There are probably very few domains for who only the WHOIS based validation is doable.

They may actually do it manually.