Руководство по выпуску и управлению EV SSL сертификатов с расширенной валидацией
11 Verification Requirements
11.1 General Overview
This part of the Guidelines sets forth Verification Requirements and Acceptable Methods of Verification for each such Requirement.
11.1.1 Verification Requirements – Overview
Before issuing an EV Certificate, the CA MUST ensure that all Subject organization information to be included in the EV Certificate
conforms to the requirements of, and is verified in accordance with, these Guidelines and matches the information confirmed and documented
by the CA pursuant to its verification processes. Such verification processes are intended to accomplish the following:
(1) Verify Applicant’s existence and identity, including;
(A) Verify the Applicant’s legal existence and identity (as more fully set forth in Section 11.2 herein),
(B) Verify the Applicant’s physical existence (business presence at a physical address), and
(C) Verify the Applicant’s operational existence (business activity).
(2) Verify the Applicant is a registered holder, or has exclusive control, of the Domain Name(s) to be included in the EV Certificate;
(3) Verify the Applicant’s authorization for the EV Certificate, including;
(A) Verify the name, title, and authority of the Contract Signer, Certificate Approver, and Certificate Requester,
(B) Verify that a Contract Signer signed the Subscriber Agreement or that a duly authorized Applicant Representative acknowledged and agreed to the Terms of Use; and
(C) Verify that a Certificate Approver has signed or otherwise approved the EV Certificate Request.
11.1.2 Acceptable Methods of Verification – Overview
As a general rule, the CA is responsible for taking all verification steps reasonably necessary to satisfy each of the Verification Requirements set forth in the subsections below. The Acceptable Methods of Verification set forth in each of Sections 11.2 through11.13 (which usually include alternatives) are considered to be the minimum acceptable level of verification required of the CA. In all cases, however, the CA is responsible for taking any additional verification steps that may be reasonably necessary under the circumstances to satisfy the applicable Verification Requirement.
11.2 Verification of Applicant’s Legal Existence and Identity
11.2.1 Verification Requirements
To verify the Applicant’s legal existence and identity, the CA MUST do the following.
(1) Private Organization Subjects
(A) Legal Existence: Verify that the Applicant is a legally recognized entity, in existence and validly formed (e.g., incorporated) with the Incorporating or Registration Agency in the Applicant’s Jurisdiction of Incorporation or Registration, and not designated on the records of the Incorporating or Registration Agency by labels such as “inactive”, “invalid”, “not current”, or the equivalent.
(B) Organization Name: Verify that the Applicant’s formal legal name as recorded with the Incorporating or Registration Agency in the Applicant’s Jurisdiction of Incorporation or Registration matches the Applicant’s name in the EV Certificate Request.
(C) Registration Number: Obtain the specific Registration Number assigned to the Applicant by the Incorporating or Registration Agency in the Applicant’s Jurisdiction of Incorporation or Registration. Where the Incorporating or Registration Agency does not assign a Registration Number, the CA SHALL obtain the Applicant’s date of Incorporation or Registration.
(D) Registered Agent: Obtain the identity and address of the Applicant’s Registered Agent or Registered Office (as applicable in the Applicant’s Jurisdiction of Incorporation or Registration).
(2) Government Entity Subjects
(A) Legal Existence: Verify that the Applicant is a legally recognized Government Entity, in existence in the political subdivision in which such Government Entity operates.
(B) Entity Name: Verify that the Applicant’s formal legal name matches the Applicant’s name in the EV Certificate Request.
(C) Registration Number: The CA MUST attempt to obtain the Applicant’s date of incorporation, registration, or formation, or the identifier for the legislative act that created the Government Entity. In circumstances where this information is not available, the CA MUST enter appropriate language to indicate that the Subject is a Government Entity.
(3) Business Entity Subjects
(A) Legal Existence: Verify that the Applicant is engaged in business under the name submitted by the Applicant in the Application.
(B) Organization Name: Verify that the Applicant’s formal legal name as recognized by the Registration Authority in the Applicant’s Jurisdiction of Registration matches the Applicant’s name in the EV Certificate Request.
(C) Registration Number: Attempt to obtain the specific unique Registration Number assigned to the Applicant by the Registration Agency in the Applicant’s Jurisdiction of Registration. Where the Registration Agency does not assign a Registration Number, the CA SHALL obtain the Applicant’s date of Registration.
(D) Principal Individual: Verify the identity of the identified Principal Individual.
(4) Non-Commercial Entity Subjects (International Organizations)
(A) Legal Existence: Verify that the Applicant is a legally recognized International Organization Entity.
(B) Entity Name: Verify that the Applicant's formal legal name matches the Applicant's name in the EV Certificate Request.
(C) Registration Number: The CA MUST attempt to obtain the Applicant's date of formation, or the identifier for the legislative act that created the International Organization Entity. In circumstances where this information is not available, the CA MUST enter appropriate language to indicate that the Subject is an International Organization Entity.
11.2.2 Acceptable Method of Verification (1) Private Organization Subjects: All items listed in Section 11.2.1(1) MUST be verified directly with, or obtained directly from, the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration. Such verification MAY be through use of a Qualified Government Information Source operated by, or on behalf of, the Incorporating or Registration Agency, or by direct contact with the Incorporating or Registration Agency in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Incorporating or Registration Agency, or from a Qualified Independent Information Source.
(2) Government Entity Subjects: All items listed in Section 11.2.1(2) MUST either be verified directly with, or obtained directly from, one of the following:
(i) a Qualified Government Information Source in the political subdivision in which such Government Entity operates;
(ii) a superior governing Government Entity in the same
political subdivision as the Applicant (e.g. a Secretary of State may verify the legal existence of a specific State Department), or
(iii) from a judge that is an active member of the federal, state or local judiciary within that political subdivision, or
(iv) an attorney representing the Government Entity.
Any communication from a judge SHALL be verified in the same manner as is used for verifying factual assertions that are asserted by an Attorney as set forth in Section 11.10.1.
Such verification MAY be by direct contact with the appropriate Government Entity in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained from a Qualified Independent Information Source.
(3) Business Entity Subjects: All items listed in Section 11.2.1(3) above, MUST be verified directly with, or obtained directly from, the Registration Agency in the Applicant's Jurisdiction of Registration. Such verification MAY be performed by means of a Qualified Government Information Source, a Qualified Governmental Tax Information Source, or by direct contact with the Registration Agency in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Qualified Governmental Tax Information Source or Registration Agency, or from a Qualified Independent Information Source. In addition, the CA MUST validate a Principal Individual associated with the Business Entity pursuant to the requirements in subsection (4), below.
(4) Principal Individual: A Principal Individual associated with the Business Entity MUST be validated in a face-to-face setting. The CA MAY rely upon a face-to-face validation of the Principal Individual performed by the Registration Agency, provided that the CA has evaluated the validation procedure and concluded that it satisfies the requirements of the Guidelines for face-to-face validation procedures. Where no face-to-face validation was conducted by the Registration Agency, or the Registration Agency’s face-to-face validation procedure does not satisfy the requirements of the Guidelines, the CA SHALL perform face-to-face validation.
(A) Face-To-Face Validation: The face-to-face validation MUST be conducted before either an employee of the CA, a Latin Notary, a Notary (or equivalent in the Applicant’s jurisdiction), a Lawyer, or Accountant (Third-Party Validator). The Principal Individual(s) MUST present the following documentation (Vetting Documents) directly to the Third-Party Validator:
(i) A Personal Statement that includes the following information:
1. Full name or names by which a person is, or has been, known (including all other names used);
2. Residential Address at which he/she can be located;
3. Date of birth; and
4. An affirmation that all of the information contained in the Certificate Request is true and correct.
(ii) A current signed government-issued identification document that includes a photo of the Individual and is signed by the Individual such as:
1. A passport;
2. A driver’s license;
3. A personal identification card;
4. A concealed weapons permit; or
5. A military ID.
(iii) At least two secondary documentary evidences to establish his/her identity that include the name of the Individual, one of which MUST be from a financial institution.
1. Acceptable financial institution documents include:
a. A major credit card, provided that it contains an expiration date and it has not expired'
b. A debit card from a regulated financial institution, provided that it contains an expiration date and it has not expired,
c. A mortgage statement from a recognizable lender that is less than six months old,
d. A bank statement from a regulated financial institution that is less than six months old.
2. Acceptable non-financial documents include:
a. Recent original utility bills or certificates from a utility company confirming the arrangement to pay for the services at a fixed address (not a mobile/cellular telephone bill),
b. A copy of a statement for payment of a lease, provided that the statement is dated within the past six months,
c. A certified copy of a birth certificate,
d. A local authority tax bill for the current year,
e. A certified copy of a court order, such as a divorce certificate, annulment papers, or adoption papers.
The Third-Party Validator performing the face-to-face validation MUST:
(i) Attest to the signing of the Personal Statement and the identity of the signer; and
(ii) Identify the original Vetting Documents used to perform the identification. In addition, the Third-Party Validator MUST attest on a copy of the current signed government-issued photo identification document that it is a full, true, and accurate reproduction of the original.
(B) Verification of Third-Party Validator: The CA MUST independently verify that the Third-Party Validator is a legally-qualified Latin Notary or Notary (or legal equivalent in the Applicant’s jurisdiction), lawyer, or accountant in the jurisdiction of the Individual’s residency, and that the Third-Party Validator actually did perform the services and did attest to the signature of the Individual.
(C) Cross-checking of Information: The CA MUST obtain the signed and attested Personal Statement together with the attested copy of the current signed government-issued photo identification document. The CA MUST review the documentation to determine that the information is consistent, matches the information in the application, and identifies the Individual. The CA MAY rely on electronic copies of this documentation, provided that:
(i) the CA confirms their authenticity (not improperly modified when compared with the underlying original) with the Third-Party Validator; and
(ii) electronic copies of similar kinds of documents are recognized as legal substitutes for originals under the laws of the CA’s jurisdiction.
(5) Non-Commercial Entity Subjects (International Organization): All items listed in Section 11.2.1 (4) MUST be verified either:
(A) With reference to the constituent document under which the International Organization was formed; or
(B) Directly with a signatory country's government in which the CA is permitted to do business. Such verification may be obtained from an appropriate government agency or from the laws of that country, or by verifying that the country's government has a mission to represent it at the International Organization; or
(C) Directly against any current list of qualified entities that the CA/Browser Forum may maintain at www.cabforum.org.
(D) In cases where the International Organization applying for the EV Certificate is an organ or agency - including a non-governmental organization of a verified International Organization, then the CA may verify the International Organization Applicant directly with the verified umbrella International Organization of which the Applicant is an organ or agency.
11.3 Verification of Applicant’s Legal Existence and Identity – Assumed Name
11.3.1 Verification Requirements
If, in addition to the Applicant’s formal legal name, as recorded with the applicable Incorporating Agency or Registration Agency in the Applicant’s Jurisdiction of Incorporation or Registration, the Applicant’s identity, as asserted in the EV Certificate, is to contain any assumed name (also known as “doing business as”, “DBA”, or “d/b/a” in the US, and “trading as” in the UK) under which the Applicant conducts business, the CA MUST verify that:
(i) the Applicant has registered its use of the assumed name with the appropriate government agency for such filings in the jurisdiction of its Place of Business (as verified in accordance with these Guidelines), and
(ii) that such filing continues to be valid.
11.3.2 Acceptable Method of Verification
To verify any assumed name under which the Applicant conducts business:
(1) The CA MAY verify the assumed name through use of a Qualified Government Information Source operated by, or on behalf of, an appropriate government agency in the jurisdiction of the Applicant’s Place of Business, or by direct contact with such government agency in person or via mail, e-mail, Web address, or telephone; or
(2) The CA MAY verify the assumed name through use of a Qualified Independent Information Source provided that the QIIS has verified the assumed name with the appropriate government agency.
(3) The CA MAY rely on a Verified Legal Opinion, or a Verified Accountant Letter that indicates the assumed name under which the Applicant conducts business, the government agency with which the assumed name is registered, and that such filing continues to be valid.
11.4 Verification of Applicant’s Physical Existence
11.4.1 Address of Applicant’s Place of Business
(1) Verification Requirements: To verify the Applicant's physical existence and business presence, the CA MUST verify that the physical address provided by the Applicant is an address where the Applicant or a Parent/Subsidiary Company conducts business operations (not, for example, a mail drop or P.O. box, or 'care of' (C/O) address, such as an address for an agent of the Organization), and is the address of the Applicant's Place of Business.
(2) Acceptable Methods of Verification
(A) Place of Business in the Country of Incorporation or Registration
(i) For Applicants whose Place of Business is in the same country as the Applicant's Jurisdiction of Incorporation or Registration and whose Place of Business is NOT the same as that indicated in the relevant Qualified Government Information Source used in Section 11.2 to verify legal existence: (1) For Applicants listed at the same Place of Business address in the current version of either at least one QGIS (other than that used to verify legal existence), QIIS or QTIS, the CA MUST confirm that the Applicant's address, as listed in the EV Certificate Request, is a valid business address for the Applicant or a Parent/Subsidiary Company by reference to such QGIS, QIIS, or QTIS, and MAY rely on the Applicant's representation that such address is its Place of Business;
(2) For Applicants who are not listed at the same Place of Business address in the current version of either at least one QIIS or QTIS, the CA MUST confirm that the address provided by the Applicant in the EV Certificate Request is the Applicant's or a Parent/Subsidiary Company's business address, by obtaining documentation of a site visit to the business address, which MUST be performed by a reliable individual or firm. The documentation of the site visit MUST:
(a) Verify that the Applicant's business is located at the exact address stated in the EV Certificate Request (e.g., via permanent signage, employee confirmation, etc.),
(b) Identify the type of facility (e.g., office in a commercial building, private residence, storefront, etc.) and whether it appears to be a permanent business location,
(c) Indicate whether there is a permanent sign (that cannot be moved) that identifies the Applicant,
(d) Indicate whether there is evidence that the Applicant is conducting ongoing business activities at the site (not that it is just, for example, a mail drop, P.O. box, etc.), and
(e) Include one or more photos of
(i) the exterior of the site (showing signage indicating the Applicant's name, if present, and showing the street address if possible), and
(ii) the interior reception area or workspace.
(2) For all Applicants, the CA MAY alternatively rely on a Verified Legal Opinion or a Verified Accountant Letter that indicates the address of the Applicant's or a Parent/Subsidiary Company's Place of Business and that business operations are conducted there.
(3) For Government Entity Applicants, the CA MAY rely on the address contained in the records of the QGIS in the Applicant's jurisdiction.
(4) For Applicants whose Place of Business is in the same country as the Applicant's Jurisdiction of Incorporation or Registration and where the QGIS used in Section 11.2 to verify legal existence contains a business address for the Applicant, the CA MAY rely on the address in the QGIS to confirm the Applicant's or a Parent/Subsidiary Company's address as listed in the EV Certificate Request, and MAY rely on the Applicant's representation that such address is its Place of Business.
(B) Place of Business not in the Country of Incorporation or Registration: The CA MUST rely on a Verified Legal Opinion or Verified Accountant's Letter that indicates the address of the Applicant's Place of Business and that business operations are conducted there.
11.4.2 Telephone Number for Applicant’s Place of Business
(1) Verification Requirements: To further verify the Applicant’s physical existence and business presence, as well as to assist in confirming other verification requirements, the CA MUST verify a main telephone number for one of the Applicant’s Places of Business.
(2) Acceptable Methods of Verification: To verify the Applicant’s telephone number, the CA MUST perform items A and either B or C as listed below:
(A) Confirm the Applicant’s telephone number by calling it and obtaining an affirmative response sufficient to enable a reasonable person to conclude that the Applicant is reachable by telephone at the number dialed;
(B) Confirm that the telephone number is listed as one of the Applicant’s or Parent/Subsidiary Company’s or Principal Individual’s (for business entities) telephone numbers, matching an address of one of the Applicant’s Places of Business in records provided by the applicable phone company, or, alternatively, in at least one QIIS, QGIS, or QTIS;
(C) Rely on a Verified Legal Opinion or a Verified Accountant Letter to the effect that the Applicant’s telephone number, as provided, is a main phone number for the Applicant’s Place of Business.
11.5 Verification of Applicant’s Operational Existence
11.5.1 Verification Requirements
If the Applicant, or a Parent or Affiliate of the Applicant, has been in existence for less than three years, as indicated by the records of the Incorporating Agency or Registration Agency, and is not listed in either the current version of one QIIS or QTIS, the CA MUST verify that the Applicant has the ability to engage in business. In other words, if the Applicant is a Subsidiary or Affiliate of an entity that the CA verified as in existence for three or more years, then the CA MAY rely on the existence of the Parent or Affiliate as verification of the Applicant’s operational existence.
11.5.2 Acceptable Methods of Verification
To verify the Applicant’s operational existence, the CA MUST perform one of the following:
(1) Verify that the Applicant has an active current Demand Deposit Account with a Regulated Financial Institution. The CA MUST receive authenticated documentation directly from a Regulated Financial Institution verifying that the Applicant has an active current Demand Deposit Account with the institution.
(2) Rely on a Verified Legal Opinion or a Verified Accountant Letter to the effect that the Applicant has an active current Demand Deposit Account with a Regulated Financial Institution.
11.6 Verification of Applicant’s Domain Name
11.6.1 Verification Requirements
The CA MUST confirm that the Applicant:
(A) Is the registered holder of the Domain Name, or
(B) Has been granted the exclusive right to use the Domain Name by the registered holder of the Domain Name;
To verify the Applicant’s registration, or exclusive control, of the Domain Name(s) to be listed in the EV Certificate, the CA MUST verify that each such Domain Name is registered with an Internet Corporation for Assigned Names and Numbers (ICANN)-approved registrar or a registry listed by the Internet Assigned Numbers Authority (IANA). For Government Entity Applicants, the CA MAY rely on the Domain Name listed for that entity in the records of the QGIS in the Applicant’s Jurisdiction.
The CA MUST compare any registration information that is publicly available from the WHOIS database with the verified Subject organization information and MUST confirm that it is neither misleading nor inconsistent.
The CA MUST further confirm that the Applicant is aware of its registration or exclusive control of the Domain Name.
11.6.2 Acceptable Methods of Verification
(1) Applicant as Registered Holder: Acceptable methods by which the CA MAY verify that the Applicant is the registered holder of the Domain Name include the following:
(A) Performing a WHOIS inquiry on the Internet for the Domain Name supplied by the Applicant, and obtaining a response indicating that the Applicant or a Parent/Subsidiary Company is the entity to which the Domain Name is registered; or
(B) Communicating with the contact listed on the WHOIS record to confirm that the Applicant is the registered holder of the Domain Name and having the contact update the WHOIS records to reflect the proper Domain Name registration. Confirmation that the registered owner of the Domain Name is a Parent/Subsidiary Company of the Applicant, or a registered trading name of the Applicant is sufficient to establish that the Applicant is the registered owner of the Domain Name;
(C) In cases where domain registration information is private, and the domain registrar offers services to forward communication to the registered domain holder, the CA MAY contact the Applicant through the domain registrar by e-mail or paper mail.
(2) Applicant’s Exclusive Right to Use: In cases where the Applicant is not the registered holder of the Domain Name, the CA MUST verify the Applicant’s exclusive right to use the Domain Name(s).
(A) In cases where the registered domain holder can be contacted using information obtained from WHOIS, or through the domain registrar, the CA MUST obtain positive confirmation from the registered domain holder by paper mail, e-mail, telephone, or facsimile that the Applicant has been granted the exclusive right to use the requested Fully Qualified Domain Name (FQDN).
If the Top-Level Domain is a generic top-level domain (gTLD) such as .com, .net, or .org in accordance with RFC 1591, the CA MUST obtain positive confirmation from the second-level domain registration holder. For example, if the requested FQDN is www1.www.example.com, the CA MUST obtain positive confirmation from the domain holder of example.com.
If the Top-Level Domain is a 2 letter Country Code Top-Level Domain (ccTLD), the CA MUST obtain positive confirmation from the domain holder at the appropriate domain level, based on the rules of the ccTLD. For example, if the requested FQDN is www.mysite.users.internet.co.uk, the CA MUST obtain positive confirmation from the domain holder of internet.co.uk.
In addition, the CA MUST verify the Applicant‘s exclusive right to use the Domain Name using one of the following methods:
(i) Relying on a Verified Legal Opinion or a Verified Accountant Letter to the effect that the Applicant has the exclusive right to use the specified Domain Name in identifying itself on the Internet; or
(ii) Relying on a representation from the Contract Signer, or the Certificate Approver, if expressly so authorized in a mutually-agreed-upon contract.
(B) In cases where the registered domain holder cannot be contacted, the CA MUST:
(i) Rely on a Verified Legal Opinion or a Verified Accountant Letter to the effect that the Applicant has the exclusive right to use the specified Domain Name in identifying itself on the Internet; and
(ii) Rely on a representation from the Contract Signer, or the Certificate Approver, if expressly so authorized in a mutually-agreed-upon contract, coupled with a practical demonstration by the Applicant establishing that it controls the Domain Name by making an agreed-upon change in information found online on a Web page identified by a uniform resource identifier containing the Applicant’s FQDN.
(3) Knowledge: Acceptable methods by which the CA MAY verify that the Applicant is aware that it has exclusive control of the Domain Name include the following:
(A) Relying on a Verified Legal Opinion or a Verified Accountant Letter to the effect that the Applicant is aware that it has exclusive control of the Domain Name; or
(B) Obtaining a confirmation from the Contract Signer or Certificate Approver verifying that the Applicant is aware that it has exclusive control of the Domain Name.
(4) Mixed Character Set Domain Names: EV Certificates MAY include Domain Names containing mixed character sets only in compliance with the rules set forth by the domain registrar. The CA MUST visually compare any Domain Names with mixed character sets with known high risk domains. If a similarity is found, then the EV Certificate Request MUST be flagged as High Risk. The CA must perform reasonably appropriate additional authentication and verification to be certain beyond reasonable doubt that the Applicant and the target in question are the same organization.
11.7 Verification of Name, Title, and Authority of Contract Signer and Certificate Approver
11.7.1 Verification Requirements
For both the Contract Signer and the Certificate Approver, the CA MUST verify the following.
(1) Name, Title and Agency: The CA MUST verify the name and title of the Contract Signer and the Certificate Approver, as applicable. The CA MUST also verify that the Contract Signer and the Certificate Approver are agents representing the Applicant.
(2) Signing Authority of Contract Signer: The CA MUST verify that the Contract Signer is authorized by the Applicant to enter into the Subscriber Agreement (and any other relevant contractual obligations) on behalf of the Applicant, including a contract that designates one or more Certificate Approvers on behalf of the Applicant.
(3) EV Authority of Certificate Approver: The CA MUST verify, through a source other than the Certificate Approver him- or herself, that the Certificate Approver is expressly authorized by the Applicant to do the following, as of the date of the EV Certificate Request:
(A) Submit, and, if applicable, authorize a Certificate Requester to submit, the EV Certificate Request on behalf of the Applicant; and
(B) Provide, and, if applicable, authorize a Certificate Requester to provide, the information requested from the Applicant by the CA for issuance of the EV Certificate; and
(C) Approve EV Certificate Requests submitted by a Certificate Requester.
11.7.2 Acceptable Methods of Verification – Name, Title and Agency
Acceptable methods of verification of the name, title, and agency status of the Contract Signer and the Certificate Approver include the following.
(1) Name and Title: The CA MAY verify the name and title of the Contract Signer and the Certificate Approver by any appropriate method designed to provide reasonable assurance that a person claiming to act in such a role is in fact the named person designated to act in such role.
(2) Agency: The CA MAY verify the agency of the Contract Signer and the Certificate Approver by:
(A) Contacting the Applicant’s Human Resources Department by phone or mail (at the phone number or address for the Applicant’s Place of Business, verified in accordance with these Guidelines) and obtaining confirmation that the Contract Signer and/or the Certificate Approver, as applicable, is an employee; or
(B) Obtaining an Independent Confirmation From the Applicant (as described in Section 11.10.4), or a Verified Legal Opinion (as described in Section 11.10.1), or a Verified Accountant Letter (as described in Section 11.10.2) verifying that the Contract Signer and/or the Certificate Approver, as applicable, is either an employee or has otherwise been appointed as an agent of the Applicant.
(C) Obtaining confirmation from a QIIS or QGIS that the Contract Signer and/or Certificate Approver is an employee of the Applicant.
The CA MAY also verify the agency of the Certificate Approver via a certification from the Contract Signer (including in a contract between the CA and the Applicant signed by the Contract Signer), provided that the employment or agency status and Signing Authority of the Contract Signer has been verified.
11.7.3 Acceptable Methods of Verification – Authority
Acceptable methods of verification of the Signing Authority of the Contract Signer, and the EV Authority of the Certificate Approver, as applicable, include:
(1) Legal Opinion: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by reliance on a Verified Legal Opinion (as described in Section 11.10.1);
(2) Accountant Letter: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by reliance on a Verified Accountant Letter (as described in Section 11.10.2);
(3) Corporate Resolution: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by reliance on a properly authenticated corporate resolution that confirms that the person has been granted such Signing Authority, provided that such resolution is
(i) certified by the appropriate corporate officer (e.g., secretary), and
(ii) the CA can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification;
(4) Independent Confirmation from Applicant: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by obtaining an Independent Confirmation from the Applicant (as described in Section 11.10.4);
(5) Contract between CA and Applicant: The EV Authority of the Certificate Approver MAY be verified by reliance on a contract between the CA and the Applicant that designates the Certificate Approver with such EV Authority, provided that the contract is signed by the Contract Signer and provided that the agency and Signing Authority of the Contract Signer have been verified;
(6) Prior Equivalent Authority: The signing authority of the Contract Signer, and/or the EV authority of the Certificate Approver, MAY be verified by relying on a demonstration of Prior Equivalent Authority.
(A) Prior Equivalent Authority of a Contract Signer MAY be relied upon for confirmation or verification of the signing authority of the Contract Signer when the Contract Signer has executed a binding contract between the CA and the Applicant with a legally valid and enforceable seal or handwritten signature and only when the contract was executed more than 90 days prior to the EV Certificate application. The CA MUST record sufficient details of the previous agreement to correctly identify it and associate it with the EV application. Such details MAY include any of the following:
(i) Agreement title,
(ii) Date of Contract Signer’s signature,
(iii) Contract reference number, and
(iv) Filing location.
(B) Prior Equivalent Authority of a Certificate Approver MAY be relied upon for confirmation or verification of the EV Authority of the Certificate Approver when the Certificate Approver has performed one or more of the following:
(i) Under contract to the CA, has served (or is serving) as an Enterprise RA for the Applicant, or
(ii) Has participated in the approval of one or more certificate requests, for certificates issued by the CA and which are currently and verifiably in use by the Applicant. In this case the CA MUST have contacted the Certificate Approver by phone at a previously validated phone number or have accepted a signed and notarized letter approving the certificate request.
(7) QIIS or QGIS: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by a QIIS or QGIS that identifies the Contract Signer and/or the Certificate Approver as a corporate officer, sole proprietor, or other senior official of the Applicant.
(8) Contract Signer’s Representation/Warranty: Provided that the CA verifies that the Contract Signer is an employee or agent of the Applicant, the CA MAY rely on the signing authority of the Contract Signer by obtaining a duly executed representation or warranty from the Contract Signer that includes the following acknowledgments:
(A) That the Applicant authorizes the Contract Signer to sign the Subscriber Agreement on the Applicant's behalf,
(B) That the Subscriber Agreement is a legally valid and enforceable agreement,
(C) That, upon execution of the Subscriber Agreement, the Applicant will be bound by all of its terms and conditions,
(D) That serious consequences attach to the misuse of an EV certificate, and
(E) The contract signer has the authority to obtain the digital equivalent of a corporate seal, stamp or officer's signature to establish the authenticity of the company's Web site.
Note: An example of an acceptable representation/warranty appears in Appendix E.
11.7.4 Pre-Authorized Certificate Approver
Where the CA and Applicant contemplate the submission of multiple future EV Certificate Requests, then, after the CA:
(1) Has verified the name and title of the Contract Signer and that he/she is an employee or agent of the Applicant; and
(2) Has verified the Signing Authority of such Contract Signer in accordance with one of the procedures in Section 11.7.3.
The CA and the Applicant MAY enter into a written agreement, signed by the Contract Signer on behalf of the Applicant, whereby, for a specified term, the Applicant expressly authorizes one or more Certificate Approver(s) designated in such agreement to exercise EV Authority with respect to each future EV Certificate Request submitted on behalf of the Applicant and properly authenticated as originating with, or otherwise being approved by, such Certificate Approver(s).
Such an agreement MUST provide that the Applicant shall be obligated under the Subscriber Agreement for all EV Certificates issued at the request of, or approved by, such Certificate Approver(s) until such EV Authority is revoked, and MUST include mutually agreed-upon provisions for
(i) authenticating the Certificate Approver when EV Certificate Requests are approved,
(ii) periodic re-confirmation of the EV Authority of the Certificate Approver,
(iii) secure procedures by which the Applicant can notify the CA that the EV Authority of any such Certificate Approver is revoked, and
(iv) such other appropriate precautions as are reasonably necessary.
11.8 Verification of Signature on Subscriber Agreement and EV Certificate Requests
Both the Subscriber Agreement and each non-pre-authorized EV Certificate Request MUST be signed. The Subscriber Agreement MUST be signed by an authorized Contract Signer. The EV Certificate Request MUST be signed by the Certificate Requester submitting the document, unless the Certificate Request has been pre-authorized in line with Section 11.7.4 of these Guidelines. If the Certificate Requester is not also an authorized Certificate Approver, then an authorized Certificate Approver MUST independently approve the EV Certificate Request. In all cases, applicable signatures MUST be a legally valid and contain an enforceable seal or handwritten signature (for a paper Subscriber Agreement and/or EV Certificate Request), or a legally valid and enforceable electronic signature (for an electronic Subscriber Agreement and/or EV Certificate Request), that binds the Applicant to the terms of each respective document.
11.8.1 Verification Requirements
(1) Signature: The CA MUST authenticate the signature of the Contract Signer on the Subscriber Agreement and the signature of the Certificate Requester on each EV Certificate Request in a manner that makes it reasonably certain that the person named as the signer in the applicable document is, in fact, the person who signed the document on behalf of the Applicant.
(2) Approval Alternative: In cases where an EV Certificate Request is signed and submitted by a Certificate Requester who does not also function as a Certificate Approver, approval and adoption of the EV Certificate Request by a Certificate Approver in accordance with the requirements of Section 11.9 can substitute for authentication of the signature of the Certificate Requester on such EV Certificate Request.
11.8.2 Acceptable Methods of Signature Verification
Acceptable methods of authenticating the signature of the Certificate Requester or Contract Signer include the following.
(1) A phone call to the Applicant’s or Agent’s phone number, as verified in accordance with these Guidelines, asking to speak to the Certificate Requester or Contract Signer, as applicable, followed by a response from someone who identifies themselves as such person confirming that he/she did sign the applicable document on behalf of the Applicant.
(2) A letter mailed to the Applicant’s or Agent’s address, as verified through independent means in accordance with these Guidelines, for the attention of the Certificate Requester or Contract Signer, as applicable, followed by a phone or mail response from someone who identifies themselves as such person confirming that he/she did sign the applicable document on behalf of the Applicant.
(3) Use of a signature process that establishes the name and title of the signer in a secure manner, such as through use of an appropriately secure login process that identifies the signer before signing, or through use of a digital signature made with reference to an appropriately verified certificate.
(4) Notarization by a notary, provided that the CA independently verifies that such notary is a legally qualified notary in the jurisdiction of the Certificate Requester or Contract Signer.
11.9 Verification of Approval of EV Certificate Request
11.9.1 Verification Requirements
In cases where an EV Certificate Request is submitted by a Certificate Requester, before the CA issues the requested EV Certificate, the CA MUST verify that an authorized Certificate Approver reviewed and approved the EV Certificate Request.
11.9.2 Acceptable Methods of Verification
Acceptable methods of verifying the Certificate Approver’s approval of an EV Certificate Request include:
(1) Contacting the Certificate Approver by phone or mail at a verified phone number or address for the Applicant and obtaining oral or written confirmation that the Certificate Approver has reviewed and approved the EV Certificate Request;
(2) Notifying the Certificate Approver that one or more new EV Certificate Requests are available for review and approval at a designated access-controlled and secure Web site, followed by a login by, and an indication of approval from, the Certificate Approver in the manner required by the Web site; or
(3) Verifying the signature of the Certificate Approver on the EV Certificate Request in accordance with Section 11.8 of these Guidelines.
11.10 Verification of Certain Information Sources
11.10.1 Verified Legal Opinion
(1) Verification Requirements: Before relying on a legal opinion submitted to the CA, the CA MUST verify that such legal opinion meets the following requirements:
(A) Status of Author: The CA MUST verify that the legal opinion is authored by an independent legal practitioner retained by and representing the Applicant (or an in-house legal practitioner employed by the Applicant) (Legal Practitioner) who is either:
(i) A lawyer (or solicitor, barrister, advocate, or equivalent) licensed to practice law in the country of the Applicant’s Jurisdiction of Incorporation or Registration or any jurisdiction where the Applicant maintains an office or physical facility, or
(ii) A notary that is a member of the International Union of Latin Notaries, and is licensed to practice in the country of the Applicant’s Jurisdiction of Incorporation or Registration or any jurisdiction where the Applicant maintains an office or physical facility (and that such jurisdiction recognizes the role of the Latin Notary);
(B) Basis of Opinion: The CA MUST verify that the Legal Practitioner is acting on behalf of the Applicant and that the conclusions of the Verified Legal Opinion are based on the Legal Practitioner’s stated familiarity with the relevant facts and the exercise of the Legal Practitioner’s professional judgment and expertise;
(C) Authenticity: The CA MUST confirm the authenticity of the Verified Legal Opinion.
(2) Acceptable Methods of Verification: Acceptable methods of establishing the foregoing requirements for a Verified Legal Opinion are:
(A) Status of Author: The CA MUST verify the professional status of the author of the legal opinion by directly contacting the authority responsible for registering or licensing such Legal Practitioner(s) in the applicable jurisdiction;
(B) Basis of Opinion: The text of the legal opinion MUST make it clear that the Legal Practitioner is acting on behalf of the Applicant and that the conclusions of the legal opinion are based on the Legal Practitioner’s stated familiarity with the relevant facts and the exercise of the practitioner’s professional judgment and expertise. The legal opinion MAY also include disclaimers and other limitations customary in the Legal Practitioner’s jurisdiction, provided that the scope of the disclaimed responsibility is not so great as to eliminate any substantial risk (financial, professional, and/or reputational) to the Legal Practitioner, should the legal opinion prove to be erroneous. An acceptable form of legal opinion is attached as Appendix B;
(C) Authenticity: To confirm the authenticity of the legal opinion, the CA MUST make a telephone call or send a copy of the legal opinion back to the Legal Practitioner at the address, phone number, facsimile, or (if available) e-mail address for the Legal Practitioner listed with the authority responsible for registering or licensing such Legal Practitioner, and obtain confirmation from the Legal Practitioner or the Legal Practitioner’s assistant that the legal opinion is authentic. If a phone number is not available from the licensing authority, the CA MAY use the number listed for the Legal Practitioner in records provided by the applicable phone company, QGIS, or QIIS.
In circumstances where the opinion is digitally signed, in a manner that confirms the authenticity of the document and the identity of the signer, as verified by the CA in Section 11.10.1 (2)(A), no further verification of authenticity is required.
11.10.2 Verified Accountant Letter
(1) Verification Requirements: Before relying on an accountant letter submitted to the CA, the CA MUST verify that such accountant letter meets the following requirements:
(A) Status of Author: The CA MUST verify that the accountant letter is authored by an independent Accounting Practitioner retained by and representing the Applicant (or an in-house professional accountant employed by the Applicant) who is a certified public accountant, chartered accountant, or has an equivalent license within the Applicant’s Jurisdiction of Incorporation, Jurisdiction of Registration, or the jurisdiction where the Applicant maintains an office or physical facility. Verification of license MUST be through that jurisdiction’s member of the International Federation of Accountants (IFAC) or through the regulatory organization in that jurisdiction appropriate to contact when verifying an accountant’s license to practice in that jurisdiction.
(B) Basis of Opinion: The CA MUST verify that the Accounting Practitioner is acting on behalf of the Applicant and that the conclusions of the Verified Accountant Letter are based on the Accounting Practitioner’s stated familiarity with the relevant facts and the exercise of the Accounting Practitioner’s professional judgment and expertise;
(C) Authenticity: The CA MUST confirm the authenticity of the Verified Accountant Letter.
(2) Acceptable Methods of Verification: Acceptable methods of establishing the foregoing requirements for a Verified Accountant Letter are listed here.
(A) Status of Author: The CA MUST verify the professional status of the author of the accountant letter by directly contacting the authority responsible for registering or licensing such Accounting Practitioners in the applicable jurisdiction.
(B) Basis of Opinion: The text of the Verified Accountant Letter MUST make clear that the Accounting Practitioner is acting on behalf of the Applicant and that the information in the letter is based on the Accounting Practitioner’s stated familiarity with the relevant facts and the exercise of the practitioner’s professional judgment and expertise. The Verified Accountant Letter MAY also include disclaimers and other limitations customary in the Accounting Practitioner’s jurisdiction, provided that the scope of the disclaimed responsibility is not so great as to eliminate any substantial risk (financial, professional, and/or reputational) to the Accounting Practitioner, should the Verified Accountant Letter prove to be erroneous. Acceptable forms of Verified Accountant Letter are attached as Appendix C.
(C) Authenticity: To confirm the authenticity of the accountant’s opinion, the CA MUST make a telephone call or send a copy of the Verified Accountant Letter back to the Accounting Practitioner at the address, phone number, facsimile, or (if available) e-mail address for the Accounting Practitioner listed with the authority responsible for registering or licensing such Accounting Practitioners and obtain confirmation from the Accounting Practitioner or the Accounting Practitioner’s assistant that the accountant letter is authentic. If a phone number is not available from the licensing authority, the CA MAY use the number listed for the Accountant in records provided by the applicable phone company, QGIS, or QIIS.
In circumstances where the opinion is digitally signed, in a manner that confirms the authenticity of the document and the identity of the signer, as verified by the CA in Section 11.10.2 (2)(A), no further verification of authenticity is required.
11.10.3 Face-to-Face Validation
(1) Verification Requirements: Before relying on face-to-face vetting documents submitted to the CA, the CA MUST verify that the Third-Party Validator meets the following requirements:
(A) Qualification of Third-Party Validator: The CA MUST independently verify that the Third-Party Validator is a legally-qualified Latin Notary or Notary (or legal equivalent in the Applicant’s jurisdiction), Lawyer, or Accountant in the jurisdiction of the individual’s residency;
(B) Document Chain of Custody: The CA MUST verify that the Third-Party Validator viewed the Vetting Documents in a face-to-face meeting with the individual being validated;
(C) Verification of Attestation: If the Third-Party Validator is not a Latin Notary, then the CA MUST confirm the authenticity of the attestation and vetting documents.
(2) Acceptable Methods of Verification: Acceptable methods of establishing the foregoing requirements for vetting documents are:
(A) Qualification of Third-Party Validator: The CA MUST verify the professional status of the Third-Party Validator by directly contacting the authority responsible for registering or licensing such Third-Party Validators in the applicable jurisdiction;
(B) Document Chain of Custody: The Third-Party Validator MUST submit a statement to the CA which attests that they obtained the Vetting Documents submitted to the CA for the individual during a face-to-face meeting with the individual;
(C) Verification of Attestation: If the Third-Party Validator is not a Latin Notary, then the CA MUST confirm the authenticity of the vetting documents received from the Third-Party Validator. The CA MUST make a telephone call to the Third-Party Validator and obtain confirmation from them or their assistant that they performed the face-to-face validation. The CA MAY rely upon self-reported information obtained from the Third-Party Validator for the sole purpose of performing this verification process. In circumstances where the attestation is digitally signed, in a manner that confirms the authenticity of the documents, and the identity of the signer as verified by the CA in Section 11.10.3 (1)(A), no further verification of authenticity is required.
11.10.4 Independent Confirmation From Applicant
An Independent Confirmation from the Applicant is a confirmation of a particular fact (e.g., knowledge of its exclusive control of a Domain Name, confirmation of the employee or agency status of a Contract Signer or Certificate Approver, confirmation of the EV Authority of a Certificate Approver, etc.) that is:
(A) Received by the CA from a Confirming Person (someone other than the person who is the subject of the inquiry) that has the appropriate authority to confirm such a fact, and who represents that he/she has confirmed such fact;
(B) Received by the CA in a manner that authenticates and verifies the source of the confirmation; and
(C) Binding on the Applicant.
An Independent Confirmation from the Applicant MAY be obtained via the following procedure:
(1) Confirmation Request: The CA MUST initiate a Confirmation Request via an appropriate out-of-band communication, requesting verification or confirmation of the particular fact at issue as follows:
(A) Addressee: The Confirmation Request MUST be directed to:
(i) A position within the Applicant’s organization that qualifies as a Confirming Person (e.g., Secretary, President, CEO, CFO, COO, CIO, CSO, Director, etc.) and is identified by name and title in a current QGIS, QIIS, QTIS, Verified Legal Opinion, Verified Accountant Letter, or by contacting the Applicant’s Human Resources Department by phone or mail (at the phone number or address for the Applicant’s Place of Business, verified in accordance with these Guidelines); or
(ii) The Applicant’s Registered Agent or Registered Office in the Jurisdiction of Incorporation as listed in the official records of the Incorporating Agency, with instructions that it be forwarded to an appropriate Confirming Person; or
(iii) A named individual verified to be in the direct line of management above the Contract Signer or Certificate Approver by contacting the Applicant’s Human Resources Department by phone or mail (at the phone number or address for the Applicant’s Place of Business, verified in accordance with these Guidelines).
(B) Means of Communication: The Confirmation Request MUST be directed to the Confirming Person in a manner reasonably likely to reach such person. The following options are acceptable:
(i) By paper mail addressed to the Confirming Person at:
(1) The address of the Applicant’s Place of Business as verified by the CA in accordance with these Guidelines, or
(2) The business address for such Confirming Person specified in a current QGIS, QTIS, QIIS, Verified Legal Opinion, or Verified Accountant Letter, or
(3) The address of the Applicant’s Registered Agent or Registered Office listed in the official records of the Jurisdiction of Incorporation, or
(ii) By e-mail addressed to the Confirming Person at the business e-mail address for such person listed in a current QGIS, QTIS, QIIS, Verified Legal Opinion, or Verified Accountant Letter; or
(iii) By telephone call to the Confirming Person, where such person is contacted by calling the main phone number of the Applicant’s Place of Business (verified in accordance with these Guidelines) and asking to speak to such person, and a person taking the call identifies him- or herself as such person; or
(iv) By facsimile to the Confirming Person at the Place of Business. The facsimile number must be listed in a current QGIS, QTIS, QIIS, Verified Legal Opinion, or Verified Accountant Letter. The cover page must be clearly addressed to the Confirming Person.
(2) Confirmation Response: The CA MUST receive a response to the Confirmation Request from a Confirming Person that confirms the particular fact at issue. Such response MAY be provided to the CA by telephone, by e-mail, or by paper mail, so long as the CA can reliably verify that it was provided by a Confirming Person in response to the Confirmation Request.
(3) The CA MAY rely on a verified Confirming Person to confirm their own contact information: email address, telephone number, and facsimile number. The CA MAY rely on this verified contact information for future correspondence with the Confirming Person if:
(A) The domain of the e-mail address is owned by the Applicant and is the Confirming Person’s own e-mail address and not a group e-mail alias;
(B) The Confirming Person’s telephone/fax number is verified by the CA to be a telephone number that is part of the organization’s telephone system, and is not the personal phone number for the person.
11.10.5 Qualified Independent Information Source
A Qualified Independent Information Source (QIIS) is a regularly-updated and current, publicly available, database designed for the purpose of accurately providing the information for which it is consulted, and which is generally recognized as a dependable source of such information. A commercial database is a QIIS if the following are true:
(1) Industry groups rely on the database for providing accurate location or contact information;
(2) The database distinguishes between self-reported data and data reported by independent information sources;
(3) The database provider identifies how frequently they update the information in their database;
(4) Changes in the data that will be relied upon will be reflected in the database in no more than 12 months; and
(5) The database provider uses authoritative sources independent of the Subject, or multiple corroborated sources, to which the data pertains.
Databases in which the CA or its owners or affiliated companies maintain a controlling interest, or in which any Registration Authorities or subcontractors to whom the CA has outsourced any portion of the vetting process (or their owners or affiliated companies) maintain any ownership or beneficial interest do not qualify as a QIIS. The CA MUST check the accuracy of the database and ensure its data is acceptable.
11.10.6 Qualified Government Information Source
A Qualified Government Information Source (QGIS) is a regularly-updated and current, publicly available, database designed for the purpose of accurately providing the information for which it is consulted, and which is generally recognized as a dependable source of such information provided that it is maintained by a Government Entity, the reporting of data is required by law, and false or misleading reporting is punishable with criminal or civil penalties. Nothing in these Guidelines shall prohibit the use of third-party vendors to obtain the information from the Government Entity provided that the third party obtains the information directly from the Government Entity.
11.10.7 Qualified Government Tax Information Source
A Qualified Government Tax Information Source is a Qualified Government Information Source that specifically contains tax information relating to Private Organizations, Business Entities or Individuals (e.g., the IRS in the United States).
11.11 Other Verification Requirements
11.11.1 High Risk Status
The requirements of Section 11.5 of the Baseline Requirements apply equally to EV Certificates.
11.11.2 Denied Lists and Other Legal Black Lists
(1) Verification Requirements: The CA MUST verify whether the Applicant, the Contract Signer, the Certificate Approver, the Applicant’s Jurisdiction of Incorporation, Registration, or Place of Business:
(A) Is identified on any government denied list, list of prohibited persons, or other list that prohibits doing business with such organization or person under the laws of the country of the CA’s jurisdiction(s) of operation; or
(B) Has its Jurisdiction of Incorporation, Registration, or Place of Business in any country with which the laws of the CA’s jurisdiction prohibit doing business.
The CA MUST NOT issue any EV Certificate to the Applicant if either the Applicant, the Contract Signer, or Certificate Approver or if the Applicant’s Jurisdiction of Incorporation or Registration or Place of Business is on any such list.
(2) Acceptable Methods of Verification: The CA MUST take reasonable steps to verify with the following lists and regulations:
(A) If the CA has operations in the U.S., the CA MUST take reasonable steps to verify with the following US Government denied lists and regulations:
(i) BIS Denied Persons List - http://www.bis.doc.gov/dpl/thedeniallist.asp
(ii) BIS Denied Entities List - http://www.bis.doc.gov/Entities/Default.htm
(iii) US Treasury Department List of Specially Designated Nationals and Blocked Persons - http://www.treas.gov/ofac/t11sdn.pdf
(iv) US Government export regulations
(B) If the CA has operations in any other country, the CA MUST take reasonable steps to verify with all equivalent denied lists and export regulations (if any) in such other country.
11.11.3 Parent/Subsidiary/Affiliate Relationship
A CA verifying an Applicant using information of the Applicant's Parent, Subsidiary, or Affiliate, when allowed under section 11.4.1, 11.4.2, 11.5.1, or 11.6.1, MUST verify the Applicant's relationship to the Parent, Subsidiary, or Affiliate. Acceptable methods of verifying the Applicant's relationship to the Parent, Subsidiary, or Affiliate include the following:
(1) QIIS or QGIS: The relationship between the Applicant and the Parent, Subsidiary, or Affiliate is identified in a QIIS or QGIS;
(2) Independent Confirmation from the Parent, Subsidiary, or Affiliate: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by obtaining an Independent Confirmation from the appropriate Parent, Subsidiary, or Affiliate (as described in Section 11.10.4);
(3) Contract between CA and Parent, Subsidiary, or Affiliate: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by relying on a contract between the CA and the Parent, Subsidiary, or Affiliate that designates the Certificate Approver with such EV Authority, provided that the contract is signed by the Contract Signer and provided that the agency and Signing Authority of the Contract Signer have been verified;
(4) Legal Opinion: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by relying on a Verified Legal Opinion (as described in Section 11.10.1);
(5) Accountant Letter: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by relying on a Verified Accountant Letter (as described in Section 11.10.2); or
(6) Corporate Resolution: A CA MAY verify the relationship between an Applicant and a Subsidiary by relying on a properly authenticated corporate resolution that approves creation of the Subsidiary or the Applicant, provided that such resolution is
(i) certified by the appropriate corporate officer (e.g., secretary), and
(ii) the CA can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification.
11.12 Final Cross-Correlation and Due Diligence
Except for Enterprise EV Certificates:
(1) The results of the verification processes and procedures outlined in these Guidelines are intended to be viewed both individually and as a group. Thus, after all of the verification processes and procedures are completed, the CA MUST have a person who is not responsible for the collection of information review all of the information and documentation assembled in support of the EV Certificate application and look for discrepancies or other details requiring further explanation.
(2) The CA MUST obtain and document further explanation or clarification from the Applicant, Certificate Approver, Certificate Requester, Qualified Independent Information Sources, and/or other sources of information, as necessary, to resolve those discrepancies or details that require further explanation.
(3) The CA MUST refrain from issuing an EV Certificate until the entire corpus of information and documentation assembled in support of the EV Certificate Request is such that issuance of the EV Certificate will not communicate factual information that the CA knows, or the exercise of due diligence should discover from the assembled information and documentation, to be inaccurate,. If satisfactory explanation and/or additional documentation are not received within a reasonable time, the CA MUST decline the EV Certificate Request and SHOULD notify the Applicant accordingly.
(4) In the case where some or all of the documentation used to support the application is in a language other than the CA’s normal operating language, the CA or its Affiliate MUST perform the requirements of this Final Cross-Correlation and Due Diligence section using employees under its control and having appropriate training, experience, and judgment in confirming organizational identification and authorization and fulfilling all qualification requirements contained in Section 14.1 of these Guidelines. When employees under the control of the CA do not possess the language skills necessary to perform the Final Cross-Correlation and Due Diligence a CA MAY:
(A) Rely on language translations of the relevant portions of the documentation, provided that the translations are received from a Translator; or
(B) When the CA has utilized the services of an RA, the CA MAY rely on the language skills of the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with Section 11.12, Subsections (1), (2) and (3). Notwithstanding the foregoing, prior to issuing the EV Certificate, the CA MUST review the work completed by the RA and determine that all requirements have been met; or
(C) When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of Sections 17.5 and 17.6.
In the case of Enterprise EV Certificates to be issued in compliance with the requirements of Section 14.2 of these Guidelines, the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section.
11.13 Requirements for Re-use of Existing Documentation
11.13.1 For Validated Data
(1) The age of validated data used to support issuance of an EV Certificate (before revalidation is required) SHALL NOT exceed the following limits:
(A) Legal existence and identity – thirteen months;
(B) Assumed name – thirteen months;
(C) Address of Place of Business – thirteen months, but thereafter data MAY be refreshed by checking a Qualified Independent Information Source, even where a site visit was originally required;
(D) Telephone number for Place of Business – thirteen months;
(E) Bank account verification – thirteen months;
(F) Domain Name – thirteen months;
(G) Identity and authority of Certificate Approver – thirteen months, unless a contract is in place between the CA and the Applicant that specifies a different term, in which case, the term specified in such contract will control. For example, the contract MAY use terms that allow the assignment of roles that are perpetual until revoked, or until the contract expires or is terminated.
(2) The age of information used by the CA to verify such an EV Certificate Request MUST NOT exceed the Maximum Validity Period for such information set forth above in subsection (1), based on the date the information was last updated by the QIIS, QGIS, or QTIS (e.g., if an online database was accessed by the CA on July 1, but contained data last updated by the QIIS, QGIS, or QTIS on February 1 of the same year, then the date on which the information was obtained would be considered to be February 1).
(3) The CA MAY issue multiple EV Certificates listing the same Subject and based on a single EV Certificate Request, subject to the aging and updating requirement stated above.
(4) Each EV Certificate issued by the CA MUST be supported by a valid current EV Certificate Request and a Subscriber Agreement signed by the appropriate Applicant Representative on behalf of the Applicant or Terms of Use acknowledged by the appropriate Applicant Representative.
(5) In the case of outdated information, the CA MUST repeat the verification processes required in these Guidelines.
11.13.2 Validation for Existing Subscribers
In conjunction with an EV Certificate Request placed by an Applicant who is already a customer of the CA, the CA MUST perform all authentication and verification tasks required by these Guidelines to ensure that the request is properly authorized by the Applicant and that the information in the EV Certificate will still be accurate and valid.
11.13.3 Exceptions
Notwithstanding the requirements set forth in Section Error! Reference source not found., when performing the authentication and verification tasks for issuing an EV Certificate where the Applicant has a current valid EV Certificate issued by the CA, a CA MAY:
(1) Rely on its prior authentication and verification of:
(A) The Principal Individual of a Business Entity under Section 11.2.2 (4) if the Principal Individual is the same as the Principal Individual verified by the CA in connection with the previously issued EV Certificate;
(B) The Applicant's Place of Business under Section 11.4.1;
(C) The telephone number of the Applicant's Place of Business required by Section 11.4.2, but still MUST perform the verification required by Section 11.4.2 (2)(A);
(D) The Applicant's Operational Existence under Section 11.5;
(E) The name, title, and authority of the Contract Signer, Certificate Approver, and Certificate Requester under Section 11.7, except where a contract is in place between the CA and the Applicant that specifies a specific term for the authority of the Contract Signer, and/or the Certificate Approver, and/or Certificate Requester in which case, the term specified in such contract will control;
(F) The email address used by the CA for independent confirmation from the Applicant under Section 11.10.4 (1)(B)(ii);
(2) Rely on a prior Verified Legal Opinion or Accountant Letter that established:
(A) The Applicant's exclusive right to use the specified Domain Name under Section 11.6.2 (2)(A)(i) and Section 11.6.2 (2)(B)(i), provided that the CA verifies that either:
(i) The WHOIS record still shows the same registrant as indicated when the CA received the prior Verified Legal Opinion or Verified Accountant Letter, or
(ii) The Applicant establishes domain control via a practical demonstration as detailed in Section 11.6.2(2)(B)(ii).
(B) That the Applicant is aware that it has exclusive control of the Domain Name, under Section 11.6.1 (3).
11.13.4 Validation of Re-issuance Requests
A CA may rely on previously verified information to issue a replacement certificate where:
(1) The expiration date of the replacement certificate is the same as the expiration date of the currently valid EV Certificate that is being replaced, and
(2) The Subject of the Certificate is the same as the Subject in the currently valid EV Certificate that is being replaced.