From 3ee1f68e3a4ae74ea4728dd5fc2fa2c9abebe926 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Wed, 7 Jun 2023 14:53:04 -0700 Subject: [PATCH 01/48] Add files via upload --- docs/RFC3647_Template.md | 270 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 270 insertions(+) create mode 100644 docs/RFC3647_Template.md diff --git a/docs/RFC3647_Template.md b/docs/RFC3647_Template.md new file mode 100644 index 00000000..d995ea84 --- /dev/null +++ b/docs/RFC3647_Template.md 
@@ -0,0 +1,270 @@ +# 1. INTRODUCTION +## 1.1 Overview +## 1.2 Document name and identification +## 1.3 PKI participants +### 1.3.1 Certification authorities +### 1.3.2 Registration authorities +### 1.3.3 Subscribers +### 1.3.4 Relying parties +### 1.3.5 Other participants +## 1.4 Certificate usage +### 1.4.1 Appropriate certificate uses +### 1.4.2 Prohibited certificate uses +## 1.5 Policy administration +### 1.5.1 Organization administering the document +### 1.5.2 Contact person +### 1.5.3 Person determining CPS suitability for the policy +### 1.5.4 CPS approval procedures +## 1.6 Definitions and acronyms +# 2. PUBLICATION AND REPOSITORY RESPONSIBILITIES +## 2.1 Repositories +## 2.2 Publication of certification information +## 2.3 Time or frequency of publication +## 2.4 Access controls on repositories +# 3. IDENTIFICATION AND AUTHENTICATION (11) +## 3.1 Naming +### 3.1.1 Types of names +### 3.1.2 Need for names to be meaningful +### 3.1.3 Anonymity or pseudonymity of subscribers +### 3.1.4 Rules for interpreting various name forms +### 3.1.5 Uniqueness of names +### 3.1.6 Recognition, authentication, and role of trademarks +## 3.2 Initial identity validation +### 3.2.1 Method to prove possession of private key +### 3.2.2 Authentication of organization identity +### 3.2.3 Authentication of individual identity +### 3.2.4 Non-verified subscriber information +### 3.2.5 Validation of authority +### 3.2.6 Criteria for interoperation +## 3.3 Identification and authentication for re-key requests +### 3.3.1 Identification and authentication for routine re-key +### 3.3.2 Identification and authentication for re-key after revocation +## 3.4 Identification and authentication for revocation request +# 4. 
CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS +## 4.1 Certificate Application +### 4.1.1 Who can submit a certificate application +### 4.1.2 Enrollment process and responsibilities +## 4.2 Certificate application processing +### 4.2.1 Performing identification and authentication functions +### 4.2.2 Approval or rejection of certificate applications +### 4.2.3 Time to process certificate applications +## 4.3 Certificate issuance +### 4.3.1 CA actions during certificate issuance +### 4.3.2 Notification to subscriber by the CA of issuance of certificate +## 4.4 Certificate acceptance +### 4.4.1 Conduct constituting certificate acceptance +### 4.4.2 Publication of the certificate by the CA +### 4.4.3 Notification of certificate issuance by the CA to other entities +## 4.5 Key pair and certificate usage +### 4.5.1 Subscriber private key and certificate usage +### 4.5.2 Relying party public key and certificate usage +## 4.6 Certificate renewal +### 4.6.1 Circumstance for certificate renewal +### 4.6.2 Who may request renewal +### 4.6.3 Processing certificate renewal requests +### 4.6.4 Notification of new certificate issuance to subscriber +### 4.6.5 Conduct constituting acceptance of a renewal certificate +### 4.6.6 Publication of the renewal certificate by the CA +### 4.6.7 Notification of certificate issuance by the CA to other entities +## 4.7 Certificate re-key +### 4.7.1 Circumstance for certificate re-key +### 4.7.2 Who may request certification of a new public key +### 4.7.3 Processing certificate re-keying requests +### 4.7.4 Notification of new certificate issuance to subscriber +### 4.7.5 Conduct constituting acceptance of a re-keyed certificate +### 4.7.6 Publication of the re-keyed certificate by the CA +### 4.7.7 Notification of certificate issuance by the CA to other entities +## 4.8 Certificate modification +### 4.8.1 Circumstance for certificate modification +### 4.8.2 Who may request certificate modification +### 4.8.3 Processing certificate 
modification requests +### 4.8.4 Notification of new certificate issuance to subscriber +### 4.8.5 Conduct constituting acceptance of modified certificate +### 4.8.6 Publication of the modified certificate by the CA +### 4.8.7 Notification of certificate issuance by the CA to other entities +## 4.9 Certificate revocation and suspension +### 4.9.1 Circumstances for revocation +### 4.9.2 Who can request revocation +### 4.9.3 Procedure for revocation request +### 4.9.4 Revocation request grace period +### 4.9.5 Time within which CA must process the revocation request +### 4.9.6 Revocation checking requirement for relying parties +### 4.9.7 CRL issuance frequency (if applicable) +### 4.9.8 Maximum latency for CRLs (if applicable) +### 4.9.9 On-line revocation/status checking availability +### 4.9.10 On-line revocation checking requirements +### 4.9.11 Other forms of revocation advertisements available +### 4.9.12 Special requirements re key compromise +### 4.9.13 Circumstances for suspension +### 4.9.14 Who can request suspension +### 4.9.15 Procedure for suspension request +### 4.9.16 Limits on suspension period +## 4.10 Certificate status services +### 4.10.1 Operational characteristics +### 4.10.2 Service availability +### 4.10.3 Optional features +## 4.11 End of subscription +## 4.12 Key escrow and recovery +### 4.12.1 Key escrow and recovery policy and practices +### 4.12.2 Session key encapsulation and recovery policy and practices +# 5. 
FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS (11) +## 5.1 Physical controls +### 5.1.1 Site location and construction +### 5.1.2 Physical access +### 5.1.3 Power and air conditioning +### 5.1.4 Water exposures +### 5.1.5 Fire prevention and protection +### 5.1.6 Media storage +### 5.1.7 Waste disposal +### 5.1.8 Off-site backup +## 5.2 Procedural controls +### 5.2.1 Trusted roles +### 5.2.2 Number of persons required per task +### 5.2.3 Identification and authentication for each role +### 5.2.4 Roles requiring separation of duties +## 5.3 Personnel controls +### 5.3.1 Qualifications, experience, and clearance requirements +### 5.3.2 Background check procedures +### 5.3.3 Training requirements +### 5.3.4 Retraining frequency and requirements +### 5.3.5 Job rotation frequency and sequence +### 5.3.6 Sanctions for unauthorized actions +### 5.3.7 Independent contractor requirements +### 5.3.8 Documentation supplied to personnel +## 5.4 Audit logging procedures +### 5.4.1 Types of events recorded +### 5.4.2 Frequency of processing log +### 5.4.3 Retention period for audit log +### 5.4.4 Protection of audit log +### 5.4.5 Audit log backup procedures +### 5.4.6 Audit collection system (internal vs. external) +### 5.4.7 Notification to event-causing subject +### 5.4.8 Vulnerability assessments +## 5.5 Records archival +### 5.5.1 Types of records archived +### 5.5.2 Retention period for archive +### 5.5.3 Protection of archive +### 5.5.4 Archive backup procedures +### 5.5.5 Requirements for time-stamping of records +### 5.5.6 Archive collection system (internal or external) +### 5.5.7 Procedures to obtain and verify archive information +## 5.6 Key changeover +## 5.7 Compromise and disaster recovery +### 5.7.1 Incident and compromise handling procedures +### 5.7.2 Computing resources, software, and/or data are corrupted +### 5.7.3 Entity private key compromise procedures +### 5.7.4 Business continuity capabilities after a disaster +## 5.8 CA or RA termination +# 6. 
TECHNICAL SECURITY CONTROLS (11) +## 6.1 Key pair generation and installation +### 6.1.1 Key pair generation +### 6.1.2 Private key delivery to subscriber +### 6.1.3 Public key delivery to certificate issuer +### 6.1.4 CA public key delivery to relying parties +### 6.1.5 Key sizes +### 6.1.6 Public key parameters generation and quality checking +### 6.1.7 Key usage purposes (as per X.509 v3 key usage field) +## 6.2 Private Key Protection and Cryptographic Module Engineering Controls +### 6.2.1 Cryptographic module standards and controls +### 6.2.2 Private key (n out of m) multi-person control +### 6.2.3 Private key escrow +### 6.2.4 Private key backup +### 6.2.5 Private key archival +### 6.2.6 Private key transfer into or from a cryptographic module +### 6.2.7 Private key storage on cryptographic module +### 6.2.8 Method of activating private key +### 6.2.9 Method of deactivating private key +### 6.2.10 Method of destroying private key +### 6.2.11 Cryptographic Module Rating +## 6.3 Other aspects of key pair management +### 6.3.1 Public key archival +### 6.3.2 Certificate operational periods and key pair usage periods +## 6.4 Activation data +### 6.4.1 Activation data generation and installation +### 6.4.2 Activation data protection +### 6.4.3 Other aspects of activation data +## 6.5 Computer security controls +### 6.5.1 Specific computer security technical requirements +### 6.5.2 Computer security rating +## 6.6 Life cycle technical controls +### 6.6.1 System development controls +### 6.6.2 Security management controls +### 6.6.3 Life cycle security controls +## 6.7 Network security controls +## 6.8 Time-stamping +# 7. 
CERTIFICATE, CRL, AND OCSP PROFILES +## 7.1 Certificate profile +### 7.1.1 Version number(s) +### 7.1.2 Certificate extensions +### 7.1.3 Algorithm object identifiers +### 7.1.4 Name forms +### 7.1.5 Name constraints +### 7.1.6 Certificate policy object identifier +### 7.1.7 Usage of Policy Constraints extension +### 7.1.8 Policy qualifiers syntax and semantics +### 7.1.9 Processing semantics for the critical Certificate Policies extension +## 7.2 CRL profile +### 7.2.1 Version number(s) +### 7.2.2 CRL and CRL entry extensions +## 7.3 OCSP profile +### 7.3.1 Version number(s) +### 7.3.2 OCSP extensions +# 8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS +## 8.1 Frequency or circumstances of assessment +## 8.2 Identity/qualifications of assessor +## 8.3 Assessor's relationship to assessed entity +## 8.4 Topics covered by assessment +## 8.5 Actions taken as a result of deficiency +## 8.6 Communication of results +# 9. OTHER BUSINESS AND LEGAL MATTERS +## 9.1 Fees +### 9.1.1 Certificate issuance or renewal fees +### 9.1.2 Certificate access fees +### 9.1.3 Revocation or status information access fees +### 9.1.4 Fees for other services +### 9.1.5 Refund policy +## 9.2 Financial responsibility +### 9.2.1 Insurance coverage +### 9.2.2 Other assets +### 9.2.3 Insurance or warranty coverage for end-entities +## 9.3 Confidentiality of business information +### 9.3.1 Scope of confidential information +### 9.3.2 Information not within the scope of confidential information +### 9.3.3 Responsibility to protect confidential information +## 9.4 Privacy of personal information +### 9.4.1 Privacy plan +### 9.4.2 Information treated as private +### 9.4.3 Information not deemed private +### 9.4.4 Responsibility to protect private information +### 9.4.5 Notice and consent to use private information +### 9.4.6 Disclosure pursuant to judicial or administrative process +### 9.4.7 Other information disclosure circumstances +## 9.5 Intellectual property rights +## 9.6 Representations and 
warranties +### 9.6.1 CA representations and warranties +### 9.6.2 RA representations and warranties +### 9.6.3 Subscriber representations and warranties +### 9.6.4 Relying party representations and warranties +### 9.6.5 Representations and warranties of other participants +## 9.7 Disclaimers of warranties +## 9.8 Limitations of liability +## 9.9 Indemnities +## 9.10 Term and termination +### 9.10.1 Term +### 9.10.2 Termination +### 9.10.3 Effect of termination and survival +## 9.11 Individual notices and communications with participants +## 9.12 Amendments +### 9.12.1 Procedure for amendment +### 9.12.2 Notification mechanism and period +### 9.12.3 Circumstances under which OID must be changed +## 9.13 Dispute resolution provisions +## 9.14 Governing law +## 9.15 Compliance with applicable law +## 9.16 Miscellaneous provisions +### 9.16.1 Entire agreement +### 9.16.2 Assignment +### 9.16.3 Severability +### 9.16.4 Enforcement (attorneys' fees and waiver of rights) +### 9.16.5 Force Majeure +## 9.17 Other provisions From d6b5067048723eb4776f8537600f15cbdd168bbf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Wed, 7 Jun 2023 15:01:28 -0700 Subject: [PATCH 02/48] EVG.md --- docs/EVG.md | 2000 +++++++-------------------------------------------- 1 file changed, 271 insertions(+), 1729 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index 4f1d5df9..5b8495ba 100644 --- a/docs/EVG.md +++ b/docs/EVG.md @@ -1,6 +1,6 @@ --- title: Guidelines for the Issuance and Management of Extended Validation Certificates -subtitle: Version 1.8.0 +subtitle: Version 2.0.0 author: - CA/Browser Forum date: 30 November, 2022 
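Review bot: the three headings `# 3. IDENTIFICATION AND AUTHENTICATION (11)`, `# 5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS (11)` and `# 6. TECHNICAL SECURITY CONTROLS (11)` in docs/RFC3647_Template.md carry a trailing `(11)` that nothing in the 270 added lines defines; it reads as a note marker copied along with the outline and should be dropped so the skeleton headings are clean before EVG.md is poured into them. While touching the headings, make the capitalisation consistent: `## 4.1 Certificate Application`, `## 6.2 Private Key Protection and Cryptographic Module Engineering Controls`, `### 6.2.11 Cryptographic Module Rating` and `### 9.16.5 Force Majeure` are in title case while every other heading in the file is in sentence case (for example `## 4.2 Certificate application processing`). The template also lacks the YAML front matter block (`title`, `subtitle`, `author`, `date`, `copyright`) that EVG.md carries in the next patch, so a document generated from it would have no metadata; and the commit message "Add files via upload" says nothing about what the file is for, which matters because PATCH 02 relies on it as the target structure for a 1700-line restructure.

Review bot: the subtitle is bumped from `Version 1.8.0` to `Version 2.0.0` but the unchanged context line `date: 30 November, 2022` is left as the document date, so the front matter now claims a 2.0.0 that was published on the 1.8.0 date. Update `date:` to the adoption or effective date of the 2.0.0 ballot in the same hunk, since the two fields are read together by whatever renders the front matter.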
@@ -10,1731 +10,273 @@ copyright: | This work is licensed under the Creative Commons Attribution 4.0 International license. --- -# Introduction - -The Guidelines describe an integrated set of technologies, protocols, identity proofing, lifecycle management, and auditing practices specifying the minimum requirements that must be met in order to issue and maintain Extended Validation Certificates ("EV Certificates") concerning an organization. Subject Organization information from valid EV Certificates can then be used in a special manner by certain relying-party software applications (e.g., browser software) in order to provide users with a trustworthy confirmation of the identity of the entity that controls the Web site or other services they are accessing. Although initially intended for use in establishing Web-based data communication conduits via TLS/SSL protocols, extensions are envisioned for S/MIME, time-stamping, VoIP, IM, Web services, etc. - -The primary purposes of Extended Validation Certificates are to: 1) identify the legal entity that controls a Web or service site, and 2) enable encrypted communications with that site. The secondary purposes include significantly enhancing cybersecurity by helping establish the legitimacy of an organization claiming to operate a Web site, and providing a vehicle that can be used to assist in addressing problems related to distributing malware, phishing, identity theft, and diverse forms of online fraud. - -**Notice to Readers** - -The Guidelines for the Issuance and Management of Extended Validation Certificates present criteria established by the CA/Browser Forum for use by certification authorities when issuing, maintaining, and revoking certain digital certificates for use in Internet Web site commerce. These Guidelines may be revised from time to time, as appropriate, in accordance with procedures adopted by the CA/Browser Forum. 
Questions or suggestions concerning these guidelines may be directed to the CA/Browser Forum at . - -**The CA/Browser Forum** - -The CA/Browser Forum is a voluntary open organization of certification authorities and suppliers of Internet browsers and other relying-party software applications. Membership is listed at . - -## Document History - -| **Ver.** | **Ballot** | **Description** | **Adopted** | **Effective\*** | -|-|-|-----|--|--| -| 1.4.0 | 72 | Reorganize EV Documents | 29 May 2012 | 29 May 2012 | -| 1.4.1 | 75 | NameConstraints Criticality Flag | 8 June 2012 | 8 June 2012 | -| 1.4.2 | 101 | EV 11.10.2 Accountants | 31 May 2013 | 31 May 2013 | -| 1.4.3 | 104 | Domain verification for EV Certificates | 9 July 2013 | 9 July 2013 | -| 1.4.4 | 113 | Revision to QIIS in EV Guidelines | 13 Jan 2014 | 13 Jan 2014 | -| 1.4.5 | 114 | Improvements to the EV Definitions | 28 Jan 2014 | 28 Jan 2014 | -| 1.4.6 | 119 | Remove "OfIncorporation" from OID descriptions in EVG 9.2.5 | 24 Mar 2014 | 24 Mar 2014 | -| 1.4.7 | 120 | Affiliate Authority to Verify Domain | 5 June 2014 | 5 June 2014 | -| 1.4.8 | 124 | Business Entity Clarification | 5 June 2014 | 5 June 2014 | -| 1.4.9 | 127 | Verification of Name, Title and Agency | 17 July 2014 | 17 July 2014 | -| 1.5.0 | 126 | Operational Existence | 24 July 2014 | 24 July 2014 | -| 1.5.1 | 131 | Verified Method of Communication | 12 Sept 2014 | 12 Sept 2014 | -| 1.5.2 | 123 | Reuse of Information | 16 Oct. 2014 | 16 Oct. 2014 | -| 1.5.3 | 144 | Validation rules for .onion names | 18 Feb. 2015 | 18 Feb. 2015 | -| 1.5.4 | 146 | Convert Baseline Requirements to RFC 3647 Framework | 16 Apr. 2015 | 16 Apr. 2015 | -| 1.5.5 | 145 | Operational Existence for Government Entities | 5 Mar. 2015 | 5 Mar. 
2015 | -| 1.5.6 | 147 | Attorney-Accountant Letter Changes | 25 June 2015 | 25 June 2015 | -| 1.5.7 | 151 | Addition of Optional OIDs for Indicating Level of Validation | 28 Sept 2015 | 28 Sept 2015 | -| 1.5.8 | 162 | Sunset of Exceptions | 15 Mar 2016 | 15 Mar 2016 | -| 1.5.9 | 163 | Fix Errata in EV Guidelines 11.2.1 | 18 Mar 2016 | 18 Mar 2016 | -| 1.6.0 | 171 | Updating ETSI Standards | 1 July 2016 | 1 July 2016 | -| 1.6.1 | 180 | In EV 11.7.1, removed outdated cross-reference to BR 3.2.2.4(7) | 7 Jan. 2017 | 7 Jan. 2017 | -| 1.6.2 | 103 | 825-day Certificate Lifetimes | 17 Mar. 2017 | 17 Mar. 2017 | -| 1.6.3 | 198 | .Onion Revisions (declared invalid) | 7 May 2017 | 8 June 2017 | -| 1.6.4 | 191 | Clarify Place of Business Information | 23 May 2017 | 23 June 2017 | -| 1.6.5 | 201 | .onion Revisions | 8 June 2017 | 8 July 2017 | -| 1.6.6 | 192 | Notary revision | 28 June 2017 | 28 July 2017 | -| 1.6.7 | 207 | ASN.1 Jurisdiction | 23 October 2017 | 23 November 2017 | -| 1.6.8 | 217 | Sunset RFC 2527 | 21 Dec 2017 | 9 Mar 2018 | -| 1.6.9 | SC16 | Other Subject Attributes | 15 Mar 2019 | 16 Apr 2019 | -| 1.7.0 | SC17 | Alternative registration numbers for EV certificates | 21 May 2019 | 21 June 2019 | -| 1.7.1 | SC24 | Fall cleanup v2 | 12 Nov 2019 | 19 Dec 2019 | -| 1.7.2 | SC27 | Version 3 Onion Certificates | 19-Feb-2020 | 27-Mar-2020 | -| 1.7.3 | SC30 | Disclosure of Registration / Incorporating Agency | 13-Jul-2020 | 20-Aug-2020 | -| 1.7.3 | SC31 | Browser Alignment | 16-Jul-2020 | 20-Aug-2020 | -| 1.7.4 | SC35 | Cleanups and Clarifications | 9-Sep-2020 | 19-Oct-2020 | -| 1.7.5 | SC41 | Reformatting the BRs, EVGs, and NCSSRs | 24-Feb-2021 | 5-Apr-2021 | -| 1.7.6 | SC42 | 398-day Re-use Period | 22-Apr-2021 | 2-Jun-2021 | -| 1.7.7 | SC47 | Sunset subject:organizationalUnitName | 30-Jun-2021 | 16-Aug-2021 | -| 1.7.8 | SC48 | Domain Name and IP Address Encoding | 22-Jul-2021 | 25-Aug-2021 | -| 1.7.9 | SC54 | Onion Cleanup | 24-Mar-2022 | 23-Apr-2022 | -| 1.8.0 | 
SC56 | 2022 Cleanup | 25-Oct-2022 | 30-Nov-2022 | - -\* Effective Date and Additionally Relevant Compliance Date(s) - -## Relevant Dates - -| **Compliance** | **Section(s)** | **Summary Description (See Full Text for Details)** | -|--|--|----------| -| 2020-01-31 | [9.2.8](#928-subject-organization-identifier-field) | If subject:organizationIdentifier is present, the CA/Browser Forum Organization Identifier Extension MUST be present | -| 2020-09-01 | [9.4](#94-maximum-validity-period-for-ev-certificate) & Appendix F | Certificates issued MUST NOT have a Validity Period greater than 398 days. | -| 2020-10-01 | [11.1.3](#1113-disclosure-of-verification-sources) | Prior to using an Incorporating Agency or Registration Agency, the CA MUST ensure the agency has been publicly disclosed | -| 2022-09-01 | [9.2.7](#927-subject-organizational-unit-name-field) | CAs MUST NOT include the organizationalUnitName field in the Subject | - -**Implementers' Note**: Version 1.3 of these EV Guidelines was published on 20 November 2010 and supplemented through May 2012 when version 1.4 was published. ETSI TS 102 042 and ETSI TR 101 564 Technical Report: Guidance on ETSI TS 102 042 for Issuing Extended Validation Certificates for Auditors and CSPs reference version 1.3 of these EV Guidelines, and ETSI Draft EN 319 411-1 references version 1.4. Version 1.4.5 of Webtrust(r) for Certification Authorities – Extended Validation Audit Criteria references version 1.4.5 of these EV Guidelines. As illustrated in the Document History table above, the CA/Browser Forum continues to improve relevant industry guidelines, including this document, the Baseline Requirements, and the Network and Certificate System Security Requirements. We encourage all CAs to conform to each revision on the date specified without awaiting a corresponding update to an applicable audit criterion. 
In the event of a conflict between an existing audit criterion and a guideline revision, we will communicate with the audit community and attempt to resolve any uncertainty. We will respond to implementation questions directed to questions@cabforum.org. Our coordination with compliance auditors will continue as we develop guideline revision cycles that harmonize with the revision cycles for audit criteria, the compliance auditing periods and cycles of CAs, and the CA/Browser Forum's guideline implementation dates. - -# 1. Scope - -These Guidelines for the issuance and management of Extended Validation Certificates describe certain of the minimum requirements that a Certification Authority must meet in order to issue Extended Validation Certificates. Subject Organization information from Valid EV Certificates may be displayed in a special manner by certain relying-party software applications (e.g., browser software) in order to provide users with a trustworthy confirmation of the identity of the entity that controls the Web site they are accessing. These Guidelines incorporate the Baseline Requirements established by the CA/Browser Forum by reference. A copy of the Baseline Requirements is available on the CA/Browser Forum's website at . - -These Guidelines address the basic issue of validating Subject identity information in EV Certificates and some related matters. They do not address all of the related matters, such as certain technical and operational ones. This version of the Guidelines addresses only requirements for EV Certificates intended to be used for SSL/TLS authentication on the Internet and for code signing. Similar requirements for S/MIME, time-stamping, VoIP, IM, Web services, etc. may be covered in future versions. 
- -These Guidelines do not address the verification of information, or the issuance, use, maintenance, or revocation of EV Certificates by enterprises that operate their own Public Key Infrastructure for internal purposes only, where its Root CA Certificate is not distributed by any Application Software Supplier. - -# 2. Purpose - -## 2.1. Purpose of EV Certificates - -EV Certificates are intended for establishing Web-based data communication conduits via the TLS/SSL protocols and for verifying the authenticity of executable code. - -### 2.1.1. Primary Purposes - -The primary purposes of an EV Certificate are to: - -1. **Identify the legal entity that controls a Web site**: Provide a reasonable assurance to the user of an Internet browser that the Web site the user is accessing is controlled by a specific legal entity identified in the EV Certificate by name, address of Place of Business, Jurisdiction of Incorporation or Registration and Registration Number or other disambiguating information; and - -2. **Enable encrypted communications with a Web site**: Facilitate the exchange of encryption keys in order to enable the encrypted communication of information over the Internet between the user of an Internet browser and a Web site. - -### 2.1.2. Secondary Purposes - -The secondary purposes of an EV Certificate are to help establish the legitimacy of a business claiming to operate a Web site or distribute executable code, and to provide a vehicle that can be used to assist in addressing problems related to phishing, malware, and other forms of online identity fraud. By providing more reliable third-party verified identity and address information regarding the business, EV Certificates may help to: - -1. Make it more difficult to mount phishing and other online identity fraud attacks using Certificates; -2. Assist companies that may be the target of phishing attacks or online identity fraud by providing them with a tool to better identify themselves to users; and -3. 
Assist law enforcement organizations in their investigations of phishing and other online identity fraud, including where appropriate, contacting, investigating, or taking legal action against the Subject. - -### 2.1.3. Excluded Purposes - -EV Certificates focus only on the identity of the Subject named in the Certificate, and not on the behavior of the Subject. As such, an EV Certificate is **not** intended to provide any assurances, or otherwise represent or warrant: - -1. That the Subject named in the EV Certificate is actively engaged in doing business; -2. That the Subject named in the EV Certificate complies with applicable laws; -3. That the Subject named in the EV Certificate is trustworthy, honest, or reputable in its business dealings; or -4. That it is "safe" to do business with the Subject named in the EV Certificate. - -# 3. References - -See Baseline Requirements, which are available at . - -# 4. Definitions - -Capitalized Terms are defined in the Baseline Requirements except where provided below: - -**Accounting Practitioner**: A certified public accountant, chartered accountant, or a person with an equivalent license within the country of the Applicant's Jurisdiction of Incorporation or Registration or any jurisdiction where the Applicant maintains an office or physical facility; provided that an accounting standards body in the jurisdiction maintains full (not "suspended" or "associate") membership status with the International Federation of Accountants. - -**Baseline Requirements**: The Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates as published by the CA/Browser Forum and any amendments to such document. - -**Business Entity**: Any entity that is not a Private Organization, Government Entity, or Non-Commercial Entity as defined herein. Examples include, but are not limited to, general partnerships, unincorporated associations, sole proprietorships, etc. 
- -**Certificate Approver**: A natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant to - - i. act as a Certificate Requester and to authorize other employees or third parties to act as a Certificate Requester, and - ii. to approve EV Certificate Requests submitted by other Certificate Requesters. - -**Certificate Requester**: A natural person who is either the Applicant, employed by the Applicant, an authorized agent who has express authority to represent the Applicant, or a third party (such as an ISP or hosting company) that completes and submits an EV Certificate Request on behalf of the Applicant. - -**Confirmation Request**: An appropriate out-of-band communication requesting verification or confirmation of the particular fact at issue. - -**Confirming Person**: A position within an Applicant's organization that confirms the particular fact at issue. - -**Contract Signer**: A natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant, and who has authority on behalf of the Applicant to sign Subscriber Agreements. - -**Demand Deposit Account**: A deposit account held at a bank or other financial institution, the funds deposited in which are payable on demand. The primary purpose of demand accounts is to facilitate cashless payments by means of check, bank draft, direct debit, electronic funds transfer, etc. Usage varies among countries, but a demand deposit account is commonly known as a share draft account, a current account, or a checking account. - -**EV Authority**: A source other than the Certificate Approver, through which verification occurs that the Certificate Approver is expressly authorized by the Applicant, as of the date of the EV Certificate Request, to take the Request actions described in these Guidelines. 
- -**EV Certificate**: A certificate that contains subject information specified in these Guidelines and that has been validated in accordance with these Guidelines. - -**EV Certificate Beneficiaries**: Persons to whom the CA and its Root CA make specified EV Certificate Warranties. - -**EV Certificate Renewal**: The process whereby an Applicant who has a valid unexpired and non-revoked EV Certificate makes an application, to the CA that issued the original certificate, for a newly issued EV Certificate for the same organizational name and Domain Name prior to the expiration of the Applicant's existing EV Certificate but with a new 'valid to' date beyond the expiry of the current EV Certificate. - -**EV Certificate Reissuance**: The process whereby an Applicant who has a valid unexpired and non-revoked EV Certificate makes an application, to the CA that issued the original certificate, for a newly issued EV Certificate for the same organizational name and Domain Name prior to the expiration of the Applicant's existing EV Certificate but with a 'valid to' date that matches that of the current EV Certificate. - -**EV Certificate Request**: A request from an Applicant to the CA requesting that the CA issue an EV Certificate to the Applicant, which request is validly authorized by the Applicant and signed by the Applicant Representative. - -**EV Certificate Warranties**: In conjunction with the CA issuing an EV Certificate, the CA and its Root CA, during the period when the EV Certificate is Valid, promise that the CA has followed the requirements of these Guidelines and the CA's EV Policies in issuing the EV Certificate and in verifying the accuracy of the information contained in the EV Certificate. - -**EV OID**: An identifying number, in the form of an "object identifier," that is included in the `certificatePolicies` field of a certificate that: - - i. indicates which CA policy statement relates to that certificate, and - ii. 
is either the CA/Browser Forum EV policy identifier or a policy identifier that, by pre-agreement with one or more Application Software Supplier, marks the certificate as being an EV Certificate. - -**EV Policies**: Auditable EV Certificate practices, policies and procedures, such as a certification practice statement and certificate policy, that are developed, implemented, and enforced by the CA and its Root CA. - -**EV Processes**: The keys, software, processes, and procedures by which the CA verifies Certificate Data under this Guideline, issues EV Certificates, maintains a Repository, and revokes EV Certificates. - -**Extended Validation Certificate**: See EV Certificate. - -**Government Agency**: In the context of a Private Organization, the government agency in the Jurisdiction of Incorporation under whose authority the legal existence of Private Organizations is established (e.g., the government agency that issued the Certificate of Incorporation). In the context of Business Entities, the government agency in the jurisdiction of operation that registers business entities. In the case of a Government Entity, the entity that enacts law, regulations, or decrees establishing the legal existence of Government Entities. - -**Guidelines**: This document. - -**Incorporating Agency**: In the context of a Private Organization, the government agency in the Jurisdiction of Incorporation under whose authority the legal existence of the entity is registered (e.g., the government agency that issues certificates of formation or incorporation). In the context of a Government Entity, the entity that enacts law, regulations, or decrees establishing the legal existence of Government Entities. - -**Independent Confirmation From Applicant**: Confirmation of a particular fact received by the CA pursuant to the provisions of the Guidelines or binding upon the Applicant. - -**Individual**: A natural person. 
- -**International Organization**: An organization founded by a constituent document, e.g., a charter, treaty, convention or similar document, signed by, or on behalf of, a minimum of two Sovereign State governments. - -**Jurisdiction of Incorporation**: In the context of a Private Organization, the country and (where applicable) the state or province or locality where the organization's legal existence was established by a filing with (or an act of) an appropriate government agency or entity (e.g., where it was incorporated). In the context of a Government Entity, the country and (where applicable) the state or province where the Entity's legal existence was created by law. - -**Jurisdiction of Registration**: In the case of a Business Entity, the state, province, or locality where the organization has registered its business presence by means of filings by a Principal Individual involved in the business. - -**Latin Notary**: A person with legal training whose commission under applicable law not only includes authority to authenticate the execution of a signature on a document but also responsibility for the correctness and content of the document. A Latin Notary is sometimes referred to as a Civil Law Notary. - -**Legal Entity**: A Private Organization, Government Entity, Business Entity, or Non-Commercial Entity. - -**Legal Existence**: A Private Organization, Government Entity, or Business Entity has Legal Existence if it has been validly formed and not otherwise terminated, dissolved, or abandoned. - -**Legal Practitioner**: A person who is either a lawyer or a Latin Notary as described in these Guidelines and competent to render an opinion on factual claims of the Applicant. - -**Maximum Validity Period**: - - 1. The maximum time period for which the issued EV Certificate is valid. - 2. The maximum period after validation by the CA that certain Applicant information may be relied upon in issuing an EV Certificate pursuant to these Guidelines. 
- -**Notary**: A person whose commission under applicable law includes authority to authenticate the execution of a signature on a document. - -**Place of Business**: The location of any facility (such as a factory, retail store, warehouse, etc) where the Applicant's business is conducted. - -**Principal Individual**: An individual of a Private Organization, Government Entity, or Business Entity that is either an owner, partner, managing member, director, or officer, as identified by their title of employment, or an employee, contractor or agent authorized by such entity or organization to conduct business related to the request, issuance, and use of EV Certificates. - -**Private Organization**: A non-governmental legal entity (whether ownership interests are privately held or publicly traded) whose existence was created by a filing with (or an act of) the Incorporating Agency or equivalent in its Jurisdiction of Incorporation. - -**Qualified Auditor**: An independent public accounting firm that meets the auditing qualification requirements specified in [Section 17.6](#176-auditor-qualification). - -**Qualified Government Information Source**: A database maintained by a Government Entity (e.g. SEC filings) that meets the requirements of [Section 11.11.6](#11116-qualified-government-information-source). - -**Qualified Government Tax Information Source**: A Qualified Governmental Information Source that specifically contains tax information relating to Private Organizations, Business Entities, or Individuals. - -**Qualified Independent Information Source**: A regularly-updated and current, publicly available, database designed for the purpose of accurately providing the information for which it is consulted, and which is generally recognized as a dependable source of such information. 
- -**Registration Agency**: A Governmental Agency that registers business information in connection with an entity's business formation or authorization to conduct business under a license, charter or other certification. A Registration Agency MAY include, but is not limited to - - i. a State Department of Corporations or a Secretary of State; - ii. a licensing agency, such as a State Department of Insurance; or - iii. a chartering agency, such as a state office or department of financial regulation, banking or finance, or a federal agency such as the Office of the Comptroller of the Currency or Office of Thrift Supervision. - -**Registration Reference**: A unique identifier assigned to a Legal Entity. - -**Registration Scheme**: A scheme for assigning a Registration Reference meeting the requirements identified in [Appendix H](#appendix-h--registration-schemes). - -**Registered Agent**: An individual or entity that is: - - i. authorized by the Applicant to receive service of process and business communications on behalf of the Applicant; and - ii. listed in the official records of the Applicant's Jurisdiction of Incorporation as acting in the role specified in (i) above. - -**Registered Office**: The official address of a company, as recorded with the Incorporating Agency, to which official documents are sent and at which legal notices are received. - -**Registration Number**: The unique number assigned to a Private Organization by the Incorporating Agency in such entity's Jurisdiction of Incorporation. - -**Regulated Financial Institution**: A financial institution that is regulated, supervised, and examined by governmental, national, state or provincial, or local authorities. - -**Root Key Generation Script**: A documented plan of procedures to be performed for the generation of the Root CA Key Pair. - -**Signing Authority**: One or more Certificate Approvers designated to act on behalf of the Applicant. 
- -**Superior Government Entity**: Based on the structure of government in a political subdivision, the Government Entity or Entities that have the ability to manage, direct and control the activities of the Applicant. - -**Suspect code**: Code that contains malicious functionality or serious vulnerabilities, including spyware, malware and other code that installs without the user's consent and/or resists its own removal, and code that can be exploited in ways not intended by its designers to compromise the trustworthiness of the platforms on which it executes. - -**Translator**: An individual or Business Entity that possesses the requisite knowledge and expertise to accurately translate the words of a document written in one language to the native language of the CA. - -**Verified Accountant Letter**: A document meeting the requirements specified in [Section 11.11.2](#11112-verified-accountant-letter). - -**Verified Legal Opinion**: A document meeting the requirements specified in [Section 11.11.1](#11111-verified-legal-opinion). - -**Verified Method of Communication**: The use of a telephone number, a fax number, an email address, or postal delivery address, confirmed by the CA in accordance with [Section 11.5](#115-verified-method-of-communication) as a reliable way of communicating with the Applicant. - -**Verified Professional Letter**: A Verified Accountant Letter or Verified Legal Opinion. - -**WebTrust EV Program**: The additional audit procedures specified for CAs that issue EV Certificates by the AICPA/CICA to be used in conjunction with its WebTrust Program for Certification Authorities. - -**WebTrust Program for CAs**: The then-current version of the AICPA/CICA WebTrust Program for Certification Authorities. - -**WebTrust Seal of Assurance**: An affirmation of compliance resulting from the WebTrust Program for CAs. - -# 5. 
Abbreviations and Acronyms - -Abbreviations and Acronyms are defined in the Baseline Requirements except as otherwise defined herein: - -| **Acronym** | **Meaning** | -| --- | --- | -| BIPM | International Bureau of Weights and Measures | -| BIS | (US Government) Bureau of Industry and Security | -| CEO | Chief Executive Officer | -| CFO | Chief Financial Officer | -| CIO | Chief Information Officer | -| CISO | Chief Information Security Officer | -| COO | Chief Operating Officer | -| CPA | Chartered Professional Accountant | -| CSO | Chief Security Officer | -| EV | Extended Validation | -| gTLD | Generic Top-Level Domain | -| IFAC | International Federation of Accountants | -| IRS | Internal Revenue Service | -| ISP | Internet Service Provider | -| QGIS | Qualified Government Information Source | -| QTIS | Qualified Government Tax Information Source | -| QIIS | Qualified Independent Information Source | -| SEC | (US Government) Securities and Exchange Commission | -| UTC(k) | National realization of Coordinated Universal Time | - -# 6. Conventions - -Terms not otherwise defined in these Guidelines shall be as defined in applicable agreements, user manuals, certification practice statements (CPS), and certificate policies (CP) of the CA issuing EV Certificates. - -The key words "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in these Guidelines shall be interpreted in accordance with RFC 2119. - -By convention, this document omits time and timezones when listing effective requirements such as dates. Except when explicitly specified, the associated time with a date shall be 00:00:00 UTC. - -# 7. Certificate Warranties and Representations - -## 7.1. 
EV Certificate Warranties - -When the CA issues an EV Certificate, the CA and its Root CA represent and warrant to the Certificate Beneficiaries listed in Section 9.6.1 of the Baseline Requirements, during the period when the EV Certificate is Valid, that the CA has followed the requirements of these Guidelines and its EV Policies in issuing and managing the EV Certificate and in verifying the accuracy of the information contained in the EV Certificate. The EV Certificate Warranties specifically include, but are not limited to, the following: - -A. **Legal Existence**: The CA has confirmed with the Incorporating or Registration Agency in the Subject's Jurisdiction of Incorporation or Registration that, as of the date the EV Certificate was issued, the Subject named in the EV Certificate legally exists as a valid organization or entity in the Jurisdiction of Incorporation or Registration; -B. **Identity**: The CA has confirmed that, as of the date the EV Certificate was issued, the legal name of the Subject named in the EV Certificate matches the name on the official government records of the Incorporating or Registration Agency in the Subject's Jurisdiction of Incorporation or Registration, and if an assumed name is also included, that the assumed name is properly registered by the Subject in the jurisdiction of its Place of Business; -C. **Right to Use Domain Name**: The CA has taken all steps reasonably necessary to verify that, as of the date the EV Certificate was issued, the Subject named in the EV Certificate has the right to use all the Domain Name(s) listed in the EV Certificate; -D. **Authorization for EV Certificate**: The CA has taken all steps reasonably necessary to verify that the Subject named in the EV Certificate has authorized the issuance of the EV Certificate; -E. 
**Accuracy of Information**: The CA has taken all steps reasonably necessary to verify that all of the other information in the EV Certificate is accurate, as of the date the EV Certificate was issued; -F. **Subscriber Agreement**: The Subject named in the EV Certificate has entered into a legally valid and enforceable Subscriber Agreement with the CA that satisfies the requirements of these Guidelines or, if they are affiliated, the Applicant Representative has acknowledged and accepted the Terms of Use; -G. **Status**: The CA will follow the requirements of these Guidelines and maintain a 24 x 7 online-accessible Repository with current information regarding the status of the EV Certificate as Valid or revoked; and -H. **Revocation**: The CA will follow the requirements of these Guidelines and revoke the EV Certificate for any of the revocation reasons specified in these Guidelines. - -## 7.2. By the Applicant - -EV Certificate Applicants make the commitments and warranties set forth in Section 9.6.3 of the Baseline Requirements for the benefit of the CA and Certificate Beneficiaries. - -# 8. Community and Applicability - -## 8.1. Issuance of EV Certificates - -The CA MAY issue EV Certificates, provided that the CA and its Root CA satisfy the requirements in these Guidelines and the Baseline Requirements. - -If a court or government body with jurisdiction over the activities covered by these Guidelines determines that the performance of any mandatory requirement is illegal, then such requirement is considered reformed to the minimum extent necessary to make the requirement valid and legal. This applies only to operations or certificate issuances that are subject to the laws of that jurisdiction. The parties involved SHALL notify the CA / Browser Forum of the facts, circumstances, and law(s) involved, so that the CA/Browser Forum may revise these Guidelines accordingly. - -## 8.2. EV Policies - -### 8.2.1. 
Implementation - -Each CA must develop, implement, enforce, display prominently on its Web site, and periodically update as necessary its own auditable EV Certificate practices, policies and procedures, such as a Certification Practice Statement (CPS) and Certificate Policy (CP) that: - -A. Implement the requirements of these Guidelines as they are revised from time-to-time; - -B. Implement the requirements of - - i. the then-current WebTrust Program for CAs, and - ii. the then-current WebTrust EV Program or ETSI TS 102 042 for EVCP or ETSI EN 319 411-1 for EVCP policy; and - -C. Specify the CA's and its Root CA's entire root certificate hierarchy including all roots that its EV Certificates depend on for proof of those EV Certificates' authenticity. - -### 8.2.2. Disclosure - -Each CA MUST publicly disclose its Certificate Policy and/or Certification Practice Statement through an appropriate and readily accessible online means that is available on a 24x7 basis. The CA SHALL publicly disclose its CA business practices to the extent required by the CA's selected audit scheme (see [Section 17.1](#171-eligible-audit-schemes)). - -The CA's Certificate Policy and/or Certification Practice Statement MUST be structured in accordance with RFC 3647. The Certificate Policy and/or Certification Practice Statement MUST include all material required by RFC 3647. - -## 8.3. Commitment to Comply with Recommendations - -Each CA SHALL publicly give effect to these Guidelines and represent that they will adhere to the latest published version by incorporating them into their respective EV Policies, using a clause such as the following (which must include a link to the official version of these Guidelines): - -> [Name of CA] conforms to the current version of the CA/Browser Forum Guidelines for Issuance and Management of Extended Validation Certificates published at . 
In the event of any inconsistency between this document and those Guidelines, those Guidelines take precedence over this document. - -In addition, the CA MUST include (directly or by reference) the applicable requirements of these Guidelines in all contracts with Subordinate CAs, RAs, Enterprise RAs, and subcontractors that involve or relate to the issuance or maintenance of EV Certificates. The CA MUST enforce compliance with such terms. - -## 8.4. Insurance - -Each CA SHALL maintain the following insurance related to their respective performance and obligations under these Guidelines: - -A. Commercial General Liability insurance (occurrence form) with policy limits of at least two million US dollars in coverage; and - -B. Professional Liability/Errors and Omissions insurance, with policy limits of at least five million US dollars in coverage, and including coverage for: - i. claims for damages arising out of an act, error, or omission, unintentional breach of contract, or neglect in issuing or maintaining EV Certificates, and; - ii. claims for damages arising out of infringement of the proprietary rights of any third party (excluding copyright, and trademark infringement), and invasion of privacy and advertising injury. - -Such insurance must be with a company rated no less than A- as to Policy Holder's Rating in the current edition of Best's Insurance Guide (or with an association of companies each of the members of which are so rated). - -A CA MAY self-insure for liabilities that arise from such party's performance and obligations under these Guidelines provided that it has at least five hundred million US dollars in liquid assets based on audited financial statements in the past twelve months, and a quick ratio (ratio of liquid assets to current liabilities) of not less than 1.0. - -## 8.5. Obtaining EV Certificates - -### 8.5.1. 
General - -The CA MAY only issue EV Certificates to Applicants that meet the Private Organization, Government Entity, Business Entity and Non-Commercial Entity requirements specified below. - -### 8.5.2. Private Organization Subjects - -An Applicant qualifies as a Private Organization if: - -1. The entity's legal existence is created or recognized by a by a filing with (or an act of) the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration (e.g., by issuance of a certificate of incorporation, registration number, etc.) or created or recognized by a Government Agency (e.g. under a charter, treaty, convention, or equivalent recognition instrument); - -2. The entity designated with the Incorporating or Registration Agency a Registered Agent, a Registered Office (as required under the laws of the Jurisdiction of Incorporation or Registration), or an equivalent facility; - -3. The entity is not designated on the records of the Incorporating or Registration Agency by labels such as "inactive," "invalid," "not current," or the equivalent; - -4. The entity has a verifiable physical existence and business presence; - -5. The entity's Jurisdiction of Incorporation, Registration, Charter, or License, and/or its Place of Business is not in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and - -6. The entity is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. - -### 8.5.3. Government Entity Subjects - -An Applicant qualifies as a Government Entity if: - -1. The entity's legal existence was established by the political subdivision in which the entity operates; - -2. The entity is not in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and - -3. 
The entity is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. - -### 8.5.4. Business Entity Subjects - -An Applicant qualifies as a Business Entity if: - -1. The entity is a legally recognized entity that filed certain forms with a Registration Agency in its jurisdiction, the Registration Agency issued or approved the entity's charter, certificate, or license, and the entity's existence can be verified with that Registration Agency; - -2. The entity has a verifiable physical existence and business presence; - -3. At least one Principal Individual associated with the entity is identified and validated by the CA; - -4. The identified Principal Individual attests to the representations made in the Subscriber Agreement; - -5. The CA verifies the entity's use of any assumed name used to represent the entity pursuant to the requirements of [Section 11.3](#113-verification-of-applicants-legal-existence-and-identity--assumed-name); - -6. The entity and the identified Principal Individual associated with the entity are not located or residing in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and - -7. The entity and the identified Principal Individual associated with the entity are not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. - -### 8.5.5. Non-Commercial Entity Subjects - -An Applicant qualifies as a Non-Commercial Entity if: - -1. The Applicant is an International Organization Entity, created under a charter, treaty, convention or equivalent instrument that was signed by, or on behalf of, more than one country's government. The CA/Browser Forum may publish a listing of Applicants who qualify as an International Organization for EV eligibility; and - -2. 
The Applicant is not headquartered in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and - -3. The Applicant is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. - -Subsidiary organizations or agencies of an entity that qualifies as a Non-Commercial Entity also qualifies for EV Certificates as a Non-Commercial Entity. - -# 9. EV Certificate Content and Profile - -This section sets forth minimum requirements for the content of the EV Certificate as they relate to the identity of the CA and the Subject of the EV Certificate. - -## 9.1. Issuer Information - -Issuer Information listed in an EV Certificate MUST comply with Section 7.1.4.1 of the Baseline Requirements. - -## 9.2. Subject Distinguished Name Fields - -Subject to the requirements of these Guidelines, the EV Certificate and certificates issued to Subordinate CAs that are not controlled by the same entity as the CA MUST include the following information about the Subject organization in the fields listed: - -### 9.2.1. Subject Organization Name Field - -__Certificate Field__: `subject:organizationName` (OID 2.5.4.10) -__Required/Optional__: Required -__Contents__: This field MUST contain the Subject's full legal organization name as listed in the official records of the Incorporating or Registration Agency in the Subject's Jurisdiction of Incorporation or Registration or as otherwise verified by the CA as provided herein. A CA MAY abbreviate the organization prefixes or suffixes in the organization name, e.g., if the official record shows "Company Name Incorporated" the CA MAY include "Company Name, Inc." - -When abbreviating a Subject's full legal name as allowed by this subsection, the CA MUST use abbreviations that are not misleading in the Jurisdiction of Incorporation or Registration. 
- -In addition, an assumed name or DBA name used by the Subject MAY be included at the beginning of this field, provided that it is followed by the full legal organization name in parenthesis. - -If the combination of names or the organization name by itself exceeds 64 characters, the CA MAY abbreviate parts of the organization name, and/or omit non-material words in the organization name in such a way that the text in this field does not exceed the 64-character limit; provided that the CA checks this field in accordance with [Section 11.12.1](#11121-high-risk-status) and a Relying Party will not be misled into thinking that they are dealing with a different organization. In cases where this is not possible, the CA MUST NOT issue the EV Certificate. - -### 9.2.2. Subject Common Name Field - -__Certificate Field__: `subject:commonName` (OID: 2.5.4.3) -__Required/Optional__: Deprecated (Discouraged, but not prohibited) -__Contents__: If present, this field MUST contain a single Domain Name(s) owned or controlled by the Subject and to be associated with the Subject's server. Such server MAY be owned and operated by the Subject or another entity (e.g., a hosting service). This field MUST NOT contain a Wildcard Domain Name unless the FQDN portion of the Wildcard Domain Name is an Onion Domain Name verified in accordance with Appendix B of the Baseline Requirements. - -### 9.2.3. Subject Business Category Field - -__Certificate Field__: `subject:businessCategory` (OID: 2.5.4.15) -__Required/Optional__: Required -__Contents__: This field MUST contain one of the following strings: "Private Organization", "Government Entity", "Business Entity", or "Non-Commercial Entity" depending upon whether the Subject qualifies under the terms of [Section 8.5.2](#852-private-organization-subjects), [Section 8.5.3](#853-government-entity-subjects), [Section 8.5.4](#854-business-entity-subjects) or [Section 8.5.5](#855-non-commercial-entity-subjects), respectively. - -### 9.2.4. 
Subject Jurisdiction of Incorporation or Registration Field - -__Certificate Fields__: - -Locality (if required): - `subject:jurisdictionLocalityName` (OID: 1.3.6.1.4.1.311.60.2.1.1) - -State or province (if required): - `subject:jurisdictionStateOrProvinceName` (OID: 1.3.6.1.4.1.311.60.2.1.2) - -Country: - `subject:jurisdictionCountryName` (OID: 1.3.6.1.4.1.311.60.2.1.3) - -__Required/Optional__: Required -__Contents__: These fields MUST NOT contain information that is not relevant to the level of the Incorporating Agency or Registration Agency. For example, the Jurisdiction of Incorporation for an Incorporating Agency or Jurisdiction of Registration for a Registration Agency that operates at the country level MUST include the country information but MUST NOT include the state or province or locality information. Similarly, the jurisdiction for the applicable Incorporating Agency or Registration Agency at the state or province level MUST include both country and state or province information, but MUST NOT include locality information. And, the jurisdiction for the applicable Incorporating Agency or Registration Agency at the locality level MUST include the country and state or province information, where the state or province regulates the registration of the entities at the locality level, as well as the locality information. Country information MUST be specified using the applicable ISO country code. State or province or locality information (where applicable) for the Subject's Jurisdiction of Incorporation or Registration MUST be specified using the full name of the applicable jurisdiction. - -Effective as of 1 October 2020, the CA SHALL ensure that, at time of issuance, the values within these fields have been disclosed within the latest publicly-available disclosure, as described in [Section 11.1.3](#1113-disclosure-of-verification-sources), as acceptable values for the applicable Incorporating Agency or Registration Agency. - -### 9.2.5. 
Subject Registration Number Field - -__Certificate Field__: `subject:serialNumber` (OID: 2.5.4.5) -__Required/Optional__: __Required__ -__Contents__: For Private Organizations, this field MUST contain the Registration (or similar) Number assigned to the Subject by the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration, as appropriate. If the Jurisdiction of Incorporation or Registration does not provide a Registration Number, then the date of Incorporation or Registration SHALL be entered into this field in any one of the common date formats. - -For Government Entities that do not have a Registration Number or readily verifiable date of creation, the CA SHALL enter appropriate language to indicate that the Subject is a Government Entity. - -For Business Entities, the Registration Number that was received by the Business Entity upon government registration SHALL be entered in this field. For those Business Entities that register with an Incorporating Agency or Registration Agency in a jurisdiction that does not issue numbers pursuant to government registration, the date of the registration SHALL be entered into this field in any one of the common date formats. - -Effective as of 1 October 2020, if the CA has disclosed a set of acceptable format or formats for Registration Numbers for the applicable Registration Agency or Incorporating Agency, as described in [Section 11.1.3](#1113-disclosure-of-verification-sources), the CA MUST ensure, prior to issuance, that the Registration Number is valid according to at least one currently disclosed format for that applicable Registration Agency or Incorporating agency. - -### 9.2.6. 
Subject Physical Address of Place of Business Field - -__Certificate Fields__: - Number and street: `subject:streetAddress` (OID: 2.5.4.9) - City or town: `subject:localityName` (OID: 2.5.4.7) - State or province (where applicable): `subject:stateOrProvinceName` (OID: 2.5.4.8) - Country: `subject:countryName` (OID: 2.5.4.6) - Postal code: `subject:postalCode` (OID: 2.5.4.17) -__Required/Optional__: As stated in Section 7.1.4.2.2 d, e, f, g and h of the Baseline Requirements. -__Contents__: This field MUST contain the address of the physical location of the Subject's Place of Business. - -### 9.2.7. Subject Organizational Unit Name Field - -__Certificate Field__: `subject:organizationalUnitName` (OID: 2.5.4.11) -__Required/Optional/Prohibited:__ __Prohibited__. - -### 9.2.8. Subject Organization Identifier Field - -__Certificate Field__: `subject:organizationIdentifier` (OID: 2.5.4.97) -__Required/Optional__: Optional -__Contents__: If present, this field MUST contain a Registration Reference for a Legal Entity assigned in accordance to the identified Registration Scheme. - -The organizationIdentifier MUST be encoded as a PrintableString or UTF8String. 
- -The Registration Scheme MUST be identified using the using the following structure in the presented order: - -* 3 character Registration Scheme identifier; -* 2 character ISO 3166 country code for the nation in which the Registration Scheme is operated, or if the scheme is operated globally ISO 3166 code "XG" shall be used; -* For the NTR Registration Scheme identifier, if required under [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field), a 2 character ISO 3166-2 identifier for the subdivision (state or province) of the nation in which the Registration Scheme is operated, preceded by plus "+" (0x2B (ASCII), U+002B (UTF-8)); -* a hyphen-minus "-" (0x2D (ASCII), U+002D (UTF-8)); -* Registration Reference allocated in accordance with the identified Registration Scheme - -Note: Registration References MAY contain hyphens, but Registration Schemes, ISO 3166 country codes, and ISO 3166-2 identifiers do not. Therefore if more than one hyphen appears in the structure, the leftmost hyphen is a separator, and the remaining hyphens are part of the Registration Reference. - -As in [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field), the specified location information MUST match the scope of the registration being referenced. - -Examples: - -* `NTRGB-12345678` (NTR scheme, Great Britain, Unique Identifier at Country level is 12345678) -* `NTRUS+CA-12345678` (NTR Scheme, United States - California, Unique identifier at State level is 12345678) -* `VATDE-123456789` (VAT Scheme, Germany, Unique Identifier at Country Level is 12345678) -* `PSDBE-NBB-1234.567.890` (PSD Scheme, Belgium, NCA's identifier is NBB, Subject Unique Identifier assigned by the NCA is 1234.567.890) - -Registration Schemes listed in [Appendix H](#appendix-h--registration-schemes) are currently recognized as valid under these guidelines. - -The CA SHALL: - -1. 
confirm that the organization represented by the Registration Reference is the same as the organization named in the `organizationName` field as specified in [Section 9.2.1](#921-subject-organization-name-field) within the context of the subject’s jurisdiction as specified in [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field); -2. further verify the Registration Reference matches other information verified in accordance with [Section 11](#11-verification-requirements); -3. take appropriate measures to disambiguate between different organizations as described in [Appendix H](#appendix-h--registration-schemes) for each Registration Scheme; -4. Apply the validation rules relevant to the Registration Scheme as specified in [Appendix H](#appendix-h--registration-schemes). - -### 9.2.9. Other Subject Attributes - -CAs SHALL NOT include any Subject Distinguished Name attributes except as specified in [Section 9.2](#92-subject-distinguished-name-fields). - -## 9.3. Certificate Policy Identification - -### 9.3.1. EV Certificate Policy Identification Requirements - -This section sets forth minimum requirements for the contents of EV Certificates as they relate to the identification of EV Certificate Policy. - -### 9.3.2. EV Subscriber Certificates - -Each EV Certificate issued by the CA to a Subscriber MUST contain a policy identifier that is either defined by these Guidelines or the CA in the certificate's `certificatePolicies` extension that: - -1. indicates which CA policy statement relates to that Certificate, -2. asserts the CA's adherence to and compliance with these Guidelines, and -3. is either the CA/Browser Forum’s EV policy identifier or a policy identifier that, by pre-agreement with the Application Software Supplier, marks the Certificate as being an EV Certificate. 
- -The following Certificate Policy identifier is the CA/Browser Forum’s EV policy identifier: -`{joint‐iso‐itu‐t(2) international‐organizations(23) ca‐browser‐forum(140) certificate‐policies(1) ev-guidelines (1) } (2.23.140.1.1)`, if the Certificate complies with these Guidelines. - -### 9.3.3. Root CA Certificates - -The Application Software Supplier identifies Root CAs that are approved to issue EV Certificates by storing EV policy identifiers in metadata associated with Root CA Certificates. - -### 9.3.4. EV Subordinate CA Certificates - -1. Certificates issued to Subordinate CAs that are not controlled by the issuing CA MUST contain one or more policy identifiers defined by the issuing CA that explicitly identify the EV Policies that are implemented by the Subordinate CA. -2. Certificates issued to Subordinate CAs that are controlled by the Root CA MAY contain the special `anyPolicy` identifier (OID: 2.5.29.32.0). - -### 9.3.5. Subscriber Certificates - -A Certificate issued to a Subscriber MUST contain one or more policy identifier(s), defined by the Issuing CA, in the Certificate's `certificatePolicies` extension that indicates adherence to and compliance with these Guidelines. Each CA SHALL document in its Certificate Policy or Certification Practice Statement that the Certificates it issues containing the specified policy identifier(s) are managed in accordance with these Guidelines. - -## 9.4. Maximum Validity Period For EV Certificate - -The Validity Period for an EV Certificate SHALL NOT exceed 398 days. - -It is RECOMMENDED that EV Subscriber Certificates have a Maximum Validity Period of twelve months. - -## 9.5. Subscriber Public Key - -The requirements in Section 6.1.1.3 of the Baseline Requirements apply equally to EV Certificates. - -## 9.6. Certificate Serial Number - -The requirements in Section 7.1 of the Baseline Requirements apply equally to EV Certificates. - -## 9.7. 
Additional Technical Requirements for EV Certificates - -All provisions of the Baseline Requirements concerning Minimum Cryptographic Algorithms, Key Sizes, and Certificate Extensions apply to EV Certificates with the following exceptions: - -1. If a Subordinate CA Certificates is issued to a Subordinate CA not controlled by the entity that controls the Root CA, the policy identifiers in the `certificatePolicies` extension MUST include the CA's Extended Validation policy identifier. - - Otherwise, it MAY contain the anyPolicy identifier. - -2. The following fields MUST be present if the Subordinate CA is not controlled by the entity that controls the Root CA. - - * `certificatePolicies:policyQualifiers:policyQualifierId` - - `id-qt 1` [RFC 5280] - - * `certificatePolicies:policyQualifiers:qualifier:cPSuri` - - HTTP URL for the Root CA's Certification Practice Statement - -3. The `certificatePolicies` extension in EV Certificates issued to Subscribers MUST include the following: - - * `certificatePolicies:policyIdentifier` (Required) - - The Issuer's EV policy identifier - - * `certificatePolicies:policyQualifiers:policyQualifierId` (Required) - - `id-qt 1` [RFC 5280] - - * `certificatePolicies:policyQualifiers:qualifier:cPSuri` (Required) - - HTTP URL for the Subordinate CA's Certification Practice Statement - -4. The `cRLDistributionPoints` extension MUST be present in Subscriber Certificates if the certificate does not specify OCSP responder locations in an `authorityInformationAccess` extension. - -## 9.8. Certificate Extensions - -The extensions listed in [Section 9.8](#98-certificate-extensions) are recommended for maximum interoperability between certificates and browsers / applications, but are not mandatory on the CAs except where indicated as “Required”. 
CAs may use other extensions that are not listed in [Section 9.8](#98-certificate-extensions), but are encouraged to add them to this section by ballot from time to time to help increase extension standardization across the industry. - -If a CA includes an extension in a certificate that has a Certificate field which is named in [Section 9.8](#98-certificate-extensions), the CA must follow the format specified in that subsection. However, no extension or extension format shall be mandatory on a CA unless specifically stated as “Required” in the subsection that describes the extension. - -### 9.8.1. Subject Alternative Name Extension - -__Certificate Field__: `subjectAltName:dNSName` -__Required/Optional__: __Required__ -__Contents__: This extension MUST contain one or more host Domain Name(s) owned or controlled by the Subject and to be associated with the Subject's server. Such server MAY be owned and operated by the Subject or another entity (e.g., a hosting service). This extension MUST NOT contain a Wildcard Domain Name unless the FQDN portion of the Wildcard Domain Name is an Onion Domain Name verified in accordance with Appendix B of the Baseline Requirements. - -### 9.8.2. CA/Browser Forum Organization Identifier Extension - -__Extension Name__: `cabfOrganizationIdentifier` (OID: 2.23.140.3.1) -__Verbose OID__: `{joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) certificate-extensions(3) cabf-organization-identifier(1) }` -__Required/Optional__: __Optional (but see below)__ -__Contents__: If the subject:organizationIdentifier is present, this field MUST be present. - -If present, this extension MUST contain a Registration Reference for a Legal Entity assigned in accordance to the identified Registration Scheme. 
- -The Registration Scheme MUST be encoded as described by the following ASN.1 grammar: - -```ASN.1 -id-CABFOrganizationIdentifier OBJECT IDENTIFIER ::= { - joint-iso-itu-t(2) international-organizations(23) - ca-browser-forum(140) certificate-extensions(3) - cabf-organizationIdentifier(1) -} - -ext-CABFOrganizationIdentifier EXTENSION ::= { - SYNTAX CABFOrganizationIdentifier - IDENTIFIED BY id-CABFOrganizationIdentifier -} - -CABFOrganizationIdentifier ::= SEQUENCE { - registrationSchemeIdentifier PrintableString (SIZE(3)), - registrationCountry PrintableString (SIZE(2)), - registrationStateOrProvince [0] IMPLICIT PrintableString - (SIZE(0..128)) OPTIONAL, - registrationReference UTF8String -} -``` - -where the subfields have the same values, meanings, and restrictions described in [Section 9.2.8](#928-subject-organization-identifier-field). The CA SHALL validate the contents using the requirements in [Section 9.2.8](#928-subject-organization-identifier-field). - -# 10. EV Certificate Request Requirements - -## 10.1. General Requirements - -### 10.1.1. Documentation Requirements - -The documentation requirements in Section 4.1.2 of the Baseline Requirements apply equally to EV Certificates. - -### 10.1.2. Role Requirements - -The following Applicant roles are required for the issuance of an EV Certificate. - -1. **Certificate Requester**: The EV Certificate Request MUST be submitted by an authorized Certificate Requester. A Certificate Requester is a natural person who is either the Applicant, employed by the Applicant, an authorized agent who has express authority to represent the Applicant, or a third party (such as an ISP or hosting company) that completes and submits an EV Certificate Request on behalf of the Applicant. - -2. **Certificate Approver**: The EV Certificate Request MUST be approved by an authorized Certificate Approver. 
A Certificate Approver is a natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant to - - i. act as a Certificate Requester and to authorize other employees or third parties to act as a Certificate Requester, and - ii. to approve EV Certificate Requests submitted by other Certificate Requesters. - -3. **Contract Signer**: A Subscriber Agreement applicable to the requested EV Certificate MUST be signed by an authorized Contract Signer. A Contract Signer is a natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant, and who has authority on behalf of the Applicant to sign Subscriber Agreements. - -4. **Applicant Representative**: In the case where the CA and the Subscriber are affiliated, Terms of Use applicable to the requested EV Certificate MUST be acknowledged and agreed to by an authorized Applicant Representative. An Applicant Representative is a natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant, and who has authority on behalf of the Applicant to acknowledge and agree to the Terms of Use. - -The Applicant MAY authorize one individual to occupy two or more of these roles. The Applicant MAY authorize more than one individual to occupy any of these roles. - -## 10.2. EV Certificate Request Requirements - -The Certificate Request requirements in Section 4.1.2 of the Baseline Requirements apply equally to EV Certificates subject to the additional more stringent ageing and updating requirement of [Section 11.14](#1114-requirements-for-re-use-of-existing-documentation). - -## 10.3. Requirements for Subscriber Agreement and Terms of Use - -Section 9.6.3 of the Baseline Requirements applies equally to EV Certificates. 
In cases where the Certificate Request does not contain all necessary information about the Applicant, the CA MUST additionally confirm the data with the Certificate Approver or Contract Signer rather than the Certificate Requester. - -# 11. Verification Requirements - -## 11.1. General Overview - -This part of the Guidelines sets forth Verification Requirements and Acceptable Methods of Verification for each such Requirement. - -### 11.1.1. Verification Requirements – Overview - -Before issuing an EV Certificate, the CA MUST ensure that all Subject organization information to be included in the EV Certificate conforms to the requirements of, and is verified in accordance with, these Guidelines and matches the information confirmed and documented by the CA pursuant to its verification processes. Such verification processes are intended to accomplish the following: - -1. Verify Applicant's existence and identity, including; - - A. Verify the Applicant's legal existence and identity (as more fully set forth in [Section 11.2](#112-verification-of-applicants-legal-existence-and-identity)), - - B. Verify the Applicant's physical existence (business presence at a physical address), and - - C. Verify the Applicant's operational existence (business activity). - -2. Verify the Applicant is a registered holder, or has control, of the Domain Name(s) to be included in the EV Certificate; - -3. Verify a reliable means of communication with the entity to be named as the Subject in the Certificate; - -4. Verify the Applicant's authorization for the EV Certificate, including; - - A. Verify the name, title, and authority of the Contract Signer, Certificate Approver, and Certificate Requester, - - B. Verify that a Contract Signer signed the Subscriber Agreement or that a duly authorized Applicant Representative acknowledged and agreed to the Terms of Use; and - - C. Verify that a Certificate Approver has signed or otherwise approved the EV Certificate Request. - -### 11.1.2. 
Acceptable Methods of Verification – Overview - -As a general rule, the CA is responsible for taking all verification steps reasonably necessary to satisfy each of the Verification Requirements set forth in the subsections below. The Acceptable Methods of Verification set forth in each of Sections 11.2 through 11.14 (which usually include alternatives) are considered to be the minimum acceptable level of verification required of the CA. In all cases, however, the CA is responsible for taking any additional verification steps that may be reasonably necessary under the circumstances to satisfy the applicable Verification Requirement. - -### 11.1.3. Disclosure of Verification Sources - -Effective as of 1 October 2020, prior to the use of an Incorporating Agency or Registration Agency to fulfill these verification requirements, the CA MUST publicly disclose Agency Information about the Incorporating Agency or Registration Agency. This disclosure SHALL be through an appropriate and readily accessible online means. 
- -This Agency Information SHALL include at least the following: - -* Sufficient information to unambiguously identify the Incorporating Agency or Registration Agency (such as a name, jurisdiction, and website); and, -* The accepted value or values for each of the `subject:jurisdictionLocalityName` (OID: 1.3.6.1.4.1.311.60.2.1.1), `subject:jurisdictionStateOrProvinceName` (OID: 1.3.6.1.4.1.311.60.2.1.2), and `subject:jurisdictionCountryName` (OID: 1.3.6.1.4.1.311.60.2.1.3) fields, when a certificate is issued using information from that Incorporating Agency or Registration Agency, indicating the jurisdiction(s) that the Agency is appropriate for; and, -* The acceptable form or syntax of Registration Numbers used by the Incorporating Agency or Registration Agency, if the CA restricts such Numbers to an acceptable form or syntax; and, -* A revision history that includes a unique version number and date of publication for any additions, modifications, and/or removals from this list. - -The CA MUST document where to obtain this information within Section 3.2 of the CA's Certificate Policy and/or Certification Practice Statement. - -## 11.2. Verification of Applicant's Legal Existence and Identity - -### 11.2.1. Verification Requirements - -To verify the Applicant's legal existence and identity, the CA MUST do the following. - -1. **Private Organization Subjects** - - A. **Legal Existence**: Verify that the Applicant is a legally recognized entity, in existence and validly formed (e.g., incorporated) with the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration, and not designated on the records of the Incorporating or Registration Agency by labels such as "inactive", "invalid", "not current", or the equivalent. - B. 
**Organization Name**: Verify that the Applicant's formal legal name as recorded with the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration matches the Applicant's name in the EV Certificate Request. - C. **Registration Number**: Obtain the specific Registration Number assigned to the Applicant by the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration. Where the Incorporating or Registration Agency does not assign a Registration Number, the CA SHALL obtain the Applicant's date of Incorporation or Registration. - D. **Registered Agent**: Obtain the identity and address of the Applicant's Registered Agent or Registered Office (as applicable in the Applicant's Jurisdiction of Incorporation or Registration). - -2. **Government Entity Subjects** - - A. **Legal Existence**: Verify that the Applicant is a legally recognized Government Entity, in existence in the political subdivision in which such Government Entity operates. - B. **Entity Name**: Verify that the Applicant's formal legal name matches the Applicant's name in the EV Certificate Request. - C. **Registration Number**: The CA MUST attempt to obtain the Applicant's date of incorporation, registration, or formation, or the identifier for the legislative act that created the Government Entity. In circumstances where this information is not available, the CA MUST enter appropriate language to indicate that the Subject is a Government Entity. - -3. **Business Entity Subjects** - - A. **Legal Existence**: Verify that the Applicant is engaged in business under the name submitted by the Applicant in the Application. - B. **Organization Name**: Verify that the Applicant's formal legal name as recognized by the Registration Agency in the Applicant's Jurisdiction of Registration matches the Applicant's name in the EV Certificate Request. - C. 
**Registration Number**: Attempt to obtain the specific unique Registration Number assigned to the Applicant by the Registration Agency in the Applicant's Jurisdiction of Registration. Where the Registration Agency does not assign a Registration Number, the CA SHALL obtain the Applicant's date of Registration. - D. **Principal Individual**: Verify the identity of the identified Principal Individual. - -4. **Non-Commercial Entity Subjects (International Organizations)** - - A. **Legal Existence**: Verify that the Applicant is a legally recognized International Organization Entity. - B. **Entity Name**: Verify that the Applicant's formal legal name matches the Applicant's name in the EV Certificate Request. - C. **Registration Number**: The CA MUST attempt to obtain the Applicant's date of formation, or the identifier for the legislative act that created the International Organization Entity. In circumstances where this information is not available, the CA MUST enter appropriate language to indicate that the Subject is an International Organization Entity. - -### 11.2.2. Acceptable Method of Verification - -1. **Private Organization Subjects**: Unless verified under subsection (6), all items listed in [Section 11.2.1](#1121-verification-requirements) (1) MUST be verified directly with, or obtained directly from, the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration. Such verification MAY be through use of a Qualified Government Information Source operated by, or on behalf of, the Incorporating or Registration Agency, or by direct contact with the Incorporating or Registration Agency in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Incorporating or Registration Agency, or from a Qualified Independent Information Source. - -2. 
**Government Entity Subjects**: Unless verified under subsection (6), all items listed in [Section 11.2.1](#1121-verification-requirements) (2) MUST either be verified directly with, or obtained directly from, one of the following: - i. a Qualified Government Information Source in the political subdivision in which such Government Entity operates; - ii. a superior governing Government Entity in the same political subdivision as the Applicant (e.g. a Secretary of State may verify the legal existence of a specific State Department), or - iii. from a judge that is an active member of the federal, state or local judiciary within that political subdivision. - - Any communication from a judge SHALL be verified in the same manner as is used for verifying factual assertions that are asserted by an Attorney as set forth in [Section 11.11.1](#11111-verified-legal-opinion). - - Such verification MAY be by direct contact with the appropriate Government Entity in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained from a Qualified Independent Information Source. - -3. **Business Entity Subjects**: Unless verified under subsection (6), Items listed in [Section 11.2.1](#1121-verification-requirements) (3) (A) through (C) above, MUST be verified directly with, or obtained directly from, the Registration Agency in the Applicant's Jurisdiction of Registration. Such verification MAY be performed by means of a Qualified Government Information Source, a Qualified Governmental Tax Information Source, or by direct contact with the Registration Agency in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Qualified Governmental Tax Information Source or Registration Agency, or from a Qualified Independent Information Source. 
In addition, the CA MUST validate a Principal Individual associated with the Business Entity pursuant to the requirements in subsection (4), below. - -4. **Principal Individual**: A Principal Individual associated with the Business Entity MUST be validated in a face-to-face setting. The CA MAY rely upon a face-to-face validation of the Principal Individual performed by the Registration Agency, provided that the CA has evaluated the validation procedure and concluded that it satisfies the requirements of the Guidelines for face-to-face validation procedures. Where no face-to-face validation was conducted by the Registration Agency, or the Registration Agency's face-to-face validation procedure does not satisfy the requirements of the Guidelines, the CA SHALL perform face-to-face validation. - - A. **Face-To-Face Validation**: The face-to-face validation MUST be conducted before either an employee of the CA, a Latin Notary, a Notary (or equivalent in the Applicant's jurisdiction), a Lawyer, or Accountant (Third-Party Validator). The Principal Individual(s) MUST present the following documentation (Vetting Documents) directly to the Third-Party Validator: - - i. A Personal Statement that includes the following information: - - 1. Full name or names by which a person is, or has been, known (including all other names used); - 2. Residential Address at which he/she can be located; - 3. Date of birth; and - 4. An affirmation that all of the information contained in the Certificate Request is true and correct. - - ii. A current signed government-issued identification document that includes a photo of the Individual and is signed by the Individual such as: - - 1. A passport; - 2. A driver's license; - 3. A personal identification card; - 4. A concealed weapons permit; or - 5. A military ID. - - iii. At least two secondary documentary evidences to establish his/her identity that include the name of the Individual, one of which MUST be from a financial institution. - - 1. 
Acceptable financial institution documents include: - - a. A major credit card, provided that it contains an expiration date and it has not expired' - b. A debit card from a regulated financial institution, provided that it contains an expiration date and it has not expired, - c. A mortgage statement from a recognizable lender that is less than six months old, - d. A bank statement from a regulated financial institution that is less than six months old. - - 2. Acceptable non-financial documents include: - - a. Recent original utility bills or certificates from a utility company confirming the arrangement to pay for the services at a fixed address (not a mobile/cellular telephone bill), - b. A copy of a statement for payment of a lease, provided that the statement is dated within the past six months, - c. A certified copy of a birth certificate, - d. A local authority tax bill for the current year, - e. A certified copy of a court order, such as a divorce certificate, annulment papers, or adoption papers. - - The Third-Party Validator performing the face-to-face validation MUST: - - i. Attest to the signing of the Personal Statement and the identity of the signer; and - ii. Identify the original Vetting Documents used to perform the identification. In addition, the Third-Party Validator MUST attest on a copy of the current signed government-issued photo identification document that it is a full, true, and accurate reproduction of the original. - - B. **Verification of Third-Party Validator**: The CA MUST independently verify that the Third-Party Validator is a legally-qualified Latin Notary or Notary (or legal equivalent in the Applicant's jurisdiction), lawyer, or accountant in the jurisdiction of the Individual's residency, and that the Third-Party Validator actually did perform the services and did attest to the signature of the Individual. - - C. 
**Cross-checking of Information**: The CA MUST obtain the signed and attested Personal Statement together with the attested copy of the current signed government-issued photo identification document. The CA MUST review the documentation to determine that the information is consistent, matches the information in the application, and identifies the Individual. The CA MAY rely on electronic copies of this documentation, provided that: - - i. the CA confirms their authenticity (not improperly modified when compared with the underlying original) with the Third-Party Validator; and - ii. electronic copies of similar kinds of documents are recognized as legal substitutes for originals under the laws of the CA's jurisdiction. - -5. **Non-Commercial Entity Subjects (International Organization)**: Unless verified under subsection (6), all items listed in [Section 11.2.1](#1121-verification-requirements) (4) MUST be verified either: - - A. With reference to the constituent document under which the International Organization was formed; or - B. Directly with a signatory country's government in which the CA is permitted to do business. Such verification may be obtained from an appropriate government agency or from the laws of that country, or by verifying that the country's government has a mission to represent it at the International Organization; or - C. Directly against any current list of qualified entities that the CA/Browser Forum may maintain at www.cabforum.org. - D. In cases where the International Organization applying for the EV Certificate is an organ or agency - including a non-governmental organization of a verified International Organization, then the CA may verify the International Organization Applicant directly with the verified umbrella International Organization of which the Applicant is an organ or agency. - -6. The CA may rely on a Verified Professional Letter to establish the Applicant's information listed in (1)-(5) above if: - - i. 
the Verified Professional Letter includes a copy of supporting documentation used to establish the Applicant's legal existence, such as a certificate of registration, articles of incorporation, operating agreement, statute, or regulatory act, and - ii. the CA confirms the Applicant's organization name specified in the Verified Professional Letter with a QIIS or QGIS. - -## 11.3. Verification of Applicant's Legal Existence and Identity – Assumed Name - -### 11.3.1. Verification Requirements - -If, in addition to the Applicant's formal legal name, as recorded with the applicable Incorporating Agency or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration, the Applicant's identity, as asserted in the EV Certificate, is to contain any assumed name (also known as "doing business as", "DBA", or "d/b/a" in the US, and "trading as" in the UK) under which the Applicant conducts business, the CA MUST verify that: - - i. the Applicant has registered its use of the assumed name with the appropriate government agency for such filings in the jurisdiction of its Place of Business (as verified in accordance with these Guidelines), and - ii. that such filing continues to be valid. - -### 11.3.2. Acceptable Method of Verification - -To verify any assumed name under which the Applicant conducts business: - -1. The CA MAY verify the assumed name through use of a Qualified Government Information Source operated by, or on behalf of, an appropriate government agency in the jurisdiction of the Applicant's Place of Business, or by direct contact with such government agency in person or via mail, e-mail, Web address, or telephone; or -2. The CA MAY verify the assumed name through use of a Qualified Independent Information Source provided that the QIIS has verified the assumed name with the appropriate government agency. -3. 
The CA MAY rely on a Verified Professional Letter that indicates the assumed name under which the Applicant conducts business, the government agency with which the assumed name is registered, and that such filing continues to be valid. - -## 11.4. Verification of Applicant's Physical Existence - -### 11.4.1. Address of Applicant's Place of Business - -1. **Verification Requirements**: To verify the Applicant's physical existence and business presence, the CA MUST verify that the physical address provided by the Applicant is an address where the Applicant or a Parent/Subsidiary Company conducts business operations (not, for example, a mail drop or P.O. box, or 'care of' (C/O) address, such as an address for an agent of the Organization), and is the address of the Applicant's Place of Business. - -2. **Acceptable Methods of Verification** - - A. **Place of Business in the Country of Incorporation or Registration** - - i. For Applicants whose Place of Business is in the same country as the Applicant's Jurisdiction of Incorporation or Registration and whose Place of Business is NOT the same as that indicated in the relevant Qualified Government Information Source used in [Section 11.2](#112-verification-of-applicants-legal-existence-and-identity) to verify legal existence: - - 1. For Applicants listed at the same Place of Business address in the current version of either at least one QGIS (other than that used to verify legal existence), QIIS or QTIS, the CA MUST confirm that the Applicant's address, as listed in the EV Certificate Request, is a valid business address for the Applicant or a Parent/Subsidiary Company by reference to such QGIS, QIIS, or QTIS, and MAY rely on the Applicant's representation that such address is its Place of Business; - - 2. 
For Applicants who are not listed at the same Place of Business address in the current version of either at least one QIIS or QTIS, the CA MUST confirm that the address provided by the Applicant in the EV Certificate Request is the Applicant's or a Parent/Subsidiary Company's business address, by obtaining documentation of a site visit to the business address, which MUST be performed by a reliable individual or firm. The documentation of the site visit MUST: - - a. Verify that the Applicant's business is located at the exact address stated in the EV Certificate Request (e.g., via permanent signage, employee confirmation, etc.), - b. Identify the type of facility (e.g., office in a commercial building, private residence, storefront, etc.) and whether it appears to be a permanent business location, - c. Indicate whether there is a permanent sign (that cannot be moved) that identifies the Applicant, - d. Indicate whether there is evidence that the Applicant is conducting ongoing business activities at the site (not that it is just, for example, a mail drop, P.O. box, etc.), and - e. Include one or more photos of - i. the exterior of the site (showing signage indicating the Applicant's name, if present, and showing the street address if possible), and - ii. the interior reception area or workspace. - - ii. For all Applicants, the CA MAY alternatively rely on a Verified Professional Letter that indicates the address of the Applicant's or a Parent/Subsidiary Company's Place of Business and that business operations are conducted there. - iii. For Government Entity Applicants, the CA MAY rely on the address contained in the records of the QGIS in the Applicant's jurisdiction. - iv. 
For Applicants whose Place of Business is in the same country as the Applicant's Jurisdiction of Incorporation or Registration and where the QGIS used in [Section 11.2](#112-verification-of-applicants-legal-existence-and-identity) to verify legal existence contains a business address for the Applicant, the CA MAY rely on the address in the QGIS to confirm the Applicant's or a Parent/Subsidiary Company's address as listed in the EV Certificate Request, and MAY rely on the Applicant's representation that such address is its Place of Business. - - B. **Place of Business not in the Country of Incorporation or Registration**: The CA MUST rely on a Verified Professional Letter that indicates the address of the Applicant's Place of Business and that business operations are conducted there. - -## 11.5. Verified Method of Communication - -### 11.5.1. Verification Requirements - -To assist in communicating with the Applicant and confirming that the Applicant is aware of and approves issuance, the CA MUST verify a telephone number, fax number, email address, or postal delivery address as a Verified Method of Communication with the Applicant. - -### 11.5.2. Acceptable Methods of Verification - -To verify a Verified Method of Communication with the Applicant, the CA MUST: - -A. Verify that the Verified Method of Communication belongs to the Applicant, or a Parent/Subsidiary or Affiliate of the Applicant, by matching it with one of the Applicant's Parent/Subsidiary or Affiliate's Places of Business in: - - i. records provided by the applicable phone company; - ii. a QGIS, QTIS, or QIIS; or - iii. a Verified Professional Letter; and - -B. Confirm the Verified Method of Communication by using it to obtain an affirmative response sufficient to enable a reasonable person to conclude that the Applicant, or a Parent/Subsidiary or Affiliate of Applicant, can be contacted reliably by using the Verified Method of Communication. - -## 11.6. 
Verification of Applicant's Operational Existence - -### 11.6.1. Verification Requirements - -The CA MUST verify that the Applicant has the ability to engage in business by verifying the Applicant's, or Affiliate/Parent/Subsidiary Company's, operational existence. The CA MAY rely on its verification of a Government Entity's legal existence under [Section 11.2](#112-verification-of-applicants-legal-existence-and-identity) as verification of a Government Entity's operational existence. - -### 11.6.2. Acceptable Methods of Verification - -To verify the Applicant's ability to engage in business, the CA MUST verify the operational existence of the Applicant, or its Affiliate/Parent/Subsidiary Company, by: - -1. Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company has been in existence for at least three years, as indicated by the records of an Incorporating Agency or Registration Agency; - -2. Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company is listed in either a current QIIS or QTIS; - -3. Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company has an active current Demand Deposit Account with a Regulated Financial Institution by receiving authenticated documentation of the Applicant's, Affiliate's, Parent Company's, or Subsidiary Company's Demand Deposit Account directly from a Regulated Financial Institution; or - -4. Relying on a Verified Professional Letter to the effect that the Applicant has an active current Demand Deposit Account with a Regulated Financial Institution. - -## 11.7. Verification of Applicant's Domain Name - -### 11.7.1. Verification Requirements - -1. 
For each Fully-Qualified Domain Name listed in a Certificate which is not an Onion Domain Name, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant (or the Applicant's Parent Company, Subsidiary Company, or Affiliate, collectively referred to as "Applicant" for the purposes of this section) either is the Domain Name Registrant or has control over the FQDN using a procedure specified in Section 3.2.2.4 of the Baseline Requirements. For a Certificate issued to an Onion Domain Name, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant's control over the Onion Domain Name in accordance with Appendix B of the Baseline Requirements. - -2. **Mixed Character Set Domain Names**: EV Certificates MAY include Domain Names containing mixed character sets only in compliance with the rules set forth by the domain registrar. The CA MUST visually compare any Domain Names with mixed character sets with known high risk domains. If a similarity is found, then the EV Certificate Request MUST be flagged as High Risk. The CA must perform reasonably appropriate additional authentication and verification to be certain beyond reasonable doubt that the Applicant and the target in question are the same organization. - -## 11.8. Verification of Name, Title, and Authority of Contract Signer and Certificate Approver - -### 11.8.1. Verification Requirements - -For both the Contract Signer and the Certificate Approver, the CA MUST verify the following. - -1. **Name, Title and Agency**: The CA MUST verify the name and title of the Contract Signer and the Certificate Approver, as applicable. The CA MUST also verify that the Contract Signer and the Certificate Approver are agents representing the Applicant. -2. 
**Signing Authority of Contract Signer**: The CA MUST verify that the Contract Signer is authorized by the Applicant to enter into the Subscriber Agreement (and any other relevant contractual obligations) on behalf of the Applicant, including a contract that designates one or more Certificate Approvers on behalf of the Applicant. -3. **EV Authority of Certificate Approver**: The CA MUST verify, through a source other than the Certificate Approver him- or herself, that the Certificate Approver is expressly authorized by the Applicant to do the following, as of the date of the EV Certificate Request: - - A. Submit, and, if applicable, authorize a Certificate Requester to submit, the EV Certificate Request on behalf of the Applicant; and - B. Provide, and, if applicable, authorize a Certificate Requester to provide, the information requested from the Applicant by the CA for issuance of the EV Certificate; and - C. Approve EV Certificate Requests submitted by a Certificate Requester. - -### 11.8.2. Acceptable Methods of Verification – Name, Title and Agency - -Acceptable methods of verification of the name, title, and agency status of the Contract Signer and the Certificate Approver include the following. - -1. **Name and Title**: The CA MAY verify the name and title of the Contract Signer and the Certificate Approver by any appropriate method designed to provide reasonable assurance that a person claiming to act in such a role is in fact the named person designated to act in such role. - -2. **Agency**: The CA MAY verify the agency of the Contract Signer and the Certificate Approver by: - - A. Contacting the Applicant using a Verified Method of Communication for the Applicant, and obtaining confirmation that the Contract Signer and/or the Certificate Approver, as applicable, is an employee; - B. 
Obtaining an Independent Confirmation From the Applicant (as described in [Section 11.11.4](#11114-independent-confirmation-from-applicant)), or a Verified Professional Letter verifying that the Contract Signer and/or the Certificate Approver, as applicable, is either an employee or has otherwise been appointed as an agent of the Applicant; or - C. Obtaining confirmation from a QIIS or QGIS that the Contract Signer and/or Certificate Approver is an employee of the Applicant. - - The CA MAY also verify the agency of the Certificate Approver via a certification from the Contract Signer (including in a contract between the CA and the Applicant signed by the Contract Signer), provided that the employment or agency status and Signing Authority of the Contract Signer has been verified. - -### 11.8.3. Acceptable Methods of Verification – Authority - -Acceptable methods of verification of the Signing Authority of the Contract Signer, and the EV Authority of the Certificate Approver, as applicable, include: - -1. **Verified Professional Letter**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by reliance on a Verified Professional Letter; -2. **Corporate Resolution**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by reliance on a properly authenticated corporate resolution that confirms that the person has been granted such Signing Authority, provided that such resolution is - - i. certified by the appropriate corporate officer (e.g., secretary), and - ii. the CA can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification; - -3. 
**Independent Confirmation from Applicant**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by obtaining an Independent Confirmation from the Applicant (as described in [Section 11.11.4](#11114-independent-confirmation-from-applicant)); -4. **Contract between CA and Applicant**: The EV Authority of the Certificate Approver MAY be verified by reliance on a contract between the CA and the Applicant that designates the Certificate Approver with such EV Authority, provided that the contract is signed by the Contract Signer and provided that the agency and Signing Authority of the Contract Signer have been verified; -5. **Prior Equivalent Authority**: The signing authority of the Contract Signer, and/or the EV authority of the Certificate Approver, MAY be verified by relying on a demonstration of Prior Equivalent Authority. - - A. Prior Equivalent Authority of a Contract Signer MAY be relied upon for confirmation or verification of the signing authority of the Contract Signer when the Contract Signer has executed a binding contract between the CA and the Applicant with a legally valid and enforceable seal or handwritten signature and only when the contract was executed more than 90 days prior to the EV Certificate application. The CA MUST record sufficient details of the previous agreement to correctly identify it and associate it with the EV application. Such details MAY include any of the following: - - i. Agreement title, - ii. Date of Contract Signer's signature, - iii. Contract reference number, and - iv. Filing location. - - B. Prior Equivalent Authority of a Certificate Approver MAY be relied upon for confirmation or verification of the EV Authority of the Certificate Approver when the Certificate Approver has performed one or more of the following: - - i. Under contract to the CA, has served (or is serving) as an Enterprise RA for the Applicant, or - ii. 
Has participated in the approval of one or more certificate requests, for certificates issued by the CA and which are currently and verifiably in use by the Applicant. In this case the CA MUST have contacted the Certificate Approver by phone at a previously validated phone number or have accepted a signed and notarized letter approving the certificate request. - -6. **QIIS or QGIS**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by a QIIS or QGIS that identifies the Contract Signer and/or the Certificate Approver as a corporate officer, sole proprietor, or other senior official of the Applicant. - -7. **Contract Signer's Representation/Warranty**: Provided that the CA verifies that the Contract Signer is an employee or agent of the Applicant, the CA MAY rely on the signing authority of the Contract Signer by obtaining a duly executed representation or warranty from the Contract Signer that includes the following acknowledgments: - - A. That the Applicant authorizes the Contract Signer to sign the Subscriber Agreement on the Applicant's behalf, - B. That the Subscriber Agreement is a legally valid and enforceable agreement, - C. That, upon execution of the Subscriber Agreement, the Applicant will be bound by all of its terms and conditions, - D. That serious consequences attach to the misuse of an EV certificate, and - E. The contract signer has the authority to obtain the digital equivalent of a corporate seal, stamp or officer's signature to establish the authenticity of the company's Web site. - -Note: An example of an acceptable representation/warranty appears in [Appendix E](#appendix-e---sample-contract-signers-representationwarranty-informative). - -### 11.8.4. Pre-Authorized Certificate Approver - -Where the CA and Applicant contemplate the submission of multiple future EV Certificate Requests, then, after the CA: - -1. 
Has verified the name and title of the Contract Signer and that he/she is an employee or agent of the Applicant; and - -2. Has verified the Signing Authority of such Contract Signer in accordance with one of the procedures in [Section 11.8.3](#1183-acceptable-methods-of-verification--authority). - -The CA and the Applicant MAY enter into a written agreement, signed by the Contract Signer on behalf of the Applicant, whereby, for a specified term, the Applicant expressly authorizes one or more Certificate Approver(s) designated in such agreement to exercise EV Authority with respect to each future EV Certificate Request submitted on behalf of the Applicant and properly authenticated as originating with, or otherwise being approved by, such Certificate Approver(s). - -Such an agreement MUST provide that the Applicant shall be obligated under the Subscriber Agreement for all EV Certificates issued at the request of, or approved by, such Certificate Approver(s) until such EV Authority is revoked, and MUST include mutually agreed-upon provisions for: - - i. authenticating the Certificate Approver when EV Certificate Requests are approved, - ii. periodic re-confirmation of the EV Authority of the Certificate Approver, - iii. secure procedures by which the Applicant can notify the CA that the EV Authority of any such Certificate Approver is revoked, and - iv. such other appropriate precautions as are reasonably necessary. - -## 11.9. Verification of Signature on Subscriber Agreement and EV Certificate Requests - -Both the Subscriber Agreement and each non-pre-authorized EV Certificate Request MUST be signed. The Subscriber Agreement MUST be signed by an authorized Contract Signer. The EV Certificate Request MUST be signed by the Certificate Requester submitting the document, unless the Certificate Request has been pre-authorized in line with [Section 11.8.4](#1184-pre-authorized-certificate-approver). 
If the Certificate Requester is not also an authorized Certificate Approver, then an authorized Certificate Approver MUST independently approve the EV Certificate Request. In all cases, applicable signatures MUST be a legally valid and contain an enforceable seal or handwritten signature (for a paper Subscriber Agreement and/or EV Certificate Request), or a legally valid and enforceable electronic signature (for an electronic Subscriber Agreement and/or EV Certificate Request), that binds the Applicant to the terms of each respective document. - -### 11.9.1. Verification Requirements - -1. **Signature**: The CA MUST authenticate the signature of the Contract Signer on the Subscriber Agreement and the signature of the Certificate Requester on each EV Certificate Request in a manner that makes it reasonably certain that the person named as the signer in the applicable document is, in fact, the person who signed the document on behalf of the Applicant. - -2. **Approval Alternative**: In cases where an EV Certificate Request is signed and submitted by a Certificate Requester who does not also function as a Certificate Approver, approval and adoption of the EV Certificate Request by a Certificate Approver in accordance with the requirements of [Section 11.10](#1110-verification-of-approval-of-ev-certificate-request) can substitute for authentication of the signature of the Certificate Requester on such EV Certificate Request. - -### 11.9.2. Acceptable Methods of Signature Verification - -Acceptable methods of authenticating the signature of the Certificate Requester or Contract Signer include the following: - -1. Contacting the Applicant using a Verified Method of Communication for the Applicant, for the attention of the Certificate Requester or Contract Signer, as applicable, followed by a response from someone who identifies themselves as such person confirming that he/she did sign the applicable document on behalf of the Applicant; - -2. 
A letter mailed to the Applicant's or Agent's address, as verified through independent means in accordance with these Guidelines, for the attention of the Certificate Requester or Contract Signer, as applicable, followed by a response through a Verified Method of Communication from someone who identifies themselves as such person confirming that he/she did sign the applicable document on behalf of the Applicant; - -3. Use of a signature process that establishes the name and title of the signer in a secure manner, such as through use of an appropriately secure login process that identifies the signer before signing, or through use of a digital signature made with reference to an appropriately verified certificate; or - -4. Notarization by a notary, provided that the CA independently verifies that such notary is a legally qualified notary in the jurisdiction of the Certificate Requester or Contract Signer. - -## 11.10. Verification of Approval of EV Certificate Request - -### 11.10.1. Verification Requirements - -In cases where an EV Certificate Request is submitted by a Certificate Requester, before the CA issues the requested EV Certificate, the CA MUST verify that an authorized Certificate Approver reviewed and approved the EV Certificate Request. - -### 11.10.2. Acceptable Methods of Verification - -Acceptable methods of verifying the Certificate Approver's approval of an EV Certificate Request include: - -1. Contacting the Certificate Approver using a Verified Method of Communication for the Applicant and obtaining oral or written confirmation that the Certificate Approver has reviewed and approved the EV Certificate Request; -2. Notifying the Certificate Approver that one or more new EV Certificate Requests are available for review and approval at a designated access-controlled and secure Web site, followed by a login by, and an indication of approval from, the Certificate Approver in the manner required by the Web site; or -3. 
Verifying the signature of the Certificate Approver on the EV Certificate Request in accordance with [Section 11.9](#119-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests). - -## 11.11. Verification of Certain Information Sources - -### 11.11.1. Verified Legal Opinion - -1. **Verification Requirements**: Before relying on a legal opinion submitted to the CA, the CA MUST verify that such legal opinion meets the following requirements: - - A. **Status of Author**: The CA MUST verify that the legal opinion is authored by an independent legal practitioner retained by and representing the Applicant (or an in-house legal practitioner employed by the Applicant) (Legal Practitioner) who is either: - - i. A lawyer (or solicitor, barrister, advocate, or equivalent) licensed to practice law in the country of the Applicant's Jurisdiction of Incorporation or Registration or any jurisdiction where the Applicant maintains an office or physical facility, or - ii. A Latin Notary who is currently commissioned or licensed to practice in the country of the Applicant's Jurisdiction of Incorporation or Registration or any jurisdiction where the Applicant maintains an office or physical facility (and that such jurisdiction recognizes the role of the Latin Notary); - - B. **Basis of Opinion**: The CA MUST verify that the Legal Practitioner is acting on behalf of the Applicant and that the conclusions of the Verified Legal Opinion are based on the Legal Practitioner's stated familiarity with the relevant facts and the exercise of the Legal Practitioner's professional judgment and expertise; - C. **Authenticity**: The CA MUST confirm the authenticity of the Verified Legal Opinion. - -2. **Acceptable Methods of Verification**: Acceptable methods of establishing the foregoing requirements for a Verified Legal Opinion are: - - A. 
**Status of Author**: The CA MUST verify the professional status of the author of the legal opinion by directly contacting the authority responsible for registering or licensing such Legal Practitioner(s) in the applicable jurisdiction; - B. **Basis of Opinion**: The text of the legal opinion MUST make it clear that the Legal Practitioner is acting on behalf of the Applicant and that the conclusions of the legal opinion are based on the Legal Practitioner's stated familiarity with the relevant facts and the exercise of the practitioner's professional judgment and expertise. The legal opinion MAY also include disclaimers and other limitations customary in the Legal Practitioner's jurisdiction, provided that the scope of the disclaimed responsibility is not so great as to eliminate any substantial risk (financial, professional, and/or reputational) to the Legal Practitioner, should the legal opinion prove to be erroneous. An acceptable form of legal opinion is attached as [Appendix B](#appendix-b---sample-attorney-opinions-confirming-specified-information); - C. **Authenticity**: To confirm the authenticity of the legal opinion, the CA MUST make a telephone call or send a copy of the legal opinion back to the Legal Practitioner at the address, phone number, facsimile, or (if available) e-mail address for the Legal Practitioner listed with the authority responsible for registering or licensing such Legal Practitioner, and obtain confirmation from the Legal Practitioner or the Legal Practitioner's assistant that the legal opinion is authentic. If a phone number is not available from the licensing authority, the CA MAY use the number listed for the Legal Practitioner in records provided by the applicable phone company, QGIS, or QIIS. 
- - In circumstances where the opinion is digitally signed, in a manner that confirms the authenticity of the document and the identity of the signer, as verified by the CA in [Section 11.11.1](#11111-verified-legal-opinion) (2)(A), no further verification of authenticity is required. - -### 11.11.2. Verified Accountant Letter - -1. **Verification Requirements**: Before relying on an accountant letter submitted to the CA, the CA MUST verify that such accountant letter meets the following requirements: - - A. **Status of Author**: The CA MUST verify that the accountant letter is authored by an Accounting Practitioner retained or employed by the Applicant and licensed within the country of the Applicant's Jurisdiction of Incorporation, Jurisdiction of Registration, or country where the Applicant maintains an office or physical facility. Verification of license MUST be through the member organization or regulatory organization in the Accounting Practitioner's country or jurisdiction that is appropriate to contact when verifying an accountant's license to practice in that country or jurisdiction. Such country or jurisdiction must have an accounting standards body that maintains full membership status with the International Federation of Accountants. - B. **Basis of Opinion**: The CA MUST verify that the Accounting Practitioner is acting on behalf of the Applicant and that the conclusions of the Verified Accountant Letter are based on the Accounting Practitioner's stated familiarity with the relevant facts and the exercise of the Accounting Practitioner's professional judgment and expertise; - C. **Authenticity**: The CA MUST confirm the authenticity of the Verified Accountant Letter. - -2. **Acceptable Methods of Verification**: Acceptable methods of establishing the foregoing requirements for a Verified Accountant Letter are listed here. - - A. 
**Status of Author**: The CA MUST verify the professional status of the author of the accountant letter by directly contacting the authority responsible for registering or licensing such Accounting Practitioners in the applicable jurisdiction. - B. **Basis of Opinion**: The text of the Verified Accountant Letter MUST make clear that the Accounting Practitioner is acting on behalf of the Applicant and that the information in the letter is based on the Accounting Practitioner's stated familiarity with the relevant facts and the exercise of the practitioner's professional judgment and expertise. The Verified Accountant Letter MAY also include disclaimers and other limitations customary in the Accounting Practitioner's jurisdiction, provided that the scope of the disclaimed responsibility is not so great as to eliminate any substantial risk (financial, professional, and/or reputational) to the Accounting Practitioner, should the Verified Accountant Letter prove to be erroneous. Acceptable forms of Verified Accountant Letter are attached as [Appendix C](#appendix-c---sample-accountant-letters-confirming-specified-information). - C. **Authenticity**: To confirm the authenticity of the accountant's opinion, the CA MUST make a telephone call or send a copy of the Verified Accountant Letter back to the Accounting Practitioner at the address, phone number, facsimile, or (if available) e-mail address for the Accounting Practitioner listed with the authority responsible for registering or licensing such Accounting Practitioners and obtain confirmation from the Accounting Practitioner or the Accounting Practitioner's assistant that the accountant letter is authentic. If a phone number is not available from the licensing authority, the CA MAY use the number listed for the Accountant in records provided by the applicable phone company, QGIS, or QIIS. 
- - In circumstances where the opinion is digitally signed, in a manner that confirms the authenticity of the document and the identity of the signer, as verified by the CA in [Section 11.11.2](#11112-verified-accountant-letter) (2)(A), no further verification of authenticity is required. - -### 11.11.3. Face-to-Face Validation - -1. **Verification Requirements**: Before relying on face-to-face vetting documents submitted to the CA, the CA MUST verify that the Third-Party Validator meets the following requirements: - - A. **Qualification of Third-Party Validator**: The CA MUST independently verify that the Third-Party Validator is a legally-qualified Latin Notary or Notary (or legal equivalent in the Applicant's jurisdiction), Lawyer, or Accountant in the jurisdiction of the individual's residency; - B. **Document Chain of Custody**: The CA MUST verify that the Third-Party Validator viewed the Vetting Documents in a face-to-face meeting with the individual being validated; - C. **Verification of Attestation**: If the Third-Party Validator is not a Latin Notary, then the CA MUST confirm the authenticity of the attestation and vetting documents. - -2. **Acceptable Methods of Verification**: Acceptable methods of establishing the foregoing requirements for vetting documents are: - - A. **Qualification of Third-Party Validator**: The CA MUST verify the professional status of the Third-Party Validator by directly contacting the authority responsible for registering or licensing such Third-Party Validators in the applicable jurisdiction; - B. **Document Chain of Custody**: The Third-Party Validator MUST submit a statement to the CA which attests that they obtained the Vetting Documents submitted to the CA for the individual during a face-to-face meeting with the individual; - C. **Verification of Attestation**: If the Third-Party Validator is not a Latin Notary, then the CA MUST confirm the authenticity of the vetting documents received from the Third-Party Validator. 
The CA MUST make a telephone call to the Third-Party Validator and obtain confirmation from them or their assistant that they performed the face-to-face validation. The CA MAY rely upon self-reported information obtained from the Third-Party Validator for the sole purpose of performing this verification process. In circumstances where the attestation is digitally signed, in a manner that confirms the authenticity of the documents, and the identity of the signer as verified by the CA in [Section 11.11.3](#11113-face-to-face-validation) (1)(A), no further verification of authenticity is required. - -### 11.11.4. Independent Confirmation From Applicant - -An Independent Confirmation from the Applicant is a confirmation of a particular fact (e.g., confirmation of the employee or agency status of a Contract Signer or Certificate Approver, confirmation of the EV Authority of a Certificate Approver, etc.) that is: - -A. Received by the CA from a Confirming Person (someone other than the person who is the subject of the inquiry) that has the appropriate authority to confirm such a fact, and who represents that he/she has confirmed such fact; -B. Received by the CA in a manner that authenticates and verifies the source of the confirmation; and -C. Binding on the Applicant. - -An Independent Confirmation from the Applicant MAY be obtained via the following procedure: - -1. **Confirmation Request**: The CA MUST initiate a Confirmation Request via an appropriate out-of-band communication, requesting verification or confirmation of the particular fact at issue as follows: - - A. **Addressee**: The Confirmation Request MUST be directed to: - - i. A position within the Applicant's organization that qualifies as a Confirming Person (e.g., Secretary, President, CEO, CFO, COO, CIO, CSO, Director, etc.) 
and is identified by name and title in a current QGIS, QIIS, QTIS, Verified Legal Opinion, Verified Accountant Letter, or by contacting the Applicant using a Verified Method of Communication; or - ii. The Applicant's Registered Agent or Registered Office in the Jurisdiction of Incorporation as listed in the official records of the Incorporating Agency, with instructions that it be forwarded to an appropriate Confirming Person; or - iii. A named individual verified to be in the direct line of management above the Contract Signer or Certificate Approver by contacting the Applicant's Human Resources Department by phone or mail (at the phone number or address for the Applicant's Place of Business, verified in accordance with these Guidelines). - - B. **Means of Communication**: The Confirmation Request MUST be directed to the Confirming Person in a manner reasonably likely to reach such person. The following options are acceptable: - - i. By paper mail addressed to the Confirming Person at: - - 1. The address of the Applicant's Place of Business as verified by the CA in accordance with these Guidelines, or - 2. The business address for such Confirming Person specified in a current QGIS, QTIS, QIIS, Verified Professional Letter, or - 3. The address of the Applicant's Registered Agent or Registered Office listed in the official records of the Jurisdiction of Incorporation, or - - ii. By e-mail addressed to the Confirming Person at the business e-mail address for such person listed in a current QGIS, QTIS, QIIS, Verified Legal Opinion, or Verified Accountant Letter; or - iii. By telephone call to the Confirming Person, where such person is contacted by calling the main phone number of the Applicant's Place of Business (verified in accordance with these Guidelines) and asking to speak to such person, and a person taking the call identifies him- or herself as such person; or - iv. By facsimile to the Confirming Person at the Place of Business. 
The facsimile number must be listed in a current QGIS, QTIS, QIIS, Verified Legal Opinion, or Verified Accountant Letter. The cover page must be clearly addressed to the Confirming Person. - -2. **Confirmation Response**: The CA MUST receive a response to the Confirmation Request from a Confirming Person that confirms the particular fact at issue. Such response MAY be provided to the CA by telephone, by e-mail, or by paper mail, so long as the CA can reliably verify that it was provided by a Confirming Person in response to the Confirmation Request. - -3. The CA MAY rely on a verified Confirming Person to confirm their own contact information: email address, telephone number, and facsimile number. The CA MAY rely on this verified contact information for future correspondence with the Confirming Person if: - - A. The domain of the e-mail address is owned by the Applicant and is the Confirming Person's own e-mail address and not a group e-mail alias; - B. The Confirming Person's telephone/fax number is verified by the CA to be a telephone number that is part of the organization's telephone system, and is not the personal phone number for the person. - -### 11.11.5. Qualified Independent Information Source - -A Qualified Independent Information Source (QIIS) is a regularly-updated and publicly available database that is generally recognized as a dependable source for certain information. A database qualifies as a QIIS if the CA determines that: - -1. Industries other than the certificate industry rely on the database for accurate location, contact, or other information; and - -2. The database provider updates its data on at least an annual basis. - -The CA SHALL use a documented process to check the accuracy of the database and ensure its data is acceptable, including reviewing the database provider's terms of use. The CA SHALL NOT use any data in a QIIS that the CA knows is - - i. self-reported and - ii. not verified by the QIIS as accurate. 
- -Databases in which the CA or its owners or affiliated companies maintain a controlling interest, or in which any Registration Authorities or subcontractors to whom the CA has outsourced any portion of the vetting process (or their owners or affiliated companies) maintain any ownership or beneficial interest, do not qualify as a QIIS. - -### 11.11.6. Qualified Government Information Source - -A Qualified Government Information Source (QGIS) is a regularly-updated and current, publicly available, database designed for the purpose of accurately providing the information for which it is consulted, and which is generally recognized as a dependable source of such information provided that it is maintained by a Government Entity, the reporting of data is required by law, and false or misleading reporting is punishable with criminal or civil penalties. Nothing in these Guidelines shall prohibit the use of third-party vendors to obtain the information from the Government Entity provided that the third party obtains the information directly from the Government Entity. - -### 11.11.7. Qualified Government Tax Information Source - -A Qualified Government Tax Information Source is a Qualified Government Information Source that specifically contains tax information relating to Private Organizations, Business Entities or Individuals (e.g., the IRS in the United States). - -## 11.12. Other Verification Requirements - -### 11.12.1. High Risk Status - -The High Risk Certificate requirements of Section 4.2.1 of the Baseline Requirements apply equally to EV Certificates. - -### 11.12.2. Denied Lists and Other Legal Block Lists - -1. **Verification Requirements**: The CA MUST verify whether the Applicant, the Contract Signer, the Certificate Approver, the Applicant's Jurisdiction of Incorporation, Registration, or Place of Business: - - A. 
Is identified on any government denied list, list of prohibited persons, or other list that prohibits doing business with such organization or person under the laws of the country of the CA's jurisdiction(s) of operation; or - B. Has its Jurisdiction of Incorporation, Registration, or Place of Business in any country with which the laws of the CA's jurisdiction prohibit doing business. - - The CA MUST NOT issue any EV Certificate to the Applicant if either the Applicant, the Contract Signer, or Certificate Approver or if the Applicant's Jurisdiction of Incorporation or Registration or Place of Business is on any such list. - -2. **Acceptable Methods of Verification** The CA MUST take reasonable steps to verify with the following lists and regulations: - - A. If the CA has operations in the U.S., the CA MUST take reasonable steps to verify with the following US Government denied lists and regulations: - - i. BIS Denied Persons List - [https://www.bis.doc.gov/index.php/the-denied-persons-list](https://www.bis.doc.gov/index.php/the-denied-persons-list) - ii. BIS Denied Entities List - [https://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern/entity-list](https://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern/entity-list) - iii. US Treasury Department List of Specially Designated Nationals and Blocked Persons - [https://www.treasury.gov/resource-center/sanctions/sdn-list/pages/default.aspx](https://www.treasury.gov/resource-center/sanctions/sdn-list/pages/default.aspx) - iv. US Government export regulations - - B. If the CA has operations in any other country, the CA MUST take reasonable steps to verify with all equivalent denied lists and export regulations (if any) in such other country. - -### 11.12.3. 
Parent/Subsidiary/Affiliate Relationship - -A CA verifying an Applicant using information of the Applicant's Parent, Subsidiary, or Affiliate, when allowed under [Section 11.4.1](#1141-address-of-applicants-place-of-business), [Section 11.5](#115-verified-method-of-communication), [Section 11.6.1](#1161-verification-requirements), or [Section 11.7.1](#1171-verification-requirements), MUST verify the Applicant's relationship to the Parent, Subsidiary, or Affiliate. Acceptable methods of verifying the Applicant's relationship to the Parent, Subsidiary, or Affiliate include the following: - -1. QIIS or QGIS: The relationship between the Applicant and the Parent, Subsidiary, or Affiliate is identified in a QIIS or QGIS; -2. Independent Confirmation from the Parent, Subsidiary, or Affiliate: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by obtaining an Independent Confirmation from the appropriate Parent, Subsidiary, or Affiliate (as described in [Section 11.11.4](#11114-independent-confirmation-from-applicant)); -3. Contract between CA and Parent, Subsidiary, or Affiliate: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by relying on a contract between the CA and the Parent, Subsidiary, or Affiliate that designates the Certificate Approver with such EV Authority, provided that the contract is signed by the Contract Signer and provided that the agency and Signing Authority of the Contract Signer have been verified; -4. Verified Professional Letter: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by relying on a Verified Professional Letter; or -5. Corporate Resolution: A CA MAY verify the relationship between an Applicant and a Subsidiary by relying on a properly authenticated corporate resolution that approves creation of the Subsidiary or the Applicant, provided that such resolution is: - - i. 
certified by the appropriate corporate officer (e.g., secretary), and - ii. the CA can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification. - -## 11.13. Final Cross-Correlation and Due Diligence - -1. The results of the verification processes and procedures outlined in these Guidelines are intended to be viewed both individually and as a group. Thus, after all of the verification processes and procedures are completed, the CA MUST have a person who is not responsible for the collection of information review all of the information and documentation assembled in support of the EV Certificate application and look for discrepancies or other details requiring further explanation. -2. The CA MUST obtain and document further explanation or clarification from the Applicant, Certificate Approver, Certificate Requester, Qualified Independent Information Sources, and/or other sources of information, as necessary, to resolve those discrepancies or details that require further explanation. -3. The CA MUST refrain from issuing an EV Certificate until the entire corpus of information and documentation assembled in support of the EV Certificate Request is such that issuance of the EV Certificate will not communicate factual information that the CA knows, or the exercise of due diligence should discover from the assembled information and documentation, to be inaccurate,. If satisfactory explanation and/or additional documentation are not received within a reasonable time, the CA MUST decline the EV Certificate Request and SHOULD notify the Applicant accordingly. -4. 
In the case where some or all of the documentation used to support the application is in a language other than the CA's normal operating language, the CA or its Affiliate MUST perform the requirements of this Final Cross-Correlation and Due Diligence section using employees under its control and having appropriate training, experience, and judgment in confirming organizational identification and authorization and fulfilling all qualification requirements contained in [Section 14.1](#141-trustworthiness-and-competence). When employees under the control of the CA do not possess the language skills necessary to perform the Final Cross-Correlation and Due Diligence a CA MAY: - - A. Rely on language translations of the relevant portions of the documentation, provided that the translations are received from a Translator; or - B. When the CA has utilized the services of an RA, the CA MAY rely on the language skills of the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with [Section 11.13](#1113-final-cross-correlation-and-due-diligence), Subsections (1), (2) and (3). Notwithstanding the foregoing, prior to issuing the EV Certificate, the CA MUST review the work completed by the RA and determine that all requirements have been met; or - C. When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 17.5](#175-regular-self-audits) and [Section 17.6](#176-auditor-qualification). - -In the case of EV Certificates to be issued in compliance with the requirements of [Section 14.2](#142-delegation-of-functions-to-registration-authorities-and-subcontractors), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. - -## 11.14. 
Requirements for Re-use of Existing Documentation - -For each EV Certificate Request, including requests to renew existing EV Certificates, the CA MUST perform all authentication and verification tasks required by these Guidelines to ensure that the request is properly authorized by the Applicant and that the information in the EV Certificate is still accurate and valid. This section sets forth the age limitations on for the use of documentation collected by the CA. - -### 11.14.1. Validation For Existing Subscribers - -If an Applicant has a currently valid EV Certificate issued by the CA, a CA MAY rely on its prior authentication and verification of: - -1. The Principal Individual verified under [Section 11.2.2](#1122-acceptable-method-of-verification) (4) if the individual is the same person as verified by the CA in connection with the Applicant's previously issued and currently valid EV Certificate; -2. The Applicant's Place of Business under [Section 11.4.1](#1141-address-of-applicants-place-of-business); -3. The Applicant's Verified Method of Communication required by [Section 11.5](#115-verified-method-of-communication) but still MUST perform the verification required by [Section 11.5.2](#1152-acceptable-methods-of-verification) (B); -4. The Applicant's Operational Existence under [Section 11.6](#116-verification-of-applicants-operational-existence); -5. The Name, Title, Agency and Authority of the Contract Signer, and Certificate Approver, under [Section 11.8](#118-verification-of-name-title-and-authority-of-contract-signer-and-certificate-approver); and -6. The Applicant's right to use the specified Domain Name under [Section 11.7](#117-verification-of-applicants-domain-name), provided that the CA verifies that the WHOIS record still shows the same registrant as when the CA verified the specified Domain Name for the initial EV Certificate. - -### 11.14.2. 
Re-issuance Requests - -A CA may rely on a previously verified certificate request to issue a replacement certificate, so long as the certificate being referenced was not revoked due to fraud or other illegal conduct, if: - -1. The expiration date of the replacement certificate is the same as the expiration date of the EV Certificate that is being replaced, and -2. The Subject Information of the Certificate is the same as the Subject in the EV Certificate that is being replaced. - -### 11.14.3. Age of Validated Data - -1. Except for reissuance of an EV Certificate under [Section 11.14.2](#11142-re-issuance-requests) and except when permitted otherwise in [Section 11.14.1](#11141-validation-for-existing-subscribers), the age of all data used to support issuance of an EV Certificate (before revalidation is required) SHALL NOT exceed the following limits: - - A. Legal existence and identity – 398 days; - B. Assumed name – 398 days; - C. Address of Place of Business – 398 days; - D. Verified Method of Communication – 398 days; - E. Operational existence – 398 days; - F. Domain Name – 398 days; - G. Name, Title, Agency, and Authority – 398 days, unless a contract between the CA and the Applicant specifies a different term, in which case, the term specified in such contract controls. For example, the contract MAY include the perpetual assignment of EV roles until revoked by the Applicant or CA, or until the contract expires or is terminated. - -2. The 398-day period set forth above SHALL begin to run on the date the information was collected by the CA. -3. 
The CA MAY reuse a previously submitted EV Certificate Request, Subscriber Agreement, or Terms of Use, including use of a single EV Certificate Request in support of multiple EV Certificates containing the same Subject to the extent permitted under [Section 11.9](#119-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests) and [Section 11.10](#1110-verification-of-approval-of-ev-certificate-request). -4. The CA MUST repeat the verification process required in these Guidelines for any information obtained outside the time limits specified above except when permitted otherwise under [Section 11.14.1](#11141-validation-for-existing-subscribers). - -# 12. Certificate Issuance by a Root CA - -Certificate issuance by the Root CA SHALL require an individual authorized by the CA (i.e. the CA system operator, system officer, or PKI administrator) to deliberately issue a direct command in order for the Root CA to perform a certificate signing operation. - -Root CA Private Keys MUST NOT be used to sign EV Certificates. - -# 13. Certificate Revocation and Status Checking - -The requirements in Section 4.9 of the Baseline Requirements apply equally to EV Certificates. - -# 14. Employee and third party issues - -## 14.1. Trustworthiness and Competence - -### 14.1.1. Identity and Background Verification - -Prior to the commencement of employment of any person by the CA for engagement in the EV Processes, whether as an employee, agent, or an independent contractor of the CA, the CA MUST: - -1. **Verify the Identity of Such Person**: Verification of identity MUST be performed through: - - A. The personal (physical) presence of such person before trusted persons who perform human resource or security functions, and - B. The verification of well-recognized forms of government-issued photo identification (e.g., passports and/or drivers licenses); - - and - -2. 
**Verify the Trustworthiness of Such Person**: Verification of trustworthiness SHALL include background checks, which address at least the following, or their equivalent: - - A. Confirmation of previous employment, - B. Check of professional references; - C. Confirmation of the highest or most-relevant educational qualification obtained; - D. Search of criminal records (local, state or provincial, and national) where allowed by the jurisdiction in which the person will be employed; - - and - -3. In the case of employees already in the employ of the CA at the time of adoption of these Guidelines whose identity and background has not previously been verified as set forth above, the CA SHALL conduct such verification within three months of the date of adoption of these Guidelines. - -### 14.1.2. Training and Skills Level - -The requirements in Section 5.3.3 of the Baseline Requirements apply equally to EV Certificates and these Guidelines. The required internal examination must relate to the EV Certificate validation criteria outlined in these Guidelines. - -### 14.1.3. Separation of Duties - -1. The CA MUST enforce rigorous control procedures for the separation of validation duties to ensure that no one person can single-handedly validate and authorize the issuance of an EV Certificate. The Final Cross-Correlation and Due Diligence steps, as outlined in [Section 11.13](#1113-final-cross-correlation-and-due-diligence), MAY be performed by one of the persons. For example, one Validation Specialist MAY review and verify all the Applicant information and a second Validation Specialist MAY approve issuance of the EV Certificate. -2. Such controls MUST be auditable. - -## 14.2. Delegation of Functions to Registration Authorities and Subcontractors - -### 14.2.1. 
General - -The CA MAY delegate the performance of all or any part of a requirement of these Guidelines to an Affiliate or a Registration Authority (RA) or subcontractor, provided that the process employed by the CA fulfills all of the requirements of [Section 11.13](#1113-final-cross-correlation-and-due-diligence). -Affiliates and/or RAs must comply with the qualification requirements of [Section 14.1](#141-trustworthiness-and-competence). - -The CA SHALL verify that the Delegated Third Party's personnel involved in the issuance of a Certificate meet the training and skills requirements of [Section 14](#14-employee-and-third-party-issues) and the document retention and event logging requirements of [Section 15](#15-data-records). - -### 14.2.2. Enterprise RAs - -The CA MAY contractually authorize a Subscriber to perform the RA function and authorize the CA to issue additional EV Certificates. In such case, the Subscriber SHALL be considered an Enterprise RA, and the following requirements SHALL apply: - -1. In all cases, the Subscriber MUST be an organization verified by the CA in accordance with these Guidelines; -2. The CA MUST impose these limitations as a contractual requirement with the Enterprise RA and monitor compliance by the Enterprise RA; and -3. The Final Cross-Correlation and Due Diligence requirements of [Section 11.13](#1113-final-cross-correlation-and-due-diligence) MAY be performed by a single person representing the Enterprise RA. - -Enterprise RAs that authorize the issuance of EV Certificates solely for its own organization are exempted from the audit requirements of [Section 17.1](#171-eligible-audit-schemes). In all other cases, the requirements of [Section 17.1](#171-eligible-audit-schemes) SHALL apply. - -### 14.2.3. 
Guidelines Compliance Obligation - -In all cases, the CA MUST contractually obligate each Affiliate, RA, subcontractor, and Enterprise RA to comply with all applicable requirements in these Guidelines and to perform them as required of the CA itself. The CA SHALL enforce these obligations and internally audit each Affiliate's, RA's, subcontractor's, and Enterprise RA's compliance with these Requirements on an annual basis. - -### 14.2.4. Allocation of Liability - -As specified in Section 9.8 of the Baseline Requirements. - -# 15. Data Records - -As specified in Section 5.4 of the Baseline Requirements. - -# 16. Data Security - -As specified in Section 5 of the Baseline Requirements. In addition, systems used to process and approve EV Certificate Requests MUST require actions by at least two trusted persons before creating an EV Certificate. - -# 17. Audit - -## 17.1. Eligible Audit Schemes - -A CA issuing EV Certificates SHALL undergo an audit in accordance with one of the following schemes: - -i. WebTrust Program for CAs audit and WebTrust EV Program audit, -ii. ETSI TS 102 042 audit for EVCP, or -iii. ETSI EN 319 411-1 audit for EVCP policy. - -If the CA is a Government Entity, an audit of the CA by the appropriate internal government auditing agency is acceptable in lieu of the audits specified above, provided that such internal government auditing agency publicly certifies in writing that its audit addresses the criteria specified in one of the above audit schemes and certifies that the government CA has successfully passed the audit. - -EV audits MUST cover all CA obligations under these Guidelines regardless of whether they are performed directly by the CA or delegated to an RA or subcontractor. - -## 17.2. Audit Period - -CAs issuing EV Certificates MUST undergo an annual audit that meets the criteria of [Section 17.1](#171-eligible-audit-schemes). 
- -## 17.3 Audit Record - -CAs SHOULD make its audit report publicly available no later than three months after the end of the audit period. If there is a delay greater than three months and if so requested by an Application Software Supplier, the CA MUST provide an explanatory letter signed by its auditor. - -## 17.4. Pre-Issuance Readiness Audit - -1. If the CA has a currently valid WebTrust Seal of Assurance for CAs, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against the WebTrust EV Program. -2. If the CA has a currently valid ETSI 102 042 audit, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against ETSI TS 102 042. -3. If the CA has a currently valid ETSI EN 319 411-1 audit for EVCP policy, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against ETSI EN 319 411-1 for EVCP. -4. If the CA does not have a currently valid WebTrust Seal of Assurance for CAs or an ETSI TS 102 042 EVCP audit or an ETSI EN 319 411-1 audit for EVCP policy, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete either: - i. a point-in-time readiness assessment audit against the WebTrust for CA Program, or - ii. a point-in-time readiness assessment audit against the WebTrust EV Program, the ETSI TS 102 042 EVCP, or the ETSI EN 319 411-1 for EVCP policy. - -The CA MUST complete any required point-in-time readiness assessment no earlier than twelve (12) months prior to issuing an EV Certificate. The CA MUST undergo a complete audit under such scheme within ninety (90) days of issuing the first EV Certificate. - -## 17.5. 
Regular Self Audits - -During the period in which it issues EV Certificates, the CA MUST strictly control its service quality by performing ongoing self audits against a randomly selected sample of at least three percent of the EV Certificates it has issued in the period beginning immediately after the last sample was taken. For all EV Certificates where the Final Cross-Correlation and Due Diligence requirements of [Section 11.13](#1113-final-cross-correlation-and-due-diligence) is performed by an RA, the CA MUST strictly control its service quality by performing ongoing self audits against a randomly selected sample of at least six percent of the EV Certificates it has issued in the period beginning immediately after the last sample was taken. - -## 17.6. Auditor Qualification - -A Qualified Auditor (as defined in Section 8.2 of the Baseline Requirements) MUST perform the CA's audit. - -## 17.7. Root CA Key Pair Generation - -All requirements in Section 6.1.1.1 of the Baseline Requirements apply equally to EV Certificates. However, for Root CA Key Pairs generated after the release of these Guidelines, the Root CA Key Pair generation ceremony MUST be witnessed by the CA's Qualified Auditor in order to observe the process and the controls over the integrity and confidentiality of the Root CA Key Pairs produced. The Qualified Auditor MUST then issue a report opining that the CA, during its Root CA Key Pair and Certificate generation process: - - 1. Documented its Root CA key generation and protection procedures in its Certificate Policy, and its Certification Practices Statement; - 2. Included appropriate detail in its Root Key Generation Script; - 3. Maintained effective controls to provide reasonable assurance that the Root CA key pair was generated and protected in conformity with the procedures described in its CP/CPS and with its Root Key Generation Script; - 4. 
Performed, during the Root CA key generation process, all the procedures required by its Root Key Generation Script. - -# 18. Liability and Indemnification - -CAs MAY limit their liability as described in Section 9.8 of the Baseline Requirements except that a CA MUST NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than two thousand US dollars per Subscriber or Relying Party per EV Certificate. - -A CA's indemnification obligations and a Root CA's obligations with respect to subordinate CAs are set forth in Section 9.9 of the Baseline Requirements. - -# Appendix A - User Agent Verification (Normative) - -The CA MUST host test Web pages that allow Application Software Suppliers to test their software with EV Certificates that chain up to each EV Root Certificate. At a minimum, the CA MUST host separate Web pages using certificates that are: - - i. valid; - ii. revoked; and - iii. expired. - -# Appendix B - Sample Attorney Opinions Confirming Specified Information - -**(Informative)** - -[Law Firm Letterhead] - -[Date] - -| To: | **(Name of Issuing Certification Authority)(Address / fax number of Issuing CA – may be sent by fax or email attachment)** | -| --- | --- | -| Re: | **EV Certificate Request No. (CA Reference Number)** | -| Client: | **(Exact company name of Client – see footnote 1)** | -| Client Representative: | **(Exact name of Client Representative who signed the Application – see footnote 2)** | -| Application Date: | **(Insert date of Client's Application to the Issuing CA)** | - -This firm represents _[__exact__ company name of Client]_ [^1] ("Client"), who has submitted the Application to you dated as of the Application Date shown above ("Application"). We have been asked by our Client to present you with our opinion as stated in this letter. - -[Insert customary preliminary matters for opinion letters in your jurisdiction.] 
- -On this basis, we hereby offer the following opinion: - -1. That [exact company name of Client] ("Company") is a duly formed [corporation, LLC, etc.] that is "active," "valid," "current," or the equivalent under the laws of the state/province of [name of governing jurisdiction where Client is incorporated or registered] and is not under any legal disability known to the author of this letter. - -2. That Company conducts business under the assumed name or "DBA"_[assumed name of the Applicant]_ and has registered such name with the appropriate government agency in the jurisdiction of its place of business below. - -3. That _[name of Client's Representative]_[^2] has authority to act on behalf of Company to: [_select as appropriate_] (a) provide the information about Company required for issuance of the EV Certificates as contained in the attached Application, (b) request one or more EV Certificates and to designate other persons to request EV Certificates, and (c) agree to the relevant contractual obligations contained in the Subscriber Agreement on behalf of Company. - -4. That Company has a physical presence and its place of business is at the following location: - - \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ - \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ - \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ - -5. That Company can be contacted at its stated place of business at the following telephone number: - - \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ - -6. That Company has an active current Demand Deposit Account with a regulated financial institution. - -7. That Company has the right to use the following Domain Name in identifying itself on the Internet: - - \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ - -Insert customary limitations and disclaimers for opinion letters in your jurisdiction. 
- -(Name and signature) - -_[Jurisdiction(s) in which attorney / Latin notary is admitted to practice]_[^3] - -cc: [Send copy to Client_]_ - -[^1]: This must be the Client's exact corporate name, as registered with the relevant Incorporating Agency in the Client's Jurisdiction of Incorporation. This is the name that will be included in the EV Certificate. - -[^2]: If necessary to establish the Client Representative's actual authority, you may rely on a Power of Attorney from an officer of Client who has authority to delegate the authority to the Client Representative. - -[^3]: This letter may be issued by in-house counsel for the Client so long as permitted by the rules of your jurisdiction. - -# Appendix C - Sample Accountant Letters Confirming Specified Information - -**(Informative)** - -It is acceptable for professional accountants to provide letters that address specified matters. The letters would be provided in accordance with the professional standards in the jurisdiction in which the accountant practices. - -Two examples of the letter that might be prepared by an accountant in the United States and in Canada follow: - -## UNITED STATES - -To the [Certification Authority] and Management of [Client]: - -We have performed the procedures enumerated below, which were agreed to by the Managements of Client, solely to assist you in evaluating the company's application for an Extended Validation (EV) Certificate, dated......................., 20...... This agreed-upon procedures engagement was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. The sufficiency of these procedures is solely the responsibility of those parties specified in this report. Consequently, we make no representation regarding the sufficiency of the procedures described below either for the purpose for which this report has been requested or for any other purpose. 
- -| Specified Information: | Procedure:(Note 1: These are illustrative of the procedures that would be undertaken and are designed to meet the needs of the Certification Authorities issuing Extended Validation Certificates) | Results: (Note 2: If you are unavailable to perform any of the stated procedure, this should be noted in this column. Any exceptions should be noted in a separate paragraph below) | -| --- | --- | --- | -| | | | -| Legal Name - 123456 Delaware corporation | Agree legal name to permanent audit file information (If audit has been completed). | Legal name on the application agrees with the information contained in our permanent file with respect to Client.(If there is no permanent file, state this fact) | -| | | | -| Doing business as - "Name" | Agree name to government data base of business names | The name "Name" is registered with the (name of database to which the name was agreed) | -| | | | -| Physical location - "Address Information" | Visit the location at the address | Site visit completed at Address | -| | | | -| Business Phone Number - 555 999 9999 | Phone the number provided and confirm that it was answered by the named organization | Phoned Business Number and noted that it was answered with the Doing Business As name. 
This would provided by the receptionist | -| | | | -| Bank Account – "Bank Name", "Account Number" | Request a letter directly from "the Bank" confirming the existence of the account for the benefit of "the Client" | Received letter directly from "the Bank" confirming the existence of the account for the benefit of "the Client" | -| | | | -| The corporate officers are "NAMED" (verified officer) | Agree Names to annual shareholders meeting minutes (Note - not required to personally know the officers) | Agreed Names listed as corporate officers on the application to minute books maintained by the Client | -| | | | -| Name of application signer and approver | Obtain letter from verified Officer confirming the names of the application signer and approver | Obtained letter from the President confirming the names of the duly authorized names of the application signer and approver as they appear in the application | - -We were not engaged to and did not conduct an examination, the objective of which would be the expression of an opinion on the Application for Extended Validation Certificate. Accordingly, we do not express such an opinion. Had we performed additional procedures, other matters might have come to our attention that would have been reported to you. - -This report is intended solely for the information and use of the Certification Authority and managements of Client, and is not intended to be and should not be used by anyone other than these specified parties. - -[Signature] - -[Date] - -## CANADA - -To: [Name of Certification Authority] - -Re: Client Limited [Applicant] - -As specifically agreed, I/we have performed the following procedures in connection with the above company's application for an Extended Validation (EV) Certificate, dated ......................., 20.... 
with respect to the following specified information contained in the application - -| Specified Information: | Procedure:(Note 1: These are illustrative of the procedures that would be undertaken and are designed to meet the needs of the Certification Authorities issuing Extended Validation Certificates) | Results: (Note 2: If you are unavailable to perform any of the stated procedure, this should be noted in this column. Any exceptions should be noted in a separate paragraph below) | -| --- | --- | --- | -| | | | -| Legal Name - 123456 Ontario limited | Agree legal name to permanent audit file information (If audit has been completed) | Legal name on the application agrees with the information contained in our permanent file with respect to Client.(If there is no permanent file, state this fact) | -| | | | -| Doing business as - "Name" | Agree name to government data base of business names | The name "Name" is registered with the (name of database to which the name was agreed) | -| | | | -| Physical location - "Address Information" | Visit the location at the address | Site visit completed at Address | -| | | | -| Business Phone Number - 555 999 9999 | Phone the number provided and confirm that it was answered by the named organization | Phoned Business Number and noted that it was answered with the Doing Business As name. 
This would provided by the receptionist | -| | | | -| Bank Account – "Bank Name", "Account Number" | Request a letter directly from "the Bank" confirming the existence of the account for the benefit of "the Client" | Received letter directly from "the Bank" confirming the existence of the account for the benefit of "the Client" | -| | | | -| The corporate officers are "NAMED" (verified officer) | Agree Names to annual shareholders meeting minutes (Note - not required to personally know the officers) | Agreed Names listed as corporate officers on the application to minute books maintained by the Client | -| | | | -| Name of application signer and approver | Obtain letter from verified Officer confirming the names of the application signer and approver | Obtained letter from the President confirming the names of the duly authorized names of the application signer and approver as they appear in the application | - -As a result of applying the above procedures, I/we found [no / the following] exceptions [list of exceptions]. However, these procedures do not constitute an audit of the company's application for an EV Certificate, and therefore I express no opinion on the application dated ......................., 20..... - -This letter is for use solely in connection with the application for an Extended Validation Certificate by [Client] dated ......................., 20...... - -City - -(signed) ...................................... - -# Appendix D - Country-Specific Interpretative Guidelines (Normative) - -NOTE: This appendix provides alternative interpretations of the EV Guidelines for countries that have a language, cultural, technical, or legal reason for deviating from a strict interpretation of the EV Guidelines. More specific information for particular countries may be added to this appendix in the future. - -## 1. Organization Names - -1. 
Non-Latin Organization Name - - Where an EV Applicant's organization name is not registered with a QGIS in _Latin_ characters and the Applicant's foreign character organization name and registration have been verified with a QGIS in accordance with these Guidelines, a CA MAY include a Latin character organization name in the EV Certificate. In such a case, the CA MUST follow the procedures laid down in this section. - -2. Romanized Names - - In order to include a transliteration/Romanization of the registered name, the Romanization MUST be verified by the CA using a system officially recognized by the Government in the Applicant's Jurisdiction of Incorporation. - - If the CA can not rely on a transliteration/Romanization of the registered name using a system officially recognized by the Government in the Applicant's Jurisdiction of Incorporation, then it MUST rely on one of the options below, in order of preference: - - A. A system recognized by the International Organization for Standardization (ISO); - B. A system recognized by the United Nations; or - C. A Lawyer's Opinion or Accountant's Letter confirming the proper Romanization of the registered name. - -3. Translated Name - - In order to include a Latin character name in the EV certificate that is not a direct Romanization of the registered name (e.g. an English Name) the CA MUST verify that the Latin character name is: - - A. Included in the Articles of Incorporation (or equivalent document) filed as part of the organization registration; or - B. Recognized by a QTIS in the Applicant's Jurisdiction of Incorporation as the Applicant's recognized name for tax filings; or - C. Confirmed with a QIIS to be the name associated with the registered organization; or - D. Confirmed by a Verified Legal Opinion or Accountant's Letter to be a translated trading name associated with the registered organization. - -### Country-Specific Procedures - -#### D-1. 
Japan - -As interpretation of the procedures set out above: - -1. Organization Names - - A. The Revised Hepburn method of Romanization, as well as Kunrei-shiki and Nihon-shiki methods described in ISO 3602, are acceptable for Japanese Romanizations. - B. The CA MAY verify the Romanized transliteration, language translation (e.g. English name), or other recognized Roman-letter substitute of the Applicant's formal legal name with either a QIIS, Verified Legal Opinion, or Verified Accountant Letter. - C. The CA MAY use the Financial Services Agency to verify a Romanized, translated, or other recognized Roman-letter substitute name. When used, the CA MUST verify that the translated English is recorded in the audited Financial Statements. - D. When relying on Articles of Incorporation to verify a Romanized, translated, or other recognized Roman-letter substitute name, the Articles of Incorporation MUST be accompanied either: by a document, signed with the original Japanese Corporate Stamp, that proves that the Articles of Incorporation are authentic and current, or by a Verified Legal Opinion or a Verified Accountant Letter. The CA MUST verify the authenticity of the Corporate Stamp. - E. A Romanized, translated, or other recognized Roman-lettered substitute name confirmed in accordance with this [Appendix D-1](#d-1-japan) stored in the ROBINS database operated by JIPDEC MAY be relied upon by a CA for determining the allowed organization name during any issuance or renewal process of an EV Certificate without the need to re-perform the above procedures. - -2. Accounting Practitioner - - In Japan: - - A. Accounting Practitioner includes either a certified public accountant (公認会計士 - Konin-kaikei-shi) or a licensed tax accountant (税理士 – Zei-ri-shi). - B. 
The CA MUST verify the professional status of the Accounting Practitioner through direct contact with the relevant local member association that is affiliated with either the Japanese Institute of Certified Public Accountants ([http://www.hp.jicpa.or.jp](http://www.hp.jicpa.or.jp/)), the Japan Federation of Certified Tax Accountant's Associations ([http://www.nichizeiren.or.jp](http://www.nichizeiren.or.jp/)), or any other authoritative source recognized by the Japanese Ministry of Finance ([http://www.mof.go.jp](http://www.mof.go.jp/)) as providing the current registration status of such professionals. - -3. Legal Practitioner - - In Japan: - - A. Legal Practitioner includes any of the following: - - - a licensed lawyer (弁護士 - Ben-go-shi), - - a judicial scrivener (司法書士 - Shiho-sho-shi lawyer), - - an administrative solicitor (行政書士 - Gyosei-sho-shi Lawyer), - - or a notary public (公証人 - Ko-sho-nin). - - For purposes of the EV Guidelines, a Japanese Notary Public is considered equivalent to a Latin Notary. - - B. The CA MUST verify the professional status of the Legal Practitioner by direct contact through the relevant local member association that is affiliated with one of the following national associations: - - - the Japan Federation of Bar Associations ([http://www.nichibenren.or.jp](http://www.nichibenren.or.jp/)), - - the Japan Federation of Shiho-Shoshi Lawyer's Associations ([http://www.shiho-shoshi.or.jp](http://www.shiho-shoshi.or.jp/)), - - the Japan Federation of Administrative Solicitors ([http://www.gyosei.or.jp](http://www.gyosei.or.jp/)), - - the Japan National Notaries Association ([http://www.koshonin.gr.jp](http://www.koshonin.gr.jp/)), or - - any other authoritative source recognized by the Japanese Ministry of Justice ([http://www.moj.go.jp](http://www.moj.go.jp/)) as providing the current registration status of such professionals. 
- -# Appendix E - Sample Contract Signer's Representation/Warranty (Informative) - -A CA may rely on the Contract Signer's authority to enter into the Subscriber Agreement using a representation/warranty executed by the Contract Signer. An example of an acceptable warranty is as follows: - -[CA] and Applicant are entering into a legally valid and enforceable Subscriber Agreement that creates extensive obligations on Applicant. An EV Certificate serves as a form of digital identity for Applicant. The loss or misuse of this identity can result in great harm to the Applicant. By signing this Subscriber Agreement, the contract signer acknowledges that they have the authority to obtain the digital equivalent of a company stamp, seal, or (where applicable) officer's signature to establish the authenticity of the company's website, and that [Applicant name] is responsible for all uses of its EV Certificate. By signing this Agreement on behalf of [Applicant name], the contract signer represents that the contract signer - - i. is acting as an authorized representative of [Applicant name], - ii. is expressly authorized by [Applicant name] to sign Subscriber Agreements and approve EV Certificate requests on Applicant's behalf, and - iii. has confirmed Applicant's right to use the domain(s) to be included in EV Certificates. - -# Appendix F – Unused - -This appendix is intentionally left blank. - -# Appendix G – Abstract Syntax Notation One module for EV certificates - -```ASN.1 -CABFSelectedAttributeTypes { - joint‐iso‐itu‐t(2) international‐organizations(23) - ca‐browser‐forum(140) module(4) - cabfSelectedAttributeTypes(1) 1 } -DEFINITIONS ::= -BEGIN --- EXPORTS All -IMPORTS - -- from Rec. 
ITU-T X.501 | ISO/IEC 9594-2 - selectedAttributeTypes, ID, ldap-enterprise - FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1) - usefulDefinitions(0) 7} - - -- from the X.500 series - ub-locality-name, ub-state-name - FROM UpperBounds {joint-iso-itu-t ds(5) module(1) upperBounds(10) 7} - - -- from Rec. ITU-T X.520 | ISO/IEC 9594-6 - DirectoryString{}, CountryName - FROM SelectedAttributeTypes selectedAttributeTypes; - -id-evat-jurisdiction ID ::= {ldap-enterprise 311 ev(60) 2 1} -id-evat-jurisdiction-localityName ID ::= {id-evat-jurisdiction 1} -id-evat-jurisdiction-stateOrProvinceName ID ::= {id-evat-jurisdiction 2} -id-evat-jurisdiction-countryName ID ::= {id-evat-jurisdiction 3} - -jurisdictionLocalityName ATTRIBUTE ::= { - SUBTYPE OF name - WITH SYNTAX DirectoryString{ub-locality-name} - LDAP-SYNTAX directoryString.&id - LDAP-NAME {"jurisdictionL"} - ID id-evat-jurisdiction-localityName } - -jurisdictionStateOrProvinceName ATTRIBUTE ::= { - SUBTYPE OF name - WITH SYNTAX DirectoryString{ub-state-name} - LDAP-SYNTAX directoryString.&id - LDAP-NAME {"jurisdictionST"} - ID id-evat-jurisdiction-stateOrProvinceName } - -jurisdictionCountryName ATTRIBUTE ::= { - SUBTYPE OF name - WITH SYNTAX CountryName - SINGLE VALUE TRUE - LDAP-SYNTAX countryString.&id - LDAP-NAME {"jurisdictionC"} - ID id-evat-jurisdiction-countryName } - -END -``` - -# Appendix H – Registration Schemes - -The following Registration Schemes are currently recognized as valid under these -guidelines: - -* **NTR**: - - The information carried in this field shall be the same as held in - Subject Registration Number Field as specified in - [Section 9.2.5](#925-subject-registration-number-field) and the country code - used in the Registration Scheme identifier shall match that of the - subject’s jurisdiction as specified in - [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field). 
- - Where the Subject Jurisdiction of Incorporation or Registration Field in 9.2.4 - includes more than the country code, the additional locality information shall - be included as specified in [Section 9.2.8](#928-subject-organization-identifier-field) - and/or [Section 9.8.2](#982-cabrowser-forum-organization-identifier-extension). - -* **VAT**: - - Reference allocated by the national tax authorities to a Legal Entity. This - information shall be validated using information provided by the national tax - authority against the organization as identified by the Subject Organization - Name Field (see [Section 9.2.1](#921-subject-organization-name-field)) and - Subject Registration Number Field (see - Section 9.2.5](#925-subject-registration-number-field)) within the context of - the subject’s jurisdiction as specified in - [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field). - -* **PSD**: - - Authorization number as specified in ETSI TS 119 495 clause 4.4 - allocated to a payment service provider and containing the information as - specified in ETSI TS 119 495 clause 5.2.1. This information SHALL be - obtained directly from the national competent authority register for - payment services or from an information source approved by a government - agency, regulatory body, or legislation for this purpose. This information - SHALL be validated by being matched directly or indirectly (for example, by - matching a globally unique registration number) against the organization as - identified by the Subject Organization Name Field (see - [Section 9.2.1](#921-subject-organization-name-field)) and - Subject Registration Number Field (see - [Section 9.2.5](#925-subject-registration-number-field)) within the context of - the subject’s jurisdiction as specified in - [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field). 
- The stated address of the organization combined with the organization name - SHALL NOT be the only information used to disambiguate the organization. +# 1. INTRODUCTION +## 1.1 Overview +## 1.2 Document name and identification +## 1.3 PKI participants +### 1.3.1 Certification authorities +### 1.3.2 Registration authorities +### 1.3.3 Subscribers +### 1.3.4 Relying parties +### 1.3.5 Other participants +## 1.4 Certificate usage +### 1.4.1 Appropriate certificate uses +### 1.4.2 Prohibited certificate uses +## 1.5 Policy administration +### 1.5.1 Organization administering the document +### 1.5.2 Contact person +### 1.5.3 Person determining CPS suitability for the policy +### 1.5.4 CPS approval procedures +## 1.6 Definitions and acronyms +# 2. PUBLICATION AND REPOSITORY RESPONSIBILITIES +## 2.1 Repositories +## 2.2 Publication of certification information +## 2.3 Time or frequency of publication +## 2.4 Access controls on repositories +# 3. IDENTIFICATION AND AUTHENTICATION (11) +## 3.1 Naming +### 3.1.1 Types of names +### 3.1.2 Need for names to be meaningful +### 3.1.3 Anonymity or pseudonymity of subscribers +### 3.1.4 Rules for interpreting various name forms +### 3.1.5 Uniqueness of names +### 3.1.6 Recognition, authentication, and role of trademarks +## 3.2 Initial identity validation +### 3.2.1 Method to prove possession of private key +### 3.2.2 Authentication of organization identity +### 3.2.3 Authentication of individual identity +### 3.2.4 Non-verified subscriber information +### 3.2.5 Validation of authority +### 3.2.6 Criteria for interoperation +## 3.3 Identification and authentication for re-key requests +### 3.3.1 Identification and authentication for routine re-key +### 3.3.2 Identification and authentication for re-key after revocation +## 3.4 Identification and authentication for revocation request +# 4. 
CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS +## 4.1 Certificate Application +### 4.1.1 Who can submit a certificate application +### 4.1.2 Enrollment process and responsibilities +## 4.2 Certificate application processing +### 4.2.1 Performing identification and authentication functions +### 4.2.2 Approval or rejection of certificate applications +### 4.2.3 Time to process certificate applications +## 4.3 Certificate issuance +### 4.3.1 CA actions during certificate issuance +### 4.3.2 Notification to subscriber by the CA of issuance of certificate +## 4.4 Certificate acceptance +### 4.4.1 Conduct constituting certificate acceptance +### 4.4.2 Publication of the certificate by the CA +### 4.4.3 Notification of certificate issuance by the CA to other entities +## 4.5 Key pair and certificate usage +### 4.5.1 Subscriber private key and certificate usage +### 4.5.2 Relying party public key and certificate usage +## 4.6 Certificate renewal +### 4.6.1 Circumstance for certificate renewal +### 4.6.2 Who may request renewal +### 4.6.3 Processing certificate renewal requests +### 4.6.4 Notification of new certificate issuance to subscriber +### 4.6.5 Conduct constituting acceptance of a renewal certificate +### 4.6.6 Publication of the renewal certificate by the CA +### 4.6.7 Notification of certificate issuance by the CA to other entities +## 4.7 Certificate re-key +### 4.7.1 Circumstance for certificate re-key +### 4.7.2 Who may request certification of a new public key +### 4.7.3 Processing certificate re-keying requests +### 4.7.4 Notification of new certificate issuance to subscriber +### 4.7.5 Conduct constituting acceptance of a re-keyed certificate +### 4.7.6 Publication of the re-keyed certificate by the CA +### 4.7.7 Notification of certificate issuance by the CA to other entities +## 4.8 Certificate modification +### 4.8.1 Circumstance for certificate modification +### 4.8.2 Who may request certificate modification +### 4.8.3 Processing certificate 
modification requests +### 4.8.4 Notification of new certificate issuance to subscriber +### 4.8.5 Conduct constituting acceptance of modified certificate +### 4.8.6 Publication of the modified certificate by the CA +### 4.8.7 Notification of certificate issuance by the CA to other entities +## 4.9 Certificate revocation and suspension +### 4.9.1 Circumstances for revocation +### 4.9.2 Who can request revocation +### 4.9.3 Procedure for revocation request +### 4.9.4 Revocation request grace period +### 4.9.5 Time within which CA must process the revocation request +### 4.9.6 Revocation checking requirement for relying parties +### 4.9.7 CRL issuance frequency (if applicable) +### 4.9.8 Maximum latency for CRLs (if applicable) +### 4.9.9 On-line revocation/status checking availability +### 4.9.10 On-line revocation checking requirements +### 4.9.11 Other forms of revocation advertisements available +### 4.9.12 Special requirements re key compromise +### 4.9.13 Circumstances for suspension +### 4.9.14 Who can request suspension +### 4.9.15 Procedure for suspension request +### 4.9.16 Limits on suspension period +## 4.10 Certificate status services +### 4.10.1 Operational characteristics +### 4.10.2 Service availability +### 4.10.3 Optional features +## 4.11 End of subscription +## 4.12 Key escrow and recovery +### 4.12.1 Key escrow and recovery policy and practices +### 4.12.2 Session key encapsulation and recovery policy and practices +# 5. 
FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS (11) +## 5.1 Physical controls +### 5.1.1 Site location and construction +### 5.1.2 Physical access +### 5.1.3 Power and air conditioning +### 5.1.4 Water exposures +### 5.1.5 Fire prevention and protection +### 5.1.6 Media storage +### 5.1.7 Waste disposal +### 5.1.8 Off-site backup +## 5.2 Procedural controls +### 5.2.1 Trusted roles +### 5.2.2 Number of persons required per task +### 5.2.3 Identification and authentication for each role +### 5.2.4 Roles requiring separation of duties +## 5.3 Personnel controls +### 5.3.1 Qualifications, experience, and clearance requirements +### 5.3.2 Background check procedures +### 5.3.3 Training requirements +### 5.3.4 Retraining frequency and requirements +### 5.3.5 Job rotation frequency and sequence +### 5.3.6 Sanctions for unauthorized actions +### 5.3.7 Independent contractor requirements +### 5.3.8 Documentation supplied to personnel +## 5.4 Audit logging procedures +### 5.4.1 Types of events recorded +### 5.4.2 Frequency of processing log +### 5.4.3 Retention period for audit log +### 5.4.4 Protection of audit log +### 5.4.5 Audit log backup procedures +### 5.4.6 Audit collection system (internal vs. external) +### 5.4.7 Notification to event-causing subject +### 5.4.8 Vulnerability assessments +## 5.5 Records archival +### 5.5.1 Types of records archived +### 5.5.2 Retention period for archive +### 5.5.3 Protection of archive +### 5.5.4 Archive backup procedures +### 5.5.5 Requirements for time-stamping of records +### 5.5.6 Archive collection system (internal or external) +### 5.5.7 Procedures to obtain and verify archive information +## 5.6 Key changeover +## 5.7 Compromise and disaster recovery +### 5.7.1 Incident and compromise handling procedures +### 5.7.2 Computing resources, software, and/or data are corrupted +### 5.7.3 Entity private key compromise procedures +### 5.7.4 Business continuity capabilities after a disaster +## 5.8 CA or RA termination +# 6. 
TECHNICAL SECURITY CONTROLS (11) +## 6.1 Key pair generation and installation +### 6.1.1 Key pair generation +### 6.1.2 Private key delivery to subscriber +### 6.1.3 Public key delivery to certificate issuer +### 6.1.4 CA public key delivery to relying parties +### 6.1.5 Key sizes +### 6.1.6 Public key parameters generation and quality checking +### 6.1.7 Key usage purposes (as per X.509 v3 key usage field) +## 6.2 Private Key Protection and Cryptographic Module Engineering Controls +### 6.2.1 Cryptographic module standards and controls +### 6.2.2 Private key (n out of m) multi-person control +### 6.2.3 Private key escrow +### 6.2.4 Private key backup +### 6.2.5 Private key archival +### 6.2.6 Private key transfer into or from a cryptographic module +### 6.2.7 Private key storage on cryptographic module +### 6.2.8 Method of activating private key +### 6.2.9 Method of deactivating private key +### 6.2.10 Method of destroying private key +### 6.2.11 Cryptographic Module Rating +## 6.3 Other aspects of key pair management +### 6.3.1 Public key archival +### 6.3.2 Certificate operational periods and key pair usage periods +## 6.4 Activation data +### 6.4.1 Activation data generation and installation +### 6.4.2 Activation data protection +### 6.4.3 Other aspects of activation data +## 6.5 Computer security controls +### 6.5.1 Specific computer security technical requirements +### 6.5.2 Computer security rating +## 6.6 Life cycle technical controls +### 6.6.1 System development controls +### 6.6.2 Security management controls +### 6.6.3 Life cycle security controls +## 6.7 Network security controls +## 6.8 Time-stamping +# 7. 
CERTIFICATE, CRL, AND OCSP PROFILES +## 7.1 Certificate profile +### 7.1.1 Version number(s) +### 7.1.2 Certificate extensions +### 7.1.3 Algorithm object identifiers +### 7.1.4 Name forms +### 7.1.5 Name constraints +### 7.1.6 Certificate policy object identifier +### 7.1.7 Usage of Policy Constraints extension +### 7.1.8 Policy qualifiers syntax and semantics +### 7.1.9 Processing semantics for the critical Certificate Policies extension +## 7.2 CRL profile +### 7.2.1 Version number(s) +### 7.2.2 CRL and CRL entry extensions +## 7.3 OCSP profile +### 7.3.1 Version number(s) +### 7.3.2 OCSP extensions +# 8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS +## 8.1 Frequency or circumstances of assessment +## 8.2 Identity/qualifications of assessor +## 8.3 Assessor's relationship to assessed entity +## 8.4 Topics covered by assessment +## 8.5 Actions taken as a result of deficiency +## 8.6 Communication of results +# 9. OTHER BUSINESS AND LEGAL MATTERS +## 9.1 Fees +### 9.1.1 Certificate issuance or renewal fees +### 9.1.2 Certificate access fees +### 9.1.3 Revocation or status information access fees +### 9.1.4 Fees for other services +### 9.1.5 Refund policy +## 9.2 Financial responsibility +### 9.2.1 Insurance coverage +### 9.2.2 Other assets +### 9.2.3 Insurance or warranty coverage for end-entities +## 9.3 Confidentiality of business information +### 9.3.1 Scope of confidential information +### 9.3.2 Information not within the scope of confidential information +### 9.3.3 Responsibility to protect confidential information +## 9.4 Privacy of personal information +### 9.4.1 Privacy plan +### 9.4.2 Information treated as private +### 9.4.3 Information not deemed private +### 9.4.4 Responsibility to protect private information +### 9.4.5 Notice and consent to use private information +### 9.4.6 Disclosure pursuant to judicial or administrative process +### 9.4.7 Other information disclosure circumstances +## 9.5 Intellectual property rights +## 9.6 Representations and 
warranties +### 9.6.1 CA representations and warranties +### 9.6.2 RA representations and warranties +### 9.6.3 Subscriber representations and warranties +### 9.6.4 Relying party representations and warranties +### 9.6.5 Representations and warranties of other participants +## 9.7 Disclaimers of warranties +## 9.8 Limitations of liability +## 9.9 Indemnities +## 9.10 Term and termination +### 9.10.1 Term +### 9.10.2 Termination +### 9.10.3 Effect of termination and survival +## 9.11 Individual notices and communications with participants +## 9.12 Amendments +### 9.12.1 Procedure for amendment +### 9.12.2 Notification mechanism and period +### 9.12.3 Circumstances under which OID must be changed +## 9.13 Dispute resolution provisions +## 9.14 Governing law +## 9.15 Compliance with applicable law +## 9.16 Miscellaneous provisions +### 9.16.1 Entire agreement +### 9.16.2 Assignment +### 9.16.3 Severability +### 9.16.4 Enforcement (attorneys' fees and waiver of rights) +### 9.16.5 Force Majeure +## 9.17 Other provisions From 144a4146007da70fa498c2522ea851e9f5fde93e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Wed, 7 Jun 2023 15:02:12 -0700 Subject: [PATCH 03/48] Update EVG.md --- docs/EVG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index 5b8495ba..2999d19d 100644 --- a/docs/EVG.md +++ b/docs/EVG.md @@ -3,9 +3,9 @@ title: Guidelines for the Issuance and Management of Extended Validation Certifi subtitle: Version 2.0.0 author: - CA/Browser Forum -date: 30 November, 2022 +date: 8 June, 2023 copyright: | - Copyright 2022 CA/Browser Forum + Copyright 2023 CA/Browser Forum This work is licensed under the Creative Commons Attribution 4.0 International license. --- From bda87f7632baa8effc307b7b759376a2044cc8f6 Mon Sep 17 00:00:00 2001 
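Review bot: the hunk that rewrites docs/EVG.md removes normative content without giving it a destination. The `-` lines drop Appendix D (Country-Specific Interpretative Guidelines, labelled Normative, including the Japan procedures), the Appendix G ASN.1 module `CABFSelectedAttributeTypes` that defines `jurisdictionLocalityName`, `jurisdictionStateOrProvinceName` and `jurisdictionCountryName` under `{ldap-enterprise 311 ev(60) 2 1}`, and the Appendix H Registration Schemes (NTR, VAT, PSD), while the `+` side is only the bare RFC 3647 heading skeleton with no appendix headings at all. If the restructure lands in several commits, keep the appendices in this file until the new home exists, or state in the commit message where they move, so that the OIDs and schemes the certificate profile depends on are never absent from the effective document. Two smaller points for when the text is ported: the markers "(11)" in "# 3. IDENTIFICATION AND AUTHENTICATION (11)", "# 5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS (11)" and "# 6. TECHNICAL SECURITY CONTROLS (11)" read like working notes about the old EVG Section 11 and should not ship in the heading text; and the removed Appendix H carries cross-references such as "[Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field)" plus one broken link, "Section 9.2.5](#925-subject-registration-number-field)" with its opening bracket missing, all of which now collide with the new "9.2 Financial responsibility" section and need remapping to the new numbering. The removed Appendix C sample letter also has the typo "This would provided by the receptionist", worth fixing in the same port.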
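Review bot: the front-matter change in docs/EVG.md (`-date: 30 November, 2022` / `+date: 8 June, 2023`, and the copyright year bump) is not tied to a ballot. The unchanged context shows `subtitle: Version 2.0.0`, and in this document every version carries a Document History row with a ballot number, adoption date and effective date; no such row is added here, and "8 June, 2023" is one day after the commit date, so it looks like the editing date rather than an effective date. Either add the matching 2.0.0 history row and use that ballot's effective date, or leave the date at the last effective version until the restructuring ballot is adopted. The commit message "Update EVG.md" should also say what changed.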
From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Wed, 7 Jun 2023 15:09:57 -0700 Subject: [PATCH 04/48] Create EVG original --- docs/EVG original | 1740 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1740 insertions(+) create mode 100644 docs/EVG original diff --git a/docs/EVG original b/docs/EVG original new file mode 100644 index 00000000..4f1d5df9 --- /dev/null +++ b/docs/EVG original 
@@ -0,0 +1,1740 @@ +--- +title: Guidelines for the Issuance and Management of Extended Validation Certificates +subtitle: Version 1.8.0 +author: + - CA/Browser Forum +date: 30 November, 2022 +copyright: | + Copyright 2022 CA/Browser Forum + + This work is licensed under the Creative Commons Attribution 4.0 International license. +--- + +# Introduction + +The Guidelines describe an integrated set of technologies, protocols, identity proofing, lifecycle management, and auditing practices specifying the minimum requirements that must be met in order to issue and maintain Extended Validation Certificates ("EV Certificates") concerning an organization. Subject Organization information from valid EV Certificates can then be used in a special manner by certain relying-party software applications (e.g., browser software) in order to provide users with a trustworthy confirmation of the identity of the entity that controls the Web site or other services they are accessing. Although initially intended for use in establishing Web-based data communication conduits via TLS/SSL protocols, extensions are envisioned for S/MIME, time-stamping, VoIP, IM, Web services, etc. + +The primary purposes of Extended Validation Certificates are to: 1) identify the legal entity that controls a Web or service site, and 2) enable encrypted communications with that site. The secondary purposes include significantly enhancing cybersecurity by helping establish the legitimacy of an organization claiming to operate a Web site, and providing a vehicle that can be used to assist in addressing problems related to distributing malware, phishing, identity theft, and diverse forms of online fraud. + +**Notice to Readers** + +The Guidelines for the Issuance and Management of Extended Validation Certificates present criteria established by the CA/Browser Forum for use by certification authorities when issuing, maintaining, and revoking certain digital certificates for use in Internet Web site commerce. 
These Guidelines may be revised from time to time, as appropriate, in accordance with procedures adopted by the CA/Browser Forum. Questions or suggestions concerning these guidelines may be directed to the CA/Browser Forum at . + +**The CA/Browser Forum** + +The CA/Browser Forum is a voluntary open organization of certification authorities and suppliers of Internet browsers and other relying-party software applications. Membership is listed at . + +## Document History + +| **Ver.** | **Ballot** | **Description** | **Adopted** | **Effective\*** | +|-|-|-----|--|--| +| 1.4.0 | 72 | Reorganize EV Documents | 29 May 2012 | 29 May 2012 | +| 1.4.1 | 75 | NameConstraints Criticality Flag | 8 June 2012 | 8 June 2012 | +| 1.4.2 | 101 | EV 11.10.2 Accountants | 31 May 2013 | 31 May 2013 | +| 1.4.3 | 104 | Domain verification for EV Certificates | 9 July 2013 | 9 July 2013 | +| 1.4.4 | 113 | Revision to QIIS in EV Guidelines | 13 Jan 2014 | 13 Jan 2014 | +| 1.4.5 | 114 | Improvements to the EV Definitions | 28 Jan 2014 | 28 Jan 2014 | +| 1.4.6 | 119 | Remove "OfIncorporation" from OID descriptions in EVG 9.2.5 | 24 Mar 2014 | 24 Mar 2014 | +| 1.4.7 | 120 | Affiliate Authority to Verify Domain | 5 June 2014 | 5 June 2014 | +| 1.4.8 | 124 | Business Entity Clarification | 5 June 2014 | 5 June 2014 | +| 1.4.9 | 127 | Verification of Name, Title and Agency | 17 July 2014 | 17 July 2014 | +| 1.5.0 | 126 | Operational Existence | 24 July 2014 | 24 July 2014 | +| 1.5.1 | 131 | Verified Method of Communication | 12 Sept 2014 | 12 Sept 2014 | +| 1.5.2 | 123 | Reuse of Information | 16 Oct. 2014 | 16 Oct. 2014 | +| 1.5.3 | 144 | Validation rules for .onion names | 18 Feb. 2015 | 18 Feb. 2015 | +| 1.5.4 | 146 | Convert Baseline Requirements to RFC 3647 Framework | 16 Apr. 2015 | 16 Apr. 2015 | +| 1.5.5 | 145 | Operational Existence for Government Entities | 5 Mar. 2015 | 5 Mar. 
2015 | +| 1.5.6 | 147 | Attorney-Accountant Letter Changes | 25 June 2015 | 25 June 2015 | +| 1.5.7 | 151 | Addition of Optional OIDs for Indicating Level of Validation | 28 Sept 2015 | 28 Sept 2015 | +| 1.5.8 | 162 | Sunset of Exceptions | 15 Mar 2016 | 15 Mar 2016 | +| 1.5.9 | 163 | Fix Errata in EV Guidelines 11.2.1 | 18 Mar 2016 | 18 Mar 2016 | +| 1.6.0 | 171 | Updating ETSI Standards | 1 July 2016 | 1 July 2016 | +| 1.6.1 | 180 | In EV 11.7.1, removed outdated cross-reference to BR 3.2.2.4(7) | 7 Jan. 2017 | 7 Jan. 2017 | +| 1.6.2 | 103 | 825-day Certificate Lifetimes | 17 Mar. 2017 | 17 Mar. 2017 | +| 1.6.3 | 198 | .Onion Revisions (declared invalid) | 7 May 2017 | 8 June 2017 | +| 1.6.4 | 191 | Clarify Place of Business Information | 23 May 2017 | 23 June 2017 | +| 1.6.5 | 201 | .onion Revisions | 8 June 2017 | 8 July 2017 | +| 1.6.6 | 192 | Notary revision | 28 June 2017 | 28 July 2017 | +| 1.6.7 | 207 | ASN.1 Jurisdiction | 23 October 2017 | 23 November 2017 | +| 1.6.8 | 217 | Sunset RFC 2527 | 21 Dec 2017 | 9 Mar 2018 | +| 1.6.9 | SC16 | Other Subject Attributes | 15 Mar 2019 | 16 Apr 2019 | +| 1.7.0 | SC17 | Alternative registration numbers for EV certificates | 21 May 2019 | 21 June 2019 | +| 1.7.1 | SC24 | Fall cleanup v2 | 12 Nov 2019 | 19 Dec 2019 | +| 1.7.2 | SC27 | Version 3 Onion Certificates | 19-Feb-2020 | 27-Mar-2020 | +| 1.7.3 | SC30 | Disclosure of Registration / Incorporating Agency | 13-Jul-2020 | 20-Aug-2020 | +| 1.7.3 | SC31 | Browser Alignment | 16-Jul-2020 | 20-Aug-2020 | +| 1.7.4 | SC35 | Cleanups and Clarifications | 9-Sep-2020 | 19-Oct-2020 | +| 1.7.5 | SC41 | Reformatting the BRs, EVGs, and NCSSRs | 24-Feb-2021 | 5-Apr-2021 | +| 1.7.6 | SC42 | 398-day Re-use Period | 22-Apr-2021 | 2-Jun-2021 | +| 1.7.7 | SC47 | Sunset subject:organizationalUnitName | 30-Jun-2021 | 16-Aug-2021 | +| 1.7.8 | SC48 | Domain Name and IP Address Encoding | 22-Jul-2021 | 25-Aug-2021 | +| 1.7.9 | SC54 | Onion Cleanup | 24-Mar-2022 | 23-Apr-2022 | +| 1.8.0 | 
SC56 | 2022 Cleanup | 25-Oct-2022 | 30-Nov-2022 | + +\* Effective Date and Additionally Relevant Compliance Date(s) + +## Relevant Dates + +| **Compliance** | **Section(s)** | **Summary Description (See Full Text for Details)** | +|--|--|----------| +| 2020-01-31 | [9.2.8](#928-subject-organization-identifier-field) | If subject:organizationIdentifier is present, the CA/Browser Forum Organization Identifier Extension MUST be present | +| 2020-09-01 | [9.4](#94-maximum-validity-period-for-ev-certificate) & Appendix F | Certificates issued MUST NOT have a Validity Period greater than 398 days. | +| 2020-10-01 | [11.1.3](#1113-disclosure-of-verification-sources) | Prior to using an Incorporating Agency or Registration Agency, the CA MUST ensure the agency has been publicly disclosed | +| 2022-09-01 | [9.2.7](#927-subject-organizational-unit-name-field) | CAs MUST NOT include the organizationalUnitName field in the Subject | + +**Implementers' Note**: Version 1.3 of these EV Guidelines was published on 20 November 2010 and supplemented through May 2012 when version 1.4 was published. ETSI TS 102 042 and ETSI TR 101 564 Technical Report: Guidance on ETSI TS 102 042 for Issuing Extended Validation Certificates for Auditors and CSPs reference version 1.3 of these EV Guidelines, and ETSI Draft EN 319 411-1 references version 1.4. Version 1.4.5 of Webtrust(r) for Certification Authorities – Extended Validation Audit Criteria references version 1.4.5 of these EV Guidelines. As illustrated in the Document History table above, the CA/Browser Forum continues to improve relevant industry guidelines, including this document, the Baseline Requirements, and the Network and Certificate System Security Requirements. We encourage all CAs to conform to each revision on the date specified without awaiting a corresponding update to an applicable audit criterion. 
In the event of a conflict between an existing audit criterion and a guideline revision, we will communicate with the audit community and attempt to resolve any uncertainty. We will respond to implementation questions directed to questions@cabforum.org. Our coordination with compliance auditors will continue as we develop guideline revision cycles that harmonize with the revision cycles for audit criteria, the compliance auditing periods and cycles of CAs, and the CA/Browser Forum's guideline implementation dates. + +# 1. Scope + +These Guidelines for the issuance and management of Extended Validation Certificates describe certain of the minimum requirements that a Certification Authority must meet in order to issue Extended Validation Certificates. Subject Organization information from Valid EV Certificates may be displayed in a special manner by certain relying-party software applications (e.g., browser software) in order to provide users with a trustworthy confirmation of the identity of the entity that controls the Web site they are accessing. These Guidelines incorporate the Baseline Requirements established by the CA/Browser Forum by reference. A copy of the Baseline Requirements is available on the CA/Browser Forum's website at . + +These Guidelines address the basic issue of validating Subject identity information in EV Certificates and some related matters. They do not address all of the related matters, such as certain technical and operational ones. This version of the Guidelines addresses only requirements for EV Certificates intended to be used for SSL/TLS authentication on the Internet and for code signing. Similar requirements for S/MIME, time-stamping, VoIP, IM, Web services, etc. may be covered in future versions. 
+ +These Guidelines do not address the verification of information, or the issuance, use, maintenance, or revocation of EV Certificates by enterprises that operate their own Public Key Infrastructure for internal purposes only, where its Root CA Certificate is not distributed by any Application Software Supplier. + +# 2. Purpose + +## 2.1. Purpose of EV Certificates + +EV Certificates are intended for establishing Web-based data communication conduits via the TLS/SSL protocols and for verifying the authenticity of executable code. + +### 2.1.1. Primary Purposes + +The primary purposes of an EV Certificate are to: + +1. **Identify the legal entity that controls a Web site**: Provide a reasonable assurance to the user of an Internet browser that the Web site the user is accessing is controlled by a specific legal entity identified in the EV Certificate by name, address of Place of Business, Jurisdiction of Incorporation or Registration and Registration Number or other disambiguating information; and + +2. **Enable encrypted communications with a Web site**: Facilitate the exchange of encryption keys in order to enable the encrypted communication of information over the Internet between the user of an Internet browser and a Web site. + +### 2.1.2. Secondary Purposes + +The secondary purposes of an EV Certificate are to help establish the legitimacy of a business claiming to operate a Web site or distribute executable code, and to provide a vehicle that can be used to assist in addressing problems related to phishing, malware, and other forms of online identity fraud. By providing more reliable third-party verified identity and address information regarding the business, EV Certificates may help to: + +1. Make it more difficult to mount phishing and other online identity fraud attacks using Certificates; +2. Assist companies that may be the target of phishing attacks or online identity fraud by providing them with a tool to better identify themselves to users; and +3. 
Assist law enforcement organizations in their investigations of phishing and other online identity fraud, including where appropriate, contacting, investigating, or taking legal action against the Subject. + +### 2.1.3. Excluded Purposes + +EV Certificates focus only on the identity of the Subject named in the Certificate, and not on the behavior of the Subject. As such, an EV Certificate is **not** intended to provide any assurances, or otherwise represent or warrant: + +1. That the Subject named in the EV Certificate is actively engaged in doing business; +2. That the Subject named in the EV Certificate complies with applicable laws; +3. That the Subject named in the EV Certificate is trustworthy, honest, or reputable in its business dealings; or +4. That it is "safe" to do business with the Subject named in the EV Certificate. + +# 3. References + +See Baseline Requirements, which are available at . + +# 4. Definitions + +Capitalized Terms are defined in the Baseline Requirements except where provided below: + +**Accounting Practitioner**: A certified public accountant, chartered accountant, or a person with an equivalent license within the country of the Applicant's Jurisdiction of Incorporation or Registration or any jurisdiction where the Applicant maintains an office or physical facility; provided that an accounting standards body in the jurisdiction maintains full (not "suspended" or "associate") membership status with the International Federation of Accountants. + +**Baseline Requirements**: The Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates as published by the CA/Browser Forum and any amendments to such document. + +**Business Entity**: Any entity that is not a Private Organization, Government Entity, or Non-Commercial Entity as defined herein. Examples include, but are not limited to, general partnerships, unincorporated associations, sole proprietorships, etc. 
+ +**Certificate Approver**: A natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant to + + i. act as a Certificate Requester and to authorize other employees or third parties to act as a Certificate Requester, and + ii. to approve EV Certificate Requests submitted by other Certificate Requesters. + +**Certificate Requester**: A natural person who is either the Applicant, employed by the Applicant, an authorized agent who has express authority to represent the Applicant, or a third party (such as an ISP or hosting company) that completes and submits an EV Certificate Request on behalf of the Applicant. + +**Confirmation Request**: An appropriate out-of-band communication requesting verification or confirmation of the particular fact at issue. + +**Confirming Person**: A position within an Applicant's organization that confirms the particular fact at issue. + +**Contract Signer**: A natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant, and who has authority on behalf of the Applicant to sign Subscriber Agreements. + +**Demand Deposit Account**: A deposit account held at a bank or other financial institution, the funds deposited in which are payable on demand. The primary purpose of demand accounts is to facilitate cashless payments by means of check, bank draft, direct debit, electronic funds transfer, etc. Usage varies among countries, but a demand deposit account is commonly known as a share draft account, a current account, or a checking account. + +**EV Authority**: A source other than the Certificate Approver, through which verification occurs that the Certificate Approver is expressly authorized by the Applicant, as of the date of the EV Certificate Request, to take the Request actions described in these Guidelines. 
+ +**EV Certificate**: A certificate that contains subject information specified in these Guidelines and that has been validated in accordance with these Guidelines. + +**EV Certificate Beneficiaries**: Persons to whom the CA and its Root CA make specified EV Certificate Warranties. + +**EV Certificate Renewal**: The process whereby an Applicant who has a valid unexpired and non-revoked EV Certificate makes an application, to the CA that issued the original certificate, for a newly issued EV Certificate for the same organizational name and Domain Name prior to the expiration of the Applicant's existing EV Certificate but with a new 'valid to' date beyond the expiry of the current EV Certificate. + +**EV Certificate Reissuance**: The process whereby an Applicant who has a valid unexpired and non-revoked EV Certificate makes an application, to the CA that issued the original certificate, for a newly issued EV Certificate for the same organizational name and Domain Name prior to the expiration of the Applicant's existing EV Certificate but with a 'valid to' date that matches that of the current EV Certificate. + +**EV Certificate Request**: A request from an Applicant to the CA requesting that the CA issue an EV Certificate to the Applicant, which request is validly authorized by the Applicant and signed by the Applicant Representative. + +**EV Certificate Warranties**: In conjunction with the CA issuing an EV Certificate, the CA and its Root CA, during the period when the EV Certificate is Valid, promise that the CA has followed the requirements of these Guidelines and the CA's EV Policies in issuing the EV Certificate and in verifying the accuracy of the information contained in the EV Certificate. + +**EV OID**: An identifying number, in the form of an "object identifier," that is included in the `certificatePolicies` field of a certificate that: + + i. indicates which CA policy statement relates to that certificate, and + ii. 
is either the CA/Browser Forum EV policy identifier or a policy identifier that, by pre-agreement with one or more Application Software Supplier, marks the certificate as being an EV Certificate. + +**EV Policies**: Auditable EV Certificate practices, policies and procedures, such as a certification practice statement and certificate policy, that are developed, implemented, and enforced by the CA and its Root CA. + +**EV Processes**: The keys, software, processes, and procedures by which the CA verifies Certificate Data under this Guideline, issues EV Certificates, maintains a Repository, and revokes EV Certificates. + +**Extended Validation Certificate**: See EV Certificate. + +**Government Agency**: In the context of a Private Organization, the government agency in the Jurisdiction of Incorporation under whose authority the legal existence of Private Organizations is established (e.g., the government agency that issued the Certificate of Incorporation). In the context of Business Entities, the government agency in the jurisdiction of operation that registers business entities. In the case of a Government Entity, the entity that enacts law, regulations, or decrees establishing the legal existence of Government Entities. + +**Guidelines**: This document. + +**Incorporating Agency**: In the context of a Private Organization, the government agency in the Jurisdiction of Incorporation under whose authority the legal existence of the entity is registered (e.g., the government agency that issues certificates of formation or incorporation). In the context of a Government Entity, the entity that enacts law, regulations, or decrees establishing the legal existence of Government Entities. + +**Independent Confirmation From Applicant**: Confirmation of a particular fact received by the CA pursuant to the provisions of the Guidelines or binding upon the Applicant. + +**Individual**: A natural person. 
+ +**International Organization**: An organization founded by a constituent document, e.g., a charter, treaty, convention or similar document, signed by, or on behalf of, a minimum of two Sovereign State governments. + +**Jurisdiction of Incorporation**: In the context of a Private Organization, the country and (where applicable) the state or province or locality where the organization's legal existence was established by a filing with (or an act of) an appropriate government agency or entity (e.g., where it was incorporated). In the context of a Government Entity, the country and (where applicable) the state or province where the Entity's legal existence was created by law. + +**Jurisdiction of Registration**: In the case of a Business Entity, the state, province, or locality where the organization has registered its business presence by means of filings by a Principal Individual involved in the business. + +**Latin Notary**: A person with legal training whose commission under applicable law not only includes authority to authenticate the execution of a signature on a document but also responsibility for the correctness and content of the document. A Latin Notary is sometimes referred to as a Civil Law Notary. + +**Legal Entity**: A Private Organization, Government Entity, Business Entity, or Non-Commercial Entity. + +**Legal Existence**: A Private Organization, Government Entity, or Business Entity has Legal Existence if it has been validly formed and not otherwise terminated, dissolved, or abandoned. + +**Legal Practitioner**: A person who is either a lawyer or a Latin Notary as described in these Guidelines and competent to render an opinion on factual claims of the Applicant. + +**Maximum Validity Period**: + + 1. The maximum time period for which the issued EV Certificate is valid. + 2. The maximum period after validation by the CA that certain Applicant information may be relied upon in issuing an EV Certificate pursuant to these Guidelines. 
+ +**Notary**: A person whose commission under applicable law includes authority to authenticate the execution of a signature on a document. + +**Place of Business**: The location of any facility (such as a factory, retail store, warehouse, etc) where the Applicant's business is conducted. + +**Principal Individual**: An individual of a Private Organization, Government Entity, or Business Entity that is either an owner, partner, managing member, director, or officer, as identified by their title of employment, or an employee, contractor or agent authorized by such entity or organization to conduct business related to the request, issuance, and use of EV Certificates. + +**Private Organization**: A non-governmental legal entity (whether ownership interests are privately held or publicly traded) whose existence was created by a filing with (or an act of) the Incorporating Agency or equivalent in its Jurisdiction of Incorporation. + +**Qualified Auditor**: An independent public accounting firm that meets the auditing qualification requirements specified in [Section 17.6](#176-auditor-qualification). + +**Qualified Government Information Source**: A database maintained by a Government Entity (e.g. SEC filings) that meets the requirements of [Section 11.11.6](#11116-qualified-government-information-source). + +**Qualified Government Tax Information Source**: A Qualified Governmental Information Source that specifically contains tax information relating to Private Organizations, Business Entities, or Individuals. + +**Qualified Independent Information Source**: A regularly-updated and current, publicly available, database designed for the purpose of accurately providing the information for which it is consulted, and which is generally recognized as a dependable source of such information. 
+ +**Registration Agency**: A Governmental Agency that registers business information in connection with an entity's business formation or authorization to conduct business under a license, charter or other certification. A Registration Agency MAY include, but is not limited to + + i. a State Department of Corporations or a Secretary of State; + ii. a licensing agency, such as a State Department of Insurance; or + iii. a chartering agency, such as a state office or department of financial regulation, banking or finance, or a federal agency such as the Office of the Comptroller of the Currency or Office of Thrift Supervision. + +**Registration Reference**: A unique identifier assigned to a Legal Entity. + +**Registration Scheme**: A scheme for assigning a Registration Reference meeting the requirements identified in [Appendix H](#appendix-h--registration-schemes). + +**Registered Agent**: An individual or entity that is: + + i. authorized by the Applicant to receive service of process and business communications on behalf of the Applicant; and + ii. listed in the official records of the Applicant's Jurisdiction of Incorporation as acting in the role specified in (i) above. + +**Registered Office**: The official address of a company, as recorded with the Incorporating Agency, to which official documents are sent and at which legal notices are received. + +**Registration Number**: The unique number assigned to a Private Organization by the Incorporating Agency in such entity's Jurisdiction of Incorporation. + +**Regulated Financial Institution**: A financial institution that is regulated, supervised, and examined by governmental, national, state or provincial, or local authorities. + +**Root Key Generation Script**: A documented plan of procedures to be performed for the generation of the Root CA Key Pair. + +**Signing Authority**: One or more Certificate Approvers designated to act on behalf of the Applicant. 
+ +**Superior Government Entity**: Based on the structure of government in a political subdivision, the Government Entity or Entities that have the ability to manage, direct and control the activities of the Applicant. + +**Suspect code**: Code that contains malicious functionality or serious vulnerabilities, including spyware, malware and other code that installs without the user's consent and/or resists its own removal, and code that can be exploited in ways not intended by its designers to compromise the trustworthiness of the platforms on which it executes. + +**Translator**: An individual or Business Entity that possesses the requisite knowledge and expertise to accurately translate the words of a document written in one language to the native language of the CA. + +**Verified Accountant Letter**: A document meeting the requirements specified in [Section 11.11.2](#11112-verified-accountant-letter). + +**Verified Legal Opinion**: A document meeting the requirements specified in [Section 11.11.1](#11111-verified-legal-opinion). + +**Verified Method of Communication**: The use of a telephone number, a fax number, an email address, or postal delivery address, confirmed by the CA in accordance with [Section 11.5](#115-verified-method-of-communication) as a reliable way of communicating with the Applicant. + +**Verified Professional Letter**: A Verified Accountant Letter or Verified Legal Opinion. + +**WebTrust EV Program**: The additional audit procedures specified for CAs that issue EV Certificates by the AICPA/CICA to be used in conjunction with its WebTrust Program for Certification Authorities. + +**WebTrust Program for CAs**: The then-current version of the AICPA/CICA WebTrust Program for Certification Authorities. + +**WebTrust Seal of Assurance**: An affirmation of compliance resulting from the WebTrust Program for CAs. + +# 5. 
Abbreviations and Acronyms + +Abbreviations and Acronyms are defined in the Baseline Requirements except as otherwise defined herein: + +| **Acronym** | **Meaning** | +| --- | --- | +| BIPM | International Bureau of Weights and Measures | +| BIS | (US Government) Bureau of Industry and Security | +| CEO | Chief Executive Officer | +| CFO | Chief Financial Officer | +| CIO | Chief Information Officer | +| CISO | Chief Information Security Officer | +| COO | Chief Operating Officer | +| CPA | Chartered Professional Accountant | +| CSO | Chief Security Officer | +| EV | Extended Validation | +| gTLD | Generic Top-Level Domain | +| IFAC | International Federation of Accountants | +| IRS | Internal Revenue Service | +| ISP | Internet Service Provider | +| QGIS | Qualified Government Information Source | +| QTIS | Qualified Government Tax Information Source | +| QIIS | Qualified Independent Information Source | +| SEC | (US Government) Securities and Exchange Commission | +| UTC(k) | National realization of Coordinated Universal Time | + +# 6. Conventions + +Terms not otherwise defined in these Guidelines shall be as defined in applicable agreements, user manuals, certification practice statements (CPS), and certificate policies (CP) of the CA issuing EV Certificates. + +The key words "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in these Guidelines shall be interpreted in accordance with RFC 2119. + +By convention, this document omits time and timezones when listing effective requirements such as dates. Except when explicitly specified, the associated time with a date shall be 00:00:00 UTC. + +# 7. Certificate Warranties and Representations + +## 7.1. 
EV Certificate Warranties + +When the CA issues an EV Certificate, the CA and its Root CA represent and warrant to the Certificate Beneficiaries listed in Section 9.6.1 of the Baseline Requirements, during the period when the EV Certificate is Valid, that the CA has followed the requirements of these Guidelines and its EV Policies in issuing and managing the EV Certificate and in verifying the accuracy of the information contained in the EV Certificate. The EV Certificate Warranties specifically include, but are not limited to, the following: + +A. **Legal Existence**: The CA has confirmed with the Incorporating or Registration Agency in the Subject's Jurisdiction of Incorporation or Registration that, as of the date the EV Certificate was issued, the Subject named in the EV Certificate legally exists as a valid organization or entity in the Jurisdiction of Incorporation or Registration; +B. **Identity**: The CA has confirmed that, as of the date the EV Certificate was issued, the legal name of the Subject named in the EV Certificate matches the name on the official government records of the Incorporating or Registration Agency in the Subject's Jurisdiction of Incorporation or Registration, and if an assumed name is also included, that the assumed name is properly registered by the Subject in the jurisdiction of its Place of Business; +C. **Right to Use Domain Name**: The CA has taken all steps reasonably necessary to verify that, as of the date the EV Certificate was issued, the Subject named in the EV Certificate has the right to use all the Domain Name(s) listed in the EV Certificate; +D. **Authorization for EV Certificate**: The CA has taken all steps reasonably necessary to verify that the Subject named in the EV Certificate has authorized the issuance of the EV Certificate; +E. 
**Accuracy of Information**: The CA has taken all steps reasonably necessary to verify that all of the other information in the EV Certificate is accurate, as of the date the EV Certificate was issued; +F. **Subscriber Agreement**: The Subject named in the EV Certificate has entered into a legally valid and enforceable Subscriber Agreement with the CA that satisfies the requirements of these Guidelines or, if they are affiliated, the Applicant Representative has acknowledged and accepted the Terms of Use; +G. **Status**: The CA will follow the requirements of these Guidelines and maintain a 24 x 7 online-accessible Repository with current information regarding the status of the EV Certificate as Valid or revoked; and +H. **Revocation**: The CA will follow the requirements of these Guidelines and revoke the EV Certificate for any of the revocation reasons specified in these Guidelines. + +## 7.2. By the Applicant + +EV Certificate Applicants make the commitments and warranties set forth in Section 9.6.3 of the Baseline Requirements for the benefit of the CA and Certificate Beneficiaries. + +# 8. Community and Applicability + +## 8.1. Issuance of EV Certificates + +The CA MAY issue EV Certificates, provided that the CA and its Root CA satisfy the requirements in these Guidelines and the Baseline Requirements. + +If a court or government body with jurisdiction over the activities covered by these Guidelines determines that the performance of any mandatory requirement is illegal, then such requirement is considered reformed to the minimum extent necessary to make the requirement valid and legal. This applies only to operations or certificate issuances that are subject to the laws of that jurisdiction. The parties involved SHALL notify the CA / Browser Forum of the facts, circumstances, and law(s) involved, so that the CA/Browser Forum may revise these Guidelines accordingly. + +## 8.2. EV Policies + +### 8.2.1. 
Implementation + +Each CA must develop, implement, enforce, display prominently on its Web site, and periodically update as necessary its own auditable EV Certificate practices, policies and procedures, such as a Certification Practice Statement (CPS) and Certificate Policy (CP) that: + +A. Implement the requirements of these Guidelines as they are revised from time-to-time; + +B. Implement the requirements of + + i. the then-current WebTrust Program for CAs, and + ii. the then-current WebTrust EV Program or ETSI TS 102 042 for EVCP or ETSI EN 319 411-1 for EVCP policy; and + +C. Specify the CA's and its Root CA's entire root certificate hierarchy including all roots that its EV Certificates depend on for proof of those EV Certificates' authenticity. + +### 8.2.2. Disclosure + +Each CA MUST publicly disclose its Certificate Policy and/or Certification Practice Statement through an appropriate and readily accessible online means that is available on a 24x7 basis. The CA SHALL publicly disclose its CA business practices to the extent required by the CA's selected audit scheme (see [Section 17.1](#171-eligible-audit-schemes)). + +The CA's Certificate Policy and/or Certification Practice Statement MUST be structured in accordance with RFC 3647. The Certificate Policy and/or Certification Practice Statement MUST include all material required by RFC 3647. + +## 8.3. Commitment to Comply with Recommendations + +Each CA SHALL publicly give effect to these Guidelines and represent that they will adhere to the latest published version by incorporating them into their respective EV Policies, using a clause such as the following (which must include a link to the official version of these Guidelines): + +> [Name of CA] conforms to the current version of the CA/Browser Forum Guidelines for Issuance and Management of Extended Validation Certificates published at . 
In the event of any inconsistency between this document and those Guidelines, those Guidelines take precedence over this document. + +In addition, the CA MUST include (directly or by reference) the applicable requirements of these Guidelines in all contracts with Subordinate CAs, RAs, Enterprise RAs, and subcontractors that involve or relate to the issuance or maintenance of EV Certificates. The CA MUST enforce compliance with such terms. + +## 8.4. Insurance + +Each CA SHALL maintain the following insurance related to their respective performance and obligations under these Guidelines: + +A. Commercial General Liability insurance (occurrence form) with policy limits of at least two million US dollars in coverage; and + +B. Professional Liability/Errors and Omissions insurance, with policy limits of at least five million US dollars in coverage, and including coverage for: + i. claims for damages arising out of an act, error, or omission, unintentional breach of contract, or neglect in issuing or maintaining EV Certificates, and; + ii. claims for damages arising out of infringement of the proprietary rights of any third party (excluding copyright, and trademark infringement), and invasion of privacy and advertising injury. + +Such insurance must be with a company rated no less than A- as to Policy Holder's Rating in the current edition of Best's Insurance Guide (or with an association of companies each of the members of which are so rated). + +A CA MAY self-insure for liabilities that arise from such party's performance and obligations under these Guidelines provided that it has at least five hundred million US dollars in liquid assets based on audited financial statements in the past twelve months, and a quick ratio (ratio of liquid assets to current liabilities) of not less than 1.0. + +## 8.5. Obtaining EV Certificates + +### 8.5.1. 
General + +The CA MAY only issue EV Certificates to Applicants that meet the Private Organization, Government Entity, Business Entity and Non-Commercial Entity requirements specified below. + +### 8.5.2. Private Organization Subjects + +An Applicant qualifies as a Private Organization if: + +1. The entity's legal existence is created or recognized by a by a filing with (or an act of) the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration (e.g., by issuance of a certificate of incorporation, registration number, etc.) or created or recognized by a Government Agency (e.g. under a charter, treaty, convention, or equivalent recognition instrument); + +2. The entity designated with the Incorporating or Registration Agency a Registered Agent, a Registered Office (as required under the laws of the Jurisdiction of Incorporation or Registration), or an equivalent facility; + +3. The entity is not designated on the records of the Incorporating or Registration Agency by labels such as "inactive," "invalid," "not current," or the equivalent; + +4. The entity has a verifiable physical existence and business presence; + +5. The entity's Jurisdiction of Incorporation, Registration, Charter, or License, and/or its Place of Business is not in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and + +6. The entity is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. + +### 8.5.3. Government Entity Subjects + +An Applicant qualifies as a Government Entity if: + +1. The entity's legal existence was established by the political subdivision in which the entity operates; + +2. The entity is not in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and + +3. 
The entity is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. + +### 8.5.4. Business Entity Subjects + +An Applicant qualifies as a Business Entity if: + +1. The entity is a legally recognized entity that filed certain forms with a Registration Agency in its jurisdiction, the Registration Agency issued or approved the entity's charter, certificate, or license, and the entity's existence can be verified with that Registration Agency; + +2. The entity has a verifiable physical existence and business presence; + +3. At least one Principal Individual associated with the entity is identified and validated by the CA; + +4. The identified Principal Individual attests to the representations made in the Subscriber Agreement; + +5. The CA verifies the entity's use of any assumed name used to represent the entity pursuant to the requirements of [Section 11.3](#113-verification-of-applicants-legal-existence-and-identity--assumed-name); + +6. The entity and the identified Principal Individual associated with the entity are not located or residing in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and + +7. The entity and the identified Principal Individual associated with the entity are not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. + +### 8.5.5. Non-Commercial Entity Subjects + +An Applicant qualifies as a Non-Commercial Entity if: + +1. The Applicant is an International Organization Entity, created under a charter, treaty, convention or equivalent instrument that was signed by, or on behalf of, more than one country's government. The CA/Browser Forum may publish a listing of Applicants who qualify as an International Organization for EV eligibility; and + +2. 
The Applicant is not headquartered in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and + +3. The Applicant is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. + +Subsidiary organizations or agencies of an entity that qualifies as a Non-Commercial Entity also qualifies for EV Certificates as a Non-Commercial Entity. + +# 9. EV Certificate Content and Profile + +This section sets forth minimum requirements for the content of the EV Certificate as they relate to the identity of the CA and the Subject of the EV Certificate. + +## 9.1. Issuer Information + +Issuer Information listed in an EV Certificate MUST comply with Section 7.1.4.1 of the Baseline Requirements. + +## 9.2. Subject Distinguished Name Fields + +Subject to the requirements of these Guidelines, the EV Certificate and certificates issued to Subordinate CAs that are not controlled by the same entity as the CA MUST include the following information about the Subject organization in the fields listed: + +### 9.2.1. Subject Organization Name Field + +__Certificate Field__: `subject:organizationName` (OID 2.5.4.10) +__Required/Optional__: Required +__Contents__: This field MUST contain the Subject's full legal organization name as listed in the official records of the Incorporating or Registration Agency in the Subject's Jurisdiction of Incorporation or Registration or as otherwise verified by the CA as provided herein. A CA MAY abbreviate the organization prefixes or suffixes in the organization name, e.g., if the official record shows "Company Name Incorporated" the CA MAY include "Company Name, Inc." + +When abbreviating a Subject's full legal name as allowed by this subsection, the CA MUST use abbreviations that are not misleading in the Jurisdiction of Incorporation or Registration. 
+ +In addition, an assumed name or DBA name used by the Subject MAY be included at the beginning of this field, provided that it is followed by the full legal organization name in parenthesis. + +If the combination of names or the organization name by itself exceeds 64 characters, the CA MAY abbreviate parts of the organization name, and/or omit non-material words in the organization name in such a way that the text in this field does not exceed the 64-character limit; provided that the CA checks this field in accordance with [Section 11.12.1](#11121-high-risk-status) and a Relying Party will not be misled into thinking that they are dealing with a different organization. In cases where this is not possible, the CA MUST NOT issue the EV Certificate. + +### 9.2.2. Subject Common Name Field + +__Certificate Field__: `subject:commonName` (OID: 2.5.4.3) +__Required/Optional__: Deprecated (Discouraged, but not prohibited) +__Contents__: If present, this field MUST contain a single Domain Name(s) owned or controlled by the Subject and to be associated with the Subject's server. Such server MAY be owned and operated by the Subject or another entity (e.g., a hosting service). This field MUST NOT contain a Wildcard Domain Name unless the FQDN portion of the Wildcard Domain Name is an Onion Domain Name verified in accordance with Appendix B of the Baseline Requirements. + +### 9.2.3. Subject Business Category Field + +__Certificate Field__: `subject:businessCategory` (OID: 2.5.4.15) +__Required/Optional__: Required +__Contents__: This field MUST contain one of the following strings: "Private Organization", "Government Entity", "Business Entity", or "Non-Commercial Entity" depending upon whether the Subject qualifies under the terms of [Section 8.5.2](#852-private-organization-subjects), [Section 8.5.3](#853-government-entity-subjects), [Section 8.5.4](#854-business-entity-subjects) or [Section 8.5.5](#855-non-commercial-entity-subjects), respectively. + +### 9.2.4. 
Subject Jurisdiction of Incorporation or Registration Field + +__Certificate Fields__: + +Locality (if required): + `subject:jurisdictionLocalityName` (OID: 1.3.6.1.4.1.311.60.2.1.1) + +State or province (if required): + `subject:jurisdictionStateOrProvinceName` (OID: 1.3.6.1.4.1.311.60.2.1.2) + +Country: + `subject:jurisdictionCountryName` (OID: 1.3.6.1.4.1.311.60.2.1.3) + +__Required/Optional__: Required +__Contents__: These fields MUST NOT contain information that is not relevant to the level of the Incorporating Agency or Registration Agency. For example, the Jurisdiction of Incorporation for an Incorporating Agency or Jurisdiction of Registration for a Registration Agency that operates at the country level MUST include the country information but MUST NOT include the state or province or locality information. Similarly, the jurisdiction for the applicable Incorporating Agency or Registration Agency at the state or province level MUST include both country and state or province information, but MUST NOT include locality information. And, the jurisdiction for the applicable Incorporating Agency or Registration Agency at the locality level MUST include the country and state or province information, where the state or province regulates the registration of the entities at the locality level, as well as the locality information. Country information MUST be specified using the applicable ISO country code. State or province or locality information (where applicable) for the Subject's Jurisdiction of Incorporation or Registration MUST be specified using the full name of the applicable jurisdiction. + +Effective as of 1 October 2020, the CA SHALL ensure that, at time of issuance, the values within these fields have been disclosed within the latest publicly-available disclosure, as described in [Section 11.1.3](#1113-disclosure-of-verification-sources), as acceptable values for the applicable Incorporating Agency or Registration Agency. + +### 9.2.5. 
Subject Registration Number Field + +__Certificate Field__: `subject:serialNumber` (OID: 2.5.4.5) +__Required/Optional__: __Required__ +__Contents__: For Private Organizations, this field MUST contain the Registration (or similar) Number assigned to the Subject by the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration, as appropriate. If the Jurisdiction of Incorporation or Registration does not provide a Registration Number, then the date of Incorporation or Registration SHALL be entered into this field in any one of the common date formats. + +For Government Entities that do not have a Registration Number or readily verifiable date of creation, the CA SHALL enter appropriate language to indicate that the Subject is a Government Entity. + +For Business Entities, the Registration Number that was received by the Business Entity upon government registration SHALL be entered in this field. For those Business Entities that register with an Incorporating Agency or Registration Agency in a jurisdiction that does not issue numbers pursuant to government registration, the date of the registration SHALL be entered into this field in any one of the common date formats. + +Effective as of 1 October 2020, if the CA has disclosed a set of acceptable format or formats for Registration Numbers for the applicable Registration Agency or Incorporating Agency, as described in [Section 11.1.3](#1113-disclosure-of-verification-sources), the CA MUST ensure, prior to issuance, that the Registration Number is valid according to at least one currently disclosed format for that applicable Registration Agency or Incorporating agency. + +### 9.2.6. 
Subject Physical Address of Place of Business Field + +__Certificate Fields__: + Number and street: `subject:streetAddress` (OID: 2.5.4.9) + City or town: `subject:localityName` (OID: 2.5.4.7) + State or province (where applicable): `subject:stateOrProvinceName` (OID: 2.5.4.8) + Country: `subject:countryName` (OID: 2.5.4.6) + Postal code: `subject:postalCode` (OID: 2.5.4.17) +__Required/Optional__: As stated in Section 7.1.4.2.2 d, e, f, g and h of the Baseline Requirements. +__Contents__: This field MUST contain the address of the physical location of the Subject's Place of Business. + +### 9.2.7. Subject Organizational Unit Name Field + +__Certificate Field__: `subject:organizationalUnitName` (OID: 2.5.4.11) +__Required/Optional/Prohibited:__ __Prohibited__. + +### 9.2.8. Subject Organization Identifier Field + +__Certificate Field__: `subject:organizationIdentifier` (OID: 2.5.4.97) +__Required/Optional__: Optional +__Contents__: If present, this field MUST contain a Registration Reference for a Legal Entity assigned in accordance to the identified Registration Scheme. + +The organizationIdentifier MUST be encoded as a PrintableString or UTF8String. 
+ +The Registration Scheme MUST be identified using the using the following structure in the presented order: + +* 3 character Registration Scheme identifier; +* 2 character ISO 3166 country code for the nation in which the Registration Scheme is operated, or if the scheme is operated globally ISO 3166 code "XG" shall be used; +* For the NTR Registration Scheme identifier, if required under [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field), a 2 character ISO 3166-2 identifier for the subdivision (state or province) of the nation in which the Registration Scheme is operated, preceded by plus "+" (0x2B (ASCII), U+002B (UTF-8)); +* a hyphen-minus "-" (0x2D (ASCII), U+002D (UTF-8)); +* Registration Reference allocated in accordance with the identified Registration Scheme + +Note: Registration References MAY contain hyphens, but Registration Schemes, ISO 3166 country codes, and ISO 3166-2 identifiers do not. Therefore if more than one hyphen appears in the structure, the leftmost hyphen is a separator, and the remaining hyphens are part of the Registration Reference. + +As in [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field), the specified location information MUST match the scope of the registration being referenced. + +Examples: + +* `NTRGB-12345678` (NTR scheme, Great Britain, Unique Identifier at Country level is 12345678) +* `NTRUS+CA-12345678` (NTR Scheme, United States - California, Unique identifier at State level is 12345678) +* `VATDE-123456789` (VAT Scheme, Germany, Unique Identifier at Country Level is 12345678) +* `PSDBE-NBB-1234.567.890` (PSD Scheme, Belgium, NCA's identifier is NBB, Subject Unique Identifier assigned by the NCA is 1234.567.890) + +Registration Schemes listed in [Appendix H](#appendix-h--registration-schemes) are currently recognized as valid under these guidelines. + +The CA SHALL: + +1. 
confirm that the organization represented by the Registration Reference is the same as the organization named in the `organizationName` field as specified in [Section 9.2.1](#921-subject-organization-name-field) within the context of the subject’s jurisdiction as specified in [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field); +2. further verify the Registration Reference matches other information verified in accordance with [Section 11](#11-verification-requirements); +3. take appropriate measures to disambiguate between different organizations as described in [Appendix H](#appendix-h--registration-schemes) for each Registration Scheme; +4. Apply the validation rules relevant to the Registration Scheme as specified in [Appendix H](#appendix-h--registration-schemes). + +### 9.2.9. Other Subject Attributes + +CAs SHALL NOT include any Subject Distinguished Name attributes except as specified in [Section 9.2](#92-subject-distinguished-name-fields). + +## 9.3. Certificate Policy Identification + +### 9.3.1. EV Certificate Policy Identification Requirements + +This section sets forth minimum requirements for the contents of EV Certificates as they relate to the identification of EV Certificate Policy. + +### 9.3.2. EV Subscriber Certificates + +Each EV Certificate issued by the CA to a Subscriber MUST contain a policy identifier that is either defined by these Guidelines or the CA in the certificate's `certificatePolicies` extension that: + +1. indicates which CA policy statement relates to that Certificate, +2. asserts the CA's adherence to and compliance with these Guidelines, and +3. is either the CA/Browser Forum’s EV policy identifier or a policy identifier that, by pre-agreement with the Application Software Supplier, marks the Certificate as being an EV Certificate. 
+ +The following Certificate Policy identifier is the CA/Browser Forum’s EV policy identifier: +`{joint‐iso‐itu‐t(2) international‐organizations(23) ca‐browser‐forum(140) certificate‐policies(1) ev-guidelines (1) } (2.23.140.1.1)`, if the Certificate complies with these Guidelines. + +### 9.3.3. Root CA Certificates + +The Application Software Supplier identifies Root CAs that are approved to issue EV Certificates by storing EV policy identifiers in metadata associated with Root CA Certificates. + +### 9.3.4. EV Subordinate CA Certificates + +1. Certificates issued to Subordinate CAs that are not controlled by the issuing CA MUST contain one or more policy identifiers defined by the issuing CA that explicitly identify the EV Policies that are implemented by the Subordinate CA. +2. Certificates issued to Subordinate CAs that are controlled by the Root CA MAY contain the special `anyPolicy` identifier (OID: 2.5.29.32.0). + +### 9.3.5. Subscriber Certificates + +A Certificate issued to a Subscriber MUST contain one or more policy identifier(s), defined by the Issuing CA, in the Certificate's `certificatePolicies` extension that indicates adherence to and compliance with these Guidelines. Each CA SHALL document in its Certificate Policy or Certification Practice Statement that the Certificates it issues containing the specified policy identifier(s) are managed in accordance with these Guidelines. + +## 9.4. Maximum Validity Period For EV Certificate + +The Validity Period for an EV Certificate SHALL NOT exceed 398 days. + +It is RECOMMENDED that EV Subscriber Certificates have a Maximum Validity Period of twelve months. + +## 9.5. Subscriber Public Key + +The requirements in Section 6.1.1.3 of the Baseline Requirements apply equally to EV Certificates. + +## 9.6. Certificate Serial Number + +The requirements in Section 7.1 of the Baseline Requirements apply equally to EV Certificates. + +## 9.7. 
Additional Technical Requirements for EV Certificates + +All provisions of the Baseline Requirements concerning Minimum Cryptographic Algorithms, Key Sizes, and Certificate Extensions apply to EV Certificates with the following exceptions: + +1. If a Subordinate CA Certificates is issued to a Subordinate CA not controlled by the entity that controls the Root CA, the policy identifiers in the `certificatePolicies` extension MUST include the CA's Extended Validation policy identifier. + + Otherwise, it MAY contain the anyPolicy identifier. + +2. The following fields MUST be present if the Subordinate CA is not controlled by the entity that controls the Root CA. + + * `certificatePolicies:policyQualifiers:policyQualifierId` + + `id-qt 1` [RFC 5280] + + * `certificatePolicies:policyQualifiers:qualifier:cPSuri` + + HTTP URL for the Root CA's Certification Practice Statement + +3. The `certificatePolicies` extension in EV Certificates issued to Subscribers MUST include the following: + + * `certificatePolicies:policyIdentifier` (Required) + + The Issuer's EV policy identifier + + * `certificatePolicies:policyQualifiers:policyQualifierId` (Required) + + `id-qt 1` [RFC 5280] + + * `certificatePolicies:policyQualifiers:qualifier:cPSuri` (Required) + + HTTP URL for the Subordinate CA's Certification Practice Statement + +4. The `cRLDistributionPoints` extension MUST be present in Subscriber Certificates if the certificate does not specify OCSP responder locations in an `authorityInformationAccess` extension. + +## 9.8. Certificate Extensions + +The extensions listed in [Section 9.8](#98-certificate-extensions) are recommended for maximum interoperability between certificates and browsers / applications, but are not mandatory on the CAs except where indicated as “Required”. 
CAs may use other extensions that are not listed in [Section 9.8](#98-certificate-extensions), but are encouraged to add them to this section by ballot from time to time to help increase extension standardization across the industry. + +If a CA includes an extension in a certificate that has a Certificate field which is named in [Section 9.8](#98-certificate-extensions), the CA must follow the format specified in that subsection. However, no extension or extension format shall be mandatory on a CA unless specifically stated as “Required” in the subsection that describes the extension. + +### 9.8.1. Subject Alternative Name Extension + +__Certificate Field__: `subjectAltName:dNSName` +__Required/Optional__: __Required__ +__Contents__: This extension MUST contain one or more host Domain Name(s) owned or controlled by the Subject and to be associated with the Subject's server. Such server MAY be owned and operated by the Subject or another entity (e.g., a hosting service). This extension MUST NOT contain a Wildcard Domain Name unless the FQDN portion of the Wildcard Domain Name is an Onion Domain Name verified in accordance with Appendix B of the Baseline Requirements. + +### 9.8.2. CA/Browser Forum Organization Identifier Extension + +__Extension Name__: `cabfOrganizationIdentifier` (OID: 2.23.140.3.1) +__Verbose OID__: `{joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) certificate-extensions(3) cabf-organization-identifier(1) }` +__Required/Optional__: __Optional (but see below)__ +__Contents__: If the subject:organizationIdentifier is present, this field MUST be present. + +If present, this extension MUST contain a Registration Reference for a Legal Entity assigned in accordance to the identified Registration Scheme. 
+ +The Registration Scheme MUST be encoded as described by the following ASN.1 grammar: + +```ASN.1 +id-CABFOrganizationIdentifier OBJECT IDENTIFIER ::= { + joint-iso-itu-t(2) international-organizations(23) + ca-browser-forum(140) certificate-extensions(3) + cabf-organizationIdentifier(1) +} + +ext-CABFOrganizationIdentifier EXTENSION ::= { + SYNTAX CABFOrganizationIdentifier + IDENTIFIED BY id-CABFOrganizationIdentifier +} + +CABFOrganizationIdentifier ::= SEQUENCE { + registrationSchemeIdentifier PrintableString (SIZE(3)), + registrationCountry PrintableString (SIZE(2)), + registrationStateOrProvince [0] IMPLICIT PrintableString + (SIZE(0..128)) OPTIONAL, + registrationReference UTF8String +} +``` + +where the subfields have the same values, meanings, and restrictions described in [Section 9.2.8](#928-subject-organization-identifier-field). The CA SHALL validate the contents using the requirements in [Section 9.2.8](#928-subject-organization-identifier-field). + +# 10. EV Certificate Request Requirements + +## 10.1. General Requirements + +### 10.1.1. Documentation Requirements + +The documentation requirements in Section 4.1.2 of the Baseline Requirements apply equally to EV Certificates. + +### 10.1.2. Role Requirements + +The following Applicant roles are required for the issuance of an EV Certificate. + +1. **Certificate Requester**: The EV Certificate Request MUST be submitted by an authorized Certificate Requester. A Certificate Requester is a natural person who is either the Applicant, employed by the Applicant, an authorized agent who has express authority to represent the Applicant, or a third party (such as an ISP or hosting company) that completes and submits an EV Certificate Request on behalf of the Applicant. + +2. **Certificate Approver**: The EV Certificate Request MUST be approved by an authorized Certificate Approver. 
A Certificate Approver is a natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant to + + i. act as a Certificate Requester and to authorize other employees or third parties to act as a Certificate Requester, and + ii. to approve EV Certificate Requests submitted by other Certificate Requesters. + +3. **Contract Signer**: A Subscriber Agreement applicable to the requested EV Certificate MUST be signed by an authorized Contract Signer. A Contract Signer is a natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant, and who has authority on behalf of the Applicant to sign Subscriber Agreements. + +4. **Applicant Representative**: In the case where the CA and the Subscriber are affiliated, Terms of Use applicable to the requested EV Certificate MUST be acknowledged and agreed to by an authorized Applicant Representative. An Applicant Representative is a natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant, and who has authority on behalf of the Applicant to acknowledge and agree to the Terms of Use. + +The Applicant MAY authorize one individual to occupy two or more of these roles. The Applicant MAY authorize more than one individual to occupy any of these roles. + +## 10.2. EV Certificate Request Requirements + +The Certificate Request requirements in Section 4.1.2 of the Baseline Requirements apply equally to EV Certificates subject to the additional more stringent ageing and updating requirement of [Section 11.14](#1114-requirements-for-re-use-of-existing-documentation). + +## 10.3. Requirements for Subscriber Agreement and Terms of Use + +Section 9.6.3 of the Baseline Requirements applies equally to EV Certificates. 
In cases where the Certificate Request does not contain all necessary information about the Applicant, the CA MUST additionally confirm the data with the Certificate Approver or Contract Signer rather than the Certificate Requester. + +# 11. Verification Requirements + +## 11.1. General Overview + +This part of the Guidelines sets forth Verification Requirements and Acceptable Methods of Verification for each such Requirement. + +### 11.1.1. Verification Requirements – Overview + +Before issuing an EV Certificate, the CA MUST ensure that all Subject organization information to be included in the EV Certificate conforms to the requirements of, and is verified in accordance with, these Guidelines and matches the information confirmed and documented by the CA pursuant to its verification processes. Such verification processes are intended to accomplish the following: + +1. Verify Applicant's existence and identity, including; + + A. Verify the Applicant's legal existence and identity (as more fully set forth in [Section 11.2](#112-verification-of-applicants-legal-existence-and-identity)), + + B. Verify the Applicant's physical existence (business presence at a physical address), and + + C. Verify the Applicant's operational existence (business activity). + +2. Verify the Applicant is a registered holder, or has control, of the Domain Name(s) to be included in the EV Certificate; + +3. Verify a reliable means of communication with the entity to be named as the Subject in the Certificate; + +4. Verify the Applicant's authorization for the EV Certificate, including; + + A. Verify the name, title, and authority of the Contract Signer, Certificate Approver, and Certificate Requester, + + B. Verify that a Contract Signer signed the Subscriber Agreement or that a duly authorized Applicant Representative acknowledged and agreed to the Terms of Use; and + + C. Verify that a Certificate Approver has signed or otherwise approved the EV Certificate Request. + +### 11.1.2. 
Acceptable Methods of Verification – Overview + +As a general rule, the CA is responsible for taking all verification steps reasonably necessary to satisfy each of the Verification Requirements set forth in the subsections below. The Acceptable Methods of Verification set forth in each of Sections 11.2 through 11.14 (which usually include alternatives) are considered to be the minimum acceptable level of verification required of the CA. In all cases, however, the CA is responsible for taking any additional verification steps that may be reasonably necessary under the circumstances to satisfy the applicable Verification Requirement. + +### 11.1.3. Disclosure of Verification Sources + +Effective as of 1 October 2020, prior to the use of an Incorporating Agency or Registration Agency to fulfill these verification requirements, the CA MUST publicly disclose Agency Information about the Incorporating Agency or Registration Agency. This disclosure SHALL be through an appropriate and readily accessible online means. 
+ +This Agency Information SHALL include at least the following: + +* Sufficient information to unambiguously identify the Incorporating Agency or Registration Agency (such as a name, jurisdiction, and website); and, +* The accepted value or values for each of the `subject:jurisdictionLocalityName` (OID: 1.3.6.1.4.1.311.60.2.1.1), `subject:jurisdictionStateOrProvinceName` (OID: 1.3.6.1.4.1.311.60.2.1.2), and `subject:jurisdictionCountryName` (OID: 1.3.6.1.4.1.311.60.2.1.3) fields, when a certificate is issued using information from that Incorporating Agency or Registration Agency, indicating the jurisdiction(s) that the Agency is appropriate for; and, +* The acceptable form or syntax of Registration Numbers used by the Incorporating Agency or Registration Agency, if the CA restricts such Numbers to an acceptable form or syntax; and, +* A revision history that includes a unique version number and date of publication for any additions, modifications, and/or removals from this list. + +The CA MUST document where to obtain this information within Section 3.2 of the CA's Certificate Policy and/or Certification Practice Statement. + +## 11.2. Verification of Applicant's Legal Existence and Identity + +### 11.2.1. Verification Requirements + +To verify the Applicant's legal existence and identity, the CA MUST do the following. + +1. **Private Organization Subjects** + + A. **Legal Existence**: Verify that the Applicant is a legally recognized entity, in existence and validly formed (e.g., incorporated) with the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration, and not designated on the records of the Incorporating or Registration Agency by labels such as "inactive", "invalid", "not current", or the equivalent. + B. 
**Organization Name**: Verify that the Applicant's formal legal name as recorded with the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration matches the Applicant's name in the EV Certificate Request. + C. **Registration Number**: Obtain the specific Registration Number assigned to the Applicant by the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration. Where the Incorporating or Registration Agency does not assign a Registration Number, the CA SHALL obtain the Applicant's date of Incorporation or Registration. + D. **Registered Agent**: Obtain the identity and address of the Applicant's Registered Agent or Registered Office (as applicable in the Applicant's Jurisdiction of Incorporation or Registration). + +2. **Government Entity Subjects** + + A. **Legal Existence**: Verify that the Applicant is a legally recognized Government Entity, in existence in the political subdivision in which such Government Entity operates. + B. **Entity Name**: Verify that the Applicant's formal legal name matches the Applicant's name in the EV Certificate Request. + C. **Registration Number**: The CA MUST attempt to obtain the Applicant's date of incorporation, registration, or formation, or the identifier for the legislative act that created the Government Entity. In circumstances where this information is not available, the CA MUST enter appropriate language to indicate that the Subject is a Government Entity. + +3. **Business Entity Subjects** + + A. **Legal Existence**: Verify that the Applicant is engaged in business under the name submitted by the Applicant in the Application. + B. **Organization Name**: Verify that the Applicant's formal legal name as recognized by the Registration Agency in the Applicant's Jurisdiction of Registration matches the Applicant's name in the EV Certificate Request. + C. 
**Registration Number**: Attempt to obtain the specific unique Registration Number assigned to the Applicant by the Registration Agency in the Applicant's Jurisdiction of Registration. Where the Registration Agency does not assign a Registration Number, the CA SHALL obtain the Applicant's date of Registration. + D. **Principal Individual**: Verify the identity of the identified Principal Individual. + +4. **Non-Commercial Entity Subjects (International Organizations)** + + A. **Legal Existence**: Verify that the Applicant is a legally recognized International Organization Entity. + B. **Entity Name**: Verify that the Applicant's formal legal name matches the Applicant's name in the EV Certificate Request. + C. **Registration Number**: The CA MUST attempt to obtain the Applicant's date of formation, or the identifier for the legislative act that created the International Organization Entity. In circumstances where this information is not available, the CA MUST enter appropriate language to indicate that the Subject is an International Organization Entity. + +### 11.2.2. Acceptable Method of Verification + +1. **Private Organization Subjects**: Unless verified under subsection (6), all items listed in [Section 11.2.1](#1121-verification-requirements) (1) MUST be verified directly with, or obtained directly from, the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration. Such verification MAY be through use of a Qualified Government Information Source operated by, or on behalf of, the Incorporating or Registration Agency, or by direct contact with the Incorporating or Registration Agency in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Incorporating or Registration Agency, or from a Qualified Independent Information Source. + +2. 
**Government Entity Subjects**: Unless verified under subsection (6), all items listed in [Section 11.2.1](#1121-verification-requirements) (2) MUST either be verified directly with, or obtained directly from, one of the following: + i. a Qualified Government Information Source in the political subdivision in which such Government Entity operates; + ii. a superior governing Government Entity in the same political subdivision as the Applicant (e.g. a Secretary of State may verify the legal existence of a specific State Department), or + iii. from a judge that is an active member of the federal, state or local judiciary within that political subdivision. + + Any communication from a judge SHALL be verified in the same manner as is used for verifying factual assertions that are asserted by an Attorney as set forth in [Section 11.11.1](#11111-verified-legal-opinion). + + Such verification MAY be by direct contact with the appropriate Government Entity in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained from a Qualified Independent Information Source. + +3. **Business Entity Subjects**: Unless verified under subsection (6), Items listed in [Section 11.2.1](#1121-verification-requirements) (3) (A) through (C) above, MUST be verified directly with, or obtained directly from, the Registration Agency in the Applicant's Jurisdiction of Registration. Such verification MAY be performed by means of a Qualified Government Information Source, a Qualified Governmental Tax Information Source, or by direct contact with the Registration Agency in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Qualified Governmental Tax Information Source or Registration Agency, or from a Qualified Independent Information Source. 
In addition, the CA MUST validate a Principal Individual associated with the Business Entity pursuant to the requirements in subsection (4), below. + +4. **Principal Individual**: A Principal Individual associated with the Business Entity MUST be validated in a face-to-face setting. The CA MAY rely upon a face-to-face validation of the Principal Individual performed by the Registration Agency, provided that the CA has evaluated the validation procedure and concluded that it satisfies the requirements of the Guidelines for face-to-face validation procedures. Where no face-to-face validation was conducted by the Registration Agency, or the Registration Agency's face-to-face validation procedure does not satisfy the requirements of the Guidelines, the CA SHALL perform face-to-face validation. + + A. **Face-To-Face Validation**: The face-to-face validation MUST be conducted before either an employee of the CA, a Latin Notary, a Notary (or equivalent in the Applicant's jurisdiction), a Lawyer, or Accountant (Third-Party Validator). The Principal Individual(s) MUST present the following documentation (Vetting Documents) directly to the Third-Party Validator: + + i. A Personal Statement that includes the following information: + + 1. Full name or names by which a person is, or has been, known (including all other names used); + 2. Residential Address at which he/she can be located; + 3. Date of birth; and + 4. An affirmation that all of the information contained in the Certificate Request is true and correct. + + ii. A current signed government-issued identification document that includes a photo of the Individual and is signed by the Individual such as: + + 1. A passport; + 2. A driver's license; + 3. A personal identification card; + 4. A concealed weapons permit; or + 5. A military ID. + + iii. At least two secondary documentary evidences to establish his/her identity that include the name of the Individual, one of which MUST be from a financial institution. + + 1. 
Acceptable financial institution documents include: + + a. A major credit card, provided that it contains an expiration date and it has not expired' + b. A debit card from a regulated financial institution, provided that it contains an expiration date and it has not expired, + c. A mortgage statement from a recognizable lender that is less than six months old, + d. A bank statement from a regulated financial institution that is less than six months old. + + 2. Acceptable non-financial documents include: + + a. Recent original utility bills or certificates from a utility company confirming the arrangement to pay for the services at a fixed address (not a mobile/cellular telephone bill), + b. A copy of a statement for payment of a lease, provided that the statement is dated within the past six months, + c. A certified copy of a birth certificate, + d. A local authority tax bill for the current year, + e. A certified copy of a court order, such as a divorce certificate, annulment papers, or adoption papers. + + The Third-Party Validator performing the face-to-face validation MUST: + + i. Attest to the signing of the Personal Statement and the identity of the signer; and + ii. Identify the original Vetting Documents used to perform the identification. In addition, the Third-Party Validator MUST attest on a copy of the current signed government-issued photo identification document that it is a full, true, and accurate reproduction of the original. + + B. **Verification of Third-Party Validator**: The CA MUST independently verify that the Third-Party Validator is a legally-qualified Latin Notary or Notary (or legal equivalent in the Applicant's jurisdiction), lawyer, or accountant in the jurisdiction of the Individual's residency, and that the Third-Party Validator actually did perform the services and did attest to the signature of the Individual. + + C. 
**Cross-checking of Information**: The CA MUST obtain the signed and attested Personal Statement together with the attested copy of the current signed government-issued photo identification document. The CA MUST review the documentation to determine that the information is consistent, matches the information in the application, and identifies the Individual. The CA MAY rely on electronic copies of this documentation, provided that: + + i. the CA confirms their authenticity (not improperly modified when compared with the underlying original) with the Third-Party Validator; and + ii. electronic copies of similar kinds of documents are recognized as legal substitutes for originals under the laws of the CA's jurisdiction. + +5. **Non-Commercial Entity Subjects (International Organization)**: Unless verified under subsection (6), all items listed in [Section 11.2.1](#1121-verification-requirements) (4) MUST be verified either: + + A. With reference to the constituent document under which the International Organization was formed; or + B. Directly with a signatory country's government in which the CA is permitted to do business. Such verification may be obtained from an appropriate government agency or from the laws of that country, or by verifying that the country's government has a mission to represent it at the International Organization; or + C. Directly against any current list of qualified entities that the CA/Browser Forum may maintain at www.cabforum.org. + D. In cases where the International Organization applying for the EV Certificate is an organ or agency - including a non-governmental organization of a verified International Organization, then the CA may verify the International Organization Applicant directly with the verified umbrella International Organization of which the Applicant is an organ or agency. + +6. The CA may rely on a Verified Professional Letter to establish the Applicant's information listed in (1)-(5) above if: + + i. 
the Verified Professional Letter includes a copy of supporting documentation used to establish the Applicant's legal existence, such as a certificate of registration, articles of incorporation, operating agreement, statute, or regulatory act, and + ii. the CA confirms the Applicant's organization name specified in the Verified Professional Letter with a QIIS or QGIS. + +## 11.3. Verification of Applicant's Legal Existence and Identity – Assumed Name + +### 11.3.1. Verification Requirements + +If, in addition to the Applicant's formal legal name, as recorded with the applicable Incorporating Agency or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration, the Applicant's identity, as asserted in the EV Certificate, is to contain any assumed name (also known as "doing business as", "DBA", or "d/b/a" in the US, and "trading as" in the UK) under which the Applicant conducts business, the CA MUST verify that: + + i. the Applicant has registered its use of the assumed name with the appropriate government agency for such filings in the jurisdiction of its Place of Business (as verified in accordance with these Guidelines), and + ii. that such filing continues to be valid. + +### 11.3.2. Acceptable Method of Verification + +To verify any assumed name under which the Applicant conducts business: + +1. The CA MAY verify the assumed name through use of a Qualified Government Information Source operated by, or on behalf of, an appropriate government agency in the jurisdiction of the Applicant's Place of Business, or by direct contact with such government agency in person or via mail, e-mail, Web address, or telephone; or +2. The CA MAY verify the assumed name through use of a Qualified Independent Information Source provided that the QIIS has verified the assumed name with the appropriate government agency. +3. 
The CA MAY rely on a Verified Professional Letter that indicates the assumed name under which the Applicant conducts business, the government agency with which the assumed name is registered, and that such filing continues to be valid. + +## 11.4. Verification of Applicant's Physical Existence + +### 11.4.1. Address of Applicant's Place of Business + +1. **Verification Requirements**: To verify the Applicant's physical existence and business presence, the CA MUST verify that the physical address provided by the Applicant is an address where the Applicant or a Parent/Subsidiary Company conducts business operations (not, for example, a mail drop or P.O. box, or 'care of' (C/O) address, such as an address for an agent of the Organization), and is the address of the Applicant's Place of Business. + +2. **Acceptable Methods of Verification** + + A. **Place of Business in the Country of Incorporation or Registration** + + i. For Applicants whose Place of Business is in the same country as the Applicant's Jurisdiction of Incorporation or Registration and whose Place of Business is NOT the same as that indicated in the relevant Qualified Government Information Source used in [Section 11.2](#112-verification-of-applicants-legal-existence-and-identity) to verify legal existence: + + 1. For Applicants listed at the same Place of Business address in the current version of either at least one QGIS (other than that used to verify legal existence), QIIS or QTIS, the CA MUST confirm that the Applicant's address, as listed in the EV Certificate Request, is a valid business address for the Applicant or a Parent/Subsidiary Company by reference to such QGIS, QIIS, or QTIS, and MAY rely on the Applicant's representation that such address is its Place of Business; + + 2. 
For Applicants who are not listed at the same Place of Business address in the current version of either at least one QIIS or QTIS, the CA MUST confirm that the address provided by the Applicant in the EV Certificate Request is the Applicant's or a Parent/Subsidiary Company's business address, by obtaining documentation of a site visit to the business address, which MUST be performed by a reliable individual or firm. The documentation of the site visit MUST: + + a. Verify that the Applicant's business is located at the exact address stated in the EV Certificate Request (e.g., via permanent signage, employee confirmation, etc.), + b. Identify the type of facility (e.g., office in a commercial building, private residence, storefront, etc.) and whether it appears to be a permanent business location, + c. Indicate whether there is a permanent sign (that cannot be moved) that identifies the Applicant, + d. Indicate whether there is evidence that the Applicant is conducting ongoing business activities at the site (not that it is just, for example, a mail drop, P.O. box, etc.), and + e. Include one or more photos of + i. the exterior of the site (showing signage indicating the Applicant's name, if present, and showing the street address if possible), and + ii. the interior reception area or workspace. + + ii. For all Applicants, the CA MAY alternatively rely on a Verified Professional Letter that indicates the address of the Applicant's or a Parent/Subsidiary Company's Place of Business and that business operations are conducted there. + iii. For Government Entity Applicants, the CA MAY rely on the address contained in the records of the QGIS in the Applicant's jurisdiction. + iv. 
For Applicants whose Place of Business is in the same country as the Applicant's Jurisdiction of Incorporation or Registration and where the QGIS used in [Section 11.2](#112-verification-of-applicants-legal-existence-and-identity) to verify legal existence contains a business address for the Applicant, the CA MAY rely on the address in the QGIS to confirm the Applicant's or a Parent/Subsidiary Company's address as listed in the EV Certificate Request, and MAY rely on the Applicant's representation that such address is its Place of Business. + + B. **Place of Business not in the Country of Incorporation or Registration**: The CA MUST rely on a Verified Professional Letter that indicates the address of the Applicant's Place of Business and that business operations are conducted there. + +## 11.5. Verified Method of Communication + +### 11.5.1. Verification Requirements + +To assist in communicating with the Applicant and confirming that the Applicant is aware of and approves issuance, the CA MUST verify a telephone number, fax number, email address, or postal delivery address as a Verified Method of Communication with the Applicant. + +### 11.5.2. Acceptable Methods of Verification + +To verify a Verified Method of Communication with the Applicant, the CA MUST: + +A. Verify that the Verified Method of Communication belongs to the Applicant, or a Parent/Subsidiary or Affiliate of the Applicant, by matching it with one of the Applicant's Parent/Subsidiary or Affiliate's Places of Business in: + + i. records provided by the applicable phone company; + ii. a QGIS, QTIS, or QIIS; or + iii. a Verified Professional Letter; and + +B. Confirm the Verified Method of Communication by using it to obtain an affirmative response sufficient to enable a reasonable person to conclude that the Applicant, or a Parent/Subsidiary or Affiliate of Applicant, can be contacted reliably by using the Verified Method of Communication. + +## 11.6. 
Verification of Applicant's Operational Existence + +### 11.6.1. Verification Requirements + +The CA MUST verify that the Applicant has the ability to engage in business by verifying the Applicant's, or Affiliate/Parent/Subsidiary Company's, operational existence. The CA MAY rely on its verification of a Government Entity's legal existence under [Section 11.2](#112-verification-of-applicants-legal-existence-and-identity) as verification of a Government Entity's operational existence. + +### 11.6.2. Acceptable Methods of Verification + +To verify the Applicant's ability to engage in business, the CA MUST verify the operational existence of the Applicant, or its Affiliate/Parent/Subsidiary Company, by: + +1. Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company has been in existence for at least three years, as indicated by the records of an Incorporating Agency or Registration Agency; + +2. Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company is listed in either a current QIIS or QTIS; + +3. Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company has an active current Demand Deposit Account with a Regulated Financial Institution by receiving authenticated documentation of the Applicant's, Affiliate's, Parent Company's, or Subsidiary Company's Demand Deposit Account directly from a Regulated Financial Institution; or + +4. Relying on a Verified Professional Letter to the effect that the Applicant has an active current Demand Deposit Account with a Regulated Financial Institution. + +## 11.7. Verification of Applicant's Domain Name + +### 11.7.1. Verification Requirements + +1. 
For each Fully-Qualified Domain Name listed in a Certificate which is not an Onion Domain Name, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant (or the Applicant's Parent Company, Subsidiary Company, or Affiliate, collectively referred to as "Applicant" for the purposes of this section) either is the Domain Name Registrant or has control over the FQDN using a procedure specified in Section 3.2.2.4 of the Baseline Requirements. For a Certificate issued to an Onion Domain Name, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant's control over the Onion Domain Name in accordance with Appendix B of the Baseline Requirements. + +2. **Mixed Character Set Domain Names**: EV Certificates MAY include Domain Names containing mixed character sets only in compliance with the rules set forth by the domain registrar. The CA MUST visually compare any Domain Names with mixed character sets with known high risk domains. If a similarity is found, then the EV Certificate Request MUST be flagged as High Risk. The CA must perform reasonably appropriate additional authentication and verification to be certain beyond reasonable doubt that the Applicant and the target in question are the same organization. + +## 11.8. Verification of Name, Title, and Authority of Contract Signer and Certificate Approver + +### 11.8.1. Verification Requirements + +For both the Contract Signer and the Certificate Approver, the CA MUST verify the following. + +1. **Name, Title and Agency**: The CA MUST verify the name and title of the Contract Signer and the Certificate Approver, as applicable. The CA MUST also verify that the Contract Signer and the Certificate Approver are agents representing the Applicant. +2. 
**Signing Authority of Contract Signer**: The CA MUST verify that the Contract Signer is authorized by the Applicant to enter into the Subscriber Agreement (and any other relevant contractual obligations) on behalf of the Applicant, including a contract that designates one or more Certificate Approvers on behalf of the Applicant. +3. **EV Authority of Certificate Approver**: The CA MUST verify, through a source other than the Certificate Approver him- or herself, that the Certificate Approver is expressly authorized by the Applicant to do the following, as of the date of the EV Certificate Request: + + A. Submit, and, if applicable, authorize a Certificate Requester to submit, the EV Certificate Request on behalf of the Applicant; and + B. Provide, and, if applicable, authorize a Certificate Requester to provide, the information requested from the Applicant by the CA for issuance of the EV Certificate; and + C. Approve EV Certificate Requests submitted by a Certificate Requester. + +### 11.8.2. Acceptable Methods of Verification – Name, Title and Agency + +Acceptable methods of verification of the name, title, and agency status of the Contract Signer and the Certificate Approver include the following. + +1. **Name and Title**: The CA MAY verify the name and title of the Contract Signer and the Certificate Approver by any appropriate method designed to provide reasonable assurance that a person claiming to act in such a role is in fact the named person designated to act in such role. + +2. **Agency**: The CA MAY verify the agency of the Contract Signer and the Certificate Approver by: + + A. Contacting the Applicant using a Verified Method of Communication for the Applicant, and obtaining confirmation that the Contract Signer and/or the Certificate Approver, as applicable, is an employee; + B. 
Obtaining an Independent Confirmation From the Applicant (as described in [Section 11.11.4](#11114-independent-confirmation-from-applicant)), or a Verified Professional Letter verifying that the Contract Signer and/or the Certificate Approver, as applicable, is either an employee or has otherwise been appointed as an agent of the Applicant; or + C. Obtaining confirmation from a QIIS or QGIS that the Contract Signer and/or Certificate Approver is an employee of the Applicant. + + The CA MAY also verify the agency of the Certificate Approver via a certification from the Contract Signer (including in a contract between the CA and the Applicant signed by the Contract Signer), provided that the employment or agency status and Signing Authority of the Contract Signer has been verified. + +### 11.8.3. Acceptable Methods of Verification – Authority + +Acceptable methods of verification of the Signing Authority of the Contract Signer, and the EV Authority of the Certificate Approver, as applicable, include: + +1. **Verified Professional Letter**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by reliance on a Verified Professional Letter; +2. **Corporate Resolution**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by reliance on a properly authenticated corporate resolution that confirms that the person has been granted such Signing Authority, provided that such resolution is + + i. certified by the appropriate corporate officer (e.g., secretary), and + ii. the CA can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification; + +3. 
**Independent Confirmation from Applicant**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by obtaining an Independent Confirmation from the Applicant (as described in [Section 11.11.4](#11114-independent-confirmation-from-applicant)); +4. **Contract between CA and Applicant**: The EV Authority of the Certificate Approver MAY be verified by reliance on a contract between the CA and the Applicant that designates the Certificate Approver with such EV Authority, provided that the contract is signed by the Contract Signer and provided that the agency and Signing Authority of the Contract Signer have been verified; +5. **Prior Equivalent Authority**: The signing authority of the Contract Signer, and/or the EV authority of the Certificate Approver, MAY be verified by relying on a demonstration of Prior Equivalent Authority. + + A. Prior Equivalent Authority of a Contract Signer MAY be relied upon for confirmation or verification of the signing authority of the Contract Signer when the Contract Signer has executed a binding contract between the CA and the Applicant with a legally valid and enforceable seal or handwritten signature and only when the contract was executed more than 90 days prior to the EV Certificate application. The CA MUST record sufficient details of the previous agreement to correctly identify it and associate it with the EV application. Such details MAY include any of the following: + + i. Agreement title, + ii. Date of Contract Signer's signature, + iii. Contract reference number, and + iv. Filing location. + + B. Prior Equivalent Authority of a Certificate Approver MAY be relied upon for confirmation or verification of the EV Authority of the Certificate Approver when the Certificate Approver has performed one or more of the following: + + i. Under contract to the CA, has served (or is serving) as an Enterprise RA for the Applicant, or + ii. 
Has participated in the approval of one or more certificate requests, for certificates issued by the CA and which are currently and verifiably in use by the Applicant. In this case the CA MUST have contacted the Certificate Approver by phone at a previously validated phone number or have accepted a signed and notarized letter approving the certificate request. + +6. **QIIS or QGIS**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by a QIIS or QGIS that identifies the Contract Signer and/or the Certificate Approver as a corporate officer, sole proprietor, or other senior official of the Applicant. + +7. **Contract Signer's Representation/Warranty**: Provided that the CA verifies that the Contract Signer is an employee or agent of the Applicant, the CA MAY rely on the signing authority of the Contract Signer by obtaining a duly executed representation or warranty from the Contract Signer that includes the following acknowledgments: + + A. That the Applicant authorizes the Contract Signer to sign the Subscriber Agreement on the Applicant's behalf, + B. That the Subscriber Agreement is a legally valid and enforceable agreement, + C. That, upon execution of the Subscriber Agreement, the Applicant will be bound by all of its terms and conditions, + D. That serious consequences attach to the misuse of an EV certificate, and + E. The contract signer has the authority to obtain the digital equivalent of a corporate seal, stamp or officer's signature to establish the authenticity of the company's Web site. + +Note: An example of an acceptable representation/warranty appears in [Appendix E](#appendix-e---sample-contract-signers-representationwarranty-informative). + +### 11.8.4. Pre-Authorized Certificate Approver + +Where the CA and Applicant contemplate the submission of multiple future EV Certificate Requests, then, after the CA: + +1. 
Has verified the name and title of the Contract Signer and that he/she is an employee or agent of the Applicant; and + +2. Has verified the Signing Authority of such Contract Signer in accordance with one of the procedures in [Section 11.8.3](#1183-acceptable-methods-of-verification--authority). + +The CA and the Applicant MAY enter into a written agreement, signed by the Contract Signer on behalf of the Applicant, whereby, for a specified term, the Applicant expressly authorizes one or more Certificate Approver(s) designated in such agreement to exercise EV Authority with respect to each future EV Certificate Request submitted on behalf of the Applicant and properly authenticated as originating with, or otherwise being approved by, such Certificate Approver(s). + +Such an agreement MUST provide that the Applicant shall be obligated under the Subscriber Agreement for all EV Certificates issued at the request of, or approved by, such Certificate Approver(s) until such EV Authority is revoked, and MUST include mutually agreed-upon provisions for: + + i. authenticating the Certificate Approver when EV Certificate Requests are approved, + ii. periodic re-confirmation of the EV Authority of the Certificate Approver, + iii. secure procedures by which the Applicant can notify the CA that the EV Authority of any such Certificate Approver is revoked, and + iv. such other appropriate precautions as are reasonably necessary. + +## 11.9. Verification of Signature on Subscriber Agreement and EV Certificate Requests + +Both the Subscriber Agreement and each non-pre-authorized EV Certificate Request MUST be signed. The Subscriber Agreement MUST be signed by an authorized Contract Signer. The EV Certificate Request MUST be signed by the Certificate Requester submitting the document, unless the Certificate Request has been pre-authorized in line with [Section 11.8.4](#1184-pre-authorized-certificate-approver). 
If the Certificate Requester is not also an authorized Certificate Approver, then an authorized Certificate Approver MUST independently approve the EV Certificate Request. In all cases, applicable signatures MUST be a legally valid and contain an enforceable seal or handwritten signature (for a paper Subscriber Agreement and/or EV Certificate Request), or a legally valid and enforceable electronic signature (for an electronic Subscriber Agreement and/or EV Certificate Request), that binds the Applicant to the terms of each respective document. + +### 11.9.1. Verification Requirements + +1. **Signature**: The CA MUST authenticate the signature of the Contract Signer on the Subscriber Agreement and the signature of the Certificate Requester on each EV Certificate Request in a manner that makes it reasonably certain that the person named as the signer in the applicable document is, in fact, the person who signed the document on behalf of the Applicant. + +2. **Approval Alternative**: In cases where an EV Certificate Request is signed and submitted by a Certificate Requester who does not also function as a Certificate Approver, approval and adoption of the EV Certificate Request by a Certificate Approver in accordance with the requirements of [Section 11.10](#1110-verification-of-approval-of-ev-certificate-request) can substitute for authentication of the signature of the Certificate Requester on such EV Certificate Request. + +### 11.9.2. Acceptable Methods of Signature Verification + +Acceptable methods of authenticating the signature of the Certificate Requester or Contract Signer include the following: + +1. Contacting the Applicant using a Verified Method of Communication for the Applicant, for the attention of the Certificate Requester or Contract Signer, as applicable, followed by a response from someone who identifies themselves as such person confirming that he/she did sign the applicable document on behalf of the Applicant; + +2. 
A letter mailed to the Applicant's or Agent's address, as verified through independent means in accordance with these Guidelines, for the attention of the Certificate Requester or Contract Signer, as applicable, followed by a response through a Verified Method of Communication from someone who identifies themselves as such person confirming that he/she did sign the applicable document on behalf of the Applicant; + +3. Use of a signature process that establishes the name and title of the signer in a secure manner, such as through use of an appropriately secure login process that identifies the signer before signing, or through use of a digital signature made with reference to an appropriately verified certificate; or + +4. Notarization by a notary, provided that the CA independently verifies that such notary is a legally qualified notary in the jurisdiction of the Certificate Requester or Contract Signer. + +## 11.10. Verification of Approval of EV Certificate Request + +### 11.10.1. Verification Requirements + +In cases where an EV Certificate Request is submitted by a Certificate Requester, before the CA issues the requested EV Certificate, the CA MUST verify that an authorized Certificate Approver reviewed and approved the EV Certificate Request. + +### 11.10.2. Acceptable Methods of Verification + +Acceptable methods of verifying the Certificate Approver's approval of an EV Certificate Request include: + +1. Contacting the Certificate Approver using a Verified Method of Communication for the Applicant and obtaining oral or written confirmation that the Certificate Approver has reviewed and approved the EV Certificate Request; +2. Notifying the Certificate Approver that one or more new EV Certificate Requests are available for review and approval at a designated access-controlled and secure Web site, followed by a login by, and an indication of approval from, the Certificate Approver in the manner required by the Web site; or +3. 
Verifying the signature of the Certificate Approver on the EV Certificate Request in accordance with [Section 11.9](#119-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests). + +## 11.11. Verification of Certain Information Sources + +### 11.11.1. Verified Legal Opinion + +1. **Verification Requirements**: Before relying on a legal opinion submitted to the CA, the CA MUST verify that such legal opinion meets the following requirements: + + A. **Status of Author**: The CA MUST verify that the legal opinion is authored by an independent legal practitioner retained by and representing the Applicant (or an in-house legal practitioner employed by the Applicant) (Legal Practitioner) who is either: + + i. A lawyer (or solicitor, barrister, advocate, or equivalent) licensed to practice law in the country of the Applicant's Jurisdiction of Incorporation or Registration or any jurisdiction where the Applicant maintains an office or physical facility, or + ii. A Latin Notary who is currently commissioned or licensed to practice in the country of the Applicant's Jurisdiction of Incorporation or Registration or any jurisdiction where the Applicant maintains an office or physical facility (and that such jurisdiction recognizes the role of the Latin Notary); + + B. **Basis of Opinion**: The CA MUST verify that the Legal Practitioner is acting on behalf of the Applicant and that the conclusions of the Verified Legal Opinion are based on the Legal Practitioner's stated familiarity with the relevant facts and the exercise of the Legal Practitioner's professional judgment and expertise; + C. **Authenticity**: The CA MUST confirm the authenticity of the Verified Legal Opinion. + +2. **Acceptable Methods of Verification**: Acceptable methods of establishing the foregoing requirements for a Verified Legal Opinion are: + + A. 
**Status of Author**: The CA MUST verify the professional status of the author of the legal opinion by directly contacting the authority responsible for registering or licensing such Legal Practitioner(s) in the applicable jurisdiction; + B. **Basis of Opinion**: The text of the legal opinion MUST make it clear that the Legal Practitioner is acting on behalf of the Applicant and that the conclusions of the legal opinion are based on the Legal Practitioner's stated familiarity with the relevant facts and the exercise of the practitioner's professional judgment and expertise. The legal opinion MAY also include disclaimers and other limitations customary in the Legal Practitioner's jurisdiction, provided that the scope of the disclaimed responsibility is not so great as to eliminate any substantial risk (financial, professional, and/or reputational) to the Legal Practitioner, should the legal opinion prove to be erroneous. An acceptable form of legal opinion is attached as [Appendix B](#appendix-b---sample-attorney-opinions-confirming-specified-information); + C. **Authenticity**: To confirm the authenticity of the legal opinion, the CA MUST make a telephone call or send a copy of the legal opinion back to the Legal Practitioner at the address, phone number, facsimile, or (if available) e-mail address for the Legal Practitioner listed with the authority responsible for registering or licensing such Legal Practitioner, and obtain confirmation from the Legal Practitioner or the Legal Practitioner's assistant that the legal opinion is authentic. If a phone number is not available from the licensing authority, the CA MAY use the number listed for the Legal Practitioner in records provided by the applicable phone company, QGIS, or QIIS. 
+ + In circumstances where the opinion is digitally signed, in a manner that confirms the authenticity of the document and the identity of the signer, as verified by the CA in [Section 11.11.1](#11111-verified-legal-opinion) (2)(A), no further verification of authenticity is required. + +### 11.11.2. Verified Accountant Letter + +1. **Verification Requirements**: Before relying on an accountant letter submitted to the CA, the CA MUST verify that such accountant letter meets the following requirements: + + A. **Status of Author**: The CA MUST verify that the accountant letter is authored by an Accounting Practitioner retained or employed by the Applicant and licensed within the country of the Applicant's Jurisdiction of Incorporation, Jurisdiction of Registration, or country where the Applicant maintains an office or physical facility. Verification of license MUST be through the member organization or regulatory organization in the Accounting Practitioner's country or jurisdiction that is appropriate to contact when verifying an accountant's license to practice in that country or jurisdiction. Such country or jurisdiction must have an accounting standards body that maintains full membership status with the International Federation of Accountants. + B. **Basis of Opinion**: The CA MUST verify that the Accounting Practitioner is acting on behalf of the Applicant and that the conclusions of the Verified Accountant Letter are based on the Accounting Practitioner's stated familiarity with the relevant facts and the exercise of the Accounting Practitioner's professional judgment and expertise; + C. **Authenticity**: The CA MUST confirm the authenticity of the Verified Accountant Letter. + +2. **Acceptable Methods of Verification**: Acceptable methods of establishing the foregoing requirements for a Verified Accountant Letter are listed here. + + A. 
**Status of Author**: The CA MUST verify the professional status of the author of the accountant letter by directly contacting the authority responsible for registering or licensing such Accounting Practitioners in the applicable jurisdiction. + B. **Basis of Opinion**: The text of the Verified Accountant Letter MUST make clear that the Accounting Practitioner is acting on behalf of the Applicant and that the information in the letter is based on the Accounting Practitioner's stated familiarity with the relevant facts and the exercise of the practitioner's professional judgment and expertise. The Verified Accountant Letter MAY also include disclaimers and other limitations customary in the Accounting Practitioner's jurisdiction, provided that the scope of the disclaimed responsibility is not so great as to eliminate any substantial risk (financial, professional, and/or reputational) to the Accounting Practitioner, should the Verified Accountant Letter prove to be erroneous. Acceptable forms of Verified Accountant Letter are attached as [Appendix C](#appendix-c---sample-accountant-letters-confirming-specified-information). + C. **Authenticity**: To confirm the authenticity of the accountant's opinion, the CA MUST make a telephone call or send a copy of the Verified Accountant Letter back to the Accounting Practitioner at the address, phone number, facsimile, or (if available) e-mail address for the Accounting Practitioner listed with the authority responsible for registering or licensing such Accounting Practitioners and obtain confirmation from the Accounting Practitioner or the Accounting Practitioner's assistant that the accountant letter is authentic. If a phone number is not available from the licensing authority, the CA MAY use the number listed for the Accountant in records provided by the applicable phone company, QGIS, or QIIS. 
+ + In circumstances where the opinion is digitally signed, in a manner that confirms the authenticity of the document and the identity of the signer, as verified by the CA in [Section 11.11.2](#11112-verified-accountant-letter) (2)(A), no further verification of authenticity is required. + +### 11.11.3. Face-to-Face Validation + +1. **Verification Requirements**: Before relying on face-to-face vetting documents submitted to the CA, the CA MUST verify that the Third-Party Validator meets the following requirements: + + A. **Qualification of Third-Party Validator**: The CA MUST independently verify that the Third-Party Validator is a legally-qualified Latin Notary or Notary (or legal equivalent in the Applicant's jurisdiction), Lawyer, or Accountant in the jurisdiction of the individual's residency; + B. **Document Chain of Custody**: The CA MUST verify that the Third-Party Validator viewed the Vetting Documents in a face-to-face meeting with the individual being validated; + C. **Verification of Attestation**: If the Third-Party Validator is not a Latin Notary, then the CA MUST confirm the authenticity of the attestation and vetting documents. + +2. **Acceptable Methods of Verification**: Acceptable methods of establishing the foregoing requirements for vetting documents are: + + A. **Qualification of Third-Party Validator**: The CA MUST verify the professional status of the Third-Party Validator by directly contacting the authority responsible for registering or licensing such Third-Party Validators in the applicable jurisdiction; + B. **Document Chain of Custody**: The Third-Party Validator MUST submit a statement to the CA which attests that they obtained the Vetting Documents submitted to the CA for the individual during a face-to-face meeting with the individual; + C. **Verification of Attestation**: If the Third-Party Validator is not a Latin Notary, then the CA MUST confirm the authenticity of the vetting documents received from the Third-Party Validator. 
The CA MUST make a telephone call to the Third-Party Validator and obtain confirmation from them or their assistant that they performed the face-to-face validation. The CA MAY rely upon self-reported information obtained from the Third-Party Validator for the sole purpose of performing this verification process. In circumstances where the attestation is digitally signed, in a manner that confirms the authenticity of the documents, and the identity of the signer as verified by the CA in [Section 11.11.3](#11113-face-to-face-validation) (1)(A), no further verification of authenticity is required. + +### 11.11.4. Independent Confirmation From Applicant + +An Independent Confirmation from the Applicant is a confirmation of a particular fact (e.g., confirmation of the employee or agency status of a Contract Signer or Certificate Approver, confirmation of the EV Authority of a Certificate Approver, etc.) that is: + +A. Received by the CA from a Confirming Person (someone other than the person who is the subject of the inquiry) that has the appropriate authority to confirm such a fact, and who represents that he/she has confirmed such fact; +B. Received by the CA in a manner that authenticates and verifies the source of the confirmation; and +C. Binding on the Applicant. + +An Independent Confirmation from the Applicant MAY be obtained via the following procedure: + +1. **Confirmation Request**: The CA MUST initiate a Confirmation Request via an appropriate out-of-band communication, requesting verification or confirmation of the particular fact at issue as follows: + + A. **Addressee**: The Confirmation Request MUST be directed to: + + i. A position within the Applicant's organization that qualifies as a Confirming Person (e.g., Secretary, President, CEO, CFO, COO, CIO, CSO, Director, etc.) 
and is identified by name and title in a current QGIS, QIIS, QTIS, Verified Legal Opinion, Verified Accountant Letter, or by contacting the Applicant using a Verified Method of Communication; or + ii. The Applicant's Registered Agent or Registered Office in the Jurisdiction of Incorporation as listed in the official records of the Incorporating Agency, with instructions that it be forwarded to an appropriate Confirming Person; or + iii. A named individual verified to be in the direct line of management above the Contract Signer or Certificate Approver by contacting the Applicant's Human Resources Department by phone or mail (at the phone number or address for the Applicant's Place of Business, verified in accordance with these Guidelines). + + B. **Means of Communication**: The Confirmation Request MUST be directed to the Confirming Person in a manner reasonably likely to reach such person. The following options are acceptable: + + i. By paper mail addressed to the Confirming Person at: + + 1. The address of the Applicant's Place of Business as verified by the CA in accordance with these Guidelines, or + 2. The business address for such Confirming Person specified in a current QGIS, QTIS, QIIS, Verified Professional Letter, or + 3. The address of the Applicant's Registered Agent or Registered Office listed in the official records of the Jurisdiction of Incorporation, or + + ii. By e-mail addressed to the Confirming Person at the business e-mail address for such person listed in a current QGIS, QTIS, QIIS, Verified Legal Opinion, or Verified Accountant Letter; or + iii. By telephone call to the Confirming Person, where such person is contacted by calling the main phone number of the Applicant's Place of Business (verified in accordance with these Guidelines) and asking to speak to such person, and a person taking the call identifies him- or herself as such person; or + iv. By facsimile to the Confirming Person at the Place of Business. 
The facsimile number must be listed in a current QGIS, QTIS, QIIS, Verified Legal Opinion, or Verified Accountant Letter. The cover page must be clearly addressed to the Confirming Person. + +2. **Confirmation Response**: The CA MUST receive a response to the Confirmation Request from a Confirming Person that confirms the particular fact at issue. Such response MAY be provided to the CA by telephone, by e-mail, or by paper mail, so long as the CA can reliably verify that it was provided by a Confirming Person in response to the Confirmation Request. + +3. The CA MAY rely on a verified Confirming Person to confirm their own contact information: email address, telephone number, and facsimile number. The CA MAY rely on this verified contact information for future correspondence with the Confirming Person if: + + A. The domain of the e-mail address is owned by the Applicant and is the Confirming Person's own e-mail address and not a group e-mail alias; + B. The Confirming Person's telephone/fax number is verified by the CA to be a telephone number that is part of the organization's telephone system, and is not the personal phone number for the person. + +### 11.11.5. Qualified Independent Information Source + +A Qualified Independent Information Source (QIIS) is a regularly-updated and publicly available database that is generally recognized as a dependable source for certain information. A database qualifies as a QIIS if the CA determines that: + +1. Industries other than the certificate industry rely on the database for accurate location, contact, or other information; and + +2. The database provider updates its data on at least an annual basis. + +The CA SHALL use a documented process to check the accuracy of the database and ensure its data is acceptable, including reviewing the database provider's terms of use. The CA SHALL NOT use any data in a QIIS that the CA knows is + + i. self-reported and + ii. not verified by the QIIS as accurate. 
+ +Databases in which the CA or its owners or affiliated companies maintain a controlling interest, or in which any Registration Authorities or subcontractors to whom the CA has outsourced any portion of the vetting process (or their owners or affiliated companies) maintain any ownership or beneficial interest, do not qualify as a QIIS. + +### 11.11.6. Qualified Government Information Source + +A Qualified Government Information Source (QGIS) is a regularly-updated and current, publicly available, database designed for the purpose of accurately providing the information for which it is consulted, and which is generally recognized as a dependable source of such information provided that it is maintained by a Government Entity, the reporting of data is required by law, and false or misleading reporting is punishable with criminal or civil penalties. Nothing in these Guidelines shall prohibit the use of third-party vendors to obtain the information from the Government Entity provided that the third party obtains the information directly from the Government Entity. + +### 11.11.7. Qualified Government Tax Information Source + +A Qualified Government Tax Information Source is a Qualified Government Information Source that specifically contains tax information relating to Private Organizations, Business Entities or Individuals (e.g., the IRS in the United States). + +## 11.12. Other Verification Requirements + +### 11.12.1. High Risk Status + +The High Risk Certificate requirements of Section 4.2.1 of the Baseline Requirements apply equally to EV Certificates. + +### 11.12.2. Denied Lists and Other Legal Block Lists + +1. **Verification Requirements**: The CA MUST verify whether the Applicant, the Contract Signer, the Certificate Approver, the Applicant's Jurisdiction of Incorporation, Registration, or Place of Business: + + A. 
Is identified on any government denied list, list of prohibited persons, or other list that prohibits doing business with such organization or person under the laws of the country of the CA's jurisdiction(s) of operation; or + B. Has its Jurisdiction of Incorporation, Registration, or Place of Business in any country with which the laws of the CA's jurisdiction prohibit doing business. + + The CA MUST NOT issue any EV Certificate to the Applicant if either the Applicant, the Contract Signer, or Certificate Approver or if the Applicant's Jurisdiction of Incorporation or Registration or Place of Business is on any such list. + +2. **Acceptable Methods of Verification** The CA MUST take reasonable steps to verify with the following lists and regulations: + + A. If the CA has operations in the U.S., the CA MUST take reasonable steps to verify with the following US Government denied lists and regulations: + + i. BIS Denied Persons List - [https://www.bis.doc.gov/index.php/the-denied-persons-list](https://www.bis.doc.gov/index.php/the-denied-persons-list) + ii. BIS Denied Entities List - [https://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern/entity-list](https://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern/entity-list) + iii. US Treasury Department List of Specially Designated Nationals and Blocked Persons - [https://www.treasury.gov/resource-center/sanctions/sdn-list/pages/default.aspx](https://www.treasury.gov/resource-center/sanctions/sdn-list/pages/default.aspx) + iv. US Government export regulations + + B. If the CA has operations in any other country, the CA MUST take reasonable steps to verify with all equivalent denied lists and export regulations (if any) in such other country. + +### 11.12.3. 
Parent/Subsidiary/Affiliate Relationship + +A CA verifying an Applicant using information of the Applicant's Parent, Subsidiary, or Affiliate, when allowed under [Section 11.4.1](#1141-address-of-applicants-place-of-business), [Section 11.5](#115-verified-method-of-communication), [Section 11.6.1](#1161-verification-requirements), or [Section 11.7.1](#1171-verification-requirements), MUST verify the Applicant's relationship to the Parent, Subsidiary, or Affiliate. Acceptable methods of verifying the Applicant's relationship to the Parent, Subsidiary, or Affiliate include the following: + +1. QIIS or QGIS: The relationship between the Applicant and the Parent, Subsidiary, or Affiliate is identified in a QIIS or QGIS; +2. Independent Confirmation from the Parent, Subsidiary, or Affiliate: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by obtaining an Independent Confirmation from the appropriate Parent, Subsidiary, or Affiliate (as described in [Section 11.11.4](#11114-independent-confirmation-from-applicant)); +3. Contract between CA and Parent, Subsidiary, or Affiliate: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by relying on a contract between the CA and the Parent, Subsidiary, or Affiliate that designates the Certificate Approver with such EV Authority, provided that the contract is signed by the Contract Signer and provided that the agency and Signing Authority of the Contract Signer have been verified; +4. Verified Professional Letter: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by relying on a Verified Professional Letter; or +5. Corporate Resolution: A CA MAY verify the relationship between an Applicant and a Subsidiary by relying on a properly authenticated corporate resolution that approves creation of the Subsidiary or the Applicant, provided that such resolution is: + + i. 
certified by the appropriate corporate officer (e.g., secretary), and + ii. the CA can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification. + +## 11.13. Final Cross-Correlation and Due Diligence + +1. The results of the verification processes and procedures outlined in these Guidelines are intended to be viewed both individually and as a group. Thus, after all of the verification processes and procedures are completed, the CA MUST have a person who is not responsible for the collection of information review all of the information and documentation assembled in support of the EV Certificate application and look for discrepancies or other details requiring further explanation. +2. The CA MUST obtain and document further explanation or clarification from the Applicant, Certificate Approver, Certificate Requester, Qualified Independent Information Sources, and/or other sources of information, as necessary, to resolve those discrepancies or details that require further explanation. +3. The CA MUST refrain from issuing an EV Certificate until the entire corpus of information and documentation assembled in support of the EV Certificate Request is such that issuance of the EV Certificate will not communicate factual information that the CA knows, or the exercise of due diligence should discover from the assembled information and documentation, to be inaccurate,. If satisfactory explanation and/or additional documentation are not received within a reasonable time, the CA MUST decline the EV Certificate Request and SHOULD notify the Applicant accordingly. +4. 
In the case where some or all of the documentation used to support the application is in a language other than the CA's normal operating language, the CA or its Affiliate MUST perform the requirements of this Final Cross-Correlation and Due Diligence section using employees under its control and having appropriate training, experience, and judgment in confirming organizational identification and authorization and fulfilling all qualification requirements contained in [Section 14.1](#141-trustworthiness-and-competence). When employees under the control of the CA do not possess the language skills necessary to perform the Final Cross-Correlation and Due Diligence a CA MAY: + + A. Rely on language translations of the relevant portions of the documentation, provided that the translations are received from a Translator; or + B. When the CA has utilized the services of an RA, the CA MAY rely on the language skills of the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with [Section 11.13](#1113-final-cross-correlation-and-due-diligence), Subsections (1), (2) and (3). Notwithstanding the foregoing, prior to issuing the EV Certificate, the CA MUST review the work completed by the RA and determine that all requirements have been met; or + C. When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 17.5](#175-regular-self-audits) and [Section 17.6](#176-auditor-qualification). + +In the case of EV Certificates to be issued in compliance with the requirements of [Section 14.2](#142-delegation-of-functions-to-registration-authorities-and-subcontractors), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. + +## 11.14. 
Requirements for Re-use of Existing Documentation + +For each EV Certificate Request, including requests to renew existing EV Certificates, the CA MUST perform all authentication and verification tasks required by these Guidelines to ensure that the request is properly authorized by the Applicant and that the information in the EV Certificate is still accurate and valid. This section sets forth the age limitations on for the use of documentation collected by the CA. + +### 11.14.1. Validation For Existing Subscribers + +If an Applicant has a currently valid EV Certificate issued by the CA, a CA MAY rely on its prior authentication and verification of: + +1. The Principal Individual verified under [Section 11.2.2](#1122-acceptable-method-of-verification) (4) if the individual is the same person as verified by the CA in connection with the Applicant's previously issued and currently valid EV Certificate; +2. The Applicant's Place of Business under [Section 11.4.1](#1141-address-of-applicants-place-of-business); +3. The Applicant's Verified Method of Communication required by [Section 11.5](#115-verified-method-of-communication) but still MUST perform the verification required by [Section 11.5.2](#1152-acceptable-methods-of-verification) (B); +4. The Applicant's Operational Existence under [Section 11.6](#116-verification-of-applicants-operational-existence); +5. The Name, Title, Agency and Authority of the Contract Signer, and Certificate Approver, under [Section 11.8](#118-verification-of-name-title-and-authority-of-contract-signer-and-certificate-approver); and +6. The Applicant's right to use the specified Domain Name under [Section 11.7](#117-verification-of-applicants-domain-name), provided that the CA verifies that the WHOIS record still shows the same registrant as when the CA verified the specified Domain Name for the initial EV Certificate. + +### 11.14.2. 
Re-issuance Requests + +A CA may rely on a previously verified certificate request to issue a replacement certificate, so long as the certificate being referenced was not revoked due to fraud or other illegal conduct, if: + +1. The expiration date of the replacement certificate is the same as the expiration date of the EV Certificate that is being replaced, and +2. The Subject Information of the Certificate is the same as the Subject in the EV Certificate that is being replaced. + +### 11.14.3. Age of Validated Data + +1. Except for reissuance of an EV Certificate under [Section 11.14.2](#11142-re-issuance-requests) and except when permitted otherwise in [Section 11.14.1](#11141-validation-for-existing-subscribers), the age of all data used to support issuance of an EV Certificate (before revalidation is required) SHALL NOT exceed the following limits: + + A. Legal existence and identity – 398 days; + B. Assumed name – 398 days; + C. Address of Place of Business – 398 days; + D. Verified Method of Communication – 398 days; + E. Operational existence – 398 days; + F. Domain Name – 398 days; + G. Name, Title, Agency, and Authority – 398 days, unless a contract between the CA and the Applicant specifies a different term, in which case, the term specified in such contract controls. For example, the contract MAY include the perpetual assignment of EV roles until revoked by the Applicant or CA, or until the contract expires or is terminated. + +2. The 398-day period set forth above SHALL begin to run on the date the information was collected by the CA. +3. 
The CA MAY reuse a previously submitted EV Certificate Request, Subscriber Agreement, or Terms of Use, including use of a single EV Certificate Request in support of multiple EV Certificates containing the same Subject to the extent permitted under [Section 11.9](#119-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests) and [Section 11.10](#1110-verification-of-approval-of-ev-certificate-request). +4. The CA MUST repeat the verification process required in these Guidelines for any information obtained outside the time limits specified above except when permitted otherwise under [Section 11.14.1](#11141-validation-for-existing-subscribers). + +# 12. Certificate Issuance by a Root CA + +Certificate issuance by the Root CA SHALL require an individual authorized by the CA (i.e. the CA system operator, system officer, or PKI administrator) to deliberately issue a direct command in order for the Root CA to perform a certificate signing operation. + +Root CA Private Keys MUST NOT be used to sign EV Certificates. + +# 13. Certificate Revocation and Status Checking + +The requirements in Section 4.9 of the Baseline Requirements apply equally to EV Certificates. + +# 14. Employee and third party issues + +## 14.1. Trustworthiness and Competence + +### 14.1.1. Identity and Background Verification + +Prior to the commencement of employment of any person by the CA for engagement in the EV Processes, whether as an employee, agent, or an independent contractor of the CA, the CA MUST: + +1. **Verify the Identity of Such Person**: Verification of identity MUST be performed through: + + A. The personal (physical) presence of such person before trusted persons who perform human resource or security functions, and + B. The verification of well-recognized forms of government-issued photo identification (e.g., passports and/or drivers licenses); + + and + +2. 
**Verify the Trustworthiness of Such Person**: Verification of trustworthiness SHALL include background checks, which address at least the following, or their equivalent: + + A. Confirmation of previous employment, + B. Check of professional references; + C. Confirmation of the highest or most-relevant educational qualification obtained; + D. Search of criminal records (local, state or provincial, and national) where allowed by the jurisdiction in which the person will be employed; + + and + +3. In the case of employees already in the employ of the CA at the time of adoption of these Guidelines whose identity and background has not previously been verified as set forth above, the CA SHALL conduct such verification within three months of the date of adoption of these Guidelines. + +### 14.1.2. Training and Skills Level + +The requirements in Section 5.3.3 of the Baseline Requirements apply equally to EV Certificates and these Guidelines. The required internal examination must relate to the EV Certificate validation criteria outlined in these Guidelines. + +### 14.1.3. Separation of Duties + +1. The CA MUST enforce rigorous control procedures for the separation of validation duties to ensure that no one person can single-handedly validate and authorize the issuance of an EV Certificate. The Final Cross-Correlation and Due Diligence steps, as outlined in [Section 11.13](#1113-final-cross-correlation-and-due-diligence), MAY be performed by one of the persons. For example, one Validation Specialist MAY review and verify all the Applicant information and a second Validation Specialist MAY approve issuance of the EV Certificate. +2. Such controls MUST be auditable. + +## 14.2. Delegation of Functions to Registration Authorities and Subcontractors + +### 14.2.1. 
General + +The CA MAY delegate the performance of all or any part of a requirement of these Guidelines to an Affiliate or a Registration Authority (RA) or subcontractor, provided that the process employed by the CA fulfills all of the requirements of [Section 11.13](#1113-final-cross-correlation-and-due-diligence). +Affiliates and/or RAs must comply with the qualification requirements of [Section 14.1](#141-trustworthiness-and-competence). + +The CA SHALL verify that the Delegated Third Party's personnel involved in the issuance of a Certificate meet the training and skills requirements of [Section 14](#14-employee-and-third-party-issues) and the document retention and event logging requirements of [Section 15](#15-data-records). + +### 14.2.2. Enterprise RAs + +The CA MAY contractually authorize a Subscriber to perform the RA function and authorize the CA to issue additional EV Certificates. In such case, the Subscriber SHALL be considered an Enterprise RA, and the following requirements SHALL apply: + +1. In all cases, the Subscriber MUST be an organization verified by the CA in accordance with these Guidelines; +2. The CA MUST impose these limitations as a contractual requirement with the Enterprise RA and monitor compliance by the Enterprise RA; and +3. The Final Cross-Correlation and Due Diligence requirements of [Section 11.13](#1113-final-cross-correlation-and-due-diligence) MAY be performed by a single person representing the Enterprise RA. + +Enterprise RAs that authorize the issuance of EV Certificates solely for its own organization are exempted from the audit requirements of [Section 17.1](#171-eligible-audit-schemes). In all other cases, the requirements of [Section 17.1](#171-eligible-audit-schemes) SHALL apply. + +### 14.2.3. 
Guidelines Compliance Obligation + +In all cases, the CA MUST contractually obligate each Affiliate, RA, subcontractor, and Enterprise RA to comply with all applicable requirements in these Guidelines and to perform them as required of the CA itself. The CA SHALL enforce these obligations and internally audit each Affiliate's, RA's, subcontractor's, and Enterprise RA's compliance with these Requirements on an annual basis. + +### 14.2.4. Allocation of Liability + +As specified in Section 9.8 of the Baseline Requirements. + +# 15. Data Records + +As specified in Section 5.4 of the Baseline Requirements. + +# 16. Data Security + +As specified in Section 5 of the Baseline Requirements. In addition, systems used to process and approve EV Certificate Requests MUST require actions by at least two trusted persons before creating an EV Certificate. + +# 17. Audit + +## 17.1. Eligible Audit Schemes + +A CA issuing EV Certificates SHALL undergo an audit in accordance with one of the following schemes: + +i. WebTrust Program for CAs audit and WebTrust EV Program audit, +ii. ETSI TS 102 042 audit for EVCP, or +iii. ETSI EN 319 411-1 audit for EVCP policy. + +If the CA is a Government Entity, an audit of the CA by the appropriate internal government auditing agency is acceptable in lieu of the audits specified above, provided that such internal government auditing agency publicly certifies in writing that its audit addresses the criteria specified in one of the above audit schemes and certifies that the government CA has successfully passed the audit. + +EV audits MUST cover all CA obligations under these Guidelines regardless of whether they are performed directly by the CA or delegated to an RA or subcontractor. + +## 17.2. Audit Period + +CAs issuing EV Certificates MUST undergo an annual audit that meets the criteria of [Section 17.1](#171-eligible-audit-schemes). 
+ +## 17.3 Audit Record + +CAs SHOULD make its audit report publicly available no later than three months after the end of the audit period. If there is a delay greater than three months and if so requested by an Application Software Supplier, the CA MUST provide an explanatory letter signed by its auditor. + +## 17.4. Pre-Issuance Readiness Audit + +1. If the CA has a currently valid WebTrust Seal of Assurance for CAs, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against the WebTrust EV Program. +2. If the CA has a currently valid ETSI 102 042 audit, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against ETSI TS 102 042. +3. If the CA has a currently valid ETSI EN 319 411-1 audit for EVCP policy, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against ETSI EN 319 411-1 for EVCP. +4. If the CA does not have a currently valid WebTrust Seal of Assurance for CAs or an ETSI TS 102 042 EVCP audit or an ETSI EN 319 411-1 audit for EVCP policy, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete either: + i. a point-in-time readiness assessment audit against the WebTrust for CA Program, or + ii. a point-in-time readiness assessment audit against the WebTrust EV Program, the ETSI TS 102 042 EVCP, or the ETSI EN 319 411-1 for EVCP policy. + +The CA MUST complete any required point-in-time readiness assessment no earlier than twelve (12) months prior to issuing an EV Certificate. The CA MUST undergo a complete audit under such scheme within ninety (90) days of issuing the first EV Certificate. + +## 17.5. 
Regular Self Audits + +During the period in which it issues EV Certificates, the CA MUST strictly control its service quality by performing ongoing self audits against a randomly selected sample of at least three percent of the EV Certificates it has issued in the period beginning immediately after the last sample was taken. For all EV Certificates where the Final Cross-Correlation and Due Diligence requirements of [Section 11.13](#1113-final-cross-correlation-and-due-diligence) is performed by an RA, the CA MUST strictly control its service quality by performing ongoing self audits against a randomly selected sample of at least six percent of the EV Certificates it has issued in the period beginning immediately after the last sample was taken. + +## 17.6. Auditor Qualification + +A Qualified Auditor (as defined in Section 8.2 of the Baseline Requirements) MUST perform the CA's audit. + +## 17.7. Root CA Key Pair Generation + +All requirements in Section 6.1.1.1 of the Baseline Requirements apply equally to EV Certificates. However, for Root CA Key Pairs generated after the release of these Guidelines, the Root CA Key Pair generation ceremony MUST be witnessed by the CA's Qualified Auditor in order to observe the process and the controls over the integrity and confidentiality of the Root CA Key Pairs produced. The Qualified Auditor MUST then issue a report opining that the CA, during its Root CA Key Pair and Certificate generation process: + + 1. Documented its Root CA key generation and protection procedures in its Certificate Policy, and its Certification Practices Statement; + 2. Included appropriate detail in its Root Key Generation Script; + 3. Maintained effective controls to provide reasonable assurance that the Root CA key pair was generated and protected in conformity with the procedures described in its CP/CPS and with its Root Key Generation Script; + 4. 
Performed, during the Root CA key generation process, all the procedures required by its Root Key Generation Script. + +# 18. Liability and Indemnification + +CAs MAY limit their liability as described in Section 9.8 of the Baseline Requirements except that a CA MUST NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than two thousand US dollars per Subscriber or Relying Party per EV Certificate. + +A CA's indemnification obligations and a Root CA's obligations with respect to subordinate CAs are set forth in Section 9.9 of the Baseline Requirements. + +# Appendix A - User Agent Verification (Normative) + +The CA MUST host test Web pages that allow Application Software Suppliers to test their software with EV Certificates that chain up to each EV Root Certificate. At a minimum, the CA MUST host separate Web pages using certificates that are: + + i. valid; + ii. revoked; and + iii. expired. + +# Appendix B - Sample Attorney Opinions Confirming Specified Information + +**(Informative)** + +[Law Firm Letterhead] + +[Date] + +| To: | **(Name of Issuing Certification Authority)(Address / fax number of Issuing CA – may be sent by fax or email attachment)** | +| --- | --- | +| Re: | **EV Certificate Request No. (CA Reference Number)** | +| Client: | **(Exact company name of Client – see footnote 1)** | +| Client Representative: | **(Exact name of Client Representative who signed the Application – see footnote 2)** | +| Application Date: | **(Insert date of Client's Application to the Issuing CA)** | + +This firm represents _[__exact__ company name of Client]_ [^1] ("Client"), who has submitted the Application to you dated as of the Application Date shown above ("Application"). We have been asked by our Client to present you with our opinion as stated in this letter. + +[Insert customary preliminary matters for opinion letters in your jurisdiction.] 
+ +On this basis, we hereby offer the following opinion: + +1. That [exact company name of Client] ("Company") is a duly formed [corporation, LLC, etc.] that is "active," "valid," "current," or the equivalent under the laws of the state/province of [name of governing jurisdiction where Client is incorporated or registered] and is not under any legal disability known to the author of this letter. + +2. That Company conducts business under the assumed name or "DBA"_[assumed name of the Applicant]_ and has registered such name with the appropriate government agency in the jurisdiction of its place of business below. + +3. That _[name of Client's Representative]_[^2] has authority to act on behalf of Company to: [_select as appropriate_] (a) provide the information about Company required for issuance of the EV Certificates as contained in the attached Application, (b) request one or more EV Certificates and to designate other persons to request EV Certificates, and (c) agree to the relevant contractual obligations contained in the Subscriber Agreement on behalf of Company. + +4. That Company has a physical presence and its place of business is at the following location: + + \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ + \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ + \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ + +5. That Company can be contacted at its stated place of business at the following telephone number: + + \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ + +6. That Company has an active current Demand Deposit Account with a regulated financial institution. + +7. That Company has the right to use the following Domain Name in identifying itself on the Internet: + + \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ + +Insert customary limitations and disclaimers for opinion letters in your jurisdiction. 
+ +(Name and signature) + +_[Jurisdiction(s) in which attorney / Latin notary is admitted to practice]_[^3] + +cc: [Send copy to Client_]_ + +[^1]: This must be the Client's exact corporate name, as registered with the relevant Incorporating Agency in the Client's Jurisdiction of Incorporation. This is the name that will be included in the EV Certificate. + +[^2]: If necessary to establish the Client Representative's actual authority, you may rely on a Power of Attorney from an officer of Client who has authority to delegate the authority to the Client Representative. + +[^3]: This letter may be issued by in-house counsel for the Client so long as permitted by the rules of your jurisdiction. + +# Appendix C - Sample Accountant Letters Confirming Specified Information + +**(Informative)** + +It is acceptable for professional accountants to provide letters that address specified matters. The letters would be provided in accordance with the professional standards in the jurisdiction in which the accountant practices. + +Two examples of the letter that might be prepared by an accountant in the United States and in Canada follow: + +## UNITED STATES + +To the [Certification Authority] and Management of [Client]: + +We have performed the procedures enumerated below, which were agreed to by the Managements of Client, solely to assist you in evaluating the company's application for an Extended Validation (EV) Certificate, dated......................., 20...... This agreed-upon procedures engagement was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. The sufficiency of these procedures is solely the responsibility of those parties specified in this report. Consequently, we make no representation regarding the sufficiency of the procedures described below either for the purpose for which this report has been requested or for any other purpose. 
+ +| Specified Information: | Procedure:(Note 1: These are illustrative of the procedures that would be undertaken and are designed to meet the needs of the Certification Authorities issuing Extended Validation Certificates) | Results: (Note 2: If you are unavailable to perform any of the stated procedure, this should be noted in this column. Any exceptions should be noted in a separate paragraph below) | +| --- | --- | --- | +| | | | +| Legal Name - 123456 Delaware corporation | Agree legal name to permanent audit file information (If audit has been completed). | Legal name on the application agrees with the information contained in our permanent file with respect to Client.(If there is no permanent file, state this fact) | +| | | | +| Doing business as - "Name" | Agree name to government data base of business names | The name "Name" is registered with the (name of database to which the name was agreed) | +| | | | +| Physical location - "Address Information" | Visit the location at the address | Site visit completed at Address | +| | | | +| Business Phone Number - 555 999 9999 | Phone the number provided and confirm that it was answered by the named organization | Phoned Business Number and noted that it was answered with the Doing Business As name. 
This would provided by the receptionist | +| | | | +| Bank Account – "Bank Name", "Account Number" | Request a letter directly from "the Bank" confirming the existence of the account for the benefit of "the Client" | Received letter directly from "the Bank" confirming the existence of the account for the benefit of "the Client" | +| | | | +| The corporate officers are "NAMED" (verified officer) | Agree Names to annual shareholders meeting minutes (Note - not required to personally know the officers) | Agreed Names listed as corporate officers on the application to minute books maintained by the Client | +| | | | +| Name of application signer and approver | Obtain letter from verified Officer confirming the names of the application signer and approver | Obtained letter from the President confirming the names of the duly authorized names of the application signer and approver as they appear in the application | + +We were not engaged to and did not conduct an examination, the objective of which would be the expression of an opinion on the Application for Extended Validation Certificate. Accordingly, we do not express such an opinion. Had we performed additional procedures, other matters might have come to our attention that would have been reported to you. + +This report is intended solely for the information and use of the Certification Authority and managements of Client, and is not intended to be and should not be used by anyone other than these specified parties. + +[Signature] + +[Date] + +## CANADA + +To: [Name of Certification Authority] + +Re: Client Limited [Applicant] + +As specifically agreed, I/we have performed the following procedures in connection with the above company's application for an Extended Validation (EV) Certificate, dated ......................., 20.... 
with respect to the following specified information contained in the application + +| Specified Information: | Procedure:(Note 1: These are illustrative of the procedures that would be undertaken and are designed to meet the needs of the Certification Authorities issuing Extended Validation Certificates) | Results: (Note 2: If you are unavailable to perform any of the stated procedure, this should be noted in this column. Any exceptions should be noted in a separate paragraph below) | +| --- | --- | --- | +| | | | +| Legal Name - 123456 Ontario limited | Agree legal name to permanent audit file information (If audit has been completed) | Legal name on the application agrees with the information contained in our permanent file with respect to Client.(If there is no permanent file, state this fact) | +| | | | +| Doing business as - "Name" | Agree name to government data base of business names | The name "Name" is registered with the (name of database to which the name was agreed) | +| | | | +| Physical location - "Address Information" | Visit the location at the address | Site visit completed at Address | +| | | | +| Business Phone Number - 555 999 9999 | Phone the number provided and confirm that it was answered by the named organization | Phoned Business Number and noted that it was answered with the Doing Business As name. 
This would provided by the receptionist | +| | | | +| Bank Account – "Bank Name", "Account Number" | Request a letter directly from "the Bank" confirming the existence of the account for the benefit of "the Client" | Received letter directly from "the Bank" confirming the existence of the account for the benefit of "the Client" | +| | | | +| The corporate officers are "NAMED" (verified officer) | Agree Names to annual shareholders meeting minutes (Note - not required to personally know the officers) | Agreed Names listed as corporate officers on the application to minute books maintained by the Client | +| | | | +| Name of application signer and approver | Obtain letter from verified Officer confirming the names of the application signer and approver | Obtained letter from the President confirming the names of the duly authorized names of the application signer and approver as they appear in the application | + +As a result of applying the above procedures, I/we found [no / the following] exceptions [list of exceptions]. However, these procedures do not constitute an audit of the company's application for an EV Certificate, and therefore I express no opinion on the application dated ......................., 20..... + +This letter is for use solely in connection with the application for an Extended Validation Certificate by [Client] dated ......................., 20...... + +City + +(signed) ...................................... + +# Appendix D - Country-Specific Interpretative Guidelines (Normative) + +NOTE: This appendix provides alternative interpretations of the EV Guidelines for countries that have a language, cultural, technical, or legal reason for deviating from a strict interpretation of the EV Guidelines. More specific information for particular countries may be added to this appendix in the future. + +## 1. Organization Names + +1. 
Non-Latin Organization Name + + Where an EV Applicant's organization name is not registered with a QGIS in _Latin_ characters and the Applicant's foreign character organization name and registration have been verified with a QGIS in accordance with these Guidelines, a CA MAY include a Latin character organization name in the EV Certificate. In such a case, the CA MUST follow the procedures laid down in this section. + +2. Romanized Names + + In order to include a transliteration/Romanization of the registered name, the Romanization MUST be verified by the CA using a system officially recognized by the Government in the Applicant's Jurisdiction of Incorporation. + + If the CA can not rely on a transliteration/Romanization of the registered name using a system officially recognized by the Government in the Applicant's Jurisdiction of Incorporation, then it MUST rely on one of the options below, in order of preference: + + A. A system recognized by the International Organization for Standardization (ISO); + B. A system recognized by the United Nations; or + C. A Lawyer's Opinion or Accountant's Letter confirming the proper Romanization of the registered name. + +3. Translated Name + + In order to include a Latin character name in the EV certificate that is not a direct Romanization of the registered name (e.g. an English Name) the CA MUST verify that the Latin character name is: + + A. Included in the Articles of Incorporation (or equivalent document) filed as part of the organization registration; or + B. Recognized by a QTIS in the Applicant's Jurisdiction of Incorporation as the Applicant's recognized name for tax filings; or + C. Confirmed with a QIIS to be the name associated with the registered organization; or + D. Confirmed by a Verified Legal Opinion or Accountant's Letter to be a translated trading name associated with the registered organization. + +### Country-Specific Procedures + +#### D-1. 
Japan + +As interpretation of the procedures set out above: + +1. Organization Names + + A. The Revised Hepburn method of Romanization, as well as Kunrei-shiki and Nihon-shiki methods described in ISO 3602, are acceptable for Japanese Romanizations. + B. The CA MAY verify the Romanized transliteration, language translation (e.g. English name), or other recognized Roman-letter substitute of the Applicant's formal legal name with either a QIIS, Verified Legal Opinion, or Verified Accountant Letter. + C. The CA MAY use the Financial Services Agency to verify a Romanized, translated, or other recognized Roman-letter substitute name. When used, the CA MUST verify that the translated English is recorded in the audited Financial Statements. + D. When relying on Articles of Incorporation to verify a Romanized, translated, or other recognized Roman-letter substitute name, the Articles of Incorporation MUST be accompanied either: by a document, signed with the original Japanese Corporate Stamp, that proves that the Articles of Incorporation are authentic and current, or by a Verified Legal Opinion or a Verified Accountant Letter. The CA MUST verify the authenticity of the Corporate Stamp. + E. A Romanized, translated, or other recognized Roman-lettered substitute name confirmed in accordance with this [Appendix D-1](#d-1-japan) stored in the ROBINS database operated by JIPDEC MAY be relied upon by a CA for determining the allowed organization name during any issuance or renewal process of an EV Certificate without the need to re-perform the above procedures. + +2. Accounting Practitioner + + In Japan: + + A. Accounting Practitioner includes either a certified public accountant (公認会計士 - Konin-kaikei-shi) or a licensed tax accountant (税理士 – Zei-ri-shi). + B. 
The CA MUST verify the professional status of the Accounting Practitioner through direct contact with the relevant local member association that is affiliated with either the Japanese Institute of Certified Public Accountants ([http://www.hp.jicpa.or.jp](http://www.hp.jicpa.or.jp/)), the Japan Federation of Certified Tax Accountant's Associations ([http://www.nichizeiren.or.jp](http://www.nichizeiren.or.jp/)), or any other authoritative source recognized by the Japanese Ministry of Finance ([http://www.mof.go.jp](http://www.mof.go.jp/)) as providing the current registration status of such professionals. + +3. Legal Practitioner + + In Japan: + + A. Legal Practitioner includes any of the following: + + - a licensed lawyer (弁護士 - Ben-go-shi), + - a judicial scrivener (司法書士 - Shiho-sho-shi lawyer), + - an administrative solicitor (行政書士 - Gyosei-sho-shi Lawyer), + - or a notary public (公証人 - Ko-sho-nin). + + For purposes of the EV Guidelines, a Japanese Notary Public is considered equivalent to a Latin Notary. + + B. The CA MUST verify the professional status of the Legal Practitioner by direct contact through the relevant local member association that is affiliated with one of the following national associations: + + - the Japan Federation of Bar Associations ([http://www.nichibenren.or.jp](http://www.nichibenren.or.jp/)), + - the Japan Federation of Shiho-Shoshi Lawyer's Associations ([http://www.shiho-shoshi.or.jp](http://www.shiho-shoshi.or.jp/)), + - the Japan Federation of Administrative Solicitors ([http://www.gyosei.or.jp](http://www.gyosei.or.jp/)), + - the Japan National Notaries Association ([http://www.koshonin.gr.jp](http://www.koshonin.gr.jp/)), or + - any other authoritative source recognized by the Japanese Ministry of Justice ([http://www.moj.go.jp](http://www.moj.go.jp/)) as providing the current registration status of such professionals. 
+ +# Appendix E - Sample Contract Signer's Representation/Warranty (Informative) + +A CA may rely on the Contract Signer's authority to enter into the Subscriber Agreement using a representation/warranty executed by the Contract Signer. An example of an acceptable warranty is as follows: + +[CA] and Applicant are entering into a legally valid and enforceable Subscriber Agreement that creates extensive obligations on Applicant. An EV Certificate serves as a form of digital identity for Applicant. The loss or misuse of this identity can result in great harm to the Applicant. By signing this Subscriber Agreement, the contract signer acknowledges that they have the authority to obtain the digital equivalent of a company stamp, seal, or (where applicable) officer's signature to establish the authenticity of the company's website, and that [Applicant name] is responsible for all uses of its EV Certificate. By signing this Agreement on behalf of [Applicant name], the contract signer represents that the contract signer + + i. is acting as an authorized representative of [Applicant name], + ii. is expressly authorized by [Applicant name] to sign Subscriber Agreements and approve EV Certificate requests on Applicant's behalf, and + iii. has confirmed Applicant's right to use the domain(s) to be included in EV Certificates. + +# Appendix F – Unused + +This appendix is intentionally left blank. + +# Appendix G – Abstract Syntax Notation One module for EV certificates + +```ASN.1 +CABFSelectedAttributeTypes { + joint‐iso‐itu‐t(2) international‐organizations(23) + ca‐browser‐forum(140) module(4) + cabfSelectedAttributeTypes(1) 1 } +DEFINITIONS ::= +BEGIN +-- EXPORTS All +IMPORTS + -- from Rec. 
ITU-T X.501 | ISO/IEC 9594-2 + selectedAttributeTypes, ID, ldap-enterprise + FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1) + usefulDefinitions(0) 7} + + -- from the X.500 series + ub-locality-name, ub-state-name + FROM UpperBounds {joint-iso-itu-t ds(5) module(1) upperBounds(10) 7} + + -- from Rec. ITU-T X.520 | ISO/IEC 9594-6 + DirectoryString{}, CountryName + FROM SelectedAttributeTypes selectedAttributeTypes; + +id-evat-jurisdiction ID ::= {ldap-enterprise 311 ev(60) 2 1} +id-evat-jurisdiction-localityName ID ::= {id-evat-jurisdiction 1} +id-evat-jurisdiction-stateOrProvinceName ID ::= {id-evat-jurisdiction 2} +id-evat-jurisdiction-countryName ID ::= {id-evat-jurisdiction 3} + +jurisdictionLocalityName ATTRIBUTE ::= { + SUBTYPE OF name + WITH SYNTAX DirectoryString{ub-locality-name} + LDAP-SYNTAX directoryString.&id + LDAP-NAME {"jurisdictionL"} + ID id-evat-jurisdiction-localityName } + +jurisdictionStateOrProvinceName ATTRIBUTE ::= { + SUBTYPE OF name + WITH SYNTAX DirectoryString{ub-state-name} + LDAP-SYNTAX directoryString.&id + LDAP-NAME {"jurisdictionST"} + ID id-evat-jurisdiction-stateOrProvinceName } + +jurisdictionCountryName ATTRIBUTE ::= { + SUBTYPE OF name + WITH SYNTAX CountryName + SINGLE VALUE TRUE + LDAP-SYNTAX countryString.&id + LDAP-NAME {"jurisdictionC"} + ID id-evat-jurisdiction-countryName } + +END +``` + +# Appendix H – Registration Schemes + +The following Registration Schemes are currently recognized as valid under these +guidelines: + +* **NTR**: + + The information carried in this field shall be the same as held in + Subject Registration Number Field as specified in + [Section 9.2.5](#925-subject-registration-number-field) and the country code + used in the Registration Scheme identifier shall match that of the + subject’s jurisdiction as specified in + [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field). 
+ + Where the Subject Jurisdiction of Incorporation or Registration Field in 9.2.4 + includes more than the country code, the additional locality information shall + be included as specified in [Section 9.2.8](#928-subject-organization-identifier-field) + and/or [Section 9.8.2](#982-cabrowser-forum-organization-identifier-extension). + +* **VAT**: + + Reference allocated by the national tax authorities to a Legal Entity. This + information shall be validated using information provided by the national tax + authority against the organization as identified by the Subject Organization + Name Field (see [Section 9.2.1](#921-subject-organization-name-field)) and + Subject Registration Number Field (see + Section 9.2.5](#925-subject-registration-number-field)) within the context of + the subject’s jurisdiction as specified in + [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field). + +* **PSD**: + + Authorization number as specified in ETSI TS 119 495 clause 4.4 + allocated to a payment service provider and containing the information as + specified in ETSI TS 119 495 clause 5.2.1. This information SHALL be + obtained directly from the national competent authority register for + payment services or from an information source approved by a government + agency, regulatory body, or legislation for this purpose. This information + SHALL be validated by being matched directly or indirectly (for example, by + matching a globally unique registration number) against the organization as + identified by the Subject Organization Name Field (see + [Section 9.2.1](#921-subject-organization-name-field)) and + Subject Registration Number Field (see + [Section 9.2.5](#925-subject-registration-number-field)) within the context of + the subject’s jurisdiction as specified in + [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field). 
+ The stated address of the organization combined with the organization name + SHALL NOT be the only information used to disambiguate the organization. From 929b6e21a0f52d2f5a650133ca9b6c7bdf8d279e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Wed, 7 Jun 2023 15:52:48 -0700 Subject: [PATCH 05/48] Update EVG.md --- docs/EVG.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/EVG.md b/docs/EVG.md index 2999d19d..7213d610 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
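Review bot: The VAT bullet in Appendix H has a broken link: "Section 9.2.5](#925-subject-registration-number-field))" is missing the opening "[", so it will render as literal text while the NTR and PSD bullets render as links; it should read `[Section 9.2.5](#925-subject-registration-number-field)`. In the Appendix G ASN.1 module the object identifier in the module header, "joint‐iso‐itu‐t(2) international‐organizations(23) ca‐browser‐forum(140)", is written with a non-ASCII hyphen (U+2010), whereas the rest of the module ("joint-iso-itu-t ds(5)", "ldap-enterprise", "ub-locality-name") uses the ASCII hyphen-minus; ASN.1 identifiers only permit hyphen-minus, so the module as pasted would not compile and the three arcs should be retyped with plain hyphens. Smaller consistency points in the same hunk: "## 17.3 Audit Record" lacks the trailing period used by "## 17.2." and "## 17.4."; item 2 of 17.4 says "ETSI 102 042" where every other occurrence is "ETSI TS 102 042"; in 17.5 "the Final Cross-Correlation and Due Diligence requirements of Section 11.13 is performed" should be "are performed"; and in both accountant letters "This would provided by the receptionist" is missing "be" and "If you are unavailable to perform any of the stated procedure" reads as "unable to perform any of the stated procedures".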
@@ -12,6 +12,17 @@ copyright: | # 1. INTRODUCTION ## 1.1 Overview +The Guidelines describe an integrated set of technologies, protocols, identity proofing, lifecycle management, and auditing practices specifying the minimum requirements that must be met in order to issue and maintain Extended Validation Certificates ("EV Certificates") concerning an organization. Subject Organization information from valid EV Certificates can then be used in a special manner by certain relying-party software applications (e.g., browser software) in order to provide users with a trustworthy confirmation of the identity of the entity that controls the Web site or other services they are accessing. Although initially intended for use in establishing Web-based data communication conduits via TLS/SSL protocols, extensions are envisioned for S/MIME, time-stamping, VoIP, IM, Web services, etc. + +The primary purposes of Extended Validation Certificates are to: 1) identify the legal entity that controls a Web or service site, and 2) enable encrypted communications with that site. The secondary purposes include significantly enhancing cybersecurity by helping establish the legitimacy of an organization claiming to operate a Web site, and providing a vehicle that can be used to assist in addressing problems related to distributing malware, phishing, identity theft, and diverse forms of online fraud. + +**Notice to Readers** + +The Guidelines for the Issuance and Management of Extended Validation Certificates present criteria established by the CA/Browser Forum for use by certification authorities when issuing, maintaining, and revoking certain digital certificates for use in Internet Web site commerce. These Guidelines may be revised from time to time, as appropriate, in accordance with procedures adopted by the CA/Browser Forum. Questions or suggestions concerning these guidelines may be directed to the CA/Browser Forum at . 
+ +**The CA/Browser Forum** + +The CA/Browser Forum is a voluntary open organization of certification authorities and suppliers of Internet browsers and other relying-party software applications. Membership is listed at . ## 1.2 Document name and identification ## 1.3 PKI participants ### 1.3.1 Certification authorities From 2d7d8ba99e0f4e46ba5826773479731a5a921849 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Wed, 5 Jul 2023 17:56:27 +0200 Subject: [PATCH 06/48] Update EVG.md --- docs/EVG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/EVG.md b/docs/EVG.md index 7213d610..e11a9309 100644 --- a/docs/EVG.md +++ b/docs/EVG.md @@ -271,6 +271,11 @@ The CA/Browser Forum is a voluntary open organization of certification authoriti ### 9.6.5 Representations and warranties of other participants ## 9.7 Disclaimers of warranties ## 9.8 Limitations of liability +CAs MAY limit their liability as described in Section 9.8 of the Baseline Requirements except that a +CA MUST NOT limit its liability to Subscribers or Relying Parties for legally recognized and +provable claims to a monetary amount less than two thousand US dollars per Subscriber or Relying +Party per EV Certificate. + ## 9.9 Indemnities ## 9.10 Term and termination ### 9.10.1 Term From f0db2909b3aec9ee037669b9f796934bdee7e116 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Wed, 5 Jul 2023 17:58:29 +0200 Subject: [PATCH 07/48] Update EVG.md --- docs/EVG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/EVG.md b/docs/EVG.md index e11a9309..474653ba 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
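Review bot: In the PATCH 05/48 hunk under "## 1.1 Overview" both contact references are empty: "Questions or suggestions concerning these guidelines may be directed to the CA/Browser Forum at ." and "Membership is listed at ." end with nothing after "at", so the address that belongs there was lost when the text was brought over (an angle-bracket autolink swallowed as raw HTML by the converter is the usual cause). Restore the link as an explicit `[text](url)` markdown link and check the rendered page before merging. Also, "**Notice to Readers**" and "**The CA/Browser Forum**" are set as bold paragraphs; if they are meant to be sub-sections of 1.1 they should use the same `###` heading style as the rest of the outline so they appear in the table of contents.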
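Review bot: In the PATCH 06/48 hunk the heading "## 9.8 Limitations of liability" is followed immediately by "CAs MAY limit their liability as described in Section 9.8 of the Baseline Requirements except that a" with no blank line in between, while a blank line is kept before "## 9.9 Indemnities"; keep a blank line on both sides of the heading. The inserted paragraph is also hard-wrapped at roughly 100 columns, whereas the paragraphs added to docs/EVG.md in PATCH 05/48 are single long lines; pick one wrapping convention for the file so later diffs stay reviewable. The wording itself matches Section 18 of the legacy layout word for word, which is fine for the migration.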
@@ -275,8 +275,9 @@ CAs MAY limit their liability as described in Section 9.8 of the Baseline Requir CA MUST NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than two thousand US dollars per Subscriber or Relying Party per EV Certificate. - ## 9.9 Indemnities +A CA’s indemnification obligations and a Root CA’s obligations with respect to subordinate CAs are +set forth in Section 9.9 of the Baseline Requirements. ## 9.10 Term and termination ### 9.10.1 Term ### 9.10.2 Termination From 866b87fb7dff8abba00fb5efb3e5a1eae0c86f0b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Wed, 5 Jul 2023 18:21:29 +0200 Subject: [PATCH 08/48] Update EVG.md --- docs/EVG.md | 386 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 386 insertions(+) diff --git a/docs/EVG.md b/docs/EVG.md index 474653ba..c389dbc1 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
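Review bot: The line deleted in the PATCH 07/48 hunk is the blank line before "## 9.9 Indemnities", so "Party per EV Certificate." now runs directly into the heading, and the added indemnities paragraph ("A CA’s indemnification obligations and a Root CA’s obligations with respect to subordinate CAs are" / "set forth in Section 9.9 of the Baseline Requirements.") runs straight into "## 9.10 Term and termination"; keep a blank line on each side of every heading instead of removing the one PATCH 06/48 added. The added lines also use the typographic apostrophe ("CA’s") where the earlier hunks in this series use the ASCII one ("the CA's Qualified Auditor"); normalise to one form.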
@@ -181,6 +181,21 @@ The CA/Browser Forum is a voluntary open organization of certification authoriti # 6. TECHNICAL SECURITY CONTROLS (11) ## 6.1 Key pair generation and installation ### 6.1.1 Key pair generation +All requirements in Section 6.1.1.1 of the Baseline Requirements apply equally to EV Certificates. +However, for Root CA Key Pairs generated after the release of these Guidelines, the Root CA Key +Pair generation ceremony MUST be witnessed by the CA’s Qualified Auditor in order to observe the +process and the controls over the integrity and confidentiality of the Root CA Key Pairs produced. +The Qualified Auditor MUST then issue a report opining that the CA, during its Root CA Key Pair +and Certificate generation process: + + 1. Documented its Root CA key generation and protection procedures in its Certificate Policy, + and its Certification Practices Statement; + 2. Included appropriate detail in its Root Key Generation Script; + 3. Maintained effective controls to provide reasonable assurance that the Root CA key pair was + generated and protected in conformity with the procedures described in its CP/CPS and with + its Root Key Generation Script; + 4. Performed, during the Root CA key generation process, all the procedures required by its + Root Key Generation Script. ### 6.1.2 Private key delivery to subscriber ### 6.1.3 Public key delivery to certificate issuer ### 6.1.4 CA public key delivery to relying parties 
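Review bot: In the PATCH 08/48 hunk for "### 6.1.1 Key pair generation" the new paragraph starts on the line right after the heading ("### 6.1.1 Key pair generation" / "All requirements in Section 6.1.1.1 of the Baseline Requirements apply equally to EV Certificates.") with no blank line, and the last list item is followed directly by "### 6.1.2 Private key delivery to subscriber"; add blank lines around the heading and after the list. The sentence "for Root CA Key Pairs generated after the release of these Guidelines" carries over a date reference from the legacy document; since this file is a new layout of the same Guidelines, say which version or date is meant so the requirement stays unambiguous. "the CA’s Qualified Auditor" again uses the typographic apostrophe while the same sentence earlier in this series uses "the CA's Qualified Auditor".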
@@ -233,12 +248,59 @@ The CA/Browser Forum is a voluntary open organization of certification authoriti ### 7.3.1 Version number(s) ### 7.3.2 OCSP extensions # 8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS +A CA issuing EV Certificates SHALL undergo an audit in accordance with one of the following +schemes: + i. WebTrust Program for CAs audit and WebTrust EV Program audit, + ii. ETSI TS 102 042 audit for EVCP, or + iii. ETSI EN 319 411‐1 audit for EVCP policy. + +If the CA is a Government Entity, an audit of the CA by the appropriate internal government +auditing agency is acceptable in lieu of the audits specified above, provided that such internal +government auditing agency publicly certifies in writing that its audit addresses the criteria +specified in one of the above audit schemes and certifies that the government CA has successfully +passed the audit. +EV audits MUST cover all CA obligations under these Guidelines regardless of whether they are +performed directly by the CA or delegated to an RA or subcontractor. ## 8.1 Frequency or circumstances of assessment +CAs issuing EV Certificates MUST undergo an annual audit that meets the criteria of Section 17.1 ## 8.2 Identity/qualifications of assessor +A Qualified Auditor (as defined in Section 8.2 of the Baseline Requirements) MUST perform the +CA’s audit. ## 8.3 Assessor's relationship to assessed entity ## 8.4 Topics covered by assessment ## 8.5 Actions taken as a result of deficiency ## 8.6 Communication of results +CAs SHOULD make its audit report publicly available no later than three months after the end of +the audit period. If there is a delay greater than three months and if so requested by an Application +Software Supplier, the CA MUST provide an explanatory letter signed by its auditor. +## 8.7 Pre-issuance Readiness Audit +1. 
If the CA has a currently valid WebTrust Seal of Assurance for CAs, then, before issuing EV + Certificates, the CA and its Root CA MUST successfully complete a point‐in‐time readiness + assessment audit against the WebTrust EV Program. +2. If the CA has a currently valid ETSI 102 042 audit, then, before issuing EV Certificates, the CA + and its Root CA MUST successfully complete a point‐in‐time readiness assessment audit + against ETSI TS 102 042. +3. If the CA has a currently valid ETSI EN 319 411‐1 audit for EVCP policy, then, before issuing EV + Certificates, the CA and its Root CA MUST successfully complete a point‐in‐time readiness + assessment audit against ETSI EN 319 411‐1 for EVCP. +4. If the CA does not have a currently valid WebTrust Seal of Assurance for CAs or an ETSI TS + 102 042 EVCP audit or an ETSI EN 319 411‐1 audit for EVCP policy, then, before issuing EV + Certificates, the CA and its Root CA MUST successfully complete either: + i. a point‐in‐time readiness assessment audit against the WebTrust for CA Program, or + ii. a point‐in‐time readiness assessment audit against the WebTrust EV Program, the ETSI + TS 102 042 EVCP, or the ETSI EN 319 411‐1 for EVCP policy. + +The CA MUST complete any required point‐in‐time readiness assessment no earlier than twelve +(12) months prior to issuing an EV Certificate. The CA MUST undergo a complete audit under such +scheme within ninety (90) days of issuing the first EV Certificate. +## 8.8 Self audits +During the period in which it issues EV Certificates, the CA MUST strictly control its service quality +by performing ongoing self audits against a randomly selected sample of at least three percent of +the EV Certificates it has issued in the period beginning immediately after the last sample was +taken. 
For all EV Certificates where the Final Cross‐Correlation and Due Diligence requirements of +Section 11.13 is performed by an RA, the CA MUST strictly control its service quality by performing +ongoing self audits against a randomly selected sample of at least six percent of the EV Certificates +it has issued in the period beginning immediately after the last sample was taken. # 9. OTHER BUSINESS AND LEGAL MATTERS ## 9.1 Fees ### 9.1.1 Certificate issuance or renewal fees 
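Review bot: the cross references `Section 17.1` (in 8.1) and `Section 11.13` (in 8.8) are the old EV Guidelines numbering; this file's top-level sections run 1 through 9 (the hunk's own trailing context is `# 9. OTHER BUSINESS AND LEGAL MATTERS`), so neither target exists here. 8.1 should point at the list of audit schemes that opens Section 8 immediately above, and 8.8 needs the new location of the Final Cross-Correlation and Due Diligence requirements identified before it is linked. Formatting: the `i.`/`ii.`/`iii.` scheme list is indented with a single space and `i.` is not a markdown list marker, so the three schemes render as one run-on paragraph; use `1.`-style markers or hard line breaks. Wording to fix while the text is being moved: item 2 of 8.7 says `ETSI 102 042` where item 4 and the scheme list say `ETSI TS 102 042`; 8.6 reads "CAs SHOULD make its audit report" (plural subject, singular pronoun); and 8.8 reads "requirements of Section 11.13 is performed" where "are performed" is needed.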
@@ -297,3 +359,327 @@ set forth in Section 9.9 of the Baseline Requirements. ### 9.16.4 Enforcement (attorneys' fees and waiver of rights) ### 9.16.5 Force Majeure ## 9.17 Other provisions +# Appendix A - User Agent Verification (Normative) +The CA MUST host test Web pages that allow Application Software Suppliers to test their software +with EV Certificates that chain up to each EV Root Certificate. At a minimum, the CA MUST host +separate Web pages using certificates that are: +i. valid; +ii. revoked; and +iii. expired. + +# Appendix B - Sample Attorney Opinions Confirming Specified Information + +**(Informative)** + +[Law Firm Letterhead] + +[Date] + +| To: | **(Name of Issuing Certification Authority)(Address / fax number of Issuing CA – may be sent by fax or email attachment)** | +| --- | --- | +| Re: | **EV Certificate Request No. (CA Reference Number)** | +| Client: | **(Exact company name of Client – see footnote 1)** | +| Client Representative: | **(Exact name of Client Representative who signed the Application – see footnote 2)** | +| Application Date: | **(Insert date of Client's Application to the Issuing CA)** | + +This firm represents _[__exact__ company name of Client]_ [^1] ("Client"), who has submitted the Application to you dated as of the Application Date shown above ("Application"). We have been asked by our Client to present you with our opinion as stated in this letter. + +[Insert customary preliminary matters for opinion letters in your jurisdiction.] + +On this basis, we hereby offer the following opinion: + +1. That [exact company name of Client] ("Company") is a duly formed [corporation, LLC, etc.] that is "active," "valid," "current," or the equivalent under the laws of the state/province of [name of governing jurisdiction where Client is incorporated or registered] and is not under any legal disability known to the author of this letter. + +2. 
That Company conducts business under the assumed name or "DBA"_[assumed name of the Applicant]_ and has registered such name with the appropriate government agency in the jurisdiction of its place of business below. + +3. That _[name of Client's Representative]_[^2] has authority to act on behalf of Company to: [_select as appropriate_] (a) provide the information about Company required for issuance of the EV Certificates as contained in the attached Application, (b) request one or more EV Certificates and to designate other persons to request EV Certificates, and (c) agree to the relevant contractual obligations contained in the Subscriber Agreement on behalf of Company. + +4. That Company has a physical presence and its place of business is at the following location: + + \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ + \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ + \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ + +5. That Company can be contacted at its stated place of business at the following telephone number: + + \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ + +6. That Company has an active current Demand Deposit Account with a regulated financial institution. + +7. That Company has the right to use the following Domain Name in identifying itself on the Internet: + + \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ + +Insert customary limitations and disclaimers for opinion letters in your jurisdiction. + +(Name and signature) + +_[Jurisdiction(s) in which attorney / Latin notary is admitted to practice]_[^3] + +cc: [Send copy to Client_]_ + +[^1]: This must be the Client's exact corporate name, as registered with the relevant Incorporating Agency in the Client's Jurisdiction of Incorporation. This is the name that will be included in the EV Certificate. + +[^2]: If necessary to establish the Client Representative's actual authority, you may rely on a Power of Attorney from an officer of Client who has authority to delegate the authority to the Client Representative. 
+ +[^3]: This letter may be issued by in-house counsel for the Client so long as permitted by the rules of your jurisdiction. + +# Appendix C - Sample Accountant Letters Confirming Specified Information + +**(Informative)** + +It is acceptable for professional accountants to provide letters that address specified matters. The letters would be provided in accordance with the professional standards in the jurisdiction in which the accountant practices. + +Two examples of the letter that might be prepared by an accountant in the United States and in Canada follow: + +## UNITED STATES + +To the [Certification Authority] and Management of [Client]: + +We have performed the procedures enumerated below, which were agreed to by the Managements of Client, solely to assist you in evaluating the company's application for an Extended Validation (EV) Certificate, dated......................., 20...... This agreed-upon procedures engagement was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. The sufficiency of these procedures is solely the responsibility of those parties specified in this report. Consequently, we make no representation regarding the sufficiency of the procedures described below either for the purpose for which this report has been requested or for any other purpose. + +| Specified Information: | Procedure:(Note 1: These are illustrative of the procedures that would be undertaken and are designed to meet the needs of the Certification Authorities issuing Extended Validation Certificates) | Results: (Note 2: If you are unavailable to perform any of the stated procedure, this should be noted in this column. Any exceptions should be noted in a separate paragraph below) | +| --- | --- | --- | +| | | | +| Legal Name - 123456 Delaware corporation | Agree legal name to permanent audit file information (If audit has been completed). 
| Legal name on the application agrees with the information contained in our permanent file with respect to Client.(If there is no permanent file, state this fact) | +| | | | +| Doing business as - "Name" | Agree name to government data base of business names | The name "Name" is registered with the (name of database to which the name was agreed) | +| | | | +| Physical location - "Address Information" | Visit the location at the address | Site visit completed at Address | +| | | | +| Business Phone Number - 555 999 9999 | Phone the number provided and confirm that it was answered by the named organization | Phoned Business Number and noted that it was answered with the Doing Business As name. This would provided by the receptionist | +| | | | +| Bank Account – "Bank Name", "Account Number" | Request a letter directly from "the Bank" confirming the existence of the account for the benefit of "the Client" | Received letter directly from "the Bank" confirming the existence of the account for the benefit of "the Client" | +| | | | +| The corporate officers are "NAMED" (verified officer) | Agree Names to annual shareholders meeting minutes (Note - not required to personally know the officers) | Agreed Names listed as corporate officers on the application to minute books maintained by the Client | +| | | | +| Name of application signer and approver | Obtain letter from verified Officer confirming the names of the application signer and approver | Obtained letter from the President confirming the names of the duly authorized names of the application signer and approver as they appear in the application | + +We were not engaged to and did not conduct an examination, the objective of which would be the expression of an opinion on the Application for Extended Validation Certificate. Accordingly, we do not express such an opinion. Had we performed additional procedures, other matters might have come to our attention that would have been reported to you. 
+ +This report is intended solely for the information and use of the Certification Authority and managements of Client, and is not intended to be and should not be used by anyone other than these specified parties. + +[Signature] + +[Date] + +## CANADA + +To: [Name of Certification Authority] + +Re: Client Limited [Applicant] + +As specifically agreed, I/we have performed the following procedures in connection with the above company's application for an Extended Validation (EV) Certificate, dated ......................., 20.... with respect to the following specified information contained in the application + +| Specified Information: | Procedure:(Note 1: These are illustrative of the procedures that would be undertaken and are designed to meet the needs of the Certification Authorities issuing Extended Validation Certificates) | Results: (Note 2: If you are unavailable to perform any of the stated procedure, this should be noted in this column. Any exceptions should be noted in a separate paragraph below) | +| --- | --- | --- | +| | | | +| Legal Name - 123456 Ontario limited | Agree legal name to permanent audit file information (If audit has been completed) | Legal name on the application agrees with the information contained in our permanent file with respect to Client.(If there is no permanent file, state this fact) | +| | | | +| Doing business as - "Name" | Agree name to government data base of business names | The name "Name" is registered with the (name of database to which the name was agreed) | +| | | | +| Physical location - "Address Information" | Visit the location at the address | Site visit completed at Address | +| | | | +| Business Phone Number - 555 999 9999 | Phone the number provided and confirm that it was answered by the named organization | Phoned Business Number and noted that it was answered with the Doing Business As name. 
This would provided by the receptionist | +| | | | +| Bank Account – "Bank Name", "Account Number" | Request a letter directly from "the Bank" confirming the existence of the account for the benefit of "the Client" | Received letter directly from "the Bank" confirming the existence of the account for the benefit of "the Client" | +| | | | +| The corporate officers are "NAMED" (verified officer) | Agree Names to annual shareholders meeting minutes (Note - not required to personally know the officers) | Agreed Names listed as corporate officers on the application to minute books maintained by the Client | +| | | | +| Name of application signer and approver | Obtain letter from verified Officer confirming the names of the application signer and approver | Obtained letter from the President confirming the names of the duly authorized names of the application signer and approver as they appear in the application | + +As a result of applying the above procedures, I/we found [no / the following] exceptions [list of exceptions]. However, these procedures do not constitute an audit of the company's application for an EV Certificate, and therefore I express no opinion on the application dated ......................., 20..... + +This letter is for use solely in connection with the application for an Extended Validation Certificate by [Client] dated ......................., 20...... + +City + +(signed) ...................................... + +# Appendix D - Country-Specific Interpretative Guidelines (Normative) + +NOTE: This appendix provides alternative interpretations of the EV Guidelines for countries that have a language, cultural, technical, or legal reason for deviating from a strict interpretation of the EV Guidelines. More specific information for particular countries may be added to this appendix in the future. + +## 1. Organization Names + +1. 
Non-Latin Organization Name + + Where an EV Applicant's organization name is not registered with a QGIS in _Latin_ characters and the Applicant's foreign character organization name and registration have been verified with a QGIS in accordance with these Guidelines, a CA MAY include a Latin character organization name in the EV Certificate. In such a case, the CA MUST follow the procedures laid down in this section. + +2. Romanized Names + + In order to include a transliteration/Romanization of the registered name, the Romanization MUST be verified by the CA using a system officially recognized by the Government in the Applicant's Jurisdiction of Incorporation. + + If the CA can not rely on a transliteration/Romanization of the registered name using a system officially recognized by the Government in the Applicant's Jurisdiction of Incorporation, then it MUST rely on one of the options below, in order of preference: + + A. A system recognized by the International Organization for Standardization (ISO); + B. A system recognized by the United Nations; or + C. A Lawyer's Opinion or Accountant's Letter confirming the proper Romanization of the registered name. + +3. Translated Name + + In order to include a Latin character name in the EV certificate that is not a direct Romanization of the registered name (e.g. an English Name) the CA MUST verify that the Latin character name is: + + A. Included in the Articles of Incorporation (or equivalent document) filed as part of the organization registration; or + B. Recognized by a QTIS in the Applicant's Jurisdiction of Incorporation as the Applicant's recognized name for tax filings; or + C. Confirmed with a QIIS to be the name associated with the registered organization; or + D. Confirmed by a Verified Legal Opinion or Accountant's Letter to be a translated trading name associated with the registered organization. + +### Country-Specific Procedures + +#### D-1. 
Japan + +As interpretation of the procedures set out above: + +1. Organization Names + + A. The Revised Hepburn method of Romanization, as well as Kunrei-shiki and Nihon-shiki methods described in ISO 3602, are acceptable for Japanese Romanizations. + B. The CA MAY verify the Romanized transliteration, language translation (e.g. English name), or other recognized Roman-letter substitute of the Applicant's formal legal name with either a QIIS, Verified Legal Opinion, or Verified Accountant Letter. + C. The CA MAY use the Financial Services Agency to verify a Romanized, translated, or other recognized Roman-letter substitute name. When used, the CA MUST verify that the translated English is recorded in the audited Financial Statements. + D. When relying on Articles of Incorporation to verify a Romanized, translated, or other recognized Roman-letter substitute name, the Articles of Incorporation MUST be accompanied either: by a document, signed with the original Japanese Corporate Stamp, that proves that the Articles of Incorporation are authentic and current, or by a Verified Legal Opinion or a Verified Accountant Letter. The CA MUST verify the authenticity of the Corporate Stamp. + E. A Romanized, translated, or other recognized Roman-lettered substitute name confirmed in accordance with this [Appendix D-1](#d-1-japan) stored in the ROBINS database operated by JIPDEC MAY be relied upon by a CA for determining the allowed organization name during any issuance or renewal process of an EV Certificate without the need to re-perform the above procedures. + +2. Accounting Practitioner + + In Japan: + + A. Accounting Practitioner includes either a certified public accountant (公認会計士 - Konin-kaikei-shi) or a licensed tax accountant (税理士 – Zei-ri-shi). + B. 
The CA MUST verify the professional status of the Accounting Practitioner through direct contact with the relevant local member association that is affiliated with either the Japanese Institute of Certified Public Accountants ([http://www.hp.jicpa.or.jp](http://www.hp.jicpa.or.jp/)), the Japan Federation of Certified Tax Accountant's Associations ([http://www.nichizeiren.or.jp](http://www.nichizeiren.or.jp/)), or any other authoritative source recognized by the Japanese Ministry of Finance ([http://www.mof.go.jp](http://www.mof.go.jp/)) as providing the current registration status of such professionals. + +3. Legal Practitioner + + In Japan: + + A. Legal Practitioner includes any of the following: + + - a licensed lawyer (弁護士 - Ben-go-shi), + - a judicial scrivener (司法書士 - Shiho-sho-shi lawyer), + - an administrative solicitor (行政書士 - Gyosei-sho-shi Lawyer), + - or a notary public (公証人 - Ko-sho-nin). + + For purposes of the EV Guidelines, a Japanese Notary Public is considered equivalent to a Latin Notary. + + B. The CA MUST verify the professional status of the Legal Practitioner by direct contact through the relevant local member association that is affiliated with one of the following national associations: + + - the Japan Federation of Bar Associations ([http://www.nichibenren.or.jp](http://www.nichibenren.or.jp/)), + - the Japan Federation of Shiho-Shoshi Lawyer's Associations ([http://www.shiho-shoshi.or.jp](http://www.shiho-shoshi.or.jp/)), + - the Japan Federation of Administrative Solicitors ([http://www.gyosei.or.jp](http://www.gyosei.or.jp/)), + - the Japan National Notaries Association ([http://www.koshonin.gr.jp](http://www.koshonin.gr.jp/)), or + - any other authoritative source recognized by the Japanese Ministry of Justice ([http://www.moj.go.jp](http://www.moj.go.jp/)) as providing the current registration status of such professionals. 
+ +# Appendix E - Sample Contract Signer's Representation/Warranty (Informative) + +A CA may rely on the Contract Signer's authority to enter into the Subscriber Agreement using a representation/warranty executed by the Contract Signer. An example of an acceptable warranty is as follows: + +[CA] and Applicant are entering into a legally valid and enforceable Subscriber Agreement that creates extensive obligations on Applicant. An EV Certificate serves as a form of digital identity for Applicant. The loss or misuse of this identity can result in great harm to the Applicant. By signing this Subscriber Agreement, the contract signer acknowledges that they have the authority to obtain the digital equivalent of a company stamp, seal, or (where applicable) officer's signature to establish the authenticity of the company's website, and that [Applicant name] is responsible for all uses of its EV Certificate. By signing this Agreement on behalf of [Applicant name], the contract signer represents that the contract signer + + i. is acting as an authorized representative of [Applicant name], + ii. is expressly authorized by [Applicant name] to sign Subscriber Agreements and approve EV Certificate requests on Applicant's behalf, and + iii. has confirmed Applicant's right to use the domain(s) to be included in EV Certificates. + +# Appendix F – Unused + +This appendix is intentionally left blank. + +# Appendix G – Abstract Syntax Notation One module for EV certificates + +```ASN.1 +CABFSelectedAttributeTypes { + joint‐iso‐itu‐t(2) international‐organizations(23) + ca‐browser‐forum(140) module(4) + cabfSelectedAttributeTypes(1) 1 } +DEFINITIONS ::= +BEGIN +-- EXPORTS All +IMPORTS + -- from Rec. 
ITU-T X.501 | ISO/IEC 9594-2 + selectedAttributeTypes, ID, ldap-enterprise + FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1) + usefulDefinitions(0) 7} + + -- from the X.500 series + ub-locality-name, ub-state-name + FROM UpperBounds {joint-iso-itu-t ds(5) module(1) upperBounds(10) 7} + + -- from Rec. ITU-T X.520 | ISO/IEC 9594-6 + DirectoryString{}, CountryName + FROM SelectedAttributeTypes selectedAttributeTypes; + +id-evat-jurisdiction ID ::= {ldap-enterprise 311 ev(60) 2 1} +id-evat-jurisdiction-localityName ID ::= {id-evat-jurisdiction 1} +id-evat-jurisdiction-stateOrProvinceName ID ::= {id-evat-jurisdiction 2} +id-evat-jurisdiction-countryName ID ::= {id-evat-jurisdiction 3} + +jurisdictionLocalityName ATTRIBUTE ::= { + SUBTYPE OF name + WITH SYNTAX DirectoryString{ub-locality-name} + LDAP-SYNTAX directoryString.&id + LDAP-NAME {"jurisdictionL"} + ID id-evat-jurisdiction-localityName } + +jurisdictionStateOrProvinceName ATTRIBUTE ::= { + SUBTYPE OF name + WITH SYNTAX DirectoryString{ub-state-name} + LDAP-SYNTAX directoryString.&id + LDAP-NAME {"jurisdictionST"} + ID id-evat-jurisdiction-stateOrProvinceName } + +jurisdictionCountryName ATTRIBUTE ::= { + SUBTYPE OF name + WITH SYNTAX CountryName + SINGLE VALUE TRUE + LDAP-SYNTAX countryString.&id + LDAP-NAME {"jurisdictionC"} + ID id-evat-jurisdiction-countryName } + +END +``` + +# Appendix H – Registration Schemes + +The following Registration Schemes are currently recognized as valid under these +guidelines: + +* **NTR**: + + The information carried in this field shall be the same as held in + Subject Registration Number Field as specified in + [Section 9.2.5](#925-subject-registration-number-field) and the country code + used in the Registration Scheme identifier shall match that of the + subject’s jurisdiction as specified in + [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field). 
+ + Where the Subject Jurisdiction of Incorporation or Registration Field in 9.2.4 + includes more than the country code, the additional locality information shall + be included as specified in [Section 9.2.8](#928-subject-organization-identifier-field) + and/or [Section 9.8.2](#982-cabrowser-forum-organization-identifier-extension). + +* **VAT**: + + Reference allocated by the national tax authorities to a Legal Entity. This + information shall be validated using information provided by the national tax + authority against the organization as identified by the Subject Organization + Name Field (see [Section 9.2.1](#921-subject-organization-name-field)) and + Subject Registration Number Field (see + Section 9.2.5](#925-subject-registration-number-field)) within the context of + the subject’s jurisdiction as specified in + [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field). + +* **PSD**: + + Authorization number as specified in ETSI TS 119 495 clause 4.4 + allocated to a payment service provider and containing the information as + specified in ETSI TS 119 495 clause 5.2.1. This information SHALL be + obtained directly from the national competent authority register for + payment services or from an information source approved by a government + agency, regulatory body, or legislation for this purpose. This information + SHALL be validated by being matched directly or indirectly (for example, by + matching a globally unique registration number) against the organization as + identified by the Subject Organization Name Field (see + [Section 9.2.1](#921-subject-organization-name-field)) and + Subject Registration Number Field (see + [Section 9.2.5](#925-subject-registration-number-field)) within the context of + the subject’s jurisdiction as specified in + [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field). 
+ The stated address of the organization combined with the organization name + SHALL NOT be the only information used to disambiguate the organization. From e38309f4fc0e76acbd388cc51005ea9cee86f5f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Wed, 5 Jul 2023 18:24:08 +0200 Subject: [PATCH 09/48] Update EVG.md --- docs/EVG.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index c389dbc1..41256ae5 100644 --- a/docs/EVG.md +++ b/docs/EVG.md @@ -333,13 +333,9 @@ it has issued in the period beginning immediately after the last sample was take ### 9.6.5 Representations and warranties of other participants ## 9.7 Disclaimers of warranties ## 9.8 Limitations of liability -CAs MAY limit their liability as described in Section 9.8 of the Baseline Requirements except that a -CA MUST NOT limit its liability to Subscribers or Relying Parties for legally recognized and -provable claims to a monetary amount less than two thousand US dollars per Subscriber or Relying -Party per EV Certificate. +CAs MAY limit their liability as described in Section 9.8 of the Baseline Requirements except that a CA MUST NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than two thousand US dollars per Subscriber or Relying Party per EV Certificate. ## 9.9 Indemnities -A CA’s indemnification obligations and a Root CA’s obligations with respect to subordinate CAs are -set forth in Section 9.9 of the Baseline Requirements. +A CA's indemnification obligations and a Root CA's obligations with respect to subordinate CAs are set forth in Section 9.9 of the Baseline Requirements. ## 9.10 Term and termination ### 9.10.1 Term ### 9.10.2 Termination From c3365ef6f9a7da32ba364684c42075450c123f64 Mon Sep 17 00:00:00 2001 
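Review bot: the ASN.1 module in Appendix G mixes Unicode hyphens (U+2010) with ASCII hyphens: the module identifier lines `joint‐iso‐itu‐t(2) international‐organizations(23)` and `ca‐browser‐forum(140) module(4)` use `‐`, while the IMPORTS clause `FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)` uses `-`; an ASN.1 compiler will not accept the Unicode form, so normalize the whole block to ASCII before merging. In Appendix H the VAT entry drops the opening bracket of a link, `Section 9.2.5](#925-subject-registration-number-field))`, which will render as literal text, and every anchor in that appendix (`#921-`, `#924-`, `#925-`, `#928-`, `#982-`) targets the old EV Guidelines Section 9.2/9.8 headings, which do not exist in this RFC 3647 layout where Section 9 is "OTHER BUSINESS AND LEGAL MATTERS"; these need remapping to the new section that carries the subject-field requirements. Heading style alternates between `# Appendix A - ...` and `# Appendix F – Unused` / `# Appendix G – ...` / `# Appendix H – ...`; choose one dash. Typos carried over in the Appendix C tables, in both the United States and Canada versions: "If you are unavailable to perform any of the stated procedure" (unable, procedures), "This would provided by the receptionist" (missing "be"), and `Procedure:(Note 1:` missing a space; in Appendix B `cc: [Send copy to Client_]_` has stray emphasis underscores.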
From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Wed, 5 Jul 2023 18:25:06 +0200 Subject: [PATCH 10/48] Update EVG.md --- docs/EVG.md | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index 41256ae5..27eca0f4 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
@@ -294,13 +294,7 @@ The CA MUST complete any required point‐in‐time readiness assessment no earl (12) months prior to issuing an EV Certificate. The CA MUST undergo a complete audit under such scheme within ninety (90) days of issuing the first EV Certificate. ## 8.8 Self audits -During the period in which it issues EV Certificates, the CA MUST strictly control its service quality -by performing ongoing self audits against a randomly selected sample of at least three percent of -the EV Certificates it has issued in the period beginning immediately after the last sample was -taken. For all EV Certificates where the Final Cross‐Correlation and Due Diligence requirements of -Section 11.13 is performed by an RA, the CA MUST strictly control its service quality by performing -ongoing self audits against a randomly selected sample of at least six percent of the EV Certificates -it has issued in the period beginning immediately after the last sample was taken. +During the period in which it issues EV Certificates, the CA MUST strictly control its service quality by performing ongoing self audits against a randomly selected sample of at least three percent of the EV Certificates it has issued in the period beginning immediately after the last sample was taken. For all EV Certificates where the Final Cross-Correlation and Due Diligence requirements of [Section 11.13](#1113-final-cross-correlation-and-due-diligence) is performed by an RA, the CA MUST strictly control its service quality by performing ongoing self audits against a randomly selected sample of at least six percent of the EV Certificates it has issued in the period beginning immediately after the last sample was taken. # 9. OTHER BUSINESS AND LEGAL MATTERS ## 9.1 Fees ### 9.1.1 Certificate issuance or renewal fees From f10dd3a05159ba7af88539e6af6413ccb09973ae Mon Sep 17 00:00:00 2001 
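Review bot: the new link `[Section 11.13](#1113-final-cross-correlation-and-due-diligence)` targets a heading that does not exist in this file (the sections run 1 through 9, and the context line right below the change is `# 9. OTHER BUSINESS AND LEGAL MATTERS`), so it becomes a dead anchor; find where the Final Cross-Correlation and Due Diligence requirements live in the RFC 3647 layout and link there, or leave the reference as plain text until that section exists. The reflowed sentence also keeps "requirements of Section 11.13 is performed by an RA", which should read "are performed". The change from `Cross‐Correlation` to `Cross-Correlation` is the right direction, but the hunk's own leading context (`point‐in‐time readiness assessment`) shows the U+2010 hyphen is still present elsewhere in the file; a single file-wide replacement would be cleaner than fixing them one reflow at a time.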
From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Wed, 5 Jul 2023 18:29:12 +0200 Subject: [PATCH 11/48] Update EVG.md --- docs/EVG.md | 90 +++++++++++++++++++---------------------------------- 1 file changed, 32 insertions(+), 58 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index 27eca0f4..bacf6c29 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
@@ -181,21 +181,13 @@ The CA/Browser Forum is a voluntary open organization of certification authoriti # 6. TECHNICAL SECURITY CONTROLS (11) ## 6.1 Key pair generation and installation ### 6.1.1 Key pair generation -All requirements in Section 6.1.1.1 of the Baseline Requirements apply equally to EV Certificates. -However, for Root CA Key Pairs generated after the release of these Guidelines, the Root CA Key -Pair generation ceremony MUST be witnessed by the CA’s Qualified Auditor in order to observe the -process and the controls over the integrity and confidentiality of the Root CA Key Pairs produced. -The Qualified Auditor MUST then issue a report opining that the CA, during its Root CA Key Pair -and Certificate generation process: - - 1. Documented its Root CA key generation and protection procedures in its Certificate Policy, - and its Certification Practices Statement; +All requirements in Section 6.1.1.1 of the Baseline Requirements apply equally to EV Certificates. However, for Root CA Key Pairs generated after the release of these Guidelines, the Root CA Key Pair generation ceremony MUST be witnessed by the CA's Qualified Auditor in order to observe the process and the controls over the integrity and confidentiality of the Root CA Key Pairs produced. The Qualified Auditor MUST then issue a report opining that the CA, during its Root CA Key Pair and Certificate generation process: + + 1. Documented its Root CA key generation and protection procedures in its Certificate Policy, and its Certification Practices Statement; 2. Included appropriate detail in its Root Key Generation Script; - 3. Maintained effective controls to provide reasonable assurance that the Root CA key pair was - generated and protected in conformity with the procedures described in its CP/CPS and with - its Root Key Generation Script; - 4. Performed, during the Root CA key generation process, all the procedures required by its - Root Key Generation Script. + 3. 
Maintained effective controls to provide reasonable assurance that the Root CA key pair was generated and protected in conformity with the procedures described in its CP/CPS and with its Root Key Generation Script; + 4. Performed, during the Root CA key generation process, all the procedures required by its Root Key Generation Script. + ### 6.1.2 Private key delivery to subscriber ### 6.1.3 Public key delivery to certificate issuer ### 6.1.4 CA public key delivery to relying parties 
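Review bot: the commit message (`Update EVG.md`) should state that this hunk is a whitespace-only reflow, because that is what a reviewer has to verify: comparing the joined `+` lines with the removed `-` lines, the only character-level change besides line joins is `CA’s` becoming `CA's`, and the list items keep their single-space indent (` 1. Documented ...`). Saying "reflow, no normative change" in the message lets the next reader skip the word-by-word comparison, and it matters for the other hunk in this same patch, where the comparison does not come out clean.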
@@ -248,51 +240,34 @@ and Certificate generation process: ### 7.3.1 Version number(s) ### 7.3.2 OCSP extensions # 8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS -A CA issuing EV Certificates SHALL undergo an audit in accordance with one of the following -schemes: - i. WebTrust Program for CAs audit and WebTrust EV Program audit, - ii. ETSI TS 102 042 audit for EVCP, or - iii. ETSI EN 319 411‐1 audit for EVCP policy. - -If the CA is a Government Entity, an audit of the CA by the appropriate internal government -auditing agency is acceptable in lieu of the audits specified above, provided that such internal -government auditing agency publicly certifies in writing that its audit addresses the criteria -specified in one of the above audit schemes and certifies that the government CA has successfully -passed the audit. -EV audits MUST cover all CA obligations under these Guidelines regardless of whether they are -performed directly by the CA or delegated to an RA or subcontractor. +A CA issuing EV Certificates SHALL undergo an audit in accordance with one of the following schemes: + +i. WebTrust Program for CAs audit and WebTrust EV Program audit, +ii. ETSI TS 102 042 audit for EVCP, or +iii. ETSI EN 319 411-1 audit for EVCP policy. + +If the CA is a Government Entity, an audit of the CA by the appropriate internal government auditing agency is acceptable in lieu of the audits specified above, provided that such internal government auditing agency publicly certifies in writing that its audit addresses the criteria specified in one of the above audit schemes and certifies that the government CA has successfully passed the audit. + ## 8.1 Frequency or circumstances of assessment -CAs issuing EV Certificates MUST undergo an annual audit that meets the criteria of Section 17.1 +CAs issuing EV Certificates MUST undergo an annual audit that meets the criteria of [Section 17.1](#171-eligible-audit-schemes). 
## 8.2 Identity/qualifications of assessor -A Qualified Auditor (as defined in Section 8.2 of the Baseline Requirements) MUST perform the -CA’s audit. +A Qualified Auditor (as defined in Section 8.2 of the Baseline Requirements) MUST perform the CA's audit. ## 8.3 Assessor's relationship to assessed entity ## 8.4 Topics covered by assessment ## 8.5 Actions taken as a result of deficiency ## 8.6 Communication of results -CAs SHOULD make its audit report publicly available no later than three months after the end of -the audit period. If there is a delay greater than three months and if so requested by an Application -Software Supplier, the CA MUST provide an explanatory letter signed by its auditor. +CAs SHOULD make its audit report publicly available no later than three months after the end of the audit period. If there is a delay greater than three months and if so requested by an Application Software Supplier, the CA MUST provide an explanatory letter signed by its auditor. ## 8.7 Pre-issuance Readiness Audit -1. If the CA has a currently valid WebTrust Seal of Assurance for CAs, then, before issuing EV - Certificates, the CA and its Root CA MUST successfully complete a point‐in‐time readiness - assessment audit against the WebTrust EV Program. -2. If the CA has a currently valid ETSI 102 042 audit, then, before issuing EV Certificates, the CA - and its Root CA MUST successfully complete a point‐in‐time readiness assessment audit - against ETSI TS 102 042. -3. If the CA has a currently valid ETSI EN 319 411‐1 audit for EVCP policy, then, before issuing EV - Certificates, the CA and its Root CA MUST successfully complete a point‐in‐time readiness - assessment audit against ETSI EN 319 411‐1 for EVCP. -4. If the CA does not have a currently valid WebTrust Seal of Assurance for CAs or an ETSI TS - 102 042 EVCP audit or an ETSI EN 319 411‐1 audit for EVCP policy, then, before issuing EV - Certificates, the CA and its Root CA MUST successfully complete either: - i. 
a point‐in‐time readiness assessment audit against the WebTrust for CA Program, or - ii. a point‐in‐time readiness assessment audit against the WebTrust EV Program, the ETSI - TS 102 042 EVCP, or the ETSI EN 319 411‐1 for EVCP policy. - -The CA MUST complete any required point‐in‐time readiness assessment no earlier than twelve -(12) months prior to issuing an EV Certificate. The CA MUST undergo a complete audit under such -scheme within ninety (90) days of issuing the first EV Certificate. + +1. If the CA has a currently valid WebTrust Seal of Assurance for CAs, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against the WebTrust EV Program. +2. If the CA has a currently valid ETSI 102 042 audit, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against ETSI TS 102 042. +3. If the CA has a currently valid ETSI EN 319 411-1 audit for EVCP policy, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against ETSI EN 319 411-1 for EVCP. +4. If the CA does not have a currently valid WebTrust Seal of Assurance for CAs or an ETSI TS 102 042 EVCP audit or an ETSI EN 319 411-1 audit for EVCP policy, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete either: + i. a point-in-time readiness assessment audit against the WebTrust for CA Program, or + ii. a point-in-time readiness assessment audit against the WebTrust EV Program, the ETSI TS 102 042 EVCP, or the ETSI EN 319 411-1 for EVCP policy. + +The CA MUST complete any required point-in-time readiness assessment no earlier than twelve (12) months prior to issuing an EV Certificate. The CA MUST undergo a complete audit under such scheme within ninety (90) days of issuing the first EV Certificate. 
+ ## 8.8 Self audits During the period in which it issues EV Certificates, the CA MUST strictly control its service quality by performing ongoing self audits against a randomly selected sample of at least three percent of the EV Certificates it has issued in the period beginning immediately after the last sample was taken. For all EV Certificates where the Final Cross-Correlation and Due Diligence requirements of [Section 11.13](#1113-final-cross-correlation-and-due-diligence) is performed by an RA, the CA MUST strictly control its service quality by performing ongoing self audits against a randomly selected sample of at least six percent of the EV Certificates it has issued in the period beginning immediately after the last sample was taken. # 9. OTHER BUSINESS AND LEGAL MATTERS @@ -350,12 +325,11 @@ A CA's indemnification obligations and a Root CA's obligations with respect to s ### 9.16.5 Force Majeure ## 9.17 Other provisions # Appendix A - User Agent Verification (Normative) -The CA MUST host test Web pages that allow Application Software Suppliers to test their software -with EV Certificates that chain up to each EV Root Certificate. At a minimum, the CA MUST host -separate Web pages using certificates that are: -i. valid; -ii. revoked; and -iii. expired. +The CA MUST host test Web pages that allow Application Software Suppliers to test their software with EV Certificates that chain up to each EV Root Certificate. At a minimum, the CA MUST host separate Web pages using certificates that are: + + i. valid; + ii. revoked; and + iii. expired. # Appendix B - Sample Attorney Opinions Confirming Specified Information From 19fd8df712859689ab4879b7db2b538f7ab7698b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Wed, 5 Jul 2023 18:34:55 +0200 Subject: [PATCH 12/48] Update EVG.md --- docs/EVG.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) 
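Review bot: The rewrite of the Section 8 preamble in hunk `@@ -248,51 +240,34 @@` drops a normative sentence without a replacement: the removed lines include `-EV audits MUST cover all CA obligations under these Guidelines regardless of whether they are` / `-performed directly by the CA or delegated to an RA or subcontractor.`, but no `+` line carries that text, so the requirement that delegated RA and subcontractor work stays within audit scope silently disappears. Please re-add it as its own paragraph after the Government Entity paragraph. Two smaller points in the same hunk: the new link in 8.1, `[Section 17.1](#171-eligible-audit-schemes)`, keeps the pre-RFC 3647 section number even though the eligible schemes are now listed in the Section 8 preamble directly above, so the anchor will not resolve in this file; and the carried-over `+CAs SHOULD make its audit report publicly available` mixes a plural subject with a singular pronoun (either `The CA SHOULD make its ...` or `CAs ... their ...`).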
diff --git a/docs/EVG.md b/docs/EVG.md index bacf6c29..57f2aa41 100644 --- a/docs/EVG.md +++ b/docs/EVG.md @@ -44,7 +44,7 @@ The CA/Browser Forum is a voluntary open organization of certification authoriti ## 2.2 Publication of certification information ## 2.3 Time or frequency of publication ## 2.4 Access controls on repositories -# 3. IDENTIFICATION AND AUTHENTICATION (11) +# 3. IDENTIFICATION AND AUTHENTICATION ## 3.1 Naming ### 3.1.1 Types of names ### 3.1.2 Need for names to be meaningful @@ -130,7 +130,8 @@ The CA/Browser Forum is a voluntary open organization of certification authoriti ## 4.12 Key escrow and recovery ### 4.12.1 Key escrow and recovery policy and practices ### 4.12.2 Session key encapsulation and recovery policy and practices -# 5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS (11) +# 5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS +As specified in Section 5 of the Baseline Requirements. In addition, systems used to process and approve EV Certificate Requests MUST require actions by at least two trusted persons before creating an EV Certificate. ## 5.1 Physical controls ### 5.1.1 Site location and construction ### 5.1.2 Physical access @@ -155,6 +156,8 @@ The CA/Browser Forum is a voluntary open organization of certification authoriti ### 5.3.7 Independent contractor requirements ### 5.3.8 Documentation supplied to personnel ## 5.4 Audit logging procedures +As specified in Section 5.4 of the Baseline Requirements. + ### 5.4.1 Types of events recorded ### 5.4.2 Frequency of processing log ### 5.4.3 Retention period for audit log 
@@ -178,7 +181,7 @@ The CA/Browser Forum is a voluntary open organization of certification authoriti ### 5.7.3 Entity private key compromise procedures ### 5.7.4 Business continuity capabilities after a disaster ## 5.8 CA or RA termination -# 6. TECHNICAL SECURITY CONTROLS (11) +# 6. TECHNICAL SECURITY CONTROLS ## 6.1 Key pair generation and installation ### 6.1.1 Key pair generation All requirements in Section 6.1.1.1 of the Baseline Requirements apply equally to EV Certificates. However, for Root CA Key Pairs generated after the release of these Guidelines, the Root CA Key Pair generation ceremony MUST be witnessed by the CA's Qualified Auditor in order to observe the process and the controls over the integrity and confidentiality of the Root CA Key Pairs produced. The Qualified Auditor MUST then issue a report opining that the CA, during its Root CA Key Pair and Certificate generation process: From 865500b5264785b44ed2457e9207a1ad783a0627 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Thu, 6 Jul 2023 13:13:05 +0200 Subject: [PATCH 13/48] Update EVG.md --- docs/EVG.md | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/docs/EVG.md b/docs/EVG.md index 57f2aa41..7f440e2f 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
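Review bot: The two-person requirement added to the Section 5 heading in hunk `@@ -130,7 +130,8 @@` (`+As specified in Section 5 of the Baseline Requirements. In addition, systems used to process and approve EV Certificate Requests MUST require actions by at least two trusted persons before creating an EV Certificate.`) is placed at chapter level, while RFC 3647 reserves `### 5.2.2 Number of persons required per task` for exactly this control and that subsection is left empty. Moving the sentence under 5.2.2, or at least adding a pointer there, keeps the requirement where a reader of a CP/CPS built on this template will look for it and avoids later insertions under 5.2.4 restating it. Also, no blank line separates the new paragraph from `## 5.1 Physical controls`, unlike the insertion in the `@@ -155` hunk of the same patch.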
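Review bot: The incorporation-by-reference line in hunk `@@ -155,6 +156,8 @@` (`+As specified in Section 5.4 of the Baseline Requirements.`) sits under `## 5.4 Audit logging procedures` while `### 5.4.1`, `### 5.4.2` and `### 5.4.3` below it stay empty, so it is unclear whether the reference is meant to cover the subsections as well or whether EV-specific additions (for example, logging of the two-person approval actions introduced in the Section 5 preamble) are still to come. Suggest stating explicitly that Section 5.4 of the Baseline Requirements applies to all of 5.4.1 through 5.4.3, or filling in each subsection.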
@@ -27,6 +27,21 @@ The CA/Browser Forum is a voluntary open organization of certification authoriti ## 1.3 PKI participants ### 1.3.1 Certification authorities ### 1.3.2 Registration authorities +The CA MAY delegate the performance of all or any part of a requirement of these Guidelines to an Affiliate or a Registration Authority (RA) or subcontractor, provided that the process employed by the CA fulfills all of the requirements of [Section 11.13](#1113-final-cross-correlation-and-due-diligence). +Affiliates and/or RAs must comply with the qualification requirements of [Section 14.1](#141-trustworthiness-and-competence). + +The CA SHALL verify that the Delegated Third Party's personnel involved in the issuance of a Certificate meet the training and skills requirements of [Section 14](#14-employee-and-third-party-issues) and the document retention and event logging requirements of [Section 15](#15-data-records). + +In all cases, the CA MUST contractually obligate each Affiliate, RA, subcontractor, and Enterprise RA to comply with all applicable requirements in these Guidelines and to perform them as required of the CA itself. The CA SHALL enforce these obligations and internally audit each Affiliate's, RA's, subcontractor's, and Enterprise RA's compliance with these Requirements on an annual basis. +#### 1.3.2.1 Enterprise Registration authorities +The CA MAY contractually authorize a Subscriber to perform the RA function and authorize the CA to issue additional EV Certificates. In such case, the Subscriber SHALL be considered an Enterprise RA, and the following requirements SHALL apply: + +1. In all cases, the Subscriber MUST be an organization verified by the CA in accordance with these Guidelines; +2. The CA MUST impose these limitations as a contractual requirement with the Enterprise RA and monitor compliance by the Enterprise RA; and +3. 
The Final Cross-Correlation and Due Diligence requirements of [Section 11.13](#1113-final-cross-correlation-and-due-diligence) MAY be performed by a single person representing the Enterprise RA. + +Enterprise RAs that authorize the issuance of EV Certificates solely for its own organization are exempted from the audit requirements of [Section 17.1](#171-eligible-audit-schemes). In all other cases, the requirements of [Section 17.1](#171-eligible-audit-schemes) SHALL apply. + ### 1.3.3 Subscribers ### 1.3.4 Relying parties ### 1.3.5 Other participants 
@@ -146,10 +161,33 @@ As specified in Section 5 of the Baseline Requirements. In addition, systems use ### 5.2.2 Number of persons required per task ### 5.2.3 Identification and authentication for each role ### 5.2.4 Roles requiring separation of duties +1. The CA MUST enforce rigorous control procedures for the separation of validation duties to ensure that no one person can single-handedly validate and authorize the issuance of an EV Certificate. The Final Cross-Correlation and Due Diligence steps, as outlined in [Section 11.13](#1113-final-cross-correlation-and-due-diligence), MAY be performed by one of the persons. For example, one Validation Specialist MAY review and verify all the Applicant information and a second Validation Specialist MAY approve issuance of the EV Certificate. +2. Such controls MUST be auditable. ## 5.3 Personnel controls ### 5.3.1 Qualifications, experience, and clearance requirements ### 5.3.2 Background check procedures +Prior to the commencement of employment of any person by the CA for engagement in the EV Processes, whether as an employee, agent, or an independent contractor of the CA, the CA MUST: + +1. **Verify the Identity of Such Person**: Verification of identity MUST be performed through: + + A. The personal (physical) presence of such person before trusted persons who perform human resource or security functions, and + B. The verification of well-recognized forms of government-issued photo identification (e.g., passports and/or drivers licenses); + + and + +2. **Verify the Trustworthiness of Such Person**: Verification of trustworthiness SHALL include background checks, which address at least the following, or their equivalent: + + A. Confirmation of previous employment, + B. Check of professional references; + C. Confirmation of the highest or most-relevant educational qualification obtained; + D. 
Search of criminal records (local, state or provincial, and national) where allowed by the jurisdiction in which the person will be employed; + + and + +3. In the case of employees already in the employ of the CA at the time of adoption of these Guidelines whose identity and background has not previously been verified as set forth above, the CA SHALL conduct such verification within three months of the date of adoption of these Guidelines. + ### 5.3.3 Training requirements +The requirements in Section 5.3.3 of the Baseline Requirements apply equally to EV Certificates and these Guidelines. The required internal examination must relate to the EV Certificate validation criteria outlined in these Guidelines. ### 5.3.4 Retraining frequency and requirements ### 5.3.5 Job rotation frequency and sequence ### 5.3.6 Sanctions for unauthorized actions From 3cd5f4db6f171d0af512349aec4f3ae20b990581 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Thu, 6 Jul 2023 13:26:49 +0200 Subject: [PATCH 14/48] Update EVG.md --- docs/EVG.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/docs/EVG.md b/docs/EVG.md index 7f440e2f..4726eaeb 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
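Review bot: The RA text added in hunk `@@ -27,6 +27,21 @@` is inconsistent in its normative vocabulary: `+Affiliates and/or RAs must comply with the qualification requirements of [Section 14.1](#141-trustworthiness-and-competence).` uses lowercase `must`, which under the RFC 2119 convention this document adopts is not a requirement keyword, and the final paragraph ends with `compliance with these Requirements`, whereas the document refers to itself as `these Guidelines` everywhere else. Both should read MUST / these Guidelines. The cross-references `[Section 11.13]`, `[Section 14.1]`, `[Section 14]`, `[Section 15]` and `[Section 17.1]` also keep the legacy EVG numbering and anchors; in the RFC 3647 layout of this file the personnel, records and audit material lives in Sections 5.3, 5.4 and 8, so these links need retargeting. Minor: `Enterprise RAs that authorize ... solely for its own organization` should be `their own organization`, and `#### 1.3.2.1 Enterprise Registration authorities` has no blank line before it.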
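Review bot: In hunk `@@ -146,10 +161,33 @@` the training text under 5.3.3 again drops to lowercase in `+The required internal examination must relate to the EV Certificate validation criteria outlined in these Guidelines.`; it should be MUST, consistent with the rest of the insertion. The separation-of-duties list under 5.2.4 partly restates the two-person rule already visible in the hunk's own context line (`As specified in Section 5 of the Baseline Requirements. In addition, systems use...`); a cross-reference from one to the other would make clear that 5.2.4 item 1 is the control and the Section 5 preamble its system-level consequence, not two independent requirements. Formatting: the numbered list under `### 5.2.4` and the paragraph under `### 5.3.2` follow their headings without a blank line, and item 1.B has `drivers licenses` where `driver's licenses` is meant.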
@@ -82,12 +82,34 @@ Enterprise RAs that authorize the issuance of EV Certificates solely for its own ## 4.1 Certificate Application ### 4.1.1 Who can submit a certificate application ### 4.1.2 Enrollment process and responsibilities +The documentation requirements in Section 4.1.2 of the Baseline Requirements apply equally to EV Certificates. +The Certificate Request requirements in Section 4.1.2 of the Baseline Requirements apply equally to EV Certificates subject to the additional more stringent ageing and updating requirement of [Section 11.14](#1114-requirements-for-re-use-of-existing-documentation). + ## 4.2 Certificate application processing ### 4.2.1 Performing identification and authentication functions +The following Applicant roles are required for the issuance of an EV Certificate. + +1. **Certificate Requester**: The EV Certificate Request MUST be submitted by an authorized Certificate Requester. A Certificate Requester is a natural person who is either the Applicant, employed by the Applicant, an authorized agent who has express authority to represent the Applicant, or a third party (such as an ISP or hosting company) that completes and submits an EV Certificate Request on behalf of the Applicant. + +2. **Certificate Approver**: The EV Certificate Request MUST be approved by an authorized Certificate Approver. A Certificate Approver is a natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant to + + i. act as a Certificate Requester and to authorize other employees or third parties to act as a Certificate Requester, and + ii. to approve EV Certificate Requests submitted by other Certificate Requesters. + +3. **Contract Signer**: A Subscriber Agreement applicable to the requested EV Certificate MUST be signed by an authorized Contract Signer. 
A Contract Signer is a natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant, and who has authority on behalf of the Applicant to sign Subscriber Agreements. + +4. **Applicant Representative**: In the case where the CA and the Subscriber are affiliated, Terms of Use applicable to the requested EV Certificate MUST be acknowledged and agreed to by an authorized Applicant Representative. An Applicant Representative is a natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant, and who has authority on behalf of the Applicant to acknowledge and agree to the Terms of Use. + +The Applicant MAY authorize one individual to occupy two or more of these roles. The Applicant MAY authorize more than one individual to occupy any of these roles. + ### 4.2.2 Approval or rejection of certificate applications ### 4.2.3 Time to process certificate applications ## 4.3 Certificate issuance ### 4.3.1 CA actions during certificate issuance +Certificate issuance by the Root CA SHALL require an individual authorized by the CA (i.e. the CA system operator, system officer, or PKI administrator) to deliberately issue a direct command in order for the Root CA to perform a certificate signing operation. + +Root CA Private Keys MUST NOT be used to sign EV Certificates. + ### 4.3.2 Notification to subscriber by the CA of issuance of certificate ## 4.4 Certificate acceptance ### 4.4.1 Conduct constituting certificate acceptance 
@@ -339,6 +361,7 @@ During the period in which it issues EV Certificates, the CA MUST strictly contr ### 9.6.1 CA representations and warranties ### 9.6.2 RA representations and warranties ### 9.6.3 Subscriber representations and warranties +Section 9.6.3 of the Baseline Requirements applies equally to EV Certificates. In cases where the Certificate Request does not contain all necessary information about the Applicant, the CA MUST additionally confirm the data with the Certificate Approver or Contract Signer rather than the Certificate Requester. ### 9.6.4 Relying party representations and warranties ### 9.6.5 Representations and warranties of other participants ## 9.7 Disclaimers of warranties From 74580a85b41a6aefc61413802900e08cb82f0e4d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Thu, 6 Jul 2023 15:49:56 +0200 Subject: [PATCH 15/48] Update EVG.md --- docs/EVG.md | 169 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 169 insertions(+) diff --git a/docs/EVG.md b/docs/EVG.md index 4726eaeb..02a7533a 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
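Review bot: The four Applicant roles inserted under 4.2.1 in hunk `@@ -82,12 +82,34 @@` (Certificate Requester, Certificate Approver, Contract Signer, Applicant Representative) repeat word for word the definitions that patch 15/48 of this series adds to Section 1.6.1; two normative copies invite drift, so one place should define and the other should reference (`as defined in Section 1.6.1`). Within the Certificate Approver item the sentence runs `express authority to represent the Applicant to` and then `ii. to approve EV Certificate Requests`, giving a doubled `to`; drop the second one. The 4.1.2 link `[Section 11.14](#1114-requirements-for-re-use-of-existing-documentation)` uses the legacy numbering and anchor, as elsewhere in the series, and will not resolve in this file.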
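Review bot: The 9.6.3 addition in hunk `@@ -339,6 +361,7 @@` is inserted with no blank line before `### 9.6.4`, unlike the other insertions in this patch, and `confirm the data with the Certificate Approver or Contract Signer rather than the Certificate Requester` can be read as forbidding any contact with the Requester; if the intent is only that the Requester's own statement is not sufficient confirmation, saying so removes the ambiguity.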
@@ -54,6 +54,175 @@ Enterprise RAs that authorize the issuance of EV Certificates solely for its own ### 1.5.3 Person determining CPS suitability for the policy ### 1.5.4 CPS approval procedures ## 1.6 Definitions and acronyms +### 1.6.1 Definitions +Capitalized Terms are defined in the Baseline Requirements except where provided below: + +**Accounting Practitioner**: A certified public accountant, chartered accountant, or a person with an equivalent license within the country of the Applicant's Jurisdiction of Incorporation or Registration or any jurisdiction where the Applicant maintains an office or physical facility; provided that an accounting standards body in the jurisdiction maintains full (not "suspended" or "associate") membership status with the International Federation of Accountants. + +**Baseline Requirements**: The Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates as published by the CA/Browser Forum and any amendments to such document. + +**Business Entity**: Any entity that is not a Private Organization, Government Entity, or Non-Commercial Entity as defined herein. Examples include, but are not limited to, general partnerships, unincorporated associations, sole proprietorships, etc. + +**Certificate Approver**: A natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant to + + i. act as a Certificate Requester and to authorize other employees or third parties to act as a Certificate Requester, and + ii. to approve EV Certificate Requests submitted by other Certificate Requesters. + +**Certificate Requester**: A natural person who is either the Applicant, employed by the Applicant, an authorized agent who has express authority to represent the Applicant, or a third party (such as an ISP or hosting company) that completes and submits an EV Certificate Request on behalf of the Applicant. 
+ +**Confirmation Request**: An appropriate out-of-band communication requesting verification or confirmation of the particular fact at issue. + +**Confirming Person**: A position within an Applicant's organization that confirms the particular fact at issue. + +**Contract Signer**: A natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant, and who has authority on behalf of the Applicant to sign Subscriber Agreements. + +**Demand Deposit Account**: A deposit account held at a bank or other financial institution, the funds deposited in which are payable on demand. The primary purpose of demand accounts is to facilitate cashless payments by means of check, bank draft, direct debit, electronic funds transfer, etc. Usage varies among countries, but a demand deposit account is commonly known as a share draft account, a current account, or a checking account. + +**EV Authority**: A source other than the Certificate Approver, through which verification occurs that the Certificate Approver is expressly authorized by the Applicant, as of the date of the EV Certificate Request, to take the Request actions described in these Guidelines. + +**EV Certificate**: A certificate that contains subject information specified in these Guidelines and that has been validated in accordance with these Guidelines. + +**EV Certificate Beneficiaries**: Persons to whom the CA and its Root CA make specified EV Certificate Warranties. + +**EV Certificate Renewal**: The process whereby an Applicant who has a valid unexpired and non-revoked EV Certificate makes an application, to the CA that issued the original certificate, for a newly issued EV Certificate for the same organizational name and Domain Name prior to the expiration of the Applicant's existing EV Certificate but with a new 'valid to' date beyond the expiry of the current EV Certificate. 
+ +**EV Certificate Reissuance**: The process whereby an Applicant who has a valid unexpired and non-revoked EV Certificate makes an application, to the CA that issued the original certificate, for a newly issued EV Certificate for the same organizational name and Domain Name prior to the expiration of the Applicant's existing EV Certificate but with a 'valid to' date that matches that of the current EV Certificate. + +**EV Certificate Request**: A request from an Applicant to the CA requesting that the CA issue an EV Certificate to the Applicant, which request is validly authorized by the Applicant and signed by the Applicant Representative. + +**EV Certificate Warranties**: In conjunction with the CA issuing an EV Certificate, the CA and its Root CA, during the period when the EV Certificate is Valid, promise that the CA has followed the requirements of these Guidelines and the CA's EV Policies in issuing the EV Certificate and in verifying the accuracy of the information contained in the EV Certificate. + +**EV OID**: An identifying number, in the form of an "object identifier," that is included in the `certificatePolicies` field of a certificate that: + + i. indicates which CA policy statement relates to that certificate, and + ii. is either the CA/Browser Forum EV policy identifier or a policy identifier that, by pre-agreement with one or more Application Software Supplier, marks the certificate as being an EV Certificate. + +**EV Policies**: Auditable EV Certificate practices, policies and procedures, such as a certification practice statement and certificate policy, that are developed, implemented, and enforced by the CA and its Root CA. + +**EV Processes**: The keys, software, processes, and procedures by which the CA verifies Certificate Data under this Guideline, issues EV Certificates, maintains a Repository, and revokes EV Certificates. + +**Extended Validation Certificate**: See EV Certificate. 
+ +**Government Agency**: In the context of a Private Organization, the government agency in the Jurisdiction of Incorporation under whose authority the legal existence of Private Organizations is established (e.g., the government agency that issued the Certificate of Incorporation). In the context of Business Entities, the government agency in the jurisdiction of operation that registers business entities. In the case of a Government Entity, the entity that enacts law, regulations, or decrees establishing the legal existence of Government Entities. + +**Guidelines**: This document. + +**Incorporating Agency**: In the context of a Private Organization, the government agency in the Jurisdiction of Incorporation under whose authority the legal existence of the entity is registered (e.g., the government agency that issues certificates of formation or incorporation). In the context of a Government Entity, the entity that enacts law, regulations, or decrees establishing the legal existence of Government Entities. + +**Independent Confirmation From Applicant**: Confirmation of a particular fact received by the CA pursuant to the provisions of the Guidelines or binding upon the Applicant. + +**Individual**: A natural person. + +**International Organization**: An organization founded by a constituent document, e.g., a charter, treaty, convention or similar document, signed by, or on behalf of, a minimum of two Sovereign State governments. + +**Jurisdiction of Incorporation**: In the context of a Private Organization, the country and (where applicable) the state or province or locality where the organization's legal existence was established by a filing with (or an act of) an appropriate government agency or entity (e.g., where it was incorporated). In the context of a Government Entity, the country and (where applicable) the state or province where the Entity's legal existence was created by law. 
+ +**Jurisdiction of Registration**: In the case of a Business Entity, the state, province, or locality where the organization has registered its business presence by means of filings by a Principal Individual involved in the business. + +**Latin Notary**: A person with legal training whose commission under applicable law not only includes authority to authenticate the execution of a signature on a document but also responsibility for the correctness and content of the document. A Latin Notary is sometimes referred to as a Civil Law Notary. + +**Legal Entity**: A Private Organization, Government Entity, Business Entity, or Non-Commercial Entity. + +**Legal Existence**: A Private Organization, Government Entity, or Business Entity has Legal Existence if it has been validly formed and not otherwise terminated, dissolved, or abandoned. + +**Legal Practitioner**: A person who is either a lawyer or a Latin Notary as described in these Guidelines and competent to render an opinion on factual claims of the Applicant. + +**Maximum Validity Period**: + + 1. The maximum time period for which the issued EV Certificate is valid. + 2. The maximum period after validation by the CA that certain Applicant information may be relied upon in issuing an EV Certificate pursuant to these Guidelines. + +**Notary**: A person whose commission under applicable law includes authority to authenticate the execution of a signature on a document. + +**Place of Business**: The location of any facility (such as a factory, retail store, warehouse, etc) where the Applicant's business is conducted. + +**Principal Individual**: An individual of a Private Organization, Government Entity, or Business Entity that is either an owner, partner, managing member, director, or officer, as identified by their title of employment, or an employee, contractor or agent authorized by such entity or organization to conduct business related to the request, issuance, and use of EV Certificates. 
+ +**Private Organization**: A non-governmental legal entity (whether ownership interests are privately held or publicly traded) whose existence was created by a filing with (or an act of) the Incorporating Agency or equivalent in its Jurisdiction of Incorporation. + +**Qualified Auditor**: An independent public accounting firm that meets the auditing qualification requirements specified in [Section 17.6](#176-auditor-qualification). + +**Qualified Government Information Source**: A database maintained by a Government Entity (e.g. SEC filings) that meets the requirements of [Section 11.11.6](#11116-qualified-government-information-source). + +**Qualified Government Tax Information Source**: A Qualified Governmental Information Source that specifically contains tax information relating to Private Organizations, Business Entities, or Individuals. + +**Qualified Independent Information Source**: A regularly-updated and current, publicly available, database designed for the purpose of accurately providing the information for which it is consulted, and which is generally recognized as a dependable source of such information. + +**Registration Agency**: A Governmental Agency that registers business information in connection with an entity's business formation or authorization to conduct business under a license, charter or other certification. A Registration Agency MAY include, but is not limited to + + i. a State Department of Corporations or a Secretary of State; + ii. a licensing agency, such as a State Department of Insurance; or + iii. a chartering agency, such as a state office or department of financial regulation, banking or finance, or a federal agency such as the Office of the Comptroller of the Currency or Office of Thrift Supervision. + +**Registration Reference**: A unique identifier assigned to a Legal Entity. 
+ +**Registration Scheme**: A scheme for assigning a Registration Reference meeting the requirements identified in [Appendix H](#appendix-h--registration-schemes). + +**Registered Agent**: An individual or entity that is: + + i. authorized by the Applicant to receive service of process and business communications on behalf of the Applicant; and + ii. listed in the official records of the Applicant's Jurisdiction of Incorporation as acting in the role specified in (i) above. + +**Registered Office**: The official address of a company, as recorded with the Incorporating Agency, to which official documents are sent and at which legal notices are received. + +**Registration Number**: The unique number assigned to a Private Organization by the Incorporating Agency in such entity's Jurisdiction of Incorporation. + +**Regulated Financial Institution**: A financial institution that is regulated, supervised, and examined by governmental, national, state or provincial, or local authorities. + +**Root Key Generation Script**: A documented plan of procedures to be performed for the generation of the Root CA Key Pair. + +**Signing Authority**: One or more Certificate Approvers designated to act on behalf of the Applicant. + +**Superior Government Entity**: Based on the structure of government in a political subdivision, the Government Entity or Entities that have the ability to manage, direct and control the activities of the Applicant. + +**Suspect code**: Code that contains malicious functionality or serious vulnerabilities, including spyware, malware and other code that installs without the user's consent and/or resists its own removal, and code that can be exploited in ways not intended by its designers to compromise the trustworthiness of the platforms on which it executes. 
+ +**Translator**: An individual or Business Entity that possesses the requisite knowledge and expertise to accurately translate the words of a document written in one language to the native language of the CA. + +**Verified Accountant Letter**: A document meeting the requirements specified in [Section 11.11.2](#11112-verified-accountant-letter). + +**Verified Legal Opinion**: A document meeting the requirements specified in [Section 11.11.1](#11111-verified-legal-opinion). + +**Verified Method of Communication**: The use of a telephone number, a fax number, an email address, or postal delivery address, confirmed by the CA in accordance with [Section 11.5](#115-verified-method-of-communication) as a reliable way of communicating with the Applicant. + +**Verified Professional Letter**: A Verified Accountant Letter or Verified Legal Opinion. + +**WebTrust EV Program**: The additional audit procedures specified for CAs that issue EV Certificates by the AICPA/CICA to be used in conjunction with its WebTrust Program for Certification Authorities. + +**WebTrust Program for CAs**: The then-current version of the AICPA/CICA WebTrust Program for Certification Authorities. + +**WebTrust Seal of Assurance**: An affirmation of compliance resulting from the WebTrust Program for CAs. 
+### 1.6.2 Acronyms +Abbreviations and Acronyms are defined in the Baseline Requirements except as otherwise defined herein: + +| **Acronym** | **Meaning** | +| --- | --- | +| BIPM | International Bureau of Weights and Measures | +| BIS | (US Government) Bureau of Industry and Security | +| CEO | Chief Executive Officer | +| CFO | Chief Financial Officer | +| CIO | Chief Information Officer | +| CISO | Chief Information Security Officer | +| COO | Chief Operating Officer | +| CPA | Chartered Professional Accountant | +| CSO | Chief Security Officer | +| EV | Extended Validation | +| gTLD | Generic Top-Level Domain | +| IFAC | International Federation of Accountants | +| IRS | Internal Revenue Service | +| ISP | Internet Service Provider | +| QGIS | Qualified Government Information Source | +| QTIS | Qualified Government Tax Information Source | +| QIIS | Qualified Independent Information Source | +| SEC | (US Government) Securities and Exchange Commission | +| UTC(k) | National realization of Coordinated Universal Time | +### 1.6.3 Conventions +Terms not otherwise defined in these Guidelines shall be as defined in applicable agreements, user manuals, certification practice statements (CPS), and certificate policies (CP) of the CA issuing EV Certificates. + +The key words "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in these Guidelines shall be interpreted in accordance with RFC 2119. + +By convention, this document omits time and timezones when listing effective requirements such as dates. Except when explicitly specified, the associated time with a date shall be 00:00:00 UTC. + # 2. PUBLICATION AND REPOSITORY RESPONSIBILITIES ## 2.1 Repositories ## 2.2 Publication of certification information From 7385ccde2b4075c778d72a75599b79dc9f2661e6 Mon Sep 17 00:00:00 2001 
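Review bot: the cross-references in these definitions still point at the pre-RFC 3647 numbering ([Section 17.6](#176-auditor-qualification), [Section 11.11.6], [Section 11.11.2], [Section 11.11.1], [Section 11.5], [Appendix H]), and those anchors will not exist once the document follows the RFC 3647 outline that the rest of this series introduces; either retarget them to the new section numbers in this commit or record that they are fixed later. Two wording points in the same hunk: the Qualified Government Tax Information Source definition refers to a "Qualified Governmental Information Source", which does not match the defined term "Qualified Government Information Source" two entries above (use the defined term exactly so both stay searchable), and the acronym table lists QGIS, QTIS and QIIS in that order while the definitions list them as QGIS, QTIS, QIIS by full name but the table is otherwise alphabetical, so QTIS should come after QIIS.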
From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Thu, 6 Jul 2023 15:57:23 +0200 Subject: [PATCH 16/48] Update EVG.md --- docs/EVG.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/docs/EVG.md b/docs/EVG.md index 02a7533a..d3bf69ce 100644 --- a/docs/EVG.md +++ b/docs/EVG.md @@ -216,7 +216,9 @@ Abbreviations and Acronyms are defined in the Baseline Requirements except as ot | QIIS | Qualified Independent Information Source | | SEC | (US Government) Securities and Exchange Commission | | UTC(k) | National realization of Coordinated Universal Time | -### 1.6.3 Conventions +### 1.6.3 References +See Baseline Requirements, which are available at . +### 1.6.4 Conventions Terms not otherwise defined in these Guidelines shall be as defined in applicable agreements, user manuals, certification practice statements (CPS), and certificate policies (CP) of the CA issuing EV Certificates. The key words "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in these Guidelines shall be interpreted in accordance with RFC 2119. 
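Review bot: the added line "See Baseline Requirements, which are available at ." has no visible link target after "at", so as rendered the reference sends the reader nowhere; please supply the URL of the Baseline Requirements. The new heading "### 1.6.4 Conventions" also follows that sentence directly with no blank line, whereas the rest of the file separates a heading from the preceding paragraph by a blank line. Renumbering Conventions from 1.6.3 to 1.6.4 means any "[Section 1.6.3]" reference elsewhere in the file now points at References instead; none are visible in this hunk, so just confirm with a search.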
@@ -528,9 +530,22 @@ During the period in which it issues EV Certificates, the CA MUST strictly contr ## 9.5 Intellectual property rights ## 9.6 Representations and warranties ### 9.6.1 CA representations and warranties +When the CA issues an EV Certificate, the CA and its Root CA represent and warrant to the Certificate Beneficiaries listed in Section 9.6.1 of the Baseline Requirements, during the period when the EV Certificate is Valid, that the CA has followed the requirements of these Guidelines and its EV Policies in issuing and managing the EV Certificate and in verifying the accuracy of the information contained in the EV Certificate. The EV Certificate Warranties specifically include, but are not limited to, the following: + +A. **Legal Existence**: The CA has confirmed with the Incorporating or Registration Agency in the Subject's Jurisdiction of Incorporation or Registration that, as of the date the EV Certificate was issued, the Subject named in the EV Certificate legally exists as a valid organization or entity in the Jurisdiction of Incorporation or Registration; +B. **Identity**: The CA has confirmed that, as of the date the EV Certificate was issued, the legal name of the Subject named in the EV Certificate matches the name on the official government records of the Incorporating or Registration Agency in the Subject's Jurisdiction of Incorporation or Registration, and if an assumed name is also included, that the assumed name is properly registered by the Subject in the jurisdiction of its Place of Business; +C. **Right to Use Domain Name**: The CA has taken all steps reasonably necessary to verify that, as of the date the EV Certificate was issued, the Subject named in the EV Certificate has the right to use all the Domain Name(s) listed in the EV Certificate; +D. 
**Authorization for EV Certificate**: The CA has taken all steps reasonably necessary to verify that the Subject named in the EV Certificate has authorized the issuance of the EV Certificate; +E. **Accuracy of Information**: The CA has taken all steps reasonably necessary to verify that all of the other information in the EV Certificate is accurate, as of the date the EV Certificate was issued; +F. **Subscriber Agreement**: The Subject named in the EV Certificate has entered into a legally valid and enforceable Subscriber Agreement with the CA that satisfies the requirements of these Guidelines or, if they are affiliated, the Applicant Representative has acknowledged and accepted the Terms of Use; +G. **Status**: The CA will follow the requirements of these Guidelines and maintain a 24 x 7 online-accessible Repository with current information regarding the status of the EV Certificate as Valid or revoked; and +H. **Revocation**: The CA will follow the requirements of these Guidelines and revoke the EV Certificate for any of the revocation reasons specified in these Guidelines. + ### 9.6.2 RA representations and warranties ### 9.6.3 Subscriber representations and warranties Section 9.6.3 of the Baseline Requirements applies equally to EV Certificates. In cases where the Certificate Request does not contain all necessary information about the Applicant, the CA MUST additionally confirm the data with the Certificate Approver or Contract Signer rather than the Certificate Requester. + +EV Certificate Applicants make the commitments and warranties set forth in Section 9.6.3 of the Baseline Requirements for the benefit of the CA and Certificate Beneficiaries. ### 9.6.4 Relying party representations and warranties ### 9.6.5 Representations and warranties of other participants ## 9.7 Disclaimers of warranties From 6db5f95cb2e49ea3886c6318b12ba2055bb2e6b0 Mon Sep 17 00:00:00 2001 
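Review bot: the warranty items A. through H. under 9.6.1 are added as consecutive lines with no blank line between them; in Markdown consecutive non-blank lines join into a single paragraph, and "A." is not a list marker CommonMark recognises, so A–H render as one run-on paragraph. Separate each item with a blank line, as the lettered lists elsewhere in the file are written. Minor: "24 x 7 online-accessible Repository" here versus "24x7" in the Section 2.2 text added later in this series; pick one spelling.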
From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Fri, 7 Jul 2023 17:10:45 +0200 Subject: [PATCH 17/48] Update EVG.md --- docs/EVG.md | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/docs/EVG.md b/docs/EVG.md index d3bf69ce..84366720 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
@@ -24,6 +24,65 @@ The Guidelines for the Issuance and Management of Extended Validation Certificat The CA/Browser Forum is a voluntary open organization of certification authorities and suppliers of Internet browsers and other relying-party software applications. Membership is listed at . ## 1.2 Document name and identification +### 1.2.1 Revisions +| **Ver.** | **Ballot** | **Description** | **Adopted** | **Effective\*** | +|-|-|-----|--|--| +| 1.4.0 | 72 | Reorganize EV Documents | 29 May 2012 | 29 May 2012 | +| 1.4.1 | 75 | NameConstraints Criticality Flag | 8 June 2012 | 8 June 2012 | +| 1.4.2 | 101 | EV 11.10.2 Accountants | 31 May 2013 | 31 May 2013 | +| 1.4.3 | 104 | Domain verification for EV Certificates | 9 July 2013 | 9 July 2013 | +| 1.4.4 | 113 | Revision to QIIS in EV Guidelines | 13 Jan 2014 | 13 Jan 2014 | +| 1.4.5 | 114 | Improvements to the EV Definitions | 28 Jan 2014 | 28 Jan 2014 | +| 1.4.6 | 119 | Remove "OfIncorporation" from OID descriptions in EVG 9.2.5 | 24 Mar 2014 | 24 Mar 2014 | +| 1.4.7 | 120 | Affiliate Authority to Verify Domain | 5 June 2014 | 5 June 2014 | +| 1.4.8 | 124 | Business Entity Clarification | 5 June 2014 | 5 June 2014 | +| 1.4.9 | 127 | Verification of Name, Title and Agency | 17 July 2014 | 17 July 2014 | +| 1.5.0 | 126 | Operational Existence | 24 July 2014 | 24 July 2014 | +| 1.5.1 | 131 | Verified Method of Communication | 12 Sept 2014 | 12 Sept 2014 | +| 1.5.2 | 123 | Reuse of Information | 16 Oct. 2014 | 16 Oct. 2014 | +| 1.5.3 | 144 | Validation rules for .onion names | 18 Feb. 2015 | 18 Feb. 2015 | +| 1.5.4 | 146 | Convert Baseline Requirements to RFC 3647 Framework | 16 Apr. 2015 | 16 Apr. 2015 | +| 1.5.5 | 145 | Operational Existence for Government Entities | 5 Mar. 2015 | 5 Mar. 
2015 | +| 1.5.6 | 147 | Attorney-Accountant Letter Changes | 25 June 2015 | 25 June 2015 | +| 1.5.7 | 151 | Addition of Optional OIDs for Indicating Level of Validation | 28 Sept 2015 | 28 Sept 2015 | +| 1.5.8 | 162 | Sunset of Exceptions | 15 Mar 2016 | 15 Mar 2016 | +| 1.5.9 | 163 | Fix Errata in EV Guidelines 11.2.1 | 18 Mar 2016 | 18 Mar 2016 | +| 1.6.0 | 171 | Updating ETSI Standards | 1 July 2016 | 1 July 2016 | +| 1.6.1 | 180 | In EV 11.7.1, removed outdated cross-reference to BR 3.2.2.4(7) | 7 Jan. 2017 | 7 Jan. 2017 | +| 1.6.2 | 103 | 825-day Certificate Lifetimes | 17 Mar. 2017 | 17 Mar. 2017 | +| 1.6.3 | 198 | .Onion Revisions (declared invalid) | 7 May 2017 | 8 June 2017 | +| 1.6.4 | 191 | Clarify Place of Business Information | 23 May 2017 | 23 June 2017 | +| 1.6.5 | 201 | .onion Revisions | 8 June 2017 | 8 July 2017 | +| 1.6.6 | 192 | Notary revision | 28 June 2017 | 28 July 2017 | +| 1.6.7 | 207 | ASN.1 Jurisdiction | 23 October 2017 | 23 November 2017 | +| 1.6.8 | 217 | Sunset RFC 2527 | 21 Dec 2017 | 9 Mar 2018 | +| 1.6.9 | SC16 | Other Subject Attributes | 15 Mar 2019 | 16 Apr 2019 | +| 1.7.0 | SC17 | Alternative registration numbers for EV certificates | 21 May 2019 | 21 June 2019 | +| 1.7.1 | SC24 | Fall cleanup v2 | 12 Nov 2019 | 19 Dec 2019 | +| 1.7.2 | SC27 | Version 3 Onion Certificates | 19-Feb-2020 | 27-Mar-2020 | +| 1.7.3 | SC30 | Disclosure of Registration / Incorporating Agency | 13-Jul-2020 | 20-Aug-2020 | +| 1.7.3 | SC31 | Browser Alignment | 16-Jul-2020 | 20-Aug-2020 | +| 1.7.4 | SC35 | Cleanups and Clarifications | 9-Sep-2020 | 19-Oct-2020 | +| 1.7.5 | SC41 | Reformatting the BRs, EVGs, and NCSSRs | 24-Feb-2021 | 5-Apr-2021 | +| 1.7.6 | SC42 | 398-day Re-use Period | 22-Apr-2021 | 2-Jun-2021 | +| 1.7.7 | SC47 | Sunset subject:organizationalUnitName | 30-Jun-2021 | 16-Aug-2021 | +| 1.7.8 | SC48 | Domain Name and IP Address Encoding | 22-Jul-2021 | 25-Aug-2021 | +| 1.7.9 | SC54 | Onion Cleanup | 24-Mar-2022 | 23-Apr-2022 | +| 1.8.0 | 
SC56 | 2022 Cleanup | 25-Oct-2022 | 30-Nov-2022 | + +\* Effective Date and Additionally Relevant Compliance Date(s) + +## Relevant Dates + +| **Compliance** | **Section(s)** | **Summary Description (See Full Text for Details)** | +|--|--|----------| +| 2020-01-31 | [9.2.8](#928-subject-organization-identifier-field) | If subject:organizationIdentifier is present, the CA/Browser Forum Organization Identifier Extension MUST be present | +| 2020-09-01 | [9.4](#94-maximum-validity-period-for-ev-certificate) & Appendix F | Certificates issued MUST NOT have a Validity Period greater than 398 days. | +| 2020-10-01 | [11.1.3](#1113-disclosure-of-verification-sources) | Prior to using an Incorporating Agency or Registration Agency, the CA MUST ensure the agency has been publicly disclosed | +| 2022-09-01 | [9.2.7](#927-subject-organizational-unit-name-field) | CAs MUST NOT include the organizationalUnitName field in the Subject | + +**Implementers' Note**: Version 1.3 of these EV Guidelines was published on 20 November 2010 and supplemented through May 2012 when version 1.4 was published. ETSI TS 102 042 and ETSI TR 101 564 Technical Report: Guidance on ETSI TS 102 042 for Issuing Extended Validation Certificates for Auditors and CSPs reference version 1.3 of these EV Guidelines, and ETSI Draft EN 319 411-1 references version 1.4. Version 1.4.5 of Webtrust(r) for Certification Authorities – Extended Validation Audit Criteria references version 1.4.5 of these EV Guidelines. As illustrated in the Document History table above, the CA/Browser Forum continues to improve relevant industry guidelines, including this document, the Baseline Requirements, and the Network and Certificate System Security Requirements. We encourage all CAs to conform to each revision on the date specified without awaiting a corresponding update to an applicable audit criterion. 
In the event of a conflict between an existing audit criterion and a guideline revision, we will communicate with the audit community and attempt to resolve any uncertainty. We will respond to implementation questions directed to questions@cabforum.org. Our coordination with compliance auditors will continue as we develop guideline revision cycles that harmonize with the revision cycles for audit criteria, the compliance auditing periods and cycles of CAs, and the CA/Browser Forum's guideline implementation dates. + ## 1.3 PKI participants ### 1.3.1 Certification authorities ### 1.3.2 Registration authorities From f720f180c51cfb7f0d11da1766d6ce0dee69f558 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Fri, 7 Jul 2023 17:17:11 +0200 Subject: [PATCH 18/48] Update EVG.md --- docs/EVG.md | 32 +++++++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/docs/EVG.md b/docs/EVG.md index 84366720..80132a79 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
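Review bot: "## Relevant Dates" is a level-2 heading, which makes it a sibling of "## 1.2 Document name and identification" rather than a subsection of it, and it carries no number while the table above it is "### 1.2.1 Revisions"; suggest "### 1.2.2 Relevant Dates" so the RFC 3647 numbering stays intact. The Relevant Dates table links to the old section numbers (#928-subject-organization-identifier-field, #94-maximum-validity-period-for-ev-certificate, #1113-disclosure-of-verification-sources, #927-subject-organizational-unit-name-field), which will dangle once those sections are renumbered under the RFC 3647 outline, and the Implementers' Note refers to "the Document History table above" although the table is titled Revisions.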
@@ -11,7 +11,6 @@ copyright: | --- # 1. INTRODUCTION -## 1.1 Overview The Guidelines describe an integrated set of technologies, protocols, identity proofing, lifecycle management, and auditing practices specifying the minimum requirements that must be met in order to issue and maintain Extended Validation Certificates ("EV Certificates") concerning an organization. Subject Organization information from valid EV Certificates can then be used in a special manner by certain relying-party software applications (e.g., browser software) in order to provide users with a trustworthy confirmation of the identity of the entity that controls the Web site or other services they are accessing. Although initially intended for use in establishing Web-based data communication conduits via TLS/SSL protocols, extensions are envisioned for S/MIME, time-stamping, VoIP, IM, Web services, etc. The primary purposes of Extended Validation Certificates are to: 1) identify the legal entity that controls a Web or service site, and 2) enable encrypted communications with that site. The secondary purposes include significantly enhancing cybersecurity by helping establish the legitimacy of an organization claiming to operate a Web site, and providing a vehicle that can be used to assist in addressing problems related to distributing malware, phishing, identity theft, and diverse forms of online fraud. 
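Review bot: deleting "## 1.1 Overview" leaves this paragraph and the CA/Browser Forum paragraph as unnumbered preamble directly under "# 1. INTRODUCTION". RFC 3647 names section 1.1 "Overview", and this paragraph already carries the overview material (minimum requirements, special display by relying-party software, the S/MIME, time-stamping, VoIP, IM and Web services list) that the "1.1 Scope" section added in the next hunk restates; keeping the 1.1 Overview heading here and folding the scope wording into it avoids both the orphaned text and the duplication.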
@@ -23,6 +22,13 @@ The Guidelines for the Issuance and Management of Extended Validation Certificat **The CA/Browser Forum** The CA/Browser Forum is a voluntary open organization of certification authorities and suppliers of Internet browsers and other relying-party software applications. Membership is listed at . +## 1.1 Scope +These Guidelines for the issuance and management of Extended Validation Certificates describe certain of the minimum requirements that a Certification Authority must meet in order to issue Extended Validation Certificates. Subject Organization information from Valid EV Certificates may be displayed in a special manner by certain relying-party software applications (e.g., browser software) in order to provide users with a trustworthy confirmation of the identity of the entity that controls the Web site they are accessing. These Guidelines incorporate the Baseline Requirements established by the CA/Browser Forum by reference. A copy of the Baseline Requirements is available on the CA/Browser Forum's website at . + +These Guidelines address the basic issue of validating Subject identity information in EV Certificates and some related matters. They do not address all of the related matters, such as certain technical and operational ones. This version of the Guidelines addresses only requirements for EV Certificates intended to be used for SSL/TLS authentication on the Internet and for code signing. Similar requirements for S/MIME, time-stamping, VoIP, IM, Web services, etc. may be covered in future versions. + +These Guidelines do not address the verification of information, or the issuance, use, maintenance, or revocation of EV Certificates by enterprises that operate their own Public Key Infrastructure for internal purposes only, where its Root CA Certificate is not distributed by any Application Software Supplier. 
+ ## 1.2 Document name and identification ### 1.2.1 Revisions | **Ver.** | **Ballot** | **Description** | **Adopted** | **Effective\*** | 
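Review bot: "A copy of the Baseline Requirements is available on the CA/Browser Forum's website at ." has no visible link target (the same gap as "Membership is listed at ." in the context line above), so please supply the URL. Naming this section "Scope" also departs from the RFC 3647 outline, where 1.1 is Overview; if a Scope section is wanted in addition to the overview paragraph that remains above, give it its own number rather than reusing 1.1.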
@@ -106,7 +112,31 @@ Enterprise RAs that authorize the issuance of EV Certificates solely for its own ### 1.3.5 Other participants ## 1.4 Certificate usage ### 1.4.1 Appropriate certificate uses +EV Certificates are intended for establishing Web-based data communication conduits via the TLS/SSL protocols and for verifying the authenticity of executable code. + +#### 1.4.1.1. Primary Purposes + +The primary purposes of an EV Certificate are to: + +1. **Identify the legal entity that controls a Web site**: Provide a reasonable assurance to the user of an Internet browser that the Web site the user is accessing is controlled by a specific legal entity identified in the EV Certificate by name, address of Place of Business, Jurisdiction of Incorporation or Registration and Registration Number or other disambiguating information; and + +2. **Enable encrypted communications with a Web site**: Facilitate the exchange of encryption keys in order to enable the encrypted communication of information over the Internet between the user of an Internet browser and a Web site. + +#### 1.4.1.2. Secondary Purposes + +The secondary purposes of an EV Certificate are to help establish the legitimacy of a business claiming to operate a Web site or distribute executable code, and to provide a vehicle that can be used to assist in addressing problems related to phishing, malware, and other forms of online identity fraud. By providing more reliable third-party verified identity and address information regarding the business, EV Certificates may help to: + +1. Make it more difficult to mount phishing and other online identity fraud attacks using Certificates; +2. Assist companies that may be the target of phishing attacks or online identity fraud by providing them with a tool to better identify themselves to users; and +3. 
Assist law enforcement organizations in their investigations of phishing and other online identity fraud, including where appropriate, contacting, investigating, or taking legal action against the Subject. + ### 1.4.2 Prohibited certificate uses +EV Certificates focus only on the identity of the Subject named in the Certificate, and not on the behavior of the Subject. As such, an EV Certificate is **not** intended to provide any assurances, or otherwise represent or warrant: + +1. That the Subject named in the EV Certificate is actively engaged in doing business; +2. That the Subject named in the EV Certificate complies with applicable laws; +3. That the Subject named in the EV Certificate is trustworthy, honest, or reputable in its business dealings; or +4. That it is "safe" to do business with the Subject named in the EV Certificate. ## 1.5 Policy administration ### 1.5.1 Organization administering the document ### 1.5.2 Contact person From c4a3652d256760380e09e702aff2c2312a516d1a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Fri, 7 Jul 2023 17:19:43 +0200 Subject: [PATCH 19/48] Update EVG.md --- docs/EVG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/EVG.md b/docs/EVG.md index 80132a79..f1299daa 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
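Review bot: the two new sub-sub-headings are numbered "1.4.1.1." and "1.4.1.2." with a trailing period, while every other heading in the file ("### 1.4.1 Appropriate certificate uses", "### 1.4.2 Prohibited certificate uses") has none; drop the periods so generated anchors and cross-references stay uniform. The 1.4.1 lead sentence says EV Certificates also serve "verifying the authenticity of executable code", but 1.4.1.1 lists only the two Web-site purposes and 1.4.1.2 mentions code only in passing ("or distribute executable code"); if code signing stays in scope, state its primary purpose alongside the Web-site ones.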
@@ -622,12 +622,19 @@ During the period in which it issues EV Certificates, the CA MUST strictly contr When the CA issues an EV Certificate, the CA and its Root CA represent and warrant to the Certificate Beneficiaries listed in Section 9.6.1 of the Baseline Requirements, during the period when the EV Certificate is Valid, that the CA has followed the requirements of these Guidelines and its EV Policies in issuing and managing the EV Certificate and in verifying the accuracy of the information contained in the EV Certificate. The EV Certificate Warranties specifically include, but are not limited to, the following: A. **Legal Existence**: The CA has confirmed with the Incorporating or Registration Agency in the Subject's Jurisdiction of Incorporation or Registration that, as of the date the EV Certificate was issued, the Subject named in the EV Certificate legally exists as a valid organization or entity in the Jurisdiction of Incorporation or Registration; + B. **Identity**: The CA has confirmed that, as of the date the EV Certificate was issued, the legal name of the Subject named in the EV Certificate matches the name on the official government records of the Incorporating or Registration Agency in the Subject's Jurisdiction of Incorporation or Registration, and if an assumed name is also included, that the assumed name is properly registered by the Subject in the jurisdiction of its Place of Business; + C. **Right to Use Domain Name**: The CA has taken all steps reasonably necessary to verify that, as of the date the EV Certificate was issued, the Subject named in the EV Certificate has the right to use all the Domain Name(s) listed in the EV Certificate; + D. **Authorization for EV Certificate**: The CA has taken all steps reasonably necessary to verify that the Subject named in the EV Certificate has authorized the issuance of the EV Certificate; + E. 
**Accuracy of Information**: The CA has taken all steps reasonably necessary to verify that all of the other information in the EV Certificate is accurate, as of the date the EV Certificate was issued; + F. **Subscriber Agreement**: The Subject named in the EV Certificate has entered into a legally valid and enforceable Subscriber Agreement with the CA that satisfies the requirements of these Guidelines or, if they are affiliated, the Applicant Representative has acknowledged and accepted the Terms of Use; + G. **Status**: The CA will follow the requirements of these Guidelines and maintain a 24 x 7 online-accessible Repository with current information regarding the status of the EV Certificate as Valid or revoked; and + H. **Revocation**: The CA will follow the requirements of these Guidelines and revoke the EV Certificate for any of the revocation reasons specified in these Guidelines. ### 9.6.2 RA representations and warranties From aaf240a4b8873344465b0087d22053b65218b4fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Fri, 7 Jul 2023 17:39:46 +0200 Subject: [PATCH 20/48] Update EVG.md --- docs/EVG.md | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 95 insertions(+) diff --git a/docs/EVG.md b/docs/EVG.md index f1299daa..7c6faa3d 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
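Review bot: the commit message "Update EVG.md" does not say what changed; since this hunk only inserts blank lines between the 9.6.1 warranty items A. through G., a message such as "EVG 9.6.1: separate warranty items with blank lines" would help anyone reading the history later. The fix itself is correct: with the blank lines, each lettered item renders as its own paragraph instead of joining into one block, which matches how the other lettered lists in the file are written.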
@@ -315,8 +315,29 @@ The key words "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMME By convention, this document omits time and timezones when listing effective requirements such as dates. Except when explicitly specified, the associated time with a date shall be 00:00:00 UTC. # 2. PUBLICATION AND REPOSITORY RESPONSIBILITIES +Each CA must develop, implement, enforce, display prominently on its Web site, and periodically update as necessary its own auditable EV Certificate practices, policies and procedures, such as a Certification Practice Statement (CPS) and Certificate Policy (CP) that: + +A. Implement the requirements of these Guidelines as they are revised from time-to-time; + +B. Implement the requirements of + + i. the then-current WebTrust Program for CAs, and + ii. the then-current WebTrust EV Program or ETSI TS 102 042 for EVCP or ETSI EN 319 411-1 for EVCP policy; and + +C. Specify the CA's and its Root CA's entire root certificate hierarchy including all roots that its EV Certificates depend on for proof of those EV Certificates' authenticity. + ## 2.1 Repositories ## 2.2 Publication of certification information +Each CA MUST publicly disclose its Certificate Policy and/or Certification Practice Statement through an appropriate and readily accessible online means that is available on a 24x7 basis. The CA SHALL publicly disclose its CA business practices to the extent required by the CA's selected audit scheme (see [Section 17.1](#171-eligible-audit-schemes)). + +The CA's Certificate Policy and/or Certification Practice Statement MUST be structured in accordance with RFC 3647. The Certificate Policy and/or Certification Practice Statement MUST include all material required by RFC 3647. 
+ +Each CA SHALL publicly give effect to these Guidelines and represent that they will adhere to the latest published version by incorporating them into their respective EV Policies, using a clause such as the following (which must include a link to the official version of these Guidelines): + +> [Name of CA] conforms to the current version of the CA/Browser Forum Guidelines for Issuance and Management of Extended Validation Certificates published at . In the event of any inconsistency between this document and those Guidelines, those Guidelines take precedence over this document. + +In addition, the CA MUST include (directly or by reference) the applicable requirements of these Guidelines in all contracts with Subordinate CAs, RAs, Enterprise RAs, and subcontractors that involve or relate to the issuance or maintenance of EV Certificates. The CA MUST enforce compliance with such terms. + ## 2.3 Time or frequency of publication ## 2.4 Access controls on repositories # 3. IDENTIFICATION AND AUTHENTICATION 
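Review bot: the new Section 2 lead-in uses lowercase "must" ("Each CA must develop, implement, enforce, ...") and the 2.2 clause says "which must include a link", while 1.6.4 Conventions says the RFC 2119 key words govern; write MUST (or SHALL, as the following paragraphs do) so these read as requirements rather than narrative. The Publication text also links to "[Section 17.1](#171-eligible-audit-schemes)", a pre-RFC 3647 number that will not resolve after restructuring, and the model clause ends "published at ." with no visible URL, so the very clause that mandates a link to the Guidelines is missing one.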
@@ -341,6 +362,64 @@ By convention, this document omits time and timezones when listing effective req # 4. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS ## 4.1 Certificate Application ### 4.1.1 Who can submit a certificate application +The CA MAY only issue EV Certificates to Applicants that meet the Private Organization, Government Entity, Business Entity and Non-Commercial Entity requirements specified below. + +#### 4.1.1.1 Private Organization Subjects + +An Applicant qualifies as a Private Organization if: + +1. The entity's legal existence is created or recognized by a by a filing with (or an act of) the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration (e.g., by issuance of a certificate of incorporation, registration number, etc.) or created or recognized by a Government Agency (e.g. under a charter, treaty, convention, or equivalent recognition instrument); + +2. The entity designated with the Incorporating or Registration Agency a Registered Agent, a Registered Office (as required under the laws of the Jurisdiction of Incorporation or Registration), or an equivalent facility; + +3. The entity is not designated on the records of the Incorporating or Registration Agency by labels such as "inactive," "invalid," "not current," or the equivalent; + +4. The entity has a verifiable physical existence and business presence; + +5. The entity's Jurisdiction of Incorporation, Registration, Charter, or License, and/or its Place of Business is not in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and + +6. The entity is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. + +#### 4.1.1.2. Government Entity Subjects + +An Applicant qualifies as a Government Entity if: + +1. The entity's legal existence was established by the political subdivision in which the entity operates; + +2. 
The entity is not in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and + +3. The entity is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. + +#### 4.1.1.3. Business Entity Subjects + +An Applicant qualifies as a Business Entity if: + +1. The entity is a legally recognized entity that filed certain forms with a Registration Agency in its jurisdiction, the Registration Agency issued or approved the entity's charter, certificate, or license, and the entity's existence can be verified with that Registration Agency; + +2. The entity has a verifiable physical existence and business presence; + +3. At least one Principal Individual associated with the entity is identified and validated by the CA; + +4. The identified Principal Individual attests to the representations made in the Subscriber Agreement; + +5. The CA verifies the entity's use of any assumed name used to represent the entity pursuant to the requirements of [Section 11.3](#113-verification-of-applicants-legal-existence-and-identity--assumed-name); + +6. The entity and the identified Principal Individual associated with the entity are not located or residing in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and + +7. The entity and the identified Principal Individual associated with the entity are not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. + +#### 4.1.1.4. Non-Commercial Entity Subjects + +An Applicant qualifies as a Non-Commercial Entity if: + +1. The Applicant is an International Organization Entity, created under a charter, treaty, convention or equivalent instrument that was signed by, or on behalf of, more than one country's government. 
The CA/Browser Forum may publish a listing of Applicants who qualify as an International Organization for EV eligibility; and + +2. The Applicant is not headquartered in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and + +3. The Applicant is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. + +Subsidiary organizations or agencies of an entity that qualifies as a Non-Commercial Entity also qualifies for EV Certificates as a Non-Commercial Entity. + ### 4.1.2 Enrollment process and responsibilities The documentation requirements in Section 4.1.2 of the Baseline Requirements apply equally to EV Certificates. The Certificate Request requirements in Section 4.1.2 of the Baseline Requirements apply equally to EV Certificates subject to the additional more stringent ageing and updating requirement of [Section 11.14](#1114-requirements-for-re-use-of-existing-documentation). 
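Review bot: 4.1.1.1 item 1 has a duplicated phrase, "created or recognized by a by a filing"; drop one "by a". In the same hunk: the opening sentence "The CA MAY only issue EV Certificates to Applicants that meet ..." uses the permissive MAY to state a restriction, which under RFC 2119 should be "MUST only issue" (or "SHALL NOT issue ... unless"); the headings "#### 4.1.1.2. Government Entity Subjects", "4.1.1.3." and "4.1.1.4." carry a trailing period that "#### 4.1.1.1 Private Organization Subjects" does not; in 4.1.1.4 both item 1 and item 2 end with "; and", so the conjunction appears twice in a three-item list; and "Subsidiary organizations or agencies ... also qualifies for EV Certificates" should read "also qualify". The link "[Section 11.3](#113-verification-of-applicants-legal-existence-and-identity--assumed-name)" is another old-numbering anchor to retarget.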
@@ -602,6 +681,18 @@ During the period in which it issues EV Certificates, the CA MUST strictly contr ### 9.1.5 Refund policy ## 9.2 Financial responsibility ### 9.2.1 Insurance coverage +Each CA SHALL maintain the following insurance related to their respective performance and obligations under these Guidelines: + +A. Commercial General Liability insurance (occurrence form) with policy limits of at least two million US dollars in coverage; and + +B. Professional Liability/Errors and Omissions insurance, with policy limits of at least five million US dollars in coverage, and including coverage for: + i. claims for damages arising out of an act, error, or omission, unintentional breach of contract, or neglect in issuing or maintaining EV Certificates, and; + ii. claims for damages arising out of infringement of the proprietary rights of any third party (excluding copyright, and trademark infringement), and invasion of privacy and advertising injury. + +Such insurance must be with a company rated no less than A- as to Policy Holder's Rating in the current edition of Best's Insurance Guide (or with an association of companies each of the members of which are so rated). + +A CA MAY self-insure for liabilities that arise from such party's performance and obligations under these Guidelines provided that it has at least five hundred million US dollars in liquid assets based on audited financial statements in the past twelve months, and a quick ratio (ratio of liquid assets to current liabilities) of not less than 1.0. + ### 9.2.2 Other assets ### 9.2.3 Insurance or warranty coverage for end-entities ## 9.3 Confidentiality of business information 
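Review bot: normative keyword inconsistency in the new 9.2.1 text: "Such insurance must be with a company rated no less than A-" uses lowercase "must" while the surrounding sentences use SHALL and MAY; if this is a requirement it should be MUST. Also, Markdown does not treat `A.`, `B.`, `i.` and `ii.` as list markers, and the single leading space before "i." and "ii." is stripped, so the coverage list will render as run-on paragraphs; use the `1.`/`2.` numbering with indented sub-items, as the 4.1.1 lists in this file already do.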
@@ -665,6 +756,10 @@ A CA's indemnification obligations and a Root CA's obligations with respect to s ### 9.16.1 Entire agreement ### 9.16.2 Assignment ### 9.16.3 Severability +The CA MAY issue EV Certificates, provided that the CA and its Root CA satisfy the requirements in these Guidelines and the Baseline Requirements. + +If a court or government body with jurisdiction over the activities covered by these Guidelines determines that the performance of any mandatory requirement is illegal, then such requirement is considered reformed to the minimum extent necessary to make the requirement valid and legal. This applies only to operations or certificate issuances that are subject to the laws of that jurisdiction. The parties involved SHALL notify the CA / Browser Forum of the facts, circumstances, and law(s) involved, so that the CA/Browser Forum may revise these Guidelines accordingly. + ### 9.16.4 Enforcement (attorneys' fees and waiver of rights) ### 9.16.5 Force Majeure ## 9.17 Other provisions From 8dd5d749b1475f4249647cf7e7381e89e5899d9b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Fri, 7 Jul 2023 17:41:32 +0200 Subject: [PATCH 21/48] Update EVG.md --- docs/EVG.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index 7c6faa3d..07dbb928 100644 --- a/docs/EVG.md +++ b/docs/EVG.md @@ -114,7 +114,7 @@ Enterprise RAs that authorize the issuance of EV Certificates solely for its own ### 1.4.1 Appropriate certificate uses EV Certificates are intended for establishing Web-based data communication conduits via the TLS/SSL protocols and for verifying the authenticity of executable code. -#### 1.4.1.1. Primary Purposes +#### 1.4.1.1 Primary Purposes The primary purposes of an EV Certificate are to: 
@@ -122,7 +122,7 @@ The primary purposes of an EV Certificate are to: 2. **Enable encrypted communications with a Web site**: Facilitate the exchange of encryption keys in order to enable the encrypted communication of information over the Internet between the user of an Internet browser and a Web site. -#### 1.4.1.2. Secondary Purposes +#### 1.4.1.2 Secondary Purposes The secondary purposes of an EV Certificate are to help establish the legitimacy of a business claiming to operate a Web site or distribute executable code, and to provide a vehicle that can be used to assist in addressing problems related to phishing, malware, and other forms of online identity fraud. By providing more reliable third-party verified identity and address information regarding the business, EV Certificates may help to: @@ -380,7 +380,7 @@ An Applicant qualifies as a Private Organization if: 6. The entity is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. -#### 4.1.1.2. Government Entity Subjects +#### 4.1.1.2 Government Entity Subjects An Applicant qualifies as a Government Entity if: @@ -390,7 +390,7 @@ An Applicant qualifies as a Government Entity if: 3. The entity is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. -#### 4.1.1.3. Business Entity Subjects +#### 4.1.1.3 Business Entity Subjects An Applicant qualifies as a Business Entity if: @@ -408,7 +408,7 @@ An Applicant qualifies as a Business Entity if: 7. The entity and the identified Principal Individual associated with the entity are not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. -#### 4.1.1.4. Non-Commercial Entity Subjects +#### 4.1.1.4 Non-Commercial Entity Subjects An Applicant qualifies as a Non-Commercial Entity if: From 0d57d032b75ce615d70a69716b1a29cc9c895a0a Mon Sep 17 00:00:00 2001 
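Review bot: in the @@ -665 hunk for 9.16.3 Severability, the first inserted paragraph ("The CA MAY issue EV Certificates, provided that the CA and its Root CA satisfy the requirements in these Guidelines and the Baseline Requirements.") is a general compliance statement rather than a severability clause and reads as misplaced under this heading; it belongs with the overview text (1.1) or the general compliance provisions. The second paragraph is the actual severability text and stands on its own.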
From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Mon, 10 Jul 2023 16:18:03 +0200 Subject: [PATCH 22/48] Update EVG.md --- docs/EVG.md | 186 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 186 insertions(+) diff --git a/docs/EVG.md b/docs/EVG.md index 07dbb928..c96cb24b 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
@@ -628,10 +628,196 @@ All requirements in Section 6.1.1.1 of the Baseline Requirements apply equally t ## 7.1 Certificate profile ### 7.1.1 Version number(s) ### 7.1.2 Certificate extensions +The extensions listed in [Section 9.8](#98-certificate-extensions) are recommended for maximum interoperability between certificates and browsers / applications, but are not mandatory on the CAs except where indicated as “Required”. CAs may use other extensions that are not listed in [Section 9.8](#98-certificate-extensions), but are encouraged to add them to this section by ballot from time to time to help increase extension standardization across the industry. + +If a CA includes an extension in a certificate that has a Certificate field which is named in [Section 9.8](#98-certificate-extensions), the CA must follow the format specified in that subsection. However, no extension or extension format shall be mandatory on a CA unless specifically stated as “Required” in the subsection that describes the extension. + +### 9.8.1. Subject Alternative Name Extension + +__Certificate Field__: `subjectAltName:dNSName` +__Required/Optional__: __Required__ +__Contents__: This extension MUST contain one or more host Domain Name(s) owned or controlled by the Subject and to be associated with the Subject's server. Such server MAY be owned and operated by the Subject or another entity (e.g., a hosting service). This extension MUST NOT contain a Wildcard Domain Name unless the FQDN portion of the Wildcard Domain Name is an Onion Domain Name verified in accordance with Appendix B of the Baseline Requirements. + +### 9.8.2. 
CA/Browser Forum Organization Identifier Extension + +__Extension Name__: `cabfOrganizationIdentifier` (OID: 2.23.140.3.1) +__Verbose OID__: `{joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) certificate-extensions(3) cabf-organization-identifier(1) }` +__Required/Optional__: __Optional (but see below)__ +__Contents__: If the subject:organizationIdentifier is present, this field MUST be present. + +If present, this extension MUST contain a Registration Reference for a Legal Entity assigned in accordance to the identified Registration Scheme. + +The Registration Scheme MUST be encoded as described by the following ASN.1 grammar: + +```ASN.1 +id-CABFOrganizationIdentifier OBJECT IDENTIFIER ::= { + joint-iso-itu-t(2) international-organizations(23) + ca-browser-forum(140) certificate-extensions(3) + cabf-organizationIdentifier(1) +} + +ext-CABFOrganizationIdentifier EXTENSION ::= { + SYNTAX CABFOrganizationIdentifier + IDENTIFIED BY id-CABFOrganizationIdentifier +} + +CABFOrganizationIdentifier ::= SEQUENCE { + registrationSchemeIdentifier PrintableString (SIZE(3)), + registrationCountry PrintableString (SIZE(2)), + registrationStateOrProvince [0] IMPLICIT PrintableString + (SIZE(0..128)) OPTIONAL, + registrationReference UTF8String +} +``` + +where the subfields have the same values, meanings, and restrictions described in [Section 9.2.8](#928-subject-organization-identifier-field). The CA SHALL validate the contents using the requirements in [Section 9.2.8](#928-subject-organization-identifier-field). + ### 7.1.3 Algorithm object identifiers ### 7.1.4 Name forms +## 9.2. Subject Distinguished Name Fields + +Subject to the requirements of these Guidelines, the EV Certificate and certificates issued to Subordinate CAs that are not controlled by the same entity as the CA MUST include the following information about the Subject organization in the fields listed: + +### 9.2.1. 
Subject Organization Name Field + +__Certificate Field__: `subject:organizationName` (OID 2.5.4.10) +__Required/Optional__: Required +__Contents__: This field MUST contain the Subject's full legal organization name as listed in the official records of the Incorporating or Registration Agency in the Subject's Jurisdiction of Incorporation or Registration or as otherwise verified by the CA as provided herein. A CA MAY abbreviate the organization prefixes or suffixes in the organization name, e.g., if the official record shows "Company Name Incorporated" the CA MAY include "Company Name, Inc." + +When abbreviating a Subject's full legal name as allowed by this subsection, the CA MUST use abbreviations that are not misleading in the Jurisdiction of Incorporation or Registration. + +In addition, an assumed name or DBA name used by the Subject MAY be included at the beginning of this field, provided that it is followed by the full legal organization name in parenthesis. + +If the combination of names or the organization name by itself exceeds 64 characters, the CA MAY abbreviate parts of the organization name, and/or omit non-material words in the organization name in such a way that the text in this field does not exceed the 64-character limit; provided that the CA checks this field in accordance with [Section 11.12.1](#11121-high-risk-status) and a Relying Party will not be misled into thinking that they are dealing with a different organization. In cases where this is not possible, the CA MUST NOT issue the EV Certificate. + +### 9.2.2. Subject Common Name Field + +__Certificate Field__: `subject:commonName` (OID: 2.5.4.3) +__Required/Optional__: Deprecated (Discouraged, but not prohibited) +__Contents__: If present, this field MUST contain a single Domain Name(s) owned or controlled by the Subject and to be associated with the Subject's server. Such server MAY be owned and operated by the Subject or another entity (e.g., a hosting service). 
This field MUST NOT contain a Wildcard Domain Name unless the FQDN portion of the Wildcard Domain Name is an Onion Domain Name verified in accordance with Appendix B of the Baseline Requirements. + +### 9.2.3. Subject Business Category Field + +__Certificate Field__: `subject:businessCategory` (OID: 2.5.4.15) +__Required/Optional__: Required +__Contents__: This field MUST contain one of the following strings: "Private Organization", "Government Entity", "Business Entity", or "Non-Commercial Entity" depending upon whether the Subject qualifies under the terms of [Section 8.5.2](#852-private-organization-subjects), [Section 8.5.3](#853-government-entity-subjects), [Section 8.5.4](#854-business-entity-subjects) or [Section 8.5.5](#855-non-commercial-entity-subjects), respectively. + +### 9.2.4. Subject Jurisdiction of Incorporation or Registration Field + +__Certificate Fields__: + +Locality (if required): + `subject:jurisdictionLocalityName` (OID: 1.3.6.1.4.1.311.60.2.1.1) + +State or province (if required): + `subject:jurisdictionStateOrProvinceName` (OID: 1.3.6.1.4.1.311.60.2.1.2) + +Country: + `subject:jurisdictionCountryName` (OID: 1.3.6.1.4.1.311.60.2.1.3) + +__Required/Optional__: Required +__Contents__: These fields MUST NOT contain information that is not relevant to the level of the Incorporating Agency or Registration Agency. For example, the Jurisdiction of Incorporation for an Incorporating Agency or Jurisdiction of Registration for a Registration Agency that operates at the country level MUST include the country information but MUST NOT include the state or province or locality information. Similarly, the jurisdiction for the applicable Incorporating Agency or Registration Agency at the state or province level MUST include both country and state or province information, but MUST NOT include locality information. 
And, the jurisdiction for the applicable Incorporating Agency or Registration Agency at the locality level MUST include the country and state or province information, where the state or province regulates the registration of the entities at the locality level, as well as the locality information. Country information MUST be specified using the applicable ISO country code. State or province or locality information (where applicable) for the Subject's Jurisdiction of Incorporation or Registration MUST be specified using the full name of the applicable jurisdiction. + +Effective as of 1 October 2020, the CA SHALL ensure that, at time of issuance, the values within these fields have been disclosed within the latest publicly-available disclosure, as described in [Section 11.1.3](#1113-disclosure-of-verification-sources), as acceptable values for the applicable Incorporating Agency or Registration Agency. + +### 9.2.5. Subject Registration Number Field + +__Certificate Field__: `subject:serialNumber` (OID: 2.5.4.5) +__Required/Optional__: __Required__ +__Contents__: For Private Organizations, this field MUST contain the Registration (or similar) Number assigned to the Subject by the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration, as appropriate. If the Jurisdiction of Incorporation or Registration does not provide a Registration Number, then the date of Incorporation or Registration SHALL be entered into this field in any one of the common date formats. + +For Government Entities that do not have a Registration Number or readily verifiable date of creation, the CA SHALL enter appropriate language to indicate that the Subject is a Government Entity. + +For Business Entities, the Registration Number that was received by the Business Entity upon government registration SHALL be entered in this field. 
For those Business Entities that register with an Incorporating Agency or Registration Agency in a jurisdiction that does not issue numbers pursuant to government registration, the date of the registration SHALL be entered into this field in any one of the common date formats. + +Effective as of 1 October 2020, if the CA has disclosed a set of acceptable format or formats for Registration Numbers for the applicable Registration Agency or Incorporating Agency, as described in [Section 11.1.3](#1113-disclosure-of-verification-sources), the CA MUST ensure, prior to issuance, that the Registration Number is valid according to at least one currently disclosed format for that applicable Registration Agency or Incorporating agency. + +### 9.2.6. Subject Physical Address of Place of Business Field + +__Certificate Fields__: + Number and street: `subject:streetAddress` (OID: 2.5.4.9) + City or town: `subject:localityName` (OID: 2.5.4.7) + State or province (where applicable): `subject:stateOrProvinceName` (OID: 2.5.4.8) + Country: `subject:countryName` (OID: 2.5.4.6) + Postal code: `subject:postalCode` (OID: 2.5.4.17) +__Required/Optional__: As stated in Section 7.1.4.2.2 d, e, f, g and h of the Baseline Requirements. +__Contents__: This field MUST contain the address of the physical location of the Subject's Place of Business. + +### 9.2.7. Subject Organizational Unit Name Field + +__Certificate Field__: `subject:organizationalUnitName` (OID: 2.5.4.11) +__Required/Optional/Prohibited:__ __Prohibited__. + +### 9.2.8. Subject Organization Identifier Field + +__Certificate Field__: `subject:organizationIdentifier` (OID: 2.5.4.97) +__Required/Optional__: Optional +__Contents__: If present, this field MUST contain a Registration Reference for a Legal Entity assigned in accordance to the identified Registration Scheme. + +The organizationIdentifier MUST be encoded as a PrintableString or UTF8String. 
+ +The Registration Scheme MUST be identified using the using the following structure in the presented order: + +* 3 character Registration Scheme identifier; +* 2 character ISO 3166 country code for the nation in which the Registration Scheme is operated, or if the scheme is operated globally ISO 3166 code "XG" shall be used; +* For the NTR Registration Scheme identifier, if required under [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field), a 2 character ISO 3166-2 identifier for the subdivision (state or province) of the nation in which the Registration Scheme is operated, preceded by plus "+" (0x2B (ASCII), U+002B (UTF-8)); +* a hyphen-minus "-" (0x2D (ASCII), U+002D (UTF-8)); +* Registration Reference allocated in accordance with the identified Registration Scheme + +Note: Registration References MAY contain hyphens, but Registration Schemes, ISO 3166 country codes, and ISO 3166-2 identifiers do not. Therefore if more than one hyphen appears in the structure, the leftmost hyphen is a separator, and the remaining hyphens are part of the Registration Reference. + +As in [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field), the specified location information MUST match the scope of the registration being referenced. + +Examples: + +* `NTRGB-12345678` (NTR scheme, Great Britain, Unique Identifier at Country level is 12345678) +* `NTRUS+CA-12345678` (NTR Scheme, United States - California, Unique identifier at State level is 12345678) +* `VATDE-123456789` (VAT Scheme, Germany, Unique Identifier at Country Level is 12345678) +* `PSDBE-NBB-1234.567.890` (PSD Scheme, Belgium, NCA's identifier is NBB, Subject Unique Identifier assigned by the NCA is 1234.567.890) + +Registration Schemes listed in [Appendix H](#appendix-h--registration-schemes) are currently recognized as valid under these guidelines. + +The CA SHALL: + +1. 
confirm that the organization represented by the Registration Reference is the same as the organization named in the `organizationName` field as specified in [Section 9.2.1](#921-subject-organization-name-field) within the context of the subject’s jurisdiction as specified in [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field); +2. further verify the Registration Reference matches other information verified in accordance with [Section 11](#11-verification-requirements); +3. take appropriate measures to disambiguate between different organizations as described in [Appendix H](#appendix-h--registration-schemes) for each Registration Scheme; +4. Apply the validation rules relevant to the Registration Scheme as specified in [Appendix H](#appendix-h--registration-schemes). + +### 9.2.9. Other Subject Attributes + +CAs SHALL NOT include any Subject Distinguished Name attributes except as specified in [Section 9.2](#92-subject-distinguished-name-fields). + ### 7.1.5 Name constraints ### 7.1.6 Certificate policy object identifier +### 9.3.1. EV Certificate Policy Identification Requirements + +This section sets forth minimum requirements for the contents of EV Certificates as they relate to the identification of EV Certificate Policy. + +### 9.3.2. EV Subscriber Certificates + +Each EV Certificate issued by the CA to a Subscriber MUST contain a policy identifier that is either defined by these Guidelines or the CA in the certificate's `certificatePolicies` extension that: + +1. indicates which CA policy statement relates to that Certificate, +2. asserts the CA's adherence to and compliance with these Guidelines, and +3. is either the CA/Browser Forum’s EV policy identifier or a policy identifier that, by pre-agreement with the Application Software Supplier, marks the Certificate as being an EV Certificate. 
+ +The following Certificate Policy identifier is the CA/Browser Forum’s EV policy identifier: +`{joint‐iso‐itu‐t(2) international‐organizations(23) ca‐browser‐forum(140) certificate‐policies(1) ev-guidelines (1) } (2.23.140.1.1)`, if the Certificate complies with these Guidelines. + +### 9.3.3. Root CA Certificates + +The Application Software Supplier identifies Root CAs that are approved to issue EV Certificates by storing EV policy identifiers in metadata associated with Root CA Certificates. + +### 9.3.4. EV Subordinate CA Certificates + +1. Certificates issued to Subordinate CAs that are not controlled by the issuing CA MUST contain one or more policy identifiers defined by the issuing CA that explicitly identify the EV Policies that are implemented by the Subordinate CA. +2. Certificates issued to Subordinate CAs that are controlled by the Root CA MAY contain the special `anyPolicy` identifier (OID: 2.5.29.32.0). + +### 9.3.5. Subscriber Certificates + +A Certificate issued to a Subscriber MUST contain one or more policy identifier(s), defined by the Issuing CA, in the Certificate's `certificatePolicies` extension that indicates adherence to and compliance with these Guidelines. Each CA SHALL document in its Certificate Policy or Certification Practice Statement that the Certificates it issues containing the specified policy identifier(s) are managed in accordance with these Guidelines. + ### 7.1.7 Usage of Policy Constraints extension ### 7.1.8 Policy qualifiers syntax and semantics ### 7.1.9 Processing semantics for the critical Certificate Policies extension From 703de2393c488210342fb228cbfb6c26a7865461 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Mon, 10 Jul 2023 16:30:18 +0200 Subject: [PATCH 23/48] Update EVG.md --- docs/EVG.md | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/docs/EVG.md b/docs/EVG.md index c96cb24b..bc83d82e 100644 
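Review bot: several cross-references and heading levels in the @@ -628 hunk still reflect the old EVG numbering and will not resolve in the restructured document. The 7.1.2 intro refers three times to "[Section 9.8](#98-certificate-extensions)", but the extensions are now listed directly under 7.1.2, so this should read "this section" or link to `#712-certificate-extensions`. 9.2.3 points at `#852-private-organization-subjects` through `#855-non-commercial-entity-subjects`, whereas the restructured text places these subjects under 4.1.1.1 to 4.1.1.4 (see the @@ -380 and @@ -390 hunks of PATCH 21/48). 9.2.1, 9.2.4, 9.2.5 and 9.2.8 link to Sections 11.12.1, 11.1.3 and 11, which are being moved as well. The inserted headings use `###` (9.8.1, 9.8.2, 9.2.1 to 9.2.9, 9.3.1 to 9.3.5) and `##` (9.2), i.e. the same or a higher level than their new parents `### 7.1.2`, `### 7.1.4` and `### 7.1.6`, so the rendered outline will show them as siblings of the RFC 3647 sections instead of children. Text defects worth fixing while the text is being moved: "MUST be identified using the using the following structure" in 9.2.8 duplicates "using the"; the VAT example reads `VATDE-123456789` but its gloss says the identifier is 12345678; the Verbose OID in 9.8.2 spells the last arc `cabf-organization-identifier(1)` while the ASN.1 module below spells it `cabf-organizationIdentifier(1)`; and the EV policy OID in 9.3.2 is written with non-ASCII hyphens (`joint‐iso‐itu‐t`, `certificate‐policies`) next to an ASCII hyphen-minus in `ev-guidelines`, which matters inside a code span that readers will copy into tooling. Finally, 9.3.2 "EV Subscriber Certificates" and 9.3.5 "Subscriber Certificates" state the same certificatePolicies requirement twice with slightly different wording; keep one of them.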
--- a/docs/EVG.md +++ b/docs/EVG.md @@ -611,6 +611,9 @@ All requirements in Section 6.1.1.1 of the Baseline Requirements apply equally t ## 6.3 Other aspects of key pair management ### 6.3.1 Public key archival ### 6.3.2 Certificate operational periods and key pair usage periods +The Validity Period for an EV Certificate SHALL NOT exceed 398 days. + +It is RECOMMENDED that EV Subscriber Certificates have a Maximum Validity Period of twelve months. ## 6.4 Activation data ### 6.4.1 Activation data generation and installation ### 6.4.2 Activation data protection @@ -626,6 +629,8 @@ All requirements in Section 6.1.1.1 of the Baseline Requirements apply equally t ## 6.8 Time-stamping # 7. CERTIFICATE, CRL, AND OCSP PROFILES ## 7.1 Certificate profile +This section sets forth minimum requirements for the content of the EV Certificate as they relate to the identity of the CA and the Subject of the EV Certificate. + ### 7.1.1 Version number(s) ### 7.1.2 Certificate extensions The extensions listed in [Section 9.8](#98-certificate-extensions) are recommended for maximum interoperability between certificates and browsers / applications, but are not mandatory on the CAs except where indicated as “Required”. CAs may use other extensions that are not listed in [Section 9.8](#98-certificate-extensions), but are encouraged to add them to this section by ballot from time to time to help increase extension standardization across the industry. 
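Review bot: in the @@ -611 hunk the three lines inserted under 6.3.2 run straight into "## 6.4 Activation data" with no blank line, whereas the @@ -626 hunk closes its insertion with a blank `+` line before "### 7.1.1"; add the blank line so the heading is not glued to the RECOMMENDED sentence and the two insertions follow the same convention.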
@@ -674,6 +679,9 @@ where the subfields have the same values, meanings, and restrictions described i ### 7.1.3 Algorithm object identifiers ### 7.1.4 Name forms +## 9.1. Issuer Information + +Issuer Information listed in an EV Certificate MUST comply with Section 7.1.4.1 of the Baseline Requirements. ## 9.2. Subject Distinguished Name Fields Subject to the requirements of these Guidelines, the EV Certificate and certificates issued to Subordinate CAs that are not controlled by the same entity as the CA MUST include the following information about the Subject organization in the fields listed: 
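Review bot: heading level in the @@ -674 hunk: `## 9.1. Issuer Information` is a level-2 heading inserted under `### 7.1.4 Name forms`, and the following `## 9.2. Subject Distinguished Name Fields` (context line) has the same problem, so both break the outline; they should be `####` headings numbered 7.1.4.1 and 7.1.4.2, which PATCH 24/48 later in this series does. There is also no blank line between the inserted 9.1 paragraph and the `## 9.2.` heading.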
@@ -788,6 +796,41 @@ The CA SHALL: CAs SHALL NOT include any Subject Distinguished Name attributes except as specified in [Section 9.2](#92-subject-distinguished-name-fields). +## 9.7. Additional Technical Requirements for EV Certificates + +All provisions of the Baseline Requirements concerning Minimum Cryptographic Algorithms, Key Sizes, and Certificate Extensions apply to EV Certificates with the following exceptions: + +1. If a Subordinate CA Certificates is issued to a Subordinate CA not controlled by the entity that controls the Root CA, the policy identifiers in the `certificatePolicies` extension MUST include the CA's Extended Validation policy identifier. + + Otherwise, it MAY contain the anyPolicy identifier. + +2. The following fields MUST be present if the Subordinate CA is not controlled by the entity that controls the Root CA. + + * `certificatePolicies:policyQualifiers:policyQualifierId` + + `id-qt 1` [RFC 5280] + + * `certificatePolicies:policyQualifiers:qualifier:cPSuri` + + HTTP URL for the Root CA's Certification Practice Statement + +3. The `certificatePolicies` extension in EV Certificates issued to Subscribers MUST include the following: + + * `certificatePolicies:policyIdentifier` (Required) + + The Issuer's EV policy identifier + + * `certificatePolicies:policyQualifiers:policyQualifierId` (Required) + + `id-qt 1` [RFC 5280] + + * `certificatePolicies:policyQualifiers:qualifier:cPSuri` (Required) + + HTTP URL for the Subordinate CA's Certification Practice Statement + +4. The `cRLDistributionPoints` extension MUST be present in Subscriber Certificates if the certificate does not specify OCSP responder locations in an `authorityInformationAccess` extension. + + ### 7.1.5 Name constraints ### 7.1.6 Certificate policy object identifier ### 9.3.1. EV Certificate Policy Identification Requirements From c416fe5800dafa274e001be25d78931830a9cbe3 Mon Sep 17 00:00:00 2001 
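Review bot: item 1 of the new 9.7 ("If a Subordinate CA Certificates is issued to a Subordinate CA not controlled by the entity that controls the Root CA") has a number-agreement error ("Certificates is") and restates the rule already given in 9.3.4 of this patch series (policy identifiers required for Subordinate CAs not controlled by the issuing CA, anyPolicy permitted otherwise) with different wording ("the CA's Extended Validation policy identifier" versus "one or more policy identifiers defined by the issuing CA"); keep a single statement of the rule, preferably under 7.1.6, so the two cannot drift apart. Items 2 and 3 (`policyQualifierId` / `cPSuri`) and item 4 (`cRLDistributionPoints`) are extension requirements and belong under 7.1.2 rather than after the Subject DN fields under 7.1.4 Name forms, where this hunk places them.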
From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Mon, 10 Jul 2023 16:49:18 +0200 Subject: [PATCH 24/48] Update EVG.md --- docs/EVG.md | 38 ++++++++++++++++++-------------------- 1 file changed, 18 insertions(+), 20 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index bc83d82e..9fd152e2 100644 --- a/docs/EVG.md +++ b/docs/EVG.md @@ -637,13 +637,13 @@ The extensions listed in [Section 9.8](#98-certificate-extensions) are recommend If a CA includes an extension in a certificate that has a Certificate field which is named in [Section 9.8](#98-certificate-extensions), the CA must follow the format specified in that subsection. However, no extension or extension format shall be mandatory on a CA unless specifically stated as “Required” in the subsection that describes the extension. -### 9.8.1. Subject Alternative Name Extension +#### 7.1.2.1 Subject Alternative Name Extension __Certificate Field__: `subjectAltName:dNSName` __Required/Optional__: __Required__ __Contents__: This extension MUST contain one or more host Domain Name(s) owned or controlled by the Subject and to be associated with the Subject's server. Such server MAY be owned and operated by the Subject or another entity (e.g., a hosting service). This extension MUST NOT contain a Wildcard Domain Name unless the FQDN portion of the Wildcard Domain Name is an Onion Domain Name verified in accordance with Appendix B of the Baseline Requirements. -### 9.8.2. CA/Browser Forum Organization Identifier Extension +#### 7.1.2.2 CA/Browser Forum Organization Identifier Extension __Extension Name__: `cabfOrganizationIdentifier` (OID: 2.23.140.3.1) __Verbose OID__: `{joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) certificate-extensions(3) cabf-organization-identifier(1) }` 
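Review bot: with `9.8.1.` and `9.8.2.` renamed to `7.1.2.1` and `7.1.2.2` in the @@ -637 hunk, the unchanged context at the top of the hunk still says the extensions are "listed in [Section 9.8](#98-certificate-extensions)" (three occurrences) and "CAs may use other extensions that are not listed in [Section 9.8]"; no Section 9.8 heading remains, so these links resolve to nothing. Replace them with "this section" or `#712-certificate-extensions` in the same hunk.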
@@ -679,14 +679,14 @@ where the subfields have the same values, meanings, and restrictions described i ### 7.1.3 Algorithm object identifiers ### 7.1.4 Name forms -## 9.1. Issuer Information +#### 7.1.4.1 Issuer Information Issuer Information listed in an EV Certificate MUST comply with Section 7.1.4.1 of the Baseline Requirements. -## 9.2. Subject Distinguished Name Fields +#### 7.1.4.2 Subject Distinguished Name Fields Subject to the requirements of these Guidelines, the EV Certificate and certificates issued to Subordinate CAs that are not controlled by the same entity as the CA MUST include the following information about the Subject organization in the fields listed: -### 9.2.1. Subject Organization Name Field +##### 7.1.4.2.1 Subject Organization Name Field __Certificate Field__: `subject:organizationName` (OID 2.5.4.10) __Required/Optional__: Required 
@@ -698,19 +698,19 @@ In addition, an assumed name or DBA name used by the Subject MAY be included at If the combination of names or the organization name by itself exceeds 64 characters, the CA MAY abbreviate parts of the organization name, and/or omit non-material words in the organization name in such a way that the text in this field does not exceed the 64-character limit; provided that the CA checks this field in accordance with [Section 11.12.1](#11121-high-risk-status) and a Relying Party will not be misled into thinking that they are dealing with a different organization. In cases where this is not possible, the CA MUST NOT issue the EV Certificate. -### 9.2.2. Subject Common Name Field +##### 7.1.4.2.2 Subject Common Name Field __Certificate Field__: `subject:commonName` (OID: 2.5.4.3) __Required/Optional__: Deprecated (Discouraged, but not prohibited) __Contents__: If present, this field MUST contain a single Domain Name(s) owned or controlled by the Subject and to be associated with the Subject's server. Such server MAY be owned and operated by the Subject or another entity (e.g., a hosting service). This field MUST NOT contain a Wildcard Domain Name unless the FQDN portion of the Wildcard Domain Name is an Onion Domain Name verified in accordance with Appendix B of the Baseline Requirements. -### 9.2.3. Subject Business Category Field +##### 7.1.4.2.3 Subject Business Category Field __Certificate Field__: `subject:businessCategory` (OID: 2.5.4.15) __Required/Optional__: Required __Contents__: This field MUST contain one of the following strings: "Private Organization", "Government Entity", "Business Entity", or "Non-Commercial Entity" depending upon whether the Subject qualifies under the terms of [Section 8.5.2](#852-private-organization-subjects), [Section 8.5.3](#853-government-entity-subjects), [Section 8.5.4](#854-business-entity-subjects) or [Section 8.5.5](#855-non-commercial-entity-subjects), respectively. -### 9.2.4. 
Subject Jurisdiction of Incorporation or Registration Field +##### 7.1.4.2.4 Subject Jurisdiction of Incorporation or Registration Field __Certificate Fields__: @@ -728,7 +728,7 @@ __Contents__: These fields MUST NOT contain information that is not relevant to Effective as of 1 October 2020, the CA SHALL ensure that, at time of issuance, the values within these fields have been disclosed within the latest publicly-available disclosure, as described in [Section 11.1.3](#1113-disclosure-of-verification-sources), as acceptable values for the applicable Incorporating Agency or Registration Agency. -### 9.2.5. Subject Registration Number Field +##### 7.1.4.2.5 Subject Registration Number Field __Certificate Field__: `subject:serialNumber` (OID: 2.5.4.5) __Required/Optional__: __Required__ @@ -740,7 +740,7 @@ For Business Entities, the Registration Number that was received by the Business Effective as of 1 October 2020, if the CA has disclosed a set of acceptable format or formats for Registration Numbers for the applicable Registration Agency or Incorporating Agency, as described in [Section 11.1.3](#1113-disclosure-of-verification-sources), the CA MUST ensure, prior to issuance, that the Registration Number is valid according to at least one currently disclosed format for that applicable Registration Agency or Incorporating agency. -### 9.2.6. Subject Physical Address of Place of Business Field +##### 7.1.4.2.6 Subject Physical Address of Place of Business Field __Certificate Fields__: Number and street: `subject:streetAddress` (OID: 2.5.4.9) 
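Review bot: the @@ -698 hunk renames 9.2.3 to 7.1.4.2.3 but leaves its body pointing at `[Section 8.5.2](#852-private-organization-subjects)` through `[Section 8.5.5](#855-non-commercial-entity-subjects)`; in the restructured file those subject types are 4.1.1.1 to 4.1.1.4 (PATCH 21/48 above), so all four links dangle. The same applies to the links to Section 11.12.1 in the 7.1.4.2.1 context and to Section 11.1.3 in the 7.1.4.2.4 and 7.1.4.2.5 context: the renumbering has to be applied to link targets as well as to headings, otherwise the rendered document will have broken intra-document links wherever a section was moved.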
@@ -751,12 +751,12 @@ __Certificate Fields__: __Required/Optional__: As stated in Section 7.1.4.2.2 d, e, f, g and h of the Baseline Requirements. __Contents__: This field MUST contain the address of the physical location of the Subject's Place of Business. -### 9.2.7. Subject Organizational Unit Name Field +##### 7.1.4.2.7 Subject Organizational Unit Name Field __Certificate Field__: `subject:organizationalUnitName` (OID: 2.5.4.11) __Required/Optional/Prohibited:__ __Prohibited__. -### 9.2.8. Subject Organization Identifier Field +##### 7.1.4.2.8 Subject Organization Identifier Field __Certificate Field__: `subject:organizationIdentifier` (OID: 2.5.4.97) __Required/Optional__: Optional @@ -792,11 +792,11 @@ The CA SHALL: 3. take appropriate measures to disambiguate between different organizations as described in [Appendix H](#appendix-h--registration-schemes) for each Registration Scheme; 4. Apply the validation rules relevant to the Registration Scheme as specified in [Appendix H](#appendix-h--registration-schemes). -### 9.2.9. Other Subject Attributes +##### 7.1.4.2.9 Other Subject Attributes CAs SHALL NOT include any Subject Distinguished Name attributes except as specified in [Section 9.2](#92-subject-distinguished-name-fields). -## 9.7. Additional Technical Requirements for EV Certificates +#### 7.1.4.3 Additional Technical Requirements for EV Certificates All provisions of the Baseline Requirements concerning Minimum Cryptographic Algorithms, Key Sizes, and Certificate Extensions apply to EV Certificates with the following exceptions: 
@@ -833,11 +833,9 @@ All provisions of the Baseline Requirements concerning Minimum Cryptographic Alg ### 7.1.5 Name constraints ### 7.1.6 Certificate policy object identifier -### 9.3.1. EV Certificate Policy Identification Requirements - This section sets forth minimum requirements for the contents of EV Certificates as they relate to the identification of EV Certificate Policy. -### 9.3.2. EV Subscriber Certificates +#### 7.1.6.1 EV Subscriber Certificates Each EV Certificate issued by the CA to a Subscriber MUST contain a policy identifier that is either defined by these Guidelines or the CA in the certificate's `certificatePolicies` extension that: 
@@ -848,16 +846,16 @@ Each EV Certificate issued by the CA to a Subscriber MUST contain a policy ident The following Certificate Policy identifier is the CA/Browser Forum’s EV policy identifier: `{joint‐iso‐itu‐t(2) international‐organizations(23) ca‐browser‐forum(140) certificate‐policies(1) ev-guidelines (1) } (2.23.140.1.1)`, if the Certificate complies with these Guidelines. -### 9.3.3. Root CA Certificates +#### 7.1.6.2 Root CA Certificates The Application Software Supplier identifies Root CAs that are approved to issue EV Certificates by storing EV policy identifiers in metadata associated with Root CA Certificates. -### 9.3.4. EV Subordinate CA Certificates +#### 7.1.6.3 EV Subordinate CA Certificates 1. Certificates issued to Subordinate CAs that are not controlled by the issuing CA MUST contain one or more policy identifiers defined by the issuing CA that explicitly identify the EV Policies that are implemented by the Subordinate CA. 2. Certificates issued to Subordinate CAs that are controlled by the Root CA MAY contain the special `anyPolicy` identifier (OID: 2.5.29.32.0). -### 9.3.5. Subscriber Certificates +#### 7.1.6.4 Subscriber Certificates A Certificate issued to a Subscriber MUST contain one or more policy identifier(s), defined by the Issuing CA, in the Certificate's `certificatePolicies` extension that indicates adherence to and compliance with these Guidelines. Each CA SHALL document in its Certificate Policy or Certification Practice Statement that the Certificates it issues containing the specified policy identifier(s) are managed in accordance with these Guidelines. From 861309e9f06e652336b52ec6f7d5514c69c0eca0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Mon, 10 Jul 2023 17:39:50 +0200 Subject: [PATCH 25/48] Update EVG.md --- docs/EVG.md | 68 +++++++++++++++++++++++++++-------------------------- 1 file changed, 35 insertions(+), 33 deletions(-) 
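Review bot: In hunk @@ -698,19 +698,19 @@ the headings are renumbered but the cross-references inside them are not: the new "##### 7.1.4.2.3 Subject Business Category Field" still sends readers to "[Section 8.5.2](#852-private-organization-subjects)" through "[Section 8.5.5]", and the unchanged context above 7.1.4.2.2 still cites "[Section 11.12.1](#11121-high-risk-status)". The later "Update EVG.md" patch in this series rewrites the 8.5.x links to 4.1.1.x, so the renumbering and the link updates should land in the same commit; otherwise the intermediate document links to anchors that no longer exist.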
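Review bot: In hunk @@ -792,11 +792,11 @@ the new "##### 7.1.4.2.9 Other Subject Attributes" keeps "except as specified in [Section 9.2](#92-subject-distinguished-name-fields)", although 9.2 is the parent section that this very hunk series has just renumbered to 7.1.4.2. Suggest "[Section 7.1.4.2](#7142-subject-distinguished-name-fields)" here, which is also what the follow-up patch ends up doing.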
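Review bot: In hunk @@ -848,16 +846,16 @@ the renumbering leaves "#### 7.1.6.1 EV Subscriber Certificates" and "#### 7.1.6.4 Subscriber Certificates" as near-duplicate subsections under 7.1.6: both require a policy identifier in the certificatePolicies extension, and their titles differ only by "EV". Since the move under "Certificate policy object identifier" is already a content reshuffle, consider folding the two into one subsection (or retitling so the difference, if any, is visible from the table of contents).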
diff --git a/docs/EVG.md b/docs/EVG.md index 9fd152e2..2cf2d84f 100644 --- a/docs/EVG.md +++ b/docs/EVG.md @@ -93,9 +93,9 @@ These Guidelines do not address the verification of information, or the issuance ### 1.3.1 Certification authorities ### 1.3.2 Registration authorities The CA MAY delegate the performance of all or any part of a requirement of these Guidelines to an Affiliate or a Registration Authority (RA) or subcontractor, provided that the process employed by the CA fulfills all of the requirements of [Section 11.13](#1113-final-cross-correlation-and-due-diligence). -Affiliates and/or RAs must comply with the qualification requirements of [Section 14.1](#141-trustworthiness-and-competence). +Affiliates and/or RAs must comply with the qualification requirements of [Section 5.3.2](#532-trustworthiness-and-competence). -The CA SHALL verify that the Delegated Third Party's personnel involved in the issuance of a Certificate meet the training and skills requirements of [Section 14](#14-employee-and-third-party-issues) and the document retention and event logging requirements of [Section 15](#15-data-records). +The CA SHALL verify that the Delegated Third Party's personnel involved in the issuance of a Certificate meet the training and skills requirements of [Section 5.3](#53-employee-and-third-party-issues) and the document retention and event logging requirements of [Section 5.4](#54-data-records). In all cases, the CA MUST contractually obligate each Affiliate, RA, subcontractor, and Enterprise RA to comply with all applicable requirements in these Guidelines and to perform them as required of the CA itself. The CA SHALL enforce these obligations and internally audit each Affiliate's, RA's, subcontractor's, and Enterprise RA's compliance with these Requirements on an annual basis. #### 1.3.2.1 Enterprise Registration authorities 
@@ -105,7 +105,7 @@ The CA MAY contractually authorize a Subscriber to perform the RA function and a 2. The CA MUST impose these limitations as a contractual requirement with the Enterprise RA and monitor compliance by the Enterprise RA; and 3. The Final Cross-Correlation and Due Diligence requirements of [Section 11.13](#1113-final-cross-correlation-and-due-diligence) MAY be performed by a single person representing the Enterprise RA. -Enterprise RAs that authorize the issuance of EV Certificates solely for its own organization are exempted from the audit requirements of [Section 17.1](#171-eligible-audit-schemes). In all other cases, the requirements of [Section 17.1](#171-eligible-audit-schemes) SHALL apply. +Enterprise RAs that authorize the issuance of EV Certificates solely for its own organization are exempted from the audit requirements of [Section 8.1](#81-eligible-audit-schemes). In all other cases, the requirements of [Section 8.1](#81-eligible-audit-schemes) SHALL apply. ### 1.3.3 Subscribers ### 1.3.4 Relying parties @@ -229,7 +229,7 @@ Capitalized Terms are defined in the Baseline Requirements except where provided **Private Organization**: A non-governmental legal entity (whether ownership interests are privately held or publicly traded) whose existence was created by a filing with (or an act of) the Incorporating Agency or equivalent in its Jurisdiction of Incorporation. -**Qualified Auditor**: An independent public accounting firm that meets the auditing qualification requirements specified in [Section 17.6](#176-auditor-qualification). +**Qualified Auditor**: An independent public accounting firm that meets the auditing qualification requirements specified in [Section 8.3](#83-auditor-qualification). **Qualified Government Information Source**: A database maintained by a Government Entity (e.g. SEC filings) that meets the requirements of [Section 11.11.6](#11116-qualified-government-information-source). 
@@ -328,7 +328,7 @@ C. Specify the CA's and its Root CA's entire root certificate hierarchy includi ## 2.1 Repositories ## 2.2 Publication of certification information -Each CA MUST publicly disclose its Certificate Policy and/or Certification Practice Statement through an appropriate and readily accessible online means that is available on a 24x7 basis. The CA SHALL publicly disclose its CA business practices to the extent required by the CA's selected audit scheme (see [Section 17.1](#171-eligible-audit-schemes)). +Each CA MUST publicly disclose its Certificate Policy and/or Certification Practice Statement through an appropriate and readily accessible online means that is available on a 24x7 basis. The CA SHALL publicly disclose its CA business practices to the extent required by the CA's selected audit scheme (see [Section 8.1](#81-eligible-audit-schemes)). The CA's Certificate Policy and/or Certification Practice Statement MUST be structured in accordance with RFC 3647. The Certificate Policy and/or Certification Practice Statement MUST include all material required by RFC 3647. 
@@ -633,9 +633,9 @@ This section sets forth minimum requirements for the content of the EV Certifica ### 7.1.1 Version number(s) ### 7.1.2 Certificate extensions -The extensions listed in [Section 9.8](#98-certificate-extensions) are recommended for maximum interoperability between certificates and browsers / applications, but are not mandatory on the CAs except where indicated as “Required”. CAs may use other extensions that are not listed in [Section 9.8](#98-certificate-extensions), but are encouraged to add them to this section by ballot from time to time to help increase extension standardization across the industry. +The extensions listed in [Section 7.1.2](#712-certificate-extensions) are recommended for maximum interoperability between certificates and browsers / applications, but are not mandatory on the CAs except where indicated as “Required”. CAs may use other extensions that are not listed in [Section 7.1.2](#712-certificate-extensions), but are encouraged to add them to this section by ballot from time to time to help increase extension standardization across the industry. -If a CA includes an extension in a certificate that has a Certificate field which is named in [Section 9.8](#98-certificate-extensions), the CA must follow the format specified in that subsection. However, no extension or extension format shall be mandatory on a CA unless specifically stated as “Required” in the subsection that describes the extension. +If a CA includes an extension in a certificate that has a Certificate field which is named in [Section 7.1.2](#712-certificate-extensions), the CA must follow the format specified in that subsection. However, no extension or extension format shall be mandatory on a CA unless specifically stated as “Required” in the subsection that describes the extension. #### 7.1.2.1 Subject Alternative Name Extension 
@@ -675,7 +675,7 @@ CABFOrganizationIdentifier ::= SEQUENCE { } ``` -where the subfields have the same values, meanings, and restrictions described in [Section 9.2.8](#928-subject-organization-identifier-field). The CA SHALL validate the contents using the requirements in [Section 9.2.8](#928-subject-organization-identifier-field). +where the subfields have the same values, meanings, and restrictions described in [Section 7.1.4.2.1](#71421-subject-organization-identifier-field). The CA SHALL validate the contents using the requirements in [Section 7.1.4.2.1](#71421-subject-organization-identifier-field). ### 7.1.3 Algorithm object identifiers ### 7.1.4 Name forms @@ -708,7 +708,7 @@ __Contents__: If present, this field MUST contain a single Domain Name(s) owned __Certificate Field__: `subject:businessCategory` (OID: 2.5.4.15) __Required/Optional__: Required -__Contents__: This field MUST contain one of the following strings: "Private Organization", "Government Entity", "Business Entity", or "Non-Commercial Entity" depending upon whether the Subject qualifies under the terms of [Section 8.5.2](#852-private-organization-subjects), [Section 8.5.3](#853-government-entity-subjects), [Section 8.5.4](#854-business-entity-subjects) or [Section 8.5.5](#855-non-commercial-entity-subjects), respectively. +__Contents__: This field MUST contain one of the following strings: "Private Organization", "Government Entity", "Business Entity", or "Non-Commercial Entity" depending upon whether the Subject qualifies under the terms of [Section 4.1.1.1](#4111-private-organization-subjects), [Section 4.1.1.2](#4112-government-entity-subjects), [Section 4.1.1.3](#4113-business-entity-subjects) or [Section 4.1.1.4](#4114-non-commercial-entity-subjects), respectively. ##### 7.1.4.2.4 Subject Jurisdiction of Incorporation or Registration Field 
@@ -768,13 +768,13 @@ The Registration Scheme MUST be identified using the using the following structu * 3 character Registration Scheme identifier; * 2 character ISO 3166 country code for the nation in which the Registration Scheme is operated, or if the scheme is operated globally ISO 3166 code "XG" shall be used; -* For the NTR Registration Scheme identifier, if required under [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field), a 2 character ISO 3166-2 identifier for the subdivision (state or province) of the nation in which the Registration Scheme is operated, preceded by plus "+" (0x2B (ASCII), U+002B (UTF-8)); +* For the NTR Registration Scheme identifier, if required under [Section 7.1.4.2.4](#71424-subject-jurisdiction-of-incorporation-or-registration-field), a 2 character ISO 3166-2 identifier for the subdivision (state or province) of the nation in which the Registration Scheme is operated, preceded by plus "+" (0x2B (ASCII), U+002B (UTF-8)); * a hyphen-minus "-" (0x2D (ASCII), U+002D (UTF-8)); * Registration Reference allocated in accordance with the identified Registration Scheme Note: Registration References MAY contain hyphens, but Registration Schemes, ISO 3166 country codes, and ISO 3166-2 identifiers do not. Therefore if more than one hyphen appears in the structure, the leftmost hyphen is a separator, and the remaining hyphens are part of the Registration Reference. -As in [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field), the specified location information MUST match the scope of the registration being referenced. +As in [Section 7.1.4.2.4](#71424-subject-jurisdiction-of-incorporation-or-registration-field), the specified location information MUST match the scope of the registration being referenced. Examples: 
@@ -787,14 +787,14 @@ Registration Schemes listed in [Appendix H](#appendix-h--registration-schemes) a The CA SHALL: -1. confirm that the organization represented by the Registration Reference is the same as the organization named in the `organizationName` field as specified in [Section 9.2.1](#921-subject-organization-name-field) within the context of the subject’s jurisdiction as specified in [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field); +1. confirm that the organization represented by the Registration Reference is the same as the organization named in the `organizationName` field as specified in [Section 7.1.4.2.1](#71421-subject-organization-name-field) within the context of the subject’s jurisdiction as specified in [Section 7.1.4.2.4](#71424-subject-jurisdiction-of-incorporation-or-registration-field); 2. further verify the Registration Reference matches other information verified in accordance with [Section 11](#11-verification-requirements); 3. take appropriate measures to disambiguate between different organizations as described in [Appendix H](#appendix-h--registration-schemes) for each Registration Scheme; 4. Apply the validation rules relevant to the Registration Scheme as specified in [Appendix H](#appendix-h--registration-schemes). ##### 7.1.4.2.9 Other Subject Attributes -CAs SHALL NOT include any Subject Distinguished Name attributes except as specified in [Section 9.2](#92-subject-distinguished-name-fields). +CAs SHALL NOT include any Subject Distinguished Name attributes except as specified in [Section 7.1.4.2](#7142-subject-distinguished-name-fields). #### 7.1.4.3 Additional Technical Requirements for EV Certificates 
@@ -869,6 +869,7 @@ A Certificate issued to a Subscriber MUST contain one or more policy identifier( ### 7.3.1 Version number(s) ### 7.3.2 OCSP extensions # 8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS +## 8.1 Elegible Audit Schemes A CA issuing EV Certificates SHALL undergo an audit in accordance with one of the following schemes: i. WebTrust Program for CAs audit and WebTrust EV Program audit, 
@@ -877,16 +878,16 @@ iii. ETSI EN 319 411-1 audit for EVCP policy. If the CA is a Government Entity, an audit of the CA by the appropriate internal government auditing agency is acceptable in lieu of the audits specified above, provided that such internal government auditing agency publicly certifies in writing that its audit addresses the criteria specified in one of the above audit schemes and certifies that the government CA has successfully passed the audit. -## 8.1 Frequency or circumstances of assessment -CAs issuing EV Certificates MUST undergo an annual audit that meets the criteria of [Section 17.1](#171-eligible-audit-schemes). -## 8.2 Identity/qualifications of assessor +## 8.2 Frequency or circumstances of assessment +CAs issuing EV Certificates MUST undergo an annual audit that meets the criteria of [Section 8.1](#81-eligible-audit-schemes). +## 8.3 Identity/qualifications of assessor A Qualified Auditor (as defined in Section 8.2 of the Baseline Requirements) MUST perform the CA's audit. -## 8.3 Assessor's relationship to assessed entity -## 8.4 Topics covered by assessment -## 8.5 Actions taken as a result of deficiency -## 8.6 Communication of results +## 8.4 Assessor's relationship to assessed entity +## 8.5 Topics covered by assessment +## 8.6 Actions taken as a result of deficiency +## 8.7 Communication of results CAs SHOULD make its audit report publicly available no later than three months after the end of the audit period. If there is a delay greater than three months and if so requested by an Application Software Supplier, the CA MUST provide an explanatory letter signed by its auditor. -## 8.7 Pre-issuance Readiness Audit +## 8.8 Pre-issuance Readiness Audit 1. If the CA has a currently valid WebTrust Seal of Assurance for CAs, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against the WebTrust EV Program. 2. 
If the CA has a currently valid ETSI 102 042 audit, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against ETSI TS 102 042. @@ -897,7 +898,7 @@ CAs SHOULD make its audit report publicly available no later than three months a The CA MUST complete any required point-in-time readiness assessment no earlier than twelve (12) months prior to issuing an EV Certificate. The CA MUST undergo a complete audit under such scheme within ninety (90) days of issuing the first EV Certificate. -## 8.8 Self audits +## 8.9 Self audits During the period in which it issues EV Certificates, the CA MUST strictly control its service quality by performing ongoing self audits against a randomly selected sample of at least three percent of the EV Certificates it has issued in the period beginning immediately after the last sample was taken. For all EV Certificates where the Final Cross-Correlation and Due Diligence requirements of [Section 11.13](#1113-final-cross-correlation-and-due-diligence) is performed by an RA, the CA MUST strictly control its service quality by performing ongoing self audits against a randomly selected sample of at least six percent of the EV Certificates it has issued in the period beginning immediately after the last sample was taken. # 9. OTHER BUSINESS AND LEGAL MATTERS ## 9.1 Fees 
@@ -985,11 +986,12 @@ A CA's indemnification obligations and a Root CA's obligations with respect to s ### 9.16.3 Severability The CA MAY issue EV Certificates, provided that the CA and its Root CA satisfy the requirements in these Guidelines and the Baseline Requirements. -If a court or government body with jurisdiction over the activities covered by these Guidelines determines that the performance of any mandatory requirement is illegal, then such requirement is considered reformed to the minimum extent necessary to make the requirement valid and legal. This applies only to operations or certificate issuances that are subject to the laws of that jurisdiction. The parties involved SHALL notify the CA / Browser Forum of the facts, circumstances, and law(s) involved, so that the CA/Browser Forum may revise these Guidelines accordingly. +If a court or government body with jurisdiction over the activities covered by these Guidelines determines that the performance of any mandatory requirement is illegal, then such requirement is considered reformed to the minimum extent necessary to make the requirement valid and legal. This applies only to operations or certificate issuances that are subject to the laws of that jurisdiction. The parties involved SHALL notify the CA/Browser Forum of the facts, circumstances, and law(s) involved, so that the CA/Browser Forum may revise these Guidelines accordingly. ### 9.16.4 Enforcement (attorneys' fees and waiver of rights) ### 9.16.5 Force Majeure ## 9.17 Other provisions + # Appendix A - User Agent Verification (Normative) The CA MUST host test Web pages that allow Application Software Suppliers to test their software with EV Certificates that chain up to each EV Root Certificate. At a minimum, the CA MUST host separate Web pages using certificates that are: 
@@ -1274,26 +1276,26 @@ guidelines: The information carried in this field shall be the same as held in Subject Registration Number Field as specified in - [Section 9.2.5](#925-subject-registration-number-field) and the country code + [Section 7.1.4.2.5](#71425-subject-registration-number-field) and the country code used in the Registration Scheme identifier shall match that of the subject’s jurisdiction as specified in - [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field). + [Section 7.1.4.2.4](#71424-subject-jurisdiction-of-incorporation-or-registration-field). Where the Subject Jurisdiction of Incorporation or Registration Field in 9.2.4 includes more than the country code, the additional locality information shall - be included as specified in [Section 9.2.8](#928-subject-organization-identifier-field) - and/or [Section 9.8.2](#982-cabrowser-forum-organization-identifier-extension). + be included as specified in [Section 7.1.4.2.8](#71428-subject-organization-identifier-field) + and/or [Section 7.1.2.2](#7122-cabrowser-forum-organization-identifier-extension). * **VAT**: Reference allocated by the national tax authorities to a Legal Entity. This information shall be validated using information provided by the national tax authority against the organization as identified by the Subject Organization - Name Field (see [Section 9.2.1](#921-subject-organization-name-field)) and + Name Field (see [Section 7.1.4.2.1](#71421-subject-organization-name-field)) and Subject Registration Number Field (see - Section 9.2.5](#925-subject-registration-number-field)) within the context of + Section 7.1.4.2.5](#71425-subject-registration-number-field)) within the context of the subject’s jurisdiction as specified in - [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field). + [Section 7.1.4.2.4](#71424-subject-jurisdiction-of-incorporation-or-registration-field). * **PSD**: 
@@ -1306,10 +1308,10 @@ guidelines: SHALL be validated by being matched directly or indirectly (for example, by matching a globally unique registration number) against the organization as identified by the Subject Organization Name Field (see - [Section 9.2.1](#921-subject-organization-name-field)) and + [Section 7.1.4.2.1](#71421-subject-organization-name-field)) and Subject Registration Number Field (see - [Section 9.2.5](#925-subject-registration-number-field)) within the context of + [Section 7.1.4.2.5](#71425-subject-registration-number-field)) within the context of the subject’s jurisdiction as specified in - [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field). + [Section 7.1.4.2.4](#71424-subject-jurisdiction-of-incorporation-or-registration-field). The stated address of the organization combined with the organization name SHALL NOT be the only information used to disambiguate the organization. From a74150bff8949d13a70a3fbb9ff56b6b2fdea9a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Tue, 11 Jul 2023 13:28:03 +0200 Subject: [PATCH 26/48] Update EVG.md --- docs/EVG.md | 568 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 568 insertions(+) diff --git a/docs/EVG.md b/docs/EVG.md index 2cf2d84f..22aa9e19 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
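Review bot: In hunk @@ -93,9 +93,9 @@ the new slugs "#53-employee-and-third-party-issues" and "#54-data-records" are built from the old EVG section titles, not from the headings they now point at. If 5.3 and 5.4 carry the RFC 3647 template titles ("Personnel controls", "Audit logging procedures"), neither anchor resolves; the same check applies to "#532-trustworthiness-and-competence". Generate the slugs from the actual heading text before merging.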
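Review bot: In hunk @@ -229,7 +229,7 @@ the Qualified Auditor definition links "[Section 8.3](#83-auditor-qualification)", but hunk @@ -877,16 +878,16 @@ of this same patch titles 8.3 "Identity/qualifications of assessor", whose generated slug is "#83-identityqualifications-of-assessor" (GitHub drops the slash). Use that slug, or keep the heading text and link text in sync, so the definition does not dangle.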
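Review bot: In hunk @@ -633,9 +633,9 @@ the replacement makes the link self-referential: the paragraph sits under "### 7.1.2 Certificate extensions" and now says "The extensions listed in [Section 7.1.2](#712-certificate-extensions)", whereas the old target 9.8 was a separate section. Reword to "listed in this section" (or link the individual 7.1.2.x subsections); the second paragraph's "named in [Section 7.1.2]" has the same problem.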
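Review bot: In hunk @@ -675,7 +675,7 @@ the CABFOrganizationIdentifier paragraph now points to "[Section 7.1.4.2.1](#71421-subject-organization-identifier-field)", but 7.1.4.2.1 is the Subject Organization Name Field; the Subject Organization Identifier Field is 7.1.4.2.8 (the earlier patch renumbers "9.2.8" to "##### 7.1.4.2.8 Subject Organization Identifier Field", and Appendix H in this patch links "#71428-subject-organization-identifier-field"). Both occurrences should read "[Section 7.1.4.2.8](#71428-subject-organization-identifier-field)"; as written, the validation requirement for the extension points at the wrong rules.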
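Review bot: In hunk @@ -768,13 +768,13 @@ the context line "The Registration Scheme MUST be identified using the using the following structure" carries a duplicated "using the"; trivial, but worth fixing while this block is being edited.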
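Review bot: In hunk @@ -787,14 +787,14 @@ item 2 of the list still links "[Section 11](#11-verification-requirements)" while item 1 and the 7.1.4.2.9 sentence are updated. The verification requirements are being relocated under 3.2 by the next patch in this series, so this reference (and the unchanged "[Section 11.13]" links in hunks @@ -93 and @@ -897) needs the new number in the same pass rather than being left for later.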
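Review bot: In hunk @@ -869,6 +869,7 @@ the added heading "+## 8.1 Elegible Audit Schemes" misspells "Eligible". Beyond the typo, the generated slug becomes "#81-elegible-audit-schemes", so every link in this patch written as "#81-eligible-audit-schemes" (hunks @@ -105, @@ -328 and @@ -877) will not resolve. Fix the heading spelling.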
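Review bot: In hunk @@ -877,16 +878,16 @@ inserting a new 8.1 ahead of the RFC 3647 topics shifts "Frequency or circumstances of assessment" to 8.2 and "Identity/qualifications of assessor" to 8.3, so the EVG no longer lines up with the RFC 3647 template or the Baseline Requirements. The hunk's own context line shows the cost: "A Qualified Auditor (as defined in Section 8.2 of the Baseline Requirements)" refers to the BR's assessor-qualifications section, whose EVG counterpart is now 8.3. Suggest keeping 8.1 through 8.6 as the template numbers them and leaving the eligible-scheme list where it already sits, as introductory text of section 8 (or under 8.4 Topics covered by assessment), so the two documents can be read side by side.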
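Review bot: In hunk @@ -1274,26 +1276,26 @@ a bare "9.2.4" survives in the context line "Where the Subject Jurisdiction of Incorporation or Registration Field in 9.2.4 includes more than the country code" and should become 7.1.4.2.4. The added line "+ Section 7.1.4.2.5](#71425-subject-registration-number-field)) within the context of" also carries over the missing opening "[" from the old text, so the link does not render; add the bracket while touching the line (the corresponding line in hunk @@ -1306 has it).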
@@ -349,6 +349,574 @@ In addition, the CA MUST include (directly or by reference) the applicable requi ### 3.1.5 Uniqueness of names ### 3.1.6 Recognition, authentication, and role of trademarks ## 3.2 Initial identity validation + +## 11.1. General Overview + +This part of the Guidelines sets forth Verification Requirements and Acceptable Methods of Verification for each such Requirement. + +### 11.1.1. Verification Requirements – Overview + +Before issuing an EV Certificate, the CA MUST ensure that all Subject organization information to be included in the EV Certificate conforms to the requirements of, and is verified in accordance with, these Guidelines and matches the information confirmed and documented by the CA pursuant to its verification processes. Such verification processes are intended to accomplish the following: + +1. Verify Applicant's existence and identity, including; + + A. Verify the Applicant's legal existence and identity (as more fully set forth in [Section 11.2](#112-verification-of-applicants-legal-existence-and-identity)), + + B. Verify the Applicant's physical existence (business presence at a physical address), and + + C. Verify the Applicant's operational existence (business activity). + +2. Verify the Applicant is a registered holder, or has control, of the Domain Name(s) to be included in the EV Certificate; + +3. Verify a reliable means of communication with the entity to be named as the Subject in the Certificate; + +4. Verify the Applicant's authorization for the EV Certificate, including; + + A. Verify the name, title, and authority of the Contract Signer, Certificate Approver, and Certificate Requester, + + B. Verify that a Contract Signer signed the Subscriber Agreement or that a duly authorized Applicant Representative acknowledged and agreed to the Terms of Use; and + + C. Verify that a Certificate Approver has signed or otherwise approved the EV Certificate Request. + +### 11.1.2. 
Acceptable Methods of Verification – Overview + +As a general rule, the CA is responsible for taking all verification steps reasonably necessary to satisfy each of the Verification Requirements set forth in the subsections below. The Acceptable Methods of Verification set forth in each of Sections 11.2 through 11.14 (which usually include alternatives) are considered to be the minimum acceptable level of verification required of the CA. In all cases, however, the CA is responsible for taking any additional verification steps that may be reasonably necessary under the circumstances to satisfy the applicable Verification Requirement. + +### 11.1.3. Disclosure of Verification Sources + +Effective as of 1 October 2020, prior to the use of an Incorporating Agency or Registration Agency to fulfill these verification requirements, the CA MUST publicly disclose Agency Information about the Incorporating Agency or Registration Agency. This disclosure SHALL be through an appropriate and readily accessible online means. 
+ +This Agency Information SHALL include at least the following: + +* Sufficient information to unambiguously identify the Incorporating Agency or Registration Agency (such as a name, jurisdiction, and website); and, +* The accepted value or values for each of the `subject:jurisdictionLocalityName` (OID: 1.3.6.1.4.1.311.60.2.1.1), `subject:jurisdictionStateOrProvinceName` (OID: 1.3.6.1.4.1.311.60.2.1.2), and `subject:jurisdictionCountryName` (OID: 1.3.6.1.4.1.311.60.2.1.3) fields, when a certificate is issued using information from that Incorporating Agency or Registration Agency, indicating the jurisdiction(s) that the Agency is appropriate for; and, +* The acceptable form or syntax of Registration Numbers used by the Incorporating Agency or Registration Agency, if the CA restricts such Numbers to an acceptable form or syntax; and, +* A revision history that includes a unique version number and date of publication for any additions, modifications, and/or removals from this list. + +The CA MUST document where to obtain this information within Section 3.2 of the CA's Certificate Policy and/or Certification Practice Statement. + +## 11.2. Verification of Applicant's Legal Existence and Identity + +### 11.2.1. Verification Requirements + +To verify the Applicant's legal existence and identity, the CA MUST do the following. + +1. **Private Organization Subjects** + + A. **Legal Existence**: Verify that the Applicant is a legally recognized entity, in existence and validly formed (e.g., incorporated) with the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration, and not designated on the records of the Incorporating or Registration Agency by labels such as "inactive", "invalid", "not current", or the equivalent. + B. 
**Organization Name**: Verify that the Applicant's formal legal name as recorded with the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration matches the Applicant's name in the EV Certificate Request. + C. **Registration Number**: Obtain the specific Registration Number assigned to the Applicant by the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration. Where the Incorporating or Registration Agency does not assign a Registration Number, the CA SHALL obtain the Applicant's date of Incorporation or Registration. + D. **Registered Agent**: Obtain the identity and address of the Applicant's Registered Agent or Registered Office (as applicable in the Applicant's Jurisdiction of Incorporation or Registration). + +2. **Government Entity Subjects** + + A. **Legal Existence**: Verify that the Applicant is a legally recognized Government Entity, in existence in the political subdivision in which such Government Entity operates. + B. **Entity Name**: Verify that the Applicant's formal legal name matches the Applicant's name in the EV Certificate Request. + C. **Registration Number**: The CA MUST attempt to obtain the Applicant's date of incorporation, registration, or formation, or the identifier for the legislative act that created the Government Entity. In circumstances where this information is not available, the CA MUST enter appropriate language to indicate that the Subject is a Government Entity. + +3. **Business Entity Subjects** + + A. **Legal Existence**: Verify that the Applicant is engaged in business under the name submitted by the Applicant in the Application. + B. **Organization Name**: Verify that the Applicant's formal legal name as recognized by the Registration Agency in the Applicant's Jurisdiction of Registration matches the Applicant's name in the EV Certificate Request. + C. 
**Registration Number**: Attempt to obtain the specific unique Registration Number assigned to the Applicant by the Registration Agency in the Applicant's Jurisdiction of Registration. Where the Registration Agency does not assign a Registration Number, the CA SHALL obtain the Applicant's date of Registration. + D. **Principal Individual**: Verify the identity of the identified Principal Individual. + +4. **Non-Commercial Entity Subjects (International Organizations)** + + A. **Legal Existence**: Verify that the Applicant is a legally recognized International Organization Entity. + B. **Entity Name**: Verify that the Applicant's formal legal name matches the Applicant's name in the EV Certificate Request. + C. **Registration Number**: The CA MUST attempt to obtain the Applicant's date of formation, or the identifier for the legislative act that created the International Organization Entity. In circumstances where this information is not available, the CA MUST enter appropriate language to indicate that the Subject is an International Organization Entity. + +### 11.2.2. Acceptable Method of Verification + +1. **Private Organization Subjects**: Unless verified under subsection (6), all items listed in [Section 11.2.1](#1121-verification-requirements) (1) MUST be verified directly with, or obtained directly from, the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration. Such verification MAY be through use of a Qualified Government Information Source operated by, or on behalf of, the Incorporating or Registration Agency, or by direct contact with the Incorporating or Registration Agency in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Incorporating or Registration Agency, or from a Qualified Independent Information Source. + +2. 
**Government Entity Subjects**: Unless verified under subsection (6), all items listed in [Section 11.2.1](#1121-verification-requirements) (2) MUST either be verified directly with, or obtained directly from, one of the following: + i. a Qualified Government Information Source in the political subdivision in which such Government Entity operates; + ii. a superior governing Government Entity in the same political subdivision as the Applicant (e.g. a Secretary of State may verify the legal existence of a specific State Department), or + iii. from a judge that is an active member of the federal, state or local judiciary within that political subdivision. + + Any communication from a judge SHALL be verified in the same manner as is used for verifying factual assertions that are asserted by an Attorney as set forth in [Section 11.11.1](#11111-verified-legal-opinion). + + Such verification MAY be by direct contact with the appropriate Government Entity in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained from a Qualified Independent Information Source. + +3. **Business Entity Subjects**: Unless verified under subsection (6), Items listed in [Section 11.2.1](#1121-verification-requirements) (3) (A) through (C) above, MUST be verified directly with, or obtained directly from, the Registration Agency in the Applicant's Jurisdiction of Registration. Such verification MAY be performed by means of a Qualified Government Information Source, a Qualified Governmental Tax Information Source, or by direct contact with the Registration Agency in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Qualified Governmental Tax Information Source or Registration Agency, or from a Qualified Independent Information Source. 
In addition, the CA MUST validate a Principal Individual associated with the Business Entity pursuant to the requirements in subsection (4), below. + +4. **Principal Individual**: A Principal Individual associated with the Business Entity MUST be validated in a face-to-face setting. The CA MAY rely upon a face-to-face validation of the Principal Individual performed by the Registration Agency, provided that the CA has evaluated the validation procedure and concluded that it satisfies the requirements of the Guidelines for face-to-face validation procedures. Where no face-to-face validation was conducted by the Registration Agency, or the Registration Agency's face-to-face validation procedure does not satisfy the requirements of the Guidelines, the CA SHALL perform face-to-face validation. + + A. **Face-To-Face Validation**: The face-to-face validation MUST be conducted before either an employee of the CA, a Latin Notary, a Notary (or equivalent in the Applicant's jurisdiction), a Lawyer, or Accountant (Third-Party Validator). The Principal Individual(s) MUST present the following documentation (Vetting Documents) directly to the Third-Party Validator: + + i. A Personal Statement that includes the following information: + + 1. Full name or names by which a person is, or has been, known (including all other names used); + 2. Residential Address at which he/she can be located; + 3. Date of birth; and + 4. An affirmation that all of the information contained in the Certificate Request is true and correct. + + ii. A current signed government-issued identification document that includes a photo of the Individual and is signed by the Individual such as: + + 1. A passport; + 2. A driver's license; + 3. A personal identification card; + 4. A concealed weapons permit; or + 5. A military ID. + + iii. At least two secondary documentary evidences to establish his/her identity that include the name of the Individual, one of which MUST be from a financial institution. + + 1. 
Acceptable financial institution documents include: + + a. A major credit card, provided that it contains an expiration date and it has not expired' + b. A debit card from a regulated financial institution, provided that it contains an expiration date and it has not expired, + c. A mortgage statement from a recognizable lender that is less than six months old, + d. A bank statement from a regulated financial institution that is less than six months old. + + 2. Acceptable non-financial documents include: + + a. Recent original utility bills or certificates from a utility company confirming the arrangement to pay for the services at a fixed address (not a mobile/cellular telephone bill), + b. A copy of a statement for payment of a lease, provided that the statement is dated within the past six months, + c. A certified copy of a birth certificate, + d. A local authority tax bill for the current year, + e. A certified copy of a court order, such as a divorce certificate, annulment papers, or adoption papers. + + The Third-Party Validator performing the face-to-face validation MUST: + + i. Attest to the signing of the Personal Statement and the identity of the signer; and + ii. Identify the original Vetting Documents used to perform the identification. In addition, the Third-Party Validator MUST attest on a copy of the current signed government-issued photo identification document that it is a full, true, and accurate reproduction of the original. + + B. **Verification of Third-Party Validator**: The CA MUST independently verify that the Third-Party Validator is a legally-qualified Latin Notary or Notary (or legal equivalent in the Applicant's jurisdiction), lawyer, or accountant in the jurisdiction of the Individual's residency, and that the Third-Party Validator actually did perform the services and did attest to the signature of the Individual. + + C. 
**Cross-checking of Information**: The CA MUST obtain the signed and attested Personal Statement together with the attested copy of the current signed government-issued photo identification document. The CA MUST review the documentation to determine that the information is consistent, matches the information in the application, and identifies the Individual. The CA MAY rely on electronic copies of this documentation, provided that: + + i. the CA confirms their authenticity (not improperly modified when compared with the underlying original) with the Third-Party Validator; and + ii. electronic copies of similar kinds of documents are recognized as legal substitutes for originals under the laws of the CA's jurisdiction. + +5. **Non-Commercial Entity Subjects (International Organization)**: Unless verified under subsection (6), all items listed in [Section 11.2.1](#1121-verification-requirements) (4) MUST be verified either: + + A. With reference to the constituent document under which the International Organization was formed; or + B. Directly with a signatory country's government in which the CA is permitted to do business. Such verification may be obtained from an appropriate government agency or from the laws of that country, or by verifying that the country's government has a mission to represent it at the International Organization; or + C. Directly against any current list of qualified entities that the CA/Browser Forum may maintain at www.cabforum.org. + D. In cases where the International Organization applying for the EV Certificate is an organ or agency - including a non-governmental organization of a verified International Organization, then the CA may verify the International Organization Applicant directly with the verified umbrella International Organization of which the Applicant is an organ or agency. + +6. The CA may rely on a Verified Professional Letter to establish the Applicant's information listed in (1)-(5) above if: + + i. 
the Verified Professional Letter includes a copy of supporting documentation used to establish the Applicant's legal existence, such as a certificate of registration, articles of incorporation, operating agreement, statute, or regulatory act, and + ii. the CA confirms the Applicant's organization name specified in the Verified Professional Letter with a QIIS or QGIS. + +## 11.3. Verification of Applicant's Legal Existence and Identity – Assumed Name + +### 11.3.1. Verification Requirements + +If, in addition to the Applicant's formal legal name, as recorded with the applicable Incorporating Agency or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration, the Applicant's identity, as asserted in the EV Certificate, is to contain any assumed name (also known as "doing business as", "DBA", or "d/b/a" in the US, and "trading as" in the UK) under which the Applicant conducts business, the CA MUST verify that: + + i. the Applicant has registered its use of the assumed name with the appropriate government agency for such filings in the jurisdiction of its Place of Business (as verified in accordance with these Guidelines), and + ii. that such filing continues to be valid. + +### 11.3.2. Acceptable Method of Verification + +To verify any assumed name under which the Applicant conducts business: + +1. The CA MAY verify the assumed name through use of a Qualified Government Information Source operated by, or on behalf of, an appropriate government agency in the jurisdiction of the Applicant's Place of Business, or by direct contact with such government agency in person or via mail, e-mail, Web address, or telephone; or +2. The CA MAY verify the assumed name through use of a Qualified Independent Information Source provided that the QIIS has verified the assumed name with the appropriate government agency. +3. 
The CA MAY rely on a Verified Professional Letter that indicates the assumed name under which the Applicant conducts business, the government agency with which the assumed name is registered, and that such filing continues to be valid. + +## 11.4. Verification of Applicant's Physical Existence + +### 11.4.1. Address of Applicant's Place of Business + +1. **Verification Requirements**: To verify the Applicant's physical existence and business presence, the CA MUST verify that the physical address provided by the Applicant is an address where the Applicant or a Parent/Subsidiary Company conducts business operations (not, for example, a mail drop or P.O. box, or 'care of' (C/O) address, such as an address for an agent of the Organization), and is the address of the Applicant's Place of Business. + +2. **Acceptable Methods of Verification** + + A. **Place of Business in the Country of Incorporation or Registration** + + i. For Applicants whose Place of Business is in the same country as the Applicant's Jurisdiction of Incorporation or Registration and whose Place of Business is NOT the same as that indicated in the relevant Qualified Government Information Source used in [Section 11.2](#112-verification-of-applicants-legal-existence-and-identity) to verify legal existence: + + 1. For Applicants listed at the same Place of Business address in the current version of either at least one QGIS (other than that used to verify legal existence), QIIS or QTIS, the CA MUST confirm that the Applicant's address, as listed in the EV Certificate Request, is a valid business address for the Applicant or a Parent/Subsidiary Company by reference to such QGIS, QIIS, or QTIS, and MAY rely on the Applicant's representation that such address is its Place of Business; + + 2. 
For Applicants who are not listed at the same Place of Business address in the current version of either at least one QIIS or QTIS, the CA MUST confirm that the address provided by the Applicant in the EV Certificate Request is the Applicant's or a Parent/Subsidiary Company's business address, by obtaining documentation of a site visit to the business address, which MUST be performed by a reliable individual or firm. The documentation of the site visit MUST: + + a. Verify that the Applicant's business is located at the exact address stated in the EV Certificate Request (e.g., via permanent signage, employee confirmation, etc.), + b. Identify the type of facility (e.g., office in a commercial building, private residence, storefront, etc.) and whether it appears to be a permanent business location, + c. Indicate whether there is a permanent sign (that cannot be moved) that identifies the Applicant, + d. Indicate whether there is evidence that the Applicant is conducting ongoing business activities at the site (not that it is just, for example, a mail drop, P.O. box, etc.), and + e. Include one or more photos of + i. the exterior of the site (showing signage indicating the Applicant's name, if present, and showing the street address if possible), and + ii. the interior reception area or workspace. + + ii. For all Applicants, the CA MAY alternatively rely on a Verified Professional Letter that indicates the address of the Applicant's or a Parent/Subsidiary Company's Place of Business and that business operations are conducted there. + iii. For Government Entity Applicants, the CA MAY rely on the address contained in the records of the QGIS in the Applicant's jurisdiction. + iv. 
For Applicants whose Place of Business is in the same country as the Applicant's Jurisdiction of Incorporation or Registration and where the QGIS used in [Section 11.2](#112-verification-of-applicants-legal-existence-and-identity) to verify legal existence contains a business address for the Applicant, the CA MAY rely on the address in the QGIS to confirm the Applicant's or a Parent/Subsidiary Company's address as listed in the EV Certificate Request, and MAY rely on the Applicant's representation that such address is its Place of Business. + + B. **Place of Business not in the Country of Incorporation or Registration**: The CA MUST rely on a Verified Professional Letter that indicates the address of the Applicant's Place of Business and that business operations are conducted there. + +## 11.5. Verified Method of Communication + +### 11.5.1. Verification Requirements + +To assist in communicating with the Applicant and confirming that the Applicant is aware of and approves issuance, the CA MUST verify a telephone number, fax number, email address, or postal delivery address as a Verified Method of Communication with the Applicant. + +### 11.5.2. Acceptable Methods of Verification + +To verify a Verified Method of Communication with the Applicant, the CA MUST: + +A. Verify that the Verified Method of Communication belongs to the Applicant, or a Parent/Subsidiary or Affiliate of the Applicant, by matching it with one of the Applicant's Parent/Subsidiary or Affiliate's Places of Business in: + + i. records provided by the applicable phone company; + ii. a QGIS, QTIS, or QIIS; or + iii. a Verified Professional Letter; and + +B. Confirm the Verified Method of Communication by using it to obtain an affirmative response sufficient to enable a reasonable person to conclude that the Applicant, or a Parent/Subsidiary or Affiliate of Applicant, can be contacted reliably by using the Verified Method of Communication. + +## 11.6. 
Verification of Applicant's Operational Existence + +### 11.6.1. Verification Requirements + +The CA MUST verify that the Applicant has the ability to engage in business by verifying the Applicant's, or Affiliate/Parent/Subsidiary Company's, operational existence. The CA MAY rely on its verification of a Government Entity's legal existence under [Section 11.2](#112-verification-of-applicants-legal-existence-and-identity) as verification of a Government Entity's operational existence. + +### 11.6.2. Acceptable Methods of Verification + +To verify the Applicant's ability to engage in business, the CA MUST verify the operational existence of the Applicant, or its Affiliate/Parent/Subsidiary Company, by: + +1. Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company has been in existence for at least three years, as indicated by the records of an Incorporating Agency or Registration Agency; + +2. Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company is listed in either a current QIIS or QTIS; + +3. Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company has an active current Demand Deposit Account with a Regulated Financial Institution by receiving authenticated documentation of the Applicant's, Affiliate's, Parent Company's, or Subsidiary Company's Demand Deposit Account directly from a Regulated Financial Institution; or + +4. Relying on a Verified Professional Letter to the effect that the Applicant has an active current Demand Deposit Account with a Regulated Financial Institution. + +## 11.7. Verification of Applicant's Domain Name + +### 11.7.1. Verification Requirements + +1. 
For each Fully-Qualified Domain Name listed in a Certificate which is not an Onion Domain Name, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant (or the Applicant's Parent Company, Subsidiary Company, or Affiliate, collectively referred to as "Applicant" for the purposes of this section) either is the Domain Name Registrant or has control over the FQDN using a procedure specified in Section 3.2.2.4 of the Baseline Requirements. For a Certificate issued to an Onion Domain Name, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant's control over the Onion Domain Name in accordance with Appendix B of the Baseline Requirements. + +2. **Mixed Character Set Domain Names**: EV Certificates MAY include Domain Names containing mixed character sets only in compliance with the rules set forth by the domain registrar. The CA MUST visually compare any Domain Names with mixed character sets with known high risk domains. If a similarity is found, then the EV Certificate Request MUST be flagged as High Risk. The CA must perform reasonably appropriate additional authentication and verification to be certain beyond reasonable doubt that the Applicant and the target in question are the same organization. + +## 11.8. Verification of Name, Title, and Authority of Contract Signer and Certificate Approver + +### 11.8.1. Verification Requirements + +For both the Contract Signer and the Certificate Approver, the CA MUST verify the following. + +1. **Name, Title and Agency**: The CA MUST verify the name and title of the Contract Signer and the Certificate Approver, as applicable. The CA MUST also verify that the Contract Signer and the Certificate Approver are agents representing the Applicant. +2. 
**Signing Authority of Contract Signer**: The CA MUST verify that the Contract Signer is authorized by the Applicant to enter into the Subscriber Agreement (and any other relevant contractual obligations) on behalf of the Applicant, including a contract that designates one or more Certificate Approvers on behalf of the Applicant. +3. **EV Authority of Certificate Approver**: The CA MUST verify, through a source other than the Certificate Approver him- or herself, that the Certificate Approver is expressly authorized by the Applicant to do the following, as of the date of the EV Certificate Request: + + A. Submit, and, if applicable, authorize a Certificate Requester to submit, the EV Certificate Request on behalf of the Applicant; and + B. Provide, and, if applicable, authorize a Certificate Requester to provide, the information requested from the Applicant by the CA for issuance of the EV Certificate; and + C. Approve EV Certificate Requests submitted by a Certificate Requester. + +### 11.8.2. Acceptable Methods of Verification – Name, Title and Agency + +Acceptable methods of verification of the name, title, and agency status of the Contract Signer and the Certificate Approver include the following. + +1. **Name and Title**: The CA MAY verify the name and title of the Contract Signer and the Certificate Approver by any appropriate method designed to provide reasonable assurance that a person claiming to act in such a role is in fact the named person designated to act in such role. + +2. **Agency**: The CA MAY verify the agency of the Contract Signer and the Certificate Approver by: + + A. Contacting the Applicant using a Verified Method of Communication for the Applicant, and obtaining confirmation that the Contract Signer and/or the Certificate Approver, as applicable, is an employee; + B. 
Obtaining an Independent Confirmation From the Applicant (as described in [Section 11.11.4](#11114-independent-confirmation-from-applicant)), or a Verified Professional Letter verifying that the Contract Signer and/or the Certificate Approver, as applicable, is either an employee or has otherwise been appointed as an agent of the Applicant; or + C. Obtaining confirmation from a QIIS or QGIS that the Contract Signer and/or Certificate Approver is an employee of the Applicant. + + The CA MAY also verify the agency of the Certificate Approver via a certification from the Contract Signer (including in a contract between the CA and the Applicant signed by the Contract Signer), provided that the employment or agency status and Signing Authority of the Contract Signer has been verified. + +### 11.8.3. Acceptable Methods of Verification – Authority + +Acceptable methods of verification of the Signing Authority of the Contract Signer, and the EV Authority of the Certificate Approver, as applicable, include: + +1. **Verified Professional Letter**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by reliance on a Verified Professional Letter; +2. **Corporate Resolution**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by reliance on a properly authenticated corporate resolution that confirms that the person has been granted such Signing Authority, provided that such resolution is + + i. certified by the appropriate corporate officer (e.g., secretary), and + ii. the CA can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification; + +3. 
**Independent Confirmation from Applicant**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by obtaining an Independent Confirmation from the Applicant (as described in [Section 11.11.4](#11114-independent-confirmation-from-applicant)); +4. **Contract between CA and Applicant**: The EV Authority of the Certificate Approver MAY be verified by reliance on a contract between the CA and the Applicant that designates the Certificate Approver with such EV Authority, provided that the contract is signed by the Contract Signer and provided that the agency and Signing Authority of the Contract Signer have been verified; +5. **Prior Equivalent Authority**: The signing authority of the Contract Signer, and/or the EV authority of the Certificate Approver, MAY be verified by relying on a demonstration of Prior Equivalent Authority. + + A. Prior Equivalent Authority of a Contract Signer MAY be relied upon for confirmation or verification of the signing authority of the Contract Signer when the Contract Signer has executed a binding contract between the CA and the Applicant with a legally valid and enforceable seal or handwritten signature and only when the contract was executed more than 90 days prior to the EV Certificate application. The CA MUST record sufficient details of the previous agreement to correctly identify it and associate it with the EV application. Such details MAY include any of the following: + + i. Agreement title, + ii. Date of Contract Signer's signature, + iii. Contract reference number, and + iv. Filing location. + + B. Prior Equivalent Authority of a Certificate Approver MAY be relied upon for confirmation or verification of the EV Authority of the Certificate Approver when the Certificate Approver has performed one or more of the following: + + i. Under contract to the CA, has served (or is serving) as an Enterprise RA for the Applicant, or + ii. 
Has participated in the approval of one or more certificate requests, for certificates issued by the CA and which are currently and verifiably in use by the Applicant. In this case the CA MUST have contacted the Certificate Approver by phone at a previously validated phone number or have accepted a signed and notarized letter approving the certificate request. + +6. **QIIS or QGIS**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by a QIIS or QGIS that identifies the Contract Signer and/or the Certificate Approver as a corporate officer, sole proprietor, or other senior official of the Applicant. + +7. **Contract Signer's Representation/Warranty**: Provided that the CA verifies that the Contract Signer is an employee or agent of the Applicant, the CA MAY rely on the signing authority of the Contract Signer by obtaining a duly executed representation or warranty from the Contract Signer that includes the following acknowledgments: + + A. That the Applicant authorizes the Contract Signer to sign the Subscriber Agreement on the Applicant's behalf, + B. That the Subscriber Agreement is a legally valid and enforceable agreement, + C. That, upon execution of the Subscriber Agreement, the Applicant will be bound by all of its terms and conditions, + D. That serious consequences attach to the misuse of an EV certificate, and + E. The contract signer has the authority to obtain the digital equivalent of a corporate seal, stamp or officer's signature to establish the authenticity of the company's Web site. + +Note: An example of an acceptable representation/warranty appears in [Appendix E](#appendix-e---sample-contract-signers-representationwarranty-informative). + +### 11.8.4. Pre-Authorized Certificate Approver + +Where the CA and Applicant contemplate the submission of multiple future EV Certificate Requests, then, after the CA: + +1. 
Has verified the name and title of the Contract Signer and that he/she is an employee or agent of the Applicant; and + +2. Has verified the Signing Authority of such Contract Signer in accordance with one of the procedures in [Section 11.8.3](#1183-acceptable-methods-of-verification--authority). + +The CA and the Applicant MAY enter into a written agreement, signed by the Contract Signer on behalf of the Applicant, whereby, for a specified term, the Applicant expressly authorizes one or more Certificate Approver(s) designated in such agreement to exercise EV Authority with respect to each future EV Certificate Request submitted on behalf of the Applicant and properly authenticated as originating with, or otherwise being approved by, such Certificate Approver(s). + +Such an agreement MUST provide that the Applicant shall be obligated under the Subscriber Agreement for all EV Certificates issued at the request of, or approved by, such Certificate Approver(s) until such EV Authority is revoked, and MUST include mutually agreed-upon provisions for: + + i. authenticating the Certificate Approver when EV Certificate Requests are approved, + ii. periodic re-confirmation of the EV Authority of the Certificate Approver, + iii. secure procedures by which the Applicant can notify the CA that the EV Authority of any such Certificate Approver is revoked, and + iv. such other appropriate precautions as are reasonably necessary. + +## 11.9. Verification of Signature on Subscriber Agreement and EV Certificate Requests + +Both the Subscriber Agreement and each non-pre-authorized EV Certificate Request MUST be signed. The Subscriber Agreement MUST be signed by an authorized Contract Signer. The EV Certificate Request MUST be signed by the Certificate Requester submitting the document, unless the Certificate Request has been pre-authorized in line with [Section 11.8.4](#1184-pre-authorized-certificate-approver). 
If the Certificate Requester is not also an authorized Certificate Approver, then an authorized Certificate Approver MUST independently approve the EV Certificate Request. In all cases, applicable signatures MUST be a legally valid and contain an enforceable seal or handwritten signature (for a paper Subscriber Agreement and/or EV Certificate Request), or a legally valid and enforceable electronic signature (for an electronic Subscriber Agreement and/or EV Certificate Request), that binds the Applicant to the terms of each respective document. + +### 11.9.1. Verification Requirements + +1. **Signature**: The CA MUST authenticate the signature of the Contract Signer on the Subscriber Agreement and the signature of the Certificate Requester on each EV Certificate Request in a manner that makes it reasonably certain that the person named as the signer in the applicable document is, in fact, the person who signed the document on behalf of the Applicant. + +2. **Approval Alternative**: In cases where an EV Certificate Request is signed and submitted by a Certificate Requester who does not also function as a Certificate Approver, approval and adoption of the EV Certificate Request by a Certificate Approver in accordance with the requirements of [Section 11.10](#1110-verification-of-approval-of-ev-certificate-request) can substitute for authentication of the signature of the Certificate Requester on such EV Certificate Request. + +### 11.9.2. Acceptable Methods of Signature Verification + +Acceptable methods of authenticating the signature of the Certificate Requester or Contract Signer include the following: + +1. Contacting the Applicant using a Verified Method of Communication for the Applicant, for the attention of the Certificate Requester or Contract Signer, as applicable, followed by a response from someone who identifies themselves as such person confirming that he/she did sign the applicable document on behalf of the Applicant; + +2. 
A letter mailed to the Applicant's or Agent's address, as verified through independent means in accordance with these Guidelines, for the attention of the Certificate Requester or Contract Signer, as applicable, followed by a response through a Verified Method of Communication from someone who identifies themselves as such person confirming that he/she did sign the applicable document on behalf of the Applicant; + +3. Use of a signature process that establishes the name and title of the signer in a secure manner, such as through use of an appropriately secure login process that identifies the signer before signing, or through use of a digital signature made with reference to an appropriately verified certificate; or + +4. Notarization by a notary, provided that the CA independently verifies that such notary is a legally qualified notary in the jurisdiction of the Certificate Requester or Contract Signer. + +## 11.10. Verification of Approval of EV Certificate Request + +### 11.10.1. Verification Requirements + +In cases where an EV Certificate Request is submitted by a Certificate Requester, before the CA issues the requested EV Certificate, the CA MUST verify that an authorized Certificate Approver reviewed and approved the EV Certificate Request. + +### 11.10.2. Acceptable Methods of Verification + +Acceptable methods of verifying the Certificate Approver's approval of an EV Certificate Request include: + +1. Contacting the Certificate Approver using a Verified Method of Communication for the Applicant and obtaining oral or written confirmation that the Certificate Approver has reviewed and approved the EV Certificate Request; +2. Notifying the Certificate Approver that one or more new EV Certificate Requests are available for review and approval at a designated access-controlled and secure Web site, followed by a login by, and an indication of approval from, the Certificate Approver in the manner required by the Web site; or +3. 
Verifying the signature of the Certificate Approver on the EV Certificate Request in accordance with [Section 11.9](#119-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests). + +## 11.11. Verification of Certain Information Sources + +### 11.11.1. Verified Legal Opinion + +1. **Verification Requirements**: Before relying on a legal opinion submitted to the CA, the CA MUST verify that such legal opinion meets the following requirements: + + A. **Status of Author**: The CA MUST verify that the legal opinion is authored by an independent legal practitioner retained by and representing the Applicant (or an in-house legal practitioner employed by the Applicant) (Legal Practitioner) who is either: + + i. A lawyer (or solicitor, barrister, advocate, or equivalent) licensed to practice law in the country of the Applicant's Jurisdiction of Incorporation or Registration or any jurisdiction where the Applicant maintains an office or physical facility, or + ii. A Latin Notary who is currently commissioned or licensed to practice in the country of the Applicant's Jurisdiction of Incorporation or Registration or any jurisdiction where the Applicant maintains an office or physical facility (and that such jurisdiction recognizes the role of the Latin Notary); + + B. **Basis of Opinion**: The CA MUST verify that the Legal Practitioner is acting on behalf of the Applicant and that the conclusions of the Verified Legal Opinion are based on the Legal Practitioner's stated familiarity with the relevant facts and the exercise of the Legal Practitioner's professional judgment and expertise; + C. **Authenticity**: The CA MUST confirm the authenticity of the Verified Legal Opinion. + +2. **Acceptable Methods of Verification**: Acceptable methods of establishing the foregoing requirements for a Verified Legal Opinion are: + + A. 
**Status of Author**: The CA MUST verify the professional status of the author of the legal opinion by directly contacting the authority responsible for registering or licensing such Legal Practitioner(s) in the applicable jurisdiction; + B. **Basis of Opinion**: The text of the legal opinion MUST make it clear that the Legal Practitioner is acting on behalf of the Applicant and that the conclusions of the legal opinion are based on the Legal Practitioner's stated familiarity with the relevant facts and the exercise of the practitioner's professional judgment and expertise. The legal opinion MAY also include disclaimers and other limitations customary in the Legal Practitioner's jurisdiction, provided that the scope of the disclaimed responsibility is not so great as to eliminate any substantial risk (financial, professional, and/or reputational) to the Legal Practitioner, should the legal opinion prove to be erroneous. An acceptable form of legal opinion is attached as [Appendix B](#appendix-b---sample-attorney-opinions-confirming-specified-information); + C. **Authenticity**: To confirm the authenticity of the legal opinion, the CA MUST make a telephone call or send a copy of the legal opinion back to the Legal Practitioner at the address, phone number, facsimile, or (if available) e-mail address for the Legal Practitioner listed with the authority responsible for registering or licensing such Legal Practitioner, and obtain confirmation from the Legal Practitioner or the Legal Practitioner's assistant that the legal opinion is authentic. If a phone number is not available from the licensing authority, the CA MAY use the number listed for the Legal Practitioner in records provided by the applicable phone company, QGIS, or QIIS. 
+ + In circumstances where the opinion is digitally signed, in a manner that confirms the authenticity of the document and the identity of the signer, as verified by the CA in [Section 11.11.1](#11111-verified-legal-opinion) (2)(A), no further verification of authenticity is required. + +### 11.11.2. Verified Accountant Letter + +1. **Verification Requirements**: Before relying on an accountant letter submitted to the CA, the CA MUST verify that such accountant letter meets the following requirements: + + A. **Status of Author**: The CA MUST verify that the accountant letter is authored by an Accounting Practitioner retained or employed by the Applicant and licensed within the country of the Applicant's Jurisdiction of Incorporation, Jurisdiction of Registration, or country where the Applicant maintains an office or physical facility. Verification of license MUST be through the member organization or regulatory organization in the Accounting Practitioner's country or jurisdiction that is appropriate to contact when verifying an accountant's license to practice in that country or jurisdiction. Such country or jurisdiction must have an accounting standards body that maintains full membership status with the International Federation of Accountants. + B. **Basis of Opinion**: The CA MUST verify that the Accounting Practitioner is acting on behalf of the Applicant and that the conclusions of the Verified Accountant Letter are based on the Accounting Practitioner's stated familiarity with the relevant facts and the exercise of the Accounting Practitioner's professional judgment and expertise; + C. **Authenticity**: The CA MUST confirm the authenticity of the Verified Accountant Letter. + +2. **Acceptable Methods of Verification**: Acceptable methods of establishing the foregoing requirements for a Verified Accountant Letter are listed here. + + A. 
**Status of Author**: The CA MUST verify the professional status of the author of the accountant letter by directly contacting the authority responsible for registering or licensing such Accounting Practitioners in the applicable jurisdiction. + B. **Basis of Opinion**: The text of the Verified Accountant Letter MUST make clear that the Accounting Practitioner is acting on behalf of the Applicant and that the information in the letter is based on the Accounting Practitioner's stated familiarity with the relevant facts and the exercise of the practitioner's professional judgment and expertise. The Verified Accountant Letter MAY also include disclaimers and other limitations customary in the Accounting Practitioner's jurisdiction, provided that the scope of the disclaimed responsibility is not so great as to eliminate any substantial risk (financial, professional, and/or reputational) to the Accounting Practitioner, should the Verified Accountant Letter prove to be erroneous. Acceptable forms of Verified Accountant Letter are attached as [Appendix C](#appendix-c---sample-accountant-letters-confirming-specified-information). + C. **Authenticity**: To confirm the authenticity of the accountant's opinion, the CA MUST make a telephone call or send a copy of the Verified Accountant Letter back to the Accounting Practitioner at the address, phone number, facsimile, or (if available) e-mail address for the Accounting Practitioner listed with the authority responsible for registering or licensing such Accounting Practitioners and obtain confirmation from the Accounting Practitioner or the Accounting Practitioner's assistant that the accountant letter is authentic. If a phone number is not available from the licensing authority, the CA MAY use the number listed for the Accountant in records provided by the applicable phone company, QGIS, or QIIS. 
+ + In circumstances where the opinion is digitally signed, in a manner that confirms the authenticity of the document and the identity of the signer, as verified by the CA in [Section 11.11.2](#11112-verified-accountant-letter) (2)(A), no further verification of authenticity is required. + +### 11.11.3. Face-to-Face Validation + +1. **Verification Requirements**: Before relying on face-to-face vetting documents submitted to the CA, the CA MUST verify that the Third-Party Validator meets the following requirements: + + A. **Qualification of Third-Party Validator**: The CA MUST independently verify that the Third-Party Validator is a legally-qualified Latin Notary or Notary (or legal equivalent in the Applicant's jurisdiction), Lawyer, or Accountant in the jurisdiction of the individual's residency; + B. **Document Chain of Custody**: The CA MUST verify that the Third-Party Validator viewed the Vetting Documents in a face-to-face meeting with the individual being validated; + C. **Verification of Attestation**: If the Third-Party Validator is not a Latin Notary, then the CA MUST confirm the authenticity of the attestation and vetting documents. + +2. **Acceptable Methods of Verification**: Acceptable methods of establishing the foregoing requirements for vetting documents are: + + A. **Qualification of Third-Party Validator**: The CA MUST verify the professional status of the Third-Party Validator by directly contacting the authority responsible for registering or licensing such Third-Party Validators in the applicable jurisdiction; + B. **Document Chain of Custody**: The Third-Party Validator MUST submit a statement to the CA which attests that they obtained the Vetting Documents submitted to the CA for the individual during a face-to-face meeting with the individual; + C. **Verification of Attestation**: If the Third-Party Validator is not a Latin Notary, then the CA MUST confirm the authenticity of the vetting documents received from the Third-Party Validator. 
The CA MUST make a telephone call to the Third-Party Validator and obtain confirmation from them or their assistant that they performed the face-to-face validation. The CA MAY rely upon self-reported information obtained from the Third-Party Validator for the sole purpose of performing this verification process. In circumstances where the attestation is digitally signed, in a manner that confirms the authenticity of the documents, and the identity of the signer as verified by the CA in [Section 11.11.3](#11113-face-to-face-validation) (1)(A), no further verification of authenticity is required. + +### 11.11.4. Independent Confirmation From Applicant + +An Independent Confirmation from the Applicant is a confirmation of a particular fact (e.g., confirmation of the employee or agency status of a Contract Signer or Certificate Approver, confirmation of the EV Authority of a Certificate Approver, etc.) that is: + +A. Received by the CA from a Confirming Person (someone other than the person who is the subject of the inquiry) that has the appropriate authority to confirm such a fact, and who represents that he/she has confirmed such fact; +B. Received by the CA in a manner that authenticates and verifies the source of the confirmation; and +C. Binding on the Applicant. + +An Independent Confirmation from the Applicant MAY be obtained via the following procedure: + +1. **Confirmation Request**: The CA MUST initiate a Confirmation Request via an appropriate out-of-band communication, requesting verification or confirmation of the particular fact at issue as follows: + + A. **Addressee**: The Confirmation Request MUST be directed to: + + i. A position within the Applicant's organization that qualifies as a Confirming Person (e.g., Secretary, President, CEO, CFO, COO, CIO, CSO, Director, etc.) 
and is identified by name and title in a current QGIS, QIIS, QTIS, Verified Legal Opinion, Verified Accountant Letter, or by contacting the Applicant using a Verified Method of Communication; or + ii. The Applicant's Registered Agent or Registered Office in the Jurisdiction of Incorporation as listed in the official records of the Incorporating Agency, with instructions that it be forwarded to an appropriate Confirming Person; or + iii. A named individual verified to be in the direct line of management above the Contract Signer or Certificate Approver by contacting the Applicant's Human Resources Department by phone or mail (at the phone number or address for the Applicant's Place of Business, verified in accordance with these Guidelines). + + B. **Means of Communication**: The Confirmation Request MUST be directed to the Confirming Person in a manner reasonably likely to reach such person. The following options are acceptable: + + i. By paper mail addressed to the Confirming Person at: + + 1. The address of the Applicant's Place of Business as verified by the CA in accordance with these Guidelines, or + 2. The business address for such Confirming Person specified in a current QGIS, QTIS, QIIS, Verified Professional Letter, or + 3. The address of the Applicant's Registered Agent or Registered Office listed in the official records of the Jurisdiction of Incorporation, or + + ii. By e-mail addressed to the Confirming Person at the business e-mail address for such person listed in a current QGIS, QTIS, QIIS, Verified Legal Opinion, or Verified Accountant Letter; or + iii. By telephone call to the Confirming Person, where such person is contacted by calling the main phone number of the Applicant's Place of Business (verified in accordance with these Guidelines) and asking to speak to such person, and a person taking the call identifies him- or herself as such person; or + iv. By facsimile to the Confirming Person at the Place of Business. 
The facsimile number must be listed in a current QGIS, QTIS, QIIS, Verified Legal Opinion, or Verified Accountant Letter. The cover page must be clearly addressed to the Confirming Person. + +2. **Confirmation Response**: The CA MUST receive a response to the Confirmation Request from a Confirming Person that confirms the particular fact at issue. Such response MAY be provided to the CA by telephone, by e-mail, or by paper mail, so long as the CA can reliably verify that it was provided by a Confirming Person in response to the Confirmation Request. + +3. The CA MAY rely on a verified Confirming Person to confirm their own contact information: email address, telephone number, and facsimile number. The CA MAY rely on this verified contact information for future correspondence with the Confirming Person if: + + A. The domain of the e-mail address is owned by the Applicant and is the Confirming Person's own e-mail address and not a group e-mail alias; + B. The Confirming Person's telephone/fax number is verified by the CA to be a telephone number that is part of the organization's telephone system, and is not the personal phone number for the person. + +### 11.11.5. Qualified Independent Information Source + +A Qualified Independent Information Source (QIIS) is a regularly-updated and publicly available database that is generally recognized as a dependable source for certain information. A database qualifies as a QIIS if the CA determines that: + +1. Industries other than the certificate industry rely on the database for accurate location, contact, or other information; and + +2. The database provider updates its data on at least an annual basis. + +The CA SHALL use a documented process to check the accuracy of the database and ensure its data is acceptable, including reviewing the database provider's terms of use. The CA SHALL NOT use any data in a QIIS that the CA knows is + + i. self-reported and + ii. not verified by the QIIS as accurate. 
+ +Databases in which the CA or its owners or affiliated companies maintain a controlling interest, or in which any Registration Authorities or subcontractors to whom the CA has outsourced any portion of the vetting process (or their owners or affiliated companies) maintain any ownership or beneficial interest, do not qualify as a QIIS. + +### 11.11.6. Qualified Government Information Source + +A Qualified Government Information Source (QGIS) is a regularly-updated and current, publicly available, database designed for the purpose of accurately providing the information for which it is consulted, and which is generally recognized as a dependable source of such information provided that it is maintained by a Government Entity, the reporting of data is required by law, and false or misleading reporting is punishable with criminal or civil penalties. Nothing in these Guidelines shall prohibit the use of third-party vendors to obtain the information from the Government Entity provided that the third party obtains the information directly from the Government Entity. + +### 11.11.7. Qualified Government Tax Information Source + +A Qualified Government Tax Information Source is a Qualified Government Information Source that specifically contains tax information relating to Private Organizations, Business Entities or Individuals (e.g., the IRS in the United States). + +## 11.12. Other Verification Requirements + +### 11.12.1. High Risk Status + +The High Risk Certificate requirements of Section 4.2.1 of the Baseline Requirements apply equally to EV Certificates. + +### 11.12.2. Denied Lists and Other Legal Block Lists + +1. **Verification Requirements**: The CA MUST verify whether the Applicant, the Contract Signer, the Certificate Approver, the Applicant's Jurisdiction of Incorporation, Registration, or Place of Business: + + A. 
Is identified on any government denied list, list of prohibited persons, or other list that prohibits doing business with such organization or person under the laws of the country of the CA's jurisdiction(s) of operation; or + B. Has its Jurisdiction of Incorporation, Registration, or Place of Business in any country with which the laws of the CA's jurisdiction prohibit doing business. + + The CA MUST NOT issue any EV Certificate to the Applicant if either the Applicant, the Contract Signer, or Certificate Approver or if the Applicant's Jurisdiction of Incorporation or Registration or Place of Business is on any such list. + +2. **Acceptable Methods of Verification** The CA MUST take reasonable steps to verify with the following lists and regulations: + + A. If the CA has operations in the U.S., the CA MUST take reasonable steps to verify with the following US Government denied lists and regulations: + + i. BIS Denied Persons List - [https://www.bis.doc.gov/index.php/the-denied-persons-list](https://www.bis.doc.gov/index.php/the-denied-persons-list) + ii. BIS Denied Entities List - [https://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern/entity-list](https://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern/entity-list) + iii. US Treasury Department List of Specially Designated Nationals and Blocked Persons - [https://www.treasury.gov/resource-center/sanctions/sdn-list/pages/default.aspx](https://www.treasury.gov/resource-center/sanctions/sdn-list/pages/default.aspx) + iv. US Government export regulations + + B. If the CA has operations in any other country, the CA MUST take reasonable steps to verify with all equivalent denied lists and export regulations (if any) in such other country. + +### 11.12.3. 
Parent/Subsidiary/Affiliate Relationship + +A CA verifying an Applicant using information of the Applicant's Parent, Subsidiary, or Affiliate, when allowed under [Section 11.4.1](#1141-address-of-applicants-place-of-business), [Section 11.5](#115-verified-method-of-communication), [Section 11.6.1](#1161-verification-requirements), or [Section 11.7.1](#1171-verification-requirements), MUST verify the Applicant's relationship to the Parent, Subsidiary, or Affiliate. Acceptable methods of verifying the Applicant's relationship to the Parent, Subsidiary, or Affiliate include the following: + +1. QIIS or QGIS: The relationship between the Applicant and the Parent, Subsidiary, or Affiliate is identified in a QIIS or QGIS; +2. Independent Confirmation from the Parent, Subsidiary, or Affiliate: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by obtaining an Independent Confirmation from the appropriate Parent, Subsidiary, or Affiliate (as described in [Section 11.11.4](#11114-independent-confirmation-from-applicant)); +3. Contract between CA and Parent, Subsidiary, or Affiliate: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by relying on a contract between the CA and the Parent, Subsidiary, or Affiliate that designates the Certificate Approver with such EV Authority, provided that the contract is signed by the Contract Signer and provided that the agency and Signing Authority of the Contract Signer have been verified; +4. Verified Professional Letter: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by relying on a Verified Professional Letter; or +5. Corporate Resolution: A CA MAY verify the relationship between an Applicant and a Subsidiary by relying on a properly authenticated corporate resolution that approves creation of the Subsidiary or the Applicant, provided that such resolution is: + + i. 
certified by the appropriate corporate officer (e.g., secretary), and + ii. the CA can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification. + +## 11.13. Final Cross-Correlation and Due Diligence + +1. The results of the verification processes and procedures outlined in these Guidelines are intended to be viewed both individually and as a group. Thus, after all of the verification processes and procedures are completed, the CA MUST have a person who is not responsible for the collection of information review all of the information and documentation assembled in support of the EV Certificate application and look for discrepancies or other details requiring further explanation. +2. The CA MUST obtain and document further explanation or clarification from the Applicant, Certificate Approver, Certificate Requester, Qualified Independent Information Sources, and/or other sources of information, as necessary, to resolve those discrepancies or details that require further explanation. +3. The CA MUST refrain from issuing an EV Certificate until the entire corpus of information and documentation assembled in support of the EV Certificate Request is such that issuance of the EV Certificate will not communicate factual information that the CA knows, or the exercise of due diligence should discover from the assembled information and documentation, to be inaccurate,. If satisfactory explanation and/or additional documentation are not received within a reasonable time, the CA MUST decline the EV Certificate Request and SHOULD notify the Applicant accordingly. +4. 
In the case where some or all of the documentation used to support the application is in a language other than the CA's normal operating language, the CA or its Affiliate MUST perform the requirements of this Final Cross-Correlation and Due Diligence section using employees under its control and having appropriate training, experience, and judgment in confirming organizational identification and authorization and fulfilling all qualification requirements contained in [Section 14.1](#141-trustworthiness-and-competence). When employees under the control of the CA do not possess the language skills necessary to perform the Final Cross-Correlation and Due Diligence a CA MAY: + + A. Rely on language translations of the relevant portions of the documentation, provided that the translations are received from a Translator; or + B. When the CA has utilized the services of an RA, the CA MAY rely on the language skills of the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with [Section 11.13](#1113-final-cross-correlation-and-due-diligence), Subsections (1), (2) and (3). Notwithstanding the foregoing, prior to issuing the EV Certificate, the CA MUST review the work completed by the RA and determine that all requirements have been met; or + C. When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 17.5](#175-regular-self-audits) and [Section 17.6](#176-auditor-qualification). + +In the case of EV Certificates to be issued in compliance with the requirements of [Section 14.2](#142-delegation-of-functions-to-registration-authorities-and-subcontractors), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. + +## 11.14. 
Requirements for Re-use of Existing Documentation + +For each EV Certificate Request, including requests to renew existing EV Certificates, the CA MUST perform all authentication and verification tasks required by these Guidelines to ensure that the request is properly authorized by the Applicant and that the information in the EV Certificate is still accurate and valid. This section sets forth the age limitations on for the use of documentation collected by the CA. + +### 11.14.1. Validation For Existing Subscribers + +If an Applicant has a currently valid EV Certificate issued by the CA, a CA MAY rely on its prior authentication and verification of: + +1. The Principal Individual verified under [Section 11.2.2](#1122-acceptable-method-of-verification) (4) if the individual is the same person as verified by the CA in connection with the Applicant's previously issued and currently valid EV Certificate; +2. The Applicant's Place of Business under [Section 11.4.1](#1141-address-of-applicants-place-of-business); +3. The Applicant's Verified Method of Communication required by [Section 11.5](#115-verified-method-of-communication) but still MUST perform the verification required by [Section 11.5.2](#1152-acceptable-methods-of-verification) (B); +4. The Applicant's Operational Existence under [Section 11.6](#116-verification-of-applicants-operational-existence); +5. The Name, Title, Agency and Authority of the Contract Signer, and Certificate Approver, under [Section 11.8](#118-verification-of-name-title-and-authority-of-contract-signer-and-certificate-approver); and +6. The Applicant's right to use the specified Domain Name under [Section 11.7](#117-verification-of-applicants-domain-name), provided that the CA verifies that the WHOIS record still shows the same registrant as when the CA verified the specified Domain Name for the initial EV Certificate. + +### 11.14.2. 
Re-issuance Requests + +A CA may rely on a previously verified certificate request to issue a replacement certificate, so long as the certificate being referenced was not revoked due to fraud or other illegal conduct, if: + +1. The expiration date of the replacement certificate is the same as the expiration date of the EV Certificate that is being replaced, and +2. The Subject Information of the Certificate is the same as the Subject in the EV Certificate that is being replaced. + +### 11.14.3. Age of Validated Data + +1. Except for reissuance of an EV Certificate under [Section 11.14.2](#11142-re-issuance-requests) and except when permitted otherwise in [Section 11.14.1](#11141-validation-for-existing-subscribers), the age of all data used to support issuance of an EV Certificate (before revalidation is required) SHALL NOT exceed the following limits: + + A. Legal existence and identity – 398 days; + B. Assumed name – 398 days; + C. Address of Place of Business – 398 days; + D. Verified Method of Communication – 398 days; + E. Operational existence – 398 days; + F. Domain Name – 398 days; + G. Name, Title, Agency, and Authority – 398 days, unless a contract between the CA and the Applicant specifies a different term, in which case, the term specified in such contract controls. For example, the contract MAY include the perpetual assignment of EV roles until revoked by the Applicant or CA, or until the contract expires or is terminated. + +2. The 398-day period set forth above SHALL begin to run on the date the information was collected by the CA. +3. 
The CA MAY reuse a previously submitted EV Certificate Request, Subscriber Agreement, or Terms of Use, including use of a single EV Certificate Request in support of multiple EV Certificates containing the same Subject to the extent permitted under [Section 11.9](#119-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests) and [Section 11.10](#1110-verification-of-approval-of-ev-certificate-request). +4. The CA MUST repeat the verification process required in these Guidelines for any information obtained outside the time limits specified above except when permitted otherwise under [Section 11.14.1](#11141-validation-for-existing-subscribers). + + + + ### 3.2.1 Method to prove possession of private key ### 3.2.2 Authentication of organization identity ### 3.2.3 Authentication of individual identity From b154615747abc981f440ba640da1d20e24242a41 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Tue, 11 Jul 2023 13:50:29 +0200 Subject: [PATCH 27/48] Update EVG.md --- docs/EVG.md | 96 ++++++++++++++++++++++++++--------------------------- 1 file changed, 48 insertions(+), 48 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index 22aa9e19..644259ee 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
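Review bot: the added EV text carries a few typos that should be fixed before merge: in 11.13 item 3 the sentence ends `to be inaccurate,.` (stray comma before the period); the lead paragraph of 11.14 reads `age limitations on for the use of documentation` (drop `on`); and in 11.12.2 item 2 the bold label `**Acceptable Methods of Verification**` lacks the colon that the same label carries in 11.11.1 through 11.11.3. Separately, after the end of the inserted 11.14.3 text the three template headings `### 3.2.1 Method to prove possession of private key`, `### 3.2.2 Authentication of organization identity` and `### 3.2.3 Authentication of individual identity` follow with nothing under them; if the EV sections are meant to replace these RFC 3647 placeholders, they should be removed or populated in the same change rather than left dangling.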
@@ -350,11 +350,11 @@ In addition, the CA MUST include (directly or by reference) the applicable requi ### 3.1.6 Recognition, authentication, and role of trademarks ## 3.2 Initial identity validation -## 11.1. General Overview +### 3.2.1 General Overview This part of the Guidelines sets forth Verification Requirements and Acceptable Methods of Verification for each such Requirement. -### 11.1.1. Verification Requirements – Overview +#### 3.2.1.1 Verification Requirements – Overview Before issuing an EV Certificate, the CA MUST ensure that all Subject organization information to be included in the EV Certificate conforms to the requirements of, and is verified in accordance with, these Guidelines and matches the information confirmed and documented by the CA pursuant to its verification processes. Such verification processes are intended to accomplish the following: 
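Review bot: `## 11.1. General Overview` becomes `### 3.2.1 General Overview`, but 3.2.1 in the RFC 3647 skeleton this file is being fitted into is `Method to prove possession of private key` (the placeholder headings for 3.2.1 to 3.2.3 are still visible at the end of the previous patch), so this hunk gives the document two different 3.2.1 headings and shifts the meaning of every 3.2.x number that follows. Suggest hanging the EV organisation-vetting content under a single 3.2.x slot (e.g. as 3.2.2.x under `Authentication of organization identity`) or recording an explicit 11.x to 3.2.x mapping in the commit message before the renumbering spreads through the rest of the series.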
@@ -378,11 +378,11 @@ Before issuing an EV Certificate, the CA MUST ensure that all Subject organizati C. Verify that a Certificate Approver has signed or otherwise approved the EV Certificate Request. -### 11.1.2. Acceptable Methods of Verification – Overview +#### 3.2.1.2 Acceptable Methods of Verification – Overview As a general rule, the CA is responsible for taking all verification steps reasonably necessary to satisfy each of the Verification Requirements set forth in the subsections below. The Acceptable Methods of Verification set forth in each of Sections 11.2 through 11.14 (which usually include alternatives) are considered to be the minimum acceptable level of verification required of the CA. In all cases, however, the CA is responsible for taking any additional verification steps that may be reasonably necessary under the circumstances to satisfy the applicable Verification Requirement. -### 11.1.3. Disclosure of Verification Sources +#### 3.2.1.3 Disclosure of Verification Sources Effective as of 1 October 2020, prior to the use of an Incorporating Agency or Registration Agency to fulfill these verification requirements, the CA MUST publicly disclose Agency Information about the Incorporating Agency or Registration Agency. This disclosure SHALL be through an appropriate and readily accessible online means. @@ -395,9 +395,9 @@ This Agency Information SHALL include at least the following: The CA MUST document where to obtain this information within Section 3.2 of the CA's Certificate Policy and/or Certification Practice Statement. -## 11.2. Verification of Applicant's Legal Existence and Identity +### 3.2.2 Verification of Applicant's Legal Existence and Identity -### 11.2.1. Verification Requirements +#### 3.2.2.1 Verification Requirements To verify the Applicant's legal existence and identity, the CA MUST do the following. 
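Review bot: the paragraph under the new `#### 3.2.1.2 Acceptable Methods of Verification – Overview` still says the methods are those `set forth in each of Sections 11.2 through 11.14`; with this hunk renumbering those sections to 3.2.x the range becomes a dangling reference, so the sentence needs the new numbers in the same change (the following `@@ -395` hunk renames 11.2 and 11.2.1 to 3.2.2 and 3.2.2.1 without touching this text either). The sentence `within Section 3.2 of the CA's Certificate Policy and/or Certification Practice Statement` refers to the CA's own CP/CPS and can stay as is.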
@@ -427,7 +427,7 @@ To verify the Applicant's legal existence and identity, the CA MUST do the follo B. **Entity Name**: Verify that the Applicant's formal legal name matches the Applicant's name in the EV Certificate Request. C. **Registration Number**: The CA MUST attempt to obtain the Applicant's date of formation, or the identifier for the legislative act that created the International Organization Entity. In circumstances where this information is not available, the CA MUST enter appropriate language to indicate that the Subject is an International Organization Entity. -### 11.2.2. Acceptable Method of Verification +#### 3.2.2.2 Acceptable Method of Verification 1. **Private Organization Subjects**: Unless verified under subsection (6), all items listed in [Section 11.2.1](#1121-verification-requirements) (1) MUST be verified directly with, or obtained directly from, the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration. Such verification MAY be through use of a Qualified Government Information Source operated by, or on behalf of, the Incorporating or Registration Agency, or by direct contact with the Incorporating or Registration Agency in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Incorporating or Registration Agency, or from a Qualified Independent Information Source. 
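Review bot: the context line right after the renamed heading links to `[Section 11.2.1](#1121-verification-requirements)`, and the same pattern (`[Section 11.9](#119-...)`, `[Section 11.11.4](#11114-...)`, `[Section 11.5.2](#1152-...)`) runs through the EV text added earlier in the series. Renaming `### 11.2.1. Verification Requirements` to `#### 3.2.2.1 Verification Requirements` changes the GitHub-generated slug to `#3221-verification-requirements`, so every in-document link to a renumbered heading is now broken in both its label and its fragment. Suggest updating link labels and fragments together with the headings, and adding a markdown link check to CI so the rest of the 48-patch series catches these automatically.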
@@ -502,16 +502,16 @@ To verify the Applicant's legal existence and identity, the CA MUST do the follo i. the Verified Professional Letter includes a copy of supporting documentation used to establish the Applicant's legal existence, such as a certificate of registration, articles of incorporation, operating agreement, statute, or regulatory act, and ii. the CA confirms the Applicant's organization name specified in the Verified Professional Letter with a QIIS or QGIS. -## 11.3. Verification of Applicant's Legal Existence and Identity – Assumed Name +### 3.2.3 Verification of Applicant's Legal Existence and Identity – Assumed Name -### 11.3.1. Verification Requirements +#### 3.2.3.1 Verification Requirements If, in addition to the Applicant's formal legal name, as recorded with the applicable Incorporating Agency or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration, the Applicant's identity, as asserted in the EV Certificate, is to contain any assumed name (also known as "doing business as", "DBA", or "d/b/a" in the US, and "trading as" in the UK) under which the Applicant conducts business, the CA MUST verify that: i. the Applicant has registered its use of the assumed name with the appropriate government agency for such filings in the jurisdiction of its Place of Business (as verified in accordance with these Guidelines), and ii. that such filing continues to be valid. -### 11.3.2. Acceptable Method of Verification +#### 3.2.3.2 Acceptable Method of Verification To verify any assumed name under which the Applicant conducts business: 
@@ -519,9 +519,9 @@ To verify any assumed name under which the Applicant conducts business: 2. The CA MAY verify the assumed name through use of a Qualified Independent Information Source provided that the QIIS has verified the assumed name with the appropriate government agency. 3. The CA MAY rely on a Verified Professional Letter that indicates the assumed name under which the Applicant conducts business, the government agency with which the assumed name is registered, and that such filing continues to be valid. -## 11.4. Verification of Applicant's Physical Existence +### 3.2.4 Verification of Applicant's Physical Existence -### 11.4.1. Address of Applicant's Place of Business +#### 3.2.4.1 Address of Applicant's Place of Business 1. **Verification Requirements**: To verify the Applicant's physical existence and business presence, the CA MUST verify that the physical address provided by the Applicant is an address where the Applicant or a Parent/Subsidiary Company conducts business operations (not, for example, a mail drop or P.O. box, or 'care of' (C/O) address, such as an address for an agent of the Organization), and is the address of the Applicant's Place of Business. 
@@ -549,13 +549,13 @@ To verify any assumed name under which the Applicant conducts business: B. **Place of Business not in the Country of Incorporation or Registration**: The CA MUST rely on a Verified Professional Letter that indicates the address of the Applicant's Place of Business and that business operations are conducted there. -## 11.5. Verified Method of Communication +### 3.2.5 Verified Method of Communication -### 11.5.1. Verification Requirements +#### 3.2.5.1 Verification Requirements To assist in communicating with the Applicant and confirming that the Applicant is aware of and approves issuance, the CA MUST verify a telephone number, fax number, email address, or postal delivery address as a Verified Method of Communication with the Applicant. -### 11.5.2. Acceptable Methods of Verification +#### 3.2.5.2 Acceptable Methods of Verification To verify a Verified Method of Communication with the Applicant, the CA MUST: 
@@ -567,13 +567,13 @@ A. Verify that the Verified Method of Communication belongs to the Applicant, o B. Confirm the Verified Method of Communication by using it to obtain an affirmative response sufficient to enable a reasonable person to conclude that the Applicant, or a Parent/Subsidiary or Affiliate of Applicant, can be contacted reliably by using the Verified Method of Communication. -## 11.6. Verification of Applicant's Operational Existence +### 3.2.6 Verification of Applicant's Operational Existence -### 11.6.1. Verification Requirements +#### 3.2.6.1 Verification Requirements The CA MUST verify that the Applicant has the ability to engage in business by verifying the Applicant's, or Affiliate/Parent/Subsidiary Company's, operational existence. The CA MAY rely on its verification of a Government Entity's legal existence under [Section 11.2](#112-verification-of-applicants-legal-existence-and-identity) as verification of a Government Entity's operational existence. -### 11.6.2. Acceptable Methods of Verification +#### 3.2.6.2 Acceptable Methods of Verification To verify the Applicant's ability to engage in business, the CA MUST verify the operational existence of the Applicant, or its Affiliate/Parent/Subsidiary Company, by: 
@@ -585,17 +585,17 @@ To verify the Applicant's ability to engage in business, the CA MUST verify the 4. Relying on a Verified Professional Letter to the effect that the Applicant has an active current Demand Deposit Account with a Regulated Financial Institution. -## 11.7. Verification of Applicant's Domain Name +#### 3.2.7 Verification of Applicant's Domain Name -### 11.7.1. Verification Requirements +#### 3.2.7.1 Verification Requirements 1. For each Fully-Qualified Domain Name listed in a Certificate which is not an Onion Domain Name, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant (or the Applicant's Parent Company, Subsidiary Company, or Affiliate, collectively referred to as "Applicant" for the purposes of this section) either is the Domain Name Registrant or has control over the FQDN using a procedure specified in Section 3.2.2.4 of the Baseline Requirements. For a Certificate issued to an Onion Domain Name, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant's control over the Onion Domain Name in accordance with Appendix B of the Baseline Requirements. 2. **Mixed Character Set Domain Names**: EV Certificates MAY include Domain Names containing mixed character sets only in compliance with the rules set forth by the domain registrar. The CA MUST visually compare any Domain Names with mixed character sets with known high risk domains. If a similarity is found, then the EV Certificate Request MUST be flagged as High Risk. The CA must perform reasonably appropriate additional authentication and verification to be certain beyond reasonable doubt that the Applicant and the target in question are the same organization. -## 11.8. Verification of Name, Title, and Authority of Contract Signer and Certificate Approver +### 3.2.8 Verification of Name, Title, and Authority of Contract Signer and Certificate Approver -### 11.8.1. 
Verification Requirements +#### 3.2.8.1 Verification Requirements For both the Contract Signer and the Certificate Approver, the CA MUST verify the following. @@ -607,7 +607,7 @@ For both the Contract Signer and the Certificate Approver, the CA MUST verify th B. Provide, and, if applicable, authorize a Certificate Requester to provide, the information requested from the Applicant by the CA for issuance of the EV Certificate; and C. Approve EV Certificate Requests submitted by a Certificate Requester. -### 11.8.2. Acceptable Methods of Verification – Name, Title and Agency +#### 3.2.8.2 Acceptable Methods of Verification – Name, Title and Agency Acceptable methods of verification of the name, title, and agency status of the Contract Signer and the Certificate Approver include the following. @@ -621,7 +621,7 @@ Acceptable methods of verification of the name, title, and agency status of the The CA MAY also verify the agency of the Certificate Approver via a certification from the Contract Signer (including in a contract between the CA and the Applicant signed by the Contract Signer), provided that the employment or agency status and Signing Authority of the Contract Signer has been verified. -### 11.8.3. Acceptable Methods of Verification – Authority +#### 3.2.8.3 Acceptable Methods of Verification – Authority Acceptable methods of verification of the Signing Authority of the Contract Signer, and the EV Authority of the Certificate Approver, as applicable, include: @@ -659,7 +659,7 @@ Acceptable methods of verification of the Signing Authority of the Contract Sign Note: An example of an acceptable representation/warranty appears in [Appendix E](#appendix-e---sample-contract-signers-representationwarranty-informative). -### 11.8.4. Pre-Authorized Certificate Approver +#### 3.2.8.4 Pre-Authorized Certificate Approver Where the CA and Applicant contemplate the submission of multiple future EV Certificate Requests, then, after the CA: 
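Review bot: in the `@@ -585` hunk the new heading `#### 3.2.7 Verification of Applicant's Domain Name` is one level too deep; its siblings `### 3.2.6` and `### 3.2.8` are H3, so as written 3.2.7 nests under 3.2.6.2 and sits at the same level as its own child `#### 3.2.7.1`. Change it to `### 3.2.7 Verification of Applicant's Domain Name`. Related: the same hunk's context cites `Section 3.2.2.4 of the Baseline Requirements`; now that this document uses the identical RFC 3647 numbering, every such external reference must keep the `of the Baseline Requirements` qualifier so it is not read as this document's own 3.2.2.x.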
@@ -676,17 +676,17 @@ Such an agreement MUST provide that the Applicant shall be obligated under the S iii. secure procedures by which the Applicant can notify the CA that the EV Authority of any such Certificate Approver is revoked, and iv. such other appropriate precautions as are reasonably necessary. -## 11.9. Verification of Signature on Subscriber Agreement and EV Certificate Requests +### 3.2.9 Verification of Signature on Subscriber Agreement and EV Certificate Requests Both the Subscriber Agreement and each non-pre-authorized EV Certificate Request MUST be signed. The Subscriber Agreement MUST be signed by an authorized Contract Signer. The EV Certificate Request MUST be signed by the Certificate Requester submitting the document, unless the Certificate Request has been pre-authorized in line with [Section 11.8.4](#1184-pre-authorized-certificate-approver). If the Certificate Requester is not also an authorized Certificate Approver, then an authorized Certificate Approver MUST independently approve the EV Certificate Request. In all cases, applicable signatures MUST be a legally valid and contain an enforceable seal or handwritten signature (for a paper Subscriber Agreement and/or EV Certificate Request), or a legally valid and enforceable electronic signature (for an electronic Subscriber Agreement and/or EV Certificate Request), that binds the Applicant to the terms of each respective document. -### 11.9.1. Verification Requirements +#### 3.2.9.1 Verification Requirements 1. **Signature**: The CA MUST authenticate the signature of the Contract Signer on the Subscriber Agreement and the signature of the Certificate Requester on each EV Certificate Request in a manner that makes it reasonably certain that the person named as the signer in the applicable document is, in fact, the person who signed the document on behalf of the Applicant. 2. 
**Approval Alternative**: In cases where an EV Certificate Request is signed and submitted by a Certificate Requester who does not also function as a Certificate Approver, approval and adoption of the EV Certificate Request by a Certificate Approver in accordance with the requirements of [Section 11.10](#1110-verification-of-approval-of-ev-certificate-request) can substitute for authentication of the signature of the Certificate Requester on such EV Certificate Request. -### 11.9.2. Acceptable Methods of Signature Verification +#### 3.2.9.2 Acceptable Methods of Signature Verification Acceptable methods of authenticating the signature of the Certificate Requester or Contract Signer include the following: @@ -698,13 +698,13 @@ Acceptable methods of authenticating the signature of the Certificate Requester 4. Notarization by a notary, provided that the CA independently verifies that such notary is a legally qualified notary in the jurisdiction of the Certificate Requester or Contract Signer. -## 11.10. Verification of Approval of EV Certificate Request +### 3.2.10 Verification of Approval of EV Certificate Request -### 11.10.1. Verification Requirements +#### 3.2.10.1 Verification Requirements In cases where an EV Certificate Request is submitted by a Certificate Requester, before the CA issues the requested EV Certificate, the CA MUST verify that an authorized Certificate Approver reviewed and approved the EV Certificate Request. -### 11.10.2. Acceptable Methods of Verification +#### 3.2.10.2 Acceptable Methods of Verification Acceptable methods of verifying the Certificate Approver's approval of an EV Certificate Request include: 
@@ -712,9 +712,9 @@ Acceptable methods of verifying the Certificate Approver's approval of an EV Cer 2. Notifying the Certificate Approver that one or more new EV Certificate Requests are available for review and approval at a designated access-controlled and secure Web site, followed by a login by, and an indication of approval from, the Certificate Approver in the manner required by the Web site; or 3. Verifying the signature of the Certificate Approver on the EV Certificate Request in accordance with [Section 11.9](#119-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests). -## 11.11. Verification of Certain Information Sources +### 3.2.11 Verification of Certain Information Sources -### 11.11.1. Verified Legal Opinion +#### 3.2.11.1 Verified Legal Opinion 1. **Verification Requirements**: Before relying on a legal opinion submitted to the CA, the CA MUST verify that such legal opinion meets the following requirements: @@ -734,7 +734,7 @@ Acceptable methods of verifying the Certificate Approver's approval of an EV Cer In circumstances where the opinion is digitally signed, in a manner that confirms the authenticity of the document and the identity of the signer, as verified by the CA in [Section 11.11.1](#11111-verified-legal-opinion) (2)(A), no further verification of authenticity is required. -### 11.11.2. Verified Accountant Letter +#### 3.2.11.2 Verified Accountant Letter 1. **Verification Requirements**: Before relying on an accountant letter submitted to the CA, the CA MUST verify that such accountant letter meets the following requirements: 
@@ -750,7 +750,7 @@ Acceptable methods of verifying the Certificate Approver's approval of an EV Cer In circumstances where the opinion is digitally signed, in a manner that confirms the authenticity of the document and the identity of the signer, as verified by the CA in [Section 11.11.2](#11112-verified-accountant-letter) (2)(A), no further verification of authenticity is required. -### 11.11.3. Face-to-Face Validation +#### 3.2.11.3 Face-to-Face Validation 1. **Verification Requirements**: Before relying on face-to-face vetting documents submitted to the CA, the CA MUST verify that the Third-Party Validator meets the following requirements: 
@@ -764,7 +764,7 @@ Acceptable methods of verifying the Certificate Approver's approval of an EV Cer B. **Document Chain of Custody**: The Third-Party Validator MUST submit a statement to the CA which attests that they obtained the Vetting Documents submitted to the CA for the individual during a face-to-face meeting with the individual; C. **Verification of Attestation**: If the Third-Party Validator is not a Latin Notary, then the CA MUST confirm the authenticity of the vetting documents received from the Third-Party Validator. The CA MUST make a telephone call to the Third-Party Validator and obtain confirmation from them or their assistant that they performed the face-to-face validation. The CA MAY rely upon self-reported information obtained from the Third-Party Validator for the sole purpose of performing this verification process. In circumstances where the attestation is digitally signed, in a manner that confirms the authenticity of the documents, and the identity of the signer as verified by the CA in [Section 11.11.3](#11113-face-to-face-validation) (1)(A), no further verification of authenticity is required. -### 11.11.4. Independent Confirmation From Applicant +#### 3.2.11.4 Independent Confirmation From Applicant An Independent Confirmation from the Applicant is a confirmation of a particular fact (e.g., confirmation of the employee or agency status of a Contract Signer or Certificate Approver, confirmation of the EV Authority of a Certificate Approver, etc.) that is: 
@@ -801,7 +801,7 @@ An Independent Confirmation from the Applicant MAY be obtained via the following A. The domain of the e-mail address is owned by the Applicant and is the Confirming Person's own e-mail address and not a group e-mail alias; B. The Confirming Person's telephone/fax number is verified by the CA to be a telephone number that is part of the organization's telephone system, and is not the personal phone number for the person. -### 11.11.5. Qualified Independent Information Source +#### 3.2.11.5 Qualified Independent Information Source A Qualified Independent Information Source (QIIS) is a regularly-updated and publicly available database that is generally recognized as a dependable source for certain information. A database qualifies as a QIIS if the CA determines that: 
@@ -816,21 +816,21 @@ The CA SHALL use a documented process to check the accuracy of the database and Databases in which the CA or its owners or affiliated companies maintain a controlling interest, or in which any Registration Authorities or subcontractors to whom the CA has outsourced any portion of the vetting process (or their owners or affiliated companies) maintain any ownership or beneficial interest, do not qualify as a QIIS. -### 11.11.6. Qualified Government Information Source +#### 3.2.11.6 Qualified Government Information Source A Qualified Government Information Source (QGIS) is a regularly-updated and current, publicly available, database designed for the purpose of accurately providing the information for which it is consulted, and which is generally recognized as a dependable source of such information provided that it is maintained by a Government Entity, the reporting of data is required by law, and false or misleading reporting is punishable with criminal or civil penalties. Nothing in these Guidelines shall prohibit the use of third-party vendors to obtain the information from the Government Entity provided that the third party obtains the information directly from the Government Entity. -### 11.11.7. Qualified Government Tax Information Source +#### 3.2.11.7 Qualified Government Tax Information Source A Qualified Government Tax Information Source is a Qualified Government Information Source that specifically contains tax information relating to Private Organizations, Business Entities or Individuals (e.g., the IRS in the United States). -## 11.12. Other Verification Requirements +### 3.2.12 Other Verification Requirements -### 11.12.1. High Risk Status +#### 3.2.12.1 High Risk Status The High Risk Certificate requirements of Section 4.2.1 of the Baseline Requirements apply equally to EV Certificates. -### 11.12.2. Denied Lists and Other Legal Block Lists +#### 3.2.12.2 Denied Lists and Other Legal Block Lists 1. 
**Verification Requirements**: The CA MUST verify whether the Applicant, the Contract Signer, the Certificate Approver, the Applicant's Jurisdiction of Incorporation, Registration, or Place of Business: @@ -850,7 +850,7 @@ The High Risk Certificate requirements of Section 4.2.1 of the Baseline Requirem B. If the CA has operations in any other country, the CA MUST take reasonable steps to verify with all equivalent denied lists and export regulations (if any) in such other country. -### 11.12.3. Parent/Subsidiary/Affiliate Relationship +#### 3.2.12.3 Parent/Subsidiary/Affiliate Relationship A CA verifying an Applicant using information of the Applicant's Parent, Subsidiary, or Affiliate, when allowed under [Section 11.4.1](#1141-address-of-applicants-place-of-business), [Section 11.5](#115-verified-method-of-communication), [Section 11.6.1](#1161-verification-requirements), or [Section 11.7.1](#1171-verification-requirements), MUST verify the Applicant's relationship to the Parent, Subsidiary, or Affiliate. Acceptable methods of verifying the Applicant's relationship to the Parent, Subsidiary, or Affiliate include the following: 
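Review bot: the context line under the new `3.2.12.3` heading carries four old-style links in one sentence (`[Section 11.4.1]`, `[Section 11.5]`, `[Section 11.6.1]`, `[Section 11.7.1]`); when these are migrated, note that 11.6.1 and 11.7.1 both have the heading text `Verification Requirements`, so only the numeric prefix of the slug (`#3261-verification-requirements` versus `#3271-verification-requirements`) distinguishes them, and a wrong prefix still renders as a working-looking link. Check each updated anchor against the intended heading rather than searching by title.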
@@ -863,7 +863,7 @@ A CA verifying an Applicant using information of the Applicant's Parent, Subsidi i. certified by the appropriate corporate officer (e.g., secretary), and ii. the CA can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification. -## 11.13. Final Cross-Correlation and Due Diligence +### 3.2.13 Final Cross-Correlation and Due Diligence 1. The results of the verification processes and procedures outlined in these Guidelines are intended to be viewed both individually and as a group. Thus, after all of the verification processes and procedures are completed, the CA MUST have a person who is not responsible for the collection of information review all of the information and documentation assembled in support of the EV Certificate application and look for discrepancies or other details requiring further explanation. 2. The CA MUST obtain and document further explanation or clarification from the Applicant, Certificate Approver, Certificate Requester, Qualified Independent Information Sources, and/or other sources of information, as necessary, to resolve those discrepancies or details that require further explanation. 
@@ -876,11 +876,11 @@ A CA verifying an Applicant using information of the Applicant's Parent, Subsidi In the case of EV Certificates to be issued in compliance with the requirements of [Section 14.2](#142-delegation-of-functions-to-registration-authorities-and-subcontractors), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. -## 11.14. Requirements for Re-use of Existing Documentation +### 3.2.14 Requirements for Re-use of Existing Documentation For each EV Certificate Request, including requests to renew existing EV Certificates, the CA MUST perform all authentication and verification tasks required by these Guidelines to ensure that the request is properly authorized by the Applicant and that the information in the EV Certificate is still accurate and valid. This section sets forth the age limitations on for the use of documentation collected by the CA. -### 11.14.1. Validation For Existing Subscribers +#### 3.2.14.1 Validation For Existing Subscribers If an Applicant has a currently valid EV Certificate issued by the CA, a CA MAY rely on its prior authentication and verification of: 
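Review bot: the context at the top of this hunk still points at `[Section 14.2](#142-delegation-of-functions-to-registration-authorities-and-subcontractors)`; the delegation text is being moved under `1.3.2 Registration authorities` (see the `@@ -92` hunk of the EVG.md patch further down), so this reference needs the new section number as well, not only the 11.x ones. Drive-by: the unchanged sentence `This section sets forth the age limitations on for the use of documentation` has a stray `on`.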
@@ -891,14 +891,14 @@ If an Applicant has a currently valid EV Certificate issued by the CA, a CA MAY 5. The Name, Title, Agency and Authority of the Contract Signer, and Certificate Approver, under [Section 11.8](#118-verification-of-name-title-and-authority-of-contract-signer-and-certificate-approver); and 6. The Applicant's right to use the specified Domain Name under [Section 11.7](#117-verification-of-applicants-domain-name), provided that the CA verifies that the WHOIS record still shows the same registrant as when the CA verified the specified Domain Name for the initial EV Certificate. -### 11.14.2. Re-issuance Requests +#### 3.2.14.2 Re-issuance Requests A CA may rely on a previously verified certificate request to issue a replacement certificate, so long as the certificate being referenced was not revoked due to fraud or other illegal conduct, if: 1. The expiration date of the replacement certificate is the same as the expiration date of the EV Certificate that is being replaced, and 2. The Subject Information of the Certificate is the same as the Subject in the EV Certificate that is being replaced. -### 11.14.3. Age of Validated Data +#### 3.2.14.3 Age of Validated Data 1. Except for reissuance of an EV Certificate under [Section 11.14.2](#11142-re-issuance-requests) and except when permitted otherwise in [Section 11.14.1](#11141-validation-for-existing-subscribers), the age of all data used to support issuance of an EV Certificate (before revalidation is required) SHALL NOT exceed the following limits: From c7602c6578f657a8db67391502516e74cefa7c9b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Tue, 11 Jul 2023 14:09:04 +0200 Subject: [PATCH 28/48] Update EVG.md --- docs/EVG.md | 94 ++++++++++++++++++++++++++--------------------------- 1 file changed, 47 insertions(+), 47 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index 644259ee..c8295a45 100644 --- a/docs/EVG.md 
+++ b/docs/EVG.md @@ -92,7 +92,7 @@ These Guidelines do not address the verification of information, or the issuance ## 1.3 PKI participants ### 1.3.1 Certification authorities ### 1.3.2 Registration authorities -The CA MAY delegate the performance of all or any part of a requirement of these Guidelines to an Affiliate or a Registration Authority (RA) or subcontractor, provided that the process employed by the CA fulfills all of the requirements of [Section 11.13](#1113-final-cross-correlation-and-due-diligence). +The CA MAY delegate the performance of all or any part of a requirement of these Guidelines to an Affiliate or a Registration Authority (RA) or subcontractor, provided that the process employed by the CA fulfills all of the requirements of [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence). Affiliates and/or RAs must comply with the qualification requirements of [Section 5.3.2](#532-trustworthiness-and-competence). The CA SHALL verify that the Delegated Third Party's personnel involved in the issuance of a Certificate meet the training and skills requirements of [Section 5.3](#53-employee-and-third-party-issues) and the document retention and event logging requirements of [Section 5.4](#54-data-records). 
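Review bot: the updated link `[Section 3.2.13](#3213-final-cross-correlation-and-due-diligence)` matches the renumbered heading `### 3.2.13 Final Cross-Correlation and Due Diligence`, so this one resolves. The context also shows `### 1.3.1 Certification authorities` with no body before `### 1.3.2` begins; RFC 3647 sections that intentionally carry no requirements are normally marked `No stipulation.` so a reader can tell an empty section from an unfinished one.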
@@ -103,7 +103,7 @@ The CA MAY contractually authorize a Subscriber to perform the RA function and a 1. In all cases, the Subscriber MUST be an organization verified by the CA in accordance with these Guidelines; 2. The CA MUST impose these limitations as a contractual requirement with the Enterprise RA and monitor compliance by the Enterprise RA; and -3. The Final Cross-Correlation and Due Diligence requirements of [Section 11.13](#1113-final-cross-correlation-and-due-diligence) MAY be performed by a single person representing the Enterprise RA. +3. The Final Cross-Correlation and Due Diligence requirements of [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence) MAY be performed by a single person representing the Enterprise RA. Enterprise RAs that authorize the issuance of EV Certificates solely for its own organization are exempted from the audit requirements of [Section 8.1](#81-eligible-audit-schemes). In all other cases, the requirements of [Section 8.1](#81-eligible-audit-schemes) SHALL apply. @@ -231,7 +231,7 @@ Capitalized Terms are defined in the Baseline Requirements except where provided **Qualified Auditor**: An independent public accounting firm that meets the auditing qualification requirements specified in [Section 8.3](#83-auditor-qualification). -**Qualified Government Information Source**: A database maintained by a Government Entity (e.g. SEC filings) that meets the requirements of [Section 11.11.6](#11116-qualified-government-information-source). +**Qualified Government Information Source**: A database maintained by a Government Entity (e.g. SEC filings) that meets the requirements of [Section 3.2.11.6](#32116-qualified-government-information-source). **Qualified Government Tax Information Source**: A Qualified Governmental Information Source that specifically contains tax information relating to Private Organizations, Business Entities, or Individuals. 
@@ -268,11 +268,11 @@ Capitalized Terms are defined in the Baseline Requirements except where provided **Translator**: An individual or Business Entity that possesses the requisite knowledge and expertise to accurately translate the words of a document written in one language to the native language of the CA. -**Verified Accountant Letter**: A document meeting the requirements specified in [Section 11.11.2](#11112-verified-accountant-letter). +**Verified Accountant Letter**: A document meeting the requirements specified in [Section 3.2.11.2](#32112-verified-accountant-letter). -**Verified Legal Opinion**: A document meeting the requirements specified in [Section 11.11.1](#11111-verified-legal-opinion). +**Verified Legal Opinion**: A document meeting the requirements specified in [Section 3.2.11.1](#32111-verified-legal-opinion). -**Verified Method of Communication**: The use of a telephone number, a fax number, an email address, or postal delivery address, confirmed by the CA in accordance with [Section 11.5](#115-verified-method-of-communication) as a reliable way of communicating with the Applicant. +**Verified Method of Communication**: The use of a telephone number, a fax number, an email address, or postal delivery address, confirmed by the CA in accordance with [Section 3.2.5](#325-verified-method-of-communication) as a reliable way of communicating with the Applicant. **Verified Professional Letter**: A Verified Accountant Letter or Verified Legal Opinion. 
@@ -360,7 +360,7 @@ Before issuing an EV Certificate, the CA MUST ensure that all Subject organizati 1. Verify Applicant's existence and identity, including; - A. Verify the Applicant's legal existence and identity (as more fully set forth in [Section 11.2](#112-verification-of-applicants-legal-existence-and-identity)), + A. Verify the Applicant's legal existence and identity (as more fully set forth in [Section 3.2.2](#322-verification-of-applicants-legal-existence-and-identity)), B. Verify the Applicant's physical existence (business presence at a physical address), and @@ -380,7 +380,7 @@ Before issuing an EV Certificate, the CA MUST ensure that all Subject organizati #### 3.2.1.2 Acceptable Methods of Verification – Overview -As a general rule, the CA is responsible for taking all verification steps reasonably necessary to satisfy each of the Verification Requirements set forth in the subsections below. The Acceptable Methods of Verification set forth in each of Sections 11.2 through 11.14 (which usually include alternatives) are considered to be the minimum acceptable level of verification required of the CA. In all cases, however, the CA is responsible for taking any additional verification steps that may be reasonably necessary under the circumstances to satisfy the applicable Verification Requirement. +As a general rule, the CA is responsible for taking all verification steps reasonably necessary to satisfy each of the Verification Requirements set forth in the subsections below. The Acceptable Methods of Verification set forth in each of Sections 3.2.2 through 3.2.14 (which usually include alternatives) are considered to be the minimum acceptable level of verification required of the CA. In all cases, however, the CA is responsible for taking any additional verification steps that may be reasonably necessary under the circumstances to satisfy the applicable Verification Requirement. #### 3.2.1.3 Disclosure of Verification Sources 
@@ -429,18 +429,18 @@ To verify the Applicant's legal existence and identity, the CA MUST do the follo #### 3.2.2.2 Acceptable Method of Verification -1. **Private Organization Subjects**: Unless verified under subsection (6), all items listed in [Section 11.2.1](#1121-verification-requirements) (1) MUST be verified directly with, or obtained directly from, the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration. Such verification MAY be through use of a Qualified Government Information Source operated by, or on behalf of, the Incorporating or Registration Agency, or by direct contact with the Incorporating or Registration Agency in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Incorporating or Registration Agency, or from a Qualified Independent Information Source. +1. **Private Organization Subjects**: Unless verified under subsection (6), all items listed in [Section 3.2.2.1](#3221-verification-requirements) (1) MUST be verified directly with, or obtained directly from, the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration. Such verification MAY be through use of a Qualified Government Information Source operated by, or on behalf of, the Incorporating or Registration Agency, or by direct contact with the Incorporating or Registration Agency in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Incorporating or Registration Agency, or from a Qualified Independent Information Source. -2. **Government Entity Subjects**: Unless verified under subsection (6), all items listed in [Section 11.2.1](#1121-verification-requirements) (2) MUST either be verified directly with, or obtained directly from, one of the following: +2. 
**Government Entity Subjects**: Unless verified under subsection (6), all items listed in [Section 3.2.2.1](#3221-verification-requirements) (2) MUST either be verified directly with, or obtained directly from, one of the following: i. a Qualified Government Information Source in the political subdivision in which such Government Entity operates; ii. a superior governing Government Entity in the same political subdivision as the Applicant (e.g. a Secretary of State may verify the legal existence of a specific State Department), or iii. from a judge that is an active member of the federal, state or local judiciary within that political subdivision. - Any communication from a judge SHALL be verified in the same manner as is used for verifying factual assertions that are asserted by an Attorney as set forth in [Section 11.11.1](#11111-verified-legal-opinion). + Any communication from a judge SHALL be verified in the same manner as is used for verifying factual assertions that are asserted by an Attorney as set forth in [Section 3.2.11.1](#32111-verified-legal-opinion). Such verification MAY be by direct contact with the appropriate Government Entity in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained from a Qualified Independent Information Source. -3. **Business Entity Subjects**: Unless verified under subsection (6), Items listed in [Section 11.2.1](#1121-verification-requirements) (3) (A) through (C) above, MUST be verified directly with, or obtained directly from, the Registration Agency in the Applicant's Jurisdiction of Registration. 
Such verification MAY be performed by means of a Qualified Government Information Source, a Qualified Governmental Tax Information Source, or by direct contact with the Registration Agency in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Qualified Governmental Tax Information Source or Registration Agency, or from a Qualified Independent Information Source. In addition, the CA MUST validate a Principal Individual associated with the Business Entity pursuant to the requirements in subsection (4), below. +3. **Business Entity Subjects**: Unless verified under subsection (6), Items listed in [Section 3.2.2.1](#3221-verification-requirements) (3) (A) through (C) above, MUST be verified directly with, or obtained directly from, the Registration Agency in the Applicant's Jurisdiction of Registration. Such verification MAY be performed by means of a Qualified Government Information Source, a Qualified Governmental Tax Information Source, or by direct contact with the Registration Agency in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Qualified Governmental Tax Information Source or Registration Agency, or from a Qualified Independent Information Source. In addition, the CA MUST validate a Principal Individual associated with the Business Entity pursuant to the requirements in subsection (4), below. 4. **Principal Individual**: A Principal Individual associated with the Business Entity MUST be validated in a face-to-face setting. The CA MAY rely upon a face-to-face validation of the Principal Individual performed by the Registration Agency, provided that the CA has evaluated the validation procedure and concluded that it satisfies the requirements of the Guidelines for face-to-face validation procedures. 
Where no face-to-face validation was conducted by the Registration Agency, or the Registration Agency's face-to-face validation procedure does not satisfy the requirements of the Guidelines, the CA SHALL perform face-to-face validation. @@ -490,7 +490,7 @@ To verify the Applicant's legal existence and identity, the CA MUST do the follo i. the CA confirms their authenticity (not improperly modified when compared with the underlying original) with the Third-Party Validator; and ii. electronic copies of similar kinds of documents are recognized as legal substitutes for originals under the laws of the CA's jurisdiction. -5. **Non-Commercial Entity Subjects (International Organization)**: Unless verified under subsection (6), all items listed in [Section 11.2.1](#1121-verification-requirements) (4) MUST be verified either: +5. **Non-Commercial Entity Subjects (International Organization)**: Unless verified under subsection (6), all items listed in [Section 3.2.2.1](#3221-verification-requirements) (4) MUST be verified either: A. With reference to the constituent document under which the International Organization was formed; or B. Directly with a signatory country's government in which the CA is permitted to do business. Such verification may be obtained from an appropriate government agency or from the laws of that country, or by verifying that the country's government has a mission to represent it at the International Organization; or 
@@ -529,7 +529,7 @@ To verify any assumed name under which the Applicant conducts business: A. **Place of Business in the Country of Incorporation or Registration** - i. For Applicants whose Place of Business is in the same country as the Applicant's Jurisdiction of Incorporation or Registration and whose Place of Business is NOT the same as that indicated in the relevant Qualified Government Information Source used in [Section 11.2](#112-verification-of-applicants-legal-existence-and-identity) to verify legal existence: + i. For Applicants whose Place of Business is in the same country as the Applicant's Jurisdiction of Incorporation or Registration and whose Place of Business is NOT the same as that indicated in the relevant Qualified Government Information Source used in [Section 3.2.2](#322-verification-of-applicants-legal-existence-and-identity) to verify legal existence: 1. For Applicants listed at the same Place of Business address in the current version of either at least one QGIS (other than that used to verify legal existence), QIIS or QTIS, the CA MUST confirm that the Applicant's address, as listed in the EV Certificate Request, is a valid business address for the Applicant or a Parent/Subsidiary Company by reference to such QGIS, QIIS, or QTIS, and MAY rely on the Applicant's representation that such address is its Place of Business; 
@@ -545,7 +545,7 @@ To verify any assumed name under which the Applicant conducts business: ii. For all Applicants, the CA MAY alternatively rely on a Verified Professional Letter that indicates the address of the Applicant's or a Parent/Subsidiary Company's Place of Business and that business operations are conducted there. iii. For Government Entity Applicants, the CA MAY rely on the address contained in the records of the QGIS in the Applicant's jurisdiction. - iv. For Applicants whose Place of Business is in the same country as the Applicant's Jurisdiction of Incorporation or Registration and where the QGIS used in [Section 11.2](#112-verification-of-applicants-legal-existence-and-identity) to verify legal existence contains a business address for the Applicant, the CA MAY rely on the address in the QGIS to confirm the Applicant's or a Parent/Subsidiary Company's address as listed in the EV Certificate Request, and MAY rely on the Applicant's representation that such address is its Place of Business. + iv. For Applicants whose Place of Business is in the same country as the Applicant's Jurisdiction of Incorporation or Registration and where the QGIS used in [Section 3.2.2](#322-verification-of-applicants-legal-existence-and-identity) to verify legal existence contains a business address for the Applicant, the CA MAY rely on the address in the QGIS to confirm the Applicant's or a Parent/Subsidiary Company's address as listed in the EV Certificate Request, and MAY rely on the Applicant's representation that such address is its Place of Business. B. **Place of Business not in the Country of Incorporation or Registration**: The CA MUST rely on a Verified Professional Letter that indicates the address of the Applicant's Place of Business and that business operations are conducted there. 
@@ -571,7 +571,7 @@ B. Confirm the Verified Method of Communication by using it to obtain an affirm #### 3.2.6.1 Verification Requirements -The CA MUST verify that the Applicant has the ability to engage in business by verifying the Applicant's, or Affiliate/Parent/Subsidiary Company's, operational existence. The CA MAY rely on its verification of a Government Entity's legal existence under [Section 11.2](#112-verification-of-applicants-legal-existence-and-identity) as verification of a Government Entity's operational existence. +The CA MUST verify that the Applicant has the ability to engage in business by verifying the Applicant's, or Affiliate/Parent/Subsidiary Company's, operational existence. The CA MAY rely on its verification of a Government Entity's legal existence under [Section 3.2.2](#322-verification-of-applicants-legal-existence-and-identity) as verification of a Government Entity's operational existence. #### 3.2.6.2 Acceptable Methods of Verification 
@@ -616,7 +616,7 @@ Acceptable methods of verification of the name, title, and agency status of the 2. **Agency**: The CA MAY verify the agency of the Contract Signer and the Certificate Approver by: A. Contacting the Applicant using a Verified Method of Communication for the Applicant, and obtaining confirmation that the Contract Signer and/or the Certificate Approver, as applicable, is an employee; - B. Obtaining an Independent Confirmation From the Applicant (as described in [Section 11.11.4](#11114-independent-confirmation-from-applicant)), or a Verified Professional Letter verifying that the Contract Signer and/or the Certificate Approver, as applicable, is either an employee or has otherwise been appointed as an agent of the Applicant; or + B. Obtaining an Independent Confirmation From the Applicant (as described in [Section 3.2.11.4](#32114-independent-confirmation-from-applicant)), or a Verified Professional Letter verifying that the Contract Signer and/or the Certificate Approver, as applicable, is either an employee or has otherwise been appointed as an agent of the Applicant; or C. Obtaining confirmation from a QIIS or QGIS that the Contract Signer and/or Certificate Approver is an employee of the Applicant. The CA MAY also verify the agency of the Certificate Approver via a certification from the Contract Signer (including in a contract between the CA and the Applicant signed by the Contract Signer), provided that the employment or agency status and Signing Authority of the Contract Signer has been verified. 
@@ -631,7 +631,7 @@ Acceptable methods of verification of the Signing Authority of the Contract Sign i. certified by the appropriate corporate officer (e.g., secretary), and ii. the CA can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification; -3. **Independent Confirmation from Applicant**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by obtaining an Independent Confirmation from the Applicant (as described in [Section 11.11.4](#11114-independent-confirmation-from-applicant)); +3. **Independent Confirmation from Applicant**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by obtaining an Independent Confirmation from the Applicant (as described in [Section 3.2.11.4](#32114-independent-confirmation-from-applicant)); 4. **Contract between CA and Applicant**: The EV Authority of the Certificate Approver MAY be verified by reliance on a contract between the CA and the Applicant that designates the Certificate Approver with such EV Authority, provided that the contract is signed by the Contract Signer and provided that the agency and Signing Authority of the Contract Signer have been verified; 5. **Prior Equivalent Authority**: The signing authority of the Contract Signer, and/or the EV authority of the Certificate Approver, MAY be verified by relying on a demonstration of Prior Equivalent Authority. 
@@ -665,7 +665,7 @@ Where the CA and Applicant contemplate the submission of multiple future EV Cert 1. Has verified the name and title of the Contract Signer and that he/she is an employee or agent of the Applicant; and -2. Has verified the Signing Authority of such Contract Signer in accordance with one of the procedures in [Section 11.8.3](#1183-acceptable-methods-of-verification--authority). +2. Has verified the Signing Authority of such Contract Signer in accordance with one of the procedures in [Section 3.2.8.3](#3283-acceptable-methods-of-verification--authority). The CA and the Applicant MAY enter into a written agreement, signed by the Contract Signer on behalf of the Applicant, whereby, for a specified term, the Applicant expressly authorizes one or more Certificate Approver(s) designated in such agreement to exercise EV Authority with respect to each future EV Certificate Request submitted on behalf of the Applicant and properly authenticated as originating with, or otherwise being approved by, such Certificate Approver(s). 
@@ -678,13 +678,13 @@ Such an agreement MUST provide that the Applicant shall be obligated under the S ### 3.2.9 Verification of Signature on Subscriber Agreement and EV Certificate Requests -Both the Subscriber Agreement and each non-pre-authorized EV Certificate Request MUST be signed. The Subscriber Agreement MUST be signed by an authorized Contract Signer. The EV Certificate Request MUST be signed by the Certificate Requester submitting the document, unless the Certificate Request has been pre-authorized in line with [Section 11.8.4](#1184-pre-authorized-certificate-approver). If the Certificate Requester is not also an authorized Certificate Approver, then an authorized Certificate Approver MUST independently approve the EV Certificate Request. In all cases, applicable signatures MUST be a legally valid and contain an enforceable seal or handwritten signature (for a paper Subscriber Agreement and/or EV Certificate Request), or a legally valid and enforceable electronic signature (for an electronic Subscriber Agreement and/or EV Certificate Request), that binds the Applicant to the terms of each respective document. +Both the Subscriber Agreement and each non-pre-authorized EV Certificate Request MUST be signed. The Subscriber Agreement MUST be signed by an authorized Contract Signer. The EV Certificate Request MUST be signed by the Certificate Requester submitting the document, unless the Certificate Request has been pre-authorized in line with [Section 3.2.8.4](#3284-pre-authorized-certificate-approver). If the Certificate Requester is not also an authorized Certificate Approver, then an authorized Certificate Approver MUST independently approve the EV Certificate Request. 
In all cases, applicable signatures MUST be a legally valid and contain an enforceable seal or handwritten signature (for a paper Subscriber Agreement and/or EV Certificate Request), or a legally valid and enforceable electronic signature (for an electronic Subscriber Agreement and/or EV Certificate Request), that binds the Applicant to the terms of each respective document. #### 3.2.9.1 Verification Requirements 1. **Signature**: The CA MUST authenticate the signature of the Contract Signer on the Subscriber Agreement and the signature of the Certificate Requester on each EV Certificate Request in a manner that makes it reasonably certain that the person named as the signer in the applicable document is, in fact, the person who signed the document on behalf of the Applicant. -2. **Approval Alternative**: In cases where an EV Certificate Request is signed and submitted by a Certificate Requester who does not also function as a Certificate Approver, approval and adoption of the EV Certificate Request by a Certificate Approver in accordance with the requirements of [Section 11.10](#1110-verification-of-approval-of-ev-certificate-request) can substitute for authentication of the signature of the Certificate Requester on such EV Certificate Request. +2. **Approval Alternative**: In cases where an EV Certificate Request is signed and submitted by a Certificate Requester who does not also function as a Certificate Approver, approval and adoption of the EV Certificate Request by a Certificate Approver in accordance with the requirements of [Section 3.2.10](#3210-verification-of-approval-of-ev-certificate-request) can substitute for authentication of the signature of the Certificate Requester on such EV Certificate Request. #### 3.2.9.2 Acceptable Methods of Signature Verification 
@@ -710,7 +710,7 @@ Acceptable methods of verifying the Certificate Approver's approval of an EV Cer 1. Contacting the Certificate Approver using a Verified Method of Communication for the Applicant and obtaining oral or written confirmation that the Certificate Approver has reviewed and approved the EV Certificate Request; 2. Notifying the Certificate Approver that one or more new EV Certificate Requests are available for review and approval at a designated access-controlled and secure Web site, followed by a login by, and an indication of approval from, the Certificate Approver in the manner required by the Web site; or -3. Verifying the signature of the Certificate Approver on the EV Certificate Request in accordance with [Section 11.9](#119-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests). +3. Verifying the signature of the Certificate Approver on the EV Certificate Request in accordance with [Section 3.2.9](#329-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests). ### 3.2.11 Verification of Certain Information Sources 
@@ -732,7 +732,7 @@ Acceptable methods of verifying the Certificate Approver's approval of an EV Cer B. **Basis of Opinion**: The text of the legal opinion MUST make it clear that the Legal Practitioner is acting on behalf of the Applicant and that the conclusions of the legal opinion are based on the Legal Practitioner's stated familiarity with the relevant facts and the exercise of the practitioner's professional judgment and expertise. The legal opinion MAY also include disclaimers and other limitations customary in the Legal Practitioner's jurisdiction, provided that the scope of the disclaimed responsibility is not so great as to eliminate any substantial risk (financial, professional, and/or reputational) to the Legal Practitioner, should the legal opinion prove to be erroneous. An acceptable form of legal opinion is attached as [Appendix B](#appendix-b---sample-attorney-opinions-confirming-specified-information); C. **Authenticity**: To confirm the authenticity of the legal opinion, the CA MUST make a telephone call or send a copy of the legal opinion back to the Legal Practitioner at the address, phone number, facsimile, or (if available) e-mail address for the Legal Practitioner listed with the authority responsible for registering or licensing such Legal Practitioner, and obtain confirmation from the Legal Practitioner or the Legal Practitioner's assistant that the legal opinion is authentic. If a phone number is not available from the licensing authority, the CA MAY use the number listed for the Legal Practitioner in records provided by the applicable phone company, QGIS, or QIIS. - In circumstances where the opinion is digitally signed, in a manner that confirms the authenticity of the document and the identity of the signer, as verified by the CA in [Section 11.11.1](#11111-verified-legal-opinion) (2)(A), no further verification of authenticity is required. 
+ In circumstances where the opinion is digitally signed, in a manner that confirms the authenticity of the document and the identity of the signer, as verified by the CA in [Section 3.2.11.1](#32111-verified-legal-opinion) (2)(A), no further verification of authenticity is required. #### 3.2.11.2 Verified Accountant Letter 
@@ -748,7 +748,7 @@ Acceptable methods of verifying the Certificate Approver's approval of an EV Cer B. **Basis of Opinion**: The text of the Verified Accountant Letter MUST make clear that the Accounting Practitioner is acting on behalf of the Applicant and that the information in the letter is based on the Accounting Practitioner's stated familiarity with the relevant facts and the exercise of the practitioner's professional judgment and expertise. The Verified Accountant Letter MAY also include disclaimers and other limitations customary in the Accounting Practitioner's jurisdiction, provided that the scope of the disclaimed responsibility is not so great as to eliminate any substantial risk (financial, professional, and/or reputational) to the Accounting Practitioner, should the Verified Accountant Letter prove to be erroneous. Acceptable forms of Verified Accountant Letter are attached as [Appendix C](#appendix-c---sample-accountant-letters-confirming-specified-information). C. **Authenticity**: To confirm the authenticity of the accountant's opinion, the CA MUST make a telephone call or send a copy of the Verified Accountant Letter back to the Accounting Practitioner at the address, phone number, facsimile, or (if available) e-mail address for the Accounting Practitioner listed with the authority responsible for registering or licensing such Accounting Practitioners and obtain confirmation from the Accounting Practitioner or the Accounting Practitioner's assistant that the accountant letter is authentic. If a phone number is not available from the licensing authority, the CA MAY use the number listed for the Accountant in records provided by the applicable phone company, QGIS, or QIIS. 
- In circumstances where the opinion is digitally signed, in a manner that confirms the authenticity of the document and the identity of the signer, as verified by the CA in [Section 11.11.2](#11112-verified-accountant-letter) (2)(A), no further verification of authenticity is required. + In circumstances where the opinion is digitally signed, in a manner that confirms the authenticity of the document and the identity of the signer, as verified by the CA in [Section 3.2.11.2](#32112-verified-accountant-letter) (2)(A), no further verification of authenticity is required. #### 3.2.11.3 Face-to-Face Validation 
@@ -762,7 +762,7 @@ Acceptable methods of verifying the Certificate Approver's approval of an EV Cer A. **Qualification of Third-Party Validator**: The CA MUST verify the professional status of the Third-Party Validator by directly contacting the authority responsible for registering or licensing such Third-Party Validators in the applicable jurisdiction; B. **Document Chain of Custody**: The Third-Party Validator MUST submit a statement to the CA which attests that they obtained the Vetting Documents submitted to the CA for the individual during a face-to-face meeting with the individual; - C. **Verification of Attestation**: If the Third-Party Validator is not a Latin Notary, then the CA MUST confirm the authenticity of the vetting documents received from the Third-Party Validator. The CA MUST make a telephone call to the Third-Party Validator and obtain confirmation from them or their assistant that they performed the face-to-face validation. The CA MAY rely upon self-reported information obtained from the Third-Party Validator for the sole purpose of performing this verification process. In circumstances where the attestation is digitally signed, in a manner that confirms the authenticity of the documents, and the identity of the signer as verified by the CA in [Section 11.11.3](#11113-face-to-face-validation) (1)(A), no further verification of authenticity is required. + C. **Verification of Attestation**: If the Third-Party Validator is not a Latin Notary, then the CA MUST confirm the authenticity of the vetting documents received from the Third-Party Validator. The CA MUST make a telephone call to the Third-Party Validator and obtain confirmation from them or their assistant that they performed the face-to-face validation. The CA MAY rely upon self-reported information obtained from the Third-Party Validator for the sole purpose of performing this verification process. 
In circumstances where the attestation is digitally signed, in a manner that confirms the authenticity of the documents, and the identity of the signer as verified by the CA in [Section 3.2.11.3](#32113-face-to-face-validation) (1)(A), no further verification of authenticity is required. #### 3.2.11.4 Independent Confirmation From Applicant 
@@ -852,10 +852,10 @@ The High Risk Certificate requirements of Section 4.2.1 of the Baseline Requirem #### 3.2.12.3 Parent/Subsidiary/Affiliate Relationship -A CA verifying an Applicant using information of the Applicant's Parent, Subsidiary, or Affiliate, when allowed under [Section 11.4.1](#1141-address-of-applicants-place-of-business), [Section 11.5](#115-verified-method-of-communication), [Section 11.6.1](#1161-verification-requirements), or [Section 11.7.1](#1171-verification-requirements), MUST verify the Applicant's relationship to the Parent, Subsidiary, or Affiliate. Acceptable methods of verifying the Applicant's relationship to the Parent, Subsidiary, or Affiliate include the following: +A CA verifying an Applicant using information of the Applicant's Parent, Subsidiary, or Affiliate, when allowed under [Section 3.2.4.1](#3241-address-of-applicants-place-of-business), [Section 3.2.5](#325-verified-method-of-communication), [Section 3.2.6.1](#3261-verification-requirements), or [Section 3.2.7.1](#3271-verification-requirements), MUST verify the Applicant's relationship to the Parent, Subsidiary, or Affiliate. Acceptable methods of verifying the Applicant's relationship to the Parent, Subsidiary, or Affiliate include the following: 1. QIIS or QGIS: The relationship between the Applicant and the Parent, Subsidiary, or Affiliate is identified in a QIIS or QGIS; -2. Independent Confirmation from the Parent, Subsidiary, or Affiliate: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by obtaining an Independent Confirmation from the appropriate Parent, Subsidiary, or Affiliate (as described in [Section 11.11.4](#11114-independent-confirmation-from-applicant)); +2. 
Independent Confirmation from the Parent, Subsidiary, or Affiliate: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by obtaining an Independent Confirmation from the appropriate Parent, Subsidiary, or Affiliate (as described in [Section 3.2.11.4](#32114-independent-confirmation-from-applicant)); 3. Contract between CA and Parent, Subsidiary, or Affiliate: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by relying on a contract between the CA and the Parent, Subsidiary, or Affiliate that designates the Certificate Approver with such EV Authority, provided that the contract is signed by the Contract Signer and provided that the agency and Signing Authority of the Contract Signer have been verified; 4. Verified Professional Letter: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by relying on a Verified Professional Letter; or 5. Corporate Resolution: A CA MAY verify the relationship between an Applicant and a Subsidiary by relying on a properly authenticated corporate resolution that approves creation of the Subsidiary or the Applicant, provided that such resolution is: 
@@ -868,13 +868,13 @@ A CA verifying an Applicant using information of the Applicant's Parent, Subsidi 1. The results of the verification processes and procedures outlined in these Guidelines are intended to be viewed both individually and as a group. Thus, after all of the verification processes and procedures are completed, the CA MUST have a person who is not responsible for the collection of information review all of the information and documentation assembled in support of the EV Certificate application and look for discrepancies or other details requiring further explanation. 2. The CA MUST obtain and document further explanation or clarification from the Applicant, Certificate Approver, Certificate Requester, Qualified Independent Information Sources, and/or other sources of information, as necessary, to resolve those discrepancies or details that require further explanation. 3. The CA MUST refrain from issuing an EV Certificate until the entire corpus of information and documentation assembled in support of the EV Certificate Request is such that issuance of the EV Certificate will not communicate factual information that the CA knows, or the exercise of due diligence should discover from the assembled information and documentation, to be inaccurate,. If satisfactory explanation and/or additional documentation are not received within a reasonable time, the CA MUST decline the EV Certificate Request and SHOULD notify the Applicant accordingly. -4. 
In the case where some or all of the documentation used to support the application is in a language other than the CA's normal operating language, the CA or its Affiliate MUST perform the requirements of this Final Cross-Correlation and Due Diligence section using employees under its control and having appropriate training, experience, and judgment in confirming organizational identification and authorization and fulfilling all qualification requirements contained in [Section 14.1](#141-trustworthiness-and-competence). When employees under the control of the CA do not possess the language skills necessary to perform the Final Cross-Correlation and Due Diligence a CA MAY: +4. In the case where some or all of the documentation used to support the application is in a language other than the CA's normal operating language, the CA or its Affiliate MUST perform the requirements of this Final Cross-Correlation and Due Diligence section using employees under its control and having appropriate training, experience, and judgment in confirming organizational identification and authorization and fulfilling all qualification requirements contained in [Section 5.3.2](#532-trustworthiness-and-competence). When employees under the control of the CA do not possess the language skills necessary to perform the Final Cross-Correlation and Due Diligence a CA MAY: A. Rely on language translations of the relevant portions of the documentation, provided that the translations are received from a Translator; or - B. When the CA has utilized the services of an RA, the CA MAY rely on the language skills of the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with [Section 11.13](#1113-final-cross-correlation-and-due-diligence), Subsections (1), (2) and (3). Notwithstanding the foregoing, prior to issuing the EV Certificate, the CA MUST review the work completed by the RA and determine that all requirements have been met; or - C. 
When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 17.5](#175-regular-self-audits) and [Section 17.6](#176-auditor-qualification). + B. When the CA has utilized the services of an RA, the CA MAY rely on the language skills of the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence), Subsections (1), (2) and (3). Notwithstanding the foregoing, prior to issuing the EV Certificate, the CA MUST review the work completed by the RA and determine that all requirements have been met; or + C. When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 8.9](#89-regular-self-audits) and [Section 8.3](#83-auditor-qualification). -In the case of EV Certificates to be issued in compliance with the requirements of [Section 14.2](#142-delegation-of-functions-to-registration-authorities-and-subcontractors), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. +In the case of EV Certificates to be issued in compliance with the requirements of [Section 1.3.2](#132-delegation-of-functions-to-registration-authorities-and-subcontractors), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. ### 3.2.14 Requirements for Re-use of Existing Documentation 
@@ -884,12 +884,12 @@ For each EV Certificate Request, including requests to renew existing EV Certifi If an Applicant has a currently valid EV Certificate issued by the CA, a CA MAY rely on its prior authentication and verification of: -1. The Principal Individual verified under [Section 11.2.2](#1122-acceptable-method-of-verification) (4) if the individual is the same person as verified by the CA in connection with the Applicant's previously issued and currently valid EV Certificate; -2. The Applicant's Place of Business under [Section 11.4.1](#1141-address-of-applicants-place-of-business); -3. The Applicant's Verified Method of Communication required by [Section 11.5](#115-verified-method-of-communication) but still MUST perform the verification required by [Section 11.5.2](#1152-acceptable-methods-of-verification) (B); -4. The Applicant's Operational Existence under [Section 11.6](#116-verification-of-applicants-operational-existence); -5. The Name, Title, Agency and Authority of the Contract Signer, and Certificate Approver, under [Section 11.8](#118-verification-of-name-title-and-authority-of-contract-signer-and-certificate-approver); and -6. The Applicant's right to use the specified Domain Name under [Section 11.7](#117-verification-of-applicants-domain-name), provided that the CA verifies that the WHOIS record still shows the same registrant as when the CA verified the specified Domain Name for the initial EV Certificate. +1. The Principal Individual verified under [Section 3.2.2.2](#3222-acceptable-method-of-verification) (4) if the individual is the same person as verified by the CA in connection with the Applicant's previously issued and currently valid EV Certificate; +2. The Applicant's Place of Business under [Section 3.2.4.1](#3241-address-of-applicants-place-of-business); +3. 
The Applicant's Verified Method of Communication required by [Section 3.2.5](#325-verified-method-of-communication) but still MUST perform the verification required by [Section 3.2.5.2](#3252-acceptable-methods-of-verification) (B); +4. The Applicant's Operational Existence under [Section 3.2.6](#326-verification-of-applicants-operational-existence); +5. The Name, Title, Agency and Authority of the Contract Signer, and Certificate Approver, under [Section 3.2.8](#328-verification-of-name-title-and-authority-of-contract-signer-and-certificate-approver); and +6. The Applicant's right to use the specified Domain Name under [Section 3.2.7](#327-verification-of-applicants-domain-name), provided that the CA verifies that the WHOIS record still shows the same registrant as when the CA verified the specified Domain Name for the initial EV Certificate. #### 3.2.14.2 Re-issuance Requests @@ -900,7 +900,7 @@ A CA may rely on a previously verified certificate request to issue a replacemen #### 3.2.14.3 Age of Validated Data -1. Except for reissuance of an EV Certificate under [Section 11.14.2](#11142-re-issuance-requests) and except when permitted otherwise in [Section 11.14.1](#11141-validation-for-existing-subscribers), the age of all data used to support issuance of an EV Certificate (before revalidation is required) SHALL NOT exceed the following limits: +1. Except for reissuance of an EV Certificate under [Section 3.2.14.2](#32142-re-issuance-requests) and except when permitted otherwise in [Section 3.2.14.1](#32141-validation-for-existing-subscribers), the age of all data used to support issuance of an EV Certificate (before revalidation is required) SHALL NOT exceed the following limits: A. Legal existence and identity – 398 days; B. Assumed name – 398 days; 
@@ -911,8 +911,8 @@ A CA may rely on a previously verified certificate request to issue a replacemen G. Name, Title, Agency, and Authority – 398 days, unless a contract between the CA and the Applicant specifies a different term, in which case, the term specified in such contract controls. For example, the contract MAY include the perpetual assignment of EV roles until revoked by the Applicant or CA, or until the contract expires or is terminated. 2. The 398-day period set forth above SHALL begin to run on the date the information was collected by the CA. -3. The CA MAY reuse a previously submitted EV Certificate Request, Subscriber Agreement, or Terms of Use, including use of a single EV Certificate Request in support of multiple EV Certificates containing the same Subject to the extent permitted under [Section 11.9](#119-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests) and [Section 11.10](#1110-verification-of-approval-of-ev-certificate-request). -4. The CA MUST repeat the verification process required in these Guidelines for any information obtained outside the time limits specified above except when permitted otherwise under [Section 11.14.1](#11141-validation-for-existing-subscribers). +3. The CA MAY reuse a previously submitted EV Certificate Request, Subscriber Agreement, or Terms of Use, including use of a single EV Certificate Request in support of multiple EV Certificates containing the same Subject to the extent permitted under [Section 3.2.9](#329-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests) and [Section 3.2.10](#3210-verification-of-approval-of-ev-certificate-request). +4. The CA MUST repeat the verification process required in these Guidelines for any information obtained outside the time limits specified above except when permitted otherwise under [Section 3.2.14.1](#32141-validation-for-existing-subscribers). 
@@ -970,7 +970,7 @@ An Applicant qualifies as a Business Entity if: 4. The identified Principal Individual attests to the representations made in the Subscriber Agreement; -5. The CA verifies the entity's use of any assumed name used to represent the entity pursuant to the requirements of [Section 11.3](#113-verification-of-applicants-legal-existence-and-identity--assumed-name); +5. The CA verifies the entity's use of any assumed name used to represent the entity pursuant to the requirements of [Section 3.2.3](#323-verification-of-applicants-legal-existence-and-identity--assumed-name); 6. The entity and the identified Principal Individual associated with the entity are not located or residing in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and @@ -990,7 +990,7 @@ Subsidiary organizations or agencies of an entity that qualifies as a Non-Commer ### 4.1.2 Enrollment process and responsibilities The documentation requirements in Section 4.1.2 of the Baseline Requirements apply equally to EV Certificates. -The Certificate Request requirements in Section 4.1.2 of the Baseline Requirements apply equally to EV Certificates subject to the additional more stringent ageing and updating requirement of [Section 11.14](#1114-requirements-for-re-use-of-existing-documentation). +The Certificate Request requirements in Section 4.1.2 of the Baseline Requirements apply equally to EV Certificates subject to the additional more stringent ageing and updating requirement of [Section 3.2.14](#3214-requirements-for-re-use-of-existing-documentation). ## 4.2 Certificate application processing ### 4.2.1 Performing identification and authentication functions 
@@ -1090,7 +1090,7 @@ As specified in Section 5 of the Baseline Requirements. In addition, systems use ### 5.2.2 Number of persons required per task ### 5.2.3 Identification and authentication for each role ### 5.2.4 Roles requiring separation of duties -1. The CA MUST enforce rigorous control procedures for the separation of validation duties to ensure that no one person can single-handedly validate and authorize the issuance of an EV Certificate. The Final Cross-Correlation and Due Diligence steps, as outlined in [Section 11.13](#1113-final-cross-correlation-and-due-diligence), MAY be performed by one of the persons. For example, one Validation Specialist MAY review and verify all the Applicant information and a second Validation Specialist MAY approve issuance of the EV Certificate. +1. The CA MUST enforce rigorous control procedures for the separation of validation duties to ensure that no one person can single-handedly validate and authorize the issuance of an EV Certificate. The Final Cross-Correlation and Due Diligence steps, as outlined in [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence), MAY be performed by one of the persons. For example, one Validation Specialist MAY review and verify all the Applicant information and a second Validation Specialist MAY approve issuance of the EV Certificate. 2. Such controls MUST be auditable. ## 5.3 Personnel controls ### 5.3.1 Qualifications, experience, and clearance requirements 
@@ -1294,7 +1294,7 @@ Country: __Required/Optional__: Required __Contents__: These fields MUST NOT contain information that is not relevant to the level of the Incorporating Agency or Registration Agency. For example, the Jurisdiction of Incorporation for an Incorporating Agency or Jurisdiction of Registration for a Registration Agency that operates at the country level MUST include the country information but MUST NOT include the state or province or locality information. Similarly, the jurisdiction for the applicable Incorporating Agency or Registration Agency at the state or province level MUST include both country and state or province information, but MUST NOT include locality information. And, the jurisdiction for the applicable Incorporating Agency or Registration Agency at the locality level MUST include the country and state or province information, where the state or province regulates the registration of the entities at the locality level, as well as the locality information. Country information MUST be specified using the applicable ISO country code. State or province or locality information (where applicable) for the Subject's Jurisdiction of Incorporation or Registration MUST be specified using the full name of the applicable jurisdiction. -Effective as of 1 October 2020, the CA SHALL ensure that, at time of issuance, the values within these fields have been disclosed within the latest publicly-available disclosure, as described in [Section 11.1.3](#1113-disclosure-of-verification-sources), as acceptable values for the applicable Incorporating Agency or Registration Agency. +Effective as of 1 October 2020, the CA SHALL ensure that, at time of issuance, the values within these fields have been disclosed within the latest publicly-available disclosure, as described in [Section 3.2.1.3](#3213-disclosure-of-verification-sources), as acceptable values for the applicable Incorporating Agency or Registration Agency. 
##### 7.1.4.2.5 Subject Registration Number Field @@ -1306,7 +1306,7 @@ For Government Entities that do not have a Registration Number or readily verifi For Business Entities, the Registration Number that was received by the Business Entity upon government registration SHALL be entered in this field. For those Business Entities that register with an Incorporating Agency or Registration Agency in a jurisdiction that does not issue numbers pursuant to government registration, the date of the registration SHALL be entered into this field in any one of the common date formats. -Effective as of 1 October 2020, if the CA has disclosed a set of acceptable format or formats for Registration Numbers for the applicable Registration Agency or Incorporating Agency, as described in [Section 11.1.3](#1113-disclosure-of-verification-sources), the CA MUST ensure, prior to issuance, that the Registration Number is valid according to at least one currently disclosed format for that applicable Registration Agency or Incorporating agency. +Effective as of 1 October 2020, if the CA has disclosed a set of acceptable format or formats for Registration Numbers for the applicable Registration Agency or Incorporating Agency, as described in [Section 3.2.1.3](#3213-disclosure-of-verification-sources), the CA MUST ensure, prior to issuance, that the Registration Number is valid according to at least one currently disclosed format for that applicable Registration Agency or Incorporating agency. ##### 7.1.4.2.6 Subject Physical Address of Place of Business Field 
@@ -1356,7 +1356,7 @@ Registration Schemes listed in [Appendix H](#appendix-h--registration-schemes) a The CA SHALL: 1. confirm that the organization represented by the Registration Reference is the same as the organization named in the `organizationName` field as specified in [Section 7.1.4.2.1](#71421-subject-organization-name-field) within the context of the subject’s jurisdiction as specified in [Section 7.1.4.2.4](#71424-subject-jurisdiction-of-incorporation-or-registration-field); -2. further verify the Registration Reference matches other information verified in accordance with [Section 11](#11-verification-requirements); +2. further verify the Registration Reference matches other information verified in accordance with [Section 3.2](#32-verification-requirements); 3. take appropriate measures to disambiguate between different organizations as described in [Appendix H](#appendix-h--registration-schemes) for each Registration Scheme; 4. Apply the validation rules relevant to the Registration Scheme as specified in [Appendix H](#appendix-h--registration-schemes). 
@@ -1467,7 +1467,7 @@ CAs SHOULD make its audit report publicly available no later than three months a The CA MUST complete any required point-in-time readiness assessment no earlier than twelve (12) months prior to issuing an EV Certificate. The CA MUST undergo a complete audit under such scheme within ninety (90) days of issuing the first EV Certificate. ## 8.9 Self audits -During the period in which it issues EV Certificates, the CA MUST strictly control its service quality by performing ongoing self audits against a randomly selected sample of at least three percent of the EV Certificates it has issued in the period beginning immediately after the last sample was taken. For all EV Certificates where the Final Cross-Correlation and Due Diligence requirements of [Section 11.13](#1113-final-cross-correlation-and-due-diligence) is performed by an RA, the CA MUST strictly control its service quality by performing ongoing self audits against a randomly selected sample of at least six percent of the EV Certificates it has issued in the period beginning immediately after the last sample was taken. +During the period in which it issues EV Certificates, the CA MUST strictly control its service quality by performing ongoing self audits against a randomly selected sample of at least three percent of the EV Certificates it has issued in the period beginning immediately after the last sample was taken. For all EV Certificates where the Final Cross-Correlation and Due Diligence requirements of [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence) is performed by an RA, the CA MUST strictly control its service quality by performing ongoing self audits against a randomly selected sample of at least six percent of the EV Certificates it has issued in the period beginning immediately after the last sample was taken. # 9. OTHER BUSINESS AND LEGAL MATTERS ## 9.1 Fees ### 9.1.1 Certificate issuance or renewal fees 
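Review bot: in the Section 3.2.13 hunk (options B and C for relying on an RA), the renumbered links keep the old heading slugs, so at least one of them is dead: option C points at `[Section 8.9](#89-regular-self-audits)`, but the heading introduced later in this same patch reads `## 8.9 Self audits`, which GitHub slugs as `#89-self-audits`. The sibling link `[Section 8.3](#83-auditor-qualification)` should be checked the same way: in the RFC 3647 layout auditor qualifications sit in 8.2 ("Identity/qualifications of assessor") and 8.3 is "Assessor's relationship to assessed entity", so both the number and the slug may be wrong. The same pattern applies to `[Section 1.3.2](#132-delegation-of-functions-to-registration-authorities-and-subcontractors)` in the Enterprise RA paragraph; RFC 3647 titles 1.3.2 "Registration authorities". Suggest regenerating every anchor from the new heading text rather than only rewriting the section number in the link text, and running a markdown link checker over the converted document before merging.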
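Review bot: in the Registration Reference hunk (item 2 of "The CA SHALL:"), `[Section 3.2](#32-verification-requirements)` carries the old Section 11 title into the new anchor. Under RFC 3647, 3.2 is "Initial identity validation", so unless the converted document deliberately retitled that heading the slug will not resolve; the link text should also say which 3.2 subsections are meant, since "information verified in accordance with Section 3.2" now spans the whole identity-validation block rather than the old standalone Section 11.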
From 0e6ba795d3fde484879b28c46759e2eb3a05ba03 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Thu, 13 Jul 2023 10:57:50 +0200 Subject: [PATCH 29/48] Delete EVG original --- docs/EVG original | 1740 --------------------------------------------- 1 file changed, 1740 deletions(-) delete mode 100644 docs/EVG original diff --git a/docs/EVG original b/docs/EVG original deleted file mode 100644 index 4f1d5df9..00000000 --- a/docs/EVG original +++ /dev/null 
@@ -1,1740 +0,0 @@ ---- -title: Guidelines for the Issuance and Management of Extended Validation Certificates -subtitle: Version 1.8.0 -author: - - CA/Browser Forum -date: 30 November, 2022 -copyright: | - Copyright 2022 CA/Browser Forum - - This work is licensed under the Creative Commons Attribution 4.0 International license. ---- - -# Introduction - -The Guidelines describe an integrated set of technologies, protocols, identity proofing, lifecycle management, and auditing practices specifying the minimum requirements that must be met in order to issue and maintain Extended Validation Certificates ("EV Certificates") concerning an organization. Subject Organization information from valid EV Certificates can then be used in a special manner by certain relying-party software applications (e.g., browser software) in order to provide users with a trustworthy confirmation of the identity of the entity that controls the Web site or other services they are accessing. Although initially intended for use in establishing Web-based data communication conduits via TLS/SSL protocols, extensions are envisioned for S/MIME, time-stamping, VoIP, IM, Web services, etc. - -The primary purposes of Extended Validation Certificates are to: 1) identify the legal entity that controls a Web or service site, and 2) enable encrypted communications with that site. The secondary purposes include significantly enhancing cybersecurity by helping establish the legitimacy of an organization claiming to operate a Web site, and providing a vehicle that can be used to assist in addressing problems related to distributing malware, phishing, identity theft, and diverse forms of online fraud. - -**Notice to Readers** - -The Guidelines for the Issuance and Management of Extended Validation Certificates present criteria established by the CA/Browser Forum for use by certification authorities when issuing, maintaining, and revoking certain digital certificates for use in Internet Web site commerce. 
These Guidelines may be revised from time to time, as appropriate, in accordance with procedures adopted by the CA/Browser Forum. Questions or suggestions concerning these guidelines may be directed to the CA/Browser Forum at . - -**The CA/Browser Forum** - -The CA/Browser Forum is a voluntary open organization of certification authorities and suppliers of Internet browsers and other relying-party software applications. Membership is listed at . - -## Document History - -| **Ver.** | **Ballot** | **Description** | **Adopted** | **Effective\*** | -|-|-|-----|--|--| -| 1.4.0 | 72 | Reorganize EV Documents | 29 May 2012 | 29 May 2012 | -| 1.4.1 | 75 | NameConstraints Criticality Flag | 8 June 2012 | 8 June 2012 | -| 1.4.2 | 101 | EV 11.10.2 Accountants | 31 May 2013 | 31 May 2013 | -| 1.4.3 | 104 | Domain verification for EV Certificates | 9 July 2013 | 9 July 2013 | -| 1.4.4 | 113 | Revision to QIIS in EV Guidelines | 13 Jan 2014 | 13 Jan 2014 | -| 1.4.5 | 114 | Improvements to the EV Definitions | 28 Jan 2014 | 28 Jan 2014 | -| 1.4.6 | 119 | Remove "OfIncorporation" from OID descriptions in EVG 9.2.5 | 24 Mar 2014 | 24 Mar 2014 | -| 1.4.7 | 120 | Affiliate Authority to Verify Domain | 5 June 2014 | 5 June 2014 | -| 1.4.8 | 124 | Business Entity Clarification | 5 June 2014 | 5 June 2014 | -| 1.4.9 | 127 | Verification of Name, Title and Agency | 17 July 2014 | 17 July 2014 | -| 1.5.0 | 126 | Operational Existence | 24 July 2014 | 24 July 2014 | -| 1.5.1 | 131 | Verified Method of Communication | 12 Sept 2014 | 12 Sept 2014 | -| 1.5.2 | 123 | Reuse of Information | 16 Oct. 2014 | 16 Oct. 2014 | -| 1.5.3 | 144 | Validation rules for .onion names | 18 Feb. 2015 | 18 Feb. 2015 | -| 1.5.4 | 146 | Convert Baseline Requirements to RFC 3647 Framework | 16 Apr. 2015 | 16 Apr. 2015 | -| 1.5.5 | 145 | Operational Existence for Government Entities | 5 Mar. 2015 | 5 Mar. 
2015 | -| 1.5.6 | 147 | Attorney-Accountant Letter Changes | 25 June 2015 | 25 June 2015 | -| 1.5.7 | 151 | Addition of Optional OIDs for Indicating Level of Validation | 28 Sept 2015 | 28 Sept 2015 | -| 1.5.8 | 162 | Sunset of Exceptions | 15 Mar 2016 | 15 Mar 2016 | -| 1.5.9 | 163 | Fix Errata in EV Guidelines 11.2.1 | 18 Mar 2016 | 18 Mar 2016 | -| 1.6.0 | 171 | Updating ETSI Standards | 1 July 2016 | 1 July 2016 | -| 1.6.1 | 180 | In EV 11.7.1, removed outdated cross-reference to BR 3.2.2.4(7) | 7 Jan. 2017 | 7 Jan. 2017 | -| 1.6.2 | 103 | 825-day Certificate Lifetimes | 17 Mar. 2017 | 17 Mar. 2017 | -| 1.6.3 | 198 | .Onion Revisions (declared invalid) | 7 May 2017 | 8 June 2017 | -| 1.6.4 | 191 | Clarify Place of Business Information | 23 May 2017 | 23 June 2017 | -| 1.6.5 | 201 | .onion Revisions | 8 June 2017 | 8 July 2017 | -| 1.6.6 | 192 | Notary revision | 28 June 2017 | 28 July 2017 | -| 1.6.7 | 207 | ASN.1 Jurisdiction | 23 October 2017 | 23 November 2017 | -| 1.6.8 | 217 | Sunset RFC 2527 | 21 Dec 2017 | 9 Mar 2018 | -| 1.6.9 | SC16 | Other Subject Attributes | 15 Mar 2019 | 16 Apr 2019 | -| 1.7.0 | SC17 | Alternative registration numbers for EV certificates | 21 May 2019 | 21 June 2019 | -| 1.7.1 | SC24 | Fall cleanup v2 | 12 Nov 2019 | 19 Dec 2019 | -| 1.7.2 | SC27 | Version 3 Onion Certificates | 19-Feb-2020 | 27-Mar-2020 | -| 1.7.3 | SC30 | Disclosure of Registration / Incorporating Agency | 13-Jul-2020 | 20-Aug-2020 | -| 1.7.3 | SC31 | Browser Alignment | 16-Jul-2020 | 20-Aug-2020 | -| 1.7.4 | SC35 | Cleanups and Clarifications | 9-Sep-2020 | 19-Oct-2020 | -| 1.7.5 | SC41 | Reformatting the BRs, EVGs, and NCSSRs | 24-Feb-2021 | 5-Apr-2021 | -| 1.7.6 | SC42 | 398-day Re-use Period | 22-Apr-2021 | 2-Jun-2021 | -| 1.7.7 | SC47 | Sunset subject:organizationalUnitName | 30-Jun-2021 | 16-Aug-2021 | -| 1.7.8 | SC48 | Domain Name and IP Address Encoding | 22-Jul-2021 | 25-Aug-2021 | -| 1.7.9 | SC54 | Onion Cleanup | 24-Mar-2022 | 23-Apr-2022 | -| 1.8.0 | 
SC56 | 2022 Cleanup | 25-Oct-2022 | 30-Nov-2022 | - -\* Effective Date and Additionally Relevant Compliance Date(s) - -## Relevant Dates - -| **Compliance** | **Section(s)** | **Summary Description (See Full Text for Details)** | -|--|--|----------| -| 2020-01-31 | [9.2.8](#928-subject-organization-identifier-field) | If subject:organizationIdentifier is present, the CA/Browser Forum Organization Identifier Extension MUST be present | -| 2020-09-01 | [9.4](#94-maximum-validity-period-for-ev-certificate) & Appendix F | Certificates issued MUST NOT have a Validity Period greater than 398 days. | -| 2020-10-01 | [11.1.3](#1113-disclosure-of-verification-sources) | Prior to using an Incorporating Agency or Registration Agency, the CA MUST ensure the agency has been publicly disclosed | -| 2022-09-01 | [9.2.7](#927-subject-organizational-unit-name-field) | CAs MUST NOT include the organizationalUnitName field in the Subject | - -**Implementers' Note**: Version 1.3 of these EV Guidelines was published on 20 November 2010 and supplemented through May 2012 when version 1.4 was published. ETSI TS 102 042 and ETSI TR 101 564 Technical Report: Guidance on ETSI TS 102 042 for Issuing Extended Validation Certificates for Auditors and CSPs reference version 1.3 of these EV Guidelines, and ETSI Draft EN 319 411-1 references version 1.4. Version 1.4.5 of Webtrust(r) for Certification Authorities – Extended Validation Audit Criteria references version 1.4.5 of these EV Guidelines. As illustrated in the Document History table above, the CA/Browser Forum continues to improve relevant industry guidelines, including this document, the Baseline Requirements, and the Network and Certificate System Security Requirements. We encourage all CAs to conform to each revision on the date specified without awaiting a corresponding update to an applicable audit criterion. 
In the event of a conflict between an existing audit criterion and a guideline revision, we will communicate with the audit community and attempt to resolve any uncertainty. We will respond to implementation questions directed to questions@cabforum.org. Our coordination with compliance auditors will continue as we develop guideline revision cycles that harmonize with the revision cycles for audit criteria, the compliance auditing periods and cycles of CAs, and the CA/Browser Forum's guideline implementation dates. - -# 1. Scope - -These Guidelines for the issuance and management of Extended Validation Certificates describe certain of the minimum requirements that a Certification Authority must meet in order to issue Extended Validation Certificates. Subject Organization information from Valid EV Certificates may be displayed in a special manner by certain relying-party software applications (e.g., browser software) in order to provide users with a trustworthy confirmation of the identity of the entity that controls the Web site they are accessing. These Guidelines incorporate the Baseline Requirements established by the CA/Browser Forum by reference. A copy of the Baseline Requirements is available on the CA/Browser Forum's website at . - -These Guidelines address the basic issue of validating Subject identity information in EV Certificates and some related matters. They do not address all of the related matters, such as certain technical and operational ones. This version of the Guidelines addresses only requirements for EV Certificates intended to be used for SSL/TLS authentication on the Internet and for code signing. Similar requirements for S/MIME, time-stamping, VoIP, IM, Web services, etc. may be covered in future versions. 
- -These Guidelines do not address the verification of information, or the issuance, use, maintenance, or revocation of EV Certificates by enterprises that operate their own Public Key Infrastructure for internal purposes only, where its Root CA Certificate is not distributed by any Application Software Supplier. - -# 2. Purpose - -## 2.1. Purpose of EV Certificates - -EV Certificates are intended for establishing Web-based data communication conduits via the TLS/SSL protocols and for verifying the authenticity of executable code. - -### 2.1.1. Primary Purposes - -The primary purposes of an EV Certificate are to: - -1. **Identify the legal entity that controls a Web site**: Provide a reasonable assurance to the user of an Internet browser that the Web site the user is accessing is controlled by a specific legal entity identified in the EV Certificate by name, address of Place of Business, Jurisdiction of Incorporation or Registration and Registration Number or other disambiguating information; and - -2. **Enable encrypted communications with a Web site**: Facilitate the exchange of encryption keys in order to enable the encrypted communication of information over the Internet between the user of an Internet browser and a Web site. - -### 2.1.2. Secondary Purposes - -The secondary purposes of an EV Certificate are to help establish the legitimacy of a business claiming to operate a Web site or distribute executable code, and to provide a vehicle that can be used to assist in addressing problems related to phishing, malware, and other forms of online identity fraud. By providing more reliable third-party verified identity and address information regarding the business, EV Certificates may help to: - -1. Make it more difficult to mount phishing and other online identity fraud attacks using Certificates; -2. Assist companies that may be the target of phishing attacks or online identity fraud by providing them with a tool to better identify themselves to users; and -3. 
Assist law enforcement organizations in their investigations of phishing and other online identity fraud, including where appropriate, contacting, investigating, or taking legal action against the Subject. - -### 2.1.3. Excluded Purposes - -EV Certificates focus only on the identity of the Subject named in the Certificate, and not on the behavior of the Subject. As such, an EV Certificate is **not** intended to provide any assurances, or otherwise represent or warrant: - -1. That the Subject named in the EV Certificate is actively engaged in doing business; -2. That the Subject named in the EV Certificate complies with applicable laws; -3. That the Subject named in the EV Certificate is trustworthy, honest, or reputable in its business dealings; or -4. That it is "safe" to do business with the Subject named in the EV Certificate. - -# 3. References - -See Baseline Requirements, which are available at . - -# 4. Definitions - -Capitalized Terms are defined in the Baseline Requirements except where provided below: - -**Accounting Practitioner**: A certified public accountant, chartered accountant, or a person with an equivalent license within the country of the Applicant's Jurisdiction of Incorporation or Registration or any jurisdiction where the Applicant maintains an office or physical facility; provided that an accounting standards body in the jurisdiction maintains full (not "suspended" or "associate") membership status with the International Federation of Accountants. - -**Baseline Requirements**: The Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates as published by the CA/Browser Forum and any amendments to such document. - -**Business Entity**: Any entity that is not a Private Organization, Government Entity, or Non-Commercial Entity as defined herein. Examples include, but are not limited to, general partnerships, unincorporated associations, sole proprietorships, etc. 
- -**Certificate Approver**: A natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant to - - i. act as a Certificate Requester and to authorize other employees or third parties to act as a Certificate Requester, and - ii. to approve EV Certificate Requests submitted by other Certificate Requesters. - -**Certificate Requester**: A natural person who is either the Applicant, employed by the Applicant, an authorized agent who has express authority to represent the Applicant, or a third party (such as an ISP or hosting company) that completes and submits an EV Certificate Request on behalf of the Applicant. - -**Confirmation Request**: An appropriate out-of-band communication requesting verification or confirmation of the particular fact at issue. - -**Confirming Person**: A position within an Applicant's organization that confirms the particular fact at issue. - -**Contract Signer**: A natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant, and who has authority on behalf of the Applicant to sign Subscriber Agreements. - -**Demand Deposit Account**: A deposit account held at a bank or other financial institution, the funds deposited in which are payable on demand. The primary purpose of demand accounts is to facilitate cashless payments by means of check, bank draft, direct debit, electronic funds transfer, etc. Usage varies among countries, but a demand deposit account is commonly known as a share draft account, a current account, or a checking account. - -**EV Authority**: A source other than the Certificate Approver, through which verification occurs that the Certificate Approver is expressly authorized by the Applicant, as of the date of the EV Certificate Request, to take the Request actions described in these Guidelines. 
- -**EV Certificate**: A certificate that contains subject information specified in these Guidelines and that has been validated in accordance with these Guidelines. - -**EV Certificate Beneficiaries**: Persons to whom the CA and its Root CA make specified EV Certificate Warranties. - -**EV Certificate Renewal**: The process whereby an Applicant who has a valid unexpired and non-revoked EV Certificate makes an application, to the CA that issued the original certificate, for a newly issued EV Certificate for the same organizational name and Domain Name prior to the expiration of the Applicant's existing EV Certificate but with a new 'valid to' date beyond the expiry of the current EV Certificate. - -**EV Certificate Reissuance**: The process whereby an Applicant who has a valid unexpired and non-revoked EV Certificate makes an application, to the CA that issued the original certificate, for a newly issued EV Certificate for the same organizational name and Domain Name prior to the expiration of the Applicant's existing EV Certificate but with a 'valid to' date that matches that of the current EV Certificate. - -**EV Certificate Request**: A request from an Applicant to the CA requesting that the CA issue an EV Certificate to the Applicant, which request is validly authorized by the Applicant and signed by the Applicant Representative. - -**EV Certificate Warranties**: In conjunction with the CA issuing an EV Certificate, the CA and its Root CA, during the period when the EV Certificate is Valid, promise that the CA has followed the requirements of these Guidelines and the CA's EV Policies in issuing the EV Certificate and in verifying the accuracy of the information contained in the EV Certificate. - -**EV OID**: An identifying number, in the form of an "object identifier," that is included in the `certificatePolicies` field of a certificate that: - - i. indicates which CA policy statement relates to that certificate, and - ii. 
is either the CA/Browser Forum EV policy identifier or a policy identifier that, by pre-agreement with one or more Application Software Supplier, marks the certificate as being an EV Certificate. - -**EV Policies**: Auditable EV Certificate practices, policies and procedures, such as a certification practice statement and certificate policy, that are developed, implemented, and enforced by the CA and its Root CA. - -**EV Processes**: The keys, software, processes, and procedures by which the CA verifies Certificate Data under this Guideline, issues EV Certificates, maintains a Repository, and revokes EV Certificates. - -**Extended Validation Certificate**: See EV Certificate. - -**Government Agency**: In the context of a Private Organization, the government agency in the Jurisdiction of Incorporation under whose authority the legal existence of Private Organizations is established (e.g., the government agency that issued the Certificate of Incorporation). In the context of Business Entities, the government agency in the jurisdiction of operation that registers business entities. In the case of a Government Entity, the entity that enacts law, regulations, or decrees establishing the legal existence of Government Entities. - -**Guidelines**: This document. - -**Incorporating Agency**: In the context of a Private Organization, the government agency in the Jurisdiction of Incorporation under whose authority the legal existence of the entity is registered (e.g., the government agency that issues certificates of formation or incorporation). In the context of a Government Entity, the entity that enacts law, regulations, or decrees establishing the legal existence of Government Entities. - -**Independent Confirmation From Applicant**: Confirmation of a particular fact received by the CA pursuant to the provisions of the Guidelines or binding upon the Applicant. - -**Individual**: A natural person. 
- -**International Organization**: An organization founded by a constituent document, e.g., a charter, treaty, convention or similar document, signed by, or on behalf of, a minimum of two Sovereign State governments. - -**Jurisdiction of Incorporation**: In the context of a Private Organization, the country and (where applicable) the state or province or locality where the organization's legal existence was established by a filing with (or an act of) an appropriate government agency or entity (e.g., where it was incorporated). In the context of a Government Entity, the country and (where applicable) the state or province where the Entity's legal existence was created by law. - -**Jurisdiction of Registration**: In the case of a Business Entity, the state, province, or locality where the organization has registered its business presence by means of filings by a Principal Individual involved in the business. - -**Latin Notary**: A person with legal training whose commission under applicable law not only includes authority to authenticate the execution of a signature on a document but also responsibility for the correctness and content of the document. A Latin Notary is sometimes referred to as a Civil Law Notary. - -**Legal Entity**: A Private Organization, Government Entity, Business Entity, or Non-Commercial Entity. - -**Legal Existence**: A Private Organization, Government Entity, or Business Entity has Legal Existence if it has been validly formed and not otherwise terminated, dissolved, or abandoned. - -**Legal Practitioner**: A person who is either a lawyer or a Latin Notary as described in these Guidelines and competent to render an opinion on factual claims of the Applicant. - -**Maximum Validity Period**: - - 1. The maximum time period for which the issued EV Certificate is valid. - 2. The maximum period after validation by the CA that certain Applicant information may be relied upon in issuing an EV Certificate pursuant to these Guidelines. 
- -**Notary**: A person whose commission under applicable law includes authority to authenticate the execution of a signature on a document. - -**Place of Business**: The location of any facility (such as a factory, retail store, warehouse, etc) where the Applicant's business is conducted. - -**Principal Individual**: An individual of a Private Organization, Government Entity, or Business Entity that is either an owner, partner, managing member, director, or officer, as identified by their title of employment, or an employee, contractor or agent authorized by such entity or organization to conduct business related to the request, issuance, and use of EV Certificates. - -**Private Organization**: A non-governmental legal entity (whether ownership interests are privately held or publicly traded) whose existence was created by a filing with (or an act of) the Incorporating Agency or equivalent in its Jurisdiction of Incorporation. - -**Qualified Auditor**: An independent public accounting firm that meets the auditing qualification requirements specified in [Section 17.6](#176-auditor-qualification). - -**Qualified Government Information Source**: A database maintained by a Government Entity (e.g. SEC filings) that meets the requirements of [Section 11.11.6](#11116-qualified-government-information-source). - -**Qualified Government Tax Information Source**: A Qualified Governmental Information Source that specifically contains tax information relating to Private Organizations, Business Entities, or Individuals. - -**Qualified Independent Information Source**: A regularly-updated and current, publicly available, database designed for the purpose of accurately providing the information for which it is consulted, and which is generally recognized as a dependable source of such information. 
- -**Registration Agency**: A Governmental Agency that registers business information in connection with an entity's business formation or authorization to conduct business under a license, charter or other certification. A Registration Agency MAY include, but is not limited to - - i. a State Department of Corporations or a Secretary of State; - ii. a licensing agency, such as a State Department of Insurance; or - iii. a chartering agency, such as a state office or department of financial regulation, banking or finance, or a federal agency such as the Office of the Comptroller of the Currency or Office of Thrift Supervision. - -**Registration Reference**: A unique identifier assigned to a Legal Entity. - -**Registration Scheme**: A scheme for assigning a Registration Reference meeting the requirements identified in [Appendix H](#appendix-h--registration-schemes). - -**Registered Agent**: An individual or entity that is: - - i. authorized by the Applicant to receive service of process and business communications on behalf of the Applicant; and - ii. listed in the official records of the Applicant's Jurisdiction of Incorporation as acting in the role specified in (i) above. - -**Registered Office**: The official address of a company, as recorded with the Incorporating Agency, to which official documents are sent and at which legal notices are received. - -**Registration Number**: The unique number assigned to a Private Organization by the Incorporating Agency in such entity's Jurisdiction of Incorporation. - -**Regulated Financial Institution**: A financial institution that is regulated, supervised, and examined by governmental, national, state or provincial, or local authorities. - -**Root Key Generation Script**: A documented plan of procedures to be performed for the generation of the Root CA Key Pair. - -**Signing Authority**: One or more Certificate Approvers designated to act on behalf of the Applicant. 
- -**Superior Government Entity**: Based on the structure of government in a political subdivision, the Government Entity or Entities that have the ability to manage, direct and control the activities of the Applicant. - -**Suspect code**: Code that contains malicious functionality or serious vulnerabilities, including spyware, malware and other code that installs without the user's consent and/or resists its own removal, and code that can be exploited in ways not intended by its designers to compromise the trustworthiness of the platforms on which it executes. - -**Translator**: An individual or Business Entity that possesses the requisite knowledge and expertise to accurately translate the words of a document written in one language to the native language of the CA. - -**Verified Accountant Letter**: A document meeting the requirements specified in [Section 11.11.2](#11112-verified-accountant-letter). - -**Verified Legal Opinion**: A document meeting the requirements specified in [Section 11.11.1](#11111-verified-legal-opinion). - -**Verified Method of Communication**: The use of a telephone number, a fax number, an email address, or postal delivery address, confirmed by the CA in accordance with [Section 11.5](#115-verified-method-of-communication) as a reliable way of communicating with the Applicant. - -**Verified Professional Letter**: A Verified Accountant Letter or Verified Legal Opinion. - -**WebTrust EV Program**: The additional audit procedures specified for CAs that issue EV Certificates by the AICPA/CICA to be used in conjunction with its WebTrust Program for Certification Authorities. - -**WebTrust Program for CAs**: The then-current version of the AICPA/CICA WebTrust Program for Certification Authorities. - -**WebTrust Seal of Assurance**: An affirmation of compliance resulting from the WebTrust Program for CAs. - -# 5. 
Abbreviations and Acronyms - -Abbreviations and Acronyms are defined in the Baseline Requirements except as otherwise defined herein: - -| **Acronym** | **Meaning** | -| --- | --- | -| BIPM | International Bureau of Weights and Measures | -| BIS | (US Government) Bureau of Industry and Security | -| CEO | Chief Executive Officer | -| CFO | Chief Financial Officer | -| CIO | Chief Information Officer | -| CISO | Chief Information Security Officer | -| COO | Chief Operating Officer | -| CPA | Chartered Professional Accountant | -| CSO | Chief Security Officer | -| EV | Extended Validation | -| gTLD | Generic Top-Level Domain | -| IFAC | International Federation of Accountants | -| IRS | Internal Revenue Service | -| ISP | Internet Service Provider | -| QGIS | Qualified Government Information Source | -| QTIS | Qualified Government Tax Information Source | -| QIIS | Qualified Independent Information Source | -| SEC | (US Government) Securities and Exchange Commission | -| UTC(k) | National realization of Coordinated Universal Time | - -# 6. Conventions - -Terms not otherwise defined in these Guidelines shall be as defined in applicable agreements, user manuals, certification practice statements (CPS), and certificate policies (CP) of the CA issuing EV Certificates. - -The key words "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in these Guidelines shall be interpreted in accordance with RFC 2119. - -By convention, this document omits time and timezones when listing effective requirements such as dates. Except when explicitly specified, the associated time with a date shall be 00:00:00 UTC. - -# 7. Certificate Warranties and Representations - -## 7.1. 
EV Certificate Warranties - -When the CA issues an EV Certificate, the CA and its Root CA represent and warrant to the Certificate Beneficiaries listed in Section 9.6.1 of the Baseline Requirements, during the period when the EV Certificate is Valid, that the CA has followed the requirements of these Guidelines and its EV Policies in issuing and managing the EV Certificate and in verifying the accuracy of the information contained in the EV Certificate. The EV Certificate Warranties specifically include, but are not limited to, the following: - -A. **Legal Existence**: The CA has confirmed with the Incorporating or Registration Agency in the Subject's Jurisdiction of Incorporation or Registration that, as of the date the EV Certificate was issued, the Subject named in the EV Certificate legally exists as a valid organization or entity in the Jurisdiction of Incorporation or Registration; -B. **Identity**: The CA has confirmed that, as of the date the EV Certificate was issued, the legal name of the Subject named in the EV Certificate matches the name on the official government records of the Incorporating or Registration Agency in the Subject's Jurisdiction of Incorporation or Registration, and if an assumed name is also included, that the assumed name is properly registered by the Subject in the jurisdiction of its Place of Business; -C. **Right to Use Domain Name**: The CA has taken all steps reasonably necessary to verify that, as of the date the EV Certificate was issued, the Subject named in the EV Certificate has the right to use all the Domain Name(s) listed in the EV Certificate; -D. **Authorization for EV Certificate**: The CA has taken all steps reasonably necessary to verify that the Subject named in the EV Certificate has authorized the issuance of the EV Certificate; -E. 
**Accuracy of Information**: The CA has taken all steps reasonably necessary to verify that all of the other information in the EV Certificate is accurate, as of the date the EV Certificate was issued; -F. **Subscriber Agreement**: The Subject named in the EV Certificate has entered into a legally valid and enforceable Subscriber Agreement with the CA that satisfies the requirements of these Guidelines or, if they are affiliated, the Applicant Representative has acknowledged and accepted the Terms of Use; -G. **Status**: The CA will follow the requirements of these Guidelines and maintain a 24 x 7 online-accessible Repository with current information regarding the status of the EV Certificate as Valid or revoked; and -H. **Revocation**: The CA will follow the requirements of these Guidelines and revoke the EV Certificate for any of the revocation reasons specified in these Guidelines. - -## 7.2. By the Applicant - -EV Certificate Applicants make the commitments and warranties set forth in Section 9.6.3 of the Baseline Requirements for the benefit of the CA and Certificate Beneficiaries. - -# 8. Community and Applicability - -## 8.1. Issuance of EV Certificates - -The CA MAY issue EV Certificates, provided that the CA and its Root CA satisfy the requirements in these Guidelines and the Baseline Requirements. - -If a court or government body with jurisdiction over the activities covered by these Guidelines determines that the performance of any mandatory requirement is illegal, then such requirement is considered reformed to the minimum extent necessary to make the requirement valid and legal. This applies only to operations or certificate issuances that are subject to the laws of that jurisdiction. The parties involved SHALL notify the CA / Browser Forum of the facts, circumstances, and law(s) involved, so that the CA/Browser Forum may revise these Guidelines accordingly. - -## 8.2. EV Policies - -### 8.2.1. 
Implementation - -Each CA must develop, implement, enforce, display prominently on its Web site, and periodically update as necessary its own auditable EV Certificate practices, policies and procedures, such as a Certification Practice Statement (CPS) and Certificate Policy (CP) that: - -A. Implement the requirements of these Guidelines as they are revised from time-to-time; - -B. Implement the requirements of - - i. the then-current WebTrust Program for CAs, and - ii. the then-current WebTrust EV Program or ETSI TS 102 042 for EVCP or ETSI EN 319 411-1 for EVCP policy; and - -C. Specify the CA's and its Root CA's entire root certificate hierarchy including all roots that its EV Certificates depend on for proof of those EV Certificates' authenticity. - -### 8.2.2. Disclosure - -Each CA MUST publicly disclose its Certificate Policy and/or Certification Practice Statement through an appropriate and readily accessible online means that is available on a 24x7 basis. The CA SHALL publicly disclose its CA business practices to the extent required by the CA's selected audit scheme (see [Section 17.1](#171-eligible-audit-schemes)). - -The CA's Certificate Policy and/or Certification Practice Statement MUST be structured in accordance with RFC 3647. The Certificate Policy and/or Certification Practice Statement MUST include all material required by RFC 3647. - -## 8.3. Commitment to Comply with Recommendations - -Each CA SHALL publicly give effect to these Guidelines and represent that they will adhere to the latest published version by incorporating them into their respective EV Policies, using a clause such as the following (which must include a link to the official version of these Guidelines): - -> [Name of CA] conforms to the current version of the CA/Browser Forum Guidelines for Issuance and Management of Extended Validation Certificates published at . 
In the event of any inconsistency between this document and those Guidelines, those Guidelines take precedence over this document. - -In addition, the CA MUST include (directly or by reference) the applicable requirements of these Guidelines in all contracts with Subordinate CAs, RAs, Enterprise RAs, and subcontractors that involve or relate to the issuance or maintenance of EV Certificates. The CA MUST enforce compliance with such terms. - -## 8.4. Insurance - -Each CA SHALL maintain the following insurance related to their respective performance and obligations under these Guidelines: - -A. Commercial General Liability insurance (occurrence form) with policy limits of at least two million US dollars in coverage; and - -B. Professional Liability/Errors and Omissions insurance, with policy limits of at least five million US dollars in coverage, and including coverage for: - i. claims for damages arising out of an act, error, or omission, unintentional breach of contract, or neglect in issuing or maintaining EV Certificates, and; - ii. claims for damages arising out of infringement of the proprietary rights of any third party (excluding copyright, and trademark infringement), and invasion of privacy and advertising injury. - -Such insurance must be with a company rated no less than A- as to Policy Holder's Rating in the current edition of Best's Insurance Guide (or with an association of companies each of the members of which are so rated). - -A CA MAY self-insure for liabilities that arise from such party's performance and obligations under these Guidelines provided that it has at least five hundred million US dollars in liquid assets based on audited financial statements in the past twelve months, and a quick ratio (ratio of liquid assets to current liabilities) of not less than 1.0. - -## 8.5. Obtaining EV Certificates - -### 8.5.1. 
General - -The CA MAY only issue EV Certificates to Applicants that meet the Private Organization, Government Entity, Business Entity and Non-Commercial Entity requirements specified below. - -### 8.5.2. Private Organization Subjects - -An Applicant qualifies as a Private Organization if: - -1. The entity's legal existence is created or recognized by a by a filing with (or an act of) the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration (e.g., by issuance of a certificate of incorporation, registration number, etc.) or created or recognized by a Government Agency (e.g. under a charter, treaty, convention, or equivalent recognition instrument); - -2. The entity designated with the Incorporating or Registration Agency a Registered Agent, a Registered Office (as required under the laws of the Jurisdiction of Incorporation or Registration), or an equivalent facility; - -3. The entity is not designated on the records of the Incorporating or Registration Agency by labels such as "inactive," "invalid," "not current," or the equivalent; - -4. The entity has a verifiable physical existence and business presence; - -5. The entity's Jurisdiction of Incorporation, Registration, Charter, or License, and/or its Place of Business is not in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and - -6. The entity is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. - -### 8.5.3. Government Entity Subjects - -An Applicant qualifies as a Government Entity if: - -1. The entity's legal existence was established by the political subdivision in which the entity operates; - -2. The entity is not in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and - -3. 
The entity is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. - -### 8.5.4. Business Entity Subjects - -An Applicant qualifies as a Business Entity if: - -1. The entity is a legally recognized entity that filed certain forms with a Registration Agency in its jurisdiction, the Registration Agency issued or approved the entity's charter, certificate, or license, and the entity's existence can be verified with that Registration Agency; - -2. The entity has a verifiable physical existence and business presence; - -3. At least one Principal Individual associated with the entity is identified and validated by the CA; - -4. The identified Principal Individual attests to the representations made in the Subscriber Agreement; - -5. The CA verifies the entity's use of any assumed name used to represent the entity pursuant to the requirements of [Section 11.3](#113-verification-of-applicants-legal-existence-and-identity--assumed-name); - -6. The entity and the identified Principal Individual associated with the entity are not located or residing in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and - -7. The entity and the identified Principal Individual associated with the entity are not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. - -### 8.5.5. Non-Commercial Entity Subjects - -An Applicant qualifies as a Non-Commercial Entity if: - -1. The Applicant is an International Organization Entity, created under a charter, treaty, convention or equivalent instrument that was signed by, or on behalf of, more than one country's government. The CA/Browser Forum may publish a listing of Applicants who qualify as an International Organization for EV eligibility; and - -2. 
The Applicant is not headquartered in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and - -3. The Applicant is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. - -Subsidiary organizations or agencies of an entity that qualifies as a Non-Commercial Entity also qualifies for EV Certificates as a Non-Commercial Entity. - -# 9. EV Certificate Content and Profile - -This section sets forth minimum requirements for the content of the EV Certificate as they relate to the identity of the CA and the Subject of the EV Certificate. - -## 9.1. Issuer Information - -Issuer Information listed in an EV Certificate MUST comply with Section 7.1.4.1 of the Baseline Requirements. - -## 9.2. Subject Distinguished Name Fields - -Subject to the requirements of these Guidelines, the EV Certificate and certificates issued to Subordinate CAs that are not controlled by the same entity as the CA MUST include the following information about the Subject organization in the fields listed: - -### 9.2.1. Subject Organization Name Field - -__Certificate Field__: `subject:organizationName` (OID 2.5.4.10) -__Required/Optional__: Required -__Contents__: This field MUST contain the Subject's full legal organization name as listed in the official records of the Incorporating or Registration Agency in the Subject's Jurisdiction of Incorporation or Registration or as otherwise verified by the CA as provided herein. A CA MAY abbreviate the organization prefixes or suffixes in the organization name, e.g., if the official record shows "Company Name Incorporated" the CA MAY include "Company Name, Inc." - -When abbreviating a Subject's full legal name as allowed by this subsection, the CA MUST use abbreviations that are not misleading in the Jurisdiction of Incorporation or Registration. 
- -In addition, an assumed name or DBA name used by the Subject MAY be included at the beginning of this field, provided that it is followed by the full legal organization name in parenthesis. - -If the combination of names or the organization name by itself exceeds 64 characters, the CA MAY abbreviate parts of the organization name, and/or omit non-material words in the organization name in such a way that the text in this field does not exceed the 64-character limit; provided that the CA checks this field in accordance with [Section 11.12.1](#11121-high-risk-status) and a Relying Party will not be misled into thinking that they are dealing with a different organization. In cases where this is not possible, the CA MUST NOT issue the EV Certificate. - -### 9.2.2. Subject Common Name Field - -__Certificate Field__: `subject:commonName` (OID: 2.5.4.3) -__Required/Optional__: Deprecated (Discouraged, but not prohibited) -__Contents__: If present, this field MUST contain a single Domain Name(s) owned or controlled by the Subject and to be associated with the Subject's server. Such server MAY be owned and operated by the Subject or another entity (e.g., a hosting service). This field MUST NOT contain a Wildcard Domain Name unless the FQDN portion of the Wildcard Domain Name is an Onion Domain Name verified in accordance with Appendix B of the Baseline Requirements. - -### 9.2.3. Subject Business Category Field - -__Certificate Field__: `subject:businessCategory` (OID: 2.5.4.15) -__Required/Optional__: Required -__Contents__: This field MUST contain one of the following strings: "Private Organization", "Government Entity", "Business Entity", or "Non-Commercial Entity" depending upon whether the Subject qualifies under the terms of [Section 8.5.2](#852-private-organization-subjects), [Section 8.5.3](#853-government-entity-subjects), [Section 8.5.4](#854-business-entity-subjects) or [Section 8.5.5](#855-non-commercial-entity-subjects), respectively. - -### 9.2.4. 
Subject Jurisdiction of Incorporation or Registration Field - -__Certificate Fields__: - -Locality (if required): - `subject:jurisdictionLocalityName` (OID: 1.3.6.1.4.1.311.60.2.1.1) - -State or province (if required): - `subject:jurisdictionStateOrProvinceName` (OID: 1.3.6.1.4.1.311.60.2.1.2) - -Country: - `subject:jurisdictionCountryName` (OID: 1.3.6.1.4.1.311.60.2.1.3) - -__Required/Optional__: Required -__Contents__: These fields MUST NOT contain information that is not relevant to the level of the Incorporating Agency or Registration Agency. For example, the Jurisdiction of Incorporation for an Incorporating Agency or Jurisdiction of Registration for a Registration Agency that operates at the country level MUST include the country information but MUST NOT include the state or province or locality information. Similarly, the jurisdiction for the applicable Incorporating Agency or Registration Agency at the state or province level MUST include both country and state or province information, but MUST NOT include locality information. And, the jurisdiction for the applicable Incorporating Agency or Registration Agency at the locality level MUST include the country and state or province information, where the state or province regulates the registration of the entities at the locality level, as well as the locality information. Country information MUST be specified using the applicable ISO country code. State or province or locality information (where applicable) for the Subject's Jurisdiction of Incorporation or Registration MUST be specified using the full name of the applicable jurisdiction. - -Effective as of 1 October 2020, the CA SHALL ensure that, at time of issuance, the values within these fields have been disclosed within the latest publicly-available disclosure, as described in [Section 11.1.3](#1113-disclosure-of-verification-sources), as acceptable values for the applicable Incorporating Agency or Registration Agency. - -### 9.2.5. 
Subject Registration Number Field - -__Certificate Field__: `subject:serialNumber` (OID: 2.5.4.5) -__Required/Optional__: __Required__ -__Contents__: For Private Organizations, this field MUST contain the Registration (or similar) Number assigned to the Subject by the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration, as appropriate. If the Jurisdiction of Incorporation or Registration does not provide a Registration Number, then the date of Incorporation or Registration SHALL be entered into this field in any one of the common date formats. - -For Government Entities that do not have a Registration Number or readily verifiable date of creation, the CA SHALL enter appropriate language to indicate that the Subject is a Government Entity. - -For Business Entities, the Registration Number that was received by the Business Entity upon government registration SHALL be entered in this field. For those Business Entities that register with an Incorporating Agency or Registration Agency in a jurisdiction that does not issue numbers pursuant to government registration, the date of the registration SHALL be entered into this field in any one of the common date formats. - -Effective as of 1 October 2020, if the CA has disclosed a set of acceptable format or formats for Registration Numbers for the applicable Registration Agency or Incorporating Agency, as described in [Section 11.1.3](#1113-disclosure-of-verification-sources), the CA MUST ensure, prior to issuance, that the Registration Number is valid according to at least one currently disclosed format for that applicable Registration Agency or Incorporating agency. - -### 9.2.6. 
Subject Physical Address of Place of Business Field - -__Certificate Fields__: - Number and street: `subject:streetAddress` (OID: 2.5.4.9) - City or town: `subject:localityName` (OID: 2.5.4.7) - State or province (where applicable): `subject:stateOrProvinceName` (OID: 2.5.4.8) - Country: `subject:countryName` (OID: 2.5.4.6) - Postal code: `subject:postalCode` (OID: 2.5.4.17) -__Required/Optional__: As stated in Section 7.1.4.2.2 d, e, f, g and h of the Baseline Requirements. -__Contents__: This field MUST contain the address of the physical location of the Subject's Place of Business. - -### 9.2.7. Subject Organizational Unit Name Field - -__Certificate Field__: `subject:organizationalUnitName` (OID: 2.5.4.11) -__Required/Optional/Prohibited:__ __Prohibited__. - -### 9.2.8. Subject Organization Identifier Field - -__Certificate Field__: `subject:organizationIdentifier` (OID: 2.5.4.97) -__Required/Optional__: Optional -__Contents__: If present, this field MUST contain a Registration Reference for a Legal Entity assigned in accordance to the identified Registration Scheme. - -The organizationIdentifier MUST be encoded as a PrintableString or UTF8String. 
- -The Registration Scheme MUST be identified using the using the following structure in the presented order: - -* 3 character Registration Scheme identifier; -* 2 character ISO 3166 country code for the nation in which the Registration Scheme is operated, or if the scheme is operated globally ISO 3166 code "XG" shall be used; -* For the NTR Registration Scheme identifier, if required under [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field), a 2 character ISO 3166-2 identifier for the subdivision (state or province) of the nation in which the Registration Scheme is operated, preceded by plus "+" (0x2B (ASCII), U+002B (UTF-8)); -* a hyphen-minus "-" (0x2D (ASCII), U+002D (UTF-8)); -* Registration Reference allocated in accordance with the identified Registration Scheme - -Note: Registration References MAY contain hyphens, but Registration Schemes, ISO 3166 country codes, and ISO 3166-2 identifiers do not. Therefore if more than one hyphen appears in the structure, the leftmost hyphen is a separator, and the remaining hyphens are part of the Registration Reference. - -As in [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field), the specified location information MUST match the scope of the registration being referenced. - -Examples: - -* `NTRGB-12345678` (NTR scheme, Great Britain, Unique Identifier at Country level is 12345678) -* `NTRUS+CA-12345678` (NTR Scheme, United States - California, Unique identifier at State level is 12345678) -* `VATDE-123456789` (VAT Scheme, Germany, Unique Identifier at Country Level is 12345678) -* `PSDBE-NBB-1234.567.890` (PSD Scheme, Belgium, NCA's identifier is NBB, Subject Unique Identifier assigned by the NCA is 1234.567.890) - -Registration Schemes listed in [Appendix H](#appendix-h--registration-schemes) are currently recognized as valid under these guidelines. - -The CA SHALL: - -1. 
confirm that the organization represented by the Registration Reference is the same as the organization named in the `organizationName` field as specified in [Section 9.2.1](#921-subject-organization-name-field) within the context of the subject’s jurisdiction as specified in [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field); -2. further verify the Registration Reference matches other information verified in accordance with [Section 11](#11-verification-requirements); -3. take appropriate measures to disambiguate between different organizations as described in [Appendix H](#appendix-h--registration-schemes) for each Registration Scheme; -4. Apply the validation rules relevant to the Registration Scheme as specified in [Appendix H](#appendix-h--registration-schemes). - -### 9.2.9. Other Subject Attributes - -CAs SHALL NOT include any Subject Distinguished Name attributes except as specified in [Section 9.2](#92-subject-distinguished-name-fields). - -## 9.3. Certificate Policy Identification - -### 9.3.1. EV Certificate Policy Identification Requirements - -This section sets forth minimum requirements for the contents of EV Certificates as they relate to the identification of EV Certificate Policy. - -### 9.3.2. EV Subscriber Certificates - -Each EV Certificate issued by the CA to a Subscriber MUST contain a policy identifier that is either defined by these Guidelines or the CA in the certificate's `certificatePolicies` extension that: - -1. indicates which CA policy statement relates to that Certificate, -2. asserts the CA's adherence to and compliance with these Guidelines, and -3. is either the CA/Browser Forum’s EV policy identifier or a policy identifier that, by pre-agreement with the Application Software Supplier, marks the Certificate as being an EV Certificate. 
- -The following Certificate Policy identifier is the CA/Browser Forum’s EV policy identifier: -`{joint‐iso‐itu‐t(2) international‐organizations(23) ca‐browser‐forum(140) certificate‐policies(1) ev-guidelines (1) } (2.23.140.1.1)`, if the Certificate complies with these Guidelines. - -### 9.3.3. Root CA Certificates - -The Application Software Supplier identifies Root CAs that are approved to issue EV Certificates by storing EV policy identifiers in metadata associated with Root CA Certificates. - -### 9.3.4. EV Subordinate CA Certificates - -1. Certificates issued to Subordinate CAs that are not controlled by the issuing CA MUST contain one or more policy identifiers defined by the issuing CA that explicitly identify the EV Policies that are implemented by the Subordinate CA. -2. Certificates issued to Subordinate CAs that are controlled by the Root CA MAY contain the special `anyPolicy` identifier (OID: 2.5.29.32.0). - -### 9.3.5. Subscriber Certificates - -A Certificate issued to a Subscriber MUST contain one or more policy identifier(s), defined by the Issuing CA, in the Certificate's `certificatePolicies` extension that indicates adherence to and compliance with these Guidelines. Each CA SHALL document in its Certificate Policy or Certification Practice Statement that the Certificates it issues containing the specified policy identifier(s) are managed in accordance with these Guidelines. - -## 9.4. Maximum Validity Period For EV Certificate - -The Validity Period for an EV Certificate SHALL NOT exceed 398 days. - -It is RECOMMENDED that EV Subscriber Certificates have a Maximum Validity Period of twelve months. - -## 9.5. Subscriber Public Key - -The requirements in Section 6.1.1.3 of the Baseline Requirements apply equally to EV Certificates. - -## 9.6. Certificate Serial Number - -The requirements in Section 7.1 of the Baseline Requirements apply equally to EV Certificates. - -## 9.7. 
Additional Technical Requirements for EV Certificates - -All provisions of the Baseline Requirements concerning Minimum Cryptographic Algorithms, Key Sizes, and Certificate Extensions apply to EV Certificates with the following exceptions: - -1. If a Subordinate CA Certificates is issued to a Subordinate CA not controlled by the entity that controls the Root CA, the policy identifiers in the `certificatePolicies` extension MUST include the CA's Extended Validation policy identifier. - - Otherwise, it MAY contain the anyPolicy identifier. - -2. The following fields MUST be present if the Subordinate CA is not controlled by the entity that controls the Root CA. - - * `certificatePolicies:policyQualifiers:policyQualifierId` - - `id-qt 1` [RFC 5280] - - * `certificatePolicies:policyQualifiers:qualifier:cPSuri` - - HTTP URL for the Root CA's Certification Practice Statement - -3. The `certificatePolicies` extension in EV Certificates issued to Subscribers MUST include the following: - - * `certificatePolicies:policyIdentifier` (Required) - - The Issuer's EV policy identifier - - * `certificatePolicies:policyQualifiers:policyQualifierId` (Required) - - `id-qt 1` [RFC 5280] - - * `certificatePolicies:policyQualifiers:qualifier:cPSuri` (Required) - - HTTP URL for the Subordinate CA's Certification Practice Statement - -4. The `cRLDistributionPoints` extension MUST be present in Subscriber Certificates if the certificate does not specify OCSP responder locations in an `authorityInformationAccess` extension. - -## 9.8. Certificate Extensions - -The extensions listed in [Section 9.8](#98-certificate-extensions) are recommended for maximum interoperability between certificates and browsers / applications, but are not mandatory on the CAs except where indicated as “Required”. 
CAs may use other extensions that are not listed in [Section 9.8](#98-certificate-extensions), but are encouraged to add them to this section by ballot from time to time to help increase extension standardization across the industry. - -If a CA includes an extension in a certificate that has a Certificate field which is named in [Section 9.8](#98-certificate-extensions), the CA must follow the format specified in that subsection. However, no extension or extension format shall be mandatory on a CA unless specifically stated as “Required” in the subsection that describes the extension. - -### 9.8.1. Subject Alternative Name Extension - -__Certificate Field__: `subjectAltName:dNSName` -__Required/Optional__: __Required__ -__Contents__: This extension MUST contain one or more host Domain Name(s) owned or controlled by the Subject and to be associated with the Subject's server. Such server MAY be owned and operated by the Subject or another entity (e.g., a hosting service). This extension MUST NOT contain a Wildcard Domain Name unless the FQDN portion of the Wildcard Domain Name is an Onion Domain Name verified in accordance with Appendix B of the Baseline Requirements. - -### 9.8.2. CA/Browser Forum Organization Identifier Extension - -__Extension Name__: `cabfOrganizationIdentifier` (OID: 2.23.140.3.1) -__Verbose OID__: `{joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) certificate-extensions(3) cabf-organization-identifier(1) }` -__Required/Optional__: __Optional (but see below)__ -__Contents__: If the subject:organizationIdentifier is present, this field MUST be present. - -If present, this extension MUST contain a Registration Reference for a Legal Entity assigned in accordance to the identified Registration Scheme. 
- -The Registration Scheme MUST be encoded as described by the following ASN.1 grammar: - -```ASN.1 -id-CABFOrganizationIdentifier OBJECT IDENTIFIER ::= { - joint-iso-itu-t(2) international-organizations(23) - ca-browser-forum(140) certificate-extensions(3) - cabf-organizationIdentifier(1) -} - -ext-CABFOrganizationIdentifier EXTENSION ::= { - SYNTAX CABFOrganizationIdentifier - IDENTIFIED BY id-CABFOrganizationIdentifier -} - -CABFOrganizationIdentifier ::= SEQUENCE { - registrationSchemeIdentifier PrintableString (SIZE(3)), - registrationCountry PrintableString (SIZE(2)), - registrationStateOrProvince [0] IMPLICIT PrintableString - (SIZE(0..128)) OPTIONAL, - registrationReference UTF8String -} -``` - -where the subfields have the same values, meanings, and restrictions described in [Section 9.2.8](#928-subject-organization-identifier-field). The CA SHALL validate the contents using the requirements in [Section 9.2.8](#928-subject-organization-identifier-field). - -# 10. EV Certificate Request Requirements - -## 10.1. General Requirements - -### 10.1.1. Documentation Requirements - -The documentation requirements in Section 4.1.2 of the Baseline Requirements apply equally to EV Certificates. - -### 10.1.2. Role Requirements - -The following Applicant roles are required for the issuance of an EV Certificate. - -1. **Certificate Requester**: The EV Certificate Request MUST be submitted by an authorized Certificate Requester. A Certificate Requester is a natural person who is either the Applicant, employed by the Applicant, an authorized agent who has express authority to represent the Applicant, or a third party (such as an ISP or hosting company) that completes and submits an EV Certificate Request on behalf of the Applicant. - -2. **Certificate Approver**: The EV Certificate Request MUST be approved by an authorized Certificate Approver. 
A Certificate Approver is a natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant to - - i. act as a Certificate Requester and to authorize other employees or third parties to act as a Certificate Requester, and - ii. to approve EV Certificate Requests submitted by other Certificate Requesters. - -3. **Contract Signer**: A Subscriber Agreement applicable to the requested EV Certificate MUST be signed by an authorized Contract Signer. A Contract Signer is a natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant, and who has authority on behalf of the Applicant to sign Subscriber Agreements. - -4. **Applicant Representative**: In the case where the CA and the Subscriber are affiliated, Terms of Use applicable to the requested EV Certificate MUST be acknowledged and agreed to by an authorized Applicant Representative. An Applicant Representative is a natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant, and who has authority on behalf of the Applicant to acknowledge and agree to the Terms of Use. - -The Applicant MAY authorize one individual to occupy two or more of these roles. The Applicant MAY authorize more than one individual to occupy any of these roles. - -## 10.2. EV Certificate Request Requirements - -The Certificate Request requirements in Section 4.1.2 of the Baseline Requirements apply equally to EV Certificates subject to the additional more stringent ageing and updating requirement of [Section 11.14](#1114-requirements-for-re-use-of-existing-documentation). - -## 10.3. Requirements for Subscriber Agreement and Terms of Use - -Section 9.6.3 of the Baseline Requirements applies equally to EV Certificates. 
In cases where the Certificate Request does not contain all necessary information about the Applicant, the CA MUST additionally confirm the data with the Certificate Approver or Contract Signer rather than the Certificate Requester. - -# 11. Verification Requirements - -## 11.1. General Overview - -This part of the Guidelines sets forth Verification Requirements and Acceptable Methods of Verification for each such Requirement. - -### 11.1.1. Verification Requirements – Overview - -Before issuing an EV Certificate, the CA MUST ensure that all Subject organization information to be included in the EV Certificate conforms to the requirements of, and is verified in accordance with, these Guidelines and matches the information confirmed and documented by the CA pursuant to its verification processes. Such verification processes are intended to accomplish the following: - -1. Verify Applicant's existence and identity, including; - - A. Verify the Applicant's legal existence and identity (as more fully set forth in [Section 11.2](#112-verification-of-applicants-legal-existence-and-identity)), - - B. Verify the Applicant's physical existence (business presence at a physical address), and - - C. Verify the Applicant's operational existence (business activity). - -2. Verify the Applicant is a registered holder, or has control, of the Domain Name(s) to be included in the EV Certificate; - -3. Verify a reliable means of communication with the entity to be named as the Subject in the Certificate; - -4. Verify the Applicant's authorization for the EV Certificate, including; - - A. Verify the name, title, and authority of the Contract Signer, Certificate Approver, and Certificate Requester, - - B. Verify that a Contract Signer signed the Subscriber Agreement or that a duly authorized Applicant Representative acknowledged and agreed to the Terms of Use; and - - C. Verify that a Certificate Approver has signed or otherwise approved the EV Certificate Request. - -### 11.1.2. 
Acceptable Methods of Verification – Overview - -As a general rule, the CA is responsible for taking all verification steps reasonably necessary to satisfy each of the Verification Requirements set forth in the subsections below. The Acceptable Methods of Verification set forth in each of Sections 11.2 through 11.14 (which usually include alternatives) are considered to be the minimum acceptable level of verification required of the CA. In all cases, however, the CA is responsible for taking any additional verification steps that may be reasonably necessary under the circumstances to satisfy the applicable Verification Requirement. - -### 11.1.3. Disclosure of Verification Sources - -Effective as of 1 October 2020, prior to the use of an Incorporating Agency or Registration Agency to fulfill these verification requirements, the CA MUST publicly disclose Agency Information about the Incorporating Agency or Registration Agency. This disclosure SHALL be through an appropriate and readily accessible online means. 
- -This Agency Information SHALL include at least the following: - -* Sufficient information to unambiguously identify the Incorporating Agency or Registration Agency (such as a name, jurisdiction, and website); and, -* The accepted value or values for each of the `subject:jurisdictionLocalityName` (OID: 1.3.6.1.4.1.311.60.2.1.1), `subject:jurisdictionStateOrProvinceName` (OID: 1.3.6.1.4.1.311.60.2.1.2), and `subject:jurisdictionCountryName` (OID: 1.3.6.1.4.1.311.60.2.1.3) fields, when a certificate is issued using information from that Incorporating Agency or Registration Agency, indicating the jurisdiction(s) that the Agency is appropriate for; and, -* The acceptable form or syntax of Registration Numbers used by the Incorporating Agency or Registration Agency, if the CA restricts such Numbers to an acceptable form or syntax; and, -* A revision history that includes a unique version number and date of publication for any additions, modifications, and/or removals from this list. - -The CA MUST document where to obtain this information within Section 3.2 of the CA's Certificate Policy and/or Certification Practice Statement. - -## 11.2. Verification of Applicant's Legal Existence and Identity - -### 11.2.1. Verification Requirements - -To verify the Applicant's legal existence and identity, the CA MUST do the following. - -1. **Private Organization Subjects** - - A. **Legal Existence**: Verify that the Applicant is a legally recognized entity, in existence and validly formed (e.g., incorporated) with the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration, and not designated on the records of the Incorporating or Registration Agency by labels such as "inactive", "invalid", "not current", or the equivalent. - B. 
**Organization Name**: Verify that the Applicant's formal legal name as recorded with the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration matches the Applicant's name in the EV Certificate Request. - C. **Registration Number**: Obtain the specific Registration Number assigned to the Applicant by the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration. Where the Incorporating or Registration Agency does not assign a Registration Number, the CA SHALL obtain the Applicant's date of Incorporation or Registration. - D. **Registered Agent**: Obtain the identity and address of the Applicant's Registered Agent or Registered Office (as applicable in the Applicant's Jurisdiction of Incorporation or Registration). - -2. **Government Entity Subjects** - - A. **Legal Existence**: Verify that the Applicant is a legally recognized Government Entity, in existence in the political subdivision in which such Government Entity operates. - B. **Entity Name**: Verify that the Applicant's formal legal name matches the Applicant's name in the EV Certificate Request. - C. **Registration Number**: The CA MUST attempt to obtain the Applicant's date of incorporation, registration, or formation, or the identifier for the legislative act that created the Government Entity. In circumstances where this information is not available, the CA MUST enter appropriate language to indicate that the Subject is a Government Entity. - -3. **Business Entity Subjects** - - A. **Legal Existence**: Verify that the Applicant is engaged in business under the name submitted by the Applicant in the Application. - B. **Organization Name**: Verify that the Applicant's formal legal name as recognized by the Registration Agency in the Applicant's Jurisdiction of Registration matches the Applicant's name in the EV Certificate Request. - C. 
**Registration Number**: Attempt to obtain the specific unique Registration Number assigned to the Applicant by the Registration Agency in the Applicant's Jurisdiction of Registration. Where the Registration Agency does not assign a Registration Number, the CA SHALL obtain the Applicant's date of Registration. - D. **Principal Individual**: Verify the identity of the identified Principal Individual. - -4. **Non-Commercial Entity Subjects (International Organizations)** - - A. **Legal Existence**: Verify that the Applicant is a legally recognized International Organization Entity. - B. **Entity Name**: Verify that the Applicant's formal legal name matches the Applicant's name in the EV Certificate Request. - C. **Registration Number**: The CA MUST attempt to obtain the Applicant's date of formation, or the identifier for the legislative act that created the International Organization Entity. In circumstances where this information is not available, the CA MUST enter appropriate language to indicate that the Subject is an International Organization Entity. - -### 11.2.2. Acceptable Method of Verification - -1. **Private Organization Subjects**: Unless verified under subsection (6), all items listed in [Section 11.2.1](#1121-verification-requirements) (1) MUST be verified directly with, or obtained directly from, the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration. Such verification MAY be through use of a Qualified Government Information Source operated by, or on behalf of, the Incorporating or Registration Agency, or by direct contact with the Incorporating or Registration Agency in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Incorporating or Registration Agency, or from a Qualified Independent Information Source. - -2. 
**Government Entity Subjects**: Unless verified under subsection (6), all items listed in [Section 11.2.1](#1121-verification-requirements) (2) MUST either be verified directly with, or obtained directly from, one of the following: - i. a Qualified Government Information Source in the political subdivision in which such Government Entity operates; - ii. a superior governing Government Entity in the same political subdivision as the Applicant (e.g. a Secretary of State may verify the legal existence of a specific State Department), or - iii. from a judge that is an active member of the federal, state or local judiciary within that political subdivision. - - Any communication from a judge SHALL be verified in the same manner as is used for verifying factual assertions that are asserted by an Attorney as set forth in [Section 11.11.1](#11111-verified-legal-opinion). - - Such verification MAY be by direct contact with the appropriate Government Entity in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained from a Qualified Independent Information Source. - -3. **Business Entity Subjects**: Unless verified under subsection (6), Items listed in [Section 11.2.1](#1121-verification-requirements) (3) (A) through (C) above, MUST be verified directly with, or obtained directly from, the Registration Agency in the Applicant's Jurisdiction of Registration. Such verification MAY be performed by means of a Qualified Government Information Source, a Qualified Governmental Tax Information Source, or by direct contact with the Registration Agency in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Qualified Governmental Tax Information Source or Registration Agency, or from a Qualified Independent Information Source. 
In addition, the CA MUST validate a Principal Individual associated with the Business Entity pursuant to the requirements in subsection (4), below. - -4. **Principal Individual**: A Principal Individual associated with the Business Entity MUST be validated in a face-to-face setting. The CA MAY rely upon a face-to-face validation of the Principal Individual performed by the Registration Agency, provided that the CA has evaluated the validation procedure and concluded that it satisfies the requirements of the Guidelines for face-to-face validation procedures. Where no face-to-face validation was conducted by the Registration Agency, or the Registration Agency's face-to-face validation procedure does not satisfy the requirements of the Guidelines, the CA SHALL perform face-to-face validation. - - A. **Face-To-Face Validation**: The face-to-face validation MUST be conducted before either an employee of the CA, a Latin Notary, a Notary (or equivalent in the Applicant's jurisdiction), a Lawyer, or Accountant (Third-Party Validator). The Principal Individual(s) MUST present the following documentation (Vetting Documents) directly to the Third-Party Validator: - - i. A Personal Statement that includes the following information: - - 1. Full name or names by which a person is, or has been, known (including all other names used); - 2. Residential Address at which he/she can be located; - 3. Date of birth; and - 4. An affirmation that all of the information contained in the Certificate Request is true and correct. - - ii. A current signed government-issued identification document that includes a photo of the Individual and is signed by the Individual such as: - - 1. A passport; - 2. A driver's license; - 3. A personal identification card; - 4. A concealed weapons permit; or - 5. A military ID. - - iii. At least two secondary documentary evidences to establish his/her identity that include the name of the Individual, one of which MUST be from a financial institution. - - 1. 
Acceptable financial institution documents include: - - a. A major credit card, provided that it contains an expiration date and it has not expired' - b. A debit card from a regulated financial institution, provided that it contains an expiration date and it has not expired, - c. A mortgage statement from a recognizable lender that is less than six months old, - d. A bank statement from a regulated financial institution that is less than six months old. - - 2. Acceptable non-financial documents include: - - a. Recent original utility bills or certificates from a utility company confirming the arrangement to pay for the services at a fixed address (not a mobile/cellular telephone bill), - b. A copy of a statement for payment of a lease, provided that the statement is dated within the past six months, - c. A certified copy of a birth certificate, - d. A local authority tax bill for the current year, - e. A certified copy of a court order, such as a divorce certificate, annulment papers, or adoption papers. - - The Third-Party Validator performing the face-to-face validation MUST: - - i. Attest to the signing of the Personal Statement and the identity of the signer; and - ii. Identify the original Vetting Documents used to perform the identification. In addition, the Third-Party Validator MUST attest on a copy of the current signed government-issued photo identification document that it is a full, true, and accurate reproduction of the original. - - B. **Verification of Third-Party Validator**: The CA MUST independently verify that the Third-Party Validator is a legally-qualified Latin Notary or Notary (or legal equivalent in the Applicant's jurisdiction), lawyer, or accountant in the jurisdiction of the Individual's residency, and that the Third-Party Validator actually did perform the services and did attest to the signature of the Individual. - - C. 
**Cross-checking of Information**: The CA MUST obtain the signed and attested Personal Statement together with the attested copy of the current signed government-issued photo identification document. The CA MUST review the documentation to determine that the information is consistent, matches the information in the application, and identifies the Individual. The CA MAY rely on electronic copies of this documentation, provided that: - - i. the CA confirms their authenticity (not improperly modified when compared with the underlying original) with the Third-Party Validator; and - ii. electronic copies of similar kinds of documents are recognized as legal substitutes for originals under the laws of the CA's jurisdiction. - -5. **Non-Commercial Entity Subjects (International Organization)**: Unless verified under subsection (6), all items listed in [Section 11.2.1](#1121-verification-requirements) (4) MUST be verified either: - - A. With reference to the constituent document under which the International Organization was formed; or - B. Directly with a signatory country's government in which the CA is permitted to do business. Such verification may be obtained from an appropriate government agency or from the laws of that country, or by verifying that the country's government has a mission to represent it at the International Organization; or - C. Directly against any current list of qualified entities that the CA/Browser Forum may maintain at www.cabforum.org. - D. In cases where the International Organization applying for the EV Certificate is an organ or agency - including a non-governmental organization of a verified International Organization, then the CA may verify the International Organization Applicant directly with the verified umbrella International Organization of which the Applicant is an organ or agency. - -6. The CA may rely on a Verified Professional Letter to establish the Applicant's information listed in (1)-(5) above if: - - i. 
the Verified Professional Letter includes a copy of supporting documentation used to establish the Applicant's legal existence, such as a certificate of registration, articles of incorporation, operating agreement, statute, or regulatory act, and - ii. the CA confirms the Applicant's organization name specified in the Verified Professional Letter with a QIIS or QGIS. - -## 11.3. Verification of Applicant's Legal Existence and Identity – Assumed Name - -### 11.3.1. Verification Requirements - -If, in addition to the Applicant's formal legal name, as recorded with the applicable Incorporating Agency or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration, the Applicant's identity, as asserted in the EV Certificate, is to contain any assumed name (also known as "doing business as", "DBA", or "d/b/a" in the US, and "trading as" in the UK) under which the Applicant conducts business, the CA MUST verify that: - - i. the Applicant has registered its use of the assumed name with the appropriate government agency for such filings in the jurisdiction of its Place of Business (as verified in accordance with these Guidelines), and - ii. that such filing continues to be valid. - -### 11.3.2. Acceptable Method of Verification - -To verify any assumed name under which the Applicant conducts business: - -1. The CA MAY verify the assumed name through use of a Qualified Government Information Source operated by, or on behalf of, an appropriate government agency in the jurisdiction of the Applicant's Place of Business, or by direct contact with such government agency in person or via mail, e-mail, Web address, or telephone; or -2. The CA MAY verify the assumed name through use of a Qualified Independent Information Source provided that the QIIS has verified the assumed name with the appropriate government agency. -3. 
The CA MAY rely on a Verified Professional Letter that indicates the assumed name under which the Applicant conducts business, the government agency with which the assumed name is registered, and that such filing continues to be valid. - -## 11.4. Verification of Applicant's Physical Existence - -### 11.4.1. Address of Applicant's Place of Business - -1. **Verification Requirements**: To verify the Applicant's physical existence and business presence, the CA MUST verify that the physical address provided by the Applicant is an address where the Applicant or a Parent/Subsidiary Company conducts business operations (not, for example, a mail drop or P.O. box, or 'care of' (C/O) address, such as an address for an agent of the Organization), and is the address of the Applicant's Place of Business. - -2. **Acceptable Methods of Verification** - - A. **Place of Business in the Country of Incorporation or Registration** - - i. For Applicants whose Place of Business is in the same country as the Applicant's Jurisdiction of Incorporation or Registration and whose Place of Business is NOT the same as that indicated in the relevant Qualified Government Information Source used in [Section 11.2](#112-verification-of-applicants-legal-existence-and-identity) to verify legal existence: - - 1. For Applicants listed at the same Place of Business address in the current version of either at least one QGIS (other than that used to verify legal existence), QIIS or QTIS, the CA MUST confirm that the Applicant's address, as listed in the EV Certificate Request, is a valid business address for the Applicant or a Parent/Subsidiary Company by reference to such QGIS, QIIS, or QTIS, and MAY rely on the Applicant's representation that such address is its Place of Business; - - 2. 
For Applicants who are not listed at the same Place of Business address in the current version of either at least one QIIS or QTIS, the CA MUST confirm that the address provided by the Applicant in the EV Certificate Request is the Applicant's or a Parent/Subsidiary Company's business address, by obtaining documentation of a site visit to the business address, which MUST be performed by a reliable individual or firm. The documentation of the site visit MUST: - - a. Verify that the Applicant's business is located at the exact address stated in the EV Certificate Request (e.g., via permanent signage, employee confirmation, etc.), - b. Identify the type of facility (e.g., office in a commercial building, private residence, storefront, etc.) and whether it appears to be a permanent business location, - c. Indicate whether there is a permanent sign (that cannot be moved) that identifies the Applicant, - d. Indicate whether there is evidence that the Applicant is conducting ongoing business activities at the site (not that it is just, for example, a mail drop, P.O. box, etc.), and - e. Include one or more photos of - i. the exterior of the site (showing signage indicating the Applicant's name, if present, and showing the street address if possible), and - ii. the interior reception area or workspace. - - ii. For all Applicants, the CA MAY alternatively rely on a Verified Professional Letter that indicates the address of the Applicant's or a Parent/Subsidiary Company's Place of Business and that business operations are conducted there. - iii. For Government Entity Applicants, the CA MAY rely on the address contained in the records of the QGIS in the Applicant's jurisdiction. - iv. 
For Applicants whose Place of Business is in the same country as the Applicant's Jurisdiction of Incorporation or Registration and where the QGIS used in [Section 11.2](#112-verification-of-applicants-legal-existence-and-identity) to verify legal existence contains a business address for the Applicant, the CA MAY rely on the address in the QGIS to confirm the Applicant's or a Parent/Subsidiary Company's address as listed in the EV Certificate Request, and MAY rely on the Applicant's representation that such address is its Place of Business. - - B. **Place of Business not in the Country of Incorporation or Registration**: The CA MUST rely on a Verified Professional Letter that indicates the address of the Applicant's Place of Business and that business operations are conducted there. - -## 11.5. Verified Method of Communication - -### 11.5.1. Verification Requirements - -To assist in communicating with the Applicant and confirming that the Applicant is aware of and approves issuance, the CA MUST verify a telephone number, fax number, email address, or postal delivery address as a Verified Method of Communication with the Applicant. - -### 11.5.2. Acceptable Methods of Verification - -To verify a Verified Method of Communication with the Applicant, the CA MUST: - -A. Verify that the Verified Method of Communication belongs to the Applicant, or a Parent/Subsidiary or Affiliate of the Applicant, by matching it with one of the Applicant's Parent/Subsidiary or Affiliate's Places of Business in: - - i. records provided by the applicable phone company; - ii. a QGIS, QTIS, or QIIS; or - iii. a Verified Professional Letter; and - -B. Confirm the Verified Method of Communication by using it to obtain an affirmative response sufficient to enable a reasonable person to conclude that the Applicant, or a Parent/Subsidiary or Affiliate of Applicant, can be contacted reliably by using the Verified Method of Communication. - -## 11.6. 
Verification of Applicant's Operational Existence - -### 11.6.1. Verification Requirements - -The CA MUST verify that the Applicant has the ability to engage in business by verifying the Applicant's, or Affiliate/Parent/Subsidiary Company's, operational existence. The CA MAY rely on its verification of a Government Entity's legal existence under [Section 11.2](#112-verification-of-applicants-legal-existence-and-identity) as verification of a Government Entity's operational existence. - -### 11.6.2. Acceptable Methods of Verification - -To verify the Applicant's ability to engage in business, the CA MUST verify the operational existence of the Applicant, or its Affiliate/Parent/Subsidiary Company, by: - -1. Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company has been in existence for at least three years, as indicated by the records of an Incorporating Agency or Registration Agency; - -2. Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company is listed in either a current QIIS or QTIS; - -3. Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company has an active current Demand Deposit Account with a Regulated Financial Institution by receiving authenticated documentation of the Applicant's, Affiliate's, Parent Company's, or Subsidiary Company's Demand Deposit Account directly from a Regulated Financial Institution; or - -4. Relying on a Verified Professional Letter to the effect that the Applicant has an active current Demand Deposit Account with a Regulated Financial Institution. - -## 11.7. Verification of Applicant's Domain Name - -### 11.7.1. Verification Requirements - -1. 
For each Fully-Qualified Domain Name listed in a Certificate which is not an Onion Domain Name, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant (or the Applicant's Parent Company, Subsidiary Company, or Affiliate, collectively referred to as "Applicant" for the purposes of this section) either is the Domain Name Registrant or has control over the FQDN using a procedure specified in Section 3.2.2.4 of the Baseline Requirements. For a Certificate issued to an Onion Domain Name, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant's control over the Onion Domain Name in accordance with Appendix B of the Baseline Requirements. - -2. **Mixed Character Set Domain Names**: EV Certificates MAY include Domain Names containing mixed character sets only in compliance with the rules set forth by the domain registrar. The CA MUST visually compare any Domain Names with mixed character sets with known high risk domains. If a similarity is found, then the EV Certificate Request MUST be flagged as High Risk. The CA must perform reasonably appropriate additional authentication and verification to be certain beyond reasonable doubt that the Applicant and the target in question are the same organization. - -## 11.8. Verification of Name, Title, and Authority of Contract Signer and Certificate Approver - -### 11.8.1. Verification Requirements - -For both the Contract Signer and the Certificate Approver, the CA MUST verify the following. - -1. **Name, Title and Agency**: The CA MUST verify the name and title of the Contract Signer and the Certificate Approver, as applicable. The CA MUST also verify that the Contract Signer and the Certificate Approver are agents representing the Applicant. -2. 
**Signing Authority of Contract Signer**: The CA MUST verify that the Contract Signer is authorized by the Applicant to enter into the Subscriber Agreement (and any other relevant contractual obligations) on behalf of the Applicant, including a contract that designates one or more Certificate Approvers on behalf of the Applicant. -3. **EV Authority of Certificate Approver**: The CA MUST verify, through a source other than the Certificate Approver him- or herself, that the Certificate Approver is expressly authorized by the Applicant to do the following, as of the date of the EV Certificate Request: - - A. Submit, and, if applicable, authorize a Certificate Requester to submit, the EV Certificate Request on behalf of the Applicant; and - B. Provide, and, if applicable, authorize a Certificate Requester to provide, the information requested from the Applicant by the CA for issuance of the EV Certificate; and - C. Approve EV Certificate Requests submitted by a Certificate Requester. - -### 11.8.2. Acceptable Methods of Verification – Name, Title and Agency - -Acceptable methods of verification of the name, title, and agency status of the Contract Signer and the Certificate Approver include the following. - -1. **Name and Title**: The CA MAY verify the name and title of the Contract Signer and the Certificate Approver by any appropriate method designed to provide reasonable assurance that a person claiming to act in such a role is in fact the named person designated to act in such role. - -2. **Agency**: The CA MAY verify the agency of the Contract Signer and the Certificate Approver by: - - A. Contacting the Applicant using a Verified Method of Communication for the Applicant, and obtaining confirmation that the Contract Signer and/or the Certificate Approver, as applicable, is an employee; - B. 
Obtaining an Independent Confirmation From the Applicant (as described in [Section 11.11.4](#11114-independent-confirmation-from-applicant)), or a Verified Professional Letter verifying that the Contract Signer and/or the Certificate Approver, as applicable, is either an employee or has otherwise been appointed as an agent of the Applicant; or - C. Obtaining confirmation from a QIIS or QGIS that the Contract Signer and/or Certificate Approver is an employee of the Applicant. - - The CA MAY also verify the agency of the Certificate Approver via a certification from the Contract Signer (including in a contract between the CA and the Applicant signed by the Contract Signer), provided that the employment or agency status and Signing Authority of the Contract Signer has been verified. - -### 11.8.3. Acceptable Methods of Verification – Authority - -Acceptable methods of verification of the Signing Authority of the Contract Signer, and the EV Authority of the Certificate Approver, as applicable, include: - -1. **Verified Professional Letter**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by reliance on a Verified Professional Letter; -2. **Corporate Resolution**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by reliance on a properly authenticated corporate resolution that confirms that the person has been granted such Signing Authority, provided that such resolution is - - i. certified by the appropriate corporate officer (e.g., secretary), and - ii. the CA can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification; - -3. 
**Independent Confirmation from Applicant**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by obtaining an Independent Confirmation from the Applicant (as described in [Section 11.11.4](#11114-independent-confirmation-from-applicant)); -4. **Contract between CA and Applicant**: The EV Authority of the Certificate Approver MAY be verified by reliance on a contract between the CA and the Applicant that designates the Certificate Approver with such EV Authority, provided that the contract is signed by the Contract Signer and provided that the agency and Signing Authority of the Contract Signer have been verified; -5. **Prior Equivalent Authority**: The signing authority of the Contract Signer, and/or the EV authority of the Certificate Approver, MAY be verified by relying on a demonstration of Prior Equivalent Authority. - - A. Prior Equivalent Authority of a Contract Signer MAY be relied upon for confirmation or verification of the signing authority of the Contract Signer when the Contract Signer has executed a binding contract between the CA and the Applicant with a legally valid and enforceable seal or handwritten signature and only when the contract was executed more than 90 days prior to the EV Certificate application. The CA MUST record sufficient details of the previous agreement to correctly identify it and associate it with the EV application. Such details MAY include any of the following: - - i. Agreement title, - ii. Date of Contract Signer's signature, - iii. Contract reference number, and - iv. Filing location. - - B. Prior Equivalent Authority of a Certificate Approver MAY be relied upon for confirmation or verification of the EV Authority of the Certificate Approver when the Certificate Approver has performed one or more of the following: - - i. Under contract to the CA, has served (or is serving) as an Enterprise RA for the Applicant, or - ii. 
Has participated in the approval of one or more certificate requests, for certificates issued by the CA and which are currently and verifiably in use by the Applicant. In this case the CA MUST have contacted the Certificate Approver by phone at a previously validated phone number or have accepted a signed and notarized letter approving the certificate request. - -6. **QIIS or QGIS**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by a QIIS or QGIS that identifies the Contract Signer and/or the Certificate Approver as a corporate officer, sole proprietor, or other senior official of the Applicant. - -7. **Contract Signer's Representation/Warranty**: Provided that the CA verifies that the Contract Signer is an employee or agent of the Applicant, the CA MAY rely on the signing authority of the Contract Signer by obtaining a duly executed representation or warranty from the Contract Signer that includes the following acknowledgments: - - A. That the Applicant authorizes the Contract Signer to sign the Subscriber Agreement on the Applicant's behalf, - B. That the Subscriber Agreement is a legally valid and enforceable agreement, - C. That, upon execution of the Subscriber Agreement, the Applicant will be bound by all of its terms and conditions, - D. That serious consequences attach to the misuse of an EV certificate, and - E. The contract signer has the authority to obtain the digital equivalent of a corporate seal, stamp or officer's signature to establish the authenticity of the company's Web site. - -Note: An example of an acceptable representation/warranty appears in [Appendix E](#appendix-e---sample-contract-signers-representationwarranty-informative). - -### 11.8.4. Pre-Authorized Certificate Approver - -Where the CA and Applicant contemplate the submission of multiple future EV Certificate Requests, then, after the CA: - -1. 
Has verified the name and title of the Contract Signer and that he/she is an employee or agent of the Applicant; and - -2. Has verified the Signing Authority of such Contract Signer in accordance with one of the procedures in [Section 11.8.3](#1183-acceptable-methods-of-verification--authority). - -The CA and the Applicant MAY enter into a written agreement, signed by the Contract Signer on behalf of the Applicant, whereby, for a specified term, the Applicant expressly authorizes one or more Certificate Approver(s) designated in such agreement to exercise EV Authority with respect to each future EV Certificate Request submitted on behalf of the Applicant and properly authenticated as originating with, or otherwise being approved by, such Certificate Approver(s). - -Such an agreement MUST provide that the Applicant shall be obligated under the Subscriber Agreement for all EV Certificates issued at the request of, or approved by, such Certificate Approver(s) until such EV Authority is revoked, and MUST include mutually agreed-upon provisions for: - - i. authenticating the Certificate Approver when EV Certificate Requests are approved, - ii. periodic re-confirmation of the EV Authority of the Certificate Approver, - iii. secure procedures by which the Applicant can notify the CA that the EV Authority of any such Certificate Approver is revoked, and - iv. such other appropriate precautions as are reasonably necessary. - -## 11.9. Verification of Signature on Subscriber Agreement and EV Certificate Requests - -Both the Subscriber Agreement and each non-pre-authorized EV Certificate Request MUST be signed. The Subscriber Agreement MUST be signed by an authorized Contract Signer. The EV Certificate Request MUST be signed by the Certificate Requester submitting the document, unless the Certificate Request has been pre-authorized in line with [Section 11.8.4](#1184-pre-authorized-certificate-approver). 
If the Certificate Requester is not also an authorized Certificate Approver, then an authorized Certificate Approver MUST independently approve the EV Certificate Request. In all cases, applicable signatures MUST be a legally valid and contain an enforceable seal or handwritten signature (for a paper Subscriber Agreement and/or EV Certificate Request), or a legally valid and enforceable electronic signature (for an electronic Subscriber Agreement and/or EV Certificate Request), that binds the Applicant to the terms of each respective document. - -### 11.9.1. Verification Requirements - -1. **Signature**: The CA MUST authenticate the signature of the Contract Signer on the Subscriber Agreement and the signature of the Certificate Requester on each EV Certificate Request in a manner that makes it reasonably certain that the person named as the signer in the applicable document is, in fact, the person who signed the document on behalf of the Applicant. - -2. **Approval Alternative**: In cases where an EV Certificate Request is signed and submitted by a Certificate Requester who does not also function as a Certificate Approver, approval and adoption of the EV Certificate Request by a Certificate Approver in accordance with the requirements of [Section 11.10](#1110-verification-of-approval-of-ev-certificate-request) can substitute for authentication of the signature of the Certificate Requester on such EV Certificate Request. - -### 11.9.2. Acceptable Methods of Signature Verification - -Acceptable methods of authenticating the signature of the Certificate Requester or Contract Signer include the following: - -1. Contacting the Applicant using a Verified Method of Communication for the Applicant, for the attention of the Certificate Requester or Contract Signer, as applicable, followed by a response from someone who identifies themselves as such person confirming that he/she did sign the applicable document on behalf of the Applicant; - -2. 
A letter mailed to the Applicant's or Agent's address, as verified through independent means in accordance with these Guidelines, for the attention of the Certificate Requester or Contract Signer, as applicable, followed by a response through a Verified Method of Communication from someone who identifies themselves as such person confirming that he/she did sign the applicable document on behalf of the Applicant; - -3. Use of a signature process that establishes the name and title of the signer in a secure manner, such as through use of an appropriately secure login process that identifies the signer before signing, or through use of a digital signature made with reference to an appropriately verified certificate; or - -4. Notarization by a notary, provided that the CA independently verifies that such notary is a legally qualified notary in the jurisdiction of the Certificate Requester or Contract Signer. - -## 11.10. Verification of Approval of EV Certificate Request - -### 11.10.1. Verification Requirements - -In cases where an EV Certificate Request is submitted by a Certificate Requester, before the CA issues the requested EV Certificate, the CA MUST verify that an authorized Certificate Approver reviewed and approved the EV Certificate Request. - -### 11.10.2. Acceptable Methods of Verification - -Acceptable methods of verifying the Certificate Approver's approval of an EV Certificate Request include: - -1. Contacting the Certificate Approver using a Verified Method of Communication for the Applicant and obtaining oral or written confirmation that the Certificate Approver has reviewed and approved the EV Certificate Request; -2. Notifying the Certificate Approver that one or more new EV Certificate Requests are available for review and approval at a designated access-controlled and secure Web site, followed by a login by, and an indication of approval from, the Certificate Approver in the manner required by the Web site; or -3. 
Verifying the signature of the Certificate Approver on the EV Certificate Request in accordance with [Section 11.9](#119-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests). - -## 11.11. Verification of Certain Information Sources - -### 11.11.1. Verified Legal Opinion - -1. **Verification Requirements**: Before relying on a legal opinion submitted to the CA, the CA MUST verify that such legal opinion meets the following requirements: - - A. **Status of Author**: The CA MUST verify that the legal opinion is authored by an independent legal practitioner retained by and representing the Applicant (or an in-house legal practitioner employed by the Applicant) (Legal Practitioner) who is either: - - i. A lawyer (or solicitor, barrister, advocate, or equivalent) licensed to practice law in the country of the Applicant's Jurisdiction of Incorporation or Registration or any jurisdiction where the Applicant maintains an office or physical facility, or - ii. A Latin Notary who is currently commissioned or licensed to practice in the country of the Applicant's Jurisdiction of Incorporation or Registration or any jurisdiction where the Applicant maintains an office or physical facility (and that such jurisdiction recognizes the role of the Latin Notary); - - B. **Basis of Opinion**: The CA MUST verify that the Legal Practitioner is acting on behalf of the Applicant and that the conclusions of the Verified Legal Opinion are based on the Legal Practitioner's stated familiarity with the relevant facts and the exercise of the Legal Practitioner's professional judgment and expertise; - C. **Authenticity**: The CA MUST confirm the authenticity of the Verified Legal Opinion. - -2. **Acceptable Methods of Verification**: Acceptable methods of establishing the foregoing requirements for a Verified Legal Opinion are: - - A. 
**Status of Author**: The CA MUST verify the professional status of the author of the legal opinion by directly contacting the authority responsible for registering or licensing such Legal Practitioner(s) in the applicable jurisdiction; - B. **Basis of Opinion**: The text of the legal opinion MUST make it clear that the Legal Practitioner is acting on behalf of the Applicant and that the conclusions of the legal opinion are based on the Legal Practitioner's stated familiarity with the relevant facts and the exercise of the practitioner's professional judgment and expertise. The legal opinion MAY also include disclaimers and other limitations customary in the Legal Practitioner's jurisdiction, provided that the scope of the disclaimed responsibility is not so great as to eliminate any substantial risk (financial, professional, and/or reputational) to the Legal Practitioner, should the legal opinion prove to be erroneous. An acceptable form of legal opinion is attached as [Appendix B](#appendix-b---sample-attorney-opinions-confirming-specified-information); - C. **Authenticity**: To confirm the authenticity of the legal opinion, the CA MUST make a telephone call or send a copy of the legal opinion back to the Legal Practitioner at the address, phone number, facsimile, or (if available) e-mail address for the Legal Practitioner listed with the authority responsible for registering or licensing such Legal Practitioner, and obtain confirmation from the Legal Practitioner or the Legal Practitioner's assistant that the legal opinion is authentic. If a phone number is not available from the licensing authority, the CA MAY use the number listed for the Legal Practitioner in records provided by the applicable phone company, QGIS, or QIIS. 
- - In circumstances where the opinion is digitally signed, in a manner that confirms the authenticity of the document and the identity of the signer, as verified by the CA in [Section 11.11.1](#11111-verified-legal-opinion) (2)(A), no further verification of authenticity is required. - -### 11.11.2. Verified Accountant Letter - -1. **Verification Requirements**: Before relying on an accountant letter submitted to the CA, the CA MUST verify that such accountant letter meets the following requirements: - - A. **Status of Author**: The CA MUST verify that the accountant letter is authored by an Accounting Practitioner retained or employed by the Applicant and licensed within the country of the Applicant's Jurisdiction of Incorporation, Jurisdiction of Registration, or country where the Applicant maintains an office or physical facility. Verification of license MUST be through the member organization or regulatory organization in the Accounting Practitioner's country or jurisdiction that is appropriate to contact when verifying an accountant's license to practice in that country or jurisdiction. Such country or jurisdiction must have an accounting standards body that maintains full membership status with the International Federation of Accountants. - B. **Basis of Opinion**: The CA MUST verify that the Accounting Practitioner is acting on behalf of the Applicant and that the conclusions of the Verified Accountant Letter are based on the Accounting Practitioner's stated familiarity with the relevant facts and the exercise of the Accounting Practitioner's professional judgment and expertise; - C. **Authenticity**: The CA MUST confirm the authenticity of the Verified Accountant Letter. - -2. **Acceptable Methods of Verification**: Acceptable methods of establishing the foregoing requirements for a Verified Accountant Letter are listed here. - - A. 
**Status of Author**: The CA MUST verify the professional status of the author of the accountant letter by directly contacting the authority responsible for registering or licensing such Accounting Practitioners in the applicable jurisdiction. - B. **Basis of Opinion**: The text of the Verified Accountant Letter MUST make clear that the Accounting Practitioner is acting on behalf of the Applicant and that the information in the letter is based on the Accounting Practitioner's stated familiarity with the relevant facts and the exercise of the practitioner's professional judgment and expertise. The Verified Accountant Letter MAY also include disclaimers and other limitations customary in the Accounting Practitioner's jurisdiction, provided that the scope of the disclaimed responsibility is not so great as to eliminate any substantial risk (financial, professional, and/or reputational) to the Accounting Practitioner, should the Verified Accountant Letter prove to be erroneous. Acceptable forms of Verified Accountant Letter are attached as [Appendix C](#appendix-c---sample-accountant-letters-confirming-specified-information). - C. **Authenticity**: To confirm the authenticity of the accountant's opinion, the CA MUST make a telephone call or send a copy of the Verified Accountant Letter back to the Accounting Practitioner at the address, phone number, facsimile, or (if available) e-mail address for the Accounting Practitioner listed with the authority responsible for registering or licensing such Accounting Practitioners and obtain confirmation from the Accounting Practitioner or the Accounting Practitioner's assistant that the accountant letter is authentic. If a phone number is not available from the licensing authority, the CA MAY use the number listed for the Accountant in records provided by the applicable phone company, QGIS, or QIIS. 
- - In circumstances where the opinion is digitally signed, in a manner that confirms the authenticity of the document and the identity of the signer, as verified by the CA in [Section 11.11.2](#11112-verified-accountant-letter) (2)(A), no further verification of authenticity is required. - -### 11.11.3. Face-to-Face Validation - -1. **Verification Requirements**: Before relying on face-to-face vetting documents submitted to the CA, the CA MUST verify that the Third-Party Validator meets the following requirements: - - A. **Qualification of Third-Party Validator**: The CA MUST independently verify that the Third-Party Validator is a legally-qualified Latin Notary or Notary (or legal equivalent in the Applicant's jurisdiction), Lawyer, or Accountant in the jurisdiction of the individual's residency; - B. **Document Chain of Custody**: The CA MUST verify that the Third-Party Validator viewed the Vetting Documents in a face-to-face meeting with the individual being validated; - C. **Verification of Attestation**: If the Third-Party Validator is not a Latin Notary, then the CA MUST confirm the authenticity of the attestation and vetting documents. - -2. **Acceptable Methods of Verification**: Acceptable methods of establishing the foregoing requirements for vetting documents are: - - A. **Qualification of Third-Party Validator**: The CA MUST verify the professional status of the Third-Party Validator by directly contacting the authority responsible for registering or licensing such Third-Party Validators in the applicable jurisdiction; - B. **Document Chain of Custody**: The Third-Party Validator MUST submit a statement to the CA which attests that they obtained the Vetting Documents submitted to the CA for the individual during a face-to-face meeting with the individual; - C. **Verification of Attestation**: If the Third-Party Validator is not a Latin Notary, then the CA MUST confirm the authenticity of the vetting documents received from the Third-Party Validator. 
The CA MUST make a telephone call to the Third-Party Validator and obtain confirmation from them or their assistant that they performed the face-to-face validation. The CA MAY rely upon self-reported information obtained from the Third-Party Validator for the sole purpose of performing this verification process. In circumstances where the attestation is digitally signed, in a manner that confirms the authenticity of the documents, and the identity of the signer as verified by the CA in [Section 11.11.3](#11113-face-to-face-validation) (1)(A), no further verification of authenticity is required. - -### 11.11.4. Independent Confirmation From Applicant - -An Independent Confirmation from the Applicant is a confirmation of a particular fact (e.g., confirmation of the employee or agency status of a Contract Signer or Certificate Approver, confirmation of the EV Authority of a Certificate Approver, etc.) that is: - -A. Received by the CA from a Confirming Person (someone other than the person who is the subject of the inquiry) that has the appropriate authority to confirm such a fact, and who represents that he/she has confirmed such fact; -B. Received by the CA in a manner that authenticates and verifies the source of the confirmation; and -C. Binding on the Applicant. - -An Independent Confirmation from the Applicant MAY be obtained via the following procedure: - -1. **Confirmation Request**: The CA MUST initiate a Confirmation Request via an appropriate out-of-band communication, requesting verification or confirmation of the particular fact at issue as follows: - - A. **Addressee**: The Confirmation Request MUST be directed to: - - i. A position within the Applicant's organization that qualifies as a Confirming Person (e.g., Secretary, President, CEO, CFO, COO, CIO, CSO, Director, etc.) 
and is identified by name and title in a current QGIS, QIIS, QTIS, Verified Legal Opinion, Verified Accountant Letter, or by contacting the Applicant using a Verified Method of Communication; or - ii. The Applicant's Registered Agent or Registered Office in the Jurisdiction of Incorporation as listed in the official records of the Incorporating Agency, with instructions that it be forwarded to an appropriate Confirming Person; or - iii. A named individual verified to be in the direct line of management above the Contract Signer or Certificate Approver by contacting the Applicant's Human Resources Department by phone or mail (at the phone number or address for the Applicant's Place of Business, verified in accordance with these Guidelines). - - B. **Means of Communication**: The Confirmation Request MUST be directed to the Confirming Person in a manner reasonably likely to reach such person. The following options are acceptable: - - i. By paper mail addressed to the Confirming Person at: - - 1. The address of the Applicant's Place of Business as verified by the CA in accordance with these Guidelines, or - 2. The business address for such Confirming Person specified in a current QGIS, QTIS, QIIS, Verified Professional Letter, or - 3. The address of the Applicant's Registered Agent or Registered Office listed in the official records of the Jurisdiction of Incorporation, or - - ii. By e-mail addressed to the Confirming Person at the business e-mail address for such person listed in a current QGIS, QTIS, QIIS, Verified Legal Opinion, or Verified Accountant Letter; or - iii. By telephone call to the Confirming Person, where such person is contacted by calling the main phone number of the Applicant's Place of Business (verified in accordance with these Guidelines) and asking to speak to such person, and a person taking the call identifies him- or herself as such person; or - iv. By facsimile to the Confirming Person at the Place of Business. 
The facsimile number must be listed in a current QGIS, QTIS, QIIS, Verified Legal Opinion, or Verified Accountant Letter. The cover page must be clearly addressed to the Confirming Person. - -2. **Confirmation Response**: The CA MUST receive a response to the Confirmation Request from a Confirming Person that confirms the particular fact at issue. Such response MAY be provided to the CA by telephone, by e-mail, or by paper mail, so long as the CA can reliably verify that it was provided by a Confirming Person in response to the Confirmation Request. - -3. The CA MAY rely on a verified Confirming Person to confirm their own contact information: email address, telephone number, and facsimile number. The CA MAY rely on this verified contact information for future correspondence with the Confirming Person if: - - A. The domain of the e-mail address is owned by the Applicant and is the Confirming Person's own e-mail address and not a group e-mail alias; - B. The Confirming Person's telephone/fax number is verified by the CA to be a telephone number that is part of the organization's telephone system, and is not the personal phone number for the person. - -### 11.11.5. Qualified Independent Information Source - -A Qualified Independent Information Source (QIIS) is a regularly-updated and publicly available database that is generally recognized as a dependable source for certain information. A database qualifies as a QIIS if the CA determines that: - -1. Industries other than the certificate industry rely on the database for accurate location, contact, or other information; and - -2. The database provider updates its data on at least an annual basis. - -The CA SHALL use a documented process to check the accuracy of the database and ensure its data is acceptable, including reviewing the database provider's terms of use. The CA SHALL NOT use any data in a QIIS that the CA knows is - - i. self-reported and - ii. not verified by the QIIS as accurate. 
- -Databases in which the CA or its owners or affiliated companies maintain a controlling interest, or in which any Registration Authorities or subcontractors to whom the CA has outsourced any portion of the vetting process (or their owners or affiliated companies) maintain any ownership or beneficial interest, do not qualify as a QIIS. - -### 11.11.6. Qualified Government Information Source - -A Qualified Government Information Source (QGIS) is a regularly-updated and current, publicly available, database designed for the purpose of accurately providing the information for which it is consulted, and which is generally recognized as a dependable source of such information provided that it is maintained by a Government Entity, the reporting of data is required by law, and false or misleading reporting is punishable with criminal or civil penalties. Nothing in these Guidelines shall prohibit the use of third-party vendors to obtain the information from the Government Entity provided that the third party obtains the information directly from the Government Entity. - -### 11.11.7. Qualified Government Tax Information Source - -A Qualified Government Tax Information Source is a Qualified Government Information Source that specifically contains tax information relating to Private Organizations, Business Entities or Individuals (e.g., the IRS in the United States). - -## 11.12. Other Verification Requirements - -### 11.12.1. High Risk Status - -The High Risk Certificate requirements of Section 4.2.1 of the Baseline Requirements apply equally to EV Certificates. - -### 11.12.2. Denied Lists and Other Legal Block Lists - -1. **Verification Requirements**: The CA MUST verify whether the Applicant, the Contract Signer, the Certificate Approver, the Applicant's Jurisdiction of Incorporation, Registration, or Place of Business: - - A. 
Is identified on any government denied list, list of prohibited persons, or other list that prohibits doing business with such organization or person under the laws of the country of the CA's jurisdiction(s) of operation; or - B. Has its Jurisdiction of Incorporation, Registration, or Place of Business in any country with which the laws of the CA's jurisdiction prohibit doing business. - - The CA MUST NOT issue any EV Certificate to the Applicant if either the Applicant, the Contract Signer, or Certificate Approver or if the Applicant's Jurisdiction of Incorporation or Registration or Place of Business is on any such list. - -2. **Acceptable Methods of Verification** The CA MUST take reasonable steps to verify with the following lists and regulations: - - A. If the CA has operations in the U.S., the CA MUST take reasonable steps to verify with the following US Government denied lists and regulations: - - i. BIS Denied Persons List - [https://www.bis.doc.gov/index.php/the-denied-persons-list](https://www.bis.doc.gov/index.php/the-denied-persons-list) - ii. BIS Denied Entities List - [https://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern/entity-list](https://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern/entity-list) - iii. US Treasury Department List of Specially Designated Nationals and Blocked Persons - [https://www.treasury.gov/resource-center/sanctions/sdn-list/pages/default.aspx](https://www.treasury.gov/resource-center/sanctions/sdn-list/pages/default.aspx) - iv. US Government export regulations - - B. If the CA has operations in any other country, the CA MUST take reasonable steps to verify with all equivalent denied lists and export regulations (if any) in such other country. - -### 11.12.3. 
Parent/Subsidiary/Affiliate Relationship - -A CA verifying an Applicant using information of the Applicant's Parent, Subsidiary, or Affiliate, when allowed under [Section 11.4.1](#1141-address-of-applicants-place-of-business), [Section 11.5](#115-verified-method-of-communication), [Section 11.6.1](#1161-verification-requirements), or [Section 11.7.1](#1171-verification-requirements), MUST verify the Applicant's relationship to the Parent, Subsidiary, or Affiliate. Acceptable methods of verifying the Applicant's relationship to the Parent, Subsidiary, or Affiliate include the following: - -1. QIIS or QGIS: The relationship between the Applicant and the Parent, Subsidiary, or Affiliate is identified in a QIIS or QGIS; -2. Independent Confirmation from the Parent, Subsidiary, or Affiliate: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by obtaining an Independent Confirmation from the appropriate Parent, Subsidiary, or Affiliate (as described in [Section 11.11.4](#11114-independent-confirmation-from-applicant)); -3. Contract between CA and Parent, Subsidiary, or Affiliate: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by relying on a contract between the CA and the Parent, Subsidiary, or Affiliate that designates the Certificate Approver with such EV Authority, provided that the contract is signed by the Contract Signer and provided that the agency and Signing Authority of the Contract Signer have been verified; -4. Verified Professional Letter: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by relying on a Verified Professional Letter; or -5. Corporate Resolution: A CA MAY verify the relationship between an Applicant and a Subsidiary by relying on a properly authenticated corporate resolution that approves creation of the Subsidiary or the Applicant, provided that such resolution is: - - i. 
certified by the appropriate corporate officer (e.g., secretary), and - ii. the CA can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification. - -## 11.13. Final Cross-Correlation and Due Diligence - -1. The results of the verification processes and procedures outlined in these Guidelines are intended to be viewed both individually and as a group. Thus, after all of the verification processes and procedures are completed, the CA MUST have a person who is not responsible for the collection of information review all of the information and documentation assembled in support of the EV Certificate application and look for discrepancies or other details requiring further explanation. -2. The CA MUST obtain and document further explanation or clarification from the Applicant, Certificate Approver, Certificate Requester, Qualified Independent Information Sources, and/or other sources of information, as necessary, to resolve those discrepancies or details that require further explanation. -3. The CA MUST refrain from issuing an EV Certificate until the entire corpus of information and documentation assembled in support of the EV Certificate Request is such that issuance of the EV Certificate will not communicate factual information that the CA knows, or the exercise of due diligence should discover from the assembled information and documentation, to be inaccurate,. If satisfactory explanation and/or additional documentation are not received within a reasonable time, the CA MUST decline the EV Certificate Request and SHOULD notify the Applicant accordingly. -4. 
In the case where some or all of the documentation used to support the application is in a language other than the CA's normal operating language, the CA or its Affiliate MUST perform the requirements of this Final Cross-Correlation and Due Diligence section using employees under its control and having appropriate training, experience, and judgment in confirming organizational identification and authorization and fulfilling all qualification requirements contained in [Section 14.1](#141-trustworthiness-and-competence). When employees under the control of the CA do not possess the language skills necessary to perform the Final Cross-Correlation and Due Diligence a CA MAY: - - A. Rely on language translations of the relevant portions of the documentation, provided that the translations are received from a Translator; or - B. When the CA has utilized the services of an RA, the CA MAY rely on the language skills of the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with [Section 11.13](#1113-final-cross-correlation-and-due-diligence), Subsections (1), (2) and (3). Notwithstanding the foregoing, prior to issuing the EV Certificate, the CA MUST review the work completed by the RA and determine that all requirements have been met; or - C. When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 17.5](#175-regular-self-audits) and [Section 17.6](#176-auditor-qualification). - -In the case of EV Certificates to be issued in compliance with the requirements of [Section 14.2](#142-delegation-of-functions-to-registration-authorities-and-subcontractors), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. - -## 11.14. 
Requirements for Re-use of Existing Documentation - -For each EV Certificate Request, including requests to renew existing EV Certificates, the CA MUST perform all authentication and verification tasks required by these Guidelines to ensure that the request is properly authorized by the Applicant and that the information in the EV Certificate is still accurate and valid. This section sets forth the age limitations on for the use of documentation collected by the CA. - -### 11.14.1. Validation For Existing Subscribers - -If an Applicant has a currently valid EV Certificate issued by the CA, a CA MAY rely on its prior authentication and verification of: - -1. The Principal Individual verified under [Section 11.2.2](#1122-acceptable-method-of-verification) (4) if the individual is the same person as verified by the CA in connection with the Applicant's previously issued and currently valid EV Certificate; -2. The Applicant's Place of Business under [Section 11.4.1](#1141-address-of-applicants-place-of-business); -3. The Applicant's Verified Method of Communication required by [Section 11.5](#115-verified-method-of-communication) but still MUST perform the verification required by [Section 11.5.2](#1152-acceptable-methods-of-verification) (B); -4. The Applicant's Operational Existence under [Section 11.6](#116-verification-of-applicants-operational-existence); -5. The Name, Title, Agency and Authority of the Contract Signer, and Certificate Approver, under [Section 11.8](#118-verification-of-name-title-and-authority-of-contract-signer-and-certificate-approver); and -6. The Applicant's right to use the specified Domain Name under [Section 11.7](#117-verification-of-applicants-domain-name), provided that the CA verifies that the WHOIS record still shows the same registrant as when the CA verified the specified Domain Name for the initial EV Certificate. - -### 11.14.2. 
Re-issuance Requests - -A CA may rely on a previously verified certificate request to issue a replacement certificate, so long as the certificate being referenced was not revoked due to fraud or other illegal conduct, if: - -1. The expiration date of the replacement certificate is the same as the expiration date of the EV Certificate that is being replaced, and -2. The Subject Information of the Certificate is the same as the Subject in the EV Certificate that is being replaced. - -### 11.14.3. Age of Validated Data - -1. Except for reissuance of an EV Certificate under [Section 11.14.2](#11142-re-issuance-requests) and except when permitted otherwise in [Section 11.14.1](#11141-validation-for-existing-subscribers), the age of all data used to support issuance of an EV Certificate (before revalidation is required) SHALL NOT exceed the following limits: - - A. Legal existence and identity – 398 days; - B. Assumed name – 398 days; - C. Address of Place of Business – 398 days; - D. Verified Method of Communication – 398 days; - E. Operational existence – 398 days; - F. Domain Name – 398 days; - G. Name, Title, Agency, and Authority – 398 days, unless a contract between the CA and the Applicant specifies a different term, in which case, the term specified in such contract controls. For example, the contract MAY include the perpetual assignment of EV roles until revoked by the Applicant or CA, or until the contract expires or is terminated. - -2. The 398-day period set forth above SHALL begin to run on the date the information was collected by the CA. -3. 
The CA MAY reuse a previously submitted EV Certificate Request, Subscriber Agreement, or Terms of Use, including use of a single EV Certificate Request in support of multiple EV Certificates containing the same Subject to the extent permitted under [Section 11.9](#119-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests) and [Section 11.10](#1110-verification-of-approval-of-ev-certificate-request). -4. The CA MUST repeat the verification process required in these Guidelines for any information obtained outside the time limits specified above except when permitted otherwise under [Section 11.14.1](#11141-validation-for-existing-subscribers). - -# 12. Certificate Issuance by a Root CA - -Certificate issuance by the Root CA SHALL require an individual authorized by the CA (i.e. the CA system operator, system officer, or PKI administrator) to deliberately issue a direct command in order for the Root CA to perform a certificate signing operation. - -Root CA Private Keys MUST NOT be used to sign EV Certificates. - -# 13. Certificate Revocation and Status Checking - -The requirements in Section 4.9 of the Baseline Requirements apply equally to EV Certificates. - -# 14. Employee and third party issues - -## 14.1. Trustworthiness and Competence - -### 14.1.1. Identity and Background Verification - -Prior to the commencement of employment of any person by the CA for engagement in the EV Processes, whether as an employee, agent, or an independent contractor of the CA, the CA MUST: - -1. **Verify the Identity of Such Person**: Verification of identity MUST be performed through: - - A. The personal (physical) presence of such person before trusted persons who perform human resource or security functions, and - B. The verification of well-recognized forms of government-issued photo identification (e.g., passports and/or drivers licenses); - - and - -2. 
**Verify the Trustworthiness of Such Person**: Verification of trustworthiness SHALL include background checks, which address at least the following, or their equivalent: - - A. Confirmation of previous employment, - B. Check of professional references; - C. Confirmation of the highest or most-relevant educational qualification obtained; - D. Search of criminal records (local, state or provincial, and national) where allowed by the jurisdiction in which the person will be employed; - - and - -3. In the case of employees already in the employ of the CA at the time of adoption of these Guidelines whose identity and background has not previously been verified as set forth above, the CA SHALL conduct such verification within three months of the date of adoption of these Guidelines. - -### 14.1.2. Training and Skills Level - -The requirements in Section 5.3.3 of the Baseline Requirements apply equally to EV Certificates and these Guidelines. The required internal examination must relate to the EV Certificate validation criteria outlined in these Guidelines. - -### 14.1.3. Separation of Duties - -1. The CA MUST enforce rigorous control procedures for the separation of validation duties to ensure that no one person can single-handedly validate and authorize the issuance of an EV Certificate. The Final Cross-Correlation and Due Diligence steps, as outlined in [Section 11.13](#1113-final-cross-correlation-and-due-diligence), MAY be performed by one of the persons. For example, one Validation Specialist MAY review and verify all the Applicant information and a second Validation Specialist MAY approve issuance of the EV Certificate. -2. Such controls MUST be auditable. - -## 14.2. Delegation of Functions to Registration Authorities and Subcontractors - -### 14.2.1. 
General - -The CA MAY delegate the performance of all or any part of a requirement of these Guidelines to an Affiliate or a Registration Authority (RA) or subcontractor, provided that the process employed by the CA fulfills all of the requirements of [Section 11.13](#1113-final-cross-correlation-and-due-diligence). -Affiliates and/or RAs must comply with the qualification requirements of [Section 14.1](#141-trustworthiness-and-competence). - -The CA SHALL verify that the Delegated Third Party's personnel involved in the issuance of a Certificate meet the training and skills requirements of [Section 14](#14-employee-and-third-party-issues) and the document retention and event logging requirements of [Section 15](#15-data-records). - -### 14.2.2. Enterprise RAs - -The CA MAY contractually authorize a Subscriber to perform the RA function and authorize the CA to issue additional EV Certificates. In such case, the Subscriber SHALL be considered an Enterprise RA, and the following requirements SHALL apply: - -1. In all cases, the Subscriber MUST be an organization verified by the CA in accordance with these Guidelines; -2. The CA MUST impose these limitations as a contractual requirement with the Enterprise RA and monitor compliance by the Enterprise RA; and -3. The Final Cross-Correlation and Due Diligence requirements of [Section 11.13](#1113-final-cross-correlation-and-due-diligence) MAY be performed by a single person representing the Enterprise RA. - -Enterprise RAs that authorize the issuance of EV Certificates solely for its own organization are exempted from the audit requirements of [Section 17.1](#171-eligible-audit-schemes). In all other cases, the requirements of [Section 17.1](#171-eligible-audit-schemes) SHALL apply. - -### 14.2.3. 
Guidelines Compliance Obligation - -In all cases, the CA MUST contractually obligate each Affiliate, RA, subcontractor, and Enterprise RA to comply with all applicable requirements in these Guidelines and to perform them as required of the CA itself. The CA SHALL enforce these obligations and internally audit each Affiliate's, RA's, subcontractor's, and Enterprise RA's compliance with these Requirements on an annual basis. - -### 14.2.4. Allocation of Liability - -As specified in Section 9.8 of the Baseline Requirements. - -# 15. Data Records - -As specified in Section 5.4 of the Baseline Requirements. - -# 16. Data Security - -As specified in Section 5 of the Baseline Requirements. In addition, systems used to process and approve EV Certificate Requests MUST require actions by at least two trusted persons before creating an EV Certificate. - -# 17. Audit - -## 17.1. Eligible Audit Schemes - -A CA issuing EV Certificates SHALL undergo an audit in accordance with one of the following schemes: - -i. WebTrust Program for CAs audit and WebTrust EV Program audit, -ii. ETSI TS 102 042 audit for EVCP, or -iii. ETSI EN 319 411-1 audit for EVCP policy. - -If the CA is a Government Entity, an audit of the CA by the appropriate internal government auditing agency is acceptable in lieu of the audits specified above, provided that such internal government auditing agency publicly certifies in writing that its audit addresses the criteria specified in one of the above audit schemes and certifies that the government CA has successfully passed the audit. - -EV audits MUST cover all CA obligations under these Guidelines regardless of whether they are performed directly by the CA or delegated to an RA or subcontractor. - -## 17.2. Audit Period - -CAs issuing EV Certificates MUST undergo an annual audit that meets the criteria of [Section 17.1](#171-eligible-audit-schemes). 
- -## 17.3 Audit Record - -CAs SHOULD make its audit report publicly available no later than three months after the end of the audit period. If there is a delay greater than three months and if so requested by an Application Software Supplier, the CA MUST provide an explanatory letter signed by its auditor. - -## 17.4. Pre-Issuance Readiness Audit - -1. If the CA has a currently valid WebTrust Seal of Assurance for CAs, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against the WebTrust EV Program. -2. If the CA has a currently valid ETSI 102 042 audit, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against ETSI TS 102 042. -3. If the CA has a currently valid ETSI EN 319 411-1 audit for EVCP policy, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against ETSI EN 319 411-1 for EVCP. -4. If the CA does not have a currently valid WebTrust Seal of Assurance for CAs or an ETSI TS 102 042 EVCP audit or an ETSI EN 319 411-1 audit for EVCP policy, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete either: - i. a point-in-time readiness assessment audit against the WebTrust for CA Program, or - ii. a point-in-time readiness assessment audit against the WebTrust EV Program, the ETSI TS 102 042 EVCP, or the ETSI EN 319 411-1 for EVCP policy. - -The CA MUST complete any required point-in-time readiness assessment no earlier than twelve (12) months prior to issuing an EV Certificate. The CA MUST undergo a complete audit under such scheme within ninety (90) days of issuing the first EV Certificate. - -## 17.5. 
Regular Self Audits - -During the period in which it issues EV Certificates, the CA MUST strictly control its service quality by performing ongoing self audits against a randomly selected sample of at least three percent of the EV Certificates it has issued in the period beginning immediately after the last sample was taken. For all EV Certificates where the Final Cross-Correlation and Due Diligence requirements of [Section 11.13](#1113-final-cross-correlation-and-due-diligence) is performed by an RA, the CA MUST strictly control its service quality by performing ongoing self audits against a randomly selected sample of at least six percent of the EV Certificates it has issued in the period beginning immediately after the last sample was taken. - -## 17.6. Auditor Qualification - -A Qualified Auditor (as defined in Section 8.2 of the Baseline Requirements) MUST perform the CA's audit. - -## 17.7. Root CA Key Pair Generation - -All requirements in Section 6.1.1.1 of the Baseline Requirements apply equally to EV Certificates. However, for Root CA Key Pairs generated after the release of these Guidelines, the Root CA Key Pair generation ceremony MUST be witnessed by the CA's Qualified Auditor in order to observe the process and the controls over the integrity and confidentiality of the Root CA Key Pairs produced. The Qualified Auditor MUST then issue a report opining that the CA, during its Root CA Key Pair and Certificate generation process: - - 1. Documented its Root CA key generation and protection procedures in its Certificate Policy, and its Certification Practices Statement; - 2. Included appropriate detail in its Root Key Generation Script; - 3. Maintained effective controls to provide reasonable assurance that the Root CA key pair was generated and protected in conformity with the procedures described in its CP/CPS and with its Root Key Generation Script; - 4. 
Performed, during the Root CA key generation process, all the procedures required by its Root Key Generation Script. - -# 18. Liability and Indemnification - -CAs MAY limit their liability as described in Section 9.8 of the Baseline Requirements except that a CA MUST NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than two thousand US dollars per Subscriber or Relying Party per EV Certificate. - -A CA's indemnification obligations and a Root CA's obligations with respect to subordinate CAs are set forth in Section 9.9 of the Baseline Requirements. - -# Appendix A - User Agent Verification (Normative) - -The CA MUST host test Web pages that allow Application Software Suppliers to test their software with EV Certificates that chain up to each EV Root Certificate. At a minimum, the CA MUST host separate Web pages using certificates that are: - - i. valid; - ii. revoked; and - iii. expired. - -# Appendix B - Sample Attorney Opinions Confirming Specified Information - -**(Informative)** - -[Law Firm Letterhead] - -[Date] - -| To: | **(Name of Issuing Certification Authority)(Address / fax number of Issuing CA – may be sent by fax or email attachment)** | -| --- | --- | -| Re: | **EV Certificate Request No. (CA Reference Number)** | -| Client: | **(Exact company name of Client – see footnote 1)** | -| Client Representative: | **(Exact name of Client Representative who signed the Application – see footnote 2)** | -| Application Date: | **(Insert date of Client's Application to the Issuing CA)** | - -This firm represents _[__exact__ company name of Client]_ [^1] ("Client"), who has submitted the Application to you dated as of the Application Date shown above ("Application"). We have been asked by our Client to present you with our opinion as stated in this letter. - -[Insert customary preliminary matters for opinion letters in your jurisdiction.] 
- -On this basis, we hereby offer the following opinion: - -1. That [exact company name of Client] ("Company") is a duly formed [corporation, LLC, etc.] that is "active," "valid," "current," or the equivalent under the laws of the state/province of [name of governing jurisdiction where Client is incorporated or registered] and is not under any legal disability known to the author of this letter. - -2. That Company conducts business under the assumed name or "DBA"_[assumed name of the Applicant]_ and has registered such name with the appropriate government agency in the jurisdiction of its place of business below. - -3. That _[name of Client's Representative]_[^2] has authority to act on behalf of Company to: [_select as appropriate_] (a) provide the information about Company required for issuance of the EV Certificates as contained in the attached Application, (b) request one or more EV Certificates and to designate other persons to request EV Certificates, and (c) agree to the relevant contractual obligations contained in the Subscriber Agreement on behalf of Company. - -4. That Company has a physical presence and its place of business is at the following location: - - \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ - \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ - \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ - -5. That Company can be contacted at its stated place of business at the following telephone number: - - \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ - -6. That Company has an active current Demand Deposit Account with a regulated financial institution. - -7. That Company has the right to use the following Domain Name in identifying itself on the Internet: - - \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ - -Insert customary limitations and disclaimers for opinion letters in your jurisdiction. 
- -(Name and signature) - -_[Jurisdiction(s) in which attorney / Latin notary is admitted to practice]_[^3] - -cc: [Send copy to Client_]_ - -[^1]: This must be the Client's exact corporate name, as registered with the relevant Incorporating Agency in the Client's Jurisdiction of Incorporation. This is the name that will be included in the EV Certificate. - -[^2]: If necessary to establish the Client Representative's actual authority, you may rely on a Power of Attorney from an officer of Client who has authority to delegate the authority to the Client Representative. - -[^3]: This letter may be issued by in-house counsel for the Client so long as permitted by the rules of your jurisdiction. - -# Appendix C - Sample Accountant Letters Confirming Specified Information - -**(Informative)** - -It is acceptable for professional accountants to provide letters that address specified matters. The letters would be provided in accordance with the professional standards in the jurisdiction in which the accountant practices. - -Two examples of the letter that might be prepared by an accountant in the United States and in Canada follow: - -## UNITED STATES - -To the [Certification Authority] and Management of [Client]: - -We have performed the procedures enumerated below, which were agreed to by the Managements of Client, solely to assist you in evaluating the company's application for an Extended Validation (EV) Certificate, dated......................., 20...... This agreed-upon procedures engagement was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. The sufficiency of these procedures is solely the responsibility of those parties specified in this report. Consequently, we make no representation regarding the sufficiency of the procedures described below either for the purpose for which this report has been requested or for any other purpose. 
- -| Specified Information: | Procedure:(Note 1: These are illustrative of the procedures that would be undertaken and are designed to meet the needs of the Certification Authorities issuing Extended Validation Certificates) | Results: (Note 2: If you are unavailable to perform any of the stated procedure, this should be noted in this column. Any exceptions should be noted in a separate paragraph below) | -| --- | --- | --- | -| | | | -| Legal Name - 123456 Delaware corporation | Agree legal name to permanent audit file information (If audit has been completed). | Legal name on the application agrees with the information contained in our permanent file with respect to Client.(If there is no permanent file, state this fact) | -| | | | -| Doing business as - "Name" | Agree name to government data base of business names | The name "Name" is registered with the (name of database to which the name was agreed) | -| | | | -| Physical location - "Address Information" | Visit the location at the address | Site visit completed at Address | -| | | | -| Business Phone Number - 555 999 9999 | Phone the number provided and confirm that it was answered by the named organization | Phoned Business Number and noted that it was answered with the Doing Business As name. 
This would provided by the receptionist | -| | | | -| Bank Account – "Bank Name", "Account Number" | Request a letter directly from "the Bank" confirming the existence of the account for the benefit of "the Client" | Received letter directly from "the Bank" confirming the existence of the account for the benefit of "the Client" | -| | | | -| The corporate officers are "NAMED" (verified officer) | Agree Names to annual shareholders meeting minutes (Note - not required to personally know the officers) | Agreed Names listed as corporate officers on the application to minute books maintained by the Client | -| | | | -| Name of application signer and approver | Obtain letter from verified Officer confirming the names of the application signer and approver | Obtained letter from the President confirming the names of the duly authorized names of the application signer and approver as they appear in the application | - -We were not engaged to and did not conduct an examination, the objective of which would be the expression of an opinion on the Application for Extended Validation Certificate. Accordingly, we do not express such an opinion. Had we performed additional procedures, other matters might have come to our attention that would have been reported to you. - -This report is intended solely for the information and use of the Certification Authority and managements of Client, and is not intended to be and should not be used by anyone other than these specified parties. - -[Signature] - -[Date] - -## CANADA - -To: [Name of Certification Authority] - -Re: Client Limited [Applicant] - -As specifically agreed, I/we have performed the following procedures in connection with the above company's application for an Extended Validation (EV) Certificate, dated ......................., 20.... 
with respect to the following specified information contained in the application - -| Specified Information: | Procedure:(Note 1: These are illustrative of the procedures that would be undertaken and are designed to meet the needs of the Certification Authorities issuing Extended Validation Certificates) | Results: (Note 2: If you are unavailable to perform any of the stated procedure, this should be noted in this column. Any exceptions should be noted in a separate paragraph below) | -| --- | --- | --- | -| | | | -| Legal Name - 123456 Ontario limited | Agree legal name to permanent audit file information (If audit has been completed) | Legal name on the application agrees with the information contained in our permanent file with respect to Client.(If there is no permanent file, state this fact) | -| | | | -| Doing business as - "Name" | Agree name to government data base of business names | The name "Name" is registered with the (name of database to which the name was agreed) | -| | | | -| Physical location - "Address Information" | Visit the location at the address | Site visit completed at Address | -| | | | -| Business Phone Number - 555 999 9999 | Phone the number provided and confirm that it was answered by the named organization | Phoned Business Number and noted that it was answered with the Doing Business As name. 
This would provided by the receptionist | -| | | | -| Bank Account – "Bank Name", "Account Number" | Request a letter directly from "the Bank" confirming the existence of the account for the benefit of "the Client" | Received letter directly from "the Bank" confirming the existence of the account for the benefit of "the Client" | -| | | | -| The corporate officers are "NAMED" (verified officer) | Agree Names to annual shareholders meeting minutes (Note - not required to personally know the officers) | Agreed Names listed as corporate officers on the application to minute books maintained by the Client | -| | | | -| Name of application signer and approver | Obtain letter from verified Officer confirming the names of the application signer and approver | Obtained letter from the President confirming the names of the duly authorized names of the application signer and approver as they appear in the application | - -As a result of applying the above procedures, I/we found [no / the following] exceptions [list of exceptions]. However, these procedures do not constitute an audit of the company's application for an EV Certificate, and therefore I express no opinion on the application dated ......................., 20..... - -This letter is for use solely in connection with the application for an Extended Validation Certificate by [Client] dated ......................., 20...... - -City - -(signed) ...................................... - -# Appendix D - Country-Specific Interpretative Guidelines (Normative) - -NOTE: This appendix provides alternative interpretations of the EV Guidelines for countries that have a language, cultural, technical, or legal reason for deviating from a strict interpretation of the EV Guidelines. More specific information for particular countries may be added to this appendix in the future. - -## 1. Organization Names - -1. 
Non-Latin Organization Name - - Where an EV Applicant's organization name is not registered with a QGIS in _Latin_ characters and the Applicant's foreign character organization name and registration have been verified with a QGIS in accordance with these Guidelines, a CA MAY include a Latin character organization name in the EV Certificate. In such a case, the CA MUST follow the procedures laid down in this section. - -2. Romanized Names - - In order to include a transliteration/Romanization of the registered name, the Romanization MUST be verified by the CA using a system officially recognized by the Government in the Applicant's Jurisdiction of Incorporation. - - If the CA can not rely on a transliteration/Romanization of the registered name using a system officially recognized by the Government in the Applicant's Jurisdiction of Incorporation, then it MUST rely on one of the options below, in order of preference: - - A. A system recognized by the International Organization for Standardization (ISO); - B. A system recognized by the United Nations; or - C. A Lawyer's Opinion or Accountant's Letter confirming the proper Romanization of the registered name. - -3. Translated Name - - In order to include a Latin character name in the EV certificate that is not a direct Romanization of the registered name (e.g. an English Name) the CA MUST verify that the Latin character name is: - - A. Included in the Articles of Incorporation (or equivalent document) filed as part of the organization registration; or - B. Recognized by a QTIS in the Applicant's Jurisdiction of Incorporation as the Applicant's recognized name for tax filings; or - C. Confirmed with a QIIS to be the name associated with the registered organization; or - D. Confirmed by a Verified Legal Opinion or Accountant's Letter to be a translated trading name associated with the registered organization. - -### Country-Specific Procedures - -#### D-1. 
Japan - -As interpretation of the procedures set out above: - -1. Organization Names - - A. The Revised Hepburn method of Romanization, as well as Kunrei-shiki and Nihon-shiki methods described in ISO 3602, are acceptable for Japanese Romanizations. - B. The CA MAY verify the Romanized transliteration, language translation (e.g. English name), or other recognized Roman-letter substitute of the Applicant's formal legal name with either a QIIS, Verified Legal Opinion, or Verified Accountant Letter. - C. The CA MAY use the Financial Services Agency to verify a Romanized, translated, or other recognized Roman-letter substitute name. When used, the CA MUST verify that the translated English is recorded in the audited Financial Statements. - D. When relying on Articles of Incorporation to verify a Romanized, translated, or other recognized Roman-letter substitute name, the Articles of Incorporation MUST be accompanied either: by a document, signed with the original Japanese Corporate Stamp, that proves that the Articles of Incorporation are authentic and current, or by a Verified Legal Opinion or a Verified Accountant Letter. The CA MUST verify the authenticity of the Corporate Stamp. - E. A Romanized, translated, or other recognized Roman-lettered substitute name confirmed in accordance with this [Appendix D-1](#d-1-japan) stored in the ROBINS database operated by JIPDEC MAY be relied upon by a CA for determining the allowed organization name during any issuance or renewal process of an EV Certificate without the need to re-perform the above procedures. - -2. Accounting Practitioner - - In Japan: - - A. Accounting Practitioner includes either a certified public accountant (公認会計士 - Konin-kaikei-shi) or a licensed tax accountant (税理士 – Zei-ri-shi). - B. 
The CA MUST verify the professional status of the Accounting Practitioner through direct contact with the relevant local member association that is affiliated with either the Japanese Institute of Certified Public Accountants ([http://www.hp.jicpa.or.jp](http://www.hp.jicpa.or.jp/)), the Japan Federation of Certified Tax Accountant's Associations ([http://www.nichizeiren.or.jp](http://www.nichizeiren.or.jp/)), or any other authoritative source recognized by the Japanese Ministry of Finance ([http://www.mof.go.jp](http://www.mof.go.jp/)) as providing the current registration status of such professionals. - -3. Legal Practitioner - - In Japan: - - A. Legal Practitioner includes any of the following: - - - a licensed lawyer (弁護士 - Ben-go-shi), - - a judicial scrivener (司法書士 - Shiho-sho-shi lawyer), - - an administrative solicitor (行政書士 - Gyosei-sho-shi Lawyer), - - or a notary public (公証人 - Ko-sho-nin). - - For purposes of the EV Guidelines, a Japanese Notary Public is considered equivalent to a Latin Notary. - - B. The CA MUST verify the professional status of the Legal Practitioner by direct contact through the relevant local member association that is affiliated with one of the following national associations: - - - the Japan Federation of Bar Associations ([http://www.nichibenren.or.jp](http://www.nichibenren.or.jp/)), - - the Japan Federation of Shiho-Shoshi Lawyer's Associations ([http://www.shiho-shoshi.or.jp](http://www.shiho-shoshi.or.jp/)), - - the Japan Federation of Administrative Solicitors ([http://www.gyosei.or.jp](http://www.gyosei.or.jp/)), - - the Japan National Notaries Association ([http://www.koshonin.gr.jp](http://www.koshonin.gr.jp/)), or - - any other authoritative source recognized by the Japanese Ministry of Justice ([http://www.moj.go.jp](http://www.moj.go.jp/)) as providing the current registration status of such professionals. 
- -# Appendix E - Sample Contract Signer's Representation/Warranty (Informative) - -A CA may rely on the Contract Signer's authority to enter into the Subscriber Agreement using a representation/warranty executed by the Contract Signer. An example of an acceptable warranty is as follows: - -[CA] and Applicant are entering into a legally valid and enforceable Subscriber Agreement that creates extensive obligations on Applicant. An EV Certificate serves as a form of digital identity for Applicant. The loss or misuse of this identity can result in great harm to the Applicant. By signing this Subscriber Agreement, the contract signer acknowledges that they have the authority to obtain the digital equivalent of a company stamp, seal, or (where applicable) officer's signature to establish the authenticity of the company's website, and that [Applicant name] is responsible for all uses of its EV Certificate. By signing this Agreement on behalf of [Applicant name], the contract signer represents that the contract signer - - i. is acting as an authorized representative of [Applicant name], - ii. is expressly authorized by [Applicant name] to sign Subscriber Agreements and approve EV Certificate requests on Applicant's behalf, and - iii. has confirmed Applicant's right to use the domain(s) to be included in EV Certificates. - -# Appendix F – Unused - -This appendix is intentionally left blank. - -# Appendix G – Abstract Syntax Notation One module for EV certificates - -```ASN.1 -CABFSelectedAttributeTypes { - joint‐iso‐itu‐t(2) international‐organizations(23) - ca‐browser‐forum(140) module(4) - cabfSelectedAttributeTypes(1) 1 } -DEFINITIONS ::= -BEGIN --- EXPORTS All -IMPORTS - -- from Rec. 
ITU-T X.501 | ISO/IEC 9594-2 - selectedAttributeTypes, ID, ldap-enterprise - FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1) - usefulDefinitions(0) 7} - - -- from the X.500 series - ub-locality-name, ub-state-name - FROM UpperBounds {joint-iso-itu-t ds(5) module(1) upperBounds(10) 7} - - -- from Rec. ITU-T X.520 | ISO/IEC 9594-6 - DirectoryString{}, CountryName - FROM SelectedAttributeTypes selectedAttributeTypes; - -id-evat-jurisdiction ID ::= {ldap-enterprise 311 ev(60) 2 1} -id-evat-jurisdiction-localityName ID ::= {id-evat-jurisdiction 1} -id-evat-jurisdiction-stateOrProvinceName ID ::= {id-evat-jurisdiction 2} -id-evat-jurisdiction-countryName ID ::= {id-evat-jurisdiction 3} - -jurisdictionLocalityName ATTRIBUTE ::= { - SUBTYPE OF name - WITH SYNTAX DirectoryString{ub-locality-name} - LDAP-SYNTAX directoryString.&id - LDAP-NAME {"jurisdictionL"} - ID id-evat-jurisdiction-localityName } - -jurisdictionStateOrProvinceName ATTRIBUTE ::= { - SUBTYPE OF name - WITH SYNTAX DirectoryString{ub-state-name} - LDAP-SYNTAX directoryString.&id - LDAP-NAME {"jurisdictionST"} - ID id-evat-jurisdiction-stateOrProvinceName } - -jurisdictionCountryName ATTRIBUTE ::= { - SUBTYPE OF name - WITH SYNTAX CountryName - SINGLE VALUE TRUE - LDAP-SYNTAX countryString.&id - LDAP-NAME {"jurisdictionC"} - ID id-evat-jurisdiction-countryName } - -END -``` - -# Appendix H – Registration Schemes - -The following Registration Schemes are currently recognized as valid under these -guidelines: - -* **NTR**: - - The information carried in this field shall be the same as held in - Subject Registration Number Field as specified in - [Section 9.2.5](#925-subject-registration-number-field) and the country code - used in the Registration Scheme identifier shall match that of the - subject’s jurisdiction as specified in - [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field). 
- - Where the Subject Jurisdiction of Incorporation or Registration Field in 9.2.4 - includes more than the country code, the additional locality information shall - be included as specified in [Section 9.2.8](#928-subject-organization-identifier-field) - and/or [Section 9.8.2](#982-cabrowser-forum-organization-identifier-extension). - -* **VAT**: - - Reference allocated by the national tax authorities to a Legal Entity. This - information shall be validated using information provided by the national tax - authority against the organization as identified by the Subject Organization - Name Field (see [Section 9.2.1](#921-subject-organization-name-field)) and - Subject Registration Number Field (see - Section 9.2.5](#925-subject-registration-number-field)) within the context of - the subject’s jurisdiction as specified in - [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field). - -* **PSD**: - - Authorization number as specified in ETSI TS 119 495 clause 4.4 - allocated to a payment service provider and containing the information as - specified in ETSI TS 119 495 clause 5.2.1. This information SHALL be - obtained directly from the national competent authority register for - payment services or from an information source approved by a government - agency, regulatory body, or legislation for this purpose. This information - SHALL be validated by being matched directly or indirectly (for example, by - matching a globally unique registration number) against the organization as - identified by the Subject Organization Name Field (see - [Section 9.2.1](#921-subject-organization-name-field)) and - Subject Registration Number Field (see - [Section 9.2.5](#925-subject-registration-number-field)) within the context of - the subject’s jurisdiction as specified in - [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field). 
- The stated address of the organization combined with the organization name - SHALL NOT be the only information used to disambiguate the organization. From 9cd1e32eb0733b321858faeaf127862f81f41d13 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Thu, 13 Jul 2023 11:15:02 +0200 Subject: [PATCH 30/48] Update EVG.md --- docs/EVG.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index c8295a45..d3e4db50 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
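Review bot: the ASN.1 module in Appendix G uses non-ASCII hyphens (U+2010) in the module identifier, `joint‐iso‐itu‐t(2) international‐organizations(23) ca‐browser‐forum(140)`, while the rest of the module (`joint-iso-itu-t ds(5)`, `id-evat-jurisdiction`) uses ASCII `-`; an ASN.1 compiler will reject the former, so normalise them to ASCII before merge. Two smaller points in the same hunk: the VAT entry in Appendix H has a broken link, `Section 9.2.5](#925-subject-registration-number-field)` is missing its opening `[`, and the Business Phone Number row of the sample letter reads `This would provided by the receptionist` (should be `would be provided`).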
@@ -82,10 +82,10 @@ These Guidelines do not address the verification of information, or the issuance | **Compliance** | **Section(s)** | **Summary Description (See Full Text for Details)** | |--|--|----------| -| 2020-01-31 | [9.2.8](#928-subject-organization-identifier-field) | If subject:organizationIdentifier is present, the CA/Browser Forum Organization Identifier Extension MUST be present | -| 2020-09-01 | [9.4](#94-maximum-validity-period-for-ev-certificate) & Appendix F | Certificates issued MUST NOT have a Validity Period greater than 398 days. | -| 2020-10-01 | [11.1.3](#1113-disclosure-of-verification-sources) | Prior to using an Incorporating Agency or Registration Agency, the CA MUST ensure the agency has been publicly disclosed | -| 2022-09-01 | [9.2.7](#927-subject-organizational-unit-name-field) | CAs MUST NOT include the organizationalUnitName field in the Subject | +| 2020-01-31 | [9.2.8] | If subject:organizationIdentifier is present, the CA/Browser Forum Organization Identifier Extension MUST be present | +| 2020-09-01 | [9.4] & Appendix F | Certificates issued MUST NOT have a Validity Period greater than 398 days. | +| 2020-10-01 | [11.1.3] | Prior to using an Incorporating Agency or Registration Agency, the CA MUST ensure the agency has been publicly disclosed | +| 2022-09-01 | [9.2.7] | CAs MUST NOT include the organizationalUnitName field in the Subject | **Implementers' Note**: Version 1.3 of these EV Guidelines was published on 20 November 2010 and supplemented through May 2012 when version 1.4 was published. ETSI TS 102 042 and ETSI TR 101 564 Technical Report: Guidance on ETSI TS 102 042 for Issuing Extended Validation Certificates for Auditors and CSPs reference version 1.3 of these EV Guidelines, and ETSI Draft EN 319 411-1 references version 1.4. Version 1.4.5 of Webtrust(r) for Certification Authorities – Extended Validation Audit Criteria references version 1.4.5 of these EV Guidelines. 
As illustrated in the Document History table above, the CA/Browser Forum continues to improve relevant industry guidelines, including this document, the Baseline Requirements, and the Network and Certificate System Security Requirements. We encourage all CAs to conform to each revision on the date specified without awaiting a corresponding update to an applicable audit criterion. In the event of a conflict between an existing audit criterion and a guideline revision, we will communicate with the audit community and attempt to resolve any uncertainty. We will respond to implementation questions directed to questions@cabforum.org. Our coordination with compliance auditors will continue as we develop guideline revision cycles that harmonize with the revision cycles for audit criteria, the compliance auditing periods and cycles of CAs, and the CA/Browser Forum's guideline implementation dates. 
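Review bot: replacing `[9.2.8](#928-subject-organization-identifier-field)` with bare `[9.2.8]` (and likewise for 9.4, 11.1.3 and 9.2.7) does not retarget the links, it removes them: with no matching reference definition, Markdown renders `[9.2.8]` as literal text. If these rows are being brought in line with the renumbered sections used elsewhere in this series (for example `[Section 7.1.4.2.1](#71421-subject-organization-name-field)` in the later hunks), update both the section number and the anchor rather than dropping the target.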
@@ -93,9 +93,9 @@ These Guidelines do not address the verification of information, or the issuance ### 1.3.1 Certification authorities ### 1.3.2 Registration authorities The CA MAY delegate the performance of all or any part of a requirement of these Guidelines to an Affiliate or a Registration Authority (RA) or subcontractor, provided that the process employed by the CA fulfills all of the requirements of [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence). -Affiliates and/or RAs must comply with the qualification requirements of [Section 5.3.2](#532-trustworthiness-and-competence). +Affiliates and/or RAs must comply with the qualification requirements of [Section 5.3.2](#532-background-check-procedures). -The CA SHALL verify that the Delegated Third Party's personnel involved in the issuance of a Certificate meet the training and skills requirements of [Section 5.3](#53-employee-and-third-party-issues) and the document retention and event logging requirements of [Section 5.4](#54-data-records). +The CA SHALL verify that the Delegated Third Party's personnel involved in the issuance of a Certificate meet the training and skills requirements of [Section 5.3](#53-personnel-controls) and the document retention and event logging requirements of [Section 5.4](#54-audit-logging-procedures). In all cases, the CA MUST contractually obligate each Affiliate, RA, subcontractor, and Enterprise RA to comply with all applicable requirements in these Guidelines and to perform them as required of the CA itself. The CA SHALL enforce these obligations and internally audit each Affiliate's, RA's, subcontractor's, and Enterprise RA's compliance with these Requirements on an annual basis. #### 1.3.2.1 Enterprise Registration authorities 
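Review bot: the new anchors `#532-background-check-procedures`, `#53-personnel-controls` and `#54-audit-logging-procedures` only resolve if headings with exactly those titles exist in `docs/EVG.md`; the link text (`Section 5.3.2`, `Section 5.3`, `Section 5.4`) is unchanged, so please confirm the target headings are present. This same pair of lines is rewritten again in patches 31, 32 and 33 of this series (case change, revert, then double hyphen), which suggests the anchors were not checked against the rendered document; settle on one verified form and squash the intermediate commits.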
@@ -229,7 +229,7 @@ Capitalized Terms are defined in the Baseline Requirements except where provided **Private Organization**: A non-governmental legal entity (whether ownership interests are privately held or publicly traded) whose existence was created by a filing with (or an act of) the Incorporating Agency or equivalent in its Jurisdiction of Incorporation. -**Qualified Auditor**: An independent public accounting firm that meets the auditing qualification requirements specified in [Section 8.3](#83-auditor-qualification). +**Qualified Auditor**: An independent public accounting firm that meets the auditing qualification requirements specified in [Section 8.3](#83-identity/qualifications-of-assessor). **Qualified Government Information Source**: A database maintained by a Government Entity (e.g. SEC filings) that meets the requirements of [Section 3.2.11.6](#32116-qualified-government-information-source). 
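Review bot: the anchor `#83-identity/qualifications-of-assessor` contains a `/`, which heading-id generation in GitHub-style Markdown drops (a heading `8.3 Identity/qualifications of assessor` yields `#83-identityqualifications-of-assessor`), so this link will not resolve as written. Check the generated id on the rendered page and use that verbatim.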
@@ -868,11 +868,11 @@ A CA verifying an Applicant using information of the Applicant's Parent, Subsidi 1. The results of the verification processes and procedures outlined in these Guidelines are intended to be viewed both individually and as a group. Thus, after all of the verification processes and procedures are completed, the CA MUST have a person who is not responsible for the collection of information review all of the information and documentation assembled in support of the EV Certificate application and look for discrepancies or other details requiring further explanation. 2. The CA MUST obtain and document further explanation or clarification from the Applicant, Certificate Approver, Certificate Requester, Qualified Independent Information Sources, and/or other sources of information, as necessary, to resolve those discrepancies or details that require further explanation. 3. The CA MUST refrain from issuing an EV Certificate until the entire corpus of information and documentation assembled in support of the EV Certificate Request is such that issuance of the EV Certificate will not communicate factual information that the CA knows, or the exercise of due diligence should discover from the assembled information and documentation, to be inaccurate,. If satisfactory explanation and/or additional documentation are not received within a reasonable time, the CA MUST decline the EV Certificate Request and SHOULD notify the Applicant accordingly. -4. 
In the case where some or all of the documentation used to support the application is in a language other than the CA's normal operating language, the CA or its Affiliate MUST perform the requirements of this Final Cross-Correlation and Due Diligence section using employees under its control and having appropriate training, experience, and judgment in confirming organizational identification and authorization and fulfilling all qualification requirements contained in [Section 5.3.2](#532-trustworthiness-and-competence). When employees under the control of the CA do not possess the language skills necessary to perform the Final Cross-Correlation and Due Diligence a CA MAY: +4. In the case where some or all of the documentation used to support the application is in a language other than the CA's normal operating language, the CA or its Affiliate MUST perform the requirements of this Final Cross-Correlation and Due Diligence section using employees under its control and having appropriate training, experience, and judgment in confirming organizational identification and authorization and fulfilling all qualification requirements contained in [Section 5.3.2](#532-background-check-procedures). When employees under the control of the CA do not possess the language skills necessary to perform the Final Cross-Correlation and Due Diligence a CA MAY: A. Rely on language translations of the relevant portions of the documentation, provided that the translations are received from a Translator; or B. When the CA has utilized the services of an RA, the CA MAY rely on the language skills of the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence), Subsections (1), (2) and (3). Notwithstanding the foregoing, prior to issuing the EV Certificate, the CA MUST review the work completed by the RA and determine that all requirements have been met; or - C. 
When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 8.9](#89-regular-self-audits) and [Section 8.3](#83-auditor-qualification). + C. When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 8.9](#89-regular-self-audits) and [Section 8.3](#83-Identity/qualifications-of-assessor). In the case of EV Certificates to be issued in compliance with the requirements of [Section 1.3.2](#132-delegation-of-functions-to-registration-authorities-and-subcontractors), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. @@ -1437,7 +1437,7 @@ A Certificate issued to a Subscriber MUST contain one or more policy identifier( ### 7.3.1 Version number(s) ### 7.3.2 OCSP extensions # 8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS -## 8.1 Elegible Audit Schemes +## 8.1 Eligible Audit Schemes A CA issuing EV Certificates SHALL undergo an audit in accordance with one of the following schemes: i. WebTrust Program for CAs audit and WebTrust EV Program audit, From b8647c035b55b8c18bc33a6c530eccbefbdd8db6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Thu, 13 Jul 2023 11:22:35 +0200 Subject: [PATCH 31/48] Update EVG.md --- docs/EVG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index d3e4db50..b775a097 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
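Review bot: in subsection C the anchor is `#83-Identity/qualifications-of-assessor` with a capital `I`, while the Qualified Auditor definition in this same patch uses `#83-identity/qualifications-of-assessor`; generated heading ids are lowercase and fragment matching is case-sensitive, so the capitalised form will not resolve, and the `/` has the same problem noted for the definition. While item 4 is being touched, the context line of item 3 ends `to be inaccurate,.` (stray comma before the full stop) and could be fixed in the same commit.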
@@ -93,9 +93,9 @@ These Guidelines do not address the verification of information, or the issuance ### 1.3.1 Certification authorities ### 1.3.2 Registration authorities The CA MAY delegate the performance of all or any part of a requirement of these Guidelines to an Affiliate or a Registration Authority (RA) or subcontractor, provided that the process employed by the CA fulfills all of the requirements of [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence). -Affiliates and/or RAs must comply with the qualification requirements of [Section 5.3.2](#532-background-check-procedures). +Affiliates and/or RAs must comply with the qualification requirements of [Section 5.3.2](#532-Background-check-procedures). -The CA SHALL verify that the Delegated Third Party's personnel involved in the issuance of a Certificate meet the training and skills requirements of [Section 5.3](#53-personnel-controls) and the document retention and event logging requirements of [Section 5.4](#54-audit-logging-procedures). +The CA SHALL verify that the Delegated Third Party's personnel involved in the issuance of a Certificate meet the training and skills requirements of [Section 5.3](#53-Personnel-controls) and the document retention and event logging requirements of [Section 5.4](#54-Audit-logging-procedures). In all cases, the CA MUST contractually obligate each Affiliate, RA, subcontractor, and Enterprise RA to comply with all applicable requirements in these Guidelines and to perform them as required of the CA itself. The CA SHALL enforce these obligations and internally audit each Affiliate's, RA's, subcontractor's, and Enterprise RA's compliance with these Requirements on an annual basis. #### 1.3.2.1 Enterprise Registration authorities From 1187c2de2090fed273dc72a4d7fcedf0a2d2cdac Mon Sep 17 00:00:00 2001 
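Review bot: this commit capitalises the anchors (`#532-Background-check-procedures`, `#53-Personnel-controls`, `#54-Audit-logging-procedures`), which cannot match the lowercase ids generated for headings, and the very next commit in the series reverts it byte for byte. The two commits are a no-op pair; drop both from the series.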
From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Thu, 13 Jul 2023 11:29:54 +0200 Subject: [PATCH 32/48] Update EVG.md --- docs/EVG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index b775a097..d3e4db50 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
@@ -93,9 +93,9 @@ These Guidelines do not address the verification of information, or the issuance ### 1.3.1 Certification authorities ### 1.3.2 Registration authorities The CA MAY delegate the performance of all or any part of a requirement of these Guidelines to an Affiliate or a Registration Authority (RA) or subcontractor, provided that the process employed by the CA fulfills all of the requirements of [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence). -Affiliates and/or RAs must comply with the qualification requirements of [Section 5.3.2](#532-Background-check-procedures). +Affiliates and/or RAs must comply with the qualification requirements of [Section 5.3.2](#532-background-check-procedures). -The CA SHALL verify that the Delegated Third Party's personnel involved in the issuance of a Certificate meet the training and skills requirements of [Section 5.3](#53-Personnel-controls) and the document retention and event logging requirements of [Section 5.4](#54-Audit-logging-procedures). +The CA SHALL verify that the Delegated Third Party's personnel involved in the issuance of a Certificate meet the training and skills requirements of [Section 5.3](#53-personnel-controls) and the document retention and event logging requirements of [Section 5.4](#54-audit-logging-procedures). In all cases, the CA MUST contractually obligate each Affiliate, RA, subcontractor, and Enterprise RA to comply with all applicable requirements in these Guidelines and to perform them as required of the CA itself. The CA SHALL enforce these obligations and internally audit each Affiliate's, RA's, subcontractor's, and Enterprise RA's compliance with these Requirements on an annual basis. #### 1.3.2.1 Enterprise Registration authorities From a5803612a8f0aed68d17d7a323bba728bd1ed1d4 Mon Sep 17 00:00:00 2001 
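Review bot: this is an exact revert of the preceding commit (`#532-Background-check-procedures` back to `#532-background-check-procedures`, and likewise for 5.3 and 5.4); squash it with its parent so the history does not carry a change and its undo under the same `Update EVG.md` message.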
From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Thu, 13 Jul 2023 11:41:53 +0200 Subject: [PATCH 33/48] Update EVG.md --- docs/EVG.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index d3e4db50..6b1b960e 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
@@ -93,9 +93,9 @@ These Guidelines do not address the verification of information, or the issuance ### 1.3.1 Certification authorities ### 1.3.2 Registration authorities The CA MAY delegate the performance of all or any part of a requirement of these Guidelines to an Affiliate or a Registration Authority (RA) or subcontractor, provided that the process employed by the CA fulfills all of the requirements of [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence). -Affiliates and/or RAs must comply with the qualification requirements of [Section 5.3.2](#532-background-check-procedures). +Affiliates and/or RAs must comply with the qualification requirements of [Section 5.3.2](#532--background-check-procedures). -The CA SHALL verify that the Delegated Third Party's personnel involved in the issuance of a Certificate meet the training and skills requirements of [Section 5.3](#53-personnel-controls) and the document retention and event logging requirements of [Section 5.4](#54-audit-logging-procedures). +The CA SHALL verify that the Delegated Third Party's personnel involved in the issuance of a Certificate meet the training and skills requirements of [Section 5.3](#53--personnel-controls) and the document retention and event logging requirements of [Section 5.4](#54--audit-logging-procedures). In all cases, the CA MUST contractually obligate each Affiliate, RA, subcontractor, and Enterprise RA to comply with all applicable requirements in these Guidelines and to perform them as required of the CA itself. The CA SHALL enforce these obligations and internally audit each Affiliate's, RA's, subcontractor's, and Enterprise RA's compliance with these Requirements on an annual basis. #### 1.3.2.1 Enterprise Registration authorities 
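Review bot: the double hyphen in `#532--background-check-procedures`, `#53--personnel-controls` and `#54--audit-logging-procedures` is only generated when the heading has two separators between number and title, as in `# Appendix H – Registration Schemes` (en dash, giving `#appendix-h--registration-schemes`). The numbered headings visible in this series use a single space (`### 1.3.2 Registration authorities`, `## 8.1 Eligible Audit Schemes`), which yields a single hyphen, so these anchors will only resolve if the 5.3, 5.3.2 and 5.4 headings are written with a dash; confirm the heading form rather than guessing.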
@@ -229,7 +229,7 @@ Capitalized Terms are defined in the Baseline Requirements except where provided **Private Organization**: A non-governmental legal entity (whether ownership interests are privately held or publicly traded) whose existence was created by a filing with (or an act of) the Incorporating Agency or equivalent in its Jurisdiction of Incorporation. -**Qualified Auditor**: An independent public accounting firm that meets the auditing qualification requirements specified in [Section 8.3](#83-identity/qualifications-of-assessor). +**Qualified Auditor**: An independent public accounting firm that meets the auditing qualification requirements specified in [Section 8.3](#83--identity/qualifications-of-assessor). **Qualified Government Information Source**: A database maintained by a Government Entity (e.g. SEC filings) that meets the requirements of [Section 3.2.11.6](#32116-qualified-government-information-source). 
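Review bot: `#83--identity/qualifications-of-assessor` combines the double-hyphen form (which needs a dash in the heading, see the 1.3.2 hunk above) with a `/` that heading-id generation strips; neither is likely to match the generated id for `8.3 Identity/qualifications of assessor`. Verify the id on the rendered page and use it verbatim.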
@@ -868,13 +868,13 @@ A CA verifying an Applicant using information of the Applicant's Parent, Subsidi 1. The results of the verification processes and procedures outlined in these Guidelines are intended to be viewed both individually and as a group. Thus, after all of the verification processes and procedures are completed, the CA MUST have a person who is not responsible for the collection of information review all of the information and documentation assembled in support of the EV Certificate application and look for discrepancies or other details requiring further explanation. 2. The CA MUST obtain and document further explanation or clarification from the Applicant, Certificate Approver, Certificate Requester, Qualified Independent Information Sources, and/or other sources of information, as necessary, to resolve those discrepancies or details that require further explanation. 3. The CA MUST refrain from issuing an EV Certificate until the entire corpus of information and documentation assembled in support of the EV Certificate Request is such that issuance of the EV Certificate will not communicate factual information that the CA knows, or the exercise of due diligence should discover from the assembled information and documentation, to be inaccurate,. If satisfactory explanation and/or additional documentation are not received within a reasonable time, the CA MUST decline the EV Certificate Request and SHOULD notify the Applicant accordingly. -4. 
In the case where some or all of the documentation used to support the application is in a language other than the CA's normal operating language, the CA or its Affiliate MUST perform the requirements of this Final Cross-Correlation and Due Diligence section using employees under its control and having appropriate training, experience, and judgment in confirming organizational identification and authorization and fulfilling all qualification requirements contained in [Section 5.3.2](#532-background-check-procedures). When employees under the control of the CA do not possess the language skills necessary to perform the Final Cross-Correlation and Due Diligence a CA MAY: +4. In the case where some or all of the documentation used to support the application is in a language other than the CA's normal operating language, the CA or its Affiliate MUST perform the requirements of this Final Cross-Correlation and Due Diligence section using employees under its control and having appropriate training, experience, and judgment in confirming organizational identification and authorization and fulfilling all qualification requirements contained in [Section 5.3.2](#532--background-check-procedures). When employees under the control of the CA do not possess the language skills necessary to perform the Final Cross-Correlation and Due Diligence a CA MAY: A. Rely on language translations of the relevant portions of the documentation, provided that the translations are received from a Translator; or B. When the CA has utilized the services of an RA, the CA MAY rely on the language skills of the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence), Subsections (1), (2) and (3). Notwithstanding the foregoing, prior to issuing the EV Certificate, the CA MUST review the work completed by the RA and determine that all requirements have been met; or - C. 
When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 8.9](#89-regular-self-audits) and [Section 8.3](#83-Identity/qualifications-of-assessor). + C. When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 8.9](#89--regular-self-audits) and [Section 8.3](#83--Identity/qualifications-of-assessor). -In the case of EV Certificates to be issued in compliance with the requirements of [Section 1.3.2](#132-delegation-of-functions-to-registration-authorities-and-subcontractors), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. +In the case of EV Certificates to be issued in compliance with the requirements of [Section 1.3.2](#132--delegation-of-functions-to-registration-authorities-and-subcontractors), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. ### 3.2.14 Requirements for Re-use of Existing Documentation @@ -1243,7 +1243,7 @@ CABFOrganizationIdentifier ::= SEQUENCE { } ``` -where the subfields have the same values, meanings, and restrictions described in [Section 7.1.4.2.1](#71421-subject-organization-identifier-field). The CA SHALL validate the contents using the requirements in [Section 7.1.4.2.1](#71421-subject-organization-identifier-field). +where the subfields have the same values, meanings, and restrictions described in [Section 7.1.4.2.1](#71421--subject-organization-identifier-field). The CA SHALL validate the contents using the requirements in [Section 7.1.4.2.1](#71421--subject-organization-identifier-field). ### 7.1.3 Algorithm object identifiers ### 7.1.4 Name forms 
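Review bot: the @@ -868 hunk switches the 5.3.2, 8.9, 8.3 and 1.3.2 links to the double-hyphen slug form but leaves `[Section 3.2.13](#3213-final-cross-correlation-and-due-diligence)` in sub-item B on the single-hyphen form, so the hunk is internally inconsistent and at least one style will fail to resolve. Pick one convention for the whole file. Also, `#132--delegation-of-functions-to-registration-authorities-and-subcontractors` targets a heading title that no longer exists in the restructured document, which now reads `### 1.3.2 Registration authorities` (slug `#132-registration-authorities`); the link text needs updating, not just its hyphens. The step 3 context line ends in `to be inaccurate,.` (comma then period) and could be fixed in the same pass.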
@@ -1355,7 +1355,7 @@ Registration Schemes listed in [Appendix H](#appendix-h--registration-schemes) a The CA SHALL: -1. confirm that the organization represented by the Registration Reference is the same as the organization named in the `organizationName` field as specified in [Section 7.1.4.2.1](#71421-subject-organization-name-field) within the context of the subject’s jurisdiction as specified in [Section 7.1.4.2.4](#71424-subject-jurisdiction-of-incorporation-or-registration-field); +1. confirm that the organization represented by the Registration Reference is the same as the organization named in the `organizationName` field as specified in [Section 7.1.4.2.1](#71421--subject-organization-name-field) within the context of the subject’s jurisdiction as specified in [Section 7.1.4.2.4](#71424-subject-jurisdiction-of-incorporation-or-registration-field); 2. further verify the Registration Reference matches other information verified in accordance with [Section 3.2](#32-verification-requirements); 3. take appropriate measures to disambiguate between different organizations as described in [Appendix H](#appendix-h--registration-schemes) for each Registration Scheme; 4. Apply the validation rules relevant to the Registration Scheme as specified in [Appendix H](#appendix-h--registration-schemes). @@ -1859,7 +1859,7 @@ guidelines: Reference allocated by the national tax authorities to a Legal Entity. This information shall be validated using information provided by the national tax authority against the organization as identified by the Subject Organization - Name Field (see [Section 7.1.4.2.1](#71421-subject-organization-name-field)) and + Name Field (see [Section 7.1.4.2.1](#71421--subject-organization-name-field)) and Subject Registration Number Field (see Section 7.1.4.2.5](#71425-subject-registration-number-field)) within the context of the subject’s jurisdiction as specified in 
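Review bot: the @@ -1355 hunk rewrites the 7.1.4.2.1 link as `#71421--subject-organization-name-field` but leaves the 7.1.4.2.4 link on the same line as `#71424-subject-jurisdiction-of-incorporation-or-registration-field`, so two slug conventions now coexist in one sentence and one of them will be a dead anchor. The context line `[Section 3.2](#32-verification-requirements)` also points at a title that this series has renamed to `## 3.2 Initial identity validation`. While here, the @@ -1859 context line `(see Section 7.1.4.2.5](#71425-subject-registration-number-field))` is missing its opening `[` and renders as literal text rather than a link.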
@@ -1876,7 +1876,7 @@ guidelines: SHALL be validated by being matched directly or indirectly (for example, by matching a globally unique registration number) against the organization as identified by the Subject Organization Name Field (see - [Section 7.1.4.2.1](#71421-subject-organization-name-field)) and + [Section 7.1.4.2.1](#71421--subject-organization-name-field)) and Subject Registration Number Field (see [Section 7.1.4.2.5](#71425-subject-registration-number-field)) within the context of the subject’s jurisdiction as specified in From 8a56417ea28e29aa614e8974d4e00dcec27f93e5 Mon Sep 17 00:00:00 2001 From: Martijn Katerbarg Date: Thu, 13 Jul 2023 11:58:22 +0200 Subject: [PATCH 34/48] Update EVG.md --- docs/EVG.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/EVG.md b/docs/EVG.md index 6b1b960e..8843a37b 100644 --- a/docs/EVG.md +++ b/docs/EVG.md @@ -1093,7 +1093,9 @@ As specified in Section 5 of the Baseline Requirements. In addition, systems use 1. The CA MUST enforce rigorous control procedures for the separation of validation duties to ensure that no one person can single-handedly validate and authorize the issuance of an EV Certificate. The Final Cross-Correlation and Due Diligence steps, as outlined in [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence), MAY be performed by one of the persons. For example, one Validation Specialist MAY review and verify all the Applicant information and a second Validation Specialist MAY approve issuance of the EV Certificate. 2. Such controls MUST be auditable. ## 5.3 Personnel controls + ### 5.3.1 Qualifications, experience, and clearance requirements + ### 5.3.2 Background check procedures Prior to the commencement of employment of any person by the CA for engagement in the EV Processes, whether as an employee, agent, or an independent contractor of the CA, the CA MUST: 
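Review bot: the @@ -1093 hunk adds blank lines after `## 5.3 Personnel controls` and around `### 5.3.1`, but the list item `2. Such controls MUST be auditable.` still runs straight into `## 5.3 Personnel controls` with no blank line between them, which some Markdown renderers fold into the list item. Add that blank line in this hunk; it would also make the one-line PATCH 36 later in this series unnecessary.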
@@ -1117,11 +1119,17 @@ Prior to the commencement of employment of any person by the CA for engagement i ### 5.3.3 Training requirements The requirements in Section 5.3.3 of the Baseline Requirements apply equally to EV Certificates and these Guidelines. The required internal examination must relate to the EV Certificate validation criteria outlined in these Guidelines. + ### 5.3.4 Retraining frequency and requirements + ### 5.3.5 Job rotation frequency and sequence + ### 5.3.6 Sanctions for unauthorized actions + ### 5.3.7 Independent contractor requirements + ### 5.3.8 Documentation supplied to personnel + ## 5.4 Audit logging procedures As specified in Section 5.4 of the Baseline Requirements. From 3a609d206eae6e20500777d1c12d4fb018e2c6bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Thu, 13 Jul 2023 12:08:42 +0200 Subject: [PATCH 35/48] Update EVG.md --- docs/EVG.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index 8843a37b..996b99c6 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
@@ -93,9 +93,9 @@ These Guidelines do not address the verification of information, or the issuance ### 1.3.1 Certification authorities ### 1.3.2 Registration authorities The CA MAY delegate the performance of all or any part of a requirement of these Guidelines to an Affiliate or a Registration Authority (RA) or subcontractor, provided that the process employed by the CA fulfills all of the requirements of [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence). -Affiliates and/or RAs must comply with the qualification requirements of [Section 5.3.2](#532--background-check-procedures). +Affiliates and/or RAs must comply with the qualification requirements of [Section 5.3.2](#532-background-check-procedures). -The CA SHALL verify that the Delegated Third Party's personnel involved in the issuance of a Certificate meet the training and skills requirements of [Section 5.3](#53--personnel-controls) and the document retention and event logging requirements of [Section 5.4](#54--audit-logging-procedures). +The CA SHALL verify that the Delegated Third Party's personnel involved in the issuance of a Certificate meet the training and skills requirements of [Section 5.3](#53-personnel-controls) and the document retention and event logging requirements of [Section 5.4](#54-audit-logging-procedures). In all cases, the CA MUST contractually obligate each Affiliate, RA, subcontractor, and Enterprise RA to comply with all applicable requirements in these Guidelines and to perform them as required of the CA itself. The CA SHALL enforce these obligations and internally audit each Affiliate's, RA's, subcontractor's, and Enterprise RA's compliance with these Requirements on an annual basis. #### 1.3.2.1 Enterprise Registration authorities 
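Review bot: this hunk reverts the `#532--background-check-procedures`, `#53--personnel-controls` and `#54--audit-logging-procedures` anchors that the preceding patch in this series had just introduced. The single-hyphen form is the correct one (the headings are `### 5.3.2 Background check procedures`, `## 5.3 Personnel controls` and `## 5.4 Audit logging procedures`, with a single space between number and title, so the generated slug has a single hyphen), but two adjacent patches flipping the same links back and forth is churn that hides the real change; squash the revert into the patch it undoes before merge.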
@@ -868,13 +868,13 @@ A CA verifying an Applicant using information of the Applicant's Parent, Subsidi 1. The results of the verification processes and procedures outlined in these Guidelines are intended to be viewed both individually and as a group. Thus, after all of the verification processes and procedures are completed, the CA MUST have a person who is not responsible for the collection of information review all of the information and documentation assembled in support of the EV Certificate application and look for discrepancies or other details requiring further explanation. 2. The CA MUST obtain and document further explanation or clarification from the Applicant, Certificate Approver, Certificate Requester, Qualified Independent Information Sources, and/or other sources of information, as necessary, to resolve those discrepancies or details that require further explanation. 3. The CA MUST refrain from issuing an EV Certificate until the entire corpus of information and documentation assembled in support of the EV Certificate Request is such that issuance of the EV Certificate will not communicate factual information that the CA knows, or the exercise of due diligence should discover from the assembled information and documentation, to be inaccurate,. If satisfactory explanation and/or additional documentation are not received within a reasonable time, the CA MUST decline the EV Certificate Request and SHOULD notify the Applicant accordingly. -4. 
In the case where some or all of the documentation used to support the application is in a language other than the CA's normal operating language, the CA or its Affiliate MUST perform the requirements of this Final Cross-Correlation and Due Diligence section using employees under its control and having appropriate training, experience, and judgment in confirming organizational identification and authorization and fulfilling all qualification requirements contained in [Section 5.3.2](#532--background-check-procedures). When employees under the control of the CA do not possess the language skills necessary to perform the Final Cross-Correlation and Due Diligence a CA MAY: +4. In the case where some or all of the documentation used to support the application is in a language other than the CA's normal operating language, the CA or its Affiliate MUST perform the requirements of this Final Cross-Correlation and Due Diligence section using employees under its control and having appropriate training, experience, and judgment in confirming organizational identification and authorization and fulfilling all qualification requirements contained in [Section 5.3.2](#532-background-check-procedures). When employees under the control of the CA do not possess the language skills necessary to perform the Final Cross-Correlation and Due Diligence a CA MAY: A. Rely on language translations of the relevant portions of the documentation, provided that the translations are received from a Translator; or B. When the CA has utilized the services of an RA, the CA MAY rely on the language skills of the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence), Subsections (1), (2) and (3). Notwithstanding the foregoing, prior to issuing the EV Certificate, the CA MUST review the work completed by the RA and determine that all requirements have been met; or - C. 
When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 8.9](#89--regular-self-audits) and [Section 8.3](#83--Identity/qualifications-of-assessor). + C. When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 8.9](#89-regular-self-audits) and [Section 8.3](#83-Identity/qualifications-of-assessor). -In the case of EV Certificates to be issued in compliance with the requirements of [Section 1.3.2](#132--delegation-of-functions-to-registration-authorities-and-subcontractors), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. +In the case of EV Certificates to be issued in compliance with the requirements of [Section 1.3.2](#132-delegation-of-functions-to-registration-authorities-and-subcontractors), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. ### 3.2.14 Requirements for Re-use of Existing Documentation From 30302545d9361bd84bc98ae73c76a0c970b3672a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Thu, 13 Jul 2023 12:11:44 +0200 Subject: [PATCH 36/48] Update EVG.md --- docs/EVG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/EVG.md b/docs/EVG.md index 996b99c6..4e2a342a 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
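Review bot: two of the links this hunk touches remain dead after the hyphen change. `[Section 8.3](#83-Identity/qualifications-of-assessor)` keeps an uppercase `I` and a `/`; heading slugs in GitHub and pandoc are lowercased with punctuation stripped, so the anchor for `## 8.3 Identity/qualifications of assessor` is `#83-identityqualifications-of-assessor`. `[Section 1.3.2](#132-delegation-of-functions-to-registration-authorities-and-subcontractors)` targets a title that the restructured file no longer has (the heading is `### 1.3.2 Registration authorities`). Changing the hyphen count alone does not fix either; the `#appendix-h--registration-schemes` links are left on two hyphens, which only works if that appendix heading really contains a separator between `H` and the title, so please confirm against the heading text.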
@@ -1092,6 +1092,7 @@ As specified in Section 5 of the Baseline Requirements. In addition, systems use ### 5.2.4 Roles requiring separation of duties 1. The CA MUST enforce rigorous control procedures for the separation of validation duties to ensure that no one person can single-handedly validate and authorize the issuance of an EV Certificate. The Final Cross-Correlation and Due Diligence steps, as outlined in [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence), MAY be performed by one of the persons. For example, one Validation Specialist MAY review and verify all the Applicant information and a second Validation Specialist MAY approve issuance of the EV Certificate. 2. Such controls MUST be auditable. + ## 5.3 Personnel controls ### 5.3.1 Qualifications, experience, and clearance requirements From bda54b2a744178be0de7e82f8c59c23e0602dbc1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Thu, 13 Jul 2023 12:35:58 +0200 Subject: [PATCH 37/48] Update EVG.md --- docs/EVG.md | 75 +++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 67 insertions(+), 8 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index 4e2a342a..38e935f2 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
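Review bot: a single inserted blank line as its own commit, with the same `Update EVG.md` message as its neighbours, adds noise to the history; fold it into PATCH 34, which already edits the blank lines around `## 5.3 Personnel controls` in this exact spot.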
@@ -98,6 +98,7 @@ Affiliates and/or RAs must comply with the qualification requirements of [Sectio The CA SHALL verify that the Delegated Third Party's personnel involved in the issuance of a Certificate meet the training and skills requirements of [Section 5.3](#53-personnel-controls) and the document retention and event logging requirements of [Section 5.4](#54-audit-logging-procedures). In all cases, the CA MUST contractually obligate each Affiliate, RA, subcontractor, and Enterprise RA to comply with all applicable requirements in these Guidelines and to perform them as required of the CA itself. The CA SHALL enforce these obligations and internally audit each Affiliate's, RA's, subcontractor's, and Enterprise RA's compliance with these Requirements on an annual basis. + #### 1.3.2.1 Enterprise Registration authorities The CA MAY contractually authorize a Subscriber to perform the RA function and authorize the CA to issue additional EV Certificates. In such case, the Subscriber SHALL be considered an Enterprise RA, and the following requirements SHALL apply: @@ -137,12 +138,15 @@ EV Certificates focus only on the identity of the Subject named in the Certifica 2. That the Subject named in the EV Certificate complies with applicable laws; 3. That the Subject named in the EV Certificate is trustworthy, honest, or reputable in its business dealings; or 4. That it is "safe" to do business with the Subject named in the EV Certificate. + ## 1.5 Policy administration ### 1.5.1 Organization administering the document ### 1.5.2 Contact person ### 1.5.3 Person determining CPS suitability for the policy ### 1.5.4 CPS approval procedures + ## 1.6 Definitions and acronyms + ### 1.6.1 Definitions Capitalized Terms are defined in the Baseline Requirements except where provided below: 
@@ -281,6 +285,7 @@ Capitalized Terms are defined in the Baseline Requirements except where provided **WebTrust Program for CAs**: The then-current version of the AICPA/CICA WebTrust Program for Certification Authorities. **WebTrust Seal of Assurance**: An affirmation of compliance resulting from the WebTrust Program for CAs. + ### 1.6.2 Acronyms Abbreviations and Acronyms are defined in the Baseline Requirements except as otherwise defined herein: @@ -305,8 +310,10 @@ Abbreviations and Acronyms are defined in the Baseline Requirements except as ot | QIIS | Qualified Independent Information Source | | SEC | (US Government) Securities and Exchange Commission | | UTC(k) | National realization of Coordinated Universal Time | + ### 1.6.3 References See Baseline Requirements, which are available at . + ### 1.6.4 Conventions Terms not otherwise defined in these Guidelines shall be as defined in applicable agreements, user manuals, certification practice statements (CPS), and certificate policies (CP) of the CA issuing EV Certificates. @@ -348,6 +355,7 @@ In addition, the CA MUST include (directly or by reference) the applicable requi ### 3.1.4 Rules for interpreting various name forms ### 3.1.5 Uniqueness of names ### 3.1.6 Recognition, authentication, and role of trademarks + ## 3.2 Initial identity validation ### 3.2.1 General Overview 
@@ -915,20 +923,16 @@ A CA may rely on a previously verified certificate request to issue a replacemen 4. The CA MUST repeat the verification process required in these Guidelines for any information obtained outside the time limits specified above except when permitted otherwise under [Section 3.2.14.1](#32141-validation-for-existing-subscribers). - - -### 3.2.1 Method to prove possession of private key -### 3.2.2 Authentication of organization identity -### 3.2.3 Authentication of individual identity -### 3.2.4 Non-verified subscriber information -### 3.2.5 Validation of authority -### 3.2.6 Criteria for interoperation ## 3.3 Identification and authentication for re-key requests ### 3.3.1 Identification and authentication for routine re-key ### 3.3.2 Identification and authentication for re-key after revocation + ## 3.4 Identification and authentication for revocation request + # 4. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS + ## 4.1 Certificate Application + ### 4.1.1 Who can submit a certificate application The CA MAY only issue EV Certificates to Applicants that meet the Private Organization, Government Entity, Business Entity and Non-Commercial Entity requirements specified below. @@ -993,6 +997,7 @@ The documentation requirements in Section 4.1.2 of the Baseline Requirements app The Certificate Request requirements in Section 4.1.2 of the Baseline Requirements apply equally to EV Certificates subject to the additional more stringent ageing and updating requirement of [Section 3.2.14](#3214-requirements-for-re-use-of-existing-documentation). ## 4.2 Certificate application processing + ### 4.2.1 Performing identification and authentication functions The following Applicant roles are required for the issuance of an EV Certificate. 
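Review bot: the @@ -915 hunk drops the RFC 3647 template headings `### 3.2.1 Method to prove possession of private key` through `### 3.2.6 Criteria for interoperation`, which is correct, since the document already numbers its own subsections from `### 3.2.1 General Overview` through `### 3.2.14 Requirements for Re-use of Existing Documentation` and would otherwise carry two different sections numbered 3.2.1 to 3.2.6. Before merge, grep the file for any remaining links to the removed template titles (for example `#321-method-to-prove-possession-of-private-key`), and say in the commit message why these headings go; `Update EVG.md` gives the next reader of the history nothing to go on for a deletion mixed into an otherwise whitespace-only patch.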
@@ -1011,20 +1016,25 @@ The Applicant MAY authorize one individual to occupy two or more of these roles. ### 4.2.2 Approval or rejection of certificate applications ### 4.2.3 Time to process certificate applications + ## 4.3 Certificate issuance + ### 4.3.1 CA actions during certificate issuance Certificate issuance by the Root CA SHALL require an individual authorized by the CA (i.e. the CA system operator, system officer, or PKI administrator) to deliberately issue a direct command in order for the Root CA to perform a certificate signing operation. Root CA Private Keys MUST NOT be used to sign EV Certificates. ### 4.3.2 Notification to subscriber by the CA of issuance of certificate + ## 4.4 Certificate acceptance ### 4.4.1 Conduct constituting certificate acceptance ### 4.4.2 Publication of the certificate by the CA ### 4.4.3 Notification of certificate issuance by the CA to other entities + ## 4.5 Key pair and certificate usage ### 4.5.1 Subscriber private key and certificate usage ### 4.5.2 Relying party public key and certificate usage + ## 4.6 Certificate renewal ### 4.6.1 Circumstance for certificate renewal ### 4.6.2 Who may request renewal @@ -1033,6 +1043,7 @@ Root CA Private Keys MUST NOT be used to sign EV Certificates. ### 4.6.5 Conduct constituting acceptance of a renewal certificate ### 4.6.6 Publication of the renewal certificate by the CA ### 4.6.7 Notification of certificate issuance by the CA to other entities + ## 4.7 Certificate re-key ### 4.7.1 Circumstance for certificate re-key ### 4.7.2 Who may request certification of a new public key 
@@ -1041,6 +1052,7 @@ Root CA Private Keys MUST NOT be used to sign EV Certificates. ### 4.7.5 Conduct constituting acceptance of a re-keyed certificate ### 4.7.6 Publication of the re-keyed certificate by the CA ### 4.7.7 Notification of certificate issuance by the CA to other entities + ## 4.8 Certificate modification ### 4.8.1 Circumstance for certificate modification ### 4.8.2 Who may request certificate modification @@ -1049,6 +1061,7 @@ Root CA Private Keys MUST NOT be used to sign EV Certificates. ### 4.8.5 Conduct constituting acceptance of modified certificate ### 4.8.6 Publication of the modified certificate by the CA ### 4.8.7 Notification of certificate issuance by the CA to other entities + ## 4.9 Certificate revocation and suspension ### 4.9.1 Circumstances for revocation ### 4.9.2 Who can request revocation @@ -1066,16 +1079,21 @@ Root CA Private Keys MUST NOT be used to sign EV Certificates. ### 4.9.14 Who can request suspension ### 4.9.15 Procedure for suspension request ### 4.9.16 Limits on suspension period + ## 4.10 Certificate status services ### 4.10.1 Operational characteristics ### 4.10.2 Service availability ### 4.10.3 Optional features + ## 4.11 End of subscription + ## 4.12 Key escrow and recovery ### 4.12.1 Key escrow and recovery policy and practices ### 4.12.2 Session key encapsulation and recovery policy and practices + # 5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS As specified in Section 5 of the Baseline Requirements. In addition, systems used to process and approve EV Certificate Requests MUST require actions by at least two trusted persons before creating an EV Certificate. + ## 5.1 Physical controls ### 5.1.1 Site location and construction ### 5.1.2 Physical access 
@@ -1085,10 +1103,12 @@ As specified in Section 5 of the Baseline Requirements. In addition, systems use ### 5.1.6 Media storage ### 5.1.7 Waste disposal ### 5.1.8 Off-site backup + ## 5.2 Procedural controls ### 5.2.1 Trusted roles ### 5.2.2 Number of persons required per task ### 5.2.3 Identification and authentication for each role + ### 5.2.4 Roles requiring separation of duties 1. The CA MUST enforce rigorous control procedures for the separation of validation duties to ensure that no one person can single-handedly validate and authorize the issuance of an EV Certificate. The Final Cross-Correlation and Due Diligence steps, as outlined in [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence), MAY be performed by one of the persons. For example, one Validation Specialist MAY review and verify all the Applicant information and a second Validation Specialist MAY approve issuance of the EV Certificate. 2. Such controls MUST be auditable. @@ -1142,6 +1162,7 @@ As specified in Section 5.4 of the Baseline Requirements. ### 5.4.6 Audit collection system (internal vs. external) ### 5.4.7 Notification to event-causing subject ### 5.4.8 Vulnerability assessments + ## 5.5 Records archival ### 5.5.1 Types of records archived ### 5.5.2 Retention period for archive 
@@ -1150,15 +1171,21 @@ As specified in Section 5.4 of the Baseline Requirements. ### 5.5.5 Requirements for time-stamping of records ### 5.5.6 Archive collection system (internal or external) ### 5.5.7 Procedures to obtain and verify archive information + ## 5.6 Key changeover + ## 5.7 Compromise and disaster recovery ### 5.7.1 Incident and compromise handling procedures ### 5.7.2 Computing resources, software, and/or data are corrupted ### 5.7.3 Entity private key compromise procedures ### 5.7.4 Business continuity capabilities after a disaster + ## 5.8 CA or RA termination + # 6. TECHNICAL SECURITY CONTROLS + ## 6.1 Key pair generation and installation + ### 6.1.1 Key pair generation All requirements in Section 6.1.1.1 of the Baseline Requirements apply equally to EV Certificates. However, for Root CA Key Pairs generated after the release of these Guidelines, the Root CA Key Pair generation ceremony MUST be witnessed by the CA's Qualified Auditor in order to observe the process and the controls over the integrity and confidentiality of the Root CA Key Pairs produced. The Qualified Auditor MUST then issue a report opining that the CA, during its Root CA Key Pair and Certificate generation process: @@ -1173,6 +1200,7 @@ All requirements in Section 6.1.1.1 of the Baseline Requirements apply equally t ### 6.1.5 Key sizes ### 6.1.6 Public key parameters generation and quality checking ### 6.1.7 Key usage purposes (as per X.509 v3 key usage field) + ## 6.2 Private Key Protection and Cryptographic Module Engineering Controls ### 6.2.1 Cryptographic module standards and controls ### 6.2.2 Private key (n out of m) multi-person control 
@@ -1185,30 +1213,40 @@ All requirements in Section 6.1.1.1 of the Baseline Requirements apply equally t ### 6.2.9 Method of deactivating private key ### 6.2.10 Method of destroying private key ### 6.2.11 Cryptographic Module Rating + ## 6.3 Other aspects of key pair management ### 6.3.1 Public key archival + ### 6.3.2 Certificate operational periods and key pair usage periods The Validity Period for an EV Certificate SHALL NOT exceed 398 days. It is RECOMMENDED that EV Subscriber Certificates have a Maximum Validity Period of twelve months. + ## 6.4 Activation data ### 6.4.1 Activation data generation and installation ### 6.4.2 Activation data protection ### 6.4.3 Other aspects of activation data + ## 6.5 Computer security controls ### 6.5.1 Specific computer security technical requirements ### 6.5.2 Computer security rating + ## 6.6 Life cycle technical controls ### 6.6.1 System development controls ### 6.6.2 Security management controls ### 6.6.3 Life cycle security controls + ## 6.7 Network security controls + ## 6.8 Time-stamping + # 7. CERTIFICATE, CRL, AND OCSP PROFILES + ## 7.1 Certificate profile This section sets forth minimum requirements for the content of the EV Certificate as they relate to the identity of the CA and the Subject of the EV Certificate. ### 7.1.1 Version number(s) + ### 7.1.2 Certificate extensions The extensions listed in [Section 7.1.2](#712-certificate-extensions) are recommended for maximum interoperability between certificates and browsers / applications, but are not mandatory on the CAs except where indicated as “Required”. CAs may use other extensions that are not listed in [Section 7.1.2](#712-certificate-extensions), but are encouraged to add them to this section by ballot from time to time to help increase extension standardization across the industry. 
@@ -1259,6 +1297,7 @@ where the subfields have the same values, meanings, and restrictions described i #### 7.1.4.1 Issuer Information Issuer Information listed in an EV Certificate MUST comply with Section 7.1.4.1 of the Baseline Requirements. + #### 7.1.4.2 Subject Distinguished Name Fields Subject to the requirements of these Guidelines, the EV Certificate and certificates issued to Subordinate CAs that are not controlled by the same entity as the CA MUST include the following information about the Subject organization in the fields listed: @@ -1409,6 +1448,7 @@ All provisions of the Baseline Requirements concerning Minimum Cryptographic Alg ### 7.1.5 Name constraints + ### 7.1.6 Certificate policy object identifier This section sets forth minimum requirements for the contents of EV Certificates as they relate to the identification of EV Certificate Policy. @@ -1437,15 +1477,21 @@ The Application Software Supplier identifies Root CAs that are approved to issue A Certificate issued to a Subscriber MUST contain one or more policy identifier(s), defined by the Issuing CA, in the Certificate's `certificatePolicies` extension that indicates adherence to and compliance with these Guidelines. Each CA SHALL document in its Certificate Policy or Certification Practice Statement that the Certificates it issues containing the specified policy identifier(s) are managed in accordance with these Guidelines. ### 7.1.7 Usage of Policy Constraints extension + ### 7.1.8 Policy qualifiers syntax and semantics + ### 7.1.9 Processing semantics for the critical Certificate Policies extension + ## 7.2 CRL profile ### 7.2.1 Version number(s) ### 7.2.2 CRL and CRL entry extensions + ## 7.3 OCSP profile ### 7.3.1 Version number(s) ### 7.3.2 OCSP extensions + # 8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS + ## 8.1 Eligible Audit Schemes A CA issuing EV Certificates SHALL undergo an audit in accordance with one of the following schemes: 
@@ -1457,13 +1503,17 @@ If the CA is a Government Entity, an audit of the CA by the appropriate internal ## 8.2 Frequency or circumstances of assessment CAs issuing EV Certificates MUST undergo an annual audit that meets the criteria of [Section 8.1](#81-eligible-audit-schemes). + ## 8.3 Identity/qualifications of assessor A Qualified Auditor (as defined in Section 8.2 of the Baseline Requirements) MUST perform the CA's audit. + ## 8.4 Assessor's relationship to assessed entity ## 8.5 Topics covered by assessment ## 8.6 Actions taken as a result of deficiency + ## 8.7 Communication of results CAs SHOULD make its audit report publicly available no later than three months after the end of the audit period. If there is a delay greater than three months and if so requested by an Application Software Supplier, the CA MUST provide an explanatory letter signed by its auditor. + ## 8.8 Pre-issuance Readiness Audit 1. If the CA has a currently valid WebTrust Seal of Assurance for CAs, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against the WebTrust EV Program. 
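Review bot: in the @@ -1457 hunk the context line `CAs SHOULD make its audit report publicly available` pairs a plural subject with a singular possessive; it should read either `A CA SHOULD make its audit report` or `CAs SHOULD make their audit reports`. Since this patch is whitespace-only, fix it in a separate wording commit rather than here.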
@@ -1477,6 +1527,7 @@ The CA MUST complete any required point-in-time readiness assessment no earlier ## 8.9 Self audits During the period in which it issues EV Certificates, the CA MUST strictly control its service quality by performing ongoing self audits against a randomly selected sample of at least three percent of the EV Certificates it has issued in the period beginning immediately after the last sample was taken. For all EV Certificates where the Final Cross-Correlation and Due Diligence requirements of [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence) is performed by an RA, the CA MUST strictly control its service quality by performing ongoing self audits against a randomly selected sample of at least six percent of the EV Certificates it has issued in the period beginning immediately after the last sample was taken. + # 9. OTHER BUSINESS AND LEGAL MATTERS ## 9.1 Fees ### 9.1.1 Certificate issuance or renewal fees @@ -1484,7 +1535,9 @@ During the period in which it issues EV Certificates, the CA MUST strictly contr ### 9.1.3 Revocation or status information access fees ### 9.1.4 Fees for other services ### 9.1.5 Refund policy + ## 9.2 Financial responsibility + ### 9.2.1 Insurance coverage Each CA SHALL maintain the following insurance related to their respective performance and obligations under these Guidelines: 
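Review bot: the heading in this hunk is `## 8.9 Self audits`, whose slug is `#89-self-audits`, but the 3.2.13 sub-item C links elsewhere in this series point at `#89-regular-self-audits`; either the heading or the links need to change for the cross-reference to resolve. The context sentence `the Final Cross-Correlation and Due Diligence requirements of Section 3.2.13 is performed by an RA` also needs `are performed`.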
@@ -1514,6 +1567,7 @@ A CA MAY self-insure for liabilities that arise from such party's performance an ### 9.4.7 Other information disclosure circumstances ## 9.5 Intellectual property rights ## 9.6 Representations and warranties + ### 9.6.1 CA representations and warranties When the CA issues an EV Certificate, the CA and its Root CA represent and warrant to the Certificate Beneficiaries listed in Section 9.6.1 of the Baseline Requirements, during the period when the EV Certificate is Valid, that the CA has followed the requirements of these Guidelines and its EV Policies in issuing and managing the EV Certificate and in verifying the accuracy of the information contained in the EV Certificate. The EV Certificate Warranties specifically include, but are not limited to, the following: @@ -1534,6 +1588,7 @@ G. **Status**: The CA will follow the requirements of these Guidelines and main H. **Revocation**: The CA will follow the requirements of these Guidelines and revoke the EV Certificate for any of the revocation reasons specified in these Guidelines. ### 9.6.2 RA representations and warranties + ### 9.6.3 Subscriber representations and warranties Section 9.6.3 of the Baseline Requirements applies equally to EV Certificates. In cases where the Certificate Request does not contain all necessary information about the Applicant, the CA MUST additionally confirm the data with the Certificate Approver or Contract Signer rather than the Certificate Requester. 
@@ -1541,10 +1596,13 @@ EV Certificate Applicants make the commitments and warranties set forth in Secti ### 9.6.4 Relying party representations and warranties ### 9.6.5 Representations and warranties of other participants ## 9.7 Disclaimers of warranties + ## 9.8 Limitations of liability CAs MAY limit their liability as described in Section 9.8 of the Baseline Requirements except that a CA MUST NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than two thousand US dollars per Subscriber or Relying Party per EV Certificate. + ## 9.9 Indemnities A CA's indemnification obligations and a Root CA's obligations with respect to subordinate CAs are set forth in Section 9.9 of the Baseline Requirements. + ## 9.10 Term and termination ### 9.10.1 Term ### 9.10.2 Termination @@ -1560,6 +1618,7 @@ A CA's indemnification obligations and a Root CA's obligations with respect to s ## 9.16 Miscellaneous provisions ### 9.16.1 Entire agreement ### 9.16.2 Assignment + ### 9.16.3 Severability The CA MAY issue EV Certificates, provided that the CA and its Root CA satisfy the requirements in these Guidelines and the Baseline Requirements. From c2a36ad8a545707e32f8a93a066d82f05dc20319 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Thu, 13 Jul 2023 12:39:49 +0200 Subject: [PATCH 38/48] Update EVG.md --- docs/EVG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index 38e935f2..b401782f 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
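Review bot: Subject/pronoun agreement in the 8.7 context line of the hunk headed `@@ -1457,13 +1503,17 @@`: "CAs SHOULD make its audit report publicly available" pairs a plural subject with "its". Since this blank-line pass already touches the paragraph, change it to "Each CA SHOULD make its audit report publicly available" (the next sentence already switches to the singular "the CA MUST provide").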
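Review bot: Verb agreement in the 8.9 context line of the hunk headed `@@ -1477,6 +1527,7 @@`: "where the Final Cross-Correlation and Due Diligence requirements of Section 3.2.13 is performed by an RA" should read "are performed". The same hunk also repeats the full sampling sentence twice with only the percentage changed (three percent versus six percent); if that is intentional, fine, but a single sentence with "at least three percent, or at least six percent where ... is performed by an RA" would be harder to get out of sync.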
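Review bot: The sentence placed under `### 9.16.3 Severability` in the hunk headed `@@ -1560,6 +1618,7 @@` ("The CA MAY issue EV Certificates, provided that the CA and its Root CA satisfy the requirements in these Guidelines and the Baseline Requirements.") is not a severability clause; it is a general eligibility statement that belongs in Section 1 or alongside the CA warranties in 9.6.1. The only change here is the blank line inserted above the heading, so either move the sentence in this commit or mark 9.16.3 as still to be written so the mismatch does not ship as final text.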
@@ -233,7 +233,7 @@ Capitalized Terms are defined in the Baseline Requirements except where provided **Private Organization**: A non-governmental legal entity (whether ownership interests are privately held or publicly traded) whose existence was created by a filing with (or an act of) the Incorporating Agency or equivalent in its Jurisdiction of Incorporation. -**Qualified Auditor**: An independent public accounting firm that meets the auditing qualification requirements specified in [Section 8.3](#83--identity/qualifications-of-assessor). +**Qualified Auditor**: An independent public accounting firm that meets the auditing qualification requirements specified in [Section 8.3](#83--identityqualifications-of-assessor). **Qualified Government Information Source**: A database maintained by a Government Entity (e.g. SEC filings) that meets the requirements of [Section 3.2.11.6](#32116-qualified-government-information-source). 
@@ -880,7 +880,7 @@ A CA verifying an Applicant using information of the Applicant's Parent, Subsidi A. Rely on language translations of the relevant portions of the documentation, provided that the translations are received from a Translator; or B. When the CA has utilized the services of an RA, the CA MAY rely on the language skills of the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence), Subsections (1), (2) and (3). Notwithstanding the foregoing, prior to issuing the EV Certificate, the CA MUST review the work completed by the RA and determine that all requirements have been met; or - C. When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 8.9](#89-regular-self-audits) and [Section 8.3](#83-Identity/qualifications-of-assessor). + C. When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 8.9](#89-self-audits) and [Section 8.3](#83--Identityqualifications-of-assessor). In the case of EV Certificates to be issued in compliance with the requirements of [Section 1.3.2](#132-delegation-of-functions-to-registration-authorities-and-subcontractors), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. From 3b4fe337e6c819410388c91d7446cfdee120bc2c Mon Sep 17 00:00:00 2001 From: Martijn Katerbarg Date: Thu, 13 Jul 2023 16:28:24 +0200 Subject: [PATCH 39/48] Update EVG.md --- docs/EVG.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index b401782f..5298423f 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
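Review bot: PATCH 38/48, definition hunk `@@ -233,7 +233,7 @@`: dropping the `/` from the fragment is right (rendered anchors strip punctuation), but the double hyphen in `#83--identityqualifications-of-assessor` only results if the heading itself contains a double space or an extra separator after "8.3". With the heading written as `## 8.3 Identity/qualifications of assessor` the generated slug is `83-identityqualifications-of-assessor`. Check the rendered heading once and settle the form before it is copied into more links.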
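Review bot: PATCH 38/48, hunk `@@ -880,7 +880,7 @@`: the 3.2.13 C link is changed to `#83--Identityqualifications-of-assessor` with a capital I, while the definition hunk in the same patch uses lowercase `#83--identityqualifications-of-assessor`. Generated anchors are lowercase, so the capitalised fragment will not resolve; use the identical lowercase fragment in both places. The `#89-self-audits` fix in the same line is correct against the heading `## 8.9 Self audits`.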
@@ -90,7 +90,9 @@ These Guidelines do not address the verification of information, or the issuance **Implementers' Note**: Version 1.3 of these EV Guidelines was published on 20 November 2010 and supplemented through May 2012 when version 1.4 was published. ETSI TS 102 042 and ETSI TR 101 564 Technical Report: Guidance on ETSI TS 102 042 for Issuing Extended Validation Certificates for Auditors and CSPs reference version 1.3 of these EV Guidelines, and ETSI Draft EN 319 411-1 references version 1.4. Version 1.4.5 of Webtrust(r) for Certification Authorities – Extended Validation Audit Criteria references version 1.4.5 of these EV Guidelines. As illustrated in the Document History table above, the CA/Browser Forum continues to improve relevant industry guidelines, including this document, the Baseline Requirements, and the Network and Certificate System Security Requirements. We encourage all CAs to conform to each revision on the date specified without awaiting a corresponding update to an applicable audit criterion. In the event of a conflict between an existing audit criterion and a guideline revision, we will communicate with the audit community and attempt to resolve any uncertainty. We will respond to implementation questions directed to questions@cabforum.org. Our coordination with compliance auditors will continue as we develop guideline revision cycles that harmonize with the revision cycles for audit criteria, the compliance auditing periods and cycles of CAs, and the CA/Browser Forum's guideline implementation dates. ## 1.3 PKI participants + ### 1.3.1 Certification authorities + ### 1.3.2 Registration authorities The CA MAY delegate the performance of all or any part of a requirement of these Guidelines to an Affiliate or a Registration Authority (RA) or subcontractor, provided that the process employed by the CA fulfills all of the requirements of [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence). 
Affiliates and/or RAs must comply with the qualification requirements of [Section 5.3.2](#532-background-check-procedures). @@ -233,7 +235,7 @@ Capitalized Terms are defined in the Baseline Requirements except where provided **Private Organization**: A non-governmental legal entity (whether ownership interests are privately held or publicly traded) whose existence was created by a filing with (or an act of) the Incorporating Agency or equivalent in its Jurisdiction of Incorporation. -**Qualified Auditor**: An independent public accounting firm that meets the auditing qualification requirements specified in [Section 8.3](#83--identityqualifications-of-assessor). +**Qualified Auditor**: An independent public accounting firm that meets the auditing qualification requirements specified in [Section 8.3](#83-identityqualifications-of-assessor). **Qualified Government Information Source**: A database maintained by a Government Entity (e.g. SEC filings) that meets the requirements of [Section 3.2.11.6](#32116-qualified-government-information-source). 
@@ -880,7 +882,7 @@ A CA verifying an Applicant using information of the Applicant's Parent, Subsidi A. Rely on language translations of the relevant portions of the documentation, provided that the translations are received from a Translator; or B. When the CA has utilized the services of an RA, the CA MAY rely on the language skills of the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence), Subsections (1), (2) and (3). Notwithstanding the foregoing, prior to issuing the EV Certificate, the CA MUST review the work completed by the RA and determine that all requirements have been met; or - C. When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 8.9](#89-self-audits) and [Section 8.3](#83--Identityqualifications-of-assessor). + C. When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 8.9](#89-self-audits) and [Section 8.3](#83-Identityqualifications-of-assessor). In the case of EV Certificates to be issued in compliance with the requirements of [Section 1.3.2](#132-delegation-of-functions-to-registration-authorities-and-subcontractors), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. From 572b1fff65469367f8f6e5d175a0bc1fda51a939 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Fri, 14 Jul 2023 10:31:27 +0200 Subject: [PATCH 40/48] Update EVG.md --- docs/EVG.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) 
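Review bot: PATCH 39/48, hunk `@@ -90,7 +90,9 @@`: `### 1.3.1 Certification authorities` is left as a bare heading with only the new blank line under it. Elsewhere the document handles sections with nothing EV-specific by deferring explicitly ("Section 9.6.3 of the Baseline Requirements applies equally to EV Certificates"), so add the equivalent one-liner here rather than an empty section. Minor, same hunk: "Affiliates and/or RAs must comply" uses lowercase "must" where the surrounding text uses the capitalised RFC 2119 MUST.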
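Review bot: PATCH 39/48, hunk `@@ -880,7 +882,7 @@`: the hyphen is corrected but the fragment is still `#83-Identityqualifications-of-assessor` with a capital I, so it still does not match the lowercase `#83-identityqualifications-of-assessor` set in the definition hunk of this same patch. Lowercase it here; otherwise the link stays broken after two consecutive fixes.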
diff --git a/docs/EVG.md b/docs/EVG.md index 5298423f..d72c3dce 100644 --- a/docs/EVG.md +++ b/docs/EVG.md @@ -235,7 +235,7 @@ Capitalized Terms are defined in the Baseline Requirements except where provided **Private Organization**: A non-governmental legal entity (whether ownership interests are privately held or publicly traded) whose existence was created by a filing with (or an act of) the Incorporating Agency or equivalent in its Jurisdiction of Incorporation. -**Qualified Auditor**: An independent public accounting firm that meets the auditing qualification requirements specified in [Section 8.3](#83-identityqualifications-of-assessor). +**Qualified Auditor**: An independent public accounting firm that meets the auditing qualification requirements specified in [Section 8.3](#83--identityqualifications-of-assessor). **Qualified Government Information Source**: A database maintained by a Government Entity (e.g. SEC filings) that meets the requirements of [Section 3.2.11.6](#32116-qualified-government-information-source). 
@@ -882,9 +882,9 @@ A CA verifying an Applicant using information of the Applicant's Parent, Subsidi A. Rely on language translations of the relevant portions of the documentation, provided that the translations are received from a Translator; or B. When the CA has utilized the services of an RA, the CA MAY rely on the language skills of the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence), Subsections (1), (2) and (3). Notwithstanding the foregoing, prior to issuing the EV Certificate, the CA MUST review the work completed by the RA and determine that all requirements have been met; or - C. When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 8.9](#89-self-audits) and [Section 8.3](#83-Identityqualifications-of-assessor). + C. When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 8.9](#89-self-audits) and [Section 8.3](#83--identityqualifications-of-assessor). -In the case of EV Certificates to be issued in compliance with the requirements of [Section 1.3.2](#132-delegation-of-functions-to-registration-authorities-and-subcontractors), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. +In the case of EV Certificates to be issued in compliance with the requirements of [Section 1.3.2](#132--registration-authorities), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. ### 3.2.14 Requirements for Re-use of Existing Documentation 
@@ -1292,7 +1292,7 @@ CABFOrganizationIdentifier ::= SEQUENCE { } ``` -where the subfields have the same values, meanings, and restrictions described in [Section 7.1.4.2.1](#71421--subject-organization-identifier-field). The CA SHALL validate the contents using the requirements in [Section 7.1.4.2.1](#71421--subject-organization-identifier-field). +where the subfields have the same values, meanings, and restrictions described in [Section 7.1.4.2.1](#71428-subject-organization-identifier-field). The CA SHALL validate the contents using the requirements in [Section 7.1.4.2.1](#71428-subject-organization-identifier-field). ### 7.1.3 Algorithm object identifiers ### 7.1.4 Name forms 
@@ -1314,7 +1314,7 @@ When abbreviating a Subject's full legal name as allowed by this subsection, the In addition, an assumed name or DBA name used by the Subject MAY be included at the beginning of this field, provided that it is followed by the full legal organization name in parenthesis. -If the combination of names or the organization name by itself exceeds 64 characters, the CA MAY abbreviate parts of the organization name, and/or omit non-material words in the organization name in such a way that the text in this field does not exceed the 64-character limit; provided that the CA checks this field in accordance with [Section 11.12.1](#11121-high-risk-status) and a Relying Party will not be misled into thinking that they are dealing with a different organization. In cases where this is not possible, the CA MUST NOT issue the EV Certificate. +If the combination of names or the organization name by itself exceeds 64 characters, the CA MAY abbreviate parts of the organization name, and/or omit non-material words in the organization name in such a way that the text in this field does not exceed the 64-character limit; provided that the CA checks this field in accordance with [Section 11.12.1](#32121-high-risk-status) and a Relying Party will not be misled into thinking that they are dealing with a different organization. In cases where this is not possible, the CA MUST NOT issue the EV Certificate. ##### 7.1.4.2.2 Subject Common Name Field 
@@ -1405,8 +1405,8 @@ Registration Schemes listed in [Appendix H](#appendix-h--registration-schemes) a The CA SHALL: -1. confirm that the organization represented by the Registration Reference is the same as the organization named in the `organizationName` field as specified in [Section 7.1.4.2.1](#71421--subject-organization-name-field) within the context of the subject’s jurisdiction as specified in [Section 7.1.4.2.4](#71424-subject-jurisdiction-of-incorporation-or-registration-field); -2. further verify the Registration Reference matches other information verified in accordance with [Section 3.2](#32-verification-requirements); +1. confirm that the organization represented by the Registration Reference is the same as the organization named in the `organizationName` field as specified in [Section 7.1.4.2.1](#71421-subject-organization-name-field) within the context of the subject’s jurisdiction as specified in [Section 7.1.4.2.4](#71424-subject-jurisdiction-of-incorporation-or-registration-field); +2. further verify the Registration Reference matches other information verified in accordance with [Section 3.2](#32--initial-identity-validation); 3. take appropriate measures to disambiguate between different organizations as described in [Appendix H](#appendix-h--registration-schemes) for each Registration Scheme; 4. Apply the validation rules relevant to the Registration Scheme as specified in [Appendix H](#appendix-h--registration-schemes). 
@@ -1929,7 +1929,7 @@ guidelines: Reference allocated by the national tax authorities to a Legal Entity. This information shall be validated using information provided by the national tax authority against the organization as identified by the Subject Organization - Name Field (see [Section 7.1.4.2.1](#71421--subject-organization-name-field)) and + Name Field (see [Section 7.1.4.2.1](#71421-subject-organization-name-field)) and Subject Registration Number Field (see Section 7.1.4.2.5](#71425-subject-registration-number-field)) within the context of the subject’s jurisdiction as specified in @@ -1946,7 +1946,7 @@ guidelines: SHALL be validated by being matched directly or indirectly (for example, by matching a globally unique registration number) against the organization as identified by the Subject Organization Name Field (see - [Section 7.1.4.2.1](#71421--subject-organization-name-field)) and + [Section 7.1.4.2.1](#71421-subject-organization-name-field)) and Subject Registration Number Field (see [Section 7.1.4.2.5](#71425-subject-registration-number-field)) within the context of the subject’s jurisdiction as specified in From e2a54e5471cf8eb4e8508e8b265d6afa1676027a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Fri, 14 Jul 2023 12:15:48 +0200 Subject: [PATCH 41/48] Update EVG.md --- docs/EVG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/EVG.md b/docs/EVG.md index d72c3dce..2bf2c1a6 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
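Review bot: PATCH 40/48, hunk `@@ -235,7 +235,7 @@`: this puts the 8.3 anchor back to the double-hyphen `#83--identityqualifications-of-assessor` that the previous commit had just removed. Decide the slug once by checking the rendered heading (a single space after "8.3" yields a single hyphen) and apply the same answer to the new `#132--registration-authorities` and `#32--initial-identity-validation` fragments introduced in the `@@ -882,9 +882,9 @@` and `@@ -1405,8 +1405,8 @@` hunks; the corresponding headings shown elsewhere in this series (`### 1.3.2 Registration authorities`, `## 3.2 Initial identity validation`) are single-spaced.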
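Review bot: PATCH 40/48, hunk `@@ -1292,7 +1292,7 @@`: link text and anchor now disagree. Both occurrences read `[Section 7.1.4.2.1](#71428-subject-organization-identifier-field)`, but 7.1.4.2.1 is the Subject Organization Name field (see the `@@ -1405,8 +1405,8 @@` hunk), so the Organization Identifier field cannot also be 7.1.4.2.1. If the target is 7.1.4.2.8, update the visible text to "Section 7.1.4.2.8" in both places so the number survives in a printed or PDF rendering where the anchor is invisible.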
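Review bot: PATCH 40/48, hunk `@@ -1314,7 +1314,7 @@`: the anchor is moved to `#32121-high-risk-status` but the visible text still says "Section 11.12.1", which is the pre-RFC 3647 numbering. Change the text to "Section 3.2.12.1" in the same edit; a link whose label points at a section that no longer exists is worse than a broken fragment, because nothing flags it.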
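Review bot: PATCH 40/48, hunk `@@ -1929,7 +1929,7 @@`: the context line "Subject Registration Number Field (see Section 7.1.4.2.5](#71425-subject-registration-number-field))" is missing the opening `[`, so it renders as literal text instead of a link. The parallel passage in `@@ -1946,7 +1946,7 @@` has it right: `[Section 7.1.4.2.5](#71425-subject-registration-number-field)`. The adjacent line is already being edited, so fix the bracket in this commit.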
@@ -235,7 +235,7 @@ Capitalized Terms are defined in the Baseline Requirements except where provided **Private Organization**: A non-governmental legal entity (whether ownership interests are privately held or publicly traded) whose existence was created by a filing with (or an act of) the Incorporating Agency or equivalent in its Jurisdiction of Incorporation. -**Qualified Auditor**: An independent public accounting firm that meets the auditing qualification requirements specified in [Section 8.3](#83--identityqualifications-of-assessor). +**Qualified Auditor**: An independent public accounting firm that meets the auditing qualification requirements specified in [Section 8.3](#83-identityqualifications-of-assessor). **Qualified Government Information Source**: A database maintained by a Government Entity (e.g. SEC filings) that meets the requirements of [Section 3.2.11.6](#32116-qualified-government-information-source). From 13b4f85a494fefa52510512a2fb3c4d7c77a7a36 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Fri, 14 Jul 2023 12:18:29 +0200 Subject: [PATCH 42/48] Update EVG.md --- docs/EVG.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index 2bf2c1a6..b3822b78 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
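Review bot: PATCH 41/48: this is the third flip of the same fragment in consecutive commits (`#83-identityqualifications-of-assessor`, then `#83--...`, now `#83-...` again), and it only touches the Qualified Auditor definition. The 3.2.13 C link set to `#83--identityqualifications-of-assessor` in the previous commit is not changed here, so the two references to 8.3 are out of step once more. Grep for every `#83-` and `#83--` fragment in docs/EVG.md and change them in one commit.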
@@ -882,9 +882,9 @@ A CA verifying an Applicant using information of the Applicant's Parent, Subsidi A. Rely on language translations of the relevant portions of the documentation, provided that the translations are received from a Translator; or B. When the CA has utilized the services of an RA, the CA MAY rely on the language skills of the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence), Subsections (1), (2) and (3). Notwithstanding the foregoing, prior to issuing the EV Certificate, the CA MUST review the work completed by the RA and determine that all requirements have been met; or - C. When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 8.9](#89-self-audits) and [Section 8.3](#83--identityqualifications-of-assessor). + C. When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 8.9](#89-self-audits) and [Section 8.3](#83-identityqualifications-of-assessor). -In the case of EV Certificates to be issued in compliance with the requirements of [Section 1.3.2](#132--registration-authorities), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. +In the case of EV Certificates to be issued in compliance with the requirements of [Section 1.3.2](#132-registration-authorities), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. ### 3.2.14 Requirements for Re-use of Existing Documentation 
@@ -1406,7 +1406,7 @@ Registration Schemes listed in [Appendix H](#appendix-h--registration-schemes) a The CA SHALL: 1. confirm that the organization represented by the Registration Reference is the same as the organization named in the `organizationName` field as specified in [Section 7.1.4.2.1](#71421-subject-organization-name-field) within the context of the subject’s jurisdiction as specified in [Section 7.1.4.2.4](#71424-subject-jurisdiction-of-incorporation-or-registration-field); -2. further verify the Registration Reference matches other information verified in accordance with [Section 3.2](#32--initial-identity-validation); +2. further verify the Registration Reference matches other information verified in accordance with [Section 3.2](#32-initial-identity-validation); 3. take appropriate measures to disambiguate between different organizations as described in [Appendix H](#appendix-h--registration-schemes) for each Registration Scheme; 4. Apply the validation rules relevant to the Registration Scheme as specified in [Appendix H](#appendix-h--registration-schemes). From 26502393538bb97d77616af49cfa8200a26c241a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Fri, 15 Dec 2023 11:44:01 +0100 Subject: [PATCH 43/48] Update EVG to match section 6 of the RFC 3647.md Updated section 1.1 from scope to overview Added section 3.2.1 for the possesion of the private key Changed totally/created new section 3.2.2 to cover all section 11 Moved section 8.1 to section 8 and renamed the others to meet RFC3647 Added the self-audits (8.1.1) under section 8.1 Left/created section 8.7 for pre/readiness audits which do not exist under RFC 3647 --- docs/EVG.md | 219 +++++++++++++++++++++++++++------------------------- 1 file changed, 113 insertions(+), 106 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index b3822b78..cc5d26fe 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
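Review bot: PATCH 42/48: these three fixes (`#83-identityqualifications-of-assessor`, `#132-registration-authorities`, `#32-initial-identity-validation`) finally bring the fragments into line with the single-spaced headings, but the 8.3 fragment alone has now been edited in five successive commits. Run a markdown anchor check over docs/EVG.md before merging each commit of this series, particularly the next one, which renumbers all of 3.2.x and moves Section 8.1; otherwise dangling fragments will keep landing in the history.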
@@ -22,7 +22,7 @@ The Guidelines for the Issuance and Management of Extended Validation Certificat **The CA/Browser Forum** The CA/Browser Forum is a voluntary open organization of certification authorities and suppliers of Internet browsers and other relying-party software applications. Membership is listed at . -## 1.1 Scope +## 1.1 Overview These Guidelines for the issuance and management of Extended Validation Certificates describe certain of the minimum requirements that a Certification Authority must meet in order to issue Extended Validation Certificates. Subject Organization information from Valid EV Certificates may be displayed in a special manner by certain relying-party software applications (e.g., browser software) in order to provide users with a trustworthy confirmation of the identity of the entity that controls the Web site they are accessing. These Guidelines incorporate the Baseline Requirements established by the CA/Browser Forum by reference. A copy of the Baseline Requirements is available on the CA/Browser Forum's website at . These Guidelines address the basic issue of validating Subject identity information in EV Certificates and some related matters. They do not address all of the related matters, such as certain technical and operational ones. This version of the Guidelines addresses only requirements for EV Certificates intended to be used for SSL/TLS authentication on the Internet and for code signing. Similar requirements for S/MIME, time-stamping, VoIP, IM, Web services, etc. may be covered in future versions. 
@@ -94,7 +94,7 @@ These Guidelines do not address the verification of information, or the issuance ### 1.3.1 Certification authorities ### 1.3.2 Registration authorities -The CA MAY delegate the performance of all or any part of a requirement of these Guidelines to an Affiliate or a Registration Authority (RA) or subcontractor, provided that the process employed by the CA fulfills all of the requirements of [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence). +The CA MAY delegate the performance of all or any part of a requirement of these Guidelines to an Affiliate or a Registration Authority (RA) or subcontractor, provided that the process employed by the CA fulfills all of the requirements of [Section 3.2.2.13](#32213-final-cross-correlation-and-due-diligence). Affiliates and/or RAs must comply with the qualification requirements of [Section 5.3.2](#532-background-check-procedures). The CA SHALL verify that the Delegated Third Party's personnel involved in the issuance of a Certificate meet the training and skills requirements of [Section 5.3](#53-personnel-controls) and the document retention and event logging requirements of [Section 5.4](#54-audit-logging-procedures). 
@@ -106,9 +106,9 @@ The CA MAY contractually authorize a Subscriber to perform the RA function and a 1. In all cases, the Subscriber MUST be an organization verified by the CA in accordance with these Guidelines; 2. The CA MUST impose these limitations as a contractual requirement with the Enterprise RA and monitor compliance by the Enterprise RA; and -3. The Final Cross-Correlation and Due Diligence requirements of [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence) MAY be performed by a single person representing the Enterprise RA. +3. The Final Cross-Correlation and Due Diligence requirements of [Section 3.2.2.13](#32213-final-cross-correlation-and-due-diligence) MAY be performed by a single person representing the Enterprise RA. -Enterprise RAs that authorize the issuance of EV Certificates solely for its own organization are exempted from the audit requirements of [Section 8.1](#81-eligible-audit-schemes). In all other cases, the requirements of [Section 8.1](#81-eligible-audit-schemes) SHALL apply. +Enterprise RAs that authorize the issuance of EV Certificates solely for its own organization are exempted from the audit requirements of [Section 8](#8-compliance-audit-and-other-assessments). In all other cases, the requirements of [Section 8](#8-compliance-audit-and-other-assessments) SHALL apply. ### 1.3.3 Subscribers ### 1.3.4 Relying parties 
@@ -237,7 +237,7 @@ Capitalized Terms are defined in the Baseline Requirements except where provided **Qualified Auditor**: An independent public accounting firm that meets the auditing qualification requirements specified in [Section 8.3](#83-identityqualifications-of-assessor). -**Qualified Government Information Source**: A database maintained by a Government Entity (e.g. SEC filings) that meets the requirements of [Section 3.2.11.6](#32116-qualified-government-information-source). +**Qualified Government Information Source**: A database maintained by a Government Entity (e.g. SEC filings) that meets the requirements of [Section 3.2.2.11.6](#322116-qualified-government-information-source). **Qualified Government Tax Information Source**: A Qualified Governmental Information Source that specifically contains tax information relating to Private Organizations, Business Entities, or Individuals. 
@@ -274,11 +274,11 @@ Capitalized Terms are defined in the Baseline Requirements except where provided **Translator**: An individual or Business Entity that possesses the requisite knowledge and expertise to accurately translate the words of a document written in one language to the native language of the CA. -**Verified Accountant Letter**: A document meeting the requirements specified in [Section 3.2.11.2](#32112-verified-accountant-letter). +**Verified Accountant Letter**: A document meeting the requirements specified in [Section 3.2.2.11.2](#322112-verified-accountant-letter). -**Verified Legal Opinion**: A document meeting the requirements specified in [Section 3.2.11.1](#32111-verified-legal-opinion). +**Verified Legal Opinion**: A document meeting the requirements specified in [Section 3.2.2.11.1](#322111-verified-legal-opinion). -**Verified Method of Communication**: The use of a telephone number, a fax number, an email address, or postal delivery address, confirmed by the CA in accordance with [Section 3.2.5](#325-verified-method-of-communication) as a reliable way of communicating with the Applicant. +**Verified Method of Communication**: The use of a telephone number, a fax number, an email address, or postal delivery address, confirmed by the CA in accordance with [Section 3.2.2.5](#3225-verified-method-of-communication) as a reliable way of communicating with the Applicant. **Verified Professional Letter**: A Verified Accountant Letter or Verified Legal Opinion. 
@@ -337,7 +337,7 @@ C. Specify the CA's and its Root CA's entire root certificate hierarchy includi ## 2.1 Repositories ## 2.2 Publication of certification information -Each CA MUST publicly disclose its Certificate Policy and/or Certification Practice Statement through an appropriate and readily accessible online means that is available on a 24x7 basis. The CA SHALL publicly disclose its CA business practices to the extent required by the CA's selected audit scheme (see [Section 8.1](#81-eligible-audit-schemes)). +Each CA MUST publicly disclose its Certificate Policy and/or Certification Practice Statement through an appropriate and readily accessible online means that is available on a 24x7 basis. The CA SHALL publicly disclose its CA business practices to the extent required by the CA's selected audit scheme (see [Section 8](#8-compliance-audit-and-other-assessments)). The CA's Certificate Policy and/or Certification Practice Statement MUST be structured in accordance with RFC 3647. The Certificate Policy and/or Certification Practice Statement MUST include all material required by RFC 3647. 
@@ -360,17 +360,21 @@ In addition, the CA MUST include (directly or by reference) the applicable requi ## 3.2 Initial identity validation -### 3.2.1 General Overview +### 3.2.1 Method to prove possession of private key + +### 3.2.2 Authentication of organization identity + +#### 3.2.2.1 Overview This part of the Guidelines sets forth Verification Requirements and Acceptable Methods of Verification for each such Requirement. -#### 3.2.1.1 Verification Requirements – Overview +##### 3.2.2.1.1 Verification Requirements – Overview Before issuing an EV Certificate, the CA MUST ensure that all Subject organization information to be included in the EV Certificate conforms to the requirements of, and is verified in accordance with, these Guidelines and matches the information confirmed and documented by the CA pursuant to its verification processes. Such verification processes are intended to accomplish the following: 1. Verify Applicant's existence and identity, including; - A. Verify the Applicant's legal existence and identity (as more fully set forth in [Section 3.2.2](#322-verification-of-applicants-legal-existence-and-identity)), + A. Verify the Applicant's legal existence and identity (as more fully set forth in [Section 3.2.2.2](#3222-verification-of-applicants-legal-existence-and-identity)), B. Verify the Applicant's physical existence (business presence at a physical address), and 
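Review bot: the new `### 3.2.1 Method to prove possession of private key` heading is added with no body, and the same is true of `### 3.2.2 Authentication of organization identity` before its `#### 3.2.2.1 Overview`. An empty 3.2.1 slot will render as a heading with nothing under it; RFC 3647 expects each slot to carry content or an explicit "No stipulation." (or, here, a pointer to the corresponding Baseline Requirements section, since the EV text relies on the BRs for proof-of-possession). Suggest adding one of those lines so the section does not read as unfinished.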
@@ -388,11 +392,11 @@ Before issuing an EV Certificate, the CA MUST ensure that all Subject organizati C. Verify that a Certificate Approver has signed or otherwise approved the EV Certificate Request. -#### 3.2.1.2 Acceptable Methods of Verification – Overview +##### 3.2.2.1.2 Acceptable Methods of Verification – Overview As a general rule, the CA is responsible for taking all verification steps reasonably necessary to satisfy each of the Verification Requirements set forth in the subsections below. The Acceptable Methods of Verification set forth in each of Sections 3.2.2 through 3.2.14 (which usually include alternatives) are considered to be the minimum acceptable level of verification required of the CA. In all cases, however, the CA is responsible for taking any additional verification steps that may be reasonably necessary under the circumstances to satisfy the applicable Verification Requirement. -#### 3.2.1.3 Disclosure of Verification Sources +##### 3.2.2.1.3 Disclosure of Verification Sources Effective as of 1 October 2020, prior to the use of an Incorporating Agency or Registration Agency to fulfill these verification requirements, the CA MUST publicly disclose Agency Information about the Incorporating Agency or Registration Agency. This disclosure SHALL be through an appropriate and readily accessible online means. @@ -405,9 +409,9 @@ This Agency Information SHALL include at least the following: The CA MUST document where to obtain this information within Section 3.2 of the CA's Certificate Policy and/or Certification Practice Statement. -### 3.2.2 Verification of Applicant's Legal Existence and Identity +#### 3.2.2.2 Verification of Applicant's Legal Existence and Identity -#### 3.2.2.1 Verification Requirements +##### 3.2.2.2.1 Verification Requirements To verify the Applicant's legal existence and identity, the CA MUST do the following. 
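Review bot: in the first hunk on this line (`@@ -388,11 +392,11 @@`), the unchanged context sentence "The Acceptable Methods of Verification set forth in each of Sections 3.2.2 through 3.2.14" is now stale: after this patch those sections are 3.2.2.2 through 3.2.2.14, and a bare "3.2.2" now refers to "Authentication of organization identity" as a whole. Update the range in the same commit so the overview agrees with the headings it introduces; the `##### 3.2.2.1.2` heading change itself is consistent with the rest of the renumbering.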
@@ -437,20 +441,20 @@ To verify the Applicant's legal existence and identity, the CA MUST do the follo B. **Entity Name**: Verify that the Applicant's formal legal name matches the Applicant's name in the EV Certificate Request. C. **Registration Number**: The CA MUST attempt to obtain the Applicant's date of formation, or the identifier for the legislative act that created the International Organization Entity. In circumstances where this information is not available, the CA MUST enter appropriate language to indicate that the Subject is an International Organization Entity. -#### 3.2.2.2 Acceptable Method of Verification +##### 3.2.2.2.2 Acceptable Method of Verification -1. **Private Organization Subjects**: Unless verified under subsection (6), all items listed in [Section 3.2.2.1](#3221-verification-requirements) (1) MUST be verified directly with, or obtained directly from, the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration. Such verification MAY be through use of a Qualified Government Information Source operated by, or on behalf of, the Incorporating or Registration Agency, or by direct contact with the Incorporating or Registration Agency in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Incorporating or Registration Agency, or from a Qualified Independent Information Source. +1. **Private Organization Subjects**: Unless verified under subsection (6), all items listed in [Section 3.2.2.2.1](#32221-verification-requirements) (1) MUST be verified directly with, or obtained directly from, the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration. 
Such verification MAY be through use of a Qualified Government Information Source operated by, or on behalf of, the Incorporating or Registration Agency, or by direct contact with the Incorporating or Registration Agency in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Incorporating or Registration Agency, or from a Qualified Independent Information Source. -2. **Government Entity Subjects**: Unless verified under subsection (6), all items listed in [Section 3.2.2.1](#3221-verification-requirements) (2) MUST either be verified directly with, or obtained directly from, one of the following: +2. **Government Entity Subjects**: Unless verified under subsection (6), all items listed in [Section 3.2.2.2.1](#32221-verification-requirements) (2) MUST either be verified directly with, or obtained directly from, one of the following: i. a Qualified Government Information Source in the political subdivision in which such Government Entity operates; ii. a superior governing Government Entity in the same political subdivision as the Applicant (e.g. a Secretary of State may verify the legal existence of a specific State Department), or iii. from a judge that is an active member of the federal, state or local judiciary within that political subdivision. - Any communication from a judge SHALL be verified in the same manner as is used for verifying factual assertions that are asserted by an Attorney as set forth in [Section 3.2.11.1](#32111-verified-legal-opinion). + Any communication from a judge SHALL be verified in the same manner as is used for verifying factual assertions that are asserted by an Attorney as set forth in [Section 3.2.2.11.1](#322111-verified-legal-opinion). 
Such verification MAY be by direct contact with the appropriate Government Entity in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained from a Qualified Independent Information Source. -3. **Business Entity Subjects**: Unless verified under subsection (6), Items listed in [Section 3.2.2.1](#3221-verification-requirements) (3) (A) through (C) above, MUST be verified directly with, or obtained directly from, the Registration Agency in the Applicant's Jurisdiction of Registration. Such verification MAY be performed by means of a Qualified Government Information Source, a Qualified Governmental Tax Information Source, or by direct contact with the Registration Agency in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Qualified Governmental Tax Information Source or Registration Agency, or from a Qualified Independent Information Source. In addition, the CA MUST validate a Principal Individual associated with the Business Entity pursuant to the requirements in subsection (4), below. +3. **Business Entity Subjects**: Unless verified under subsection (6), Items listed in [Section 3.2.2.2.1](#32221-verification-requirements) (3) (A) through (C) above, MUST be verified directly with, or obtained directly from, the Registration Agency in the Applicant's Jurisdiction of Registration. Such verification MAY be performed by means of a Qualified Government Information Source, a Qualified Governmental Tax Information Source, or by direct contact with the Registration Agency in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Qualified Governmental Tax Information Source or Registration Agency, or from a Qualified Independent Information Source. 
In addition, the CA MUST validate a Principal Individual associated with the Business Entity pursuant to the requirements in subsection (4), below. 4. **Principal Individual**: A Principal Individual associated with the Business Entity MUST be validated in a face-to-face setting. The CA MAY rely upon a face-to-face validation of the Principal Individual performed by the Registration Agency, provided that the CA has evaluated the validation procedure and concluded that it satisfies the requirements of the Guidelines for face-to-face validation procedures. Where no face-to-face validation was conducted by the Registration Agency, or the Registration Agency's face-to-face validation procedure does not satisfy the requirements of the Guidelines, the CA SHALL perform face-to-face validation. 
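Review bot: items 1 and 3 of `##### 3.2.2.2.2 Acceptable Method of Verification` are not only renumbered but also re-wrapped, with the second sentence ("Such verification MAY be through use of ...") and, in item 3, "In addition, the CA MUST validate a Principal Individual ..." moved onto their own lines. If those continuation lines are not indented under the list item (and are separated from it by a blank line), CommonMark renderers will close the list there and restart numbering at 1 for the next item, which silently breaks the "(1)", "(2)", "(3)" cross-references elsewhere in this section. Either indent the continuation lines by the list item width or keep the sentences on the item line; and consider keeping reflow out of a renumbering commit so the textual diff stays reviewable.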
@@ -500,7 +504,7 @@ To verify the Applicant's legal existence and identity, the CA MUST do the follo i. the CA confirms their authenticity (not improperly modified when compared with the underlying original) with the Third-Party Validator; and ii. electronic copies of similar kinds of documents are recognized as legal substitutes for originals under the laws of the CA's jurisdiction. -5. **Non-Commercial Entity Subjects (International Organization)**: Unless verified under subsection (6), all items listed in [Section 3.2.2.1](#3221-verification-requirements) (4) MUST be verified either: +5. **Non-Commercial Entity Subjects (International Organization)**: Unless verified under subsection (6), all items listed in [Section 3.2.2.2.1](#32221-verification-requirements) (4) MUST be verified either: A. With reference to the constituent document under which the International Organization was formed; or B. Directly with a signatory country's government in which the CA is permitted to do business. Such verification may be obtained from an appropriate government agency or from the laws of that country, or by verifying that the country's government has a mission to represent it at the International Organization; or 
@@ -512,16 +516,16 @@ To verify the Applicant's legal existence and identity, the CA MUST do the follo i. the Verified Professional Letter includes a copy of supporting documentation used to establish the Applicant's legal existence, such as a certificate of registration, articles of incorporation, operating agreement, statute, or regulatory act, and ii. the CA confirms the Applicant's organization name specified in the Verified Professional Letter with a QIIS or QGIS. -### 3.2.3 Verification of Applicant's Legal Existence and Identity – Assumed Name +#### 3.2.2.3 Verification of Applicant's Legal Existence and Identity – Assumed Name -#### 3.2.3.1 Verification Requirements +##### 3.2.2.3.1 Verification Requirements If, in addition to the Applicant's formal legal name, as recorded with the applicable Incorporating Agency or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration, the Applicant's identity, as asserted in the EV Certificate, is to contain any assumed name (also known as "doing business as", "DBA", or "d/b/a" in the US, and "trading as" in the UK) under which the Applicant conducts business, the CA MUST verify that: i. the Applicant has registered its use of the assumed name with the appropriate government agency for such filings in the jurisdiction of its Place of Business (as verified in accordance with these Guidelines), and ii. that such filing continues to be valid. -#### 3.2.3.2 Acceptable Method of Verification +##### 3.2.2.3.2 Acceptable Method of Verification To verify any assumed name under which the Applicant conducts business: 
@@ -529,9 +533,9 @@ To verify any assumed name under which the Applicant conducts business: 2. The CA MAY verify the assumed name through use of a Qualified Independent Information Source provided that the QIIS has verified the assumed name with the appropriate government agency. 3. The CA MAY rely on a Verified Professional Letter that indicates the assumed name under which the Applicant conducts business, the government agency with which the assumed name is registered, and that such filing continues to be valid. -### 3.2.4 Verification of Applicant's Physical Existence +#### 3.2.2.4 Verification of Applicant's Physical Existence -#### 3.2.4.1 Address of Applicant's Place of Business +##### 3.2.2.4.1 Address of Applicant's Place of Business 1. **Verification Requirements**: To verify the Applicant's physical existence and business presence, the CA MUST verify that the physical address provided by the Applicant is an address where the Applicant or a Parent/Subsidiary Company conducts business operations (not, for example, a mail drop or P.O. box, or 'care of' (C/O) address, such as an address for an agent of the Organization), and is the address of the Applicant's Place of Business. 
@@ -539,7 +543,7 @@ To verify any assumed name under which the Applicant conducts business: A. **Place of Business in the Country of Incorporation or Registration** - i. For Applicants whose Place of Business is in the same country as the Applicant's Jurisdiction of Incorporation or Registration and whose Place of Business is NOT the same as that indicated in the relevant Qualified Government Information Source used in [Section 3.2.2](#322-verification-of-applicants-legal-existence-and-identity) to verify legal existence: + i. For Applicants whose Place of Business is in the same country as the Applicant's Jurisdiction of Incorporation or Registration and whose Place of Business is NOT the same as that indicated in the relevant Qualified Government Information Source used in [Section 3.2.2.2](#3222-verification-of-applicants-legal-existence-and-identity) to verify legal existence: 1. For Applicants listed at the same Place of Business address in the current version of either at least one QGIS (other than that used to verify legal existence), QIIS or QTIS, the CA MUST confirm that the Applicant's address, as listed in the EV Certificate Request, is a valid business address for the Applicant or a Parent/Subsidiary Company by reference to such QGIS, QIIS, or QTIS, and MAY rely on the Applicant's representation that such address is its Place of Business; 
@@ -555,17 +559,17 @@ To verify any assumed name under which the Applicant conducts business: ii. For all Applicants, the CA MAY alternatively rely on a Verified Professional Letter that indicates the address of the Applicant's or a Parent/Subsidiary Company's Place of Business and that business operations are conducted there. iii. For Government Entity Applicants, the CA MAY rely on the address contained in the records of the QGIS in the Applicant's jurisdiction. - iv. For Applicants whose Place of Business is in the same country as the Applicant's Jurisdiction of Incorporation or Registration and where the QGIS used in [Section 3.2.2](#322-verification-of-applicants-legal-existence-and-identity) to verify legal existence contains a business address for the Applicant, the CA MAY rely on the address in the QGIS to confirm the Applicant's or a Parent/Subsidiary Company's address as listed in the EV Certificate Request, and MAY rely on the Applicant's representation that such address is its Place of Business. + iv. For Applicants whose Place of Business is in the same country as the Applicant's Jurisdiction of Incorporation or Registration and where the QGIS used in [Section 3.2.2.2](#3222-verification-of-applicants-legal-existence-and-identity) to verify legal existence contains a business address for the Applicant, the CA MAY rely on the address in the QGIS to confirm the Applicant's or a Parent/Subsidiary Company's address as listed in the EV Certificate Request, and MAY rely on the Applicant's representation that such address is its Place of Business. B. **Place of Business not in the Country of Incorporation or Registration**: The CA MUST rely on a Verified Professional Letter that indicates the address of the Applicant's Place of Business and that business operations are conducted there. 
-### 3.2.5 Verified Method of Communication +#### 3.2.2.5 Verified Method of Communication -#### 3.2.5.1 Verification Requirements +##### 3.2.2.5.1 Verification Requirements To assist in communicating with the Applicant and confirming that the Applicant is aware of and approves issuance, the CA MUST verify a telephone number, fax number, email address, or postal delivery address as a Verified Method of Communication with the Applicant. -#### 3.2.5.2 Acceptable Methods of Verification +##### 3.2.2.5.2 Acceptable Methods of Verification To verify a Verified Method of Communication with the Applicant, the CA MUST: 
@@ -577,13 +581,13 @@ A. Verify that the Verified Method of Communication belongs to the Applicant, o B. Confirm the Verified Method of Communication by using it to obtain an affirmative response sufficient to enable a reasonable person to conclude that the Applicant, or a Parent/Subsidiary or Affiliate of Applicant, can be contacted reliably by using the Verified Method of Communication. -### 3.2.6 Verification of Applicant's Operational Existence +#### 3.2.2.6 Verification of Applicant's Operational Existence -#### 3.2.6.1 Verification Requirements +##### 3.2.2.6.1 Verification Requirements -The CA MUST verify that the Applicant has the ability to engage in business by verifying the Applicant's, or Affiliate/Parent/Subsidiary Company's, operational existence. The CA MAY rely on its verification of a Government Entity's legal existence under [Section 3.2.2](#322-verification-of-applicants-legal-existence-and-identity) as verification of a Government Entity's operational existence. +The CA MUST verify that the Applicant has the ability to engage in business by verifying the Applicant's, or Affiliate/Parent/Subsidiary Company's, operational existence. The CA MAY rely on its verification of a Government Entity's legal existence under [Section 3.2.2.2](#3222-verification-of-applicants-legal-existence-and-identity) as verification of a Government Entity's operational existence. -#### 3.2.6.2 Acceptable Methods of Verification +##### 3.2.2.6.2 Acceptable Methods of Verification To verify the Applicant's ability to engage in business, the CA MUST verify the operational existence of the Applicant, or its Affiliate/Parent/Subsidiary Company, by: 
@@ -595,17 +599,17 @@ To verify the Applicant's ability to engage in business, the CA MUST verify the 4. Relying on a Verified Professional Letter to the effect that the Applicant has an active current Demand Deposit Account with a Regulated Financial Institution. -#### 3.2.7 Verification of Applicant's Domain Name +##### 3.2.2.7 Verification of Applicant's Domain Name -#### 3.2.7.1 Verification Requirements +##### 3.2.2.7.1 Verification Requirements 1. For each Fully-Qualified Domain Name listed in a Certificate which is not an Onion Domain Name, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant (or the Applicant's Parent Company, Subsidiary Company, or Affiliate, collectively referred to as "Applicant" for the purposes of this section) either is the Domain Name Registrant or has control over the FQDN using a procedure specified in Section 3.2.2.4 of the Baseline Requirements. For a Certificate issued to an Onion Domain Name, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant's control over the Onion Domain Name in accordance with Appendix B of the Baseline Requirements. 2. **Mixed Character Set Domain Names**: EV Certificates MAY include Domain Names containing mixed character sets only in compliance with the rules set forth by the domain registrar. The CA MUST visually compare any Domain Names with mixed character sets with known high risk domains. If a similarity is found, then the EV Certificate Request MUST be flagged as High Risk. The CA must perform reasonably appropriate additional authentication and verification to be certain beyond reasonable doubt that the Applicant and the target in question are the same organization. 
-### 3.2.8 Verification of Name, Title, and Authority of Contract Signer and Certificate Approver +#### 3.2.2.8 Verification of Name, Title, and Authority of Contract Signer and Certificate Approver -#### 3.2.8.1 Verification Requirements +##### 3.2.2.8.1 Verification Requirements For both the Contract Signer and the Certificate Approver, the CA MUST verify the following. @@ -617,7 +621,7 @@ For both the Contract Signer and the Certificate Approver, the CA MUST verify th B. Provide, and, if applicable, authorize a Certificate Requester to provide, the information requested from the Applicant by the CA for issuance of the EV Certificate; and C. Approve EV Certificate Requests submitted by a Certificate Requester. -#### 3.2.8.2 Acceptable Methods of Verification – Name, Title and Agency +##### 3.2.2.8.2 Acceptable Methods of Verification – Name, Title and Agency Acceptable methods of verification of the name, title, and agency status of the Contract Signer and the Certificate Approver include the following. 
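Review bot: in the `@@ -595,17 +599,17 @@` hunk, `##### 3.2.2.7 Verification of Applicant's Domain Name` is one level deeper than its siblings (`#### 3.2.2.6`, `#### 3.2.2.8`) and sits at the same depth as its own child `##### 3.2.2.7.1 Verification Requirements`. The old text had the same off-by-one (`#### 3.2.7` among `### 3.2.x` headings), so the patch carries the defect forward; since the line is being rewritten anyway, make it `#### 3.2.2.7` so the generated anchor and table of contents nest correctly. Also worth a glance in the same hunk: "a procedure specified in Section 3.2.2.4 of the Baseline Requirements" is unchanged and correct, but after this renumbering this document also has its own 3.2.2.4 (Physical Existence), so any later edit that drops the "of the Baseline Requirements" qualifier would become ambiguous.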
@@ -626,12 +630,12 @@ Acceptable methods of verification of the name, title, and agency status of the 2. **Agency**: The CA MAY verify the agency of the Contract Signer and the Certificate Approver by: A. Contacting the Applicant using a Verified Method of Communication for the Applicant, and obtaining confirmation that the Contract Signer and/or the Certificate Approver, as applicable, is an employee; - B. Obtaining an Independent Confirmation From the Applicant (as described in [Section 3.2.11.4](#32114-independent-confirmation-from-applicant)), or a Verified Professional Letter verifying that the Contract Signer and/or the Certificate Approver, as applicable, is either an employee or has otherwise been appointed as an agent of the Applicant; or + B. Obtaining an Independent Confirmation From the Applicant (as described in [Section 3.2.2.11.4](#322114-independent-confirmation-from-applicant)), or a Verified Professional Letter verifying that the Contract Signer and/or the Certificate Approver, as applicable, is either an employee or has otherwise been appointed as an agent of the Applicant; or C. Obtaining confirmation from a QIIS or QGIS that the Contract Signer and/or Certificate Approver is an employee of the Applicant. The CA MAY also verify the agency of the Certificate Approver via a certification from the Contract Signer (including in a contract between the CA and the Applicant signed by the Contract Signer), provided that the employment or agency status and Signing Authority of the Contract Signer has been verified. -#### 3.2.8.3 Acceptable Methods of Verification – Authority +##### 3.2.2.8.3 Acceptable Methods of Verification – Authority Acceptable methods of verification of the Signing Authority of the Contract Signer, and the EV Authority of the Certificate Approver, as applicable, include: 
@@ -641,7 +645,7 @@ Acceptable methods of verification of the Signing Authority of the Contract Sign i. certified by the appropriate corporate officer (e.g., secretary), and ii. the CA can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification; -3. **Independent Confirmation from Applicant**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by obtaining an Independent Confirmation from the Applicant (as described in [Section 3.2.11.4](#32114-independent-confirmation-from-applicant)); +3. **Independent Confirmation from Applicant**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by obtaining an Independent Confirmation from the Applicant (as described in [Section 3.2.2.11.4](#322114-independent-confirmation-from-applicant)); 4. **Contract between CA and Applicant**: The EV Authority of the Certificate Approver MAY be verified by reliance on a contract between the CA and the Applicant that designates the Certificate Approver with such EV Authority, provided that the contract is signed by the Contract Signer and provided that the agency and Signing Authority of the Contract Signer have been verified; 5. **Prior Equivalent Authority**: The signing authority of the Contract Signer, and/or the EV authority of the Certificate Approver, MAY be verified by relying on a demonstration of Prior Equivalent Authority. 
@@ -669,13 +673,13 @@ Acceptable methods of verification of the Signing Authority of the Contract Sign Note: An example of an acceptable representation/warranty appears in [Appendix E](#appendix-e---sample-contract-signers-representationwarranty-informative). -#### 3.2.8.4 Pre-Authorized Certificate Approver +##### 3.2.2.8.4 Pre-Authorized Certificate Approver Where the CA and Applicant contemplate the submission of multiple future EV Certificate Requests, then, after the CA: 1. Has verified the name and title of the Contract Signer and that he/she is an employee or agent of the Applicant; and -2. Has verified the Signing Authority of such Contract Signer in accordance with one of the procedures in [Section 3.2.8.3](#3283-acceptable-methods-of-verification--authority). +2. Has verified the Signing Authority of such Contract Signer in accordance with one of the procedures in [Section 3.2.2.8.3](#32283-acceptable-methods-of-verification--authority). The CA and the Applicant MAY enter into a written agreement, signed by the Contract Signer on behalf of the Applicant, whereby, for a specified term, the Applicant expressly authorizes one or more Certificate Approver(s) designated in such agreement to exercise EV Authority with respect to each future EV Certificate Request submitted on behalf of the Applicant and properly authenticated as originating with, or otherwise being approved by, such Certificate Approver(s). 
@@ -686,17 +690,17 @@ Such an agreement MUST provide that the Applicant shall be obligated under the S iii. secure procedures by which the Applicant can notify the CA that the EV Authority of any such Certificate Approver is revoked, and iv. such other appropriate precautions as are reasonably necessary. -### 3.2.9 Verification of Signature on Subscriber Agreement and EV Certificate Requests +#### 3.2.2.9 Verification of Signature on Subscriber Agreement and EV Certificate Requests -Both the Subscriber Agreement and each non-pre-authorized EV Certificate Request MUST be signed. The Subscriber Agreement MUST be signed by an authorized Contract Signer. The EV Certificate Request MUST be signed by the Certificate Requester submitting the document, unless the Certificate Request has been pre-authorized in line with [Section 3.2.8.4](#3284-pre-authorized-certificate-approver). If the Certificate Requester is not also an authorized Certificate Approver, then an authorized Certificate Approver MUST independently approve the EV Certificate Request. In all cases, applicable signatures MUST be a legally valid and contain an enforceable seal or handwritten signature (for a paper Subscriber Agreement and/or EV Certificate Request), or a legally valid and enforceable electronic signature (for an electronic Subscriber Agreement and/or EV Certificate Request), that binds the Applicant to the terms of each respective document. +Both the Subscriber Agreement and each non-pre-authorized EV Certificate Request MUST be signed. The Subscriber Agreement MUST be signed by an authorized Contract Signer. The EV Certificate Request MUST be signed by the Certificate Requester submitting the document, unless the Certificate Request has been pre-authorized in line with [Section 3.2.2.8.4](#32284-pre-authorized-certificate-approver). 
If the Certificate Requester is not also an authorized Certificate Approver, then an authorized Certificate Approver MUST independently approve the EV Certificate Request. In all cases, applicable signatures MUST be a legally valid and contain an enforceable seal or handwritten signature (for a paper Subscriber Agreement and/or EV Certificate Request), or a legally valid and enforceable electronic signature (for an electronic Subscriber Agreement and/or EV Certificate Request), that binds the Applicant to the terms of each respective document. -#### 3.2.9.1 Verification Requirements +##### 3.2.2.9.1 Verification Requirements 1. **Signature**: The CA MUST authenticate the signature of the Contract Signer on the Subscriber Agreement and the signature of the Certificate Requester on each EV Certificate Request in a manner that makes it reasonably certain that the person named as the signer in the applicable document is, in fact, the person who signed the document on behalf of the Applicant. -2. **Approval Alternative**: In cases where an EV Certificate Request is signed and submitted by a Certificate Requester who does not also function as a Certificate Approver, approval and adoption of the EV Certificate Request by a Certificate Approver in accordance with the requirements of [Section 3.2.10](#3210-verification-of-approval-of-ev-certificate-request) can substitute for authentication of the signature of the Certificate Requester on such EV Certificate Request. +2. **Approval Alternative**: In cases where an EV Certificate Request is signed and submitted by a Certificate Requester who does not also function as a Certificate Approver, approval and adoption of the EV Certificate Request by a Certificate Approver in accordance with the requirements of [Section 3.2.2.10](#32210-verification-of-approval-of-ev-certificate-request) can substitute for authentication of the signature of the Certificate Requester on such EV Certificate Request. 
-#### 3.2.9.2 Acceptable Methods of Signature Verification +##### 3.2.2.9.2 Acceptable Methods of Signature Verification Acceptable methods of authenticating the signature of the Certificate Requester or Contract Signer include the following: 
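Review bot: the rewritten `#### 3.2.2.9` paragraph keeps the pre-existing wording "applicable signatures MUST be a legally valid and contain an enforceable seal or handwritten signature", where the stray "a" makes the sentence ungrammatical ("be a legally valid and contain"); since the line is already being replaced, drop the "a" here. The same remark on continuation lines applies as for 3.2.2.2.2: "If the Certificate Requester is not also an authorized Certificate Approver ..." appears to have been split onto its own line, and it needs to stay part of the same paragraph rather than becoming a detached one.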
@@ -708,23 +712,23 @@ Acceptable methods of authenticating the signature of the Certificate Requester 4. Notarization by a notary, provided that the CA independently verifies that such notary is a legally qualified notary in the jurisdiction of the Certificate Requester or Contract Signer. -### 3.2.10 Verification of Approval of EV Certificate Request +#### 3.2.2.10 Verification of Approval of EV Certificate Request -#### 3.2.10.1 Verification Requirements +##### 3.2.2.10.1 Verification Requirements In cases where an EV Certificate Request is submitted by a Certificate Requester, before the CA issues the requested EV Certificate, the CA MUST verify that an authorized Certificate Approver reviewed and approved the EV Certificate Request. -#### 3.2.10.2 Acceptable Methods of Verification +##### 3.2.2.10.2 Acceptable Methods of Verification Acceptable methods of verifying the Certificate Approver's approval of an EV Certificate Request include: 1. Contacting the Certificate Approver using a Verified Method of Communication for the Applicant and obtaining oral or written confirmation that the Certificate Approver has reviewed and approved the EV Certificate Request; 2. Notifying the Certificate Approver that one or more new EV Certificate Requests are available for review and approval at a designated access-controlled and secure Web site, followed by a login by, and an indication of approval from, the Certificate Approver in the manner required by the Web site; or -3. Verifying the signature of the Certificate Approver on the EV Certificate Request in accordance with [Section 3.2.9](#329-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests). +3. Verifying the signature of the Certificate Approver on the EV Certificate Request in accordance with [Section 3.2.2.9](#3229-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests). 
-### 3.2.11 Verification of Certain Information Sources +#### 3.2.2.11 Verification of Certain Information Sources -#### 3.2.11.1 Verified Legal Opinion +##### 3.2.2.11.1 Verified Legal Opinion 1. **Verification Requirements**: Before relying on a legal opinion submitted to the CA, the CA MUST verify that such legal opinion meets the following requirements: 
@@ -742,9 +746,9 @@ Acceptable methods of verifying the Certificate Approver's approval of an EV Cer B. **Basis of Opinion**: The text of the legal opinion MUST make it clear that the Legal Practitioner is acting on behalf of the Applicant and that the conclusions of the legal opinion are based on the Legal Practitioner's stated familiarity with the relevant facts and the exercise of the practitioner's professional judgment and expertise. The legal opinion MAY also include disclaimers and other limitations customary in the Legal Practitioner's jurisdiction, provided that the scope of the disclaimed responsibility is not so great as to eliminate any substantial risk (financial, professional, and/or reputational) to the Legal Practitioner, should the legal opinion prove to be erroneous. An acceptable form of legal opinion is attached as [Appendix B](#appendix-b---sample-attorney-opinions-confirming-specified-information); C. **Authenticity**: To confirm the authenticity of the legal opinion, the CA MUST make a telephone call or send a copy of the legal opinion back to the Legal Practitioner at the address, phone number, facsimile, or (if available) e-mail address for the Legal Practitioner listed with the authority responsible for registering or licensing such Legal Practitioner, and obtain confirmation from the Legal Practitioner or the Legal Practitioner's assistant that the legal opinion is authentic. If a phone number is not available from the licensing authority, the CA MAY use the number listed for the Legal Practitioner in records provided by the applicable phone company, QGIS, or QIIS. - In circumstances where the opinion is digitally signed, in a manner that confirms the authenticity of the document and the identity of the signer, as verified by the CA in [Section 3.2.11.1](#32111-verified-legal-opinion) (2)(A), no further verification of authenticity is required. 
+ In circumstances where the opinion is digitally signed, in a manner that confirms the authenticity of the document and the identity of the signer, as verified by the CA in [Section 3.2.2.11.1](#322111-verified-legal-opinion) (2)(A), no further verification of authenticity is required. -#### 3.2.11.2 Verified Accountant Letter +##### 3.2.2.11.2 Verified Accountant Letter 1. **Verification Requirements**: Before relying on an accountant letter submitted to the CA, the CA MUST verify that such accountant letter meets the following requirements: 
@@ -758,9 +762,9 @@ Acceptable methods of verifying the Certificate Approver's approval of an EV Cer B. **Basis of Opinion**: The text of the Verified Accountant Letter MUST make clear that the Accounting Practitioner is acting on behalf of the Applicant and that the information in the letter is based on the Accounting Practitioner's stated familiarity with the relevant facts and the exercise of the practitioner's professional judgment and expertise. The Verified Accountant Letter MAY also include disclaimers and other limitations customary in the Accounting Practitioner's jurisdiction, provided that the scope of the disclaimed responsibility is not so great as to eliminate any substantial risk (financial, professional, and/or reputational) to the Accounting Practitioner, should the Verified Accountant Letter prove to be erroneous. Acceptable forms of Verified Accountant Letter are attached as [Appendix C](#appendix-c---sample-accountant-letters-confirming-specified-information). C. **Authenticity**: To confirm the authenticity of the accountant's opinion, the CA MUST make a telephone call or send a copy of the Verified Accountant Letter back to the Accounting Practitioner at the address, phone number, facsimile, or (if available) e-mail address for the Accounting Practitioner listed with the authority responsible for registering or licensing such Accounting Practitioners and obtain confirmation from the Accounting Practitioner or the Accounting Practitioner's assistant that the accountant letter is authentic. If a phone number is not available from the licensing authority, the CA MAY use the number listed for the Accountant in records provided by the applicable phone company, QGIS, or QIIS. 
- In circumstances where the opinion is digitally signed, in a manner that confirms the authenticity of the document and the identity of the signer, as verified by the CA in [Section 3.2.11.2](#32112-verified-accountant-letter) (2)(A), no further verification of authenticity is required. + In circumstances where the opinion is digitally signed, in a manner that confirms the authenticity of the document and the identity of the signer, as verified by the CA in [Section 3.2.2.11.2](#322112-verified-accountant-letter) (2)(A), no further verification of authenticity is required. -#### 3.2.11.3 Face-to-Face Validation +##### 3.2.2.11.3 Face-to-Face Validation 1. **Verification Requirements**: Before relying on face-to-face vetting documents submitted to the CA, the CA MUST verify that the Third-Party Validator meets the following requirements: 
@@ -772,9 +776,9 @@ Acceptable methods of verifying the Certificate Approver's approval of an EV Cer A. **Qualification of Third-Party Validator**: The CA MUST verify the professional status of the Third-Party Validator by directly contacting the authority responsible for registering or licensing such Third-Party Validators in the applicable jurisdiction; B. **Document Chain of Custody**: The Third-Party Validator MUST submit a statement to the CA which attests that they obtained the Vetting Documents submitted to the CA for the individual during a face-to-face meeting with the individual; - C. **Verification of Attestation**: If the Third-Party Validator is not a Latin Notary, then the CA MUST confirm the authenticity of the vetting documents received from the Third-Party Validator. The CA MUST make a telephone call to the Third-Party Validator and obtain confirmation from them or their assistant that they performed the face-to-face validation. The CA MAY rely upon self-reported information obtained from the Third-Party Validator for the sole purpose of performing this verification process. In circumstances where the attestation is digitally signed, in a manner that confirms the authenticity of the documents, and the identity of the signer as verified by the CA in [Section 3.2.11.3](#32113-face-to-face-validation) (1)(A), no further verification of authenticity is required. + C. **Verification of Attestation**: If the Third-Party Validator is not a Latin Notary, then the CA MUST confirm the authenticity of the vetting documents received from the Third-Party Validator. The CA MUST make a telephone call to the Third-Party Validator and obtain confirmation from them or their assistant that they performed the face-to-face validation. The CA MAY rely upon self-reported information obtained from the Third-Party Validator for the sole purpose of performing this verification process. 
In circumstances where the attestation is digitally signed, in a manner that confirms the authenticity of the documents, and the identity of the signer as verified by the CA in [Section 3.2.2.11.3](#322113-face-to-face-validation) (1)(A), no further verification of authenticity is required. -#### 3.2.11.4 Independent Confirmation From Applicant +##### 3.2.2.11.4 Independent Confirmation From Applicant An Independent Confirmation from the Applicant is a confirmation of a particular fact (e.g., confirmation of the employee or agency status of a Contract Signer or Certificate Approver, confirmation of the EV Authority of a Certificate Approver, etc.) that is: @@ -811,7 +815,7 @@ An Independent Confirmation from the Applicant MAY be obtained via the following A. The domain of the e-mail address is owned by the Applicant and is the Confirming Person's own e-mail address and not a group e-mail alias; B. The Confirming Person's telephone/fax number is verified by the CA to be a telephone number that is part of the organization's telephone system, and is not the personal phone number for the person. -#### 3.2.11.5 Qualified Independent Information Source +##### 3.2.2.11.5 Qualified Independent Information Source A Qualified Independent Information Source (QIIS) is a regularly-updated and publicly available database that is generally recognized as a dependable source for certain information. A database qualifies as a QIIS if the CA determines that: 
@@ -826,21 +830,21 @@ The CA SHALL use a documented process to check the accuracy of the database and Databases in which the CA or its owners or affiliated companies maintain a controlling interest, or in which any Registration Authorities or subcontractors to whom the CA has outsourced any portion of the vetting process (or their owners or affiliated companies) maintain any ownership or beneficial interest, do not qualify as a QIIS. -#### 3.2.11.6 Qualified Government Information Source +##### 3.2.2.11.6 Qualified Government Information Source A Qualified Government Information Source (QGIS) is a regularly-updated and current, publicly available, database designed for the purpose of accurately providing the information for which it is consulted, and which is generally recognized as a dependable source of such information provided that it is maintained by a Government Entity, the reporting of data is required by law, and false or misleading reporting is punishable with criminal or civil penalties. Nothing in these Guidelines shall prohibit the use of third-party vendors to obtain the information from the Government Entity provided that the third party obtains the information directly from the Government Entity. -#### 3.2.11.7 Qualified Government Tax Information Source +##### 3.2.2.11.7 Qualified Government Tax Information Source A Qualified Government Tax Information Source is a Qualified Government Information Source that specifically contains tax information relating to Private Organizations, Business Entities or Individuals (e.g., the IRS in the United States). -### 3.2.12 Other Verification Requirements +#### 3.2.2.12 Other Verification Requirements -#### 3.2.12.1 High Risk Status +##### 3.2.2.12.1 High Risk Status The High Risk Certificate requirements of Section 4.2.1 of the Baseline Requirements apply equally to EV Certificates. -#### 3.2.12.2 Denied Lists and Other Legal Block Lists +##### 3.2.2.12.2 Denied Lists and Other Legal Block Lists 1. 
**Verification Requirements**: The CA MUST verify whether the Applicant, the Contract Signer, the Certificate Approver, the Applicant's Jurisdiction of Incorporation, Registration, or Place of Business: 
@@ -860,12 +864,12 @@ The High Risk Certificate requirements of Section 4.2.1 of the Baseline Requirem B. If the CA has operations in any other country, the CA MUST take reasonable steps to verify with all equivalent denied lists and export regulations (if any) in such other country. -#### 3.2.12.3 Parent/Subsidiary/Affiliate Relationship +##### 3.2.2.12.3 Parent/Subsidiary/Affiliate Relationship -A CA verifying an Applicant using information of the Applicant's Parent, Subsidiary, or Affiliate, when allowed under [Section 3.2.4.1](#3241-address-of-applicants-place-of-business), [Section 3.2.5](#325-verified-method-of-communication), [Section 3.2.6.1](#3261-verification-requirements), or [Section 3.2.7.1](#3271-verification-requirements), MUST verify the Applicant's relationship to the Parent, Subsidiary, or Affiliate. Acceptable methods of verifying the Applicant's relationship to the Parent, Subsidiary, or Affiliate include the following: +A CA verifying an Applicant using information of the Applicant's Parent, Subsidiary, or Affiliate, when allowed under [Section 3.2.2.4.1](#32241-address-of-applicants-place-of-business), [Section 3.2.2.5](#3225-verified-method-of-communication), [Section 3.2.2.6.1](#32261-verification-requirements), or [Section 3.2.2.7.1](#32271-verification-requirements), MUST verify the Applicant's relationship to the Parent, Subsidiary, or Affiliate. Acceptable methods of verifying the Applicant's relationship to the Parent, Subsidiary, or Affiliate include the following: 1. QIIS or QGIS: The relationship between the Applicant and the Parent, Subsidiary, or Affiliate is identified in a QIIS or QGIS; -2. Independent Confirmation from the Parent, Subsidiary, or Affiliate: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by obtaining an Independent Confirmation from the appropriate Parent, Subsidiary, or Affiliate (as described in [Section 3.2.11.4](#32114-independent-confirmation-from-applicant)); +2. 
Independent Confirmation from the Parent, Subsidiary, or Affiliate: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by obtaining an Independent Confirmation from the appropriate Parent, Subsidiary, or Affiliate (as described in [Section 3.2.2.11.4](#322114-independent-confirmation-from-applicant)); 3. Contract between CA and Parent, Subsidiary, or Affiliate: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by relying on a contract between the CA and the Parent, Subsidiary, or Affiliate that designates the Certificate Approver with such EV Authority, provided that the contract is signed by the Contract Signer and provided that the agency and Signing Authority of the Contract Signer have been verified; 4. Verified Professional Letter: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by relying on a Verified Professional Letter; or 5. Corporate Resolution: A CA MAY verify the relationship between an Applicant and a Subsidiary by relying on a properly authenticated corporate resolution that approves creation of the Subsidiary or the Applicant, provided that such resolution is: 
@@ -873,7 +877,7 @@ A CA verifying an Applicant using information of the Applicant's Parent, Subsidi i. certified by the appropriate corporate officer (e.g., secretary), and ii. the CA can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification. -### 3.2.13 Final Cross-Correlation and Due Diligence +#### 3.2.2.13 Final Cross-Correlation and Due Diligence 1. The results of the verification processes and procedures outlined in these Guidelines are intended to be viewed both individually and as a group. Thus, after all of the verification processes and procedures are completed, the CA MUST have a person who is not responsible for the collection of information review all of the information and documentation assembled in support of the EV Certificate application and look for discrepancies or other details requiring further explanation. 2. The CA MUST obtain and document further explanation or clarification from the Applicant, Certificate Approver, Certificate Requester, Qualified Independent Information Sources, and/or other sources of information, as necessary, to resolve those discrepancies or details that require further explanation. 
@@ -881,36 +885,36 @@ A CA verifying an Applicant using information of the Applicant's Parent, Subsidi 4. In the case where some or all of the documentation used to support the application is in a language other than the CA's normal operating language, the CA or its Affiliate MUST perform the requirements of this Final Cross-Correlation and Due Diligence section using employees under its control and having appropriate training, experience, and judgment in confirming organizational identification and authorization and fulfilling all qualification requirements contained in [Section 5.3.2](#532-background-check-procedures). When employees under the control of the CA do not possess the language skills necessary to perform the Final Cross-Correlation and Due Diligence a CA MAY: A. Rely on language translations of the relevant portions of the documentation, provided that the translations are received from a Translator; or - B. When the CA has utilized the services of an RA, the CA MAY rely on the language skills of the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence), Subsections (1), (2) and (3). Notwithstanding the foregoing, prior to issuing the EV Certificate, the CA MUST review the work completed by the RA and determine that all requirements have been met; or - C. When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 8.9](#89-self-audits) and [Section 8.3](#83-identityqualifications-of-assessor). + B. 
When the CA has utilized the services of an RA, the CA MAY rely on the language skills of the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with [Section 3.2.2.13](#32213-final-cross-correlation-and-due-diligence), Subsections (1), (2) and (3). Notwithstanding the foregoing, prior to issuing the EV Certificate, the CA MUST review the work completed by the RA and determine that all requirements have been met; or + C. When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 8.1.1](#811-self-audits) and [Section 8.3](#83-identityqualifications-of-assessor). In the case of EV Certificates to be issued in compliance with the requirements of [Section 1.3.2](#132-registration-authorities), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. -### 3.2.14 Requirements for Re-use of Existing Documentation +#### 3.2.2.14 Requirements for Re-use of Existing Documentation For each EV Certificate Request, including requests to renew existing EV Certificates, the CA MUST perform all authentication and verification tasks required by these Guidelines to ensure that the request is properly authorized by the Applicant and that the information in the EV Certificate is still accurate and valid. This section sets forth the age limitations on for the use of documentation collected by the CA. -#### 3.2.14.1 Validation For Existing Subscribers +##### 3.2.2.14.1 Validation For Existing Subscribers If an Applicant has a currently valid EV Certificate issued by the CA, a CA MAY rely on its prior authentication and verification of: -1. 
The Principal Individual verified under [Section 3.2.2.2](#3222-acceptable-method-of-verification) (4) if the individual is the same person as verified by the CA in connection with the Applicant's previously issued and currently valid EV Certificate; -2. The Applicant's Place of Business under [Section 3.2.4.1](#3241-address-of-applicants-place-of-business); -3. The Applicant's Verified Method of Communication required by [Section 3.2.5](#325-verified-method-of-communication) but still MUST perform the verification required by [Section 3.2.5.2](#3252-acceptable-methods-of-verification) (B); -4. The Applicant's Operational Existence under [Section 3.2.6](#326-verification-of-applicants-operational-existence); -5. The Name, Title, Agency and Authority of the Contract Signer, and Certificate Approver, under [Section 3.2.8](#328-verification-of-name-title-and-authority-of-contract-signer-and-certificate-approver); and -6. The Applicant's right to use the specified Domain Name under [Section 3.2.7](#327-verification-of-applicants-domain-name), provided that the CA verifies that the WHOIS record still shows the same registrant as when the CA verified the specified Domain Name for the initial EV Certificate. +1. The Principal Individual verified under [Section 3.2.2.2.2](#32222-acceptable-method-of-verification) (4) if the individual is the same person as verified by the CA in connection with the Applicant's previously issued and currently valid EV Certificate; +2. The Applicant's Place of Business under [Section 3.2.2.4.1](#32241-address-of-applicants-place-of-business); +3. The Applicant's Verified Method of Communication required by [Section 3.2.2.5](#3225-verified-method-of-communication) but still MUST perform the verification required by [Section 3.2.2.5.2](#32252-acceptable-methods-of-verification) (B); +4. The Applicant's Operational Existence under [Section 3.2.2.6](#3226-verification-of-applicants-operational-existence); +5. 
The Name, Title, Agency and Authority of the Contract Signer, and Certificate Approver, under [Section 3.2.2.8](#3228-verification-of-name-title-and-authority-of-contract-signer-and-certificate-approver); and +6. The Applicant's right to use the specified Domain Name under [Section 3.2.2.7](#3227-verification-of-applicants-domain-name), provided that the CA verifies that the WHOIS record still shows the same registrant as when the CA verified the specified Domain Name for the initial EV Certificate. -#### 3.2.14.2 Re-issuance Requests +##### 3.2.2.14.2 Re-issuance Requests A CA may rely on a previously verified certificate request to issue a replacement certificate, so long as the certificate being referenced was not revoked due to fraud or other illegal conduct, if: 1. The expiration date of the replacement certificate is the same as the expiration date of the EV Certificate that is being replaced, and 2. The Subject Information of the Certificate is the same as the Subject in the EV Certificate that is being replaced. -#### 3.2.14.3 Age of Validated Data +##### 3.2.2.14.3 Age of Validated Data -1. Except for reissuance of an EV Certificate under [Section 3.2.14.2](#32142-re-issuance-requests) and except when permitted otherwise in [Section 3.2.14.1](#32141-validation-for-existing-subscribers), the age of all data used to support issuance of an EV Certificate (before revalidation is required) SHALL NOT exceed the following limits: +1. Except for reissuance of an EV Certificate under [Section 3.2.2.14.2](#322142-re-issuance-requests) and except when permitted otherwise in [Section 3.2.14.1](#32141-validation-for-existing-subscribers), the age of all data used to support issuance of an EV Certificate (before revalidation is required) SHALL NOT exceed the following limits: A. Legal existence and identity – 398 days; B. Assumed name – 398 days; 
@@ -921,9 +925,13 @@ A CA may rely on a previously verified certificate request to issue a replacemen G. Name, Title, Agency, and Authority – 398 days, unless a contract between the CA and the Applicant specifies a different term, in which case, the term specified in such contract controls. For example, the contract MAY include the perpetual assignment of EV roles until revoked by the Applicant or CA, or until the contract expires or is terminated. 2. The 398-day period set forth above SHALL begin to run on the date the information was collected by the CA. -3. The CA MAY reuse a previously submitted EV Certificate Request, Subscriber Agreement, or Terms of Use, including use of a single EV Certificate Request in support of multiple EV Certificates containing the same Subject to the extent permitted under [Section 3.2.9](#329-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests) and [Section 3.2.10](#3210-verification-of-approval-of-ev-certificate-request). -4. The CA MUST repeat the verification process required in these Guidelines for any information obtained outside the time limits specified above except when permitted otherwise under [Section 3.2.14.1](#32141-validation-for-existing-subscribers). +3. The CA MAY reuse a previously submitted EV Certificate Request, Subscriber Agreement, or Terms of Use, including use of a single EV Certificate Request in support of multiple EV Certificates containing the same Subject to the extent permitted under [Section 3.2.2.9](#3229-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests) and [Section 3.2.2.10](#32210-verification-of-approval-of-ev-certificate-request). +4. The CA MUST repeat the verification process required in these Guidelines for any information obtained outside the time limits specified above except when permitted otherwise under [Section 3.2.2.14.1](#322141-validation-for-existing-subscribers). 
+### 3.2.3 Authentication of individual identity +### 3.2.4 Non-verified subscriber information +### 3.2.5 Validation of authority +### 3.2.6 Criteria for interoperation ## 3.3 Identification and authentication for re-key requests ### 3.3.1 Identification and authentication for routine re-key @@ -976,7 +984,7 @@ An Applicant qualifies as a Business Entity if: 4. The identified Principal Individual attests to the representations made in the Subscriber Agreement; -5. The CA verifies the entity's use of any assumed name used to represent the entity pursuant to the requirements of [Section 3.2.3](#323-verification-of-applicants-legal-existence-and-identity--assumed-name); +5. The CA verifies the entity's use of any assumed name used to represent the entity pursuant to the requirements of [Section 3.2.2.3](#3223-verification-of-applicants-legal-existence-and-identity--assumed-name); 6. The entity and the identified Principal Individual associated with the entity are not located or residing in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and @@ -996,7 +1004,7 @@ Subsidiary organizations or agencies of an entity that qualifies as a Non-Commer ### 4.1.2 Enrollment process and responsibilities The documentation requirements in Section 4.1.2 of the Baseline Requirements apply equally to EV Certificates. -The Certificate Request requirements in Section 4.1.2 of the Baseline Requirements apply equally to EV Certificates subject to the additional more stringent ageing and updating requirement of [Section 3.2.14](#3214-requirements-for-re-use-of-existing-documentation). +The Certificate Request requirements in Section 4.1.2 of the Baseline Requirements apply equally to EV Certificates subject to the additional more stringent ageing and updating requirement of [Section 3.2.2.14](#32214-requirements-for-re-use-of-existing-documentation). ## 4.2 Certificate application processing 
@@ -1112,7 +1120,7 @@ As specified in Section 5 of the Baseline Requirements. In addition, systems use ### 5.2.3 Identification and authentication for each role ### 5.2.4 Roles requiring separation of duties -1. The CA MUST enforce rigorous control procedures for the separation of validation duties to ensure that no one person can single-handedly validate and authorize the issuance of an EV Certificate. The Final Cross-Correlation and Due Diligence steps, as outlined in [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence), MAY be performed by one of the persons. For example, one Validation Specialist MAY review and verify all the Applicant information and a second Validation Specialist MAY approve issuance of the EV Certificate. +1. The CA MUST enforce rigorous control procedures for the separation of validation duties to ensure that no one person can single-handedly validate and authorize the issuance of an EV Certificate. The Final Cross-Correlation and Due Diligence steps, as outlined in [Section 3.2.2.13](#32213-final-cross-correlation-and-due-diligence), MAY be performed by one of the persons. For example, one Validation Specialist MAY review and verify all the Applicant information and a second Validation Specialist MAY approve issuance of the EV Certificate. 2. Such controls MUST be auditable. ## 5.3 Personnel controls 
@@ -1314,7 +1322,7 @@ When abbreviating a Subject's full legal name as allowed by this subsection, the In addition, an assumed name or DBA name used by the Subject MAY be included at the beginning of this field, provided that it is followed by the full legal organization name in parenthesis. -If the combination of names or the organization name by itself exceeds 64 characters, the CA MAY abbreviate parts of the organization name, and/or omit non-material words in the organization name in such a way that the text in this field does not exceed the 64-character limit; provided that the CA checks this field in accordance with [Section 11.12.1](#32121-high-risk-status) and a Relying Party will not be misled into thinking that they are dealing with a different organization. In cases where this is not possible, the CA MUST NOT issue the EV Certificate. +If the combination of names or the organization name by itself exceeds 64 characters, the CA MAY abbreviate parts of the organization name, and/or omit non-material words in the organization name in such a way that the text in this field does not exceed the 64-character limit; provided that the CA checks this field in accordance with [Section 3.2.2.12.1](#322121-high-risk-status) and a Relying Party will not be misled into thinking that they are dealing with a different organization. In cases where this is not possible, the CA MUST NOT issue the EV Certificate. ##### 7.1.4.2.2 Subject Common Name Field 
@@ -1344,7 +1352,7 @@ Country: __Required/Optional__: Required __Contents__: These fields MUST NOT contain information that is not relevant to the level of the Incorporating Agency or Registration Agency. For example, the Jurisdiction of Incorporation for an Incorporating Agency or Jurisdiction of Registration for a Registration Agency that operates at the country level MUST include the country information but MUST NOT include the state or province or locality information. Similarly, the jurisdiction for the applicable Incorporating Agency or Registration Agency at the state or province level MUST include both country and state or province information, but MUST NOT include locality information. And, the jurisdiction for the applicable Incorporating Agency or Registration Agency at the locality level MUST include the country and state or province information, where the state or province regulates the registration of the entities at the locality level, as well as the locality information. Country information MUST be specified using the applicable ISO country code. State or province or locality information (where applicable) for the Subject's Jurisdiction of Incorporation or Registration MUST be specified using the full name of the applicable jurisdiction. -Effective as of 1 October 2020, the CA SHALL ensure that, at time of issuance, the values within these fields have been disclosed within the latest publicly-available disclosure, as described in [Section 3.2.1.3](#3213-disclosure-of-verification-sources), as acceptable values for the applicable Incorporating Agency or Registration Agency. +Effective as of 1 October 2020, the CA SHALL ensure that, at time of issuance, the values within these fields have been disclosed within the latest publicly-available disclosure, as described in [Section 3.2.2.1.3](#32213-disclosure-of-verification-sources), as acceptable values for the applicable Incorporating Agency or Registration Agency. 
##### 7.1.4.2.5 Subject Registration Number Field @@ -1356,7 +1364,7 @@ For Government Entities that do not have a Registration Number or readily verifi For Business Entities, the Registration Number that was received by the Business Entity upon government registration SHALL be entered in this field. For those Business Entities that register with an Incorporating Agency or Registration Agency in a jurisdiction that does not issue numbers pursuant to government registration, the date of the registration SHALL be entered into this field in any one of the common date formats. -Effective as of 1 October 2020, if the CA has disclosed a set of acceptable format or formats for Registration Numbers for the applicable Registration Agency or Incorporating Agency, as described in [Section 3.2.1.3](#3213-disclosure-of-verification-sources), the CA MUST ensure, prior to issuance, that the Registration Number is valid according to at least one currently disclosed format for that applicable Registration Agency or Incorporating agency. +Effective as of 1 October 2020, if the CA has disclosed a set of acceptable format or formats for Registration Numbers for the applicable Registration Agency or Incorporating Agency, as described in [Section 3.2.2.1.3](#32213-disclosure-of-verification-sources), the CA MUST ensure, prior to issuance, that the Registration Number is valid according to at least one currently disclosed format for that applicable Registration Agency or Incorporating agency. ##### 7.1.4.2.6 Subject Physical Address of Place of Business Field @@ -1494,7 +1502,6 @@ A Certificate issued to a Subscriber MUST contain one or more policy identifier( # 8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS -## 8.1 Eligible Audit Schemes A CA issuing EV Certificates SHALL undergo an audit in accordance with one of the following schemes: i. WebTrust Program for CAs audit and WebTrust EV Program audit, 
@@ -1503,20 +1510,23 @@ iii. ETSI EN 319 411-1 audit for EVCP policy. If the CA is a Government Entity, an audit of the CA by the appropriate internal government auditing agency is acceptable in lieu of the audits specified above, provided that such internal government auditing agency publicly certifies in writing that its audit addresses the criteria specified in one of the above audit schemes and certifies that the government CA has successfully passed the audit. -## 8.2 Frequency or circumstances of assessment -CAs issuing EV Certificates MUST undergo an annual audit that meets the criteria of [Section 8.1](#81-eligible-audit-schemes). +## 8.1 Frequency or circumstances of assessment +CAs issuing EV Certificates MUST undergo an annual audit that meets the criteria of [Section 8](#8-compliance-audit-and-other-assessments). -## 8.3 Identity/qualifications of assessor +### 8.1.1 Self audits +During the period in which it issues EV Certificates, the CA MUST strictly control its service quality by performing ongoing self audits against a randomly selected sample of at least three percent of the EV Certificates it has issued in the period beginning immediately after the last sample was taken. For all EV Certificates where the Final Cross-Correlation and Due Diligence requirements of [Section 3.2.2.13](#32213-final-cross-correlation-and-due-diligence) is performed by an RA, the CA MUST strictly control its service quality by performing ongoing self audits against a randomly selected sample of at least six percent of the EV Certificates it has issued in the period beginning immediately after the last sample was taken. + +## 8.2 Identity/qualifications of assessor A Qualified Auditor (as defined in Section 8.2 of the Baseline Requirements) MUST perform the CA's audit. 
-## 8.4 Assessor's relationship to assessed entity -## 8.5 Topics covered by assessment -## 8.6 Actions taken as a result of deficiency +## 8.3 Assessor's relationship to assessed entity +## 8.4 Topics covered by assessment +## 8.5 Actions taken as a result of deficiency -## 8.7 Communication of results +## 8.6 Communication of results CAs SHOULD make its audit report publicly available no later than three months after the end of the audit period. If there is a delay greater than three months and if so requested by an Application Software Supplier, the CA MUST provide an explanatory letter signed by its auditor. -## 8.8 Pre-issuance Readiness Audit +## 8.7 Pre-issuance Readiness Audit 1. If the CA has a currently valid WebTrust Seal of Assurance for CAs, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against the WebTrust EV Program. 2. If the CA has a currently valid ETSI 102 042 audit, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against ETSI TS 102 042. 
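Review bot: the relocated self-audit paragraph in the new 8.1.1 keeps a subject-verb mismatch from the old 8.9 text, "the Final Cross-Correlation and Due Diligence requirements of [Section 3.2.2.13] is performed by an RA"; change "is" to "are" while the paragraph is being moved. The move also quietly repairs a cross-reference (the deleted 8.9 paragraph links `#3213-final-cross-correlation-and-due-diligence`, the re-added text `#32213-final-cross-correlation-and-due-diligence`), which deserves a line in the commit message, and the old `#89-self-audits` anchor should be grepped for since it no longer exists. Finally, "an annual audit that meets the criteria of [Section 8]" now points at the whole chapter; "one of the audit schemes listed in Section 8" would say what is meant.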
@@ -1527,9 +1537,6 @@ CAs SHOULD make its audit report publicly available no later than three months a The CA MUST complete any required point-in-time readiness assessment no earlier than twelve (12) months prior to issuing an EV Certificate. The CA MUST undergo a complete audit under such scheme within ninety (90) days of issuing the first EV Certificate. -## 8.9 Self audits -During the period in which it issues EV Certificates, the CA MUST strictly control its service quality by performing ongoing self audits against a randomly selected sample of at least three percent of the EV Certificates it has issued in the period beginning immediately after the last sample was taken. For all EV Certificates where the Final Cross-Correlation and Due Diligence requirements of [Section 3.2.13](#3213-final-cross-correlation-and-due-diligence) is performed by an RA, the CA MUST strictly control its service quality by performing ongoing self audits against a randomly selected sample of at least six percent of the EV Certificates it has issued in the period beginning immediately after the last sample was taken. - # 9. OTHER BUSINESS AND LEGAL MATTERS ## 9.1 Fees ### 9.1.1 Certificate issuance or renewal fees From ac87a3db5c74e7911830775d4a428bac3d8eca5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Fri, 15 Dec 2023 11:50:17 +0100 Subject: [PATCH 44/48] Update EVG updating links.md 2 links were updated regarding section 8 --- docs/EVG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index cc5d26fe..6c148c59 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
@@ -235,7 +235,7 @@ Capitalized Terms are defined in the Baseline Requirements except where provided **Private Organization**: A non-governmental legal entity (whether ownership interests are privately held or publicly traded) whose existence was created by a filing with (or an act of) the Incorporating Agency or equivalent in its Jurisdiction of Incorporation. -**Qualified Auditor**: An independent public accounting firm that meets the auditing qualification requirements specified in [Section 8.3](#83-identityqualifications-of-assessor). +**Qualified Auditor**: An independent public accounting firm that meets the auditing qualification requirements specified in [Section 8.2](#82-identityqualifications-of-assessor). **Qualified Government Information Source**: A database maintained by a Government Entity (e.g. SEC filings) that meets the requirements of [Section 3.2.2.11.6](#322116-qualified-government-information-source). 
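Review bot: the repointed definition now links "Qualified Auditor" to EVG Section 8.2, but that section (visible in the earlier @@ -1503 hunk) only says "A Qualified Auditor (as defined in Section 8.2 of the Baseline Requirements) MUST perform the CA's audit", so a reader following the link is bounced to the BRs without being told. Either link the definition directly to the Baseline Requirements' Section 8.2 or state in EVG 8.2 that the qualification criteria are those of the BRs; the numbering coincidence (8.2 in both documents) makes the indirection easy to misread as a self-reference.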
@@ -886,7 +886,7 @@ A CA verifying an Applicant using information of the Applicant's Parent, Subsidi A. Rely on language translations of the relevant portions of the documentation, provided that the translations are received from a Translator; or B. When the CA has utilized the services of an RA, the CA MAY rely on the language skills of the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with [Section 3.2.2.13](#32213-final-cross-correlation-and-due-diligence), Subsections (1), (2) and (3). Notwithstanding the foregoing, prior to issuing the EV Certificate, the CA MUST review the work completed by the RA and determine that all requirements have been met; or - C. When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 8.1.1](#811-self-audits) and [Section 8.3](#83-identityqualifications-of-assessor). + C. When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 8.1.1](#811-self-audits) and [Section 8.2](#82-identityqualifications-of-assessor). In the case of EV Certificates to be issued in compliance with the requirements of [Section 1.3.2](#132-registration-authorities), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. From 238ff99fbe04f2aa24f2c58910d8133f2283f11e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Fri, 15 Dec 2023 11:54:27 +0100 Subject: [PATCH 45/48] Update EVG.md Another link updated from 3.2.14.1 to 3.2.2.14.1 --- docs/EVG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
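Review bot: in the @@ -886 hunk the `-` line already cited `[Section 8.1.1](#811-self-audits)` at a time when the EVG self-audit text still lived in 8.9, so that link was dangling before this series and only resolves now that 8.1.1 exists; the commit message ("2 links were updated") should say so, since the 8.1.1 reference was verified rather than changed. Item B in the same hunk cites "Subsections (1), (2) and (3)" of 3.2.2.13 by number only, while item C links the section; make the two items consistent.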
diff --git a/docs/EVG.md b/docs/EVG.md index 6c148c59..c27b75a7 100644 --- a/docs/EVG.md +++ b/docs/EVG.md @@ -914,7 +914,7 @@ A CA may rely on a previously verified certificate request to issue a replacemen ##### 3.2.2.14.3 Age of Validated Data -1. Except for reissuance of an EV Certificate under [Section 3.2.2.14.2](#322142-re-issuance-requests) and except when permitted otherwise in [Section 3.2.14.1](#32141-validation-for-existing-subscribers), the age of all data used to support issuance of an EV Certificate (before revalidation is required) SHALL NOT exceed the following limits: +1. Except for reissuance of an EV Certificate under [Section 3.2.2.14.2](#322142-re-issuance-requests) and except when permitted otherwise in [Section 3.2.2.14.1](#322141-validation-for-existing-subscribers), the age of all data used to support issuance of an EV Certificate (before revalidation is required) SHALL NOT exceed the following limits: A. Legal existence and identity – 398 days; B. Assumed name – 398 days; From e3f16c116c498417a029ffb36e6d76e4043e3a9a Mon Sep 17 00:00:00 2001 
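Review bot: the `+` line of the @@ -914 hunk spells "reissuance" in prose while its own link text and slug use "re-issuance" (`#322142-re-issuance-requests`); pick one spelling across the 3.2.2.14.x sections. The hunk's leading context line, "A CA may rely on a previously verified certificate request", uses lowercase "may" where the changed line uses RFC 2119 "SHALL NOT"; it sits next to the edited line, so normalising it to "MAY" here would be cheap.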
From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Fri, 19 Jan 2024 12:30:42 +0100 Subject: [PATCH 46/48] Update branch for BRs pointing to new sections of EVGs (#476) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automatio… (#441) * Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automation / Short-Lived Certificates (#414) * Profiles WIP * Clarify AIA based on 2021-06-12 call AIA allows multiple methods, and multiple instances of each method. However, client implementations use the ordering to indicate priority, as per RFC 5280, so clarify the requirements for multiple AccessDescriptions with the same accessMethod. * Address basicConstraints for OCSP Responder feedback Rather than make basicConstraints MUST, make it a MAY, to allow omission (plus v3) or presence (but empty) to indicate that it is not a CA certificate. * Address the "any other value" situations with 7.1.2.4 language This adopts the language from 7.1.2.4 to the various extensibility points, by trying to explicitly clarify as appropriate as to what is permitted. * Fix the certificatePolicies mismatched highlighted by Corey * Change SHOULD NOT to NOT RECOMMENDED While RFC 2119 establishes that these two phrases are semantically equivalent, it's been suggested that this may resolve some anxiety around misinterpretations of SHOULD NOT as SHALL NOT, particularly by auditors. By changing this to NOT RECOMMENDED, the same guidance is preserved, but it hopefully makes it more palatable to CAs. See https://github.com/sleevi/cabforum-docs/pull/36/files#r856429830 for related discussion. * Remove dnsSRV and cleanup otherName handling This removes the (buggy) description of DNS SRV and leaves it overall as a SHOULD NOT and in scope of the (existing) 7.1.4.2 requirements. 
It also fixes up a typo (extension OID -> type-id) * Formatting fix * Move the Non-TLS EKU requirement into the Non-TLS profile Originally it was part of the common fields, when there were multiple variations of non-TLS CAs. However, as there is only a single reference to this section, fold it into the non-TLS profile. This hopefully makes it clearer about the EKU requirements for non-TLS CAs (being what defines something as non-TLS), and reduces some confusion around non-TLS and TLS common sections. * Redo Certificate Policies for Non-TLS CAs The existing language was buggy, in that a link target was updated, but not the section heading. However, it was further buggy due to the interactions between Affiliated and Non-Affiliated CAs. This overhauls it in line with the November and F2F discussions; unlike many of the other extensions in this section (which are dictated by RFC 5280 as being mandatory for certain situations), certificatePolicies is not, so this is demoted to a MAY. However, the language from RFC 5280 does set out some guidance - such as not recommending that a policyQualifier be present - and so that requirement is preserved, under the argument that a non-TLS CA should still align with RFC 5280 if issued under a BR CA. This does *remove* an existing BR requirement, namely those inherited from Section 7.1.6.3, but since that seemed to align with the intent of the SCWG, this should be a positive change. * Naming Cleanup This moves the metadata prohibition and domain name prohibition from applying to all certificates to only applying to Subscriber certificates (and in particular, to IV/OV/EV). This also corrects the organizationalUnit name to reflect SC47v2. * Formatting & Section Heading fixes This fixes a few unnumbered sections (around validity periods) and adjusts the formatting for several tables to better accommodate the text.
* Fix a bug in non-TLS technically constrained CAs For non-TLS CAs, don't allow them to assert the BR's CP OIDs, as the certificates will not be BR compliant. * Redo Certificate Policies This reworks the presentation and format of the certificatePolicies extensions, better aligning to the BRs, and hopefully providing sufficient clarity: Relaxations: - Reserved Policy OID is *no longer* required to be first, but is RECOMMENDED (SHOULD). - The separation of "Affiliated" and "Unaffiliated" for certificate policies is removed. This was introduced for Cross-Certified Sub-CAs, but resulted in some ambiguity about what happens when a Technically Constrained (non-TLS or nameConstraints) Sub-CA is operated by a non-Affiliated entity. The requirements around Affiliation are now folded into a common section, rather than being two sections. - Although not permitted by the current BRs, the cPSuri is now explicitly allowed for all certificate policies (_including_ for anyPolicy). - anyPolicy is now explicitly permitted (but NOT RECOMMENDED) for OCSP Responders - Reserved CABF OIDs are now explicitly permitted (but NOT RECOMMENDED) for OCSP Responders. Clarifications: - A note is added to the OCSP Responder section explaining that because CPs limit the validity and purposes of a certificate, it becomes possible to create an "invalid" responder that clients will reject (and thus also reject responses), and that this is part of the reason for forbidding. - For TLS certificates, the requirements for CPs for sub-CAs versus leaf certificates had a slightly different wording: whether a given CP needed to be documented by the CA (e.g. could be any policy, including a reserved CP or anyPolicy) or needed to be _defined_ and documented by the CA (i.e. must be from the CA's own OID arc). This harmonizes the language for TLS ("defined by"), while still leaving a fairly large carveout for non-TLS ("documented").
* Minor fixes and cleanups (#399) * Add order and encoding requirement for DC attribute * Remove overly specific Cross-cert requirement; fix serialNumber encoding * Clarify NC exclusion * Remove "Domain Name or IP Address" validation requirement for now Co-authored-by: Corey Bonnell * Integrate newer ballots (#406) * Update README (#294) Co-authored-by: Jos Purvis * Adjust the workflow file to build the actions (#296) This addresses a few requests that recently came up from the certificate profiles work: - Remove the explicit retention period (of 21 days) to allow the GitHub default of 90 days. - Change the generated ZIP file from being "BR.md-hash" to being "BR-hash". - Allow manually invoking the workflow (via workflow_dispatch), in the event folks want to re-run for a particular branch (e.g. profiles) - Attempt to resolve the "non-deterministic redline" noted by Jos. When a given commit is on cabforum/servercert, it may be both a commit (to a branch) and part of a pull request (to main). We want the pull request redline to be against main, while the commit redline to be against the previous commit. Because both jobs run, and both upload the same file name, this results in a non-deterministic clobbering, where the commit-redline may clobber the pr-redline. This changes the generated zip file to be "file-hash-event_type", so that it will generate redlines for both PRs and commits and attach both. * SC47 Sunset subject:organizationalUnitName (#282) (#290) * SC47 Sunset subject:organizationalUnitName (#282) * Deprecation of subject:organizationalUnitName * Update language to avoid confusion on the effective date This version updates SC47 to state "issued on or after September 1, 2022" and makes the EV Guidelines reference the BRs as suggested by Ryan Sleevi from Google. 
Co-authored-by: Paul van Brouwershaven Co-authored-by: Ryan Sleevi Co-authored-by: Jos Purvis * SC47 datefix (#298) * Update dates table * Update EVG.md Add SC47 reference to relevant dates table * Fixup section number in prior commit Co-authored-by: Jos Purvis Co-authored-by: Wayne Thayer * SC48 - Domain Name and IP Address Encoding (#285) (#302) * SC48 - Domain Name and IP Address Encoding (#285) * First pass * Add more RFC references, some wordsmithing * Another few fixes * Switch to use "LDH Labels" * Propose concrete effective date * Clarification about root zone trailing dot * Replace "label" with "Domain Label" throughout (#1) Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout Co-authored-by: Corey Bonnell Co-authored-by: Ryan Sleevi * Fix double negative * Fix redundant "if the" Co-authored-by: Corey Bonnell Co-authored-by: Ryan Sleevi Co-authored-by: Jos * Wrap xn-- to prevent ligaturization * SC48 - Domain Name and IP Address Encoding (#285) * First pass * Add more RFC references, some wordsmithing * Another few fixes * Switch to use "LDH Labels" * Propose concrete effective date * Clarification about root zone trailing dot * Replace "label" with "Domain Label" throughout (#1) Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout Co-authored-by: Corey Bonnell Co-authored-by: Ryan Sleevi * Fix double negative * Fix redundant "if the" Co-authored-by: Corey Bonnell Co-authored-by: Ryan Sleevi Co-authored-by: Jos * Wrap xn-- to prevent ligaturization * Update dates and version numbers Co-authored-by: Corey Bonnell Co-authored-by: Corey Bonnell Co-authored-by: Ryan Sleevi Co-authored-by: Jos Purvis * Ballot SC50 - Remove the requirements of 4.1.1 (#328) * SC50 - Remove the requirements of 4.1.1 (#323) * Bump cairosvg from 1.0.20 to 2.5.1 Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1. 
- [Release notes](https://github.com/Kozea/CairoSVG/releases) - [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst) - [Commits](https://github.com/Kozea/CairoSVG/compare/1.0.20...2.5.1) Signed-off-by: dependabot[bot] * Bump kramdown from 2.3.0 to 2.3.1 Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/gettalong/kramdown/releases) - [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page) - [Commits](https://github.com/gettalong/kramdown/commits) 
Signed-off-by: dependabot[bot] * Remove 4.1.1; persist compromised keys in 6.1.1.3 Remove section 4.1.1 from the BRs Explicitly require persistent access to compromised keys * Rebase based on upstream/main * Move System requirement to 6.1.1.3 * Add 4.1.1 as blank * Remove capitalization from 6.1.1.3 where terms are not defined * Re-add 'No stipulation.' to 4.1.1 * Remove change to 6.1.1.3 Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson * Update version and date table Co-authored-by: Clint Wilson Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson Co-authored-by: Jos Purvis * Ballot SC53: Sunset SHA-1 for OCSP signing (#330) (#338) * Sunset SHA-1 for OCSP signing (#330) * Sunset SHA-1 OCSP signing * Clarify necessity of both items * Standardize date format, fix year in effective date table Co-authored-by: Corey Bonnell * Update version, table, and date Co-authored-by: Corey Bonnell Co-authored-by: Corey Bonnell Co-authored-by: Jos Purvis * Bump actions/checkout from 2 to 3 (#342) Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v2...v3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Ballot SC51: Reduce and Clarify Log and Records Archival Retention Requirements (#347) * Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements (#336) * Bump cairosvg from 1.0.20 to 2.5.1 Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1. - [Release notes](https://github.com/Kozea/CairoSVG/releases) - [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst) - [Commits](https://github.com/Kozea/CairoSVG/compare/1.0.20...2.5.1) Signed-off-by: dependabot[bot] * Bump kramdown from 2.3.0 to 2.3.1 Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/gettalong/kramdown/releases) - [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page) - [Commits](https://github.com/gettalong/kramdown/commits) 
Signed-off-by: dependabot[bot] * Restructure parts of 5.4.x and 5.5.x * Use 'events' consistently in 5.4.1 * Forgot to remove "revocation" as condition for start of retention period of Subscriber Certificates. * Introduce possessive in 5.4.1 and 5.5.1 to better delineate responsibilities of CAs using DTPs * Remove WIP title; * re-order list in 5.5.2; add 'or' clause to validation documentation archival list entry. * Incorporate feedback from Aaron and Dimitris in Servercert-wg Discussion Period Based on the feedback from Aaron here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003115.html) and here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003125.html), update 5.5.1 and 5.5.2. Based on the feedback from Dimitris here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003110.html), update 5.4.3 and 5.5.2. * Update link formatting in 5.4.1 The "Section" links throughout include the word "Section" in the link, except for in 5.4.1; this fixes that inconsistency. Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson * Update effective date and version number * Update ballot table in document * Fix date string Co-authored-by: Clint Wilson Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson Co-authored-by: Jos Purvis * Ballot SC54: Onion Cleanup (#369) * SC-54: Onion cleanup (#348) The voting on ballot SC54 has completed, and the ballot has passed. Voting Results Certificate Issuers votes total, with no abstentions: 18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa 0 No Votes 0 Abstentions Certificate Consumers 6 votes total, with no abstentions: 6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla 0 No votes 0 Abstentions Bylaw Requirements 1.
Bylaw 2.3(f) requires: · A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose. This requirement was MET for Certificate Issuers and MET for Certificate Consumers. · At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted. This requirement was MET. 2. Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot. This requirement was MET. This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues. —— * Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains. * Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4. * Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6. * Addresses #240. Things are signed using private, not public keys. * Addresses #190, #191. According to https://github.com/cabforum/servercert/issues/191#issuecomment-827810409, effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way. * This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce. We agreed with Corey and Wayne to propose the removal of the requirement for the CA to *confirm* entropy. * Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting). 
* remove double space * Remove EVG Appendix F, introduce Onion Domain Name term * A few more minor tweaks * Fix numbering * Update for easier read. * Revert "Update for easier read." This reverts commit 1bac785b2fd6a3fe0957434f9d13b13a47d4d19b. Co-authored-by: Corey Bonnell * SC-54: Onion cleanup (#348) The voting on ballot SC54 has completed, and the ballot has passed. Voting Results Certificate Issuers votes total, with no abstentions: 18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa 0 No Votes 0 Abstentions Certificate Consumers 6 votes total, with no abstentions: 6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla 0 No votes 0 Abstentions Bylaw Requirements 1. Bylaw 2.3(f) requires: · A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose. This requirement was MET for Certificate Issuers and MET for Certificate Consumers. · At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted. This requirement was MET. 2. Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot. This requirement was MET. This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues. —— * Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains. * Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4. * Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6. * Addresses #240. 
Things are signed using private, not public keys. * Addresses #190, #191. According to https://github.com/cabforum/servercert/issues/191#issuecomment-827810409, effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way. * This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce. We agreed with Corey and Wayne to propose the removal of the requirement for the CA to *confirm* entropy. * Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting). * remove double space * Remove EVG Appendix F, introduce Onion Domain Name term * A few more minor tweaks * Fix numbering * Update for easier read. * Revert "Update for easier read." This reverts commit 1bac785b2fd6a3fe0957434f9d13b13a47d4d19b. Co-authored-by: Corey Bonnell * Update version numbers and dates Co-authored-by: Dimitris Zacharopoulos Co-authored-by: Corey Bonnell Co-authored-by: Jos Purvis * Integrate SC-48 CN requirements Co-authored-by: Jos Co-authored-by: Jos Purvis Co-authored-by: Ryan Sleevi Co-authored-by: Paul van Brouwershaven Co-authored-by: Ryan Sleevi Co-authored-by: Wayne Thayer Co-authored-by: Corey Bonnell Co-authored-by: Clint Wilson Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson Co-authored-by: Dimitris Zacharopoulos * Update BR.md Create dedicated branch and sync with "profiles" branch (as of Jan 17, 2023). * Update BR.md Address Comments: - https://github.com/cabforum/servercert/pull/402#discussion_r1040210458 (added "CRL") - https://github.com/cabforum/servercert/pull/414#discussion_r1073714166 (as suggested) * Align with BRs Inadvertent numbering change. 
* Update BR.md Add consideration for a phased reduction of short-lived subscriber certificate validity. (in response to https://github.com/cabforum/servercert/pull/414#discussion_r1073772243) * Update BR.md Cleaning-up proposal in advance of discussion. * Update EVG.md [clean-up diff, this file was not intentionally modified in the PR] * Update BR.md [clean-up] * Update BR.md [cleanup] * Update BR.md * Update BR.md * Update BR.md begin integrating SC-61 language. * integrate sc61 * Update BR.md continue tweaking to include sc61 * Update BR.md improve readability * Update BR.md * Update BR.md * Update BR.md * Update BR.md correct spelling error * Update BR.md * Update BR.md typo * Update BR.md * Update BR.md * Update BR.md * Improve specificity of CRL issuance frequency * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md Typo (thanks, Wendy!) * Update docs/BR.md Editorial Co-authored-by: Aaron Gable * Update docs/BR.md Editorial Co-authored-by: Aaron Gable * Update BR.md * Update BR.md * Update BR.md Address comment from Aaron: "I'm not in favor of allowing CRLs to remain non-updated for 7 days because that is a regression from current OCSP behavior. Section 4.9.10.(4) makes it so that updated revocation information is always available "no later than four days after the thisUpdate". Therefore, a CA operating in a CRLs-only mode should be required to update their CRLs at least once every 4 days." * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update docs/BR.md Co-authored-by: Dimitris Zacharopoulos * Update docs/BR.md Co-authored-by: Dimitris Zacharopoulos * Update BR.md "twenty four" -> "twenty-four" * Update BR.md * Add provision to handle nonces per RFC8954 * Update BR.md Improve readability. 
* Update BR.md * Update BR.md * Update BR.md CAs issuing CA certificates should publish a new CRL if _any_ certificate is revoked, not just CA certificates. This change is intended to force CRL publication in the event that a delegated OCSP responder's certificate was revoked (for example, due to key compromise). * Address comment from Rob * Clean up language * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Address formatting nits * Address table formatting nits. * Remove redundant language re: nextUpdate * Clarify use of "unspecified" CRL Reason Code * Clarify IDP * (Further) Clarify IDP * Update BR.md Make sure that where the word "Certificate" was introduced in this proposal, it is capitalized correctly. * Update BR.md Nits. --------- Co-authored-by: Ryan Sleevi Co-authored-by: Corey Bonnell Co-authored-by: Corey Bonnell Co-authored-by: Jos Co-authored-by: Jos Purvis Co-authored-by: Ryan Sleevi Co-authored-by: Paul van Brouwershaven Co-authored-by: Ryan Sleevi Co-authored-by: Wayne Thayer Co-authored-by: Clint Wilson Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson Co-authored-by: Dimitris Zacharopoulos Co-authored-by: Aaron Gable * Update BR.md --------- Co-authored-by: Ryan Dickson Co-authored-by: Ryan Sleevi Co-authored-by: Corey Bonnell Co-authored-by: Corey Bonnell Co-authored-by: Jos Co-authored-by: Jos Purvis Co-authored-by: Ryan Sleevi Co-authored-by: Paul van Brouwershaven Co-authored-by: Ryan Sleevi Co-authored-by: Wayne Thayer Co-authored-by: Clint Wilson Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson Co-authored-by: Dimitris Zacharopoulos Co-authored-by: Aaron Gable * Fall 2023 clean up (#460) * Issue#169 Issue #169 - updated 3.2.2.5.6 and 3.2.2.5.7 - added RFC 8738 in References * Issue #174 Issue #174 - 
Updated title in section 3.2.2.4.10 - Updated section 3.2.2.4.18 * Issue #337 Issue #337 - Updated title of the document to include TLS Server And also: - updated section 1.1, 1.2, 1.5 and 2.2 to be consistent with the new document name * Issue #423 Issue #423 Updated section 1.6.3 - removing version of the Webtrust and changing the link to redirect to all the documents published by CPA Canada - removing version of the NetSec and changing the link to redirect to the NetSec documents * Issue #430 Issue #430 Updated with the text suggested by Aaron as it's the smallest change and clarifies the ambiguity of "reuse" * Issue #444 Issue #444 Added empty section 7.1.5 * Issue #450 Issue #450 Updated including link to the 6.2.7 section * Issue #453 Issue #453 Updated section as indicated * PR #415 PR #415 Updated title * Update BR.md Change order of "pending prohibition" and "P-label" in section 1.6.3 definitions to follow alphabetical order * Update BR.md Updated version and changelog * Issue #461 Issue #461 Used 2 option for the update * Update docs/BR.md Co-authored-by: Corey Bonnell * Add line breaks in 7.1.2.11.2 According to #462 * Revert the change of the NSSR version Put back the version 1.7 in the NetSec * Update BR.md --------- Co-authored-by: Corey Bonnell --------- Co-authored-by: Ryan Dickson Co-authored-by: Ryan Sleevi Co-authored-by: Corey Bonnell Co-authored-by: Corey Bonnell Co-authored-by: Jos Co-authored-by: Jos Purvis Co-authored-by: Ryan Sleevi Co-authored-by: Paul van Brouwershaven Co-authored-by: Ryan Sleevi Co-authored-by: Wayne Thayer Co-authored-by: Clint Wilson Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson Co-authored-by: Dimitris Zacharopoulos Co-authored-by: Aaron Gable --- docs/BR.md | 234 ++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 167 insertions(+), 67 deletions(-) diff --git a/docs/BR.md b/docs/BR.md index f152d150..c85365b1 100644 --- a/docs/BR.md 
+++ b/docs/BR.md @@ -1,14 +1,13 @@ --- -title: Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates - -subtitle: Version 2.0.0 +title: Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates +subtitle: Version 2.0.2 author: - CA/Browser Forum -date: 11 April, 2023 +date: 8-January-2024 copyright: | - Copyright 2023 CA/Browser Forum + Copyright 2024 CA/Browser Forum This work is licensed under the Creative Commons Attribution 4.0 International license. --- 
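Review bot: the `date:` front-matter value changes format in this hunk, from "11 April, 2023" to "8-January-2024", while the version table added elsewhere in this patch uses "8-Jan-2024"; pick one date style and apply it in both places (e.g. "8 January, 2024" to match the previous release's form) so tooling that parses the front matter is not surprised by a new format.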
@@ -17,13 +16,13 @@ copyright: | ## 1.1 Overview -This document describes an integrated set of technologies, protocols, identity-proofing, lifecycle management, and auditing requirements that are necessary (but not sufficient) for the issuance and management of Publicly-Trusted Certificates; Certificates that are trusted by virtue of the fact that their corresponding Root Certificate is distributed in widely-available application software. The requirements are not mandatory for Certification Authorities unless and until they become adopted and enforced by relying-party Application Software Suppliers. +This document describes an integrated set of technologies, protocols, identity-proofing, lifecycle management, and auditing requirements that are necessary (but not sufficient) for the issuance and management of Publicly-Trusted TLS Server Certificates; Certificates that are trusted by virtue of the fact that their corresponding Root Certificate is distributed in widely-available application software. The requirements are not mandatory for Certification Authorities unless and until they become adopted and enforced by relying-party Application Software Suppliers. **Notice to Readers** -The CP for the Issuance and Management of Publicly-Trusted Certificates describe a subset of the requirements that a Certification Authority must meet in order to issue Publicly Trusted Certificates. This document serves two purposes: to specify Baseline Requirements and to provide guidance and requirements for what a CA should include in its CPS. Except where explicitly stated otherwise, these Requirements apply only to relevant events that occur on or after 1 July 2012 (the original effective date of these requirements). +The CP for the Issuance and Management of Publicly-Trusted TLS Server Certificates describe a subset of the requirements that a Certification Authority must meet in order to issue Publicly Trusted TLS Server Certificates. 
This document serves two purposes: to specify Baseline Requirements and to provide guidance and requirements for what a CA should include in its CPS. Except where explicitly stated otherwise, these Requirements apply only to relevant events that occur on or after 1 July 2012 (the original effective date of these requirements). -These Requirements do not address all of the issues relevant to the issuance and management of Publicly-Trusted Certificates. In accordance with RFC 3647 and to facilitate a comparison of other certificate policies and CPSs (e.g. for policy mapping), this document includes all sections of the RFC 3647 framework. However, rather than beginning with a "no stipulation" comment in all empty sections, the CA/Browser Forum is leaving such sections initially blank until a decision of "no stipulation" is made. The CA/Browser Forum may update these Requirements from time to time, in order to address both existing and emerging threats to online security. In particular, it is expected that a future version will contain more formal and comprehensive audit requirements for delegated functions. +These Requirements do not address all of the issues relevant to the issuance and management of Publicly-Trusted TLS Server Certificates. In accordance with RFC 3647 and to facilitate a comparison of other certificate policies and CPSs (e.g. for policy mapping), this document includes all sections of the RFC 3647 framework. However, rather than beginning with a "no stipulation" comment in all empty sections, the CA/Browser Forum is leaving such sections initially blank until a decision of "no stipulation" is made. The CA/Browser Forum may update these Requirements from time to time, in order to address both existing and emerging threats to online security. In particular, it is expected that a future version will contain more formal and comprehensive audit requirements for delegated functions. 
These Requirements only address Certificates intended to be used for authenticating servers accessible through the Internet. Similar requirements for code signing, S/MIME, time-stamping, VoIP, IM, Web services, etc. may be covered in future versions. @@ -33,7 +32,7 @@ These Requirements are applicable to all Certification Authorities within a chai ## 1.2 Document name and identification -This certificate policy (CP) contains the requirements for the issuance and management of publicly-trusted SSL certificates, as adopted by the CA/Browser Forum. +This certificate policy (CP) contains the requirements for the issuance and management of publicly-trusted TLS Server certificates, as adopted by the CA/Browser Forum. The following Certificate Policy identifiers are reserved for use by CAs to assert compliance with this document (OID arc 2.23.140.1.2) as follows: @@ -134,6 +133,8 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 1.8.6 | SC58 | Require distributionPoint in sharded CRLs | 7-Nov-2022 | 11-Dec-2022 | | 1.8.7 | SC61 | New CRL entries must have a Revocation Reason Code | 1-Apr-2023 | 15-Jul-2023 | | 2.0.0 | SC62 | Certificate Profiles Update | 22-Apr-2023 | 15-Sep-2023 | +| 2.0.1 | SC63 | Make OCSP optional, require CRLs, and incentivize automation | 17-Aug-2023 | 15-Mar-2024 | +| 2.0.2 | SC66 | 2023 Cleanup | 23-Nov-2023 | 8-Jan-2024 | @@ -186,7 +187,7 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 2023-01-15 | 7.2.2 | Sharded or partitioned CRLs MUST have a distributionPoint | | 2023-07-15 | 4.9.1.1 and 7.2.2 | New CRL entries MUST have a revocation reason code | | 2023-09-15 | Section 7 (and others) | CAs MUST use the updated Certificate Profiles passed in Version 2.0.0 | - +| 2024-03-15 | 4.9.7 | CAs MUST generate and publish CRLs. | ## 1.3 PKI Participants 
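Review bot: the rewritten Notice to Readers sentence in the @@ -17 hunk keeps the subject/verb mismatch of the old line, "The CP for the Issuance and Management of Publicly-Trusted TLS Server Certificates describe a subset"; since the line is being rewritten anyway, change "describe" to "describes".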
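Review bot: the new compliance-date row in the @@ -186 hunk, "| 2024-03-15 | 4.9.7 | CAs MUST generate and publish CRLs. |", ends with a period while the neighbouring rows do not, and it cites only 4.9.7 although the same SC63 change (effective 15-Mar-2024 per the version table in the @@ -134 hunk) also makes the CRL Distribution Points extension mandatory in 7.1.2.11.2 for Subscriber Certificates that are neither Short-lived nor carry an AIA OCSP pointer; suggest dropping the period and listing "4.9.7 and 7.1.2.11.2" so implementers see both obligations on that date.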
@@ -222,6 +223,8 @@ The CA SHALL impose these limitations as a contractual requirement on the Enterp As defined in [Section 1.6.1](#161-definitions). +In some situations, a CA acts as an Applicant or Subscriber, for instance, when it generates and protects a Private Key, requests a Certificate, demonstrates control of a Domain, or obtains a Certificate for its own use. + ### 1.3.4 Relying Parties "Relying Party" and "Application Software Supplier" are defined in [Section 1.6.1](#161-definitions). Current Members of the CA/Browser Forum who are Application Software Suppliers are listed here: 
@@ -243,7 +246,7 @@ No stipulation. ## 1.5 Policy administration -The Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates present criteria established by the CA/Browser Forum for use by Certification Authorities when issuing, maintaining, and revoking publicly-trusted Certificates. This document may be revised from time to time, as appropriate, in accordance with procedures adopted by the CA/Browser Forum. Because one of the primary beneficiaries of this document is the end user, the Forum openly invites anyone to make recommendations and suggestions by email to the CA/Browser Forum at . The Forum members value all input, regardless of source, and will seriously consider all such input. +The Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates present criteria established by the CA/Browser Forum for use by Certification Authorities when issuing, maintaining, and revoking publicly-trusted TLS Server Certificates. This document may be revised from time to time, as appropriate, in accordance with procedures adopted by the CA/Browser Forum. Because one of the primary beneficiaries of this document is the end user, the Forum openly invites anyone to make recommendations and suggestions by email to the CA/Browser Forum at . The Forum members value all input, regardless of source, and will seriously consider all such input. ### 1.5.1 Organization Administering the Document 
@@ -389,18 +392,18 @@ The Definitions found in the CA/Browser Forum's Network and Certificate System S **Parent Company**: A company that Controls a Subsidiary Company. -**P-Label**: A XN-Label that contains valid output of the Punycode algorithm (as defined in RFC 3492, Section 6.3) from the fifth and subsequent positions. +**Pending Prohibition​​**: The use of a behavior described with this label is highly discouraged, as it is planned to be deprecated and will likely be designated as MUST NOT in the future. **Private Key**: The key of a Key Pair that is kept secret by the holder of the Key Pair, and that is used to create Digital Signatures and/or to decrypt electronic records or files that were encrypted with the corresponding Public Key. -**Pending Prohibition​​**: The use of a behavior described with this label is highly discouraged, as it is planned to be deprecated and will likely be designated as MUST NOT in the future. - **Public Key**: The key of a Key Pair that may be publicly disclosed by the holder of the corresponding Private Key and that is used by a Relying Party to verify Digital Signatures created with the holder's corresponding Private Key and/or to encrypt messages so that they can be decrypted only with the holder's corresponding Private Key. **Public Key Infrastructure**: A set of hardware, software, people, procedures, rules, policies, and obligations used to facilitate the trustworthy creation, issuance, management, and use of Certificates and keys based on Public Key Cryptography. **Publicly-Trusted Certificate**: A Certificate that is trusted by virtue of the fact that its corresponding Root Certificate is distributed as a trust anchor in widely-available application software. +**P-Label**: A XN-Label that contains valid output of the Punycode algorithm (as defined in RFC 3492, Section 6.3) from the fifth and subsequent positions. 
+ **Qualified Auditor**: A natural person or Legal Entity that meets the requirements of [Section 8.2](#82-identityqualifications-of-assessor). **Random Value**: A value specified by a CA to the Applicant that exhibits at least 112 bits of entropy. @@ -460,6 +463,8 @@ The script outputs: **Root Certificate**: The self-signed Certificate issued by the Root CA to identify itself and to facilitate verification of Certificates issued to its Subordinate CAs. +**Short-lived Subscriber Certificate**: For Certificates issued on or after 15 March 2024 and prior to 15 March 2026, a Subscriber Certificate with a Validity Period less than or equal to 10 days (864,000 seconds). For Certificates issued on or after 15 March 2026, a Subscriber Certificate with a Validity Period less than or equal to 7 days (604,800 seconds). + **Sovereign State**: A state or country that administers its own government, and is not dependent upon, or subject to, another power. **Subject**: The natural person, device, system, unit, or Legal Entity identified in a Certificate as the Subject. The Subject is either the Subscriber or a device under the control and operation of the Subscriber. @@ -545,7 +550,7 @@ FIPS 186-4, Federal Information Processing Standards Publication - Digital Signa ISO 21188:2006, Public key infrastructure for financial services -- Practices and policy framework. -Network and Certificate System Security Requirements, Version 1.7, available at . +Network and Certificate System Security Requirements, Version 1.7, available at NIST SP 800-89, Recommendation for Obtaining Assurances for Digital Signature Applications, . 
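Review bot: the relocated **P-Label** entry in the @@ -389 hunk lands after **Publicly-Trusted Certificate** and before **Qualified Auditor**, which does not match the alphabetical ordering the commit message describes: ignoring the hyphen, "PLabel" sorts after "Pending Prohibition" and before "Private Key" (L before r), and under plain ASCII ordering the hyphen sorts before every letter, placing it before **Parent Company**. Suggest moving the entry between **Pending Prohibition** and **Private Key**, where the newly placed **Pending Prohibition** entry already follows the intended order.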
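Review bot: the rewritten NetSec reference line in the @@ -545 hunk, "+Network and Certificate System Security Requirements, Version 1.7, available at", drops the terminating period that the old line and the adjacent NIST SP 800-89 entry carry; keep the trailing period so the reference list stays uniformly punctuated.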
@@ -581,7 +586,12 @@ RFC8499, Request for Comments: 8499, DNS Terminology. P. Hoffman, et al. January RFC8659, Request for Comments: 8659, DNS Certification Authority Authorization (CAA) Resource Record. P. Hallam-Baker, et al. November 2019. -WebTrust for Certification Authorities, SSL Baseline with Network Security, Version 2.5, available at . +RFC8738, Request for Comments: 8738, Automated Certificate Management Environment (ACME) IP Identifier Validation Extension. R.B.Shoemaker, Ed. February 2020. + +RFC8954, Request for Comments: 8954, Online Certificate Status Protocol (OCSP) Nonce Extension. M. Sahni, Ed. November 2020. + +WebTrust for Certification Authorities, SSL Baseline with Network Security, available at + X.509, Recommendation ITU-T X.509 (08/2005) \| ISO/IEC 9594-8:2005, Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks. 
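Review bot: the author initials in the added RFC8738 entry, "R.B.Shoemaker, Ed.", are run together, whereas the surrounding entries space them ("P. Hoffman", "P. Hallam-Baker", "M. Sahni"); write "R. B. Shoemaker, Ed." for consistency. The numeric placement of RFC8738 after RFC8659 and before RFC8954 is correct.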
@@ -609,7 +619,7 @@ Section 4.2 of a CA's Certificate Policy and/or Certification Practice Statement The CA SHALL publicly give effect to these Requirements and represent that it will adhere to the latest published version. The CA MAY fulfill this requirement by incorporating these Requirements directly into its Certificate Policy and/or Certification Practice Statements or by incorporating them by reference using a clause such as the following (which MUST include a link to the official version of these Requirements): -> [Name of CA] conforms to the current version of the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates published at . In the event of any inconsistency between this document and those Requirements, those Requirements take precedence over this document. +> [Name of CA] conforms to the current version of the Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates published at . In the event of any inconsistency between this document and those Requirements, those Requirements take precedence over this document. The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates that are @@ -771,7 +781,7 @@ Confirming the Applicant's control over the FQDN by confirming that the Applican This method has been retired and MUST NOT be used. Prior validations using this method and validation data gathered according to this method SHALL NOT be used to issue certificates. -##### 3.2.2.4.10 TLS Using a Random Number +##### 3.2.2.4.10 TLS Using a Random Value This method has been retired and MUST NOT be used. Prior validations using this method and validation data gathered according to this method SHALL NOT be used to issue certificates. 
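Review bot: renaming the heading in the @@ -771 hunk from "3.2.2.4.10 TLS Using a Random Number" to "TLS Using a Random Value" also changes the heading's generated anchor slug, and this document links to headings by slug (e.g. `[Section 6.3.2](#632-certificate-operational-periods-and-key-pair-usage-periods)`); grep the document for links to the old `#322410-tls-using-a-random-number` anchor and update any hits, otherwise those links silently break.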
@@ -848,7 +858,7 @@ Confirming the Applicant's control over the FQDN by verifying that the Request T 1. The entire Request Token or Random Value MUST NOT appear in the request used to retrieve the file, and 2. the CA MUST receive a successful HTTP response from the request (meaning a 2xx HTTP status code must be received). -The file containing the Request Token or Random Number: +The file containing the Request Token or Random Value: 1. MUST be located on the Authorization Domain Name, and 2. MUST be located under the "/.well-known/pki-validation" directory, and @@ -953,11 +963,11 @@ The Random Value SHALL remain valid for use in a confirming response for no more ##### 3.2.2.5.6 ACME “http-01” method for IP Addresses -Confirming the Applicant's control over the IP Address by performing the procedure documented for an “http-01” challenge in draft 04 of “ACME IP Identifier Validation Extension,” available at . +Confirming the Applicant's control over the IP Address by performing the procedure documented for an “http-01” challenge in RFC 8738. ##### 3.2.2.5.7 ACME “tls-alpn-01” method for IP Addresses -Confirming the Applicant's control over the IP Address by performing the procedure documented for a “tls-alpn-01” challenge in draft 04 of “ACME IP Identifier Validation Extension,” available at . +Confirming the Applicant's control over the IP Address by performing the procedure documented for a “tls-alpn-01” challenge in RFC 8738. #### 3.2.2.6 Wildcard Domain Validation 
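Review bot: the two rewritten ACME sentences in the @@ -953 hunk cite "RFC 8738" with a space while the new reference-list entry is written "RFC8738", and the document already mixes both forms ("RFC6960 and/or RFC5019" in 4.9.9 versus "RFC 6960 and/or RFC 5019" in 4.9.10); since these lines are being touched, pick one form for the RFC citations introduced by this patch.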
@@ -1065,7 +1075,7 @@ The certificate request MAY include all factual information about the Applicant Applicant information MUST include, but not be limited to, at least one Fully-Qualified Domain Name or IP address to be included in the Certificate's `subjectAltName` extension. -[Section 6.3.2](#632-certificate-operational-periods-and-key-pair-usage-periods) limits the validity period of Subscriber Certificates. The CA MAY use the documents and data provided in [Section 3.2](#32-initial-identity-validation) to verify certificate information, or may reuse previous validations themselves, provided that the CA obtained the data or document from a source specified under [Section 3.2](#32-initial-identity-validation) or completed the validation itself no more than 825 days prior to issuing the Certificate. For validation of Domain Names and IP Addresses according to Section 3.2.2.4 and 3.2.2.5, any reused data, document, or completed validation MUST be obtained no more than 398 days prior to issuing the Certificate. +[Section 6.3.2](#632-certificate-operational-periods-and-key-pair-usage-periods) limits the validity period of Subscriber Certificates. The CA MAY use the documents and data provided in [Section 3.2](#32-initial-identity-validation) to verify certificate information, or may reuse previous validations themselves, provided that the CA obtained the data or document from a source specified under [Section 3.2](#32-initial-identity-validation) or completed the validation itself no more than 825 days prior to issuing the Certificate. For validation of Domain Names and IP Addresses according to Section 3.2.2.4 and 3.2.2.5, any data, document, or completed validation used MUST be obtained no more than 398 days prior to issuing the Certificate. In no case may a prior validation be reused if any data or document used in the prior validation was obtained more than the maximum time permitted for reuse of the data or document prior to issuing the Certificate. 
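Review bot: the new wording "any data, document, or completed validation used MUST be obtained no more than 398 days prior to issuing the Certificate" applies "obtained" to a completed validation, but the same paragraph distinguishes documents the CA "obtained" from validations the CA "completed"; suggest "MUST have been obtained or completed no more than 398 days prior to issuing the Certificate" so the 398-day clock is unambiguous for reused validations as well as reused documents.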
@@ -1213,7 +1223,9 @@ No stipulation. #### 4.9.1.1 Reasons for Revoking a Subscriber Certificate -The CA SHALL revoke a Certificate within 24 hours and use the corresponding CRLReason (see Section 7.2.2) if one or more of the following occurs: +The CA MAY support revocation of Short-lived Subscriber Certificates. + +With the exception of Short-lived Subscriber Certificates, the CA SHALL revoke a Certificate within 24 hours and use the corresponding CRLReason (see Section 7.2.2) if one or more of the following occurs: 1. The Subscriber requests in writing, without specifying a CRLreason, that the CA revoke the Certificate (CRLReason "unspecified (0)" which results in no reasonCode extension being provided in the CRL); 2. The Subscriber notifies the CA that the original certificate request was not authorized and does not retroactively grant authorization (CRLReason #9, privilegeWithdrawn); 
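Review bot: the added sentence "The CA MAY support revocation of Short-lived Subscriber Certificates." does not say what follows when a CA does support it: whether the 24-hour / 5-day timelines below and the CRLReason requirement then apply to those revocations, or whether they remain entirely at the CA's discretion. Suggest a clause such as "If the CA does revoke a Short-lived Subscriber Certificate, it SHALL use the corresponding CRLReason (see Section 7.2.2)" so the revocation data is consistent regardless of certificate lifetime.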
@@ -1221,7 +1233,7 @@ The CA SHALL revoke a Certificate within 24 hours and use the corresponding CRLR 4. The CA is made aware of a demonstrated or proven method that can easily compute the Subscriber's Private Key based on the Public Key in the Certificate (such as a Debian weak key, see ) (CRLReason #1, keyCompromise); 5. The CA obtains evidence that the validation of domain authorization or control for any Fully-Qualified Domain Name or IP address in the Certificate should not be relied upon (CRLReason #4, superseded). -The CA SHOULD revoke a certificate within 24 hours and MUST revoke a Certificate within 5 days and use the corresponding CRLReason if one or more of the following occurs: +With the exception of Short-lived Subscriber Certificates, the CA SHOULD revoke a certificate within 24 hours and MUST revoke a Certificate within 5 days and use the corresponding CRLReason (see Section 7.2.2) if one or more of the following occurs: 6. The Certificate no longer complies with the requirements of [Section 6.1.5](#615-key-sizes) and [Section 6.1.6](#616-public-key-parameters-generation-and-quality-checking) (CRLReason #4, superseded); 7. The CA obtains evidence that the Certificate was misused (CRLReason #9, privilegeWithdrawn); 
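Review bot: the "(see Section 7.2.2)" cross-reference added in this hunk is plain text, whereas the same sentence links its other references as markdown anchors (`[Section 6.1.5](#615-key-sizes)`, `[Section 6.1.6](#616-public-key-parameters-generation-and-quality-checking)`); use the same link form, `[Section 7.2.2](#722-crl-and-crl-entry-extensions)` or whatever the actual slug is, in both the 24-hour and 5-day sentences.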
@@ -1280,20 +1292,28 @@ No stipulation. **Note**: Following certificate issuance, a certificate may be revoked for reasons stated in [Section 4.9](#49-certificate-revocation-and-suspension). Therefore, relying parties should check the revocation status of all certificates that contain a CDP or OCSP pointer. -### 4.9.7 CRL issuance frequency (if applicable) +### 4.9.7 CRL issuance frequency -For the status of Subscriber Certificates: +CRLs must be available via a publicly-accessible HTTP URL (i.e., "published"). -If the CA publishes a CRL, then the CA SHALL update and reissue CRLs at least once every seven days, and the value of the `nextUpdate` field MUST NOT be more than ten days beyond the value of the `thisUpdate` field. +Within twenty-four (24) hours of issuing its first Certificate, the CA MUST generate and publish either: +- a full and complete CRL; OR +- partitioned (i.e., "sharded") CRLs that, when aggregated, represent the equivalent of a full and complete CRL. -For the status of Subordinate CA Certificates: +CAs issuing Subscriber Certificates: +1. MUST update and publish a new CRL at least every: + - seven (7) days if all Certificates include an Authority Information Access extension with an id-ad-ocsp accessMethod (“AIA OCSP pointer”); or + - four (4) days in all other cases; +2. MUST update and publish a new CRL within twenty-four (24) hours after recording a Certificate as revoked. -The CA SHALL update and reissue CRLs at least: +CAs issuing CA Certificates: +1. MUST update and publish a new CRL at least every twelve (12) months; +2. MUST update and publish a new CRL within twenty-four (24) hours after recording a Certificate as revoked. - i. once every twelve months; and - ii. within 24 hours after revoking a Subordinate CA Certificate. 
+CAs MUST continue issuing CRLs until one of the following is true: +- all Subordinate CA Certificates containing the same Subject Public Key are expired or revoked; OR +- the corresponding Subordinate CA Private Key is destroyed. -The value of the `nextUpdate` field MUST NOT be more than twelve months beyond the value of the `thisUpdate` field. ### 4.9.8 Maximum latency for CRLs (if applicable) @@ -1301,6 +1321,8 @@ No stipulation. ### 4.9.9 On-line revocation/status checking availability +The following SHALL apply for communicating the status of Certificates which include an Authority Information Access extension with an id-ad-ocsp accessMethod. + OCSP responses MUST conform to RFC6960 and/or RFC5019. OCSP responses MUST either: 1. Be signed by the CA that issued the Certificates whose revocation status is being checked, or @@ -1312,7 +1334,9 @@ defined by RFC6960. ### 4.9.10 On-line revocation checking requirements -OCSP responders operated by the CA SHALL support the HTTP GET method, as described in RFC 6960 and/or RFC 5019. +The following SHALL apply for communicating the status of Certificates which include an Authority Information Access extension with an id-ad-ocsp accessMethod. + +OCSP responders operated by the CA SHALL support the HTTP GET method, as described in RFC 6960 and/or RFC 5019. The CA MAY process the Nonce extension (`1.3.6.1.5.5.7.48.1.2`) in accordance with RFC 8954. The validity interval of an OCSP response is the difference in time between the `thisUpdate` and `nextUpdate` field, inclusive. For purposes of computing differences, a difference of 3,600 seconds shall be equal to one hour, and a difference of 86,400 seconds shall be equal to one day, ignoring leap-seconds. 
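Review bot: the rewritten 4.9.7 deletes both `nextUpdate` bounds ("MUST NOT be more than ten days beyond the value of the `thisUpdate` field" and "not more than twelve months") without a replacement in this section; if the bound now lives in the CRL profile, add an explicit cross-reference here so a CA reading only 4.9.7 does not conclude that `nextUpdate` is unconstrained. Two smaller points in the same hunk: "CRLs must be available via a publicly-accessible HTTP URL" uses lowercase "must" where the rest of the section uses RFC 2119 capitals, and the seven-day branch's condition "if all Certificates include an Authority Information Access extension with an id-ad-ocsp accessMethod" should say which population it means (suggest "all unexpired Certificates whose status the CRL covers"), since a CA with a mix of OCSP and non-OCSP certificates otherwise cannot tell which interval applies.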
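Review bot: the same preamble, "The following SHALL apply for communicating the status of Certificates which include an Authority Information Access extension with an id-ad-ocsp accessMethod.", is added verbatim to both 4.9.9 and 4.9.10 in the @@ -1301 and @@ -1312 hunks; state it once (at the top of 4.9.9) and have 4.9.10 refer back to it, so a future edit cannot leave the two copies disagreeing.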
@@ -1376,7 +1400,7 @@ Revocation entries on a CRL or OCSP Response MUST NOT be removed until after the ### 4.10.2 Service availability -The CA SHALL operate and maintain its CRL and OCSP capability with resources sufficient to provide a response time of ten seconds or less under normal operating conditions. +The CA SHALL operate and maintain its CRL and optional OCSP capability with resources sufficient to provide a response time of ten seconds or less under normal operating conditions. The CA SHALL maintain an online 24x7 Repository that application software can use to automatically check the current status of all unexpired Certificates issued by the CA. @@ -1428,7 +1452,7 @@ The CA's security program MUST include an annual Risk Assessment that: Based on the Risk Assessment, the CA SHALL develop, implement, and maintain a security plan consisting of security procedures, measures, and products designed to achieve the objectives set forth above and to manage and control the risks identified during the Risk Assessment, commensurate with the sensitivity of the Certificate Data and Certificate Management Processes. The security plan MUST include administrative, organizational, technical, and physical safeguards appropriate to the sensitivity of the Certificate Data and Certificate Management Processes. The security plan MUST also take into account then-available technology and the cost of implementing the specific measures, and SHALL implement a reasonable level of security appropriate to the harm that might result from a breach of security and the nature of the data to be protected. -## 5.1 PHYSICAL SECURITY CONTROLS +## 5.1 Physical Security Controls ### 5.1.1 Site location and construction 
@@ -1714,7 +1738,7 @@ Private Keys corresponding to Root Certificates MUST NOT be used to sign Certifi ## 6.2 Private Key Protection and Cryptographic Module Engineering Controls -The CA SHALL implement physical and logical safeguards to prevent unauthorized certificate issuance. Protection of the CA Private Key outside the validated system or device specified above MUST consist of physical security, encryption, or a combination of both, implemented in a manner that prevents disclosure of the Private Key. The CA SHALL encrypt its Private Key with an algorithm and key-length that, according to the state of the art, are capable of withstanding cryptanalytic attacks for the residual life of the encrypted key or key part. +The CA SHALL implement physical and logical safeguards to prevent unauthorized certificate issuance. Protection of the CA Private Key outside the validated system or device specified in [Section 6.2.7](#627-private-key-storage-on-cryptographic-module) MUST consist of physical security, encryption, or a combination of both, implemented in a manner that prevents disclosure of the Private Key. The CA SHALL encrypt its Private Key with an algorithm and key-length that, according to the state of the art, are capable of withstanding cryptanalytic attacks for the residual life of the encrypted key or key part. ### 6.2.1 Cryptographic module standards and controls 
@@ -1752,9 +1776,7 @@ The CA SHALL protect its Private Key in a system or device that has been validat ### 6.3.2 Certificate operational periods and key pair usage periods -Subscriber Certificates issued on or after 1 September 2020 SHOULD NOT have a Validity Period greater than 397 days and MUST NOT have a Validity Period greater than 398 days. -Subscriber Certificates issued after 1 March 2018, but prior to 1 September 2020, MUST NOT have a Validity Period greater than 825 days. -Subscriber Certificates issued after 1 July 2016 but prior to 1 March 2018 MUST NOT have a Validity Period greater than 39 months. +Subscriber Certificates issued on or after 1 September 2020 SHOULD NOT have a Validity Period greater than 397 days and MUST NOT have a Validity Period greater than 398 days. For the purpose of calculations, a day is measured as 86,400 seconds. Any amount of time greater than this, including fractional seconds and/or leap seconds, shall represent an additional day. For this reason, Subscriber Certificates SHOULD NOT be issued for the maximum permissible time by default, in order to account for such adjustments. 
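Review bot: deleting the two historical limits in 6.3.2 (825 days for certificates issued between 1 March 2018 and 1 September 2020, 39 months before that) is safe only because every certificate issued under them has expired: 1 September 2020 plus 825 days is early December 2022, well before this version's 8-January-2024 date. Record that rationale in the changelog entry so a reader of the diff does not mistake the removal for a relaxation of the validity-period rule.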
@@ -2373,12 +2395,14 @@ In addition, `subject` Attributes MUST NOT contain only metadata such as '.', '- | `nameConstraints` | MUST NOT | - | - | | `keyUsage` | SHOULD | Y | See [Section 7.1.2.7.11](#712711-subscriber-certificate-key-usage) | | `basicConstraints` | MAY | Y | See [Section 7.1.2.7.8](#71278-subscriber-certificate-basic-constraints) | -| `crlDistributionPoints` | MAY | N | See [Section 7.1.2.11.2](#712112-crl-distribution-points) | +| `crlDistributionPoints` | * | N | See [Section 7.1.2.11.2](#712112-crl-distribution-points) | | Signed Certificate Timestamp List | MAY | N | See [Section 7.1.2.11.3](#712113-signed-certificate-timestamp-list) | | `subjectKeyIdentifier` | NOT RECOMMENDED | N | See [Section 7.1.2.11.4](#712114-subject-key-identifier) | | Any other extension | NOT RECOMMENDED | - | See [Section 7.1.2.11.5](#712115-other-extensions) | -**Note**: whether or not the `subjectAltName` extension should be marked Critical depends on the contents of the Certificate's `subject` field, as detailed in [Section 7.1.2.7.12](#712712-subscriber-certificate-subject-alternative-name). +**Notes**: +- whether or not the `subjectAltName` extension should be marked Critical depends on the contents of the Certificate's `subject` field, as detailed in [Section 7.1.2.7.12](#712712-subscriber-certificate-subject-alternative-name). +- whether or not the CRL Distribution Points extension must be present depends on 1) whether the Certificate includes an Authority Information Access extension with an id-ad-ocsp accessMethod and 2) the Certificate's validity period, as detailed in [Section 7.1.2.11.2](#712112-crl-distribution-points). ##### 7.1.2.7.7 Subscriber Certificate Authority Information Access 
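Review bot: the Presence cell for `crlDistributionPoints` is changed to a bare "*", a marker the table's other rows never use and that nothing in the table explains until the reader reaches the Notes list below; either spell the condition out in the cell (e.g. "MUST if no AIA OCSP pointer and not Short-lived, otherwise MAY") or use an explicit "See Note" so the table stands on its own. The new note bullet also says "must be present" in lowercase where the document otherwise uses MUST.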
@@ -2388,7 +2412,7 @@ The `AuthorityInfoAccessSyntax` MAY contain multiple `AccessDescription`s with t | __Access Method__ | __OID__ | __Access Location__ | __Presence__ | __Maximum__ | __Description__ | | -- | -- | ---- | - | - | --- | -| `id-ad-ocsp` | 1.3.6.1.5.5.7.48.1 | `uniformResourceIdentifier` | MUST | \* | A HTTP URL of the Issuing CA's OCSP responder. | +| `id-ad-ocsp` | 1.3.6.1.5.5.7.48.1 | `uniformResourceIdentifier` | MAY | \* | A HTTP URL of the Issuing CA's OCSP responder. | | `id-ad-caIssuers` | 1.3.6.1.5.5.7.48.2 | `uniformResourceIdentifier` | SHOULD | \* | A HTTP URL of the Issuing CA's certificate. | | Any other value | - | - | MUST NOT | - | No other `accessMethod`s may be used. | 
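Review bot: changing `id-ad-ocsp` from MUST to MAY in the Subscriber Certificate AIA profile creates a dependency that this table does not show: a Subscriber Certificate that omits the OCSP pointer must carry a CRL Distribution Points extension unless it is Short-lived (7.1.2.11.2). Suggest a one-line note under this table pointing at 7.1.2.11.2 so the constraint is visible from both profiles rather than only from the CDP section.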
@@ -2543,7 +2567,7 @@ If the Issuing CA does not directly sign OCSP responses, it MAY make use of an O For OCSP Responder certificates, this extension is NOT RECOMMENDED, as the Relying Party should already possess the necessary information. In order to validate the given Responder certificate, the Relying Party must have access to the Issuing CA's certificate, eliminating the need to provide `id-ad-caIssuers`. Similarly, because of the requirement for an OCSP Responder certificate to include the `id-pkix-ocsp-nocheck` extension, it is not necessary to provide `id-ad-ocsp`, as such responses will not be checked by Relying Parties. -If present, the `AuthorityInformationAccesssSyntax` MUST contain one or more `AccessDescription`s. Each `AccessDescription` MUST only contain a permitted `accessMethod`, as detailed below, and each `AuthorityInfoAccessSyntax` MUST contain all required `AccessDescription`s. +If present, the `AuthorityInfoAccessSyntax` MUST contain one or more `AccessDescription`s. Each `AccessDescription` MUST only contain a permitted `accessMethod`, as detailed below, and each `AuthorityInfoAccessSyntax` MUST contain all required `AccessDescription`s. | __Access Method__ | __OID__ | __Access Location__ | __Presence__ | __Maximum__ | __Description__ | | -- | -- | ---- | - | - | --- | 
@@ -2748,7 +2772,7 @@ The `AuthorityInfoAccessSyntax` MAY contain multiple `AccessDescription`s with t | __Access Method__ | __OID__ | __Access Location__ | __Presence__ | __Maximum__ | __Description__ | | -- | -- | ---- | - | - | --- | -| `id-ad-ocsp` | 1.3.6.1.5.5.7.48.1 | `uniformResourceIdentifier` | SHOULD | \* | A HTTP URL of the Issuing CA's OCSP responder. | +| `id-ad-ocsp` | 1.3.6.1.5.5.7.48.1 | `uniformResourceIdentifier` | MAY | \* | A HTTP URL of the Issuing CA's OCSP responder. | | `id-ad-caIssuers` | 1.3.6.1.5.5.7.48.2 | `uniformResourceIdentifier` | MAY | \* | A HTTP URL of the Issuing CA's certificate. | | Any other value | - | - | MUST NOT | - | No other `accessMethod`s may be used. | @@ -2887,7 +2911,24 @@ This section contains several fields that are common among multiple certificate ##### 7.1.2.11.2 CRL Distribution Points -If present, the CRL Distribution Points extension MUST contain at least one `DistributionPoint`; containing more than one is NOT RECOMMENDED. All `DistributionPoint` items must be formatted as follows: +The CRL Distribution Points extension MUST be present in: + +- Subordinate CA Certificates; and +- Subscriber Certificates that 1) do not qualify as "Short-lived Subscriber Certificates" and 2) do not include an Authority Information Access extension with an id-ad-ocsp accessMethod. + +The CRL Distribution Points extension SHOULD NOT be present in: + +- Root CA Certificates. + +The CRL Distribution Points extension is OPTIONAL in: + +- Short-lived Subscriber Certificates. + +The CRL Distribution Points extension MUST NOT be present in: + +- OCSP Responder Certificates. + +When present, the CRL Distribution Points extension MUST contain at least one `DistributionPoint`; containing more than one is NOT RECOMMENDED. All `DistributionPoint` items must be formatted as follows: Table: `DistributionPoint` profile 
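Review bot: the four presence lists added to 7.1.2.11.2 do not cover every Subscriber Certificate: a Certificate that is not Short-lived but does include an Authority Information Access extension with an `id-ad-ocsp` accessMethod fails condition 2 of the "MUST be present" list and is not in the "OPTIONAL" list, which names only Short-lived Subscriber Certificates. The intent is clearly that the extension is optional for it, so add a second OPTIONAL bullet, e.g. `- Subscriber Certificates that include an Authority Information Access extension with an `id-ad-ocsp` accessMethod.` This also makes the list consistent with the preceding hunk, which relaxes `id-ad-ocsp` to MAY for Subordinate CA Certificates now that every Subordinate CA Certificate MUST carry a CRL Distribution Points extension. Two smaller points: `id-ad-ocsp` appears here without backticks while the AIA tables use backticks, and the retained sentence "All `DistributionPoint` items must be formatted as follows" uses a lowercase "must" where the rest of the section uses the RFC 2119 keyword.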
@@ -2907,7 +2948,7 @@ Each `SignedCertificateTimestamp` included within the `SignedCertificateTimestam ##### 7.1.2.11.4 Subject Key Identifier -If present, the `subjectKeyIdentifier` MUST be set as defined within [RFC 5280, Section 4.2.1.2](https://tools.ietf.org/html/rfc5280#section-4.2.1.2). The CA MUST generate a `subjectKeyIdentifier` that is unique within the scope of all Certificates it has issued for each unique public key (the `subjectPublicKeyInfo` field of the `tbsCertificate`). For example, CAs may generate the subject key identifier using an algorithm derived from the public key, or may generate a sufficiently-large unique number, such by using a CSPRNG. +If present, the `subjectKeyIdentifier` MUST be set as defined within [RFC 5280, Section 4.2.1.2](https://tools.ietf.org/html/rfc5280#section-4.2.1.2). The CA MUST generate a `subjectKeyIdentifier` that is unique within the scope of all Certificates it has issued for each unique public key (the `subjectPublicKeyInfo` field of the `tbsCertificate`). For example, CAs may generate the subject key identifier using an algorithm derived from the public key, or may generate a sufficiently-large unique number, such as by using a CSPRNG. ##### 7.1.2.11.5 Other Extensions @@ -3125,6 +3166,8 @@ Before including such an attribute, the CA SHALL: * Document the attributes within Section 7.1.4 of their CP or CPS, along with the applicable validation practices. * Ensure that the contents contain information that has been verified by the CA, independent of the Applicant. +### 7.1.5 Name constraints + ### 7.1.6 Certificate policy object identifier #### 7.1.6.1 Reserved Certificate Policy Identifiers 
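Review bot: the new `### 7.1.5 Name constraints` heading is inserted with no body, so the rendered document gains an empty section between 7.1.4 and 7.1.6 and a dangling entry in the table of contents. Either add the text that belongs there or at least a cross-reference to the place that actually profiles `nameConstraints` (the Subscriber Certificate extension table earlier in this patch already lists `nameConstraints` as MUST NOT for Subscriber Certificates), so the heading is not a placeholder that readers have to interpret for themselves.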
@@ -3147,44 +3190,101 @@ The following Certificate Policy identifiers are reserved for use by CAs as an o ## 7.2 CRL profile +Prior to 2024‐03‐15, the CA SHALL issue CRLs in accordance with the profile specified in these Requirements or the profile specified in Version 1.8.7 of the Baseline Requirements for the Issuance and Management of Publicly‐Trusted Certificates. Effective 2024‐03‐15, the CA SHALL issue CRLs in accordance with the profile specified in these Requirements. + +If the CA asserts compliance with these Baseline Requirements, all CRLs that it issues MUST comply with the following CRL profile, which incorporates, and is derived from [RFC 5280](https://tools.ietf.org/html/rfc5280). Except as explicitly noted, all normative requirements imposed by RFC 5280 shall apply, in addition to the normative requirements imposed by this document. CAs SHOULD examine [RFC 5280, Appendix B](https://tools.ietf.org/html/rfc5280#appendix-B) for further issues to be aware of. + +A full and complete CRL is a CRL whose scope includes all Certificates issued by the CA. + +A partitioned CRL (sometimes referred to as a "sharded CRL") is a CRL with a constrained scope, such as all Certificates issued by the CA during a certain period of time ("temporal sharding"). Aside from the presence of the Issuing Distribution Point extension (OID 2.5.29.28) in partitioned CRLs, both CRL formats are syntactically the same from the perspective of this profile. + +Minimally, CAs MUST issue either a "full and complete" CRL or a set of "partitioned" CRLs which cover the complete set of Certificates issued by the CA. In other words, if issuing only partitioned CRLs, the combined scope of those CRLs must be equivalent to that of a full and complete CRL. + +CAs MUST NOT issue indirect CRLs (i.e., the issuer of the CRL is not the issuer of all Certificates that are included in the scope of the CRL). 
+ +Table: CRL Fields + +| __Field__ | __Presence__ | __Description__ | +| --- | ------ | ------ | +| `tbsCertList` | | | +|     `version` | MUST | MUST be v2(1), see [Section 7.2.1](#721-version-numbers) | +|     `signature` | MUST | See [Section 7.1.3.2](#7132-signature-algorithmidentifier) | +|     `issuer` | MUST | MUST be byte-for-byte identical to the `subject` field of the Issuing CA. | +|     `thisUpdate` | MUST | Indicates the issue date of the CRL. | +|     `nextUpdate` | MUST | Indicates the date by which the next CRL will be issued. For CRLs covering Subscriber Certificates, at most 10 days after the `thisUpdate`. For other CRLs, at most 12 months after the `thisUpdate`. | +|     `revokedCertificates` | * | MUST be present if the CA has issued a Certificate that has been revoked and the corresponding entry has yet to appear on at least one regularly scheduled CRL beyond the revoked Certificate's validity period. The CA SHOULD remove an entry for a corresponding Certificate after it has appeared on at least one regularly scheduled CRL beyond the revoked Certificate's validity period. See the "revokedCertificates Component" table for additional requirements. | +|     `extensions` | MUST | See the "CRL Extensions" table for additional requirements. | +| `signatureAlgorithm` | MUST | Encoded value MUST be byte-for-byte identical to the `tbsCertList.signature`. | +| `signature` | MUST | - | +| Any other value | NOT RECOMMENDED | - | + ### 7.2.1 Version number(s) +Certificate Revocation Lists MUST be of type X.509 v2. + ### 7.2.2 CRL and CRL entry extensions -1. `reasonCode` (OID 2.5.29.21) +Table: CRL Extensions - If present, this extension MUST NOT be marked critical. 
+| __Extension__ | __Presence__ | __Critical__ | __Description__ | +| ---- | - | - | ----- | +| `authorityKeyIdentifier` | MUST | N | See [Section 7.1.2.11.1](#712111-authority-key-identifier) | +| `CRLNumber` | MUST | N | MUST contain an INTEGER greater than or equal to zero (0) and less than 2¹⁵⁹, and convey a strictly increasing sequence. | +| `IssuingDistributionPoint` | * | Y | See [Section 7.2.2.1 CRL Issuing Distribution Point](#7221-crl-issuing-distribution-point) | +| Any other extension | NOT RECOMMENDED | - | - | - If a CRL entry is for a Root CA or Subordinate CA Certificate, including Cross-Certified Subordinate CA Certificates, this CRL entry extension MUST be present. - If a CRL entry is for a Certificate not technically capable of causing issuance, this CRL entry extension SHOULD be present, but MAY be omitted, subject to the following requirements. +Table: revokedCertificates Component - The `CRLReason` indicated MUST NOT be unspecified (0). If the reason for revocation is unspecified, CAs MUST omit `reasonCode` entry extension, if allowed by the previous requirements. - If a CRL entry is for a Certificate not subject to these Requirements and was either issued on-or-after 2020-09-30 or has a `notBefore` on-or-after 2020-09-30, the `CRLReason` MUST NOT be certificateHold (6). - If a CRL entry is for a Certificate subject to these Requirements, the `CRLReason` MUST NOT be certificateHold (6). +| __Component__ | __Presence__ | __Description__ | +| ---- | - | ----- | +| `serialNumber` | MUST | MUST be byte-for-byte identical to the serialNumber contained in the revoked Certificate. | +| `revocationDate` | MUST | Normally, the date and time revocation occurred. See the footnote following this table for circumstances where backdating is permitted. | +| `crlEntryExtensions` | * | See the "crlEntryExtensions Component" table for additional requirements. 
| - If a `reasonCode` CRL entry extension is present, the `CRLReason` MUST indicate the most appropriate reason for revocation of the Certificate. - - CRLReason MUST be included in the `reasonCode` extension of the CRL entry corresponding to a Subscriber Certificate that is revoked after July 15, 2023, unless the CRLReason is "unspecified (0)". Revocation reason code entries for Subscriber Certificates revoked prior to July 15, 2023, do NOT need to be added or changed. +**Note:** The CA SHOULD update the revocation date in a CRL entry when it is determined that the private key of the Certificate was compromised prior to the revocation date that is indicated in the CRL entry for that Certificate. Backdating the revocationDate field is an exception to best practice described in RFC 5280 (Section 5.3.2); however, these requirements specify the use of the revocationDate field to support TLS implementations that process the revocationDate field as the date when the Certificate is first considered to be compromised. 
-Only the following CRLReasons MAY be present in the CRL `reasonCode` extension for Subscriber Certifificates: +Table: crlEntryExtensions Component - * **keyCompromise (RFC 5280 CRLReason #1):** Indicates that it is known or suspected that the Subscriber’s Private Key has been compromised; - * **affiliationChanged (RFC 5280 CRLReason #3):** Indicates that the Subject's name or other Subject Identity Information in the Certificate has changed, but there is no cause to suspect that the Certificate's Private Key has been compromised; - * **superseded (RFC 5280 CRLReason #4):** Indicates that the Certificate is being replaced because: the Subscriber has requested a new Certificate, the CA has reasonable evidence that the validation of domain authorization or control for any fully‐qualified domain name or IP address in the Certificate should not be relied upon, or the CA has revoked the Certificate for compliance reasons such as the Certificate does not comply with these Baseline Requirements or the CA's CP or CPS; - * **cessationOfOperation (RFC 5280 CRLReason #5):** Indicates that the website with the Certificate is shut down prior to the expiration of the Certificate, or if the Subscriber no longer owns or controls the Domain Name in the Certificate prior to the expiration of the Certificate; or - * **privilegeWithdrawn (RFC 5280 CRLReason #9):** Indicates that there has been a subscriber-side infraction that has not resulted in keyCompromise, such as the Certificate Subscriber provided misleading information in their Certificate Request or has not upheld their material obligations under the Subscriber Agreement or Terms of Use. +| __CRL Entry Extension__ | __Presence__ | __Description__ | +| --- | - | ------ | +| `reasonCode` | * | When present (OID 2.5.29.21), MUST NOT be marked critical and MUST indicate the most appropriate reason for revocation of the Certificate.

MUST be present unless the CRL entry is for a Certificate not technically capable of causing issuance and either 1) the CRL entry is for a Subscriber Certificate subject to these Requirements revoked prior to July 15, 2023 or 2) the reason for revocation (i.e., reasonCode) is unspecified (0).

See the "CRLReasons" table for additional requirements. | +| Any other value | NOT RECOMMENDED | - | + +Table: CRLReasons + +| __RFC 5280 reasonCode__ | __RFC 5280 reasonCode value__ | __Description__ | +| --- | - | ------ | +| unspecified | 0 | Represented by the omission of a reasonCode. MUST be omitted if the CRL entry is for a Certificate not technically capable of causing issuance unless the CRL entry is for a Subscriber Certificate subject to these Requirements revoked prior to July 15, 2023. +| keyCompromise | 1 | Indicates that it is known or suspected that the Subscriber’s Private Key has been compromised. | +| affiliationChanged | 3 | Indicates that the Subject's name or other Subject Identity Information in the Certificate has changed, but there is no cause to suspect that the Certificate's Private Key has been compromised. | +| superseded | 4 | Indicates that the Certificate is being replaced because: the Subscriber has requested a new Certificate, the CA has reasonable evidence that the validation of domain authorization or control for any fully‐qualified domain name or IP address in the Certificate should not be relied upon, or the CA has revoked the Certificate for compliance reasons such as the Certificate does not comply with these Baseline Requirements or the CA's CP or CPS. | +| cessationOfOperation | 5 | Indicates that the website with the Certificate is shut down prior to the expiration of the Certificate, or if the Subscriber no longer owns or controls the Domain Name in the Certificate prior to the expiration of the Certificate. +| certificateHold | 6 | MUST NOT be included if the CRL entry is for 1) a Certificate subject to these Requirements, or 2) a Certificate not subject to these Requirements and was either A) issued on-or-after 2020-09-30 or B) has a `notBefore` on-or-after 2020-09-30. 
+| privilegeWithdrawn | 9 | Indicates that there has been a subscriber-side infraction that has not resulted in keyCompromise, such as the Certificate Subscriber provided misleading information in their Certificate Request or has not upheld their material obligations under the Subscriber Agreement or Terms of Use. | The Subscriber Agreement, or an online resource referenced therein, MUST inform Subscribers about the revocation reason options listed above and provide explanation about when to choose each option. Tools that the CA provides to the Subscriber MUST allow for these options to be easily specified when the Subscriber requests revocation of their Certificate, with the default value being that no revocation reason is provided (i.e. the default corresponds to the CRLReason “unspecified (0)” which results in no reasonCode extension being provided in the CRL). The privilegeWithdrawn reasonCode SHOULD NOT be made available to the Subscriber as a revocation reason option, because the use of this reasonCode is determined by the CA and not the Subscriber. -When a CA obtains verifiable evidence of Key Compromise for a Certificate whose CRL entry does not contain a reasonCode extension or has a reasonCode extension with a non-keyCompromise reason, the CA SHOULD update the CRL entry to enter keyCompromise as the CRLReason in the reasonCode extension. Additionally, the CA SHOULD update the revocation date in a CRL entry when it is determined that the private key of the certificate was compromised prior to the revocation date that is indicated in the CRL entry for that certificate. +When a CA obtains verifiable evidence of Key Compromise for a Certificate whose CRL entry does not contain a reasonCode extension or has a reasonCode extension with a non-keyCompromise reason, the CA SHOULD update the CRL entry to enter keyCompromise as the CRLReason in the reasonCode extension. 
+ +#### 7.2.2.1 CRL Issuing Distribution Point + +Partitioned CRLs MUST contain an Issuing Distribution Point extension. The `distributionPoint` field of the Issuing Distribution Point extension MUST be present. Additionally, the `fullName` field of the DistributionPointName value MUST be present, and its value MUST conform to the following requirements: + +1. If a Certificate within the scope of the CRL contains a CRL Distribution Points extension, then at least one of the `uniformResourceIdentifiers` in the CRL Distribution Points's `fullName` field MUST be included in the `fullName` field of the CRL's Issuing Distribution Point extension. The encoding of the `uniformResourceIdentifier` value in the Issuing Distribution Point extension SHALL be byte-for-byte identical to the encoding used in the Certificate's CRL Distribution Points extension. +2. Other GeneralNames of type `uniformResourceIdentifier` MAY be included. +3. Non-`uniformResourceIdentifier` GeneralName types MUST NOT be included. + +The `indirectCRL` and `onlyContainsAttributeCerts` fields MUST be set to `FALSE` (i.e., not asserted). + +The CA MAY set either of the `onlyContainsUserCerts` and `onlyContainsCACerts` fields to `TRUE`, depending on the scope of the CRL. + +The CA MUST NOT assert both of the `onlyContainsUserCerts` and `onlyContainsCACerts` fields. -Note: Backdating the revocationDate field is an exception to best practice described in RFC 5280 (section 5.3.2); however, these requirements specify the use of the revocationDate field to support TLS implementations that process the revocationDate field as the date when the Certificate is first considered to be compromised. - -2. `issuingDistributionPoint` (OID 2.5.29.28) +The `onlySomeReasons` field SHOULD NOT be included; if included, then the CA MUST provide another CRL whose scope encompasses all revocations regardless of reason code. 
- Effective 2023-01-15, if a CRL does not contain entries for all revoked unexpired certificates issued by the CRL issuer, then it MUST contain a critical Issuing Distribution Point extension and MUST populate the `distributionPoint` field of that extension. +This extension is NOT RECOMMENDED for full and complete CRLs. ## 7.3 OCSP profile From 65b69fe0ab5365a002c3d4b668d3f2ab81079411 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Fri, 19 Jan 2024 13:07:09 +0100 Subject: [PATCH 47/48] Update BRs with the new EVGs section numbers.md Changed sections 3.2.2.4.7 and 7.1.2.7.5, updating the following: Section 3.2.2.4.7 EVG 11.14.3 to new 3.2.2.14.3 Section 7.1.2.7.5 EVG 9.2 to new 7.1.4.2 --- docs/BR.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/BR.md b/docs/BR.md index c85365b1..de52a1fb 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -1,9 +1,9 @@ --- title: Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates -subtitle: Version 2.0.2 +subtitle: Version 2.0.3 author: - CA/Browser Forum -date: 8-January-2024 +date: 19-January-2024 copyright: | 
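Review bot: the `reasonCode` row of the "crlEntryExtensions Component" table is written as one cell spread over five source lines with two blank lines inside it ("When present (OID 2.5.29.21), MUST NOT be marked critical ...", then "MUST be present unless ...", then "See the "CRLReasons" table for additional requirements. |"); pipe tables cannot carry cell content across lines, and the first blank line ends the table, so the "Any other value" row that follows will not render as part of it and the two trailing sentences render as loose paragraphs. Collapse the cell onto a single line (or separate the three normative sentences with whatever marker the toolchain accepts) without dropping any of the three statements. Related layout issues in the same hunk: the `unspecified`, `cessationOfOperation` and `certificateHold` rows of the CRLReasons table lack the closing `|` that every other row has, and the `crlEntryExtensions` row of the revokedCertificates table has its closing `|` wrapped onto the following line. Wording: "CRL Distribution Points's `fullName` field" in 7.2.2.1 item 1 should read "CRL Distribution Points extension's `fullName` field", and the `issuer` row's "identical to the `subject` field of the Issuing CA" should say "of the Issuing CA's Certificate", since the CA itself has no `subject` field.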
@@ -767,7 +767,7 @@ Confirming the Applicant's control over the FQDN by confirming the presence of a If a Random Value is used, the CA SHALL provide a Random Value unique to the Certificate request and SHALL not use the Random Value after i. 30 days or - ii. if the Applicant submitted the Certificate request, the time frame permitted for reuse of validated information relevant to the Certificate (such as in [Section 4.2.1](#421-performing-identification-and-authentication-functions) of these Guidelines or Section 11.14.3 of the EV Guidelines). + ii. if the Applicant submitted the Certificate request, the time frame permitted for reuse of validated information relevant to the Certificate (such as in [Section 4.2.1](#421-performing-identification-and-authentication-functions) of these Guidelines or Section 3.2.2.14.3 of the EV Guidelines). **Note**: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the Domain Labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names. @@ -2377,7 +2377,7 @@ For a Subscriber Certificate to be Extended Validation, it MUST comply with the | __Field__ | __Requirements__ | | -- | ------- | -| `subject` | See Guidelines for the Issuance and Management of Extended Validation Certificates, Section 9.2. | +| `subject` | See Guidelines for the Issuance and Management of Extended Validation Certificates, Section 7.1.4.2. | | `certificatePolicies` | MUST be present. MUST assert the [Reserved Certificate Policy Identifier](#7161-reserved-certificate-policy-identifiers) of `2.23.140.1.1` as a `policyIdentifier`. See [Section 7.1.2.7.9](#71279-subscriber-certificate-certificate-policies). | | All other extensions | See [Section 7.1.2.7.6](#71276-subscriber-certificate-extensions) and the Guidelines for the Issuance and Management of Extended Validation Certificates. | From dedeebfe036fa5a6f0d7ae985ea08317ba60b8cb Mon Sep 17 00:00:00 2001 
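Review bot: the context line at the top of the @@ -767 hunk reads "SHALL not use the Random Value after", and a lowercase "not" means "SHALL not" is not an RFC 2119 keyword; while this paragraph is being touched for the EVG renumbering it should become "SHALL NOT". On the renumbering itself: "Section 3.2.2.14.3 of the EV Guidelines" is only meaningful for the EVG version that introduced the new layout, just as the old "Section 11.14.3" was only meaningful for the earlier one, so cite the EVG version (or "the current version of the EV Guidelines") next to the section number so the cross-reference does not silently break again the next time the EVG is restructured.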
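Review bot: in the @@ -2377 hunk the `subject` row now points at "Section 7.1.4.2" of the EV Guidelines, which carries the same risk as the previous hunk: a bare section number identifies nothing unless the EVG version is named. Also worth confirming that 7.1.4.2 is the whole subject profile in the new EVG numbering and not only the organization identifier subsection (the following patch links to 7.1.4.2.8, "subject-organization-identifier-field"), so the replacement is not narrower than the "Section 9.2" reference it replaces.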
From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Tue, 20 Feb 2024 13:58:58 +0100 Subject: [PATCH 48/48] Update EVG.md Updated section 7.1.2.2 to fix the link to section 7.1.4.2.8 --- docs/EVG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/EVG.md b/docs/EVG.md index c27b75a7..0a6d580d 100644 --- a/docs/EVG.md +++ b/docs/EVG.md @@ -1300,7 +1300,7 @@ CABFOrganizationIdentifier ::= SEQUENCE { } ``` -where the subfields have the same values, meanings, and restrictions described in [Section 7.1.4.2.1](#71428-subject-organization-identifier-field). The CA SHALL validate the contents using the requirements in [Section 7.1.4.2.1](#71428-subject-organization-identifier-field). +where the subfields have the same values, meanings, and restrictions described in [Section 7.1.4.2.8](#71428-subject-organization-identifier-field). The CA SHALL validate the contents using the requirements in [Section 7.1.4.2.8](#71428-subject-organization-identifier-field). ### 7.1.3 Algorithm object identifiers ### 7.1.4 Name forms
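Review bot: the commit message ("fix the link to section 7.1.4.2.8") reads as though the link target was wrong, but the anchor `#71428-subject-organization-identifier-field` was already correct in both links; only the displayed section number said 7.1.4.2.1. State that in the message ("link text said 7.1.4.2.1, anchor already pointed at 7.1.4.2.8") so anyone bisecting later does not go looking for a target change. The fix itself is right: after the change the text and the anchor agree in both occurrences on the line.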