This section presents the requirements for validation of certificate applications to be performed by the applicable IA or by an authorized local registration authority. It also explains the procedures for applications that fail validation.
5.1.3 Third-Party Confirmation of Business Entity Information
5.1.5 InterNIC Domain Name Confirmation & Serial Number Assignment
5.2 Approval of Class 1 or 3 Certificate Applications
Upon receipt of a certificate application (per CPS Section 4 -- Certificate Application Procedures) the IA shall perform all required validations as a prerequisite to certificate issuance (per CPS Section 6 -- Issuance of Certificates), as follows.
The IA shall confirm that:
(a) the certificate applicant is the person identified in the request (in accordance with and only to the extent provided in the certificate class descriptions, see CPS Section 2, and as further described below),
(b) the certificate applicant rightfully holds the private key corresponding to the public key to be listed in the certificate (this obligation may be satisfied by a statement to this effect from the certificate applicant),
(c) the information to be listed in the certificate is accurate, except for nonverified subscriber information (NSI), and
(d) any agents who apply for a certificate listing the certificate applicant's public key (permissible for Class 3 certificates, for business entities only) are duly authorized to make such a request.
Once a certificate is issued, the IA shall have no continuing duty to monitor and investigate the accuracy of the information in a certificate, unless the IA is notified in accordance with this CPS of that certificate's compromise.
Table 7 (Validation Requirements for Certificate Applications) highlights certain differences between the validation requirements for each certificate class. VeriSign reserves the right to update these validation procedures to improve the validation process. Further details concerning validations are presented below. Updated validation procedures (when released) are presented in the VeriSign repository at https://www.verisign.com/repository/updates and may also be obtained from VeriSign, Inc., 1390 Shorebird Way, Mountain View, CA 94043 USA Attn. Certification Services.
| Validation Requirements | Class 1 | Class 2 | Class 3 |
|---|---|---|---|
| Personal presence | No | No | Yes - Individuals: Before a notary or LRA (except non-VeriSign organizational LRA applicants); Organizations: Optional |
| Personal investigation (for individuals) | No | No | Yes - Individuals: By a notary in conjunction with the notary's acknowledgment of the certificate application |
| Third-party automated confirmation of personal (individual) data | No | Yes | Yes (see description below) |
| Third-party confirmation of business entities | n/a | n/a | Yes (see description below) |
| Postal address confirmation | n/a | Yes (see below) | n/a |
| InterNIC domain name confirmation | n/a | n/a | Yes (see description below) |
| Export controls confirmation | n/a | n/a | Yes, for Export Control Certificates (see description below) |
TABLE 7 -- VALIDATION REQUIREMENTS FOR CERTIFICATE APPLICATIONS
In order to effect an appropriate binding between the applicant and the applicant's public key, individuals applying for Class 3 certificates must appear personally before a trusted entity (such as a notary or an LRA) to facilitate the confirmation of their identity. A personal presence requirement has many variables (depending upon the class and type of certificate), including but not limited to specified identification documents.
Where required, a third party confirms personal information provided by the certificate applicant by comparing it to the third party's databases. Confirmation is achieved if the certificate applicant's data is consistent with the database information, based on VeriSign's custom matching algorithm or another appropriate determination process.
On-line investigation provides some assurance of identity by comparing certificate applicant identity information against credit bureau databases. These databases may also provide confirmation of the applicant's address. The scope of on-line investigations is, however, subject to individual countries' data protection laws. Special procedures may also be implemented by an IA, depending on the requirements of the certificate applicant and the class of certificate to be issued.
Where required, the third party confirms the business entity's name, address, and other registration information through comparison with third-party databases and through inquiry to the appropriate government entities. Confirmation of information of companies, banks, and their agents requires certain customized (and possibly localized) procedures focusing on specific business-related criteria (such as proper business registration). The third party also provides telephone numbers that are used for out-of-band communications with the business entity to confirm certain information (for example, to confirm an agent's position within the business entity or to confirm that the particular individual listed in the application is in fact the applicant). If its databases do not contain all the information required, the third party may undertake an investigation, if requested by the IA, or the certificate applicant may be required to provide additional information and proof.
Upon issuance of a Class 2 (provisional) certificate, the IA shall send a corroboration letter (via first class mail) to the postal address submitted in the certificate application and confirmed (via third party database - see CPS Section 5.1.2). This corroboration procedure provides further confirmation that the subscriber's address matches the address listed in the certificate application and therefore provides further assurances that the subscriber is who he or she purports to be.
The corroboration letter (letter) contains a personal identification number (PIN) that is intended to enhance the authentication of the certificate applicant. The letter instructs the recipient (of the letter) to request cancellation of the application process and revocation of the certificate in the event the certificate application is determined to have been submitted by an imposter. This cancellation procedure is available only during the certificate's provisional period, and is distinct from certificate revocation procedures. If revocation has not occurred during the provisional period, the provisional certificate shall become a normal certificate thereafter. Postal address confirmation does not apply to Class 2 certificates approved by non-VeriSign organizational LRAs.
The naming authority used by an IA and VeriSign shall have sole discretion regarding the assignment of relative distinguished names (RDNs) and certificate serial numbers appearing in the certificates they issue. IAs shall use the InterNIC for resolving RDN assignment where appropriate. For information about InterNIC procedures and assurances, see http://www.internic.net/.
5.1.6 Export Controls Confirmation
In addition to the other validations undertaken for Class 3 certificates, VeriSign shall perform the following confirmations as a condition of issuing Export Control Certificates for installation on a server.
(i) VeriSign shall require the certificate applicant to identify the country in which such server shall be located in the certificate application. The certificate applicant's identification of such country shall constitute a representation and warranty that such server is in fact located in the identified country.
(ii) If the certificate applicant represents and warrants that such server shall be located in the United States, VeriSign shall confirm that the country field in the certificate application specifies "U.S." VeriSign shall also confirm that information obtained from a reliable third-party database (see CPS Section 5.1.3) indicates that the entity identified in the "organizational contact information" field of the certificate application is located within the United States.
(iii) If the certificate applicant represents and warrants that such server will be located outside of the United States, VeriSign shall confirm that the certificate applicant appears on a list provided by the web server software manufacturer. Each entry on the list shall contain: (a) the name of the entity for which the web server software manufacturer obtained United States Government export approval and (b) the unique control number associated with such entry on the list. VeriSign shall obtain such list (as an authenticated record communicated in a confidential manner) from the web server software manufacturer. VeriSign shall require the certificate applicant to include the server's associated control number in the certificate application. VeriSign shall confirm that the certificate applicant's name appears on the list supplied by the web server manufacturer and that the control number supplied by the certificate applicant matches the control number corresponding to the certificate applicant's name on the list.
Upon successful performance of all required validations of a Class 1 or 3 certificate application (in accordance with CPS Section 5.1), the applicable IA shall approve the application. Approval is demonstrated by issuing a normal certificate according to CPS Section 6 (Issuance of Certificates).
Upon successful performance of all required IA-internal validations of a Class 2 certificate application (in accordance with CPS Section 5.1), the applicable IA shall provisionally approve the certificate application. Such approval is demonstrated by that IA issuing a provisional certificate according to CPS Section 6.2 (Provisional Certificates).
If a validation fails, the applicable IA shall reject the certificate application by promptly notifying the certificate applicant of the validation failure and providing the reason code (except where prohibited by law) for such failure. Where such validation failure is caused as a result of third-party database information, the applicable IA shall provide the certificate applicant with the third-party database company's contact information for inquiry and dispute resolution. Such notice shall be communicated to the certificate applicant using the same method as was used to communicate the certificate application to the IA (or LRA). A person whose certificate application has been rejected may thereafter reapply.