Confirm, administrator
5,526
edits
Changes
m
It is important that sufficient verification procedures are in place such that someone cannot submit forged or stolen documents and receive a certificate in his name (or that of a company). There are various ways confirming ones identity and we don't dictate exactly how this should be done for non-EV certificates. However there the documentation must be a clear path about how the identity and organization validation are tied together so that there is reasonable assurance. It is important that sufficient verification procedures are in place such that someone cannot submit forged or stolen documents and receive a certificate in his name (or that of a company).
→Verifying Identity of Code Signing Certificate Subscriber
The CA's public documentation needs to provide sufficient information describing how it is verified that the entity submitting the certificate signing request is the same entity referenced in the certificate, or has been authorized be the entity referenced in the certificate.
If public resources are used, then there should be a description of the public resources that are used, what data is retrieved from public resources, and how that data is used for verification of the entity referenced in the certificate.
