CA/Required or Recommended Practices

Revision of 22:54, 23 August 2010 (minor edit, no change in size)
Verifying Identity of Code Signing Certificate Subscriber
Section 7 of the [http://www.mozilla.org/projects/security/certs/policy Mozilla CA Certificate Policy] states: “for certificates to be used for digitally signing code objects, the CA takes reasonable measures to verify that the entity submitting the certificate signing request is the same entity referenced in the certificate or has been authorized by the entity referenced in the certificate to act on that entity's behalf; ”
The CA's public documentation needs to describe, in sufficient detail, how it is verified that the entity submitting the certificate signing request is the same entity referenced in the certificate, or has been authorized by the entity referenced in the certificate. The documentation needs to be clear about two distinct checks: those performed to confirm the identity of the certificate subscriber, and those performed to establish that the certificate subscriber is authorized by the organization to be referenced in the certificate.
There are various ways to confirm the certificate subscriber's identity, and we don't dictate exactly how this should be done for non-EV certificates. However, the documentation must be clear about how the identity validation and the organization validation are tied together, so that there is reasonable assurance that the person requesting the certificate actually represents the organization named in it. Additionally, it is important that sufficient verification procedures are in place so that someone cannot submit forged or stolen documents and receive a certificate in their own name (or in the name of a company).