CA/Required or Recommended Practices

9 bytes added, 22:56, 23 August 2010
Verifying Identity of Code Signing Certificate Subscriber
There are various ways to confirm the certificate subscriber's identity, and we don't dictate exactly how this should be done for non-EV certificates. However, the documentation must be clear about how the identity validation and the organization validation are tied together, so that there is reasonable assurance. Additionally, it is important that sufficient verification procedures are in place so that someone cannot submit forged or stolen documents and receive a certificate in his name (or that of a company).
If public resources are used, then there should be a description of the types of public resources that are used, what data is retrieved from public resources, and how that data is used for verification of the entity referenced in the certificate.
The verification procedures often include contacting the organization through an independent means to confirm that the certificate subscriber is authorized by the organization to request the certificate. If this is the case, then it should be documented. The documentation should include information such as how the company's contact information is obtained, the method for contacting the organization, who is contacted at the organization, and what information they