There are various ways to confirm the certificate subscriber's identity and we don't dictate exactly how this should be done for non-EV certificates. However we must be clear that a minimum standard has been reached:
# The organizational information to be included in the cert had been verified.
# The identity of the individual (the person requesting the certificate) has been verified.
# If the request is on behalf of an organization, then the authority of the individual to make that request has been verified.
# The identity and organization validation are tied together so that there is reasonable assurance;
# Sufficient verification procedures are in place such that someone cannot submit forged or stolen documents and receive a certificate in his name (or that of a company).