Changes


CA/Required or Recommended Practices

291 bytes added, 17:55, 26 August 2010
=== Verifying Identity of Code Signing Certificate Subscriber ===
Section 7 of the [http://www.mozilla.org/projects/security/certs/policy Mozilla CA Certificate Policy] states: “for certificates to be used for digitally signing code objects, the CA takes reasonable measures to verify that the entity submitting the certificate signing request is the same entity referenced in the certificate or has been authorized by the entity referenced in the certificate to act on that entity's behalf;”
Previous revision:

The CA public documentation needs to provide sufficient information describing how it is verified that the entity submitting the certificate signing request is the same entity referenced in the certificate, or has been authorized by the entity referenced in the certificate. The documentation needs to be clear about the checks that are performed to confirm the identity of the certificate subscriber as well as establish that the certificate subscriber is authorized by the organization to be referenced in the certificate.

There are various ways to confirm the certificate subscriber's identity (and we don't dictate exactly how this should be done for non-EV certificates). However the documentation must be clear about how the identity and organization validation are tied together so that there is reasonable assurance. Additionally, it is important that sufficient verification procedures are in place such that someone cannot submit forged or stolen documents and receive a certificate in his name (or that of a company).

If public resources are used, then there should be a description of the types of public resources that are used, what data is retrieved from public resources, and how that data is used for verification of the entity referenced in the certificate.

Verification procedures often include contacting the organization through an independent means to confirm that the certificate subscriber is authorized by the organization to request the certificate. If this is the case, then it should be documented. The documentation should include information such as how the company's contact information is obtained, the method for contacting the organization, who is contacted at the organization, and what information they confirm. Note that if the CA issues certificates outside its national area, documentation will need to establish the same minimum standard outside borders.

Revision as of 17:55, 26 August 2010:

There are various ways to confirm the certificate subscriber's identity and we don't dictate exactly how this should be done for non-EV certificates. However we must be clear that a minimum standard has been reached:
# The identity and organization validation are tied together so that there is reasonable assurance;
# Sufficient verification procedures are in place such that someone cannot submit forged or stolen documents and receive a certificate in his name (or that of a company).

The CA's public (and audited) documentation must provide sufficient information describing the process to permit us to form an opinion. The documentation needs to provide sufficient information describing how it is verified that the entity submitting the certificate signing request is the same entity referenced in the certificate, or has been authorized by the entity referenced in the certificate. The documentation needs to be clear about the checks that are performed to confirm the identity of the certificate subscriber as well as establish that the certificate subscriber is authorized by the organization to be referenced in the certificate.

If public resources are used, then there should be a description of the types of public resources that are used, what data is retrieved from public resources, and how that data is used for verification of the entity referenced in the certificate.

Verification procedures often include contacting the organization through an independent means to confirm that the certificate subscriber is authorized by the organization to request the certificate. If this is the case, then it should be stated. The documentation should include information such as how the company's contact information is obtained, the method for contacting the organization, the typical title/position of the person contacted at the organization, and what information they confirm. Note that if the CA issues certificates outside its national area, documentation will need to establish the same minimum standard outside borders.
=== DNS names go in SAN ===