
CA/Required or Recommended Practices

265 bytes removed, 17:58, 26 August 2010
m
Verifying Identity of Code Signing Certificate Subscriber
# Sufficient verification procedures are in place such that someone cannot submit forged or stolen documents and receive a certificate in his name (or that of a company).
The CA's public (and audited) documentation must provide sufficient information describing the process to permit us to form an opinion. It needs to describe how it is verified that the entity submitting the certificate signing request is the same entity referenced in the certificate, or has been authorized by the entity referenced in the certificate. The documentation needs to be clear about the checks that are performed to confirm the identity of the certificate subscriber, as well as to establish that the certificate subscriber is authorized by the organization to be referenced in the certificate.
If public resources are used, then there should be a description of the types of public resources that are used, what data is retrieved from public resources, and how that data is used for verification of the entity referenced in the certificate.