Minimum Security Requirements for Issuance of Verified ...

VerifiedMarkCertificateRequirementsv1.4 1

MinimumSecurityRequirementsforIssuance

ofVerifiedMarkCertificatesVersion1.4

Version1.4March31,2022


TABLEOFCONTENTS1. INTRODUCTION ..................................................................................................................................... 7

1.1. Overview ........................................................................................................................................ 7 1.2. Document name and Identification ................................................................................................ 7

1.2.1. Revisions ............................................................................................................................. 8 1.2.2. Verified Mark Certificate OIDs ............................................................................................. 8

1.3. PKI Participants ............................................................................................................................. 8 1.3.1. Certification Authorities ........................................................................................................ 8 1.3.2. Registration Authorities ........................................................................................................ 8 1.3.3. Subscribers .......................................................................................................................... 9 1.3.4. Relying Parties ..................................................................................................................... 9 1.3.5. Other Participants ................................................................................................................ 9

1.4. Certificate Usage ........................................................................................................................... 9 1.4.1. Appropriate Certificate Uses ................................................................................................ 9 1.4.2. Prohibited Certificate Uses .................................................................................................. 9

1.5. Policy administration ...................................................................................................................... 9 1.5.1. Organization Administering the Document .......................................................................... 9 1.5.2. Contact Person .................................................................................................................... 9 1.5.3. Person Determining CPS suitability for the policy ............................................................... 9 1.5.4. CPS approval procedures .................................................................................................. 10

1.6. Definitions and acronyms ............................................................................................................ 10 1.6.1. Definitions .......................................................................................................................... 10 1.6.2. Acronyms ........................................................................................................................... 20 1.6.3. References ......................................................................................................................... 21 1.6.4. Conventions ....................................................................................................................... 22

2. PUBLICATION AND REPOSITORY RESPONSIBILITIES ................................................................... 22 2.1. Repositories ................................................................................................................................. 22 2.2. Publication of information ............................................................................................................ 22 2.3. Time or frequency of publication ................................................................................................. 23 2.4. Access controls on repositories ................................................................................................... 23

3. IDENTIFICATION AND AUTHENTICATION ........................................................................................ 23 3.1. Naming ........................................................................................................................................ 23

3.1.1. Types of names ................................................................................................................. 23 3.1.2. Need for names to be meaningful ...................................................................................... 23 3.1.3. Anonymity or pseudonymity of subscribers ....................................................................... 23 3.1.4. Rules for interpreting various name forms ......................................................................... 23 3.1.5. Uniqueness of names ........................................................................................................ 23 3.1.6. Recognition, authentication, and role of trademarks ......................................................... 23

3.2. Initial identity validation ............................................................................................................... 23 3.2.1. Method to Prove Possession of Private Key ...................................................................... 23 3.2.2. Authentication of Organization and Domain Identity .......................................................... 23 3.2.3. Verification Requirements – Overview ............................................................................... 24 3.2.4. Acceptable Methods of Verification – Overview ................................................................ 25 3.2.5. Verification of Applicant’s Legal Existence and Identity ..................................................... 25 3.2.6. Verification of Applicant’s Legal Existence and Identity – Assumed Name ....................... 28 3.2.7. Verification of Applicant’s Physical Existence .................................................................... 28 3.2.8. Verified Method of Communication .................................................................................... 29 3.2.9. Verification of Applicant’s Operational Existence .............................................................. 29 3.2.10. Verification of Identity and Authority of Contract Signer and Certificate Approver ............ 30 3.2.11. Verification of Signature on Subscriber Agreement and Verified Mark Certificate Requests32 3.2.12. Verification of Approval of Verified Mark Certificate Request ............................................ 33 3.2.13. Verification of Certain Information Sources ....................................................................... 33 3.2.14. Validation of Domain Authorization or Control ................................................................. 37 3.2.15. CAA Records for Verified Mark Certificates ....................................................................... 41 3.2.16. Registered Mark Verification .............................................................................................. 42 3.2.17. Other Verification Requirements ........................................................................................ 44 3.2.18. Final Cross-Correlation and Due Diligence ....................................................................... 45 3.2.19. Criteria for Interoperation or Certification ........................................................................... 46

3.3. Identification and authentication for re-key requests ................................................................... 46 3.3.1. Identification and Authentication for Routine Re-key ......................................................... 46


3.3.2. Identification and Authentication for Re-key After Revocation ........................................... 46 3.4. Identification and authentication for revocation request .............................................................. 46

4. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS ........................................................ 46 4.1. Certificate Application .................................................................................................................. 46

4.1.1. Who Can Submit a Certificate Application ......................................................................... 46 4.1.2. Enrollment Process and Responsibilities ........................................................................... 46

4.2. Certificate application processing ................................................................................................ 47 4.2.1. Performing Identification and Authentication Functions ..................................................... 47 4.2.2. Approval or Rejection of Certificate Applications ............................................................... 47 4.2.3. Time to Process Certificate Applications ........................................................................... 47

4.3. Certificate issuance ..................................................................................................................... 47 4.3.1. CA Actions during Certificate Issuance ............................................................................. 47 4.3.2. Notification of Certificate Issuance .................................................................................... 48

4.4. Certificate acceptance ................................................................................................................. 48 4.4.1. Conduct constituting certificate acceptance ...................................................................... 48 4.4.2. Publication of the certificate by the CA .............................................................................. 48 4.4.3. Notification of certificate issuance by the CA to other entities ........................................... 48

4.5. Key pair and certificate usage ..................................................................................................... 48 4.5.1. Subscriber private key and certificate usage ..................................................................... 48 4.5.2. Relying party public key and certificate usage ................................................................... 48

4.6. Certificate renewal ....................................................................................................................... 48 4.6.1. Circumstance for certificate renewal .................................................................................. 48 4.6.2. Who may request renewal ................................................................................................. 48 4.6.3. Processing certificate renewal requests ............................................................................ 48 4.6.4. Notification of new certificate issuance to subscriber ........................................................ 48 4.6.5. Conduct constituting acceptance of a renewal certificate .................................................. 48 4.6.6. Publication of the renewal certificate by the CA ................................................................ 49 4.6.7. Notification of certificate issuance by the CA to other entities ........................................... 49

4.7. Certificate re-key ......................................................................................................................... 49 4.7.1. Circumstance for certificate re-key .................................................................................... 49 4.7.2. Who may request certification of a new public key ............................................................ 49 4.7.3. Processing certificate re-keying requests .......................................................................... 49 4.7.4. Notification of new certificate issuance to subscriber ........................................................ 49 4.7.5. Conduct constituting acceptance of a re-keyed certificate ................................................ 49 4.7.6. Publication of the re-keyed certificate by the CA ............................................................... 49 4.7.7. Notification of certificate issuance by the CA to other entities ........................................... 49

4.8. Certificate modification ................................................................................................................ 49 4.8.1. Circumstance for certificate modification ........................................................................... 49 4.8.2. Who may request certificate modification .......................................................................... 49 4.8.3. Processing certificate modification requests ...................................................................... 49 4.8.4. Notification of new certificate issuance to subscriber ........................................................ 49 4.8.5. Conduct constituting acceptance of modified certificate .................................................... 50 4.8.6. Publication of the modified certificate by the CA ............................................................... 50 4.8.7. Notification of certificate issuance by the CA to other entities ........................................... 50

4.9. Certificate revocation and suspension ........................................................................................ 50 4.9.1. Circumstances for Revocation ........................................................................................... 50 4.9.2. Who Can Request Revocation .......................................................................................... 51 4.9.3. Procedure for Revocation Request .................................................................................... 51 4.9.4. Revocation Request Grace Period .................................................................................... 51 4.9.5. Time within which CA Must Process the Revocation Request .......................................... 51 4.9.6. Revocation Checking Requirement for Relying Parties ..................................................... 51 4.9.7. CRL Issuance Frequency .................................................................................................. 51 4.9.8. Maximum Latency for CRLs ............................................................................................... 52 4.9.9. On-line Revocation/Status Checking Availability ............................................................... 52 4.9.10. On-line Revocation Checking Requirements ..................................................................... 52 4.9.11. Other Forms of Revocation Advertisements Available ...................................................... 52 4.9.12. Special Requirements Related to Key Compromise .......................................................... 52 4.9.13. Circumstances for Suspension .......................................................................................... 53 4.9.14. Who Can Request Suspension .......................................................................................... 53 4.9.15. Procedure for Suspension Request ................................................................................... 53 4.9.16. Limits on Suspension Period ............................................................................................. 53

4.10. Certificate status services ............................................................................................................ 53


4.10.1. Operational Characteristics ................................................................................................ 53 4.10.2. Service Availability ............................................................................................................. 53 4.10.3. Optional Features .............................................................................................................. 53

4.11. End of subscription ...................................................................................................................... 53 4.12. Key escrow and recovery ............................................................................................................ 53

4.12.1. Key escrow and recovery policy and practices .................................................................. 53 4.12.2. Session key encapsulation and recovery policy and practices .......................................... 53

5. MANAGEMENT, OPERTIONAL, and Physical CONTROLS ................................................................ 54 5.1. Physical security Controls ........................................................................................................... 54

5.1.1. Site location and construction ............................................................................................ 54 5.1.2. Physical access ................................................................................................................. 54 5.1.3. Power and air conditioning ................................................................................................ 55 5.1.4. Water exposures ................................................................................................................ 55 5.1.5. Fire prevention and protection ........................................................................................... 55 5.1.6. Media storage .................................................................................................................... 55 5.1.7. Waste disposal ................................................................................................................... 55 5.1.8. Off-site backup ................................................................................................................... 55

5.2. Procedural controls ...................................................................................................................... 55 5.2.1. Trusted Roles ..................................................................................................................... 55 5.2.2. Number of Individuals Required per Task ......................................................................... 55 5.2.3. Identification and Authentication for Trusted Roles ........................................................... 55 5.2.4. Roles Requiring Separation of Duties ................................................................................ 55

5.3. Personnel controls ....................................................................................................................... 55 5.3.1. Qualifications, Experience, and Clearance Requirements ................................................ 55 5.3.2. Background Check Procedures ......................................................................................... 55 5.3.3. Training Requirements and Procedures ............................................................................ 55 5.3.4. Retraining Frequency and Requirements .......................................................................... 56 5.3.5. Job Rotation Frequency and Sequence ............................................................................ 56 5.3.6. Sanctions for Unauthorized Actions ................................................................................... 56 5.3.7. Independent Contractor Controls ....................................................................................... 56 5.3.8. Documentation Supplied to Personnel .............................................................................. 56

5.4. Audit logging procedures ............................................................................................................. 56 5.4.1. Types of Events Recorded ................................................................................................ 56 5.4.2. Frequency for Processing and Archiving Audit Logs ......................................................... 57 5.4.3. Retention Period for Audit Logs ......................................................................................... 57 5.4.4. Protection of Audit Log ...................................................................................................... 57 5.4.5. Audit Log Backup Procedures ........................................................................................... 57 5.4.6. Audit Log Accumulation System (internal vs. external) ..................................................... 57 5.4.7. Notification to Event-Causing Subject ............................................................................... 57 5.4.8. Vulnerability Assessments ................................................................................................. 57

5.5. Records archival .......................................................................................................................... 58 5.5.1. Types of Records Archived ................................................................................................ 58 5.5.2. Retention Period for Archive .............................................................................................. 58 5.5.3. Protection of Archive .......................................................................................................... 58 5.5.4. Archive Backup Procedures .............................................................................................. 58 5.5.5. Requirements for Time-stamping of Records .................................................................... 58 5.5.6. Archive Collection System (internal or external) ................................................................ 58 5.5.7. Procedures to Obtain and Verify Archive Information ........................................................ 58

5.6. Key changeover .......................................................................................................................... 58 5.7. Compromise and disaster recovery ............................................................................................. 58

5.7.1. Incident and Compromise Handling Procedures ............................................................... 58 5.7.2. Recovery Procedures if Computing Resources, Software, and/or Data Are Corrupted .... 59 5.7.3. Recovery Procedures After Key Compromise ................................................................... 59 5.7.4. Business Continuity Capabilities after a Disaster .............................................................. 59

5.8. CA or RA termination ................................................................................................................... 59 6. TECHNICAL SECURITY CONTROLS .................................................................................................. 59

6.1. Key pair generation and installation ............................................................................................ 59 6.1.1. Key Pair Generation........................................................................................................... 59 6.1.2. Private Key Delivery to Subscriber .................................................................................... 60 6.1.3. Public Key Delivery to Certificate Issuer ............................................................................ 60 6.1.4. CA Public Key Delivery to Relying Parties ......................................................................... 60 6.1.5. Algorithm type and key sizes ............................................................................................. 60


6.1.6. Public Key Parameters Generation and Quality Checking ................................................ 61 6.1.7. Key Usage Purposes ......................................................................................................... 61

6.2. Private Key Protection and Cryptographic Module Engineering Controls ................................... 61 6.2.1. Cryptographic Module Standards and Controls ................................................................. 61 6.2.2. Private Key (n out of m) Multi-person Control .................................................................... 61 6.2.3. Private Key Escrow ............................................................................................................ 61 6.2.4. Private Key Backup ............................................................................................................ 61 6.2.5. Private Key Archival ........................................................................................................... 62 6.2.6. Private Key Transfer into or from a Cryptographic Module ................................................ 62 6.2.7. Private Key Storage on Cryptographic Module .................................................................. 62 6.2.8. Activating Private Keys ...................................................................................................... 62 6.2.9. Deactivating Private Keys .................................................................................................. 62 6.2.10. Destroying Private Keys ..................................................................................................... 62 6.2.11. Cryptographic Module Capabilities .................................................................................... 62

6.3. Other aspects of key pair management ...................................................................................... 62 6.3.1. Public Key Archival ............................................................................................................ 62 6.3.2. Certificate Operational Periods and Key Pair Usage Periods ............................................ 62

6.4. Activation data ............................................................................................................................. 62 6.4.1. Activation data generation and installation ........................................................................ 62 6.4.2. Activation data protection .................................................................................................. 62 6.4.3. Other aspects of activation data ........................................................................................ 63

6.5. Computer security controls .......................................................................................................... 63 6.5.1. Specific Computer Security Technical Requirements ........................................................ 63 6.5.2. Computer Security Rating .................................................................................................. 63

6.6. Life cycle technical controls ......................................................................................................... 63 6.6.1. System development controls ............................................................................................ 63 6.6.2. Security management controls .......................................................................................... 63 6.6.3. Life cycle security controls ................................................................................................. 63

6.7. Network security controls ............................................................................................................ 63 6.8. Time-stamping ............................................................................................................................. 63

7. CERTIFICATE, CRL, AND OCSP PROFILES ...................................................................................... 63 7.1. Certificate profile .......................................................................................................................... 63

7.1.1. Version Number(s) ............................................................................................................. 64 7.1.2. Certificate Content and Extensions; Application of RFC 5280 .......................................... 64 7.1.3. Algorithm Object Identifiers ................................................................................................ 67 7.1.4. Name Forms ...................................................................................................................... 67 7.1.5. Name Constraints .............................................................................................................. 73 7.1.6. Certificate Policy Object Identifier ...................................................................................... 73 7.1.7. Usage of Policy Constraints Extension .............................................................................. 73 7.1.8. Policy Qualifiers Syntax and Semantics ............................................................................ 73 7.1.9. Processing Semantics for the Critical Certificate Policies Extension ................................. 73

7.2. CRL profile ................................................................................................................................... 73 7.2.1. Version number(s) ............................................................................................................. 73 7.2.2. CRL and CRL entry extensions ......................................................................................... 73

7.3. OCSP profile ................................................................................................................................ 73 7.3.1. Version number(s) ............................................................................................................. 73 7.3.2. OCSP extensions ............................................................................................................... 73

8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS ........................................................................ 73 8.1. Frequency or circumstances of assessment ............................................................................... 74 8.2. Identity/qualifications of assessor ................................................................................................ 74 8.3. Assessor's relationship to assessed entity .................................................................................. 74 8.4. Topics covered by assessment ................................................................................................... 74 8.5. Actions taken as a result of deficiency ........................................................................................ 74 8.6. Communication of results ............................................................................................................ 74 8.7. Self-Audits ................................................................................................................................... 75

9. OTHER BUSINESS AND LEGAL MATTERS ....................................................................................... 75 9.1. Fees ............................................................................................................................................. 75

9.1.1. Certificate issuance or renewal fees .................................................................................. 75 9.1.2. Certificate access fees ....................................................................................................... 75 9.1.3. Revocation or status information access fees ................................................................... 75 9.1.4. Fees for other services ...................................................................................................... 75 9.1.5. Refund policy ..................................................................................................................... 75


9.2. Financial responsibility ................................................................................................................ 75 9.2.1. Insurance coverage ........................................................................................................... 75 9.2.2. Other assets ....................................................................................................................... 75 9.2.3. Insurance or warranty coverage for end-entities ............................................................... 75

9.3. Confidentiality of business information ........................................................................................ 75 9.3.1. Scope of confidential information ....................................................................................... 75 9.3.2. Information not within the scope of confidential information .............................................. 75 9.3.3. Responsibility to protect confidential information ............................................................... 76

9.4. Privacy of personal information ................................................................................................... 76 9.4.1. Privacy plan ....................................................................................................................... 76 9.4.2. Information treated as private ............................................................................................ 76 9.4.3. Information not deemed private ......................................................................................... 76 9.4.4. Responsibility to protect private information ...................................................................... 76 9.4.5. Notice and consent to use private information ................................................................... 76 9.4.6. Disclosure pursuant to judicial or administrative process .................................................. 76 9.4.7. Other information disclosure circumstances ...................................................................... 76

9.5. Intellectual property rights ........................................................................................................... 76 9.6. Representations and warranties .................................................................................................. 76

9.6.1. CA Representations and Warranties ................................................................................. 76 9.6.2. RA Representations and Warranties ................................................................................. 77 9.6.3. Subscriber Representations and Warranties ..................................................................... 77 9.6.4. Relying Party Representations and Warranties ................................................................. 78 9.6.5. Representations and Warranties of Other Participants ..................................................... 78

9.7. Disclaimers of warranties ............................................................................................................ 78 9.8. Limitations of liability .................................................................................................................... 78 9.9. Indemnities .................................................................................................................................. 78

9.9.1. Indemnification by CAs ...................................................................................................... 78 9.9.2. Indemnification by Subscribers .......................................................................................... 79 9.9.3. Indemnification by Relying Parties ..................................................................................... 79

9.10. Term and termination .................................................................................................................. 79 9.10.1. Term ................................................................................................................................... 79 9.10.2. Termination ........................................................................................................................ 79 9.10.3. Effect of termination and survival ....................................................................................... 79

9.11. Individual notices and communications with participants ............................................................ 79 9.12. Amendments ............................................................................................................................... 79

9.12.1. Procedure for amendment ................................................................................................. 79 9.12.2. Notification mechanism and period .................................................................................... 79 9.12.3. Circumstances under which OID must be changed ........................................................... 79

9.13. Dispute resolution provisions ...................................................................................................... 79 9.14. Governing law .............................................................................................................................. 79 9.15. Compliance with applicable law .................................................................................................. 79 9.16. Miscellaneous provisions ............................................................................................................ 79

9.16.1. Entire Agreement ............................................................................................................... 79 9.16.2. Assignment ........................................................................................................................ 80 9.16.3. Severability ........................................................................................................................ 80 9.16.4. Enforcement (attorneys' fees and waiver of rights) ............................................................ 80 9.16.5. Force Majeure .................................................................................................................... 80

9.17. Other provisions .......................................................................................................................... 80 APPENDIX A – DNS Contact Properties ................................................................................................... 81 APPENDIX B – Mapping of Combined, Design, and Word Mark Terminology to Terminology of Authorized Trademark Offices 83 APPENDIX C – Authorized Trademark Offices for VMCs ......................................................................... 86 APPENDIX D - VMC Terms of Use (“VMC Terms”) .................................................................................. 87 APPENDIX E - Optional Rules for Matching Mark Representation Submitted by Subscriber with Registered Mark Verified by CA ............................................................................................................................................ 89 APPENDIX F - CT Logs Approved by Authindicators Working Group ...................................................... 90 APPENDIX G – Additional F2F Verification Requirements ....................................................................... 91 APPENDIX H - Country-Specific Interpretative Guidelines (Normative) .................................................... 95 APPENDIX I – Abstract Syntax Notation One module for EV certificates ................................................. 97 APPENDIX J – Registration Schemes ....................................................................................................... 98


1. INTRODUCTION

1.1. OVERVIEW

Thisdocumentdescribesanintegratedsetoftechnologies,protocols,andidentityandmarkproofingrequirementsthatarenecessaryfortheissuanceandmanagementofVerifiedMarkCertificates(VMCs)-certificatesthataretrustedbyConsumingEntities.Uponadoption,theyaremandatoryforCertificationAuthoritieswhoissueorplantoissueVerifiedMarkCertificates.VMCsassertacryptographicallyverifiableandauditablebindingbetweenanidentity,alogo,andadomain.ThekeypairofanendentityVMCisunused,andtherearenorequirementsaroundthegeneration,storage,andprotectionofsuchkeypairs.Inparticular,CertificationAuthoritiesMAYgeneratesuchkeypairsonbehalfoftheircustomers,andVMCsneednotberevokediftheunusedkeypairiscompromised.VMCspresentConsumingEntitiesandRelyingPartieswithinformationaboutandmarksassertedbytheMarkAssertingEntity,someofwhichisgatheredfromlegaldocumentsandgovernmentregistries(includingtrademarkregistries).WhenMarkVerifyingAuthoritiesverifymarkspresentedbyaMarkAssertingEntityforinclusioninaVMC,orwhenMarkVerifyingAuthoritiespresentVMCsandtheinformationormarkstheycontaintoConsumingEntities,orwhenConsumingEntitiespresentVMCsandtheinformationormarkstheycontaintoRelyingParties,theyarenotprovidinglegaladvicetoanyparty.InadoptingtheseVerifiedMarkCertificateRequirements(VMCR),theAuthindicatorsWorkingGroupisnotprovidinglegaladvicetoanyparty.Allparties(MarkAssertingEntities,MarkVerifyingAuthorities,ConsumingEntitiesandRelyingParties)areadvisedtoconsulttheirownlegalcounselonallmatters.MarkVerifyingAuthoritieshavenolegalobligationtoissueVMCstoanyMarkAssertingEntity.ConsumingEntitieshavenolegalobligationtouseordisplayVMCsortheinformationormarkstheycontaintoanyRelyingParty,andmaychooseattheirsolediscretionnottouseordisplayVMCs(orgroupsorcategoriesofVMCs)ortheinformationormarkstheycontaintoRelyingPartiesortoanysubsetofRelyingPartiestheymaychoose.VerifiedMarkCertificatesmaybeissuedwithrespecttomarksaccreditedbylegislation(suchasRegisteredMarksthatareingoodstandingwithaTrademarkOffice)andwhichareownedbyorlicensedtotheApplicant.CAsmayissueVerifiedMarkCertificatesprovidedthattheCAsatisfiestherequirementsinthisdocument.AllSubscribers/MarkAssertingEntities,ConsumingEntities,andRelyingPartiesareboundbytheVMCTermsattachedasAppendixDaccordingtotheirterms.CAswhoissueVerifiedMarkCertificatesSHALLincludetheVMCTermsintheirapplicableCertificationPracticeStatement.RelevantsectionsoftheseVMCRshavebeensynchronizedwiththefollowingversionsoftheCA/BrowserForumstandards:

• BaselineRequirementsfortheIssuanceandManagementofPublicly-TrustedCertificatesv1.7.0• GuidelinesForTheIssuanceAndManagementOfExtendedValidationCertificatesv1.7.2

ThisdocumentmaybesynchronizedfromtimetotimewithfutureversionsoftheCA/BrowserForumdocumentsatthesolediscretionoftheAuthindicatorsWorkingGroup.However,thisdocumentisindependentofanyactionsoftheCA/BrowserForumorofitsdocuments.

1.2. DOCUMENTNAMEANDIDENTIFICATION

ThisdocumentSHALLbeknownastheVerifiedMarkCertificateRequirements(or“VMCRequirements”orsimply“VMCR”).TheseVMCRequirementsSHALLtakeeffectuponpublicadoptionbyoneormore


CertificationAuthorities(CAs)thatofferVerifiedMarkCertificatestoSubscribersandbyoneormoreConsumingEntitiesthatrecognizeandutilizetheVerifiedMarkCertificates.

1.2.1. RevisionsVersion Adopted Effective0.97 12-19-2019 12-19-20190.984 06-24-2019 06-24-20190.985 05-26-2020 05-26-20200.986 02-05-2021 02-05-20211.0 07-09-2021 07-09-20211.1 09-10-2021 09-10-20211.2 11-28-2021 11-28-20211.3 01-31-2022 01-31-20221.4 03-31-2022 03-XX-2022

1.2.2. VerifiedMarkCertificateOIDsCertificatesadheringtotheseVMCRequirementsSHALLbeidentifiedbythepresenceoftheVMCpolicyOIDintheCertificatePoliciesExtensionasdescribedinsection7.1.6.

1.3. PKIPARTICIPANTS

TheAuthindicatorsWorkingGroupisavoluntaryorganizationthatmaintainstheseVMCRequirements.Thesewillbepublishedatwww.bimigroup.org.

1.3.1. CertificationAuthoritiesCertificationAuthority(CA),alsoknownasMarkVerifyingAuthority,isdefinedinSection1.6.1.

1.3.2. RegistrationAuthoritiesWiththeexceptionofsection3.2.14,theCAMAYdelegatetheperformanceofall,oranypart,ofSection3.2requirementstoaDelegatedThirdParty,providedthattheprocessasawholefulfillsalloftherequirementsofSection3.2.BeforetheCAauthorizesaDelegatedThirdPartytoperformadelegatedfunction,theCASHALLcontractuallyrequiretheDelegatedThirdPartyto:(1)MeetthequalificationrequirementsofSection5.3.1,whenapplicabletothedelegatedfunction;(2)RetaindocumentationinaccordancewithSection5.5.2;(3)AbidebytheotherprovisionsoftheseRequirementsthatareapplicabletothedelegatedfunction;and(4)Complywith(a)theCA’sCertificatePolicy/CertificationPracticeStatementor(b)theDelegatedThirdParty’spracticestatementthattheCAhasverifiedcomplieswiththeseRequirements.TheCAMAYdesignateanEnterpriseRAtoverifycertificaterequestsfromtheEnterpriseRA’sownorganization.TheCASHALLNOTacceptcertificaterequestsauthorizedbyanEnterpriseRAunlessthefollowingrequirementsaresatisfied:1.TheCASHALLconfirmthattherequestedFully-QualifiedDomainName(s)arewithintheEnterpriseRA’sverifiedDomainNamespace.2.IfthecertificaterequestincludesaSubjectnameofatypeotherthanaFully-QualifiedDomainName,theCASHALLconfirmthatthenameiseitherthatofthedelegatedenterprise,oranAffiliateofthedelegatedenterprise,orthatthedelegatedenterpriseisanagentofthenamedSubject.Forexample,theCASHALLNOT


issueaCertificatecontainingtheSubjectname“XYZCo.”ontheauthorityofEnterpriseRA“ABCCo.”,unlessthetwocompaniesareaffiliated(seeSection3.2)or“ABCCo.”istheagentof“XYZCo”.ThisrequirementappliesregardlessofwhethertheaccompanyingrequestedSubjectFQDNfallswithintheDomainNamespaceofABCCo.’sRegisteredDomainName.TheCASHALLimposetheselimitationsasacontractualrequirementontheEnterpriseRAandmonitorcompliancebytheEnterpriseRA.

1.3.3. SubscribersSubscribersmayalsobeknownasMarkAssertingEntities.BothareasdefinedinSection1.6.1.

1.3.4. RelyingParties“RelyingParty”and“ApplicationSoftwareSupplier”and“ConsumingEntities”aredefinedinSection1.6.1.

1.3.5. OtherParticipantsOthergroupsthathaveparticipatedinthedevelopmentoftheseRequirementsincludetheCPACanadaWebTrustforCertificationAuthoritiestaskforce.ParticipationbyCPACanadadoesnotimplyitsendorsement,recommendation,orapprovalofthefinalproduct.

1.4. CERTIFICATEUSAGE

1.4.1. AppropriateCertificateUsesTheprimarygoaloftheseRequirementsistoenableefficientandsecureelectroniccommunication,whileaddressinguserconcernsaboutthetrustworthinessofCertificatesandVerifiedMarks.TheseRequirementsalsoservetoinformusersandhelpthemtomakeinformeddecisionswhenrelyingonCertificatesandVerifiedMarks.

1.4.2. ProhibitedCertificateUsesNoStipulation.

1.5. POLICYADMINISTRATION

TheVerifiedMarkCertificateRequirementspresentcriteriaestablishedbytheAuthindicatorsWorkingGroupforusebyCertificationAuthoritieswhenissuing,maintaining,andrevokingVerifiedMarkCertificates.Thisdocumentmayberevisedfromtimetotime,asappropriate,inaccordancewithproceduresadoptedbytheAuthindicatorsWorkingGroup.Becauseoneoftheprimarybeneficiariesofthisdocumentistheenduser,theAuthindicatorsWorkingGroupopenlyinvitesanyonetomakerecommendationsandsuggestionsbyemailtohttps://bimigroup.org/contact-us/.AuthindicatorsWorkingGroupmembersvalueallinput,regardlessofsource,andwillseriouslyconsiderallsuchinput.

1.5.1. OrganizationAdministeringtheDocumentAuthindicatorsWorkingGrouphttps://bimigroup.org/.

1.5.2. ContactPersonContactinformationforAuthindicatorsWorkingGroupisavailablehere:https://bimigroup.org/contact-us/InthissectionofaCA’sCertificationPracticeStatement(CPS),theCASHALLprovidealinktoawebpageoranemailaddressforcontactingthepersonorpersonsresponsibleforoperationoftheCA.

1.5.3. PersonDeterminingCPSsuitabilityforthepolicy


Nostipulation.

1.5.4. CPSapprovalproceduresNostipulation.

1.6. DEFINITIONSANDACRONYMS

1.6.1. DefinitionsAccountingPractitioner:Acertifiedpublicaccountant,charteredaccountant,orapersonwithanequivalentlicensewithinthecountryoftheApplicant’sJurisdictionofIncorporationorRegistrationoranyjurisdictionwheretheApplicantmaintainsanofficeorphysicalfacility;providedthatanaccountingstandardsbodyinthejurisdictionmaintainsfull(not“suspended”or“associate”)membershipstatuswiththeInternationalFederationofAccountants.Affiliate:Acorporation,partnership,jointventureorotherentitycontrolling,controlledby,orundercommoncontrolwithanotherentity,oranagency,department,politicalsubdivision,oranyentityoperatingunderthedirectcontrolofaGovernmentEntity.Applicant:Aperson,entity,ororganizationapplyingforaVerifiedMarkCertificate,butwhichhasnotyetbeenissuedaVerifiedMarkCertificate,oraperson,entity,ororganizationthatcurrentlyhasaVerifiedMarkCertificateorCertificatesandthatisapplyingforrenewalofsuchVerifiedMarkCertificateorCertificatesorforanadditionalVerifiedMarkCertificateorCertificates.ApplicantRepresentative:AnaturalpersonorhumansponsorwhoiseithertheApplicant,employedbytheApplicant,oranauthorizedagentwhohasexpressauthoritytorepresenttheApplicant:(i)whosignsandsubmits,orapprovesacertificaterequestonbehalfoftheApplicant,and/or(ii)whosignsandsubmitsaSubscriberAgreementonbehalfoftheApplicant,and/or(iii)whoacknowledgestheTermsofUseonbehalfoftheApplicantwhentheApplicantisanAffiliateoftheCAoristheCA.ApplicationSoftwareSupplier:Asupplierofrelying-partyapplicationsoftwarethatdisplaysorusesVerifiedMarkCertificatesandincorporatesRootCertificates.AttestationLetter:AletterattestingthatSubjectInformationiscorrectwrittenbyanaccountant,lawyer,governmentofficial,orotherreliablethirdpartycustomarilyrelieduponforsuchinformation.AuditPeriod:Inaperiod-of-timeaudit,theperiodbetweenthefirstday(start)andthelastdayofoperations(end)coveredbytheauditorsintheirengagement.(Thisisnotthesameastheperiodoftimewhentheauditorsareon-siteattheCA.)Thecoveragerulesandmaximumlengthofauditperiodsaredefinedinsection8.1.AuditReport:AreportfromaQualifiedPractitionerstatingtheQualifiedPractitioner’sopiniononwhetheranentity’sprocessesandcontrolscomplywiththemandatoryprovisionsoftheseRequirements.AuthorizationDomainName:TheDomainNameusedtoobtainauthorizationforcertificateissuanceforagivenFQDN.TheCAmayusetheFQDNreturnedfromaDNSCNAMElookupastheFQDNforthepurposesofdomainvalidation.TheCAmayprunezeroormorelabelsfromlefttorightuntilencounteringaBaseDomainNameandmayuseanyoneoftheintermediatevaluesforthepurposeofdomainvalidation.AuthorizedPorts:Oneofthefollowingports:80(http),443(https),25(smtp),22(ssh).BaseDomainName:Theportionofanapplied-forFQDNthatisthefirstdomainnamenodeleftofaregistry-controlledorpublicsuffixplustheregistry-controlledorpublicsuffix(e.g."example.co.uk"or


"example.com").ForFQDNswheretheright-mostdomainnamenodeisagTLDhavingICANNSpecification13initsregistryagreement,thegTLDitselfmaybeusedastheBaseDomainName.BusinessEntity:AnyentitythatisnotaPrivateOrganization,GovernmentEntity,orNon-CommercialEntityasdefinedherein.Examplesinclude,butarenotlimitedto,generalpartnerships,unincorporatedassociations,soleproprietorships,etc.CA:TheCertificationAuthoritythatissuesaVerifiedMarkCertificate.AlsoknownasaMarkVerifyingAuthority.CAA:FromRFC8659(https://tools.ietf.org/html/rfc8659):“TheCertificationAuthorityAuthorization(CAA)DNSResourceRecordallowsaDNSdomainnameholdertospecifyoneormoreCertificationAuthorities(CAs)authorizedtoissuecertificatesforthatdomainname.CAAResourceRecordsallowapublicCAtoimplementadditionalcontrolstoreducetheriskofunintendedcertificatemis-issue.”Certificate:AVerifiedMarkCertificate.CertificateApprover:AnaturalpersonwhoiseithertheApplicant,employedbytheApplicant,oranauthorizedagentwhohasexpressauthoritytorepresenttheApplicantto(i)actasaCertificateRequesterandtoauthorizeotheremployeesorthirdpartiestoactasaCertificateRequester,and(ii)toapproveVMCRequestssubmittedbyotherCertificateRequesters.TheCertificateApprovermayalsoserveastheDesignatedIndividualduringtheF2FVerificationProcedure.CertificateData:Certificaterequestsanddatarelatedthereto(whetherobtainedfromtheApplicantorotherwise)intheCA’spossessionorcontrolortowhichtheCAhasaccess.CertificateManagementProcess:Processes,practices,andproceduresassociatedwiththeuseofkeys,software,andhardware,bywhichtheCAverifiesCertificateData,issuesCertificates,maintainsaRepository,andrevokesCertificates.CertificatePolicy:AsetofrulesthatindicatestheapplicabilityofanamedCertificatetoaparticularcommunityand/orPKIimplementationwithcommonsecurityrequirements.CertificateProblemReport:ComplaintofCertificatemisissuance,Certificatemisuse,orothertypesoffraud,compromise,misuse,orinappropriateconductrelatedtoCertificates.CertificateProfile:AsetofdocumentsorfilesthatdefinesrequirementsforCertificatecontentandCertificateextensionsinaccordancewithSection7oftheseRequirements,e.g.,aSectioninaCA’sCPSoracertificatetemplatefileusedbyCAsoftware.CertificateRequester:AnaturalpersonwhoiseithertheApplicant,employedbytheApplicant,anauthorizedagentwhohasexpressauthoritytorepresenttheApplicant,orathirdparty(suchasanISPorhostingcompany)thatcompletesandsubmitsaVMCCertificateRequestonbehalfoftheApplicant.CertificateRevocationList:Aregularlyupdatedtime-stampedlistofrevokedCertificatesthatiscreatedanddigitallysignedbytheCAthatissuedtheCertificates.CertificationAuthority:Anorganizationthatisresponsibleforthecreation,issuance,revocation,andmanagementofCertificates,alsoknownasaMarkVerifyingAuthority.ThetermappliesequallytobothRootsCAsandSubordinateCAs.CertificationPracticeStatement:OneofseveraldocumentsformingthegovernanceframeworkinwhichCertificatesarecreated,issued,managed,andused.


CombinedMark:Amarkconsistingofagraphicdesign,stylizedlogo,orimage,withwordsand/orlettershavingaparticularstylizedappearance.Forgreatercertainty,a“CombinedMark”includesmarksmadeupofbothwordanddesignelements.SeeAppendixBformappingofthenamesusedbydifferenttrademarksofficestothedefinitionofCombinedMark.ConfirmationRequest:Anappropriateout-of-bandcommunicationrequestingverificationorconfirmationoftheparticularfactatissue.ConfirmingPerson:ApositionwithinanApplicant’sorganizationthatconfirmstheparticularfactatissue.ConsumingEntity(”CE”):AnentitythatincorporatesandusestheMarkRepresentationandrelateddatacontainedinaVerifiedMarkCertificateinitsproductsandservicesinaccordancewiththeVMCTerms.ConsumingEntitiesincludemailboxproviders.ContractSigner:AnaturalpersonwhoiseithertheApplicant,employedbytheApplicant,oranauthorizedagentwhohasexpressauthoritytorepresenttheApplicant,andwhohasauthorityonbehalfoftheApplicanttosignSubscriberAgreements.TheContractSignermayalsoserveastheDesignatedIndividualduringtheF2FVerificationProcedure.Control:“Control”(anditscorrelativemeanings,“controlledby”and“undercommoncontrolwith”)meanspossession,directlyorindirectly,ofthepowerto:(1)directthemanagement,personnel,finances,orplansofsuchentity;(2)controltheelectionofamajorityofthedirectors;or(3)votethatportionofvotingsharesrequiredfor“control”underthelawoftheentity’sJurisdictionofIncorporationorRegistrationbutinnocaselessthan10%.Country:EitheramemberoftheUnitedNationsORageographicregionrecognizedasaSovereignStatebyatleasttwoUNmembernations.CRL:CertificateRevocationListasdefinedinRFC5280.ACRLisalistidentifyingwhichcertificatesarerevokedmeaninginvalid,publishedperiodicallybyCAs.CrossCertificate:AcertificatethatisusedtoestablishatrustrelationshipbetweentwoRootCAs.CSPRNG:Arandomnumbergeneratorintendedforuseincryptographicsystem.DelegatedThirdParty:AnaturalpersonorLegalEntitythatisnottheCA,andwhoseactivitiesarenotwithinthescopeoftheappropriateCAaudits,butisauthorizedbytheCAtoassistintheCertificateManagementProcessbyperformingorfulfillingoneormoreoftheCArequirementsfoundherein.DemandDepositAccount:Adepositaccountheldatabankorotherfinancialinstitution,thefundsdepositedinwhicharepayableondemand.Theprimarypurposeofdemandaccountsistofacilitatecashlesspaymentsbymeansofcheck,bankdraft,directdebit,electronicfundstransfer,etc.Usagevariesamongcountries,butademanddepositaccountiscommonlyknownasasharedraftaccount,acurrentaccount,oracheckingaccount.DesignMark:Amarkconsistingofagraphicdesign,stylizedlogo,orimage,withoutwordsand/orletters.Forgreatercertainty,a“DesignMark”includesmarksmadeupsolelyofdesignelements.ForRegisteredMarks,seeAppendixBformappingofthenamesusedbydifferenttrademarksofficestothedefinitionofDesignMark.DesignatedIndividual:ThepersonwhocompletestheF2FVerificationProcedureundertheprovisionsofAppendixG,Section1orSection2.DNSCAAEmailContact:TheemailaddressdefinedinsectionA.1.1.


DNSCAAPhoneContact:ThephonenumberdefinedinsectionA.1.2.DNSTXTRecordEmailContact:TheemailaddressdefinedinsectionA.2.1.DNSTXTRecordPhoneContact:ThephonenumberdefinedinsectionA.2.2.DomainAuthorizationDocument:Documentationprovidedby,oraCA’sdocumentationofacommunicationwith,aDomainNameRegistrar,theDomainNameRegistrant,orthepersonorentitylistedinWHOISastheDomainNameRegistrant(includinganyprivate,anonymous,orproxyregistrationservice)attestingtotheauthorityofanApplicanttorequestaCertificateforaspecificDomainNamespace.DomainContact:TheDomainNameRegistrant,technicalcontact,oradministrativecontact(ortheequivalentunderaccTLD)aslistedintheWHOISrecordoftheBaseDomainNameorinaDNSSOArecord,orasobtainedthroughdirectcontactwiththeDomainNameRegistrar.DomainName:ThelabelassignedtoanodeintheDomainNameSystem.DomainNamespace:ThesetofallpossibleDomainNamesthataresubordinatetoasinglenodeintheDomainNameSystem.DomainNameRegistrant:Sometimesreferredtoasthe“owner”ofaDomainName,butmoreproperlytheperson(s)orentity(ies)registeredwithaDomainNameRegistrarashavingtherighttocontrolhowaDomainNameisused,suchasthenaturalpersonorLegalEntitythatislistedasthe“Registrant”byWHOISortheDomainNameRegistrar.DomainNameRegistrar:ApersonorentitythatregistersDomainNamesundertheauspicesoforbyagreementwith:(i)theInternetCorporationforAssignedNamesandNumbers(ICANN),(ii)anationalDomainNameauthority/registry,or(iii)aNetworkInformationCenter(includingtheiraffiliates,contractors,delegates,successors,orassignees).ExpiryDate:The“NotAfter”dateinaCertificatethatdefinestheendofaCertificate’svalidityperiod.F2FVerificationProcedure:EithertheNotarizationprocessasspecifiedatAppendixG,Section1,orthewebbasedF2FsessionasspecifiedatAppendixG,Section2,aschosenbytheCA.Fully-QualifiedDomainName:ADomainNamethatincludesthelabelsofallsuperiornodesintheInternetDomainNameSystem.GlobalLegalEntityIdentifierFoundation(GLEIF):TheorganizationestablishedbytheFinancialStabilityBoardtosupporttheimplementationanduseoftheLegalEntityIdentifier(LEI).Seewww.gleif.org.

GlobalLegalEntityIdentifierIndex:TheGLEIFpublicindexofLEIrecordsforthoselegalentitiesidentifiablewithanLEI.GovernmentAgency:InthecontextofaPrivateOrganization,thegovernmentagencyintheJurisdictionofIncorporationunderwhoseauthoritythelegalexistenceofPrivateOrganizationsisestablished(e.g.,thegovernmentagencythatissuedtheCertificateofIncorporation).InthecontextofBusinessEntities,thegovernmentagencyinthejurisdictionofoperationthatregistersbusinessentities.InthecaseofaGovernmentEntity,theentitythatenactslaw,regulations,ordecreesestablishingthelegalexistenceofGovernmentEntities.GovernmentEntity:Agovernment-operatedlegalentity,agency,department,ministry,branch,orsimilarelementofthegovernmentofacountry,orpoliticalsubdivisionwithinsuchcountry(suchasastate,province,city,county,etc.).


GovernmentMark:AMarkorequivalentgrantedtoorclaimedbyagovernmentorganization(orgrantedtoaprivateorganizationorotherorganization)throughofficialstatute,regulation,treaty,orgovernmentactionasitappearsorisdescribedinthestatute,regulation,treaty,orgovernmentactionandconfirmedbyaMarkVerifyingAuthorityusingtheproceduresprescribedinSection3.2.16.2.AMarkthathasbeenregisteredbyaGovernmentEntityasatrademarkwithaTrademarkOfficeisnotconsidereda“GovernmentMark”.IncorporatingAgency:InthecontextofaPrivateOrganization,thegovernmentagencyintheJurisdictionofIncorporationunderwhoseauthoritythelegalexistenceoftheentityisregistered(e.g.,thegovernmentagencythatissuescertificatesofformationorincorporation).InthecontextofaGovernmentEntity,theentitythatenactslaw,regulations,ordecreesestablishingthelegalexistenceofGovernmentEntities.IndependentConfirmationFromApplicant:ConfirmationofaparticularfactreceivedbytheCApursuanttotheprovisionsoftheRequirementsorbindingupontheApplicant.InternalName:Astringofcharacters(notanIPaddress)inaCommonNameorSubjectAlternativeNamefieldofaCertificatethatcannotbeverifiedasgloballyuniquewithinthepublicDNSatthetimeofcertificateissuancebecauseitdoesnotendwithaTopLevelDomainregisteredinIANA’sRootZoneDatabase.InternationalOrganization:Anorganizationfoundedbyaconstituentdocument,e.g.,acharter,treaty,conventionorsimilardocument,signedby,oronbehalfof,aminimumoftwoSovereignStategovernments.IssuingCA:InrelationtoaparticularCertificate,theCAthatissuedtheCertificate.ThiscouldbeeitheraRootCAoraSubordinateCA.JurisdictionofIncorporation:InthecontextofaPrivateOrganization,thecountryand(whereapplicable)thestateorprovinceorlocalitywheretheorganization’slegalexistencewasestablishedbyafilingwith(oranactof)anappropriategovernmentagencyorentity(e.g.,whereitwasincorporated).InthecontextofaGovernmentEntity,thecountryand(whereapplicable)thestateorprovincewheretheEntity’slegalexistencewascreatedbylaw.JurisdictionofRegistration:InthecaseofaBusinessEntity,thestate,province,orlocalitywheretheorganizationhasregistereditsbusinesspresencebymeansoffilingsbyaPrincipalIndividualinvolvedinthebusiness.KeyGenerationScript:AdocumentedplanofproceduresforthegenerationofaCAKeyPair.KeyPair:ThePrivateKeyanditsassociatedPublicKey.LatinNotary:Apersonwithlegaltrainingwhosecommissionunderapplicablelawnotonlyincludesauthoritytoauthenticatetheexecutionofasignatureonadocumentbutalsoresponsibilityforthecorrectnessandcontentofthedocument.ALatinNotaryissometimesreferredtoasaCivilLawNotary.LegalEntity:APrivateOrganization,GovernmentEntity,BusinessEntity,orNon-CommercialEntity.LegalExistence:APrivateOrganization,GovernmentEntity,orBusinessEntityhasLegalExistenceifithasbeenvalidlyformedandnototherwiseterminated,dissolved,orabandoned.LegalPractitioner:ApersonwhoiseitheralawyeroraLatinNotaryasdescribedintheseRequirementsandcompetenttorenderanopiniononfactualclaimsoftheApplicant.LegalEntityIdentifier(“LEI”):LEIisspecifiedintheISO17442andnameslegalentitiesintheGlobalLegalEntityIdentifierIndex.Mark:ACombinedMark,DesignMark,orWordMark.MarksmayeitherberegisteredwithaTrademarkOffice(RegisteredMark)orcreatedthroughgovernmentaction(GovernmentMark).


MarkAssertingEntity(“MAE”):AnApplicantfor/SubscriberofaVerifiedMarkCertificate.MaybethesameastheApplicantand/orSubscriber.MarkRepresentation:AdigitalrepresentationofaCombinedMark,DesignMark,orWordMarksuchasadigitalorcomputerfile,containingstructuredbinaryortextualdatawhichcanbeinterpretedtorecreate(render)avisualrepresentationofthemarksothatitcanbeseen.TheMarkRepresentationwillbeusedastheLogotypeExtensionunderSection7.1.2.3.MarkVerifyingAuthority(“MVA”):TheauthoritywhoissuesaVerifiedMarkCertificate.AlsoreferredtoasaCertificationAuthorityorCA.MaximumValidityPeriod:1.ThemaximumtimeperiodforwhichtheissuedVMCisvalid.2.ThemaximumperiodaftervalidationbytheCAthatcertainApplicantinformationmayberelieduponinissuingaVMCpursuanttotheseRequirements.Notary:Anotary(orlegalequivalentintheapplicablejurisdiction),LatinNotary,lawyer,solicitor,orotherpersonororganizationinthejurisdictionwheretheContractSignerorCertificateApprover(alsoknownasthe“DesignatedIndividual”)willbeverifiedwhosecommissionunderapplicablelawincludesauthoritytoauthenticatetheexecutionofasignatureonadocument.“Notarize”includesRemoteNotarization.Notarize:TheprocessbywhichtheNotaryverifiestheidentityoftheContractSignerorCertificateApproverbymeansofagovernment-issuedphotoID,observestheContractSignerorCertificateApproversignaVerificationDocumentpreparedbytheCA,andsignsandaffixestheNotary’snotarizationsealorotherequivalentmethodtotheVerificationDocumenttoindicatetheNotarizationprocesshasbeencompletedbytheNotary.ObjectIdentifier:AuniquealphanumericornumericidentifierregisteredundertheInternationalOrganizationforStandardization’sapplicablestandardforaspecificobjectorobjectclass.OCSPResponder:AnonlineserveroperatedundertheauthorityoftheCAandconnectedtoitsRepositoryforprocessingCertificatestatusrequests.Seealso,OnlineCertificateStatusProtocol.OnlineCertificateStatusProtocol:AnonlineCertificate-checkingprotocolasdefinedinRFC6960thatenablesRelyingPartiesandrelying-partyapplicationsoftwaretodeterminethestatusofanidentifiedCertificate.SeealsoOCSPResponder.ParentCompany:AcompanythatControlsaSubsidiaryCompany.PrivateKey:ThekeyofaKeyPairthatcorrespondstothePublicKeyusedbytheSubscribertosignaVMCcertificaterequest.OncethePrivateKey-PublicKeypairhasbeengenerated,thePrivateKeyisnotusedandmaybediscarded.PlaceofBusiness:Thelocationofanyfacility(suchasafactory,retailstore,warehouse,etc)wheretheApplicant’sbusinessisconducted.PrincipalIndividual:AnindividualofaPrivateOrganization,GovernmentEntity,orBusinessEntitythatiseitheranowner,partner,managingmember,director,orofficer,asidentifiedbytheirtitleofemployment,oranemployee,contractororagentauthorizedbysuchentityororganizationtoconductbusinessrelatedtotherequest,issuance,anduseofVerifiedMarkCertificates.PrivateOrganization:Anon-governmentallegalentity(whetherownershipinterestsareprivatelyheldorpubliclytraded)whoseexistencewascreatedbyafilingwith(oranactof)theIncorporatingAgencyorequivalentinitsJurisdictionofIncorporation.


PublicKey:ThekeyofaKeyPairthatmaybepubliclydisclosedbytheholderofthecorrespondingPrivateKeyandthatisusedtogenerateVMCsigningrequestsfortheCAonbehalfoftheSubscriber.PublicKeyInfrastructure:Asetofhardware,software,people,procedures,rules,policies,andobligationsusedtofacilitatethetrustworthycreation,issuance,management,anduseofCertificatesandkeysbasedonPublicKeyCryptography.Publicly-TrustedCertificate:ACertificatethatistrustedbyvirtueofthefactthatitscorrespondingRootCertificateisdistributedasatrustanchorinwidely-availableapplicationsoftware.QualifiedPractitioner:AnaturalpersonorLegalEntitythatmeetstherequirementsofSection8.2.QualifiedGovernmentInformationSource:AdatabasemaintainedbyaGovernmentEntity(e.g.SECfilings)thatmeetstherequirementsofSection3.2.13.4.QualifiedGovernmentTaxInformationSource:AQualifiedGovernmentalInformationSourcethatspecificallycontainstaxinformationrelatingtoPrivateOrganizations,BusinessEntities,orIndividuals.QualifiedIndependentInformationSource:Aregularly-updatedandcurrent,publiclyavailable,databasedesignedforthepurposeofaccuratelyprovidingtheinformationforwhichitisconsulted,andwhichisgenerallyrecognizedasadependablesourceofsuchinformation.RandomValue:AvaluespecifiedbyaCAtotheApplicantthatexhibitsatleast112bitsofentropy.RegisteredDomainName:ADomainNamethathasbeenregisteredwithaDomainNameRegistrar.ARegisteredDomainNamemayalsobecalledanOrganizationalDomain.RegisteredAgent:Anindividualorentitythatis:(i)authorizedbytheApplicanttoreceiveserviceofprocessandbusinesscommunicationsonbehalfoftheApplicant;and(ii)listedintheofficialrecordsoftheApplicant’sJurisdictionofIncorporationasactingintherolespecifiedin(i)above.RegisteredOffice:Theofficialaddressofacompany,asrecordedwiththeIncorporatingAgency,towhichofficialdocumentsaresentandatwhichlegalnoticesarereceived.RegisteredMark:AMarkthathasbeenregisteredasatrademarkwithaTrademarkOffice,andinparticular,astheMarkappearsintheofficialdatabaseoftheapplicableTrademarkOffice.RegisteredMarkProfile:VerifiedMarkCertificatesthathavebeenissuedfollowingthevalidationproceduresinsection3.2.16anddesignatedbyaCertificateGeneralPolicyIdentifierOID(1.3.6.1.4.1.53087.1.1)asdescribedunderSection7.1.2.2and7.1.2.3.TheseVMCshaveaSVGinthelogotypeextensionthatcontainsregisteredmarkandotherdistinguishingfieldsnotedelsewhere.RegistrationAuthority(RA):AnyLegalEntitythatisresponsibleforidentificationandauthenticationofsubjectsofCertificates,butisnotaCA,andhencedoesnotsignorissueCertificates.AnRAmayassistinthecertificateapplicationprocessorrevocationprocessorboth.When“RA”isusedasanadjectivetodescribearoleorfunction,itdoesnotnecessarilyimplyaseparatebody,butcanbepartoftheCAasstipulatedinSection1.3.2.RegistrationAgency:AGovernmentalAgencythatregistersbusinessinformationinconnectionwithanentity’sbusinessformationorauthorizationtoconductbusinessunderalicense,charterorothercertification.ARegistrationAgencyMAYinclude,butisnotlimitedto(i)aStateDepartmentofCorporationsoraSecretaryofState;(ii)alicensingagency,suchasaStateDepartmentofInsurance;or(iii)acharteringagency,suchasastateofficeordepartmentoffinancialregulation,bankingorfinance,orafederalagencysuchastheOfficeoftheComptrolleroftheCurrencyorOfficeofThriftSupervision.


RegistrationNumber:TheuniquenumberassignedtoaPrivateOrganizationbytheIncorporatingAgencyinsuchentity’sJurisdictionofIncorporationRegistrationReference:AuniqueidentifierassignedtoaLegalEntity.RegulatedFinancialInstitution:Afinancialinstitutionthatisregulated,supervised,andexaminedbygovernmental,national,stateorprovincial,orlocalauthorities.RelyingParty:AnynaturalorlegalpersonthatreliesonaVMCortheinformationorMarkscontainedinaVMCordisplayedtothepersonbyaConsumingEntity.AnApplicationSoftwareSupplierisnotconsideredaRelyingPartywhensoftwaredistributedbysuchSuppliermerelydisplaysinformationrelatingtoaCertificate.RemoteNotarization:TheprocessbywhichaNotaryNotarizesadocumentoveralivevideo/audiolinkwhiletheNotaryandtheContractSignerorCertificateApproverarephysicallyindifferentlocations.Repository:Anonlinedatabasecontainingpublicly-disclosedVMCgovernancedocuments(suchasCertificationPracticeStatements)andCertificatestatusinformation,eitherintheformofaCRLoranOCSPresponse.RequestToken:Avalue,derivedinamethodspecifiedbytheCAwhichbindsthisdemonstrationofcontroltothecertificaterequest.TheCASHOULDdefinewithinitsCPS(oradocumentclearlyreferencedbytheCPS)theformatandmethodofRequestTokensitaccepts.TheRequestTokenSHALLincorporatethekeyusedinthecertificaterequest.ARequestTokenMAYincludeatimestamptoindicatewhenitwascreated.ARequestTokenMAYincludeotherinformationtoensureitsuniqueness.ARequestTokenthatincludesatimestampSHALLremainvalidfornomorethan30daysfromthetimeofcreation.ARequestTokenthatincludesatimestampSHALLbetreatedasinvalidifitstimestampisinthefuture.ARequestTokenthatdoesnotincludeatimestampisvalidforasingleuseandtheCASHALLNOTre-useitforasubsequentvalidation.ThebindingSHALLuseadigitalsignaturealgorithmoracryptographichashalgorithmatleastasstrongasthattobeusedinsigningthecertificaterequest.Note:ExamplesofRequestTokensinclude,butarenotlimitedto:(i)ahashofthepublickey;or(ii)ahashoftheSubjectPublicKeyInfo[X.509];or(iii)ahashofaPKCS#10CSR.ARequestTokenmayalsobeconcatenatedwithatimestamporotherdata.IfaCAwantedtoalwaysuseahashofaPKCS#10CSRasaRequestTokenanddidnotwanttoincorporateatimestampanddidwanttoallowcertificatekeyre-usethentheapplicantmightusethechallengepasswordinthecreationofaCSRwithOpenSSLtoensureuniquenessevenifthesubjectandkeyareidenticalbetweensubsequentrequests.Note:ThissimplisticshellcommandproducesaRequestTokenwhichhasatimestampandahashofaCSR.echo`date-u+%Y%m%d%H%M``sha256sum<r2.csr`\|sed"s/[-]//g"


Thescriptoutputs:201602251811c9c863405fe7675a3988b97664ea6baf442019e4e52fa335f406f7c5f26cf14fRequiredWebsiteContent:EitheraRandomValueoraRequestToken,togetherwithadditionalinformationthatuniquelyidentifiestheSubscriber,asspecifiedbytheCA.Requirements:TheVMCRequirementsfoundinthisdocument.RootCA:ThetoplevelCertificationAuthoritywhoseRootCertificateisdistributedbyApplicationSoftwareSuppliersandthatissuesSubordinateCACertificates.RootCertificate:Theself-signedCertificateissuedbytheRootCAtoidentifyitselfandtofacilitateverificationofCertificatesissuedtoitsSubordinateCAs.SovereignState:Astateorcountrythatadministersitsowngovernment,andisnotdependentupon,orsubjectto,anotherpower.Subscriber:Aperson,entity,ororganizationthathasappliedforandhasbeenissuedaVerifiedMarkCertificate.Subject:Thenaturalperson,device,system,unit,orLegalEntityidentifiedinaCertificateastheSubject.TheSubjectistheSubscriber.SubjectIdentityInformation:InformationthatidentifiestheCertificateSubject.SubjectIdentityInformationdoesnotincludeadomainnamelistedinthesubjectAltNameextensionortheSubjectcommonNamefield.SubordinateCA:ACertificationAuthoritywhoseCertificateissignedbytheRootCA,oranotherSubordinateCA.Subscriber:AnaturalpersonorLegalEntitytowhomaCertificateisissuedandwhoislegallyboundbyaSubscriberAgreementorTermsofUse.SubscriberAgreement:AnagreementbetweentheCAandtheApplicant/Subscriberthatspecifiestherightsandresponsibilitiesoftheparties.SubsidiaryCompany:AcompanythatiscontrolledbyaParentCompany.SuperiorGovernmentEntity:Basedonthestructureofgovernmentinapoliticalsubdivision,theGovernmentEntityorEntitiesthathavetheabilitytomanage,directandcontroltheactivitiesoftheApplicant.SVGGuidelines:Thedraft-svg-tiny-ps-abrotman-01versionoftheSVGTinyPortable/Secure(SVGTinyPS)GuidelinesdocumentlocatedatthisURL:https://bimigroup.org/resources/RFC_SVG_PS.txtaswellasaRNCvalidatorlocatedatthisURL:http://bimigroup.org/resources/SVG_PS-latest.rnc.txtBotharepublishedbytheAuthindicatorsWorkingGroup.TermsofUse:ProvisionsregardingthesafekeepingandacceptableusesofaCertificateissuedinaccordancewiththeseRequirementswhentheApplicant/SubscriberisanAffiliateoftheCAoristheCA.Third-PartyValidator:ApersonororganizationwhoperformstheF2FVerificationProcedureoftheContractSignerorCertificateApproverusingtheNotarizationprocessunderAppendixG,Section1.


TrademarkOffice:AnintellectualpropertyofficerecognizedbytheWorldIntellectualPropertyOrganizationforregistrationoftrademarks(seenamesofintellectualpropertyofficesaslistedinthecolumn“Office”athttps://www.wipo.int/directory/en/urls.jsp).Translator:AnindividualorBusinessEntitythatpossessestherequisiteknowledgeandexpertisetoaccuratelytranslatethewordsofadocumentwritteninonelanguagetothenativelanguageoftheCA.TrustworthySystem:Computerhardware,software,andproceduresthatare:reasonablysecurefromintrusionandmisuse;provideareasonablelevelofavailability,reliability,andcorrectoperation;arereasonablysuitedtoperformingtheirintendedfunctions;andenforcetheapplicablesecuritypolicy.ValidCertificate:ACertificatethatpassesthevalidationprocedurespecifiedinRFC5280.ValidationSpecialists:SomeonewhoperformstheinformationverificationdutiesspecifiedbytheseRequirements.ValidityPeriod:TheperiodoftimemeasuredfromthedatewhentheCertificateisissueduntiltheExpiryDate.VerificationDocument:AdocumentusedtoverifytheidentityandrelevantinformationoftheContractSignerorCertificateApprover(actingastheDesignatedIndividual)thatisNotarizedbyaNotary.TheVerificationDocumentshould:

(1)ListtheContractSignerorCertificateApprover’snameandtheaddresswheretheContractSignerorCertificateApproverislocatedwhentheNotarizationprocedureoccurs,(2)ContainlanguagethattheContractSignerorCertificateApproverconfirmstheinformationlistedin(1)iscorrectandaplacefortheContractSignerorCertificateApprovertosignthedocument,and(3)ContainappropriatetextfortheNotarytosignandaffixaseal(asappropriateinthejurisdiction)toindicatetheVerificationDocumentwasNotarizedbytheNotary.

VerifiedAccountantLetter:AdocumentmeetingtherequirementsspecifiedinSection3.2.13.2oftheseRequirementsVerifiedLegalOpinion:AdocumentmeetingtherequirementsspecifiedinSection3.2.13.1oftheseRequirements.VerifiedMarkCertificate:AcertificatethatcontainssubjectinformationandextensionsspecifiedintheseVMCRequirementsandthathasbeenverifiedandissuedbyaCAinaccordancewiththeseVMCRequirements.VerifiedMethodofCommunication:Theuseofatelephonenumber,afaxnumber,anemailaddress,orpostaldeliveryaddress,confirmedbytheCAinaccordancewithSection3.2.8oftheRequirementsasareliablewayofcommunicatingwiththeApplicant.VerifiedProfessionalLetter:AVerifiedAccountantLetterorVerifiedLegalOpinion.VMCAuthority:AsourceotherthantheCertificateApprover,throughwhichverificationoccursthattheCertificateApproverisexpresslyauthorizedbytheApplicant,asofthedateoftheVMCCertificateRequest,totaketheRequestactionsdescribedintheseRequirements.VMCCertificateRequest:ArequestfromanApplicanttotheCArequestingthattheCAissueaVMCCertificatetotheApplicant,whichrequestisvalidlyauthorizedbytheApplicantandsignedbytheCertificateApprover.


VMCMark:TheMarkRepresentationandWordMark,ifany,containedinaMAE’sVerifiedMarkCertificateapplication.VMCR:TheseVMCRequirementsVMCTerms:ThetermsofusethatapplytoaVMCCertificateandtotheMarkRepresentationandrelateddatacontainedinaVerifiedMarkCertificate,assetoutinAppendixDtotheseVMCRequirements.WHOIS:InformationretrieveddirectlyfromtheDomainNameRegistrarorregistryoperatorviatheprotocoldefinedinRFC3912,theRegistryDataAccessProtocoldefinedinRFC7482,oranHTTPSwebsite.WordMark:Amarkconsistingexclusivelyoftextexpressedwithoutregardtothefont,style,sizeorcolor.ForRegisteredMarks,seeAppendixBformappingofthenamesusedbydifferenttrademarksofficestothedefinitionofWordMark.

1.6.2. AcronymsAICPA AmericanInstituteofCertifiedPublicAccountantsADN AuthorizationDomainNameCA CertificationAuthorityCAA CertificationAuthorityAuthorizationccTLD CountryCodeTop-LevelDomainCP CertificatePolicyCPS CertificationPracticeStatementCRL CertificateRevocationListDBA DoingBusinessAsDNS DomainNameSystemFIPS (USGovernment)FederalInformationProcessingStandardFQDN FullyQualifiedDomainNameIM InstantMessagingIANA InternetAssignedNumbersAuthorityICANN InternetCorporationforAssignedNamesandNumbersISO InternationalOrganizationforStandardizationNIST (USGovernment)NationalInstituteofStandardsandTechnologyOCSP OnlineCertificateStatusProtocolOID ObjectIdentifierPKI PublicKeyInfrastructureRA RegistrationAuthorityS/MIME SecureMIME(MultipurposeInternetMailExtensions)SSL SecureSocketsLayerTLD Top-LevelDomainTLS TransportLayerSecurityVoIP VoiceOverInternetProtocolBIPM InternationalBureauofWeightsandMeasuresBIS (USGovernment)BureauofIndustryandSecurityCEO ChiefExecutiveOfficerCFO ChiefFinancialOfficerCIO ChiefInformationOfficerCISO ChiefInformationSecurityOfficerCOO ChiefOperatingOfficerCPA CharteredProfessionalAccountantCSO ChiefSecurityOfficerEV ExtendedValidationgTLD GenericTop-LevelDomainIFAC InternationalFederationofAccountants


IRS InternalRevenueServiceISP InternetServiceProviderQGIS QualifiedGovernmentInformationSourceQTIS QualifiedGovernmentTaxInformationSourceQIIS QualifiedIndependentInformationSourceSEC (USGovernment)SecuritiesandExchangeCommissionUTC(k) NationalrealizationofCoordinatedUniversalTime

1.6.3. ReferencesETSIEN319403,ElectronicSignaturesandInfrastructures(ESI);TrustServiceProviderConformityAssessment-RequirementsforconformityassessmentbodiesassessingTrustServiceProviders.ETSIEN319411-1,ElectronicSignaturesandInfrastructures(ESI);PolicyandsecurityrequirementsforTrustServiceProvidersissuingcertificates;Part1:Generalrequirements.ETSITS102042,ElectronicSignaturesandInfrastructures(ESI);Policyrequirementsforcertificationauthoritiesissuingpublickeycertificates.FIPS140-2,FederalInformationProcessingStandardsPublication-SecurityRequirementsForCryptographicModules,InformationTechnologyLaboratory,NationalInstituteofStandardsandTechnology,May25,2001.FIPS186-4,FederalInformationProcessingStandardsPublication-DigitalSignatureStandard(DSS),InformationTechnologyLaboratory,NationalInstituteofStandardsandTechnology,July2013.ISO21188:2006,Publickeyinfrastructureforfinancialservices--Practicesandpolicyframework.NetworkandCertificateSystemSecurityRequirements,v1.7,4/5/2021.NISTSP800-89,RecommendationforObtainingAssurancesforDigitalSignatureApplications,http://csrc.nist.gov/publications/nistpubs/800-89/SP-800-89_November2006.pdf.RFC2119,RequestforComments:2119,KeywordsforuseinRFCstoIndicateRequirementLevels,Bradner,March1997.RFC2527,RequestforComments:2527,InternetX.509PublicKeyInfrastructure:CertificatePolicyandCertificationPracticesFramework,Chokhani,etal,March1999.RFC3647,RequestforComments:3647,InternetX.509PublicKeyInfrastructure:CertificatePolicyandCertificationPracticesFramework,Chokhani,etal,November2003.RFC3912,RequestforComments:3912,WHOISProtocolSpecification,Daigle,September2004.RFC4366,RequestforComments:4366,TransportLayerSecurity(TLS)Extensions,Blake-Wilson,etal,April2006.RFC5019,RequestforComments:5019,TheLightweightOnlineCertificateStatusProtocol(OCSP)ProfileforHigh-VolumeEnvironments,A.Deacon,etal,September2007.RFC5280,RequestforComments:5280,InternetX.509PublicKeyInfrastructure:CertificateandCertificateRevocationList(CRL)Profile,Cooperetal,May2008.RFC6960,RequestforComments:6960,X.509InternetPublicKeyInfrastructureOnlineCertificateStatusProtocol-OCSP.Santesson,Myers,Ankney,Malpani,Galperin,Adams,June2013.


RFC6962,RequestforComments:6962,CertificateTransparency.B.Laurie,A.Langley,E.Kasper.June2013.RFC7482,RequestforComments:7482,RegistrationDataAccessProtocol(RDAP)QueryFormat,Newton,etal,March2015.WebTrustforCertificationAuthorities,SSLBaselinewithNetworkSecurity,Version2.0,availableathttp://www.webtrust.org/homepage-documents/item79806.pdf.RFC8659,RequestforComments:8659,DNSCertificationAuthorityAuthorization(CAA)ResourceRecord,Hallam-Baker,Stradling,Hoffman-Andrews,November2019.X.509,RecommendationITU-TX.509(10/2012)|ISO/IEC9594-8:2014(E),Informationtechnology–OpenSystemsInterconnection–TheDirectory:Public-keyandattributecertificateframeworks.

1.6.4. ConventionsThekeywords“MUST”,“MUSTNOT”,"REQUIRED","SHALL","SHALLNOT","SHOULD","SHOULDNOT","RECOMMENDED","MAY",and"OPTIONAL"intheseRequirementsshallbeinterpretedinaccordancewithRFC2119.

2. PUBLICATIONANDREPOSITORYRESPONSIBILITIESTheCASHALLdevelop,implement,enforce,andannuallyupdateaCertificatePolicyand/orCertificationPracticeStatementthatdescribesindetailhowtheCAimplementsthelatestversionoftheseRequirements.

2.1. REPOSITORIES

TheCASHALLmakerevocationinformationforSubordinateCertificatesandSubscriberCertificatesavailableinaccordancewiththisPolicy.

2.2. PUBLICATIONOFINFORMATION

TheCASHALLpubliclydiscloseitsCertificatePolicyand/orCertificationPracticeStatementthroughanappropriateandreadilyaccessibleonlinemeansthatisavailableona24x7basis.TheCASHALLpubliclydiscloseitsCAbusinesspracticestotheextentrequiredbytheCA'sselectedauditscheme(seeSection8.1).TheCertificatePolicyand/orCertificationPracticeStatementMUSTbestructuredinaccordancewithRFC3647andMUSTincludeallmaterialrequiredbyRFC3647.Section4.2ofaCA'sCertificatePolicyand/orCertificationPracticeStatementSHALLstatetheCA'spolicyorpracticeonprocessingCAARecordsforFullyQualifiedDomainNames;thatpolicySHALLbeconsistentwiththeseRequirements.ItSHALLclearlyspecifythesetofIssuerDomainNamesthattheCArecognizesinCAA"issuevmc"recordsaspermittingittoissue.TheCASHALLlogallactionstaken,ifany,consistentwithitsprocessingpractice.TheCASHALLpubliclygiveeffecttotheseRequirementsandrepresentthatitwilladheretothelatestpublishedversion.TheCAMAYfulfillthisrequirementbyincorporatingtheseRequirementsdirectlyintoitsCertificatePolicyand/orCertificationPracticeStatementsorbyincorporatingthembyreferenceusingaclausesuchasthefollowing(whichMUSTincludealinktotheofficialversionoftheseRequirements):

[NameofCA]conformstothecurrentversionoftheVerifiedMarkCertificateRequirementspublishedathttps://bimigroup.org.IntheeventofanyinconsistencybetweenthisdocumentandthoseRequirements,thoserequirementstakeprecedenceoverthisdocument.


2.3. TIMEORFREQUENCYOFPUBLICATION

TheCASHALLdevelop,implement,enforce,andannuallyupdateaCertificatePolicyand/orCertificationPracticeStatementthatdescribesindetailhowtheCAimplementsthelatestversionoftheseRequirements.

2.4. ACCESSCONTROLSONREPOSITORIES

TheCASHALLmakeitsRepositorypubliclyavailableinaread-onlymanner.

3. IDENTIFICATIONANDAUTHENTICATION

3.1. NAMING

3.1.1. TypesofnamesNostipulation.

3.1.2. NeedfornamestobemeaningfulNostipulation.

3.1.3. AnonymityorpseudonymityofsubscribersNostipulation.

3.1.4. RulesforinterpretingvariousnameformsNostipulation.

3.1.5. UniquenessofnamesNostipulation.

3.1.6. Recognition,authentication,androleoftrademarksNostipulation.

3.2. INITIALIDENTITYVALIDATION

3.2.1. MethodtoProvePossessionofPrivateKeyThePublicKeycontainedinVerifiedMarkCertificatesisnotused,soCAsarenotrequiredtoprovepossessionoftheassociatedPrivateKey.

3.2.2. AuthenticationofOrganizationandDomainIdentityTheCAMAYonlyissueVMCCertificatestoApplicantsthatmeetthePrivateOrganization,GovernmentEntity,BusinessEntityandNon-CommercialEntityrequirementsspecifiedbelow.

3.2.2.1. PrivateOrganizationSubjectsAnApplicantqualifiesasaPrivateOrganizationif:(1) Theentity’slegalexistenceiscreatedorrecognizedbyafilingwith(oranactof)theIncorporatingor

RegistrationAgencyinitsJurisdictionofIncorporationorRegistration(e.g.,byissuanceofacertificateofincorporation,registrationnumber,etc.)orcreatedorrecognizedbyaGovernmentAgency(e.g.underacharter,treaty,convention,orequivalentrecognitioninstrument);


(2) TheentitydesignatedwiththeIncorporatingorRegistrationAgencyaRegisteredAgent,aRegisteredOffice(asrequiredunderthelawsoftheJurisdictionofIncorporationorRegistration),oranequivalentfacility;

(3) TheentityisnotdesignatedontherecordsoftheIncorporatingorRegistrationAgencybylabelssuchas“inactive,”“invalid,”“notcurrent,”ortheequivalent;

(4) Theentityhasaverifiablephysicalexistenceandbusinesspresence;(5) Theentity’sJurisdictionofIncorporation,Registration,Charter,orLicense,and/oritsPlaceofBusinessis

notinanycountrywheretheCAisprohibitedfromdoingbusinessorissuingacertificatebythelawsoftheCA’sjurisdiction;and

(6) Theentityisnotlistedonanygovernmentdeniallistorprohibitedlist(e.g.,tradeembargo)underthelawsoftheCA’sjurisdiction.

3.2.2.2. GovernmentEntitySubjectsAnApplicantqualifiesasaGovernmentEntityif:(1)Theentity’slegalexistencewasestablishedbythepoliticalsubdivisioninwhichtheentityoperates;(2) TheentityisnotinanycountrywheretheCAisprohibitedfromdoingbusinessorissuingacertificateby

thelawsoftheCA’sjurisdiction;and(3) Theentityisnotlistedonanygovernmentdeniallistorprohibitedlist(e.g.,tradeembargo)underthe

lawsoftheCA’sjurisdiction.

3.2.2.3. BusinessEntitySubjectsAnApplicantqualifiesasaBusinessEntityif:(1) TheentityisalegallyrecognizedentitythatfiledcertainformswithaRegistrationAgencyinits

jurisdiction,theRegistrationAgencyissuedorapprovedtheentity’scharter,certificate,orlicense,andtheentity’sexistencecanbeverifiedwiththatRegistrationAgency;

(2) Theentityhasaverifiablephysicalexistenceandbusinesspresence;(3) AtleastonePrincipalIndividualassociatedwiththeentityisidentifiedandvalidatedbytheCA;(4) TheidentifiedPrincipalIndividualatteststotherepresentationsmadeintheSubscriberAgreement;(5) TheentityandtheidentifiedPrincipalIndividualassociatedwiththeentityarenotlocatedorresidingin

anycountrywheretheCAisprohibitedfromdoingbusinessorissuingacertificatebythelawsoftheCA’sjurisdiction;and

(6) TheentityandtheidentifiedPrincipalIndividualassociatedwiththeentityarenotlistedonanygovernmentdeniallistorprohibitedlist(e.g.,tradeembargo)underthelawsoftheCA’sjurisdiction.

3.2.2.4. Non-CommercialEntitySubjectsAnApplicantqualifiesasaNon-CommercialEntityif:

(A)TheApplicantisanInternationalOrganizationEntity,createdunderacharter,treaty,conventionorequivalentinstrumentthatwassignedby,oronbehalfof,morethanonecountry'sgovernment.TheCA/BrowserForummaypublishalistingofApplicantswhoqualifyasanInternationalOrganizationforVerifiedMarkeligibility;and

(B)TheApplicantisnotheadquarteredinanycountrywheretheCAisprohibitedfromdoingbusinessorissuingacertificatebythelawsoftheCA'sjurisdiction;and

(C)TheApplicantisnotlistedonanygovernmentdeniallistorprohibitedlist(e.g.,tradeembargo)underthelawsoftheCA'sjurisdiction.

SubsidiaryorganizationsoragenciesofanentitythatqualifiesasaNon-CommercialEntityalsoqualifiesforVerifiedMarkCertificatesasaNon-CommercialEntity.

3.2.3. VerificationRequirements–OverviewBeforeissuinganVerifiedMarkCertificate,theCAMUSTensurethatallSubjectorganizationinformationtobeincludedintheVMCconformstotherequirementsof,andisverifiedinaccordancewith,theseRequirementsandmatchestheinformationconfirmedanddocumentedbytheCApursuanttoitsverificationprocesses.Suchverificationprocessesareintendedtoaccomplishthefollowing: VerifyApplicant’sexistenceandidentity,including;

(A) VerifytheApplicant’slegalexistenceandidentity(asmorefullysetforthinSection3.2herein),(B) VerifytheApplicant’sphysicalexistence(businesspresenceataphysicaladdress),and


(C) VerifytheApplicant’soperationalexistence(businessactivity). VerifytheApplicantisaregisteredholder,orhascontrol,oftheDomainName(s)tobeincludedinthe

VerifiedMarkCertificate;(3)VerifyareliablemeansofcommunicationwiththeentitytobenamedastheSubjectintheCertificate; VerifytheApplicant’sauthorizationfortheVerifiedMarkCertificate,including;

(A) Verifythename,title,andauthorityoftheContractSigner,CertificateApprover,andCertificateRequester,

(B) VerifythataContractSignersignedtheSubscriberAgreementorthatadulyauthorizedindividualacknowledgedandagreedtotheTermsofUse;and

(C) VerifythataCertificateApproverhassignedorotherwiseapprovedtheVerifiedMarkCertificateRequest.

3.2.4. AcceptableMethodsofVerification–OverviewAsageneralrule,theCAisresponsiblefortakingallverificationstepsreasonablynecessarytosatisfyeachoftheVerificationRequirementssetforthinthesubsectionsbelow.TheAcceptableMethodsofVerificationsetforthineachofSections3.2.5through3.2.18(whichusuallyincludealternatives)areconsideredtobetheminimumacceptablelevelofverificationrequiredoftheCA.Inallcases,however,theCAisresponsiblefortakinganyadditionalverificationstepsthatmaybereasonablynecessaryunderthecircumstancestosatisfytheapplicableVerificationRequirement.

3.2.5. VerificationofApplicant’sLegalExistenceandIdentity3.2.5.1. VerificationRequirementsToverifytheApplicant’slegalexistenceandidentity,theCAMUSTdothefollowing.(1) PrivateOrganizationSubjects

(A) LegalExistence:VerifythattheApplicantisalegallyrecognizedentity,inexistenceandvalidlyformed(e.g.,incorporated)withtheIncorporatingorRegistrationAgencyintheApplicant’sJurisdictionofIncorporationorRegistration,andnotdesignatedontherecordsoftheIncorporatingorRegistrationAgencybylabelssuchas“inactive”,“invalid”,“notcurrent”,ortheequivalent.(B)OrganizationName:VerifythattheApplicant’sformallegalnameasrecordedwiththeIncorporatingorRegistrationAgencyintheApplicant’sJurisdictionofIncorporationorRegistrationmatchestheApplicant’snameintheVerifiedMarkCertificateRequest.(C) RegistrationNumber:ObtainthespecificRegistrationNumberassignedtotheApplicantbytheIncorporatingorRegistrationAgencyintheApplicant’sJurisdictionofIncorporationorRegistration.WheretheIncorporatingorRegistrationAgencydoesnotassignaRegistrationNumber,theCASHALLobtaintheApplicant’sdateofIncorporationorRegistration.(D)RegisteredAgent:ObtaintheidentityandaddressoftheApplicant’sRegisteredAgentorRegisteredOffice(asapplicableintheApplicant’sJurisdictionofIncorporationorRegistration).

(2) GovernmentEntitySubjects(A) LegalExistence:VerifythattheApplicantisalegallyrecognizedGovernmentEntity,inexistenceinthepoliticalsubdivisioninwhichsuchGovernmentEntityoperates.(B) EntityName:VerifythattheApplicant’sformallegalnamematchestheApplicant’snameintheVerifiedMarkCertificateRequest.(C) RegistrationNumber:TheCAMUSTattempttoobtaintheApplicant’sdateofincorporation,registration,orformation,ortheidentifierforthelegislativeactthatcreatedtheGovernmentEntity.Incircumstanceswherethisinformationisnotavailable,theCAMUSTenterappropriatelanguagetoindicatethattheSubjectisaGovernmentEntity.

(3) BusinessEntitySubjects(A) LegalExistence:VerifythattheApplicantisengagedinbusinessunderthenamesubmittedbytheApplicantintheApplication.(B)OrganizationName:VerifythattheApplicant’sformallegalnameasrecognizedbytheRegistrationAgencyintheApplicant’sJurisdictionofRegistrationmatchestheApplicant’snameintheVerifiedMarkCertificateRequest.


(C) RegistrationNumber:AttempttoobtainthespecificuniqueRegistrationNumberassignedtotheApplicantbytheRegistrationAgencyintheApplicant’sJurisdictionofRegistration.WheretheRegistrationAgencydoesnotassignaRegistrationNumber,theCASHALLobtaintheApplicant’sdateofRegistration.(D)PrincipalIndividual:VerifytheidentityoftheidentifiedPrincipalIndividual.

(4)Non-CommercialEntitySubjects(InternationalOrganizations)(A) LegalExistence:VerifythattheApplicantisalegallyrecognizedInternationalOrganizationEntity.(B) EntityName:VerifythattheApplicant'sformallegalnamematchestheApplicant'snameintheVerifiedMarkCertificateRequest.(C) RegistrationNumber:TheCAMUSTattempttoobtaintheApplicant'sdateofformation,ortheidentifierforthelegislativeactthatcreatedtheInternationalOrganizationEntity.Incircumstanceswherethisinformationisnotavailable,theCAMUSTenterappropriatelanguagetoindicatethattheSubjectisanInternationalOrganizationEntity.

3.2.5.2. AcceptableMethodofVerification(1) PrivateOrganizationSubjects:AllitemslistedinSection3.2.5.1(1)MUSTbeverifieddirectlywith,or

obtaineddirectlyfrom,theIncorporatingorRegistrationAgencyintheApplicant'sJurisdictionofIncorporationorRegistration.SuchverificationMAYbethroughuseofaQualifiedGovernmentInformationSourceoperatedby,oronbehalfof,theIncorporatingorRegistrationAgency,orbydirectcontactwiththeIncorporatingorRegistrationAgencyinpersonorviamail,e-mail,Webaddress,ortelephone,usinganaddressorphonenumberobtaineddirectlyfromtheQualifiedGovernmentInformationSource,IncorporatingorRegistrationAgency,orfromaQualifiedIndependentInformationSource.

(2) GovernmentEntitySubjects:AllitemslistedinSection3.2.5.1(2)MUSTeitherbeverifieddirectlywith,orobtaineddirectlyfrom,oneofthefollowing:(i)aQualifiedGovernmentInformationSourceinthepoliticalsubdivisioninwhichsuchGovernmentEntityoperates;(ii)asuperiorgoverningGovernmentEntityinthesamepoliticalsubdivisionastheApplicant(e.g.aSecretaryofStatemayverifythelegalexistenceofaspecificStateDepartment)SuchverificationMAYbebydirectcontactwiththeappropriateGovernmentEntityinpersonorviamail,e-mail,Webaddress,ortelephone,usinganaddressorphonenumberobtainedfromaQualifiedIndependentInformationSource.

(3) BusinessEntitySubjects:ItemslistedinSection3.2.5.1(3)(A)through(C)above,MUSTbeverifieddirectlywith,orobtaineddirectlyfrom,theRegistrationAgencyintheApplicant'sJurisdictionofRegistration.SuchverificationMAYbeperformedbymeansofaQualifiedGovernmentInformationSource,aQualifiedGovernmentalTaxInformationSource,orbydirectcontactwiththeRegistrationAgencyinpersonorviamail,e-mail,Webaddress,ortelephone,usinganaddressorphonenumberobtaineddirectlyfromtheQualifiedGovernmentInformationSource,QualifiedGovernmentalTaxInformationSourceorRegistrationAgency,orfromaQualifiedIndependentInformationSource.Inaddition,theCAMUSTvalidateaPrincipalIndividualassociatedwiththeBusinessEntitypursuanttotherequirementsinsubsection(4),below.

(4) PrincipalIndividual:APrincipalIndividualassociatedwiththeBusinessEntityMUSTbevalidatedinaface-to-facesetting.TheCAMAYrelyuponaface-to-facevalidationofthePrincipalIndividualperformedbytheRegistrationAgency,providedthattheCAhasevaluatedthevalidationprocedureandconcludedthatitsatisfiestherequirementsoftheRequirementsforface-to-facevalidationprocedures.Wherenoface-to-facevalidationwasconductedbytheRegistrationAgency,ortheRegistrationAgency’sface-to-facevalidationproceduredoesnotsatisfytherequirementsoftheRequirements,theCASHALLperformface-to-facevalidation.(A)Face-To-FaceValidation:Theface-to-facevalidationMUSTbeconductedbeforeeitheranemployee

oftheCA,aLatinNotary,aNotary(orequivalentintheApplicant’sjurisdiction),aLawyer,orAccountant(Third-PartyValidator).Inallcases,theThird-PartyValidatormustbeworkingonbehalfoftheCA.ThePrincipalIndividual(s)MUSTpresentthefollowingdocumentation(VettingDocuments)directlytotheThird-PartyValidator:(i)APersonalStatementthatincludesthefollowinginformation:

1.Fullnameornamesbywhichapersonis,orhasbeen,known(includingallothernamesused);


2.ResidentialAddressatwhichhe/shecanbelocated;3.Dateofbirth;and4.AnaffirmationthatalloftheinformationcontainedintheCertificateRequestistrueand

correct.(ii)Acurrentsignedgovernment-issuedidentificationdocumentthatincludesaphotoofthe

IndividualandissignedbytheIndividualsuchas:1.Apassport;2.Adriver’slicense;3.Apersonalidentificationcard;4.Aconcealedweaponspermit;or5.AmilitaryID.

(iii)Atleasttwosecondarydocumentaryevidencestoestablishhis/heridentitythatincludethenameoftheIndividual,oneofwhichMUSTbefromafinancialinstitution.1.Acceptablefinancialinstitutiondocumentsinclude:

a.Amajorcreditcard,providedthatitcontainsanexpirationdateandithasnotexpired'b.Adebitcardfromaregulatedfinancialinstitution,providedthatitcontainsanexpirationdateandithasnotexpired,c.Amortgagestatementfromarecognizablelenderthatislessthansixmonthsold,d.Abankstatementfromaregulatedfinancialinstitutionthatislessthansixmonthsold.

2.Acceptablenon-financialdocumentsinclude:a.Recentoriginalutilitybillsorcertificatesfromautilitycompanyconfirmingthearrangementtopayfortheservicesatafixedaddress(notamobile/cellulartelephonebill),b.Acopyofastatementforpaymentofalease,providedthatthestatementisdatedwithinthepastsixmonths,c.Acertifiedcopyofabirthcertificate,d.Alocalauthoritytaxbillforthecurrentyear,e.Acertifiedcopyofacourtorder,suchasadivorcecertificate,annulmentpapers,oradoptionpapers.

TheThird-PartyValidatorperformingtheface-to-facevalidationMUST:(i) AttesttothesigningofthePersonalStatementandtheidentityofthesigner;and(ii) IdentifytheoriginalVettingDocumentsusedtoperformtheidentification.Inaddition,the

Third-PartyValidatorMUSTattestonacopyofthecurrentsignedgovernment-issuedphotoidentificationdocumentthatitisafull,true,andaccuratereproductionoftheoriginal.

(B)VerificationofThird-PartyValidator:TheCAMUSTindependentlyverifythattheThird-Party

Validatorisalegally-qualifiedLatinNotaryorNotary(orlegalequivalentintheApplicant’sjurisdiction),lawyer,oraccountantinthejurisdictionoftheIndividual’sresidency,andthattheThird-PartyValidatoractuallydidperformtheservicesanddidattesttothesignatureoftheIndividual.

(C)Cross-checkingofInformation:TheCAMUSTobtainthesignedandattestedPersonalStatement

togetherwiththeattestedcopyofthecurrentsignedgovernment-issuedphotoidentificationdocument.TheCAMUSTreviewthedocumentationtodeterminethattheinformationisconsistent,matchestheinformationintheapplication,andidentifiestheIndividual.TheCAMAYrelyonelectroniccopiesofthisdocumentation,providedthat:

(i)theCAconfirmstheirauthenticity(notimproperlymodifiedwhencomparedwiththeunderlyingoriginal)withtheThird-PartyValidator;and

(ii)electroniccopiesofsimilarkindsofdocumentsarerecognizedaslegalsubstitutesfororiginalsunderthelawsoftheCA’sjurisdiction.

(5)Non-CommercialEntitySubjects(InternationalOrganization):Unlessverifiedundersubsection(6),allitemslistedinSection3.3.1(4)MUSTbeverifiedeither:

(A)WithreferencetotheconstituentdocumentunderwhichtheInternationalOrganizationwasformed;or


(B)Directlywithasignatorycountry'sgovernmentinwhichtheCAispermittedtodobusiness.Suchverificationmaybeobtainedfromanappropriategovernmentagencyorfromthelawsofthatcountry,orbyverifyingthatthecountry'sgovernmenthasamissiontorepresentitattheInternationalOrganization;or

(C)DirectlyagainstanycurrentlistofqualifiedentitiesthattheAuthindicators/BIMIGroupmaymaintainathttps://bimigroup.org.

(D)IncaseswheretheInternationalOrganizationapplyingfortheVMCisanorganoragency-includinganon-governmentalorganizationofaverifiedInternationalOrganization,thentheCAmayverifytheInternationalOrganizationApplicantdirectlywiththeverifiedumbrellaInternationalOrganizationofwhichtheApplicantisanorganoragency.

3.2.6. VerificationofApplicant’sLegalExistenceandIdentity–AssumedName3.2.6.1. VerificationRequirementsIf,inadditiontotheApplicant’sformallegalname,asrecordedwiththeapplicableIncorporatingAgencyorRegistrationAgencyintheApplicant’sJurisdictionofIncorporationorRegistration,theApplicant’sidentity,asassertedintheVerifiedMarkCertificate,istocontainanyassumedname(alsoknownas“doingbusinessas”,“DBA”,or“d/b/a”intheUS,and“tradingas”intheUK)underwhichtheApplicantconductsbusiness,theCAMUSTverifythat:(i)theApplicanthasregistereditsuseoftheassumednamewiththeappropriategovernmentagencyforsuchfilingsinthejurisdictionofitsPlaceofBusiness(asverifiedinaccordancewiththeseGuidelines),and(ii)thatsuchfilingcontinuestobevalid.

3.2.6.2. AcceptableMethodofVerificationToverifyanyassumednameunderwhichtheApplicantconductsbusiness:

(1) TheCAMAYverifytheassumednamethroughuseofaQualifiedGovernmentInformationSourceoperatedby,oronbehalfof,anappropriategovernmentagencyinthejurisdictionoftheApplicant’sPlaceofBusiness,orbydirectcontactwithsuchgovernmentagencyinpersonorviamail,e-mail,Webaddress,ortelephone;or

(2) TheCAMAYverifytheassumednamethroughuseofaQualifiedIndependentInformationSourceprovidedthattheQIIShasverifiedtheassumednamewiththeappropriategovernmentagency.

(3) TheCAMAYrelyonaVerifiedProfessionalLetterthatindicatestheassumednameunderwhichtheApplicantconductsbusiness,thegovernmentagencywithwhichtheassumednameisregistered,andthatsuchfilingcontinuestobevalid.

3.2.7. VerificationofApplicant’sPhysicalExistence3.2.7.1. AddressofApplicant’sPlaceofBusiness(1) VerificationRequirements:ToverifytheApplicant'sphysicalexistenceandbusinesspresence,theCA

MUSTverifythatthephysicaladdressprovidedbytheApplicantisanaddresswheretheApplicantoraParent/SubsidiaryCompanyconductsbusinessoperations(not,forexample,amaildroporP.O.box,or'careof'(C/O)address,suchasanaddressforanagentoftheOrganization),andistheaddressoftheApplicant'sPlaceofBusiness.

(2)AcceptableMethodsofVerification(A)PlaceofBusinessintheCountryofIncorporationorRegistration

(i) ForApplicantswhosePlaceofBusinessisinthesamecountryastheApplicant'sJurisdictionofIncorporationorRegistrationandwhosePlaceofBusinessisNOTthesameasthatindicatedintherelevantQualifiedGovernmentInformationSourceusedinSection3.2.5toverifylegalexistence:(1)ForApplicantslistedatthesamePlaceofBusinessaddressinthecurrentversionofeitheratleastoneQGIS(otherthanthatusedtoverifylegalexistence),QIISorQTIS,theCAMUSTconfirmthattheApplicant'saddress,aslistedintheVerifiedMarkCertificateRequest,isavalidbusinessaddressfortheApplicantoraParent/SubsidiaryCompanybyreferencetosuchQGIS,QIIS,orQTIS,andMAYrelyontheApplicant'srepresentationthatsuchaddressisitsPlaceofBusiness;


(2)ForApplicantswhoarenotlistedatthesamePlaceofBusinessaddressinthecurrentversionofeitheratleastoneQIISorQTIS,theCAMUSTconfirmthattheaddressprovidedbytheApplicantintheVerifiedMarkCertificateRequestistheApplicant'soraParent/SubsidiaryCompany'sbusinessaddress,byobtainingdocumentationofasitevisittothebusinessaddress,whichMUSTbeperformedbyareliableindividualorfirm.ThedocumentationofthesitevisitMUST:(a)VerifythattheApplicant'sbusinessislocatedattheexactaddressstatedintheVerifiedMark

CertificateRequest(e.g.,viapermanentsignage,employeeconfirmation,etc.),(b)Identifythetypeoffacility(e.g.,officeinacommercialbuilding,privateresidence,storefront,

etc.)andwhetheritappearstobeapermanentbusinesslocation,(c)Indicatewhetherthereisapermanentsign(thatcannotbemoved)thatidentifiesthe

Applicant,(d)IndicatewhetherthereisevidencethattheApplicantisconductingongoingbusiness

activitiesatthesite(notthatitisjust,forexample,amaildrop,P.O.box,etc.),and(e)Includeoneormorephotosof(i)theexteriorofthesite(showingsignageindicatingthe

Applicant'sname,ifpresent,andshowingthestreetaddressifpossible),and(ii)theinteriorreceptionareaorworkspace.

(3)ForallApplicants,theCAMAYalternativelyrelyonaVerifiedProfessionalLetterthatindicatestheaddressoftheApplicant'soraParent/SubsidiaryCompany'sPlaceofBusinessandthatbusinessoperationsareconductedthere.

(4)ForGovernmentEntityApplicants,theCAMAYrelyontheaddresscontainedintherecordsoftheQGISintheApplicant'sjurisdiction.

(5)ForApplicantswhosePlaceofBusinessisinthesamecountryastheApplicant'sJurisdictionofIncorporationorRegistrationandwheretheQGISusedinSection3.2.5toverifylegalexistencecontainsabusinessaddressfortheApplicant,theCAMAYrelyontheaddressintheQGIStoconfirmtheApplicant'soraParent/SubsidiaryCompany'saddressaslistedintheVerifiedMarkCertificateRequest,andMAYrelyontheApplicant'srepresentationthatsuchaddressisitsPlaceofBusiness.

(B)PlaceofBusinessnotintheCountryofIncorporationorRegistration:TheCAMUSTrelyonaVerifiedProfessionalLetterthatindicatestheaddressoftheApplicant'sPlaceofBusinessandthatbusinessoperationsareconductedthere.

3.2.8. VerifiedMethodofCommunication3.2.8.1. VerificationRequirementsToassistincommunicatingwiththeApplicantandconfirmingthattheApplicantisawareofandapprovesissuance,theCAMUSTverifyatelephonenumber,faxnumber,emailaddress,orpostaldeliveryaddressasaVerifiedMethodofCommunicationwiththeApplicant.

3.2.8.2. AcceptableMethodsofVerificationToverifyaVerifiedMethodofCommunicationwiththeApplicant,theCAMUST:

(A)VerifythattheVerifiedMethodofCommunicationbelongstotheApplicant,oraParent/SubsidiaryorAffiliateoftheApplicant,bymatchingitwithoneoftheApplicant'sParent/SubsidiaryorAffiliate'sPlacesofBusinessin:(i)recordsprovidedbytheapplicablephonecompany;(ii)aQGIS,QTIS,orQIIS;or(iii)aVerifiedProfessionalLetter;and

(B)ConfirmtheVerifiedMethodofCommunicationbyusingittoobtainanaffirmativeresponsesufficienttoenableareasonablepersontoconcludethattheApplicant,oraParent/SubsidiaryorAffiliateofApplicant,canbecontactedreliablybyusingtheVerifiedMethodofCommunication.

3.2.9. VerificationofApplicant’sOperationalExistence3.2.9.1. VerificationRequirementsTheCAMUSTverifythattheApplicanthastheabilitytoengageinbusinessbyverifyingtheApplicant's,orAffiliate/Parent/SubsidiaryCompany's,operationalexistence.TheCAMAYrelyonitsverificationofaGovernmentEntity’slegalexistenceunderSection3.3asverificationofaGovernmentEntity’soperationalexistence.


3.2.9.2. AcceptableMethodsofVerificationToverifytheApplicant’sabilitytoengageinbusiness,theCAMUSTverifytheoperationalexistenceoftheApplicant,oritsAffiliate/Parent/SubsidiaryCompany,by:(1) VerifyingthattheApplicant,Affiliate,ParentCompany,orSubsidiaryCompanyhasbeeninexistencefor

atleastthreeyears,asindicatedbytherecordsofanIncorporatingAgencyorRegistrationAgency;(2) VerifyingthattheApplicant,Affiliate,ParentCompany,orSubsidiaryCompanyislistedineitheracurrent

QIISorQTIS;(3) VerifyingthattheApplicant,Affiliate,ParentCompany,orSubsidiaryCompanyhasanactivecurrent

DemandDepositAccountwithaRegulatedFinancialInstitutionbyreceivingauthenticateddocumentationoftheApplicant's,Affiliate's,ParentCompany's,orSubsidiaryCompany'sDemandDepositAccountdirectlyfromaRegulatedFinancialInstitution;or

(4) RelyingonaVerifiedProfessionalLettertotheeffectthattheApplicanthasanactivecurrentDemandDepositAccountwithaRegulatedFinancialInstitution.

3.2.10. VerificationofIdentityandAuthorityofContractSignerandCertificateApprover

3.2.10.1. VerificationRequirementsForboththeContractSignerandtheCertificateApprover,theCAMUSTverifythefollowing.(1) Name,TitleandAgency:TheCAMUSTverifythenameandtitleoftheContractSignerandthe

CertificateApprover,asapplicable.TheCAMUSTalsoverifythattheContractSignerandtheCertificateApproverareagentsrepresentingtheApplicant.

(2) SigningAuthorityofContractSigner:TheCAMUSTverifythattheContractSignerisauthorizedbytheApplicanttoenterintotheSubscriberAgreement(andanyotherrelevantcontractualobligations)onbehalfoftheApplicant,includingacontractthatdesignatesoneormoreCertificateApproversonbehalfoftheApplicant.

(3) VMCAuthorityofCertificateApprover:TheCAMUSTverify,throughasourceotherthantheCertificateApproverhim-orherself,thattheCertificateApproverisexpresslyauthorizedbytheApplicanttodothefollowing,asofthedateoftheVerifiedMarkCertificateRequest:(A) Submit,and,ifapplicable,authorizeaCertificateRequestertosubmit,theVerifiedMarkCertificate

RequestonbehalfoftheApplicant;and(B) Provide,and,ifapplicable,authorizeaCertificateRequestertoprovide,theinformationrequested

fromtheApplicantbytheCAforissuanceoftheVerifiedMarkCertificate;and(C) ApproveVerifiedMarkCertificateRequestssubmittedbyaCertificateRequester.

(4)F2FVerificationProcedure:TheCAmustconductaF2FVerificationProcedureoftheContractSignerorCertificateApproverfortheApplicantfollowingtheverificationstepsdescribedinAppendixG,Section1orSection2.IftheNotarizationprocessofSection1isused,theCAmustverifythatthevalidatorisalegally-qualifiedNotary(orlegalequivalentintheContractSignerorCertificateApprover’sjurisdiction),LatinNotary,lawyer,orsolicitor(collectively,“Notary”)inthejurisdictionwheretheContractSignerorCertificateApproverisverified.

3.2.10.2. AcceptableMethodsofVerification–Name,TitleandAgencyAcceptablemethodsofverificationofthename,title,andagencystatusoftheContractSignerandtheCertificateApproverincludethefollowing.(1) NameandTitle:TheCAMAYverifythenameandtitleoftheContractSignerandtheCertificate

Approverbyanyappropriatemethoddesignedtoprovidereasonableassurancethatapersonclaimingtoactinsucharoleisinfactthenamedpersondesignatedtoactinsuchrole.

(2) Agency:TheCAMAYverifytheagencyoftheContractSignerandtheCertificateApproverby:(A) ContactingtheApplicantusingaVerifiedMethodofCommunicationfortheApplicant,andobtaining

confirmationthattheContractSignerand/ortheCertificateApprover,asapplicable,isanemployee;(B) ObtaininganIndependentConfirmationFromtheApplicant(asdescribedinSection3.2.13.4),oraVerifiedProfessionalLetterverifyingthattheContractSignerand/ortheCertificate


Approver,asapplicable,iseitheranemployeeorhasotherwisebeenappointedasanagentoftheApplicant;or

(C)ObtainingconfirmationfromaQIISorQGISthattheContractSignerand/orCertificateApproverisanemployeeoftheApplicant.

TheCAMAYalsoverifytheagencyoftheCertificateApproverviaacertificationfromtheContractSigner(includinginacontractbetweentheCAandtheApplicantsignedbytheContractSigner),providedthattheemploymentoragencystatusandSigningAuthorityoftheContractSignerhasbeenverified.

3.2.10.3. AcceptableMethodsofVerification–AuthorityAcceptablemethodsofverificationoftheSigningAuthorityoftheContractSigner,andtheVMCAuthorityoftheCertificateApprover,asapplicable,include:(1) CorporateResolution:TheSigningAuthorityoftheContractSigner,and/ortheVMCAuthorityofthe

CertificateApprover,MAYbeverifiedbyrelianceonaproperlyauthenticatedcorporateresolutionthatconfirmsthatthepersonhasbeengrantedsuchSigningAuthority,providedthatsuchresolutionis(i)certifiedbytheappropriatecorporateofficer(e.g.,secretary),and(ii)theCAcanreliablyverifythatthecertificationwasvalidlysignedbysuchperson,andthatsuchpersondoeshavetherequisiteauthoritytoprovidesuchcertification;

(2) IndependentConfirmationfromApplicant:TheSigningAuthorityoftheContractSigner,and/ortheVMCAuthorityoftheCertificateApprover,MAYbeverifiedbyobtaininganIndependentConfirmationfromtheApplicant(asdescribedinSection3.2.13.1);

(3) ContractbetweenCAandApplicant:TheVMCAuthorityoftheCertificateApproverMAYbeverifiedbyrelianceonacontractbetweentheCAandtheApplicantthatdesignatestheCertificateApproverwithsuchVMCAuthority,providedthatthecontractissignedbytheContractSignerandprovidedthattheagencyandSigningAuthorityoftheContractSignerhavebeenverified;

(5) PriorEquivalentAuthority:ThesigningauthorityoftheContractSigner,and/ortheVMCAuthorityoftheCertificateApprover,MAYbeverifiedbyrelyingonademonstrationofPriorEquivalentAuthority.(A) PriorEquivalentAuthorityofaContractSignerMAYberelieduponforconfirmationorverificationof

thesigningauthorityoftheContractSignerwhentheContractSignerhasexecutedabindingcontractbetweentheCAandtheApplicantwithalegallyvalidandenforceablesealorhandwrittensignatureandonlywhenthecontractwasexecutedmorethan90dayspriortotheVerifiedMarkCertificateapplication.TheCAMUSTrecordsufficientdetailsofthepreviousagreementtocorrectlyidentifyitandassociateitwiththeVerifiedMarkapplication.SuchdetailsMAYincludeanyofthefollowing:(i) Agreementtitle,(ii) DateofContractSigner’ssignature,(iii)Contractreferencenumber,and(iv)Filinglocation.

(B) PriorEquivalentAuthorityofaCertificateApproverMAYberelieduponforconfirmationorverificationoftheVMCAuthorityoftheCertificateApproverwhentheCertificateApproverhasperformedoneormoreofthefollowing:(i) UndercontracttotheCA,hasserved(orisserving)asanEnterpriseRAfortheApplicant,or(ii) Hasparticipatedintheapprovalofoneormorecertificaterequests,forcertificatesissuedbythe

CAandwhicharecurrentlyandverifiablyinusebytheApplicant.InthiscasetheCAMUSThavecontactedtheCertificateApproverbyphoneatapreviouslyvalidatedphonenumberorhaveacceptedasignedandnotarizedletterapprovingthecertificaterequest.

(6)QIISorQGIS:TheSigningAuthorityoftheContractSigner,and/ortheVMCAuthorityoftheCertificateApprover,MAYbeverifiedbyaQIISorQGISthatidentifiestheContractSignerand/ortheCertificateApproverasacorporateofficer,soleproprietor,orotherseniorofficialoftheApplicant.

(7)ContractSigner’sRepresentation/Warranty:ProvidedthattheCAverifiesthattheContractSignerisanemployeeoragentoftheApplicant,theCAMAYrelyonthesigningauthorityoftheContractSignerbyobtainingadulyexecutedrepresentationorwarrantyfromtheContractSignerthatincludesthefollowingacknowledgments:(A)ThattheApplicantauthorizestheContractSignertosigntheSubscriberAgreementonthe

Applicant'sbehalf,(B)ThattheSubscriberAgreementisalegallyvalidandenforceableagreement,


(C)That,uponexecutionoftheSubscriberAgreement,theApplicantwillbeboundbyallofitstermsandconditions,

(D)ThatseriousconsequencesattachtothemisuseofanVerifiedMarkcertificate,and(E)Thecontractsignerhastheauthoritytoobtainthedigitalequivalentofacorporateseal,stampor

officer'ssignaturetoestablishtheauthenticityofthecompany'sWebsite.

3.2.10.4. Pre-AuthorizedCertificateApproverWheretheCAandApplicantcontemplatethesubmissionofmultiplefutureVerifiedMarkCertificateRequests,then,aftertheCA:

• HasverifiedthenameandtitleoftheContractSignerandthathe/sheisanemployeeoragentoftheApplicant;and

• HasverifiedtheSigningAuthorityofsuchContractSignerinaccordancewithoneoftheproceduresinSection3.2.10.

TheCAandtheApplicantMAYenterintoawrittenagreement,signedbytheContractSigneronbehalfoftheApplicant,whereby,foraspecifiedterm,theApplicantexpresslyauthorizesoneormoreCertificateApprover(s)designatedinsuchagreementtoexerciseVMCAuthoritywithrespecttoeachfutureVerifiedMarkCertificateRequestsubmittedonbehalfoftheApplicantandproperlyauthenticatedasoriginatingwith,orotherwisebeingapprovedby,suchCertificateApprover(s).SuchanagreementMUSTprovidethattheApplicantSHALLbeobligatedundertheSubscriberAgreementforallVerifiedMarkCertificatesissuedattherequestof,orapprovedby,suchCertificateApprover(s)untilsuchVMCAuthorityisrevoked,andMUSTincludemutuallyagreed-uponprovisionsfor(i)authenticatingtheCertificateApproverwhenVerifiedMarkCertificateRequestsareapproved,(ii)periodicre-confirmationoftheVMCAuthorityoftheCertificateApprover,(iii)secureproceduresbywhichtheApplicantcannotifytheCAthattheVMCAuthorityofanysuchCertificateApproverisrevoked,and(iv)suchotherappropriateprecautionsasarereasonablynecessary.

3.2.11. VerificationofSignatureonSubscriberAgreementandVerifiedMarkCertificateRequests

BoththeSubscriberAgreementandeachnon-pre-authorizedVerifiedMarkCertificateRequestMUSTbesigned.TheSubscriberAgreementMUSTbesignedbyanauthorizedContractSigner.TheVerifiedMarkCertificateRequestMUSTbesignedbytheCertificateRequestersubmittingthedocument,unlesstheCertificateRequesthasbeenpre-authorizedinlinewithSection3.2.10.4oftheseRequirements.IftheCertificateRequesterisnotalsoanauthorizedCertificateApprover,thenanauthorizedCertificateApproverMUSTindependentlyapprovetheVerifiedMarkCertificateRequest.Inallcases,applicablesignaturesMUSTbealegallyvalidandcontainanenforceablesealorhandwrittensignature(forapaperSubscriberAgreementand/orVerifiedMarkCertificateRequest),oralegallyvalidandenforceableelectronicsignature(foranelectronicSubscriberAgreementand/orVerifiedMarkCertificateRequest),thatbindstheApplicanttothetermsofeachrespectivedocument.

3.2.11.1. VerificationRequirements(1) Signature:TheCAMUSTauthenticatethesignatureoftheContractSignerontheSubscriberAgreement

andthesignatureoftheCertificateRequesteroneachVerifiedMarkCertificateRequestinamannerthatmakesitreasonablycertainthatthepersonnamedasthesignerintheapplicabledocumentis,infact,thepersonwhosignedthedocumentonbehalfoftheApplicant.

(2) ApprovalAlternative:IncaseswhereanVerifiedMarkCertificateRequestissignedandsubmittedbyaCertificateRequesterwhodoesnotalsofunctionasaCertificateApprover,approvalandadoptionoftheVerifiedMarkCertificateRequestbyaCertificateApproverinaccordancewiththerequirementsofSection3.2.12cansubstituteforauthenticationofthesignatureoftheCertificateRequesteronsuchVerifiedMarkCertificateRequest.

3.2.11.2. AcceptableMethodsofSignatureVerificationAcceptablemethodsofauthenticatingthesignatureoftheCertificateRequesterorContractSignerincludethefollowing:(1) ContactingtheApplicantusingaVerifiedMethodofCommunicationfortheApplicant,fortheattentionof

theCertificateRequesterorContractSigner,asapplicable,followedbyaresponsefromsomeonewho


identifiesthemselvesassuchpersonconfirmingthathe/shedidsigntheapplicabledocumentonbehalfoftheApplicant;

(2) AlettermailedtotheApplicant’sorAgent’saddress,asverifiedthroughindependentmeansinaccordancewiththeseRequirements,fortheattentionoftheCertificateRequesterorContractSigner,asapplicable,followedbyaresponsethroughaVerifiedMethodofCommunicationfromsomeonewhoidentifiesthemselvesassuchpersonconfirmingthathe/shedidsigntheapplicabledocumentonbehalfoftheApplicant;

(3) Useofasignatureprocessthatestablishesthenameandtitleofthesignerinasecuremanner,suchasthroughuseofanappropriatelysecureloginprocessthatidentifiesthesignerbeforesigning,orthroughuseofadigitalsignaturemadewithreferencetoanappropriatelyverifiedcertificate;or

(4) Notarizationbyanotary,providedthattheCAindependentlyverifiesthatsuchnotaryisalegallyqualifiednotaryinthejurisdictionoftheCertificateRequesterorContractSigner.

3.2.12. VerificationofApprovalofVerifiedMarkCertificateRequest3.2.12.1. VerificationRequirementsIncaseswhereanVerifiedMarkCertificateRequestissubmittedbyaCertificateRequester,beforetheCAissuestherequestedVerifiedMarkCertificate,theCAMUSTverifythatanauthorizedCertificateApproverreviewedandapprovedtheVerifiedMarkCertificateRequest.

3.2.12.2. AcceptableMethodsofVerificationAcceptablemethodsofverifyingtheCertificateApprover’sapprovalofaVerifiedMarkCertificateRequestinclude:(1) ContactingtheCertificateApproverusingaVerifiedMethodofCommunicationfortheApplicantand

obtainingoralorwrittenconfirmationthattheCertificateApproverhasreviewedandapprovedtheVerifiedMarkCertificateRequest;

(2) NotifyingtheCertificateApproverthatoneormorenewVerifiedMarkCertificateRequestsareavailableforreviewandapprovalatadesignatedaccess-controlledandsecureWebsite,followedbyaloginby,andanindicationofapprovalfrom,theCertificateApproverinthemannerrequiredbytheWebsite;or

(3) VerifyingthesignatureoftheCertificateApproverontheVerifiedMarkCertificateRequestinaccordancewithSection3.2.11oftheseRequirements.

3.2.13. VerificationofCertainInformationSources3.2.13.1. VerifiedLegalOpinion(1) VerificationRequirements:BeforerelyingonalegalopinionsubmittedtotheCA,theCAMUSTverify

thatsuchlegalopinionmeetsthefollowingrequirements:(A) StatusofAuthor:TheCAMUSTverifythatthelegalopinionisauthoredbyanindependentlegal

practitionerretainedbyandrepresentingtheApplicant(oranin-houselegalpractitioneremployedbytheApplicant)(LegalPractitioner)whoiseither:(i) Alawyer(orsolicitor,barrister,advocate,orequivalent)licensedtopracticelawinthecountry

oftheApplicant’sJurisdictionofIncorporationorRegistrationoranyjurisdictionwheretheApplicantmaintainsanofficeorphysicalfacility,or

(ii) ALatinNotarywhoiscurrentlycommissionedorlicensedtopracticeinthecountryoftheApplicant’sJurisdictionofIncorporationorRegistrationoranyjurisdictionwheretheApplicantmaintainsanofficeorphysicalfacility(andthatsuchjurisdictionrecognizestheroleoftheLatinNotary);

(B) BasisofOpinion:TheCAMUSTverifythattheLegalPractitionerisactingonbehalfoftheApplicantandthattheconclusionsoftheVerifiedLegalOpinionarebasedontheLegalPractitioner’sstatedfamiliaritywiththerelevantfactsandtheexerciseoftheLegalPractitioner’sprofessionaljudgmentandexpertise;

(C) Authenticity:TheCAMUSTconfirmtheauthenticityoftheVerifiedLegalOpinion.(2) AcceptableMethodsofVerification:Acceptablemethodsofestablishingtheforegoingrequirements

foraVerifiedLegalOpinionare:


(A) StatusofAuthor:TheCAMUSTverifytheprofessionalstatusoftheauthorofthelegalopinionbydirectlycontactingtheauthorityresponsibleforregisteringorlicensingsuchLegalPractitioner(s)intheapplicablejurisdiction;

(B) BasisofOpinion:ThetextofthelegalopinionMUSTmakeitclearthattheLegalPractitionerisactingonbehalfoftheApplicantandthattheconclusionsofthelegalopinionarebasedontheLegalPractitioner’sstatedfamiliaritywiththerelevantfactsandtheexerciseofthepractitioner’sprofessionaljudgmentandexpertise.ThelegalopinionMAYalsoincludedisclaimersandotherlimitationscustomaryintheLegalPractitioner’sjurisdiction,providedthatthescopeofthedisclaimedresponsibilityisnotsogreatastoeliminateanysubstantialrisk(financial,professional,and/orreputational)totheLegalPractitioner,shouldthelegalopinionprovetobeerroneous;

(C) Authenticity:Toconfirmtheauthenticityofthelegalopinion,theCAMUSTmakeatelephonecallorsendacopyofthelegalopinionbacktotheLegalPractitionerattheaddress,phonenumber,facsimile,or(ifavailable)e-mailaddressfortheLegalPractitionerlistedwiththeauthorityresponsibleforregisteringorlicensingsuchLegalPractitioner,andobtainconfirmationfromtheLegalPractitionerortheLegalPractitioner’sassistantthatthelegalopinionisauthentic.Ifaphonenumberisnotavailablefromthelicensingauthority,theCAMAYusethenumberlistedfortheLegalPractitionerinrecordsprovidedbytheapplicablephonecompany,QGIS,orQIIS.Incircumstanceswheretheopinionisdigitallysigned,inamannerthatconfirmstheauthenticityofthedocumentandtheidentityofthesigner,asverifiedbytheCAinSection3.2.13.1(2)(A),nofurtherverificationofauthenticityisrequired.

3.2.13.2. VerifiedAccountantLetter(1) VerificationRequirements:BeforerelyingonanaccountantlettersubmittedtotheCA,theCAMUST

verifythatsuchaccountantlettermeetsthefollowingrequirements:(A)StatusofAuthor:TheCAMUSTverifythattheaccountantletterisauthoredbyanAccounting

PractitionerretainedoremployedbytheApplicantandlicensedwithinthecountryoftheApplicant’sJurisdictionofIncorporation,JurisdictionofRegistration,orcountrywheretheApplicantmaintainsanofficeorphysicalfacility.VerificationoflicenseMUSTbethroughthememberorganizationorregulatoryorganizationintheAccountingPractitioner’scountryorjurisdictionthatisappropriatetocontactwhenverifyinganaccountant’slicensetopracticeinthatcountryorjurisdiction.SuchcountryorjurisdictionmusthaveanaccountingstandardsbodythatmaintainsfullmembershipstatuswiththeInternationalFederationofAccountants.

(B)BasisofOpinion:TheCAMUSTverifythattheAccountingPractitionerisactingonbehalfoftheApplicantandthattheconclusionsoftheVerifiedAccountantLetterarebasedontheAccountingPractitioner’sstatedfamiliaritywiththerelevantfactsandtheexerciseoftheAccountingPractitioner’sprofessionaljudgmentandexpertise;

(C) Authenticity:TheCAMUSTconfirmtheauthenticityoftheVerifiedAccountantLetter.(2) AcceptableMethodsofVerification:Acceptablemethodsofestablishingtheforegoingrequirements

foraVerifiedAccountantLetterarelistedhere.(A) StatusofAuthor:TheCAMUSTverifytheprofessionalstatusoftheauthoroftheaccountantletter

bydirectlycontactingtheauthorityresponsibleforregisteringorlicensingsuchAccountingPractitionersintheapplicablejurisdiction.

(B) BasisofOpinion:ThetextoftheVerifiedAccountantLetterMUSTmakeclearthattheAccountingPractitionerisactingonbehalfoftheApplicantandthattheinformationintheletterisbasedontheAccountingPractitioner’sstatedfamiliaritywiththerelevantfactsandtheexerciseofthepractitioner’sprofessionaljudgmentandexpertise.TheVerifiedAccountantLetterMAYalsoincludedisclaimersandotherlimitationscustomaryintheAccountingPractitioner’sjurisdiction,providedthatthescopeofthedisclaimedresponsibilityisnotsogreatastoeliminateanysubstantialrisk(financial,professional,and/orreputational)totheAccountingPractitioner,shouldtheVerifiedAccountantLetterprovetobeerroneous.

(C) Authenticity:Toconfirmtheauthenticityoftheaccountant’sopinion,theCAMUSTmakeatelephonecallorsendacopyoftheVerifiedAccountantLetterbacktotheAccountingPractitionerattheaddress,phonenumber,facsimile,or(ifavailable)e-mailaddressfortheAccountingPractitionerlistedwiththeauthorityresponsibleforregisteringorlicensingsuchAccountingPractitionersandobtainconfirmationfromtheAccountingPractitionerortheAccountingPractitioner’sassistantthat


theaccountantletterisauthentic.Ifaphonenumberisnotavailablefromthelicensingauthority,theCAMAYusethenumberlistedfortheAccountantinrecordsprovidedbytheapplicablephonecompany,QGIS,orQIIS.Incircumstanceswheretheopinionisdigitallysigned,inamannerthatconfirmstheauthenticityofthedocumentandtheidentityofthesigner,asverifiedbytheCAinSection3.2.13.2(2)(A),nofurtherverificationofauthenticityisrequired.

3.2.13.3. Face-to-FaceValidationusingtheNotarizationprocess(1) VerificationRequirements:BeforerelyingonF2FVerificationProceduredocumentsusingthe

NotarizationprocessunderAppendixG,Section1thataresubmittedtotheCA,theCAMUSTverifythattheThird-PartyValidatormeetsthefollowingrequirements:(A)QualificationofThird-PartyValidator:TheCAMUSTindependentlyverifythattheThird-Party

Validatorisalegally-qualifiedLatinNotaryorNotary(orlegalequivalentintheApplicant’sjurisdiction),Lawyer,orAccountantinthejurisdictionoftheindividual’sresidency;

(B)DocumentChainofCustody:TheCAMUSTverifythattheThird-PartyValidatorviewedtheVettingDocumentsinaface-to-facemeetingwiththeindividualbeingvalidated;

(C) VerificationofAttestation:IftheThird-PartyValidatorisnotaLatinNotary,thentheCAMUSTconfirmtheauthenticityoftheattestationandvettingdocuments.

(2) AcceptableMethodsofVerification:Acceptablemethodsofestablishingtheforegoingrequirementsforvettingdocumentsare:(A)QualificationofThird-PartyValidator:TheCAMUSTverifytheprofessionalstatusoftheThird-

PartyValidatorbydirectlycontactingtheauthorityresponsibleforregisteringorlicensingsuchThird-PartyValidatorsintheapplicablejurisdiction;

(B)DocumentChainofCustody:TheThird-PartyValidatorMUSTsubmitastatementtotheCAwhichatteststhattheyobtainedtheVettingDocumentssubmittedtotheCAfortheindividualduringaface-to-facemeetingwiththeindividual;

(C) VerificationofAttestation:IftheThird-PartyValidatorisnotaLatinNotary,thentheCAMUSTconfirmtheauthenticityofthevettingdocumentsreceivedfromtheThird-PartyValidator.TheCAMUSTmakeatelephonecalltotheThird-PartyValidatorandobtainconfirmationfromthemortheirassistantthattheyperformedtheface-to-facevalidation.TheCAMAYrelyuponself-reportedinformationobtainedfromtheThird-PartyValidatorforthesolepurposeofperformingthisverificationprocess.Incircumstanceswheretheattestationisdigitallysigned,inamannerthatconfirmstheauthenticityofthedocuments,andtheidentityofthesignerasverifiedbytheCAinSection3.2.13.1(1)(A),nofurtherverificationofauthenticityisrequired.

3.2.13.4. IndependentConfirmationFromApplicantAnIndependentConfirmationfromtheApplicantisaconfirmationofaparticularfact(e.g.,confirmationoftheemployeeoragencystatusofaContractSignerorCertificateApprover,confirmationoftheVMCAuthorityofaCertificateApprover,etc.)thatis:

(A) ReceivedbytheCAfromaConfirmingPerson(someoneotherthanthepersonwhoisthesubjectoftheinquiry)thathastheappropriateauthoritytoconfirmsuchafact,andwhorepresentsthathe/shehasconfirmedsuchfact;

(B) ReceivedbytheCAinamannerthatauthenticatesandverifiesthesourceoftheconfirmation;and(C) BindingontheApplicant.

AnIndependentConfirmationfromtheApplicantMAYbeobtainedviathefollowingprocedure:(1) ConfirmationRequest:TheCAMUSTinitiateaConfirmationRequestviaanappropriateout-of-band

communication,requestingverificationorconfirmationoftheparticularfactatissueasfollows:(A)Addressee:TheConfirmationRequestMUSTbedirectedto:

(i) ApositionwithintheApplicant’sorganizationthatqualifiesasaConfirmingPerson(e.g.,Secretary,President,CEO,CFO,COO,CIO,CSO,Director,etc.)andisidentifiedbynameandtitleinacurrentQGIS,QIIS,QTIS,VerifiedLegalOpinion,VerifiedAccountantLetter,orbycontactingtheApplicantusingaVerifiedMethodofCommunication;or

(ii) TheApplicant’sRegisteredAgentorRegisteredOfficeintheJurisdictionofIncorporationaslistedintheofficialrecordsoftheIncorporatingAgency,withinstructionsthatitbeforwardedtoanappropriateConfirmingPerson;or


(iii)AnamedindividualverifiedtobeinthedirectlineofmanagementabovetheContractSignerorCertificateApproverbycontactingtheApplicant’sHumanResourcesDepartmentbyphoneormail(atthephonenumberoraddressfortheApplicant’sPlaceofBusiness,verifiedinaccordancewiththeseRequirements).

(B)MeansofCommunication:TheConfirmationRequestMUSTbedirectedtotheConfirmingPersoninamannerreasonablylikelytoreachsuchperson.Thefollowingoptionsareacceptable:(i) BypapermailaddressedtotheConfirmingPersonat:

(1) TheaddressoftheApplicant’sPlaceofBusinessasverifiedbytheCAinaccordancewiththeseRequirements,or

(2) ThebusinessaddressforsuchConfirmingPersonspecifiedinacurrentQGIS,QTIS,QIIS,VerifiedProfessionalLetter,or

(3) TheaddressoftheApplicant’sRegisteredAgentorRegisteredOfficelistedintheofficialrecordsoftheJurisdictionofIncorporation,or

(ii) Bye-mailaddressedtotheConfirmingPersonatthebusinesse-mailaddressforsuchpersonlistedinacurrentQGIS,QTIS,orQIIS,VerifiedLegalOpinion,orVerifiedAccountantLetter;or

(iii)BytelephonecalltotheConfirmingPerson,wheresuchpersoniscontactedbycallingthemainphonenumberoftheApplicant’sPlaceofBusiness(verifiedinaccordancewiththeseRequirements)andaskingtospeaktosuchperson,andapersontakingthecallidentifieshim-orherselfassuchperson;or

(iv)ByfacsimiletotheConfirmingPersonatthePlaceofBusiness.ThefacsimilenumbermustbelistedinacurrentQGIS,QTIS,orQIIS,VerifiedLegalOpinion,orVerifiedAccountantLetter.ThecoverpagemustbeclearlyaddressedtotheConfirmingPerson.

(2) ConfirmationResponse:TheCAMUSTreceivearesponsetotheConfirmationRequestfromaConfirmingPersonthatconfirmstheparticularfactatissue.SuchresponseMAYbeprovidedtotheCAbytelephone,bye-mail,orbypapermail,solongastheCAcanreliablyverifythatitwasprovidedbyaConfirmingPersoninresponsetotheConfirmationRequest.

(3)TheCAMAYrelyonaverifiedConfirmingPersontoconfirmtheirowncontactinformation:emailaddress,telephonenumber,andfacsimilenumber.TheCAMAYrelyonthisverifiedcontactinformationforfuturecorrespondencewiththeConfirmingPersonif:(A)Thedomainofthee-mailaddressisownedbytheApplicantandistheConfirmingPerson’sowne-

mailaddressandnotagroupe-mailalias;(B)TheConfirmingPerson’stelephone/faxnumberisverifiedbytheCAtobeatelephonenumberthatis

partoftheorganization’stelephonesystem,andisnotthepersonalphonenumberfortheperson.

3.2.13.5. QualifiedIndependentInformationSourceAQualifiedIndependentInformationSource(QIIS)isaregularly-updatedandpubliclyavailabledatabasethatisgenerallyrecognizedasadependablesourceforcertaininformation.AdatabasequalifiesasaQIISiftheCAdeterminesthat:(1) Industriesotherthanthecertificateindustryrelyonthedatabaseforaccuratelocation,contact,orother

information;and(2) Thedatabaseproviderupdatesitsdataonatleastanannualbasis.TheCASHALLuseadocumentedprocesstochecktheaccuracyofthedatabaseandensureitsdataisacceptable,includingreviewingthedatabaseprovider’stermsofuse.TheCASHALLNOTuseanydatainaQIISthattheCAknowsis(i)self-reportedand(ii)notverifiedbytheQIISasaccurate.DatabasesinwhichtheCAoritsownersoraffiliatedcompaniesmaintainacontrollinginterest,orinwhichanyRegistrationAuthoritiesorsubcontractorstowhomtheCAhasoutsourcedanyportionofthevettingprocess(ortheirownersoraffiliatedcompanies)maintainanyownershiporbeneficialinterest,donotqualifyasaQIIS.

3.2.13.6. QualifiedGovernmentInformationSourceAQualifiedGovernmentInformationSource(QGIS)isaregularly-updatedandcurrent,publiclyavailable,databasedesignedforthepurposeofaccuratelyprovidingtheinformationforwhichitisconsulted,andwhichisgenerallyrecognizedasadependablesourceofsuchinformationprovidedthatitismaintainedbyaGovernmentEntity,thereportingofdataisrequiredbylaw,andfalseormisleadingreportingispunishablewithcriminalorcivilpenalties.NothingintheseRequirementsSHALLprohibittheuseofthird-partyvendorstoobtaintheinformationfromtheGovernmentEntityprovidedthatthethirdpartyobtainstheinformationdirectlyfromtheGovernmentEntity.


3.2.13.7. QualifiedGovernmentTaxInformationSourceAQualifiedGovernmentTaxInformationSourceisaQualifiedGovernmentInformationSourcethatspecificallycontainstaxinformationrelatingtoPrivateOrganizations,BusinessEntitiesorIndividuals(e.g.,theIRSintheUnitedStates).

3.2.14. ValidationofDomainAuthorizationorControlThissectiondefinesthepermittedprocessesandproceduresforvalidatingtheApplicant'sownershiporcontrolofthedomain.TheCASHALLconfirmthatpriortoissuance,theCAhasvalidatedeachFully-QualifiedDomainName(FQDN)listedintheCertificateusingatleastoneofthemethodslistedbelow.CompletedvalidationsofApplicantauthoritymaybevalidfortheissuanceofmultipleCertificatesovertime.Inallcases,thevalidationmusthavebeeninitiatedwithinthetimeperiodspecifiedintherelevantrequirement(suchasSection4.2.1ofthisdocument)priortoCertificateissuance.Forpurposesofdomainvalidation,thetermApplicantincludestheApplicant'sParentCompany,SubsidiaryCompany,orAffiliate.CAsSHALLmaintainarecordofwhichdomainvalidationmethod,includingrelevantVMCRequirementsversionnumber,theyusedtovalidateeverydomain.Note:FQDNsmaybelistedinSubscriberCertificatesusingdNSNamesinthesubjectAltNameextensionorinSubordinateCACertificatesviadNSNamesinpermittedSubtreeswithintheNameConstraintsextension.

3.2.14.1. ValidatingtheApplicantasaDomainContactThismethodhasbeenretiredandMUSTNOTbeused.PriorvalidationsusingthismethodandvalidationdatagatheredaccordingtothismethodSHALLNOTbeusedtoissuecertificates.

3.2.14.2. Email,Fax,SMS,orPostalMailtoDomainContactConfirmingtheApplicant'scontrolovertheFQDNbysendingaRandomValueviaemail,fax,SMS,orpostalmailandthenreceivingaconfirmingresponseutilizingtheRandomValue.TheRandomValueMUSTbesenttoanemailaddress,fax/SMSnumber,orpostalmailaddressidentifiedasaDomainContact.Eachemail,fax,SMS,orpostalmailMAYconfirmcontrolofmultipleAuthorizationDomainNames.TheCAMAYsendtheemail,fax,SMS,orpostalmailidentifiedunderthissectiontomorethanonerecipientprovidedthateveryrecipientisidentifiedbytheDomainNameRegistrarasrepresentingtheDomainNameRegistrantforeveryFQDNbeingverifiedusingtheemail,fax,SMS,orpostalmail.TheRandomValueSHALLbeuniqueineachemail,fax,SMS,orpostalmail.TheCAMAYresendtheemail,fax,SMS,orpostalmailinitsentirety,includingre-useoftheRandomValue,providedthatthecommunication'sentirecontentsandrecipient(s)remainunchanged.TheRandomValueSHALLremainvalidforuseinaconfirmingresponsefornomorethan30daysfromitscreation.TheCPSMAYspecifyashortervalidityperiodforRandomValues,inwhichcasetheCAMUSTfollowitsCPS.Note:OncetheFQDNhasbeenvalidatedusingthismethod,theCAMAYalsoissueCertificatesforotherFQDNsthatendwithallthelabelsofthevalidatedFQDN.

3.2.14.3. PhoneContactwithDomainContactThismethodhasbeenretiredandMUSTNOTbeused.PriorvalidationsusingthismethodandvalidationdatagatheredaccordingtothismethodSHALLNOTbeusedtoissuecertificates.

3.2.14.4. ConstructedEmailtoDomainContactConfirmtheApplicant'scontrolovertheFQDNby

1. sendinganemailtooneormoreaddressescreatedbyusing'admin','administrator','webmaster','hostmaster',or'postmaster'asthelocalpart,followedbytheat-sign("@"),followedbyanAuthorizationDomainName,

2. includingaRandomValueintheemail,and3. receivingaconfirmingresponseutilizingtheRandomValue.


EachemailMAYconfirmcontrolofmultipleFQDNs,providedtheAuthorizationDomainNameusedintheemailisanAuthorizationDomainNameforeachFQDNbeingconfirmed.TheRandomValueSHALLbeuniqueineachemail.TheemailMAYbere-sentinitsentirety,includingthere-useoftheRandomValue,providedthatitsentirecontentsandrecipientSHALLremainunchanged.TheRandomValueSHALLremainvalidforuseinaconfirmingresponsefornomorethan30daysfromitscreation.TheCPSMAYspecifyashortervalidityperiodforRandomValues.Note:OncetheFQDNhasbeenvalidatedusingthismethod,theCAMAYalsoissueCertificatesforotherFQDNsthatendwithallthelabelsofthevalidatedFQDN.

3.2.14.5. DomainAuthorizationDocumentThismethodhasbeenretiredandMUSTNOTbeused.PriorvalidationsusingthismethodandvalidationdatagatheredaccordingtothismethodSHALLNOTbeusedtoissuecertificates.

3.2.14.6. Agreed-UponChangetoWebsiteThismethodhasbeenretiredandMUSTNOTbeused.PriorvalidationsusingthismethodandvalidationdatagatheredaccordingtothismethodSHALLNOTbeusedtoissuecertificates.

3.2.14.7. DNSChangeConfirmingtheApplicant'scontrolovertheFQDNbyconfirmingthepresenceofaRandomValueorRequestTokenforeitherinaDNSCNAME,TXTorCAArecordforeither1)anAuthorizationDomainName;or2)anAuthorizationDomainNamethatisprefixedwithalabelthatbeginswithanunderscorecharacter.IfaRandomValueisused,theCASHALLprovideaRandomValueuniquetotheCertificaterequestandSHALLnotusetheRandomValueafter(i)30daysor(ii)iftheApplicantsubmittedtheCertificaterequest,thetimeframepermittedforreuseofvalidatedinformationrelevanttotheCertificate(suchasinSection4.2.1oftheseRequirements).Note:OncetheFQDNhasbeenvalidatedusingthismethod,theCAMAYalsoissueCertificatesforotherFQDNsthatendwithallthelabelsofthevalidatedFQDN.

3.2.14.8. IPAddressThismethodhasbeenretiredandMUSTNOTbeused.PriorvalidationsusingthismethodandvalidationdatagatheredaccordingtothismethodSHALLNOTbeusedtoissuecertificates.

3.2.14.9. TestCertificateThismethodhasbeenretiredandMUSTNOTbeused.PriorvalidationsusingthismethodandvalidationdatagatheredaccordingtothismethodSHALLNOTbeusedtoissuecertificates.

3.2.14.10. TLSUsingaRandomNumberThismethodhasbeenretiredandMUSTNOTbeused.PriorvalidationsusingthismethodandvalidationdatagatheredaccordingtothismethodSHALLNOTbeusedtoissuecertificates.

3.2.14.11. AnyOtherMethodThismethodhasbeenretiredandMUSTNOTbeused.

3.2.14.12. ValidatingApplicantasaDomainContactConfirmingtheApplicant'scontrolovertheFQDNbyvalidatingtheApplicantistheDomainContact.ThismethodmayonlybeusediftheCAisalsotheDomainNameRegistrar,oranAffiliateoftheRegistrar,oftheBaseDomainName.Note:OncetheFQDNhasbeenvalidatedusingthismethod,theCAMAYalsoissueCertificatesforotherFQDNsthatendwithallthelabelsofthevalidatedFQDN.


3.2.14.13. EmailtoDNSCAAContactConfirmingtheApplicant'scontrolovertheFQDNbysendingaRandomValueviaemailandthenreceivingaconfirmingresponseutilizingtheRandomValue.TheRandomValueMUSTbesenttoaDNSCAAEmailContact.TherelevantCAAResourceRecordSetMUSTbefoundusingthesearchalgorithmdefinedinRFC8659.EachemailMAYconfirmcontrolofmultipleFQDNs,providedthateachemailaddressisaDNSCAAEmailContactforeachAuthorizationDomainNamebeingvalidated.ThesameemailMAYbesenttomultiplerecipientsaslongasallrecipientsareDNSCAAEmailContactsforeachAuthorizationDomainNamebeingvalidated.TheRandomValueSHALLbeuniqueineachemail.TheemailMAYbere-sentinitsentirety,includingthere-useoftheRandomValue,providedthatitsentirecontentsandrecipient(s)SHALLremainunchanged.TheRandomValueSHALLremainvalidforuseinaconfirmingresponsefornomorethan30daysfromitscreation.TheCPSMAYspecifyashortervalidityperiodforRandomValues.Note:OncetheFQDNhasbeenvalidatedusingthismethod,theCAMAYalsoissueCertificatesforotherFQDNsthatendwithallthelabelsofthevalidatedFQDN.

3.2.14.14. EmailtoDNSTXTContactConfirmingtheApplicant'scontrolovertheFQDNbysendingaRandomValueviaemailandthenreceivingaconfirmingresponseutilizingtheRandomValue.TheRandomValueMUSTbesenttoaDNSTXTRecordEmailContactfortheAuthorizationDomainNameselectedtovalidatetheFQDN.EachemailMAYconfirmcontrolofmultipleFQDNs,providedthateachemailaddressisDNSTXTRecordEmailContactforeachAuthorizationDomainNamebeingvalidated.ThesameemailMAYbesenttomultiplerecipientsaslongasallrecipientsareDNSTXTRecordEmailContactsforeachAuthorizationDomainNamebeingvalidated.TheRandomValueSHALLbeuniqueineachemail.TheemailMAYbere-sentinitsentirety,includingthere-useoftheRandomValue,providedthatitsentirecontentsandrecipient(s)SHALLremainunchanged.TheRandomValueSHALLremainvalidforuseinaconfirmingresponsefornomorethan30daysfromitscreation.TheCPSMAYspecifyashortervalidityperiodforRandomValues.Note:OncetheFQDNhasbeenvalidatedusingthismethod,theCAMAYalsoissueCertificatesforotherFQDNsthatendwithallthelabelsofthevalidatedFQDN.

3.2.14.15. PhoneContactwithDomainContactConfirmtheApplicant'scontrolovertheFQDNbycallingtheDomainContact’sphonenumberandobtainaconfirmingresponsetovalidatetheADN.EachphonecallMAYconfirmcontrolofmultipleADNsprovidedthatthesameDomainContactphonenumberislistedforeachADNbeingverifiedandtheyprovideaconfirmingresponseforeachADN.IntheeventthatsomeoneotherthanaDomainContactisreached,theCAMAYrequesttobetransferredtotheDomainContact.Intheeventofreachingvoicemail,theCAmayleavetheRandomValueandtheADN(s)beingvalidated.TheRandomValueMUSTbereturnedtotheCAtoapprovetherequest.TheRandomValueSHALLremainvalidforuseinaconfirmingresponsefornomorethan30daysfromitscreation.TheCPSMAYspecifyashortervalidityperiodforRandomValues.Note:OncetheFQDNhasbeenvalidatedusingthismethod,theCAMAYalsoissueCertificatesforotherFQDNsthatendwithallthelabelsofthevalidatedFQDN.

3.2.14.16. PhoneContactwithDNSTXTRecordPhoneContactConfirmtheApplicant'scontrolovertheFQDNbycallingtheDNSTXTRecordPhoneContact’sphonenumberandobtainaconfirmingresponsetovalidatetheADN.EachphonecallMAYconfirmcontrolofmultipleADNsprovidedthatthesameDNSTXTRecordPhoneContactphonenumberislistedforeachADNbeingverifiedandtheyprovideaconfirmingresponseforeachADN.TheCAMAYNOTknowinglybetransferredorrequesttobetransferredasthisphonenumberhasbeenspecificallylistedforthepurposesofDomainValidation.


Intheeventofreachingvoicemail,theCAmayleavetheRandomValueandtheADN(s)beingvalidated.TheRandomValueMUSTbereturnedtotheCAtoapprovetherequest.TheRandomValueSHALLremainvalidforuseinaconfirmingresponsefornomorethan30daysfromitscreation.TheCPSMAYspecifyashortervalidityperiodforRandomValues.Note:OncetheFQDNhasbeenvalidatedusingthismethod,theCAMAYalsoissueCertificatesforotherFQDNsthatendwithallthelabelsofthevalidatedFQDN.

3.2.14.17. PhoneContactwithDNSCAAPhoneContactConfirmtheApplicant'scontrolovertheFQDNbycallingtheDNSCAAPhoneContact’sphonenumberandobtainaconfirmingresponsetovalidatetheADN.EachphonecallMAYconfirmcontrolofmultipleADNsprovidedthatthesameDNSCAAPhoneContactphonenumberislistedforeachADNbeingverifiedandtheyprovideaconfirmingresponseforeachADN.TherelevantCAAResourceRecordSetMUSTbefoundusingthesearchalgorithmdefinedinRFC8659.TheCAMUSTNOTbetransferredorrequesttobetransferredasthisphonenumberhasbeenspecificallylistedforthepurposesofDomainValidation.Intheeventofreachingvoicemail,theCAmayleavetheRandomValueandtheADN(s)beingvalidated.TheRandomValueMUSTbereturnedtotheCAtoapprovetherequest.TheRandomValueSHALLremainvalidforuseinaconfirmingresponsefornomorethan30daysfromitscreation.TheCPSMAYspecifyashortervalidityperiodforRandomValues.Note:OncetheFQDNhasbeenvalidatedusingthismethod,theCAMAYalsoissueCertificatesforotherFQDNsthatendwithallthelabelsofthevalidatedFQDN.

3.2.14.18. Agreed-UponChangetoWebsitev2ConfirmingtheApplicant'scontrolovertheFQDNbyverifyingthattheRequestTokenorRandomValueiscontainedinthecontentsofafile.

1. TheentireRequestTokenorRandomValueMUSTNOTappearintherequestusedtoretrievethefile,and

2. theCAMUSTreceiveasuccessfulHTTPresponsefromtherequest(meaninga2xxHTTPstatuscodemustbereceived).

ThefilecontainingtheRequestTokenorRandomNumber:1. MUSTbelocatedontheAuthorizationDomainName,and2. MUSTbelocatedunderthe"/.well-known/pki-validation"directory,and3. MUSTberetrievedviaeitherthe"http"or"https"scheme,and4. MUSTbeaccessedoveranAuthorizedPort.

IftheCAfollowsredirectsthefollowingapply:1. RedirectsMUSTbeinitiatedattheHTTPprotocollayer(e.g.usinga3xxstatuscode).2. RedirectsMUSTbetheresultofanHTTPstatuscoderesultwithinthe3xxRedirectionclassofstatus

codes,asdefinedinRFC7231,Section6.4.3. RedirectsMUSTbetoresourceURLswitheitherviathe"http"or"https"scheme.4. RedirectsMUSTbetoresourceURLsaccessedviaAuthorizedPorts.

IfaRandomValueisused,then:1. TheCAMUSTprovideaRandomValueuniquetothecertificaterequest.2. TheRandomValueMUSTremainvalidforuseinaconfirmingresponsefornomorethan30days

fromitscreation.TheCPSMAYspecifyashortervalidityperiodforRandomValues,inwhichcasetheCAMUSTfollowitsCPS.

Note:OncetheFQDNhasbeenvalidatedusingthismethod,theCAMAYalsoissueCertificatesforotherFQDNsthatendwithallthelabelsofthevalidatedFQDN.

3.2.14.19. Agreed-UponChangetoWebsite-ACMEConfirmingtheApplicant'scontroloveraFQDNbyvalidatingdomaincontroloftheFQDNusingtheACMEHTTPChallengemethoddefinedinsection8.3ofRFC8555.ThefollowingareadditiverequirementstoRFC8555.


TheCAMUSTreceiveasuccessfulHTTPresponsefromtherequest(meaninga2xxHTTPstatuscodemustbereceived).Thetoken(asdefinedinRFC8555,section8.3)MUSTNOTbeusedformorethan30daysfromitscreation.TheCPSMAYspecifyashortervalidityperiodforRandomValues,inwhichcasetheCAMUSTfollowitsCPS.IftheCAfollowsredirects:

1. RedirectsMUSTbeinitiatedattheHTTPprotocollayer(e.g.usinga3xxstatuscode).2. RedirectsMUSTbetheresultofanHTTPstatuscoderesultwithinthe3xxRedirectionclassofstatus

codes,asdefinedinRFC7231,Section6.4.3. RedirectsMUSTbetoresourceURLswitheitherviathe"http"or"https"scheme.4. RedirectsMUSTbetoresourceURLsaccessedviaAuthorizedPorts.

Note:OncetheFQDNhasbeenvalidatedusingthismethod,theCAMAYalsoissueCertificatesforotherFQDNsthatendwithallthelabelsofthevalidatedFQDN.

3.2.14.20. TLSUsingALPNConfirmingtheApplicant’scontroloveraFQDNbyvalidatingdomaincontroloftheFQDNbynegotiatinganewapplicationlayerprotocolusingtheTLSApplication-LayerProtocolNegotiation(ALPN)Extension[RFC7301]asdefinedinRFC8737.ThefollowingareadditiverequirementstoRFC8737.Thetoken(asdefinedinRFC8737,section3)MUSTNOTbeusedformorethan30daysfromitscreation.TheCPSMAYspecifyashortervalidityperiodforthetoken,inwhichcasetheCAMUSTfollowitsCPS.

3.2.15. CAARecordsforVerifiedMarkCertificates(1) Aspartoftheissuanceprocess,theCAMUSTcheckforCAArecordsandfollowtheprocessing

instructionsfound,foreachdNSNameinthesubjectAltNameextensionofthecertificatetobeissued,asspecifiedinSubsection(2).IftheCAissues,theyMUSTdosowithintheTTLoftheCAArecord,or8hours,whicheverisgreater.CAAcheckingisoptionalforVMCsissuedbeforeJanuary1,2021,butMUSTbedoneforVMCsissuedonorafterJanuary1,2022.ThisstipulationdoesnotpreventtheCAfromcheckingCAArecordsatanyothertime.RFC8659requiresthatCAs"MUSTNOTissueacertificateunlesseither(1)thecertificaterequestisconsistentwiththeapplicableCAAResourceRecordsetor(2)anexceptionspecifiedintherelevantCertificatePolicyorCertificationPracticesStatementapplies."ForissuancesconformingtotheseRequirements,CAsMUSTNOTrelyonanyexceptionsspecifiedintheirCPorCPSunlesstheyareoneofthefollowing:

• CAAcheckingisoptionalforcertificatesforwhichaCertificateTransparencypre-certificatewascreatedandloggedinatleastonepublicloglistedinAppendixF,andforwhichCAAwaschecked.

• CAAcheckingisoptionaliftheCAoranAffiliateoftheCAistheDNSOperator(asdefinedinRFC7719)ofthedomain'sDNS.

CAsarepermittedtotreatarecordlookupfailureaspermissiontoissueif:

• thefailureisoutsidetheCA'sinfrastructure;and• thelookuphasbeenretriedatleastonce;and• thedomain'szonedoesnothaveaDNSSECvalidationchaintotheICANNroot.

CAsMUSTdocumentpotentialissuancesthatwerepreventedbyaCAArecordandSHOULDdispatchreportsofsuchissuancerequeststothecontact(s)stipulatedintheCAAiodefrecord(s),Ifpresent.CAsarenotexpectedtosupportURLschemesintheiodefrecordotherthanmailto:orhttps:.

(2) PriortotheissuanceofVerifiedMarkCertificates,theCAMUSTcheckforthepublicationofaRelevantRRSetforeachFQDNtobeincludedinadNSNamewithintheVerifiedMarkCertificate’s


subjectAlternativeNameextension.TheRelevantRRSetforeachFQDNmustbedeterminedusingthealgorithmdefinedinsection3ofRFC8659.ForeachFQDN,ifaRelevantRRSetexists,theCAMUSTNOTissuetheCertificateunlesstheCAdeterminesthatthecertificaterequestisconsistentwiththeRelevantRRSet.IftheRelevantRRSetforanFQDNdoesnotcontainanyPropertyTagsthatrestrictissuanceofaVerifiedMarkCertificateanddoesnotcontainanyunrecognizedPropertyTagsthataremarkedcritical,thentheRelevantRRSetdoesnotrestrictissuanceofaVerifiedMarkCertificatecontainingthegivenFQDN.Inparticular,CAArecordswith“issue”and“issuewild”PropertyTagsdonotrestricttheissuanceofVerifiedMarkCertificates.IfaCAArecordwiththe“issuevmc”PropertyTagispresentintheRelevantRRsetforanFQDN,itisarequestthattheCA:

1. PerformCAAissuerestrictionprocessingfortheFQDN,and2. GrantauthorizationtoissueVerifiedMarkCertificatescontainingthatFQDNtotheholderoftheissuer-domain-nameorapartyactingundertheexplicitauthorityoftheholderoftheissuer-domain-name.

Thesub-syntaxofthe“issuevmc”PropertyTagvalueisthesameasthe“issue”PropertyTagasdefinedinsection4.2ofRFC8659.Thesemanticsofthe“issuevmc”PropertyTagaresimilartothe“issue”PropertyTag,withtheonlydifferencebeingthatthe“issuevmc”PropertyTagrestrictsissuanceofVerifiedMarkCertificatesasopposedtoTLSServerAuthenticationCertificates.

3.2.16. RegisteredMarkVerificationInadditiontotheidentityanddomainverificationrequiredbySection3.1,CAsissuingVerifiedMarkCertificatesSHALLperformverificationofthesubmittedRegisteredMarkasfollows:

3.2.16.1. RegisteredMarkVerification

3.2.16.1.1. VerificationofMarkwithTrademarkOfficeTheSubscriberwillprovidetheCAwith(a)theRegisteredMark’strademarkregistrationnumberandnameoftheTrademarkOfficethatgrantedthetrademarkregistration,and(b)theMarkRepresentationinSVGformatthattheApplicantwishestoincludeintheVerifiedMarkCertificate.RegisteredMarksmustbeingoodstandingandMUSTbeverifiedthroughconsultationwiththeofficialdatabaseoftheapplicableTrademarkOffice,tobeeligibleforinclusionwithinaVerifiedMarkCertificate.Inaddition,onlyRegisteredMarksareeligibleforinclusionwithinthelogotype(asdefinedinRFC3709).Forclarityandwithoutlimitation,unregisteredmarksarenoteligibleasalogotypeintheregisteredmarkprofile.Inthealternative,theCAmayverifytheRegisteredMarkthroughtheWIPOGlobalBrandDatabaseathttps://www3.wipo.int/branddb/en/TheCASHALLconfirmthattheMarkRepresentationsubmittedbytheSubjectorganizationmatchestheRegisteredMarkasitappearsintheofficialdatabaseoftheapplicableTrademarkOfficeortheWIPOGlobalBrandDatabase.IndeterminingwhethertheMarkRepresentationmatchestheRegisteredMark,theCASHALLmaintainarecordofitsdecisionsandreasonstherefor.TheCAmay,butisnotrequiredto,followtheguidelinesinAppendixEforcomparisonoftheRegisteredTrademarkwiththeMarkRepresentation.TheCASHALLalsoretainascreenshotorotherrecordoftheMarkRepresentationprovidedbytheApplicantandallinformationabouttheRegisteredMarkobtainedfromtheapplicableTrademarkOfficeaswellasallothersupportingdatathattheCAreliesuponinissuingtheVerifiedMarkCertificate.


3.2.16.1.2. VerificationofRegisteredMarkOwnershiporLicenseTheCASHALLconfirmthattheowneroftheRegisteredMarkidentifiedintheofficialdatabaseoftheapplicableTrademarkOfficeortheWIPOGlobalBrandDatabaseisthesameSubjectorganizationverifiedbytheVerifiedMarkvettingprocessunderSection3.2(ortoaParent,Subsidiary,orAffiliateoftheorganizationasconfirmedinaccordancewiththeVerifiedMarkRequirements),oriftheowneroftheRegisteredMarkisnotthesameorganization,thattheSubjectorganizationhasobtainedtherighttousetheRegisteredMarkthroughamutuallyagreed-uponlicensefromtheentitywhoistheownerofrecordoftheRegisteredMark(oraParent,Subsidiary,orAffiliateoftheowner).IftheownerofaRegisteredMarkisnottheApplicant,theApplicantmayonlyusetheRegisteredMarkiftheCAobtainsanauthorizationletterfromtheownerofrecordoftheRegisteredMark.IndeterminingwhethertheApplicantistheowneroralicenseeoftheRegisteredMarkcorrespondingtotheMarkRepresentation,theCASHALLmaintainarecordofitsdecisionsandreasonsthereforintheCA’srecordsrequiredinsection3.2.1.

3.2.16.1.3. ColorRestrictionsMarkRepresentationsinVerifiedMarkCertificatesforCombinedMarksandDesignMarksSHALLonlybeincolorsaspermittedfortheRegisteredMarkbytheapplicableTrademarkOffice.TheCASHALLexaminetheRegisteredMarktodeterminewhatrights,ifany,theSubjectorganizationhastouseoftheRegisteredMarkinthecolorsoftheMarkRepresentationsubmittedbytheSubscriber.IndeterminingwhetherthecolorsintheMarkRepresentationsubmittedbytheSubscribermatchthecolorspermittedbytheRegisteredMarkregistration,theCASHALLmaintainarecordofitsdecisionandreasonsthereforintheCA’srecordsrequiredinsection3.2.1.

3.2.16.2. GovernmentMarkVerificationVMCsmaybeissuedtoGovernmentEntitiesforGovernmentMarksundertheRegisteredMarkProfiledesignatedbyaCertificateGeneralPolicyIdentifierOID(1.3.6.1.4.1.53087.1.1)asdescribedunderSection7.1.2.2and7.1.2.3.TheCASHALLconfirmthataMarkorequivalentwasgrantedtoorclaimedbyaGovernmentEntityorNon-CommercialEntity(InternationalOrganization)(orgrantedtoaprivateorganizationorotherorganizationbyaGovernmentEntityorNon-CommercialEntity[InternationalOrganization]throughofficialstatute,regulation,treaty,orgovernmentaction)asitappearsorisdescribedinthestatute,regulation,treaty,orgovernmentactionandconfirmedbyaMarkVerifyingAuthority.InadditiontotheidentityanddomainverificationrequiredbySection3.2,CAsissuingVerifiedMarkCertificatesSHALLperformverificationofthesubmittedGovernmentMarkasfollows:

3.2.16.2.1. VerificationofStatute,Regulation,Treaty,orActionTheCASHALLconfirmthattheGovernmentMarkwasgrantedtoorclaimedbyaGovernmentEntityorNon-CommercialEntity(InternationalOrganization)(orgrantedtoaprivateorganizationorotherorganizationbyaGovernmentEntityorNon-CommercialEntity(InternationalOrganization)throughofficialstatute,regulation,treaty,orgovernmentactionbyconfirmingthegrantorclaiminpubliclyavailablerecordsofthestatute,regulation,treaty,orgovernmentaction.TheCAshallmaintainacopyofthestatute,regulation,treaty,orgovernmentactionincludingallofficialreferences(e.g.,statuteorregulationnumberandjurisdiction)andacopyoftheMarkimageascontainedinorreferencedbythestatuteorregulation.Example:USDepartmentoftheTreasury-TreasuryOrder100-01approvingthedesignoftheTreasurysealwhichaccompaniestheOrder,pursuantto31U.S.C.§301(g).


TheCASHALLalsoretainascreenshotorotherrecordoftheMarkRepresentationprovidedbytheApplicantandallinformationsupportingtheverificationoftheGovernmentMarkobtainedfromtheapplicablestatute,regulation,treaty,orgovernmentaction.

3.2.16.2.2. VerificationofGovernmentMarkOwnershiporLicenseTheCASHALLconfirmthattheowneroftheGovernmentMarkconfirmedundersubsection(1)isthesameSubjectorganizationverifiedbytheVerifiedMarkvettingprocessunderSection3.2,oriftheowneroftheGovernmentMarkisnotthesameSubjectorganization,thattheSubjectorganizationhasobtainedtherighttousetheGovernmentMarkthroughstatute,regulation,treaty,orgovernmentaction,orbyamutuallyagreed-uponlicensefromtheentitywhoistheownerofrecordoftheGovernmentMark.IftheownerofaGovernmentMarkisnottheApplicant,theApplicantmayonlyusetheGovernmentMarkiftheCAobtainsanauthorizationletterfromtheownerofrecordoftheGovernmentMark.IndeterminingwhethertheApplicantistheowneroralicenseeoftheGovernmentMarkcorrespondingtotheMarkRepresentation,theCASHALLmaintainarecordofitsdecisionsandreasonsthereforintheCA’srecordsrequiredinsection3.2.1.

3.2.16.2.3. ConfirmationofMarkRepresentationTheCASHALLconfirmthattheMarkRepresentationsubmittedbytheApplicantmatchestheGovernmentMarkasconfirmedundersubsection(1).IndeterminingwhethertheMarkRepresentationmatchestheGovernmentMarksoconfirmed,theCASHALLmaintainarecordofitsdecisionsandreasonstherefor.TheCAMAYfollowtheguidelinesinAppendixEforcomparisonoftheGovernmentMarkasconfirmedwiththeMarkRepresentation.

3.2.16.2.4. ColorRestrictionsMarkRepresentationsinVerifiedMarkCertificatesforCombinedMarksandDesignMarksSHALLonlybeincolorsaspermittedfortheGovernmentMarkbytheapplicablestatute,regulation,treaty,orgovernmentactionverifiedbytheCA.TheCASHALLexaminetheGovernmentMarktodeterminewhatrights,ifany,theSubjectorganizationhastouseoftheGovernmentMarkinthecolorsoftheMarkRepresentationsubmittedbytheSubscriber.IndeterminingwhetherthecolorsintheMarkRepresentationsubmittedbytheSubscribermatchthecolorspermittedbythestatute,regulation,treaty,orgovernmentactionverifiedbytheCA,theCASHALLmaintainarecordofitsdecisionandreasonsthereforintheCA’srecordsrequiredinsection3.2.1.

3.2.17. OtherVerificationRequirements3.2.17.1. DeniedListsandOtherLegalBlockLists(1) VerificationRequirements:TheCAMUSTverifywhethertheApplicant,theContractSigner,the

CertificateApprover,theApplicant’sJurisdictionofIncorporation,Registration,orPlaceofBusiness:(A) Isidentifiedonanygovernmentdeniedlist,listofprohibitedpersons,orotherlistthatprohibits

doingbusinesswithsuchorganizationorpersonunderthelawsofthecountryoftheCA’sjurisdiction(s)ofoperation;or

(B�HasitsJurisdictionofIncorporation,Registration,orPlaceofBusinessinanycountrywithwhichthelawsoftheCA’sjurisdictionprohibitdoingbusiness.

TheCAMUSTNOTissueanyVerifiedMarkCertificatetotheApplicantifeithertheApplicant,theContractSigner,orCertificateApproveroriftheApplicant’sJurisdictionofIncorporationorRegistrationorPlaceofBusinessisonanysuchlist.


(2)AcceptableMethodsofVerification:TheCAMUSTtakereasonablestepstoverifywiththefollowinglistsandregulations:(A) IftheCAhasoperationsintheU.S.,theCAMUSTtakereasonablestepstoverifywiththefollowingUS

Governmentdeniedlistsandregulations:(i) BISDeniedPersonsList-http://www.bis.doc.gov/dpl/thedeniallist.asp(ii) BISDeniedEntitiesList-http://www.bis.doc.gov/Entities/Default.htm(iii)USTreasuryDepartmentListofSpeciallyDesignatedNationalsandBlockedPersons-

http://www.treas.gov/ofac/t11sdn.pdf(iv)USGovernmentexportregulations

(B) IftheCAhasoperationsinanyothercountry,theCAMUSTtakereasonablestepstoverifywithallequivalentdeniedlistsandexportregulations(ifany)insuchothercountry.

3.2.17.2. Parent/Subsidiary/AffiliateRelationshipACAverifyinganApplicantusinginformationoftheApplicant'sParent,Subsidiary,orAffiliate,whenallowedundersection3.2.7.1,3.2.8.2,3.2.9.1,or3.2.14,MUSTverifytheApplicant'srelationshiptotheParent,Subsidiary,orAffiliate.AcceptablemethodsofverifyingtheApplicant'srelationshiptotheParent,Subsidiary,orAffiliateincludethefollowing:(1) QIISorQGIS:TherelationshipbetweentheApplicantandtheParent,Subsidiary,orAffiliateisidentified

inaQIISorQGIS;(2) IndependentConfirmationfromtheParent,Subsidiary,orAffiliate:ACAMAYverifytherelationship

betweenanApplicantandaParent,Subsidiary,orAffiliatebyobtaininganIndependentConfirmationfromtheappropriateParent,Subsidiary,orAffiliate(asdescribedinSection3.2.13.2);

(3) ContractbetweenCAandParent,Subsidiary,orAffiliate:ACAMAYverifytherelationshipbetweenanApplicantandaParent,Subsidiary,orAffiliatebyrelyingonacontractbetweentheCAandtheParent,Subsidiary,orAffiliatethatdesignatestheCertificateApproverwithsuchVMCAuthority,providedthatthecontractissignedbytheContractSignerandprovidedthattheagencyandSigningAuthorityoftheContractSignerhavebeenverified;

(4)CorporateResolution:ACAMAYverifytherelationshipbetweenanApplicantandaSubsidiarybyrelyingonaproperlyauthenticatedcorporateresolutionthatapprovescreationoftheSubsidiaryortheApplicant,providedthatsuchresolutionis(i)certifiedbytheappropriatecorporateofficer(e.g.,secretary),and(ii)theCAcanreliablyverifythatthecertificationwasvalidlysignedbysuchperson,andthatsuchpersondoeshavetherequisiteauthoritytoprovidesuchcertification.

3.2.18. FinalCross-CorrelationandDueDiligence(1) TheresultsoftheverificationprocessesandproceduresoutlinedintheseRequirementsareintendedto

beviewedbothindividuallyandasagroup.Thus,afteralloftheverificationprocessesandproceduresarecompleted,theCAMUSThaveasecondValidationSpecialistwhoisnotresponsibleforthecollectionofinformationreviewalloftheinformationanddocumentationassembledinsupportoftheVerifiedMarkCertificateapplicationandlookfordiscrepanciesorotherdetailsrequiringfurtherexplanation.

(2) TheCAMUSTobtainanddocumentfurtherexplanationorclarificationfromtheApplicant,CertificateApprover,CertificateRequester,QualifiedIndependentInformationSources,and/orothersourcesofinformation,asnecessary,toresolvethosediscrepanciesordetailsthatrequirefurtherexplanation.

(3) TheCAMUSTrefrainfromissuingaVerifiedMarkCertificateuntiltheentirecorpusofinformationanddocumentationassembledinsupportoftheVerifiedMarkCertificateRequestissuchthatissuanceoftheVerifiedMarkCertificatewillnotcommunicatefactualinformationthattheCAknows,ortheexerciseofduediligenceshoulddiscoverfromtheassembledinformationanddocumentation,tobeinaccurate,Ifsatisfactoryexplanationand/oradditionaldocumentationarenotreceivedwithinareasonabletime,theCAMUSTdeclinetheVerifiedMarkCertificateRequestandSHOULDnotifytheApplicantaccordingly.

(4) InthecasewheresomeorallofthedocumentationusedtosupporttheapplicationisinalanguageotherthantheCA’snormaloperatinglanguage,theCAoritsAffiliateMUSTperformtherequirementsofthisFinalCross-CorrelationandDueDiligencesectionusingemployeesunderitscontrolandhavingappropriatetraining,experience,andjudgmentinconfirmingorganizationalidentificationandauthorizationandfulfillingallqualificationrequirementscontainedinSection5.3oftheseRequirements.WhenemployeesunderthecontroloftheCAdonotpossessthelanguageskillsnecessarytoperformthe


FinalCross-CorrelationandDueDiligenceaCAMAYrelyonlanguagetranslationsoftherelevantportionsofthedocumentation,providedthatthetranslationsarereceivedfromaTranslator.

3.2.19. CriteriaforInteroperationorCertificationTheCASHALLdiscloseallCrossCertificatesthatidentifytheCAastheSubject,providedthattheCAarrangedfororacceptedtheestablishmentofthetrustrelationship(i.e.theCrossCertificateatissue).

3.3. IDENTIFICATIONANDAUTHENTICATIONFORRE-KEYREQUESTS

3.3.1. IdentificationandAuthenticationforRoutineRe-keyNostipulation.

3.3.2. IdentificationandAuthenticationforRe-keyAfterRevocationNostipulation.

3.4. IDENTIFICATIONANDAUTHENTICATIONFORREVOCATIONREQUEST

Nostipulation.

4. CERTIFICATELIFE-CYCLEOPERATIONALREQUIREMENTS

4.1. CERTIFICATEAPPLICATION

4.1.1. WhoCanSubmitaCertificateApplicationInaccordancewithSection5.5.2,theCASHALLmaintainaninternaldatabaseofallpreviouslyrevokedCertificatesandpreviouslyrejectedcertificaterequestsduetosuspectedphishingorotherfraudulentusageorconcerns.TheCASHALLusethisinformationtoidentifysubsequentsuspiciouscertificaterequests.TheCASHALLestablishaprocessthatallowsanApplicanttospecifytheindividualswhomayrequestCertificates.IfanApplicantspecifies,inwriting,theindividualswhomayrequestaCertificate,thentheCASHALLNOTacceptanycertificaterequeststhatareoutsidethisspecification.TheCASHALLprovideanApplicantwithalistofitsauthorizedcertificaterequestersupontheApplicant’sverifiedwrittenrequest.

4.1.2. EnrollmentProcessandResponsibilitiesPriortotheissuanceofaCertificate,theCASHALLobtainthefollowingdocumentationfromtheApplicant:

1. Acertificaterequest,whichmaybeelectronic;and2. AnexecutedSubscriberAgreementorTermsofUse,whichmaybeelectronic.

TheCASHOULDobtainanyadditionaldocumentationtheCAdeterminesnecessarytomeettheseRequirements.PriortotheissuanceofaCertificate,theCASHALLobtainfromtheApplicantacertificaterequestinaformprescribedbytheCAandthatcomplieswiththeseRequirements.OnecertificaterequestMAYsufficeformultipleCertificatestobeissuedtothesameApplicant,subjecttotheagingandupdatingrequirementinSection4.2.1,providedthateachCertificateissupportedbyavalid,currentcertificaterequestsignedbytheappropriateApplicantRepresentativeonbehalfoftheApplicant.ThecertificaterequestMAYbemade,submittedand/orsignedelectronically.


ThecertificaterequestMUSTcontainarequestfrom,oronbehalfof,theApplicantfortheissuanceofaCertificate,andacertificationby,oronbehalfof,theApplicantthatalloftheinformationcontainedthereiniscorrect.

4.2. CERTIFICATEAPPLICATIONPROCESSING

4.2.1. PerformingIdentificationandAuthenticationFunctionsThecertificaterequestMAYincludeallfactualinformationabouttheApplicanttobeincludedintheCertificate,andsuchadditionalinformationasisnecessaryfortheCAtoobtainfromtheApplicantinordertocomplywiththeseRequirementsandtheCA’sCertificatePolicyand/orCertificationPracticeStatement.IncaseswherethecertificaterequestdoesnotcontainallthenecessaryinformationabouttheApplicant,theCASHALLobtaintheremaininginformationfromtheApplicantor,havingobtaineditfromareliable,independent,third-partydatasource,confirmitwiththeApplicant.TheCASHALLestablishandfollowadocumentedprocedureforverifyingalldatarequestedforinclusionintheCertificatebytheApplicant.ApplicantinformationMUSTinclude,butnotbelimitedto,atleastoneFully-QualifiedDomainNametobeincludedintheCertificate’sSubjectAltNameextension.Section6.3.2limitsthevalidityperiodofSubscriberCertificates.TheCAMAYusethedocumentsanddataprovidedinSection3.2toverifycertificateinformation,ormayreusepreviousvalidationsthemselves,providedthattheCAobtainedthedataordocumentfromasourcespecifiedunderSection3.2orcompletedthevalidationitselfnomorethan398dayspriortoissuingtheCertificate.InnocasemayapriorvalidationbereusedifanydataordocumentusedinthepriorvalidationwasobtainedmorethanthemaximumtimepermittedforreuseofthedataordocumentpriortoissuingtheCertificate.Asanexceptiontothevalidationreuseperiodof398daysdefinedabove,face-to-facevalidationisnotrequiredmorethanonceforanySubscriberOrganization(orParent,Subsidiary,orAffiliate)solongastheCAhasmaintainedcontinuouscontactwithoneormoreSubscriberrepresentativesandmaintainsasystemforauthorizationbytheSubscriberofnewSubscriberrepresentatives(orrepresentativesofaParent,Subsidiary,orAffiliate).“Continuouscontact”meanstheCAhasoneormoredirectcontactswithaSubscriberrepresentativeduringthevalidityperiodofanyVMCissuedtotheSubscriberorwithin90daysoftheexpirationofthelastoftheSubscriber’sVMCtoexpire.AfterthechangetoanyvalidationmethodspecifiedintheVerifiedMarkRequirements,aCAmaycontinuetoreusevalidationdataordocumentscollectedpriortothechange,orthevalidationitself,fortheperiodstatedinthissectionunlessotherwisespecificallyprovidedintheseRequirements.

4.2.2. ApprovalorRejectionofCertificateApplicationsCAsSHALLNOTissuecertificatescontainingInternalNames(seesection7.1.4.2.1).

4.2.3. TimetoProcessCertificateApplicationsNostipulation.

4.3. CERTIFICATEISSUANCE

4.3.1. CAActionsduringCertificateIssuance


CertificateissuancebytheRootCASHALLrequireanindividualauthorizedbytheCA(i.e.theCAsystemoperator,systemofficer,orPKIadministrator)todeliberatelyissueadirectcommandinorderfortheRootCAtoperformacertificatesigningoperation.BeforeissuanceofaVerifiedMarkCertificate,theCASHALLlogtheVerifiedMarkCertificatepre-certificate(includingallthedataincludedintheSubjectfieldofthecertificateplustheMarkRepresentation)tooneormorepublicCTlogs.ThelistofCTlogsthatareacceptableforthefulfillmentofthisrequirementisfoundinAppendixF.

4.3.2. NotificationofCertificateIssuanceNostipulation.

4.4. CERTIFICATEACCEPTANCE

4.4.1. ConductconstitutingcertificateacceptanceNostipulation.

4.4.2. PublicationofthecertificatebytheCANostipulation.

4.4.3. NotificationofcertificateissuancebytheCAtootherentitiesNostipulation.

4.5. KEYPAIRANDCERTIFICATEUSAGE

4.5.1. SubscriberprivatekeyandcertificateusageTheSubscriberprivatekeydoesnotneedtobeprotected,andmaybediscarded.

4.5.2. RelyingpartypublickeyandcertificateusageNostipulation.

4.6. CERTIFICATERENEWAL

4.6.1. CircumstanceforcertificaterenewalNostipulation.

4.6.2. WhomayrequestrenewalNostipulation.

4.6.3. ProcessingcertificaterenewalrequestsNostipulation.

4.6.4. NotificationofnewcertificateissuancetosubscriberNostipulation.

4.6.5. ConductconstitutingacceptanceofarenewalcertificateNostipulation.


4.6.6. PublicationoftherenewalcertificatebytheCANostipulation.


4.7. CERTIFICATERE-KEY

4.7.1. Circumstanceforcertificatere-keyNostipulation.

4.7.2. WhomayrequestcertificationofanewpublickeyNostipulation.

4.7.3. Processingcertificatere-keyingrequestsNostipulation.


4.7.5. Conductconstitutingacceptanceofare-keyedcertificateNostipulation.

4.7.6. Publicationofthere-keyedcertificatebytheCANostipulation.


4.8. CERTIFICATEMODIFICATION

4.8.1. CircumstanceforcertificatemodificationNostipulation.4.8.2. WhomayrequestcertificatemodificationNostipulation.4.8.3. ProcessingcertificatemodificationrequestsTheCAmayrelyonapreviouslyverifiedcertificaterequesttoissueareplacementcertificate,solongasthecertificatebeingreferencedwasnotrevokedduetofraudorotherillegalconduct,if:(1)TheexpirationdateofthereplacementcertificateisthesameastheexpirationdateoftheVMCthatis

beingreplaced,and(2)TheSubjectInformationoftheCertificateisthesameastheSubjectintheVMCthatisbeingreplaced.



4.8.5. ConductconstitutingacceptanceofmodifiedcertificateNostipulation.

4.8.6. PublicationofthemodifiedcertificatebytheCANostipulation.


4.9. CERTIFICATEREVOCATIONANDSUSPENSION

4.9.1. CircumstancesforRevocation4.9.1.1. ReasonsforRevokingaSubscriberCertificateTheCASHALLrevokeaCertificatewithin24hoursifoneormoreofthefollowingoccurs:

1. TheSubscriberrequestsinwritingthattheCArevoketheCertificate;2. TheSubscribernotifiestheCAthattheoriginalcertificaterequestwasnotauthorizedanddoesnot

retroactivelygrantauthorization;or3. TheCAobtainsevidencethatthevalidationofdomainauthorizationorcontrolforanyFully-

QualifiedDomainNameintheCertificateshouldnotbereliedupon.TheCASHOULDrevokeacertificatewithin24hoursandMUSTrevokeaCertificatewithin5daysifoneormoreofthefollowingoccurs:

1. TheCertificatenolongercomplieswiththerequirementsofSections6.1.5and6.1.6;2. TheCAobtainsevidencethattheCertificatewasmisused;3. TheCAismadeawarethataSubscriberhasviolatedoneormoreofitsmaterialobligationsunderthe

SubscriberAgreementorTermsofUse;4. TheCAismadeawareofanycircumstanceindicatingthatuseofaFully-QualifiedDomaininthe

Certificateisnolongerlegallypermitted(e.g.acourtorarbitratorhasrevokedaDomainNameRegistrant'srighttousetheDomainName,arelevantlicensingorservicesagreementbetweentheDomainNameRegistrantandtheApplicanthasterminated,ortheDomainNameRegistranthasfailedtorenewtheDomainName);

5. TheCAismadeawareofamaterialchangeintheinformationcontainedintheCertificate;6. TheCAismadeawarethattheCertificatewasnotissuedinaccordancewiththeseRequirementsor

theCA'sCertificatePolicyorCertificationPracticeStatement;7. TheCAdeterminesorismadeawarethatanyoftheinformationappearingintheCertificateis

inaccurate;8. TheCA'srighttoissueCertificatesundertheseRequirementsexpiresorisrevokedorterminated,

unlesstheCAhasmadearrangementstocontinuemaintainingtheCRL/OCSPRepository;9. RevocationisrequiredbytheCA'sCertificatePolicyand/orCertificationPracticeStatement.

4.9.1.2. ReasonsforRevokingaSubordinateCACertificateTheIssuingCASHALLrevokeaSubordinateCACertificatewithinseven(7)daysifoneormoreofthefollowingoccurs:

1. TheSubordinateCArequestsrevocationinwriting;2. TheSubordinateCAnotifiestheIssuingCAthattheoriginalcertificaterequestwasnotauthorized

anddoesnotretroactivelygrantauthorization;3. TheIssuingCAobtainsevidencethattheSubordinateCA'sPrivateKeycorrespondingtothePublic

KeyintheCertificatesufferedaKeyCompromiseornolongercomplieswiththerequirementsofSections6.1.5and6.1.6;

4. TheIssuingCAobtainsevidencethattheCertificatewasmisused;


5. TheIssuingCAismadeawarethattheCertificatewasnotissuedinaccordancewithorthatSubordinateCAhasnotcompliedwiththisdocumentortheapplicableCertificatePolicyorCertificationPracticeStatement;

6. TheIssuingCAdeterminesthatanyoftheinformationappearingintheCertificateisinaccurateormisleading;

7. TheIssuingCAorSubordinateCAceasesoperationsforanyreasonandhasnotmadearrangementsforanotherCAtoproviderevocationsupportfortheCertificate;

8. TheIssuingCA'sorSubordinateCA'srighttoissueCertificatesundertheseRequirementsexpiresorisrevokedorterminated,unlesstheIssuingCAhasmadearrangementstocontinuemaintainingtheCRL/OCSPRepository;or

9. RevocationisrequiredbytheIssuingCA'sCertificatePolicyand/orCertificationPracticeStatement.

4.9.2. WhoCanRequestRevocationTheSubscriber,RA,orIssuingCAcaninitiaterevocation.Additionally,Subscribers,RelyingParties,ApplicationSoftwareSuppliers,andotherthirdpartiesmaysubmitCertificateProblemReportsinformingtheissuingCAofreasonablecausetorevokethecertificate.

4.9.3. ProcedureforRevocationRequestTheCASHALLprovideaprocessforSubscriberstorequestrevocationoftheirownCertificates.TheprocessMUSTbedescribedintheCA'sCertificatePolicyorCertificationPracticeStatement.TheCASHALLmaintainacontinuous24x7abilitytoacceptandrespondtorevocationrequestsandCertificateProblemReports.TheCASHALLprovideSubscribers,RelyingParties,ApplicationSoftwareSuppliers,andotherthirdpartieswithclearinstructionsforreportingsuspectedPrivateKeyCompromise,Certificatemisuse,orothertypesoffraud,compromise,misuse,inappropriateconduct,oranyothermatterrelatedtoCertificates.TheCASHALLpubliclydisclosetheinstructionsthroughareadilyaccessibleonlinemeansandinsection1.5.2oftheirCPS.

4.9.4. RevocationRequestGracePeriodNostipulation.

4.9.5. TimewithinwhichCAMustProcesstheRevocationRequestWithin24hoursafterreceivingaCertificateProblemReport,theCASHALLinvestigatethefactsandcircumstancesrelatedtoaCertificateProblemReportandprovideapreliminaryreportonitsfindingstoboththeSubscriberandtheentitywhofiledtheCertificateProblemReport.

4.9.6. RevocationCheckingRequirementforRelyingPartiesNostipulation.Note:Followingcertificateissuance,acertificatemayberevokedforreasonsstatedinSection4.9.1.Therefore,relyingpartiesshouldchecktherevocationstatusofallcertificatesthatcontainaCDPorOCSPpointer.

4.9.7. CRLIssuanceFrequencyForthestatusofSubscriberCertificates:IftheCApublishesaCRL,thentheCASHALLupdateandreissueCRLsatleastonceeverysevendays,andthevalueofthenextUpdatefieldMUSTNOTbemorethantendaysbeyondthevalueofthethisUpdatefield.ForthestatusofSubordinateCACertificates:


TheCASHALLupdateandreissueCRLsatleast(i)onceeverytwelvemonthsand(ii)within24hoursafterrevokingaSubordinateCACertificate,andthevalueofthenextUpdatefieldMUSTNOTbemorethantwelvemonthsbeyondthevalueofthethisUpdatefield.

4.9.8. MaximumLatencyforCRLsNostipulation.

4.9.9. On-lineRevocation/StatusCheckingAvailabilityOCSPresponsesMUSTconformtoRFC6960and/orRFC5019.OCSPresponsesMUSTeither:

1. BesignedbytheCAthatissuedtheCertificateswhoserevocationstatusisbeingchecked,or2. BesignedbyanOCSPResponderwhoseCertificateissignedbytheCAthatissuedtheCertificate

whoserevocationstatusisbeingchecked.Inthelattercase,theOCSPsigningCertificateMUSTcontainanextensionoftypeid-pkix-ocsp-nocheck,asdefinedbyRFC6960.

4.9.10. On-lineRevocationCheckingRequirementsOCSPrespondersoperatedbytheCASHALLsupporttheHTTPGETmethod,asdescribedinRFC6960and/orRFC5019.ForthestatusofSubscriberCertificateswhichincludeanAuthorityInformationAccessextensionwithaid-ad-ocspaccessMethod(“AIAOCSPpointer”):

• TheCASHALLupdateinformationprovidedviaanOnlineCertificateStatusProtocolatleasteveryfourdays.OCSPresponsesfromthisserviceMUSThaveamaximumexpirationtimeoftendays.

CAsMAYdeclinetoprovidedefinitiveresponsesforthestatusofSubscriberCertificateswhichdonotincludeanAuthorityInformationAccessextensionwithaid-ad-ocspaccessMethod(“AIAOCSPpointer”).ForthestatusofSubordinateCACertificates:

• TheCASHALLupdateinformationprovidedviaanOnlineCertificateStatusProtocol(i)atleasteverytwelvemonths;and(ii)within24hoursafterrevokingaSubordinateCACertificate.

IftheOCSPresponderreceivesarequestforthestatusofacertificateserialnumberthatis"unused",thentheresponderMUSTNOTrespondwitha"good"status.TheOCSPresponderMAYprovidedefinitiveresponsesabout"reserved"certificateserialnumbers,asiftherewasacorrespondingCertificatethatmatchesthePrecertificate[RFC6962].AcertificateserialnumberwithinanOCSPrequestisoneofthefollowingthreeoptions:

1. "assigned"ifaCertificatewiththatserialnumberhasbeenissuedbytheIssuingCA,usinganycurrentorpreviouskeyassociatedwiththatCAsubject;or

2. "reserved"ifaPrecertificate[RFC6962]withthatserialnumberhasbeenissuedby(a)theIssuingCA;or(b)aPrecertificateSigningCertificate[RFC6962]associatedwiththeIssuingCA;or

3. "unused"ifneitherofthepreviousconditionsaremet.

4.9.11. OtherFormsofRevocationAdvertisementsAvailableNostipulation.

4.9.12. SpecialRequirementsRelatedtoKeyCompromise


SeeSection4.9.1.

4.9.13. CircumstancesforSuspensionTheRepositoryMUSTNOTincludeentriesthatindicatethataCertificateissuspended.

4.9.14. WhoCanRequestSuspensionNotapplicable.

4.9.15. ProcedureforSuspensionRequestNotapplicable.

4.9.16. LimitsonSuspensionPeriodNotapplicable.

4.10. CERTIFICATESTATUSSERVICES

4.10.1. OperationalCharacteristicsRevocationentriesonaCRLorOCSPResponseMUSTNOTberemoveduntilaftertheExpiryDateoftherevokedCertificate.

4.10.2. ServiceAvailabilityTheCASHALLoperateandmaintainitsCRLandOCSPcapabilitywithresourcessufficienttoprovidearesponsetimeoftensecondsorlessundernormaloperatingconditions.TheCASHALLmaintainanonline24x7RepositorythatapplicationsoftwarecanusetoautomaticallycheckthecurrentstatusofallunexpiredCertificatesissuedbytheCA.TheCASHALLmaintainacontinuous24x7abilitytorespondinternallytoahigh-priorityCertificateProblemReport,andwhereappropriate,forwardsuchacomplainttolawenforcementauthorities,and/orrevokeaCertificatethatisthesubjectofsuchacomplaint.

4.10.3. OptionalFeaturesNostipulation.

4.11. ENDOFSUBSCRIPTION

Nostipulation.

4.12. KEYESCROWANDRECOVERY

4.12.1. KeyescrowandrecoverypolicyandpracticesNotapplicable.4.12.2. SessionkeyencapsulationandrecoverypolicyandpracticesNotapplicable.


5. MANAGEMENT,OPERTIONAL,ANDPHYSICALCONTROLSTheCA/BrowserForum’sNetworkandCertificateSystemSecurityRequirementsareincorporatedbyreferenceasiffullysetforthherein.TheCASHALLdevelop,implement,andmaintainacomprehensivesecurityprogramdesignedto:

1. Protecttheconfidentiality,integrity,andavailabilityofCertificateDataandCertificateManagementProcesses;

2. Protectagainstanticipatedthreatsorhazardstotheconfidentiality,integrity,andavailabilityoftheCertificateDataandCertificateManagementProcesses;

3. Protectagainstunauthorizedorunlawfulaccess,use,disclosure,alteration,ordestructionofanyCertificateDataorCertificateManagementProcesses;

4. Protectagainstaccidentallossordestructionof,ordamageto,anyCertificateDataorCertificateManagementProcesses;and

5. ComplywithallothersecurityrequirementsapplicabletotheCAbylaw.TheCertificateManagementProcessMUSTinclude:

1. physicalsecurityandenvironmentalcontrols;2. systemintegritycontrols,includingconfigurationmanagement,integritymaintenanceoftrusted

code,andmalwaredetection/prevention;3. networksecurityandfirewallmanagement,includingportrestrictionsandIPaddressfiltering;4. usermanagement,separatetrusted-roleassignments,education,awareness,andtraining;and5. logicalaccesscontrols,activitylogging,andinactivitytime-outstoprovideindividualaccountability.

TheCA’ssecurityprogramMUSTincludeanannualRiskAssessmentthat:

1. Identifiesforeseeableinternalandexternalthreatsthatcouldresultinunauthorizedaccess,disclosure,misuse,alteration,ordestructionofanyCertificateDataorCertificateManagementProcesses;

2. Assessesthelikelihoodandpotentialdamageofthesethreats,takingintoconsiderationthesensitivityoftheCertificateDataandCertificateManagementProcesses;and

3. Assessesthesufficiencyofthepolicies,procedures,informationsystems,technology,andotherarrangementsthattheCAhasinplacetocountersuchthreats.

BasedontheRiskAssessment,theCASHALLdevelop,implement,andmaintainasecurityplanconsistingofsecurityprocedures,measures,andproductsdesignedtoachievetheobjectivessetforthaboveandtomanageandcontroltherisksidentifiedduringtheRiskAssessment,commensuratewiththesensitivityoftheCertificateDataandCertificateManagementProcesses.ThesecurityplanMUSTincludeadministrative,organizational,technical,andphysicalsafeguardsappropriatetothesensitivityoftheCertificateDataandCertificateManagementProcesses.ThesecurityplanMUSTalsotakeintoaccountthen-availabletechnologyandthecostofimplementingthespecificmeasures,andSHALLimplementareasonablelevelofsecurityappropriatetotheharmthatmightresultfromabreachofsecurityandthenatureofthedatatobeprotected.

5.1. PHYSICALSECURITYCONTROLS

5.1.1. SitelocationandconstructionNostipulation.

5.1.2. PhysicalaccessNostipulation.


5.1.3. PowerandairconditioningNostipulation.

5.1.4. WaterexposuresNostipulation.

5.1.5. FirepreventionandprotectionNostipulation.

5.1.6. MediastorageNostipulation.

5.1.7. WastedisposalNostipulation.

5.1.8. Off-sitebackupNostipulation.

5.2. PROCEDURALCONTROLS

5.2.1. TrustedRolesNostipulation.

5.2.2. NumberofIndividualsRequiredperTaskTheCAPrivateKeySHALLbebackedup,stored,andrecoveredonlybypersonnelintrustedrolesusing,atleast,dualcontrolinaphysicallysecuredenvironment.

5.2.3. IdentificationandAuthenticationforTrustedRolesNostipulation.

5.2.4. RolesRequiringSeparationofDutiesNostipulation.

5.3. PERSONNELCONTROLS

5.3.1. Qualifications,Experience,andClearanceRequirementsPriortotheengagementofanypersonintheCertificateManagementProcess,whetherasanemployee,agent,oranindependentcontractoroftheCA,theCASHALLverifytheidentityandtrustworthinessofsuchperson.

5.3.2. BackgroundCheckProceduresNostipulation.

5.3.3. TrainingRequirementsandProceduresTheCASHALLprovideallpersonnelperforminginformationverificationdutieswithskills-trainingthatcoversbasicPublicKeyInfrastructureknowledge,authenticationandvettingpoliciesandprocedures(includingtheCA’sCertificatePolicyand/orCertificationPracticeStatement),commonthreatstothe


informationverificationprocess(includingphishingandothersocialengineeringtactics),andtheseRequirements.TheCASHALLmaintainrecordsofsuchtrainingandensurethatpersonnelentrustedwithValidationSpecialistdutiesmaintainaskilllevelthatenablesthemtoperformsuchdutiessatisfactorily.TheCASHALLdocumentthateachValidationSpecialistpossessestheskillsrequiredbyataskbeforeallowingtheValidationSpecialisttoperformthattask.TheCASHALLrequireallValidationSpecialiststopassanexaminationprovidedbytheCAontheinformationverificationrequirementsoutlinedintheseRequirements.

5.3.4. RetrainingFrequencyandRequirementsAllpersonnelinTrustedRolesSHALLmaintainskilllevelsconsistentwiththeCA’strainingandperformanceprograms.

5.3.5. JobRotationFrequencyandSequenceNostipulation.

5.3.6. SanctionsforUnauthorizedActionsNostipulation.

5.3.7. IndependentContractorControlsTheCASHALLverifythattheDelegatedThirdParty’spersonnelinvolvedintheissuanceofaCertificatemeetthetrainingandskillsrequirementsofSection5.3.3andthedocumentretentionandeventloggingrequirementsofSection5.4.1.5.3.8. DocumentationSuppliedtoPersonnelNostipulation.

5.4. AUDITLOGGINGPROCEDURES

5.4.1. TypesofEventsRecordedTheCAandeachDelegatedThirdPartySHALLrecorddetailsoftheactionstakentoprocessacertificaterequestandtoissueaCertificate,includingallinformationgeneratedanddocumentationreceivedinconnectionwiththecertificaterequest;thetimeanddate;andthepersonnelinvolved.TheCASHALLmaketheserecordsavailabletoitsQualifiedPractitionerasproofoftheCA’scompliancewiththeseRequirements.TheCASHALLrecordatleastthefollowingevents:1.CAcertificateandkeylifecycleevents,including:1.Keygeneration,backup,storage,recovery,archival,anddestruction;2.Certificaterequests,renewal,andre-keyrequests,andrevocation;3.Approvalandrejectionofcertificaterequests;4.Cryptographicdevicelifecyclemanagementevents;5.GenerationofCertificateRevocationListsandOCSPentries;6.IntroductionofnewCertificateProfilesandretirementofexistingCertificateProfiles.2.SubscriberCertificatelifecyclemanagementevents,including:1.Certificaterequests,renewal,andre-keyrequests,andrevocation;


2.AllverificationactivitiesstipulatedintheseRequirementsandtheCA'sCertificationPracticeStatement;3.Approvalandrejectionofcertificaterequests;4.IssuanceofCertificates;and5.GenerationofCertificateRevocationListsandOCSPentries.3.Securityevents,including:1.SuccessfulandunsuccessfulPKIsystemaccessattempts;2.PKIandsecuritysystemactionsperformed;3.Securityprofilechanges;4.Installation,updateandremovalofsoftwareonaCertificateSystem;5.Systemcrashes,hardwarefailures,andotheranomalies;6.Firewallandrouteractivities;and7.EntriestoandexitsfromtheCAfacility.LogentriesMUSTincludethefollowingelements:

1. Dateandtimeofentry;2. Identityofthepersonmakingthejournalentry;and3. Descriptionoftheentry.

5.4.2. FrequencyforProcessingandArchivingAuditLogsNostipulation.

5.4.3. RetentionPeriodforAuditLogsTheCASHALLretain,foratleasttwoyears:1.CAcertificateandkeylifecyclemanagementeventrecords(assetforthinSection5.4.1(1))afterthelateroccurrenceof:a.thedestructionoftheCAPrivateKey;orb.therevocationorexpirationofthefinalCACertificateinthatsetofCertificatesthathaveanX.509v3basicConstraintsextensionwiththecAfieldsettotrueandwhichshareacommonPublicKeycorrespondingtotheCAPrivateKey;2.SubscriberCertificatelifecyclemanagementeventrecords(assetforthinSection5.4.1(2))aftertherevocationorexpirationoftheSubscriberCertificate.3.Anysecurityeventrecords(assetforthinSection5.4.1(3))aftertheeventoccurred.

5.4.4. ProtectionofAuditLogNostipulation.

5.4.5. AuditLogBackupProceduresNostipulation.

5.4.6. AuditLogAccumulationSystem(internalvs.external)Nostipulation.

5.4.7. NotificationtoEvent-CausingSubjectNostipulation.

5.4.8. VulnerabilityAssessmentsAdditionally,theCA’ssecurityprogramMUSTincludeanannualRiskAssessmentthat:


1. Identifiesforeseeableinternalandexternalthreatsthatcouldresultinunauthorizedaccess,disclosure,misuse,alteration,ordestructionofanyCertificateDataorCertificateManagementProcesses;

2. Assessesthelikelihoodandpotentialdamageofthesethreats,takingintoconsiderationthesensitivityoftheCertificateDataandCertificateManagementProcesses;and

3. Assessesthesufficiencyofthepolicies,procedures,informationsystems,technology,andotherarrangementsthattheCAhasinplacetocountersuchthreats.

5.5. RECORDSARCHIVAL

5.5.1. TypesofRecordsArchivedNostipulation.

5.5.2. RetentionPeriodforArchiveTheCASHALLretainalldocumentationrelatingtocertificaterequestsandtheverificationthereof,andallCertificatesandrevocationthereof,foratleasttwoyearsafteranyCertificatebasedonthatdocumentationceasestobevalid

5.5.3. ProtectionofArchiveNostipulation.

5.5.4. ArchiveBackupProceduresNostipulation.

5.5.5. RequirementsforTime-stampingofRecordsNostipulation.

5.5.6. ArchiveCollectionSystem(internalorexternal)Nostipulation.

5.5.7. ProcedurestoObtainandVerifyArchiveInformationNostipulation.

5.6. KEYCHANGEOVER

Nostipulation.

5.7. COMPROMISEANDDISASTERRECOVERY

5.7.1. IncidentandCompromiseHandlingProceduresCAorganizationsSHALLhaveanIncidentResponsePlanandaDisasterRecoveryPlan.TheCASHALLdocumentabusinesscontinuityanddisasterrecoveryproceduresdesignedtonotifyandreasonablyprotectApplicationSoftwareSuppliers,Subscribers,andRelyingPartiesintheeventofadisaster,securitycompromise,orbusinessfailure.TheCAisnotrequiredtopubliclydiscloseitsbusinesscontinuityplansbutSHALLmakeitsbusinesscontinuityplanandsecurityplansavailabletotheCA’sauditorsuponrequest.TheCASHALLannuallytest,review,andupdatetheseprocedures.


ThebusinesscontinuityplanMUSTinclude:

1. Theconditionsforactivatingtheplan,2. Emergencyprocedures,3. Fallbackprocedures,4. Resumptionprocedures,5. Amaintenanceschedulefortheplan;6. Awarenessandeducationrequirements;7. Theresponsibilitiesoftheindividuals;8. Recoverytimeobjective(RTO);9. Regulartestingofcontingencyplans.10. TheCA’splantomaintainorrestoretheCA’sbusinessoperationsinatimelymannerfollowing

interruptiontoorfailureofcriticalbusinessprocesses11. Arequirementtostorecriticalcryptographicmaterials(i.e.,securecryptographicdeviceand

activationmaterials)atanalternatelocation;12. Whatconstitutesanacceptablesystemoutageandrecoverytime13. Howfrequentlybackupcopiesofessentialbusinessinformationandsoftwarearetaken;14. ThedistanceofrecoveryfacilitiestotheCA’smainsite;and15. Proceduresforsecuringitsfacilitytotheextentpossibleduringtheperiodoftimefollowinga

disasterandpriortorestoringasecureenvironmenteitherattheoriginaloraremotesite.

5.7.2. RecoveryProceduresifComputingResources,Software,and/orDataAreCorrupted

Nostipulation.

5.7.3. RecoveryProceduresAfterKeyCompromiseNostipulation.

5.7.4. BusinessContinuityCapabilitiesafteraDisasterNostipulation.

5.8. CAORRATERMINATION

Nostipulation.

6. TECHNICALSECURITYCONTROLS

6.1. KEYPAIRGENERATIONANDINSTALLATION

6.1.1. KeyPairGeneration6.1.1.1. CAKeyPairGenerationForRootCAKeyPairsthatareeither(i)usedasRootCAKeyPairsor(ii)KeyPairsgeneratedforasubordinateCAthatisnottheoperatoroftheRootCAoranAffiliateoftheRootCA,theCASHALL:

1. prepareandfollowaKeyGenerationScript,2. haveaQualifiedPractitionerwitnesstheRootCAKeyPairgenerationprocessorrecordavideoof

theentireRootCAKeyPairgenerationprocess,and


3. haveaQualifiedPractitionerissueareportopiningthattheCAfolloweditskeyceremonyduringitsKeyandCertificategenerationprocessandthecontrolsusedtoensuretheintegrityandconfidentialityoftheKeyPair.

ForotherCAKeyPairsthatarefortheoperatoroftheRootCAoranAffiliateoftheRootCA,theCASHOULD:1. prepareandfollowaKeyGenerationScriptand2. haveaQualifiedPractitionerwitnesstheRootCAKeyPairgenerationprocessorrecordavideoof

theentireRootCAKeyPairgenerationprocess.Inallcases,theCASHALL:

1. generatethekeysinaphysicallysecuredenvironmentasdescribedintheCA’sCertificatePolicyand/orCertificationPracticeStatement;

2. generatetheCAkeysusingpersonnelintrustedrolesundertheprinciplesofmultiplepersoncontrolandsplitknowledge;

3. generatetheCAkeyswithincryptographicmodulesmeetingtheapplicabletechnicalandbusinessrequirementsasdisclosedintheCA’sCertificatePolicyand/orCertificationPracticeStatement;

4. logitsCAkeygenerationactivities;and5. maintaineffectivecontrolstoprovidereasonableassurancethatthePrivateKeywasgeneratedand

protectedinconformancewiththeproceduresdescribedinitsCertificatePolicyand/orCertificationPracticeStatementand(ifapplicable)itsKeyGenerationScript.

6.1.1.2. RAKeyPairGenerationNostipulation.

6.1.1.3. SubscriberKeyPairGenerationNostipulation.

6.1.2. PrivateKeyDeliverytoSubscriberNostipulation.

6.1.3. PublicKeyDeliverytoCertificateIssuerNostipulation.

6.1.4. CAPublicKeyDeliverytoRelyingPartiesNostipulation.

6.1.5. AlgorithmtypeandkeysizesCertificatesMUSTmeetthefollowingrequirementsforalgorithmtypeandkeysize.

6.1.5.1. RootCACertificates

• Digestalgorithm:SHA-256,SHA-384orSHA-512• MinimumRSAmodulussize(bits):2048• ECCcurve:NISTP-256,P-384,orP-521

6.1.5.2. SubordinateCACertificates

• Digestalgorithm:SHA-256,SHA-384orSHA-512• MinimumRSAmodulussize(bits):2048• ECCcurve:NISTP-256,P-384,orP-521

6.1.5.3. SubscriberCertificates

• Digestalgorithm:SHA-256,SHA-384orSHA-512


• MinimumRSAmodulussize(bits):2048• ECCcurve:NISTP-256,P-384,orP-521

6.1.6. PublicKeyParametersGenerationandQualityCheckingRSA:TheCASHALLconfirmthatthevalueofthepublicexponentisanoddnumberequalto3ormore.Additionally,thepublicexponentSHOULDbeintherangebetween216+1and2256-1.ThemodulusSHOULDalsohavethefollowingcharacteristics:anoddnumber,notthepowerofaprime,andhavenofactorssmallerthan752.[Source:Section5.3.3,NISTSP800-89].ECC:TheCASHOULDconfirmthevalidityofallkeysusingeithertheECCFullPublicKeyValidationRoutineortheECCPartialPublicKeyValidationRoutine.[Source:Sections5.6.2.3.2and5.6.2.3.3,respectively,ofNISTSP56A:Revision2].

6.1.7. KeyUsagePurposesPrivateKeyscorrespondingtoRootCertificatesMUSTNOTbeusedtosignCertificatesexceptinthefollowingcases:

1.Self-signedCertificatestorepresenttheRootCAitself;2.CertificatesforSubordinateCAsandCrossCertificateswhichcontainid-kp-BrandIndicatorforMessageIdentification(OID:1.3.6.1.5.5.7.3.31)asthesoleKeyPurposeIdintheextendedKeyUsageextension;3.Certificatesforinfrastructurepurposes(administrativerolecertificates,internalCAoperationaldevicecertificates);and4.CertificatesforOCSPResponseverification.

PrivateKeyscorrespondingtoSubordinateCAorCrossCertificatesMUSTNOTsignCertificatesunlesstheCertificatetobesignedcontainsoneofthefollowingOIDsasthesoleKeyPurposeIdintheextendedKeyUsageextension:a.id-kp-BrandIndicatorforMessageIdentification(OID:1.3.6.1.5.5.7.3.31);orb.id-kp-OCSPSigning(OID:1.3.6.1.5.5.7.3.9)

6.2. PRIVATEKEYPROTECTIONANDCRYPTOGRAPHICMODULEENGINEERINGCONTROLS

TheCASHALLimplementphysicalandlogicalsafeguardstopreventunauthorizedcertificateissuance.ProtectionoftheCAPrivateKeyoutsidethevalidatedsystemordevicespecifiedaboveMUSTconsistofphysicalsecurity,encryption,oracombinationofboth,implementedinamannerthatpreventsdisclosureoftheCAPrivateKey.TheCASHALLencryptitsPrivateKeywithanalgorithmandkey-lengththat,accordingtothestateoftheart,arecapableofwithstandingcryptanalyticattacksfortheresiduallifeoftheencryptedkeyorkeypart.

6.2.1. CryptographicModuleStandardsandControlsNostipulation.

6.2.2. PrivateKey(noutofm)Multi-personControlNostipulation.

6.2.3. PrivateKeyEscrowNostipulation.

6.2.4. PrivateKeyBackup


SeeSection5.2.2.

6.2.5. PrivateKeyArchivalPartiesotherthantheSubordinateCASHALLNOTarchivetheSubordinateCAPrivateKeyswithoutauthorizationbytheSubordinateCA.

6.2.6. PrivateKeyTransferintoorfromaCryptographicModuleIftheIssuingCAgeneratedthePrivateKeyonbehalfoftheSubordinateCA,thentheIssuingCASHALLencryptthePrivateKeyfortransporttotheSubordinateCA.IftheIssuingCAbecomesawarethataSubordinateCA’sPrivateKeyhasbeencommunicatedtoanunauthorizedpersonoranorganizationnotaffiliatedwiththeSubordinateCA,thentheIssuingCASHALLrevokeallcertificatesthatincludethePublicKeycorrespondingtothecommunicatedPrivateKey.

6.2.7. PrivateKeyStorageonCryptographicModuleTheCASHALLprotectitsPrivateKeyinasystemordevicethathasbeenvalidatedasmeetingatleastFIPS140level3oranappropriateCommonCriteriaProtectionProfileorSecurityTarget,EAL4(orhigher),whichincludesrequirementstoprotectthePrivateKeyandotherassetsagainstknownthreats.

6.2.8. ActivatingPrivateKeysNostipulation.

6.2.9. DeactivatingPrivateKeysNostipulation.

6.2.10. DestroyingPrivateKeysNostipulation.

6.2.11. CryptographicModuleCapabilitiesNostipulation.

6.3. OTHERASPECTSOFKEYPAIRMANAGEMENT

6.3.1. PublicKeyArchivalNostipulation.

6.3.2. CertificateOperationalPeriodsandKeyPairUsagePeriodsThemaximumvalidityperiodMUSTNOTexceed398days.IfanApplicantisalicenseeofaRegisteredMarkorWordMarkratherthantheRegistrant,theexpirationdateofthecertificateSHALLhaveanexpirationdatethatisnolaterthanthefinalexpirationdateofthelicenseheldbytheApplicanttousetheRegisteredMarkorWordMark,whichSHALLbeconfirmedbytheCAduringtheverificationprocess.

6.4. ACTIVATIONDATA

6.4.1. ActivationdatagenerationandinstallationNostipulation.

6.4.2. Activationdataprotection


Nostipulation.

6.4.3. OtheraspectsofactivationdataNostipulation.

6.5. COMPUTERSECURITYCONTROLS

6.5.1. SpecificComputerSecurityTechnicalRequirementsTheCASHALLenforcemulti-factorauthenticationforallaccountscapableofdirectlycausingcertificateissuance.

6.5.2. ComputerSecurityRatingNostipulation.

6.6. LIFECYCLETECHNICALCONTROLS

6.6.1. SystemdevelopmentcontrolsNostipulation.

6.6.2. SecuritymanagementcontrolsNostipulation.

6.6.3. LifecyclesecuritycontrolsNostipulation.

6.7. NETWORKSECURITYCONTROLS

Nostipulation.

6.8. TIME-STAMPING

Nostipulation.

7. CERTIFICATE,CRL,ANDOCSPPROFILES

7.1. CERTIFICATEPROFILE

VerifiedMarkCertificatesSHALLcomplywiththeVerifiedMarkCertificateprofilerequirementssetoutinthissection.CAsSHALLonlyissueVerifiedMarkCertificatesfromadedicatedsub-CAthatcontainstheEKUspecifiedinsection7.1.2.2(f).TheCASHALLalsomeetthetechnicalrequirementssetforthinSection2.2–PublicationofInformation,Section6.1.5–KeySizes,andSection6.1.6–PublicKeyParametersGenerationandQualityChecking.CAsSHALLgeneratenon-sequentialCertificateserialnumbersgreaterthanzero(0)containingatleast64bitsofoutputfromaCSPRNG.


7.1.1. VersionNumber(s)CertificatesMUSTbeoftypeX.509v3.

7.1.2. CertificateContentandExtensions;ApplicationofRFC5280ThissectionspecifiestheadditionalrequirementsforCertificatecontentandextensionsforCertificates.

7.1.2.1. RootCACertificatea. basicConstraints

ThisextensionMUSTappearasacriticalextension.ThecAfieldMUSTbesettrue.ThepathLenConstraintfieldSHOULDNOTbepresent.

b. keyUsage

ThisextensionMUSTbepresentandMUSTbemarkedcritical.BitpositionsforkeyCertSignandcRLSignMUSTbeset.IftheRootCAPrivateKeyisusedforsigningOCSPresponses,thenthedigitalSignaturebitMUSTbeset.

c. certificatePolicies

ThisextensionSHOULDNOTbepresent.

d. extendedKeyUsageThisextensionMUSTNOTbepresent.

7.1.2.2. SubordinateCACertificatea. certificatePolicies

ThisextensionMUSTbepresentandSHOULDNOTbemarkedcritical.TheCAMUSTincludeCertificatePolicyOIDsinSubordinateCACertificates,asspecifiedfromoneofthefollowingtwooptions:

1) BothofthefollowingOIDs,asspecified:a. ThefirstcertificatepoliciesvaluecontainsanidentifierthatnamestheCA’s

CertificationPracticeStatement(CPS)applicabletotheVerifiedMarkCertificate,togetherwithaURLforthewebpagewheretheCertificationPracticeStatementcanbepubliclyreviewed.TheCACPSidentifieristhePolicyIdentifierofthecertificatepoliciesextension.TheCACPSURLisappendedasaCPSpointerqualifier.

b. ThesecondcertificatepoliciesvaluecontainsaVerifiedMarkCertificateGeneralPolicyIdentifier(1.3.6.1.4.1.53087.1.1)whichindicatesadherencetoandcompliancewiththeseVMCRequirementsandtheVMCTerms.ThisidentifierisassignedtothePolicyIdentifierofthecertificatepoliciesextension.

2) anyPolicy(2.5.29.32.0).TheanyPolicyPolicyOIDMUSTNOTbeincludediftheSubordinateCAisnotcontrolledbytheRootCA.

b. cRLDistributionPoints

ThisextensionMUSTbepresentandMUSTNOTbemarkedcritical.ItMUSTcontaintheHTTPURLoftheCA’sCRLservice.

c. authorityInformationAccess

ThisextensionSHOULDbepresentandMUSTNOTbemarkedcritical.ItSHOULDcontaintheHTTPURLoftheIssuingCA’scertificate(accessMethod=1.3.6.1.5.5.7.48.2).ItMAYcontaintheHTTPURLoftheIssuingCA’sOCSPresponder(accessMethod=1.3.6.1.5.5.7.48.1).

d. basicConstraints


ThisextensionMUSTbepresentandMUSTbemarkedcritical.ThecAfieldMUSTbesettrue.ThepathLenConstraintfieldMAYbepresent.

e. keyUsage

ThisextensionMUSTbepresentandMUSTbemarkedcritical.BitpositionsforkeyCertSignandcRLSignMUSTbeset.IftheSubordinateCAPrivateKeyisusedforsigningOCSPresponses,thenthedigitalSignaturebitMUSTbeset.

f. extkeyUsage

TheExtendedKeyUsageextension[RFC5280]MUSTbepresentandMUSTcontainid-kp-BrandIndicatorforMessageIdentification(OID:1.3.6.1.5.5.7.3.31)asspecifiedinSection7oftheIETFInternet-Draftathttps://tools.ietf.org/html/draft-chuang-bimi-certificate-00.ThisindicatestheapplicationoftheVerifiedMarkCertificateProfile.OtherKeyPurposeIdsMUSTNOTbeincluded.ThisextensionSHOULDbemarkednon-critical.

7.1.2.3. SubscriberCertificatea. certificatePolicies

ThisextensionMUSTbepresentandSHOULDNOTbemarkedcritical.certificatePolicies:policyIdentifier(Required)EachVerifiedMarkCertificateissuedbytheCAtoaSubscriberSHALLbeidentifiedbythepresenceofthefollowingVerifiedMarkCertificateOIDsinthecertificate’scertificatePoliciesextensionthat:

(i) indicatewhichCApolicystatementrelatestothatCertificate,(ii) asserttheCA'sadherencetoandcompliancewiththeseVMCRequirementsandassert

therequirementofadherencetoandcompliancewiththeVMCTermsasaconditionofissuanceoftheVerifiedMarkCertificate.

ThefirstcertificatepoliciesvaluecontainsanidentifierthatnamestheCA’sCertificationPracticeStatement(CPS)applicabletotheVerifiedMarkCertificate,togetherwithaURLforthewebpagewheretheCertificationPracticeStatementcanbepubliclyreviewed.TheCACPSidentifieristhePolicyIdentifierofthecertificatepoliciesextension.TheCACPSURLisappendedasaCPSpointerqualifier.ThesecondcertificatepoliciesvaluecontainsaVerifiedMarkCertificateGeneralPolicyIdentifier(1.3.6.1.4.1.53087.1.1)whichindicatesadherencetoandcompliancewiththeseVMCRequirementsandtheVMCTerms.ThisidentifierisassignedtothePolicyIdentifierofthecertificatepoliciesextension.

b. cRLDistributionPoints

ThisextensionMUSTbepresent.ItMUSTNOTbemarkedcritical,anditMUSTcontaintheHTTPURLoftheCA’sCRLservice.

c. authorityInformationAccess

ThisextensionSHOULDbepresent.ItMUSTNOTbemarkedcritical,anditSHOULDcontaintheHTTPURLoftheIssuingCA’scertificate(accessMethod=1.3.6.1.5.5.7.48.2)..ItMAYcontaintheHTTPURLoftheIssuingCA’sOCSPresponder(accessMethod=1.3.6.1.5.5.7.48.1).

d. basicConstraints(optional)

ThecAfieldMUSTNOTbetrue.


e. keyUsage(optional)

Ifpresent,bitpositionsforkeyCertSignandcRLSignMUSTNOTbeset.

f. extKeyUsage(required)

TheExtendedKeyUsageextension[RFC5280]MUSTcontainid-kp-BrandIndicatorforMessageIdentification(OID:1.3.6.1.5.5.7.3.31)asspecifiedinSection7oftheIETFInternet-Draftathttps://tools.ietf.org/html/draft-chuang-bimi-certificate-00.ThisindicatestheapplicationoftheVerifiedMarkCertificateProfile.OtherKeyPurposeIdsMUSTNOTbeincluded.ThisisREQUIRED,andtheextensionSHOULDbemarkednon-critical.

g. signedCertificateTimestampList(OID:1.3.6.1.4.1.11129.2.4.2)VerifiedMarkCertificatespre-certificatesMUSTbeloggedtoatleastoneofwell-knownCertificateTransparency(CT)logs[RFC6962]whichthenprovideSignedCertificateTimestamps(SCT).TheSCTmustbeaddedtotheCertificateTransparencyextensionasaSignedCertificateTimestampListencodedasanoctetstring[RFC6962section3.3].TheAuthindicatorsWorkingGroupmaintainsalistofacceptableCTlogs,andthecurrentlistisattachedasAppendixF.ThisisREQUIRED,andSHOULDNOTbemarkedcritical.

h. logotypeextension(OID:1.3.6.1.5.5.7.1.12)

TheextensionMUST:• containsubjectLogowithaLogotypeDataelement[RFC3709]containingtheMark

RepresentationassertedbytheSubjectoftheVerifiedMarkCertificateandverifiedbytheCA.• embedtheimageelementin“data:”URLasdefinedinRFC6170section4.• TheMarkRepresentationMUST:• embeddedsecuredSVGimage[RFC6170]• usetheSVGTinyPSprofiletosecuretheSVG• becompressed• followotherrequirementssetforthin[RFC6170section5.2]TheMarkRepresentationMUSTNOTcontain<script>tags.AdditionallytheAuthindicatorsWorkingGrouphaspublishedaSVGTinyPSGuidelinesdocumentaswellasaRNCtooltohelpvalidatetheSVG.TheVMCSVGisalsorequiredtofollowthosespecifications.ThelogotypeextensionisREQUIRED,andSHOULDbemarkednon-critical.TheCASHALLverifythattheApplicantprovidedMarkRepresentationmeetsthissecureprofile.

7.1.2.4. AllCertificatesAllotherfieldsandextensionsMUSTbesetinaccordancewithRFC5280.TheCASHALLNOTissueaCertificatethatcontainsakeyUsageflag,extendedKeyUsagevalue,Certificateextension,orotherdatanotspecifiedinsection7.1.2.1,7.1.2.2,or7.1.2.3unlesstheCAisawareofareasonforincludingthedataintheCertificate.CAsSHALLNOTissueaCertificatewith:

a. ExtensionsthatdonotapplyinthecontextofthepublicInternet(suchasanextendedKeyUsagevalueforaservicethatisonlyvalidinthecontextofaprivatelymanagednetwork),unless:i. suchvaluefallswithinanOIDarcforwhichtheApplicantdemonstratesownership,orii. theApplicantcanotherwisedemonstratetherighttoassertthedatainapubliccontext;or

b. semanticsthat,ifincluded,willmisleadaRelyingPartyaboutthecertificateinformationverifiedby

theCA(suchasincludingextendedKeyUsagevalueforasmartcard,wheretheCAisnotabletoverifythatthecorrespondingPrivateKeyisconfinedtosuchhardwareduetoremoteissuance).


7.1.2.5. ApplicationofRFC5280Forpurposesofclarification,aPrecertificate,asdescribedinRFC6962–CertificateTransparency,SHALLnotbeconsideredtobea“certificate”subjecttotherequirementsofRFC5280-InternetX.509PublicKeyInfrastructureCertificateandCertificateRevocationList(CRL)ProfileundertheseRequirements.

7.1.3. AlgorithmObjectIdentifiersCAsMUSTissueCertificatesusingonlythosealgorithmidentifierslistedinSection6.1.5.

7.1.4. NameForms

7.1.4.1. IssuerInformationThecontentoftheCertificateIssuerDistinguishedNamefieldMUSTmatchtheSubjectDNoftheIssuingCAtosupportNamechainingasspecifiedinRFC5280,section4.1.2.4.

7.1.4.2. SubjectInformation–SubscriberCertificatesByissuingtheCertificate,theCArepresentsthatitfollowedtheproceduresetforthinitsCertificatePolicyand/orCertificationPracticeStatementtoverifythat,asoftheCertificate’sissuancedate,alloftheSubjectInformationwasaccurate.CAsSHALLNOTincludeaDomainNameinaSubjectattributeexceptasspecifiedinSection3.2.2.4orSection3.2.2.5.SubjectattributesMUSTNOTcontainonlymetadatasuchas'.','-',and''(i.e.space)characters,and/oranyotherindicationthatthevalueisabsent,incomplete,ornotapplicable.

7.1.4.2.1. SubjectAlternativeNameExtensionRequiredContents:ThisextensionMUSTcontainatleastoneentry.EachentryMUSTbeadNSNamecontainingtheFully-QualifiedDomainName.TheCAMUSTconfirmthattheApplicantcontrolstheFully-QualifiedDomainNameorhasbeengrantedtherighttouseitbytheDomainNameRegistrant,asappropriate.CAsSHALLNOTissuecertificateswithasubjectAlternativeNameextensioncontaininganInternalName.EntriesinthedNSNameMUSTbeinthe"preferrednamesyntax",asspecifiedinRFC5280,andthusMUSTNOTcontainunderscorecharacters("_").

7.1.4.2.2. SubjectDistinguishedNameFieldsa. CertificateField:subject:commonName(OID2.5.4.3)

Required/Optional:Deprecated(Discouraged,butnotprohibited)Contents:ThecontentsMUSTeitherbethesameastheSubjectOrganizationNamedefinedinsection7.1.4.4.2(b),ortheWordMarkfielddefinedinsection7.1.4.4.2(p).

b. CertificateField:subject:organizationName(OID2.5.4.10)

RequiredContents:ThisfieldMUSTcontaintheSubject’sfulllegalorganizationnameaslistedintheofficialrecordsoftheIncorporatingorRegistrationAgencyintheSubject’sJurisdictionofIncorporationorRegistrationorasotherwiseverifiedbytheCAasprovidedherein.ACAMAYabbreviatetheorganizationprefixesorsuffixesintheorganizationname,e.g.,iftheofficialrecordshows“CompanyNameIncorporated”theCAMAYinclude“CompanyName,Inc.”


When abbreviating a Subject’s full legal name as allowed by this subsection, the CA MUST useabbreviationsthatarenotmisleadingintheJurisdictionofIncorporationorRegistration.Inaddition,anassumednameorDBAnameusedbytheSubjectMAYbeincludedatthebeginningofthisfield,providedthatitisfollowedbythefulllegalorganizationnameinparenthesis.If thecombinationofnamesor theorganizationnameby itselfexceeds64characters, theCAMAYabbreviatepartsoftheorganizationname,and/oromitnon-materialwordsintheorganizationnameinsuchawaythatthetextinthisfielddoesnotexceedthe64-characterlimit;providedthattheCAchecksthisfieldinaccordancewithsection3.2andaRelyingPartywillnotbemisledintothinkingthattheyaredealingwithadifferentorganization.Incaseswherethisisnotpossible,theCAMUSTNOTissuetheVerifiedMarkCertificate.

c. CertificateField:Numberandstreet:subject:streetAddress(OID:2.5.4.9)OptionalContents:Thesubject:streetAddressfieldMUSTcontaintheSubject’sstreetaddressinformationasverifiedunderSection3.2.

d. CertificateField:subject:localityName(OID:2.5.4.7)

Requiredifthesubject:stateOrProvinceNamefieldisabsent.Optionalifthesubject:stateOrProvinceNamefieldispresent.Contents:Ifpresent,thesubject:localityNamefieldMUSTcontaintheSubject’slocalityinformationasverifiedunderSection3.2.Ifthesubject:countryNamefieldspecifiestheISO3166-1user-assignedcodeofXXinaccordancewithSection7.1.4.2.2(g),thelocalityNamefieldMAYcontaintheSubject’slocalityand/orstateorprovinceinformationasverifiedunderSection3.2.2.1.

e. CertificateField:subject:stateOrProvinceName(OID:2.5.4.8)Requiredifthesubject:localityNamefieldisabsent.Optionalifthesubject:localityNamefieldispresent.Contents:Ifpresent,thesubject:stateOrProvinceNamefieldMUSTcontaintheSubject’sstateorprovinceinformationasverifiedunderSection3.2.Ifthesubject:countryNamefieldspecifiestheISO3166-1user-assignedcodeofXXinaccordancewithSection7.1.4.2.2(g),thesubject:stateOrProvinceNamefieldMAYcontainthefullnameoftheSubject’scountryinformationasverifiedunderSection3.2.2.1.

f. CertificateField:subject:postalCode(OID:2.5.4.17)OptionalContents:Thesubject:postalCodefieldMUSTcontaintheSubject’sziporpostalinformationasverifiedunderSection3.2.2.1.

g. CertificateField:subject:countryName(OID:2.5.4.6))RequiredContents:Thesubject:countryNameMUSTcontainthetwo-letterISO3166-1countrycodeassociatedwiththelocationoftheSubjectverifiedunderSection3.2.2.1..IfaCountryisnotrepresentedbyanofficialISO3166-1countrycode,theCAMAYspecifytheISO3166-1user-assignedcodeofXXindicatingthatanofficialISO3166-1alpha-2codehasnotbeenassigned.

h. CertificateField:subject:organizationalUnitName(OID:2.5.4.11)

OptionalTheOrganizationalUnitNamefieldspecifiesanorganizationalunit.Itidentifiesanorganizationalunitwithwhichthecertificateisaffiliated.ThedesignatedorganizationalunitisunderstoodtobepartofanorganizationdesignatedbyanorganizationNamefield.ThevalueforOrganizationalUnitNameisastringchosenbytheorganizationofwhichitispart(e.g.,OU="TechnologyDivision").SeeISO/IEC9594-6:2014(E)Rec.ITU-TX.520(10/2012).


i. CertificateField:subject:businessCategory(OID:2.5.4.15)RequiredContents:ThisfieldMUSTcontainoneofthefollowingstrings:"PrivateOrganization","GovernmentEntity","BusinessEntity",or"Non-CommercialEntity"dependinguponwhethertheSubjectqualifiesunderthetermsofSection3.2.11,2,3,or4oftheseRequirements,respectively.

j. Certificatefields:

Locality(ifrequired):subject:jurisdictionLocalityName(OID:1.3.6.1.4.1.311.60.2.1.1)

Stateorprovince(ifrequired): subject:jurisdictionStateOrProvinceName(OID:1.3.6.1.4.1.311.60.2.1.2)

Country:subject:jurisdictionCountryName(OID:1.3.6.1.4.1.311.60.2.1.3)

RequiredContents:ThesefieldsMUSTNOTcontaininformationthatisnotrelevanttotheleveloftheIncorporatingAgencyorRegistrationAgency.Forexample,theJurisdictionofIncorporationforanIncorporatingAgencyorJurisdictionofRegistrationforaRegistrationAgencythatoperatesatthecountrylevelMUSTincludethecountryinformationbutMUSTNOTincludethestateorprovinceorlocalityinformation.Similarly,thejurisdictionfortheapplicableIncorporatingAgencyorRegistrationAgencyatthestateorprovincelevelMUSTincludebothcountryandstateorprovinceinformation,butMUSTNOTincludelocalityinformation.And,thejurisdictionfortheapplicableIncorporatingAgencyorRegistrationAgencyatthelocalitylevelMUSTincludethecountryandstateorprovinceinformation,wherethestateorprovinceregulatestheregistrationoftheentitiesatthelocalitylevel,aswellasthelocalityinformation.CountryinformationMUSTbespecifiedusingtheapplicableISOcountrycode.Stateorprovinceorlocalityinformation(whereapplicable)fortheSubject’sJurisdictionofIncorporationorRegistrationMUSTbespecifiedusingthefullnameoftheapplicablejurisdiction.

k. Certificatefield:Subject:serialNumber(OID:2.5.4.5)RequiredContents:ForPrivateOrganizations,thisfieldMUSTcontaintheRegistration(orsimilar)NumberassignedtotheSubjectbytheIncorporatingorRegistrationAgencyinitsJurisdictionofIncorporationorRegistration,asappropriate.IftheJurisdictionofIncorporationorRegistrationdoesnotprovideaRegistrationNumber,thenthedateofIncorporationorRegistrationSHALLbeenteredintothisfieldinanyoneofthecommondateformats.ForGovernmentEntitiesthatdonothaveaRegistrationNumberorreadilyverifiabledateofcreation,theCASHALLenterappropriatelanguagetoindicatethattheSubjectisaGovernmentEntity.ForBusinessEntities,theRegistrationNumberthatwasreceivedbytheBusinessEntityupongovernmentregistrationSHALLbeenteredinthisfield.ForthoseBusinessEntitiesthatregisterwithanIncorporatingAgencyorRegistrationAgencyinajurisdictionthatdoesnotissuenumberspursuanttogovernmentregistration,thedateoftheregistrationSHALLbeenteredintothisfieldinanyoneofthecommondateformats.

l. CertificateField:Subject:legalEntityIdentifier(OID:1.3.6.1.4.1.53087.1.5)Optional:Contents:Containsa20-characteralphanumericLEIstringfromavalidregistration.Thevalidationprocessisasfollows:1)ThisinformationSHALLbevalidatedbymatchingtheorganizationnameandregistrationnumberfoundintheGlobalLEIIndexagainsttheSubjectOrganizationNameField(seeVerifiedMarkRequirementsSection7.1.4.4.2(b))andSubjectSerialNumberField(seeVerifiedMarkRequirementsSection71.4.4.2(k))withinthecontextofthesubject’sjurisdictionasspecifiedin


VerifiedMarkRequirementsSection7.1.4.4.2(j))TheaddressinformationfromVerifiedMarkvalidationSHALLbecomparedtotheHeadquartersAddressinformationintheLEIrecordinordertodetectpotentialmatchingerrorsorerrorsintheregistrationinformation.Iftheaddressesdonotmatch,theCAwillattempttovalidatetheaddressfoundintheLEIrecordasaconfirmedofficelocationfortheSubscriber,ifpossible.3)TheCASHALLverifythattheValidationSourcesfieldoftheassociatedLEIrecordcontainsthedesignationFULLY_CORROBORATEDbeforeincludinganLEIinaVMC.

m. Certificatefield:Subject:trademarkCountryOrRegionName(OID:1.3.6.1.4.1.53087.1.3)

RequirediftheCertificatecontainsaMarkverifiedinaccordancewithSection3.2.16.1;ProhibitedotherwiseContents:ThisstringvalueidentifiesthecountryorregionoftheTrademarkOfficethatregisteredtheRegisteredMarkasanWIPOST.3twolettercountryandintergovernmental/regionalagencycode(seelistathttp://www.wipo.int/export/sites/www/standards/en/pdf/03-03-01.pdf).RegionalagenciessuchastheAfricanRegionalIntellectualPropertyOrganization(ARIPO)(AP),BeneluxOfficeforIntellectualProperty(BOIP)(BX,)EuropeanUnionIntellectualPropertyOffice(EUIPO)(EM),andAfricanIntellectualPropertyOrganization(OA)SHALLbeencodedusingtheir2-lettercodesinthisfield.

n. Certificatefield:Subject:trademarkOfficeName(OID:1.3.6.1.4.1.53087.1.2)

RequirediftheCertificatecontainsaMarkverifiedinaccordancewithSection3.2.16.1andtheapplicablecountry/regionhasmorethanonenational/regionalintellectualpropertyagencywheretrademarkscanberegistered;optionaliftheCertificateotherwisecontainsaMarkverifiedinaccordancewithSection3.2.16.1Contents:ThisstringvalueidentifiestheTrademarkOfficebyinsertingtheURLlistedinthe“Website”columnortheTrademarkOfficenamelistedinthe“Office”columnintheWIPOdirectoryofcountryandregionalintellectualpropertyagenciesathttps://www.wipo.int/directory/en/urls.jspfortheTrademarkOfficethatregisteredtheRegisteredMarkincludedintheVerifiedMarkCertificate.Effective2022-07-01,theNamefortheTrademarkOfficeSHALLbeencodedinthisfieldandtheURLfortheTrademarkOfficeSHALLNOTbeencodedinthisfield.

o. Certificatefield:Subject:trademarkRegistration(OID:1.3.6.1.4.1.53087.1.4)

RequirediftheCertificatecontainsaMarkverifiedinaccordancewithSection3.2.16.1;ProhibitedotherwiseContents:ThisstringvaluecontainstheregistrationnumbergivenbytheTrademarkOfficetoidentifytheRegisteredMark.ThisfieldisREQUIRED.

p. Certificatefield:Subject:wordMark(OID:1.3.6.1.4.1.53087.1.6)

OptionalContents:ContainsaWordMarkortheword(s)includedinaCombinedMark.

q. Certificatefield: Subject:organizationIdentifier(OID:2.5.4.97)OptionalContents:Ifpresent,thisfieldMUSTcontainaRegistrationReferenceforaLegalEntityassignedinaccordancetotheidentifiedRegistrationScheme.TheorganizationIdentifierMUSTbeencodedasaPrintableStringorUTF8String.TheRegistrationSchemeMUSTbeidentifiedusingtheusingthefollowingstructureinthepresented

order:• 3characterRegistrationSchemeidentifier;• 2characterISO3166countrycodeforthenationinwhichtheRegistrationSchemeisoperated,

oriftheschemeisoperatedgloballyISO3166code"XG"SHALLbeused;• FortheNTRRegistrationSchemeidentifier,ifrequiredunderSection9.2.4,a2characterISO

3166-2identifierforthesubdivision(stateorprovince)ofthenationinwhichtheRegistrationSchemeisoperated,precededbyplus"+"(0x2B(ASCII),U+002B(UTF-8));


• ahyphen-minus"-"(0x2D(ASCII),U+002D(UTF-8));• RegistrationReferenceallocatedinaccordancewiththeidentifiedRegistrationSchemeNote:RegistrationReferencesMAYcontainhyphens,butRegistrationSchemes,ISO3166countrycodes,andISO3166-2identifiersdonot.Thereforeifmorethanonehyphenappearsinthestructure,theleftmosthyphenisaseparator,andtheremaininghyphensarepartoftheRegistrationReference.Asinsection7.1.4.4.2(j),thespecifiedlocationinformationMUSTmatchthescopeoftheregistration

beingreferenced.Examples:• NTRGB-12345678(NTRscheme,GreatBritain,UniqueIdentifieratCountrylevelis12345678)• NTRUS+CA-12345678(NTRScheme,UnitedStates-California,UniqueidentifieratStatelevelis

12345678)• VATDE-123456789(VATScheme,Germany,UniqueIdentifieratCountryLevelis12345678)• PSDBE-NBB-1234.567.890(PSDScheme,Belgium,NCA'sidentifierisNBB,SubjectUnique

IdentifierassignedbytheNCAis1234.567.890)RegistrationSchemeslistedinAppendixJarecurrentlyrecognizedasvalidundertheseguidelines.TheCASHALL:1. confirmthattheorganizationrepresentedbytheRegistrationReferenceisthesameasthe

organizationnamedintheorganizationNamefieldasspecifiedinSection7.1.4.4.2(b)withinthecontextofthesubject’sjurisdictionasspecifiedinSection7.1.4.4.2(j);

2. furtherverifytheRegistrationReferencematchesotherinformationverifiedinaccordancewithsection3.2;

3. takeappropriatemeasurestodisambiguatebetweendifferentorganizationsasdescribedinAppendixJforeachRegistrationScheme;

4. ApplythevalidationrulesrelevanttotheRegistrationSchemeasspecifiedinAppendixJ.

r. Certificatefield: Subject:markType(OID:1.3.6.1.4.1.53087.1.13)OptionalforCertificatesissuedpriorto2022-07-01thatcontainMarksverifiedinaccordancewithSection3.2.16.1;RequiredotherwiseContents:IftheCertificatecontainsaMarkverifiedinaccordancewithSection3.2.16.1,thenthisfieldMUSTcontainthestring“RegisteredMark”.IftheCertificatescontainsaMarkverifiedinaccordancewithSection3.2.16.2,thenthisfieldMUSTcontainthestring“GovernmentMark”.AnyothervaluesMUSTNOTbeincluded.

s. Certificatefields:Locality(ifrequired):

subject:statuteLocalityName(OID:1.3.6.1.4.1.53087.3.4)Stateorprovince(ifrequired):

subject:statuteStateOrProvinceName(OID:1.3.6.1.4.1.53087.3.3)Country:

subject:statuteCountryName(OID:1.3.6.1.4.1.53087.3.2)RequirediftheCertificatecontainsaMarkverifiedinaccordancewithSection3.2.16.2;ProhibitedotherwiseContents:CertificatesMUSTNOTcontainthesefieldsunlesstheyarerelevanttotheleveloftheGovernmentEntityorNon-CommercialEntity(InternationalOrganization)thatestablishedtheGovernmentMarkthroughstatute,regulation,treaty,orgovernmentaction.Forexample,thejurisdictionforaGovernmentEntityorNon-CommercialEntity(InternationalOrganization)thatoperatesatthecountrylevelMUSTincludethestatuteCountryfieldbutMUSTNOTincludethestatuteStateOrProvinceandstatuteLocalityfields.Similarly,thejurisdictionfortheapplicableGovernmentEntityorNon-CommercialEntity(InternationalOrganization)atthestateorprovincelevelMUSTincludebothstatuteCountryandstatuteStateOrProvincefieldsbutMUSTNOTincludethestatuteLocalityfield.And,thejurisdictionfortheapplicableGovernmentEntityorNon-CommercialEntity(InternationalOrganization)atthelocalitylevelMUSTincludethestatuteCountryandstatuteStateOrProvincefields,wherethestateor


provinceregulatestheregistrationoftheentitiesatthelocalitylevel,aswellasthestatuteLocalityfield.statuteCountryfieldvaluesMUSTbespecifiedusingtheapplicableISOcountrycode.statuteStateOrProvinceandstatuteLocalityfieldvalues(whereapplicable)MUSTbespecifiedusingthefullnameoftheapplicablejurisdiction.

t. Certificatefield: Subject:statuteCitation(OID:1.3.6.1.4.1.53087.3.5)RequirediftheCertificatecontainsaMarkverifiedinaccordancewithSection3.2.16.2;ProhibitedotherwiseContents:IftheCertificatescontainsaMarkverifiedinaccordancewithSection3.2.16.2,thenthisfieldMUSTincludetheofficialstatute,regulation,treaty,orgovernmentactionbywhichtheGovernmentMarkwasgrantedorclaimed,asconfirmedbytheCA.Thefieldmaycontaincommonabbreviations,andSHOULDconform,ifpossible,toapplicablelegalguidelinesinthejurisdictionforhowsuchofficialstatutes,regulations,orgovernmentactionsarenormallycited(e.g.,“TheBluebook:AUniformSystemofCitation”orothersimilarstandardsystemofcitation.)Inaddition,theCAMAYincludebriefexplanatorytexttoassistRelyingPartiesinlocatingtheofficialstatute,regulation,treaty,orgovernmentactionbywhichtheGovernmentMarkwasgrantedorclaimed.

u. Certificatefield: Subject:statuteURL(OID:1.3.6.1.4.1.53087.3.6)OptionaliftheCertificatecontainsaMarkverifiedinaccordancewithSection3.2.16.2;Prohibitedotherwise

v. Contents: If present, this field MUST contain a HTTP/HTTPS URL where the official statute,regulation,treaty,orgovernmentactionbywhichtheGovernmentMarkwasgrantedorclaimedcanbefound.OtherSubjectAttributes

OtherattributesMAYbepresentwithinthesubjectfield.Ifpresent,otherattributesMUSTcontaininformationthathasbeenverifiedbytheCA.

7.1.4.3. SubjectInformation–RootCertificatesandSubordinateCACertificatesByissuingaSubordinateCACertificate,theCArepresentsthatitfollowedtheproceduresetforthinitsCertificatePolicyand/orCertificationPracticeStatementtoverifythat,asoftheCertificate’sissuancedate,alloftheSubjectInformationwasaccurate.

7.1.4.3.1. SubjectDistinguishedNameFieldsa.CertificateField:subject:commonName(OID2.5.4.3)

RequiredContents:ThisfieldMUSTbepresentandthecontentsSHOULDbeanidentifierforthecertificatesuchthatthecertificate'sNameisuniqueacrossallcertificatesissuedbytheissuingcertificate.

b.CertificateField:subject:organizationName(OID2.5.4.10)

RequiredContents:ThisfieldMUSTbepresentandthecontentsMUSTcontaineithertheSubjectCA’snameasverifiedunderSection3.2.TheCAmayincludeinformationinthisfieldthatdiffersslightlyfromtheverifiedname,suchascommonvariationsorabbreviations,providedthattheCAdocumentsthedifferenceandanyabbreviationsusedarelocallyacceptedabbreviations;e.g.,iftheofficialrecordshows“CompanyNameIncorporated”,theCAMAYuse“CompanyNameInc.”or“CompanyName”.

c.CertificateField:subject:countryName(OID:2.5.4.6)

RequiredContents:ThisfieldMUSTcontainthetwo-letterISO3166-1countrycodeforthecountryinwhichtheCA’splaceofbusinessislocated.


7.1.5. NameConstraintsCAsMUSTNOTincludethenameConstraintsextensioninCertificates.

7.1.6. CertificatePolicyObjectIdentifier7.1.6.1. RootCACertificatesARootCACertificateSHOULDNOTcontainthecertificatePoliciesextension.

7.1.6.2. SubordinateCACertificatesAsspecifiedin7.1.2.2(a).

7.1.6.3. SubscriberCertificatesAsspecifiedin7.1.2.3(a).

7.1.7. UsageofPolicyConstraintsExtensionNostipulation.

7.1.8. PolicyQualifiersSyntaxandSemanticsNostipulation.

7.1.9. ProcessingSemanticsfortheCriticalCertificatePoliciesExtensionNostipulation.

7.2. CRLPROFILE

7.2.1. Versionnumber(s)Nostipulation.

7.2.2. CRLandCRLentryextensionsNostipulation.

7.3. OCSPPROFILE

7.3.1. Versionnumber(s)Nostipulation.

7.3.2. OCSPextensionsNostipulation.

8. COMPLIANCEAUDITANDOTHERASSESSMENTSTheCASHALLatalltimes:

1. IssueCertificatesandoperate itsPKI inaccordancewithall lawapplicable to itsbusinessand theCertificatesitissuesineveryjurisdictioninwhichitoperates;

2. ComplywiththeseRequirements;3. Complywiththeauditrequirementssetforthinthissection;and4. BelicensedasaCAineachjurisdictionwhereitoperates,iflicensingisrequiredbythelawofsuch

jurisdictionfortheissuanceofCertificates.


8.1. FREQUENCYORCIRCUMSTANCESOFASSESSMENT

TheperiodduringwhichtheCAissuesCertificatesSHALLbedividedintoanunbrokensequenceofauditperiods.AnauditperiodMUSTNOTexceedoneyearinduration.

8.2. IDENTITY/QUALIFICATIONSOFASSESSOR

TheCA’sauditSHALLbeperformedbyaQualifiedPractitioner.AQualifiedPractitionermeansanaturalperson,LegalEntity,orgroupofnaturalpersonsorLegalEntitiesthatcollectivelypossessthefollowingqualificationsandskills:

1. Independencefromthesubjectoftheaudit;2. TheabilitytoconductanauditthataddressesthecriteriaspecifiedinanEligibleAuditScheme(see

Section8.4);3. EmploysindividualswhohaveproficiencyinexaminingPublicKeyInfrastructuretechnology,

informationsecuritytoolsandtechniques,informationtechnologyandsecurityauditing,andthethird-partyattestationfunction;

4. QualifiedPractitionerenrolledintheWebTrustprogram;5. Boundbylaw,governmentregulation,orprofessionalcodeofethics;and6. MaintainsProfessionalLiability/Errors&Omissionsinsurancewithpolicylimitsofatleastone

millionUSdollarsincoverage.

8.3. ASSESSOR'SRELATIONSHIPTOASSESSEDENTITY

Nostipulation.

8.4. TOPICSCOVEREDBYASSESSMENT

TheCASHALLundergoanauditinaccordancewithoneofthefollowingschemes:1. “WebTrustforCAsv2.0ornewer”AND“WebTrustPrinciplesandCriteriaforCertification

Authorities–VerifiedMarkCertificates”TheauditschemeMUSTincorporateperiodicmonitoringand/oraccountabilityprocedurestoensurethatitsauditscontinuetobeconductedinaccordancewiththerequirementsofthescheme.TheauditMUSTbeconductedbyaQualifiedPractitioner,asspecifiedinSection8.2.

8.5. ACTIONSTAKENASARESULTOFDEFICIENCY

Nostipulation.

8.6. COMMUNICATIONOFRESULTS

TheAuditReportSHALLstateexplicitlythatitcoverstherelevantsystemsandprocessesusedintheissuanceofallCertificatesthatasserttheVMCpolicyidentifierOID(1.3.6.1.4.1.53087.1.1).TheCASHALLmaketheAuditReportpubliclyavailable.TheCAisnotrequiredtomakepubliclyavailableanygeneralauditfindingsthatdonotimpacttheoverallauditopinion.TheCASHOULDmakeitsAuditReportpubliclyavailablenolaterthanthreemonthsaftertheendoftheauditperiod.Intheeventofadelaygreaterthanthreemonths,andifsorequestedbyanApplicationSoftwareSupplier,theCASHALLprovideanexplanatorylettersignedbytheQualifiedPractitioner.


8.7. SELF-AUDITS

DuringtheperiodinwhichtheCAissuesCertificates,theCASHALLmonitoradherencetoitsCertificatePolicy,CertificationPracticeStatementandtheseRequirementsandstrictlycontrolitsservicequalitybyperformingselfauditsonatleastaquarterlybasisagainstarandomlyselectedsampleofthegreaterofonecertificateoratleastthreepercentoftheCertificatesissuedbyitduringtheperiodcommencingimmediatelyafterthepreviousself-auditsamplewastaken.

9. OTHERBUSINESSANDLEGALMATTERS

9.1. FEES

9.1.1. CertificateissuanceorrenewalfeesNostipulation.

9.1.2. CertificateaccessfeesNostipulation.

9.1.3. RevocationorstatusinformationaccessfeesNostipulation.

9.1.4. FeesforotherservicesNostipulation.

9.1.5. RefundpolicyNostipulation.

9.2. FINANCIALRESPONSIBILITY

9.2.1. InsurancecoverageNostipulation.

9.2.2. OtherassetsNostipulation.

9.2.3. Insuranceorwarrantycoverageforend-entitiesNostipulation.

9.3. CONFIDENTIALITYOFBUSINESSINFORMATION

9.3.1. ScopeofconfidentialinformationNostipulation.

9.3.2. InformationnotwithinthescopeofconfidentialinformationNostipulation.


9.3.3. ResponsibilitytoprotectconfidentialinformationNostipulation.

9.4. PRIVACYOFPERSONALINFORMATION

9.4.1. PrivacyplanNostipulation.

9.4.2. InformationtreatedasprivateNostipulation.

9.4.3. InformationnotdeemedprivateNostipulation.

9.4.4. ResponsibilitytoprotectprivateinformationNostipulation.

9.4.5. NoticeandconsenttouseprivateinformationNostipulation.

9.4.6. DisclosurepursuanttojudicialoradministrativeprocessNostipulation.

9.4.7. OtherinformationdisclosurecircumstancesNostipulation.

9.5. INTELLECTUALPROPERTYRIGHTS

Nostipulation.

9.6. REPRESENTATIONSANDWARRANTIES

9.6.1. CARepresentationsandWarrantiesByissuingaCertificate,theCAmakesthecertificatewarrantieslistedhereintothefollowingCertificateBeneficiaries:

1. TheSubscriberthatisapartytotheSubscriberAgreementorTermsofUsefortheCertificate;2. AllApplicationSoftwareSupplierswithwhomtheRootCAhasenteredintoacontractforinclusionof

itsRootCertificateinsoftwaredistributedbysuchApplicationSoftwareSupplier;and3. AllRelyingPartieswhoreasonablyrelyonaValidCertificate.

TheCArepresentsandwarrantstotheCertificateBeneficiariesthat,duringtheperiodwhentheCertificateisvalid,theCAhascompliedwiththeseRequirementsanditsCertificatePolicyand/orCertificationPracticeStatementinissuingandmanagingtheCertificate.TheCertificateWarrantiesspecificallyinclude,butarenotlimitedto,thefollowing:

1. RighttoUseDomainName:That,atthetimeofissuance,theCA(i)implementedaprocedureforverifyingthattheApplicanteitherhadtherighttouse,orhadcontrolof,theDomainName(s)listedintheCertificate’ssubjectfieldandsubjectAltNameextension(orwasdelegatedsuchrightorcontrolbysomeone who had such right to use or control); (ii) followed the procedure when issuing the


Certificate; and (iii) accurately described the procedure in the CA’s Certificate Policy and/orCertificationPracticeStatement;

2. AuthorizationforCertificate:That,atthetimeofissuance,theCA(i)implementedaprocedureforverifying that the Subject authorized the issuance of the Certificate and that the ApplicantRepresentative is authorized to request the Certificate on behalf of the Subject; (ii) followed theprocedure when issuing the Certificate; and (iii) accurately described the procedure in the CA’sCertificatePolicyand/orCertificationPracticeStatement;

3. Accuracyof Information: That, at the time of issuance, the CA (i) implemented a procedure forverifyingtheaccuracyofalloftheinformationcontainedintheCertificate;(ii)followedtheprocedurewhenissuingtheCertificate;and(iii)accuratelydescribedtheprocedureintheCA’sCertificatePolicyand/orCertificationPracticeStatement;

4. Identity of Applicant: That, if the Certificate contains Subject Identity Information, the CA (i)implementedaproceduretoverifytheidentityoftheApplicantinaccordancewithSections3.2;(ii)followedtheprocedurewhenissuingtheCertificate;and(iii)accuratelydescribedtheprocedureintheCA’sCertificatePolicyand/orCertificationPracticeStatement;

5. SubscriberAgreement:That,iftheCAandSubscriberarenotAffiliated,theSubscriberandCAarepartiestoalegallyvalidandenforceableSubscriberAgreementthatsatisfiestheseRequirements,or,if the CA and Subscriber are the same entity or are Affiliated, the Applicant RepresentativeacknowledgedtheTermsofUse;

6. Status: That the CA maintains a 24 x 7 publicly-accessible Repository with current informationregardingthestatus(validorrevoked)ofallunexpiredCertificates;and

7. Revocation: That the CA will revoke the Certificate for any of the reasons specified in theseRequirements.

TheRootCASHALLberesponsiblefortheperformanceandwarrantiesoftheSubordinateCA,fortheSubordinateCA’scompliancewiththeseRequirements,andforallliabilitiesandindemnificationobligationsoftheSubordinateCAundertheseRequirements,asiftheRootCAweretheSubordinateCAissuingtheCertificates.

9.6.2. RARepresentationsandWarrantiesNostipulation.

9.6.3. SubscriberRepresentationsandWarrantiesTheCASHALLrequire,aspartoftheSubscriberAgreementorTermsofUse,thattheApplicantmakethecommitmentsandwarrantiesinthissectionforthebenefitoftheCAandtheCertificateBeneficiaries.PriortotheissuanceofaCertificate,theCASHALLobtain,fortheexpressbenefitoftheCAandtheCertificateBeneficiaries,either:

1. TheApplicant’sagreementtotheSubscriberAgreementwiththeCA,or2. TheApplicant’sacknowledgementoftheTermsofUse.

TheCASHALLimplementaprocesstoensurethateachSubscriberAgreementorTermsofUseislegallyenforceableagainsttheApplicant.Ineithercase,theAgreementMUSTapplytotheCertificatetobeissuedpursuanttothecertificaterequest.TheCAMAYuseanelectronicor"click-through"AgreementprovidedthattheCAhasdeterminedthatsuchagreementsarelegallyenforceable.AseparateAgreementMAYbeusedforeachcertificaterequest,orasingleAgreementMAYbeusedtocovermultiplefuturecertificaterequestsandtheresultingCertificates,solongaseachCertificatethattheCAissuestotheApplicantisclearlycoveredbythatSubscriberAgreementorTermsofUse.TheSubscriberAgreementorTermsofUseMUSTcontainprovisionsimposingontheApplicantitself(ormadebytheApplicantonbehalfofitsprincipaloragentunderasubcontractororhostingservicerelationship)thefollowingobligationsandwarranties:


1. AccuracyofInformation:AnobligationandwarrantytoprovideaccurateandcompleteinformationatalltimestotheCA,bothinthecertificaterequestandasotherwiserequestedbytheCAinconnectionwiththeissuanceoftheCertificate(s)tobesuppliedbytheCA;

2. AcceptanceofCertificate:AnobligationandwarrantythattheSubscriberwillreviewandverifytheCertificatecontentsforaccuracy;

3. Useof Certificate: Anobligation andwarranty to install theCertificate onlyon servers that areaccessible at the subjectAltName(s) listed in the Certificate, and to use the Certificate solely incompliancewithallapplicablelawsandsolelyinaccordancewiththeSubscriberAgreementorTermsofUse;

4. Reporting and Revocation: An obligation and warranty to promptly request revocation of theCertificate,andceaseusingit,ifanyinformationintheCertificateisorbecomesincorrectorinaccurate.

5. Responsiveness: Anobligation to respond to the CA’s instructions concerningCertificatemisusewithinaspecifiedtimeperiod.

6. AcknowledgmentandAcceptance: AnacknowledgmentandacceptancethattheCAisentitledtorevoke the certificate immediately if the Applicant were to violate the terms of the SubscriberAgreementorTermsofUseoriftheCAdiscoversthattheCertificateisbeingusedtoenablecriminalactivitiessuchasphishingattacks,fraud,orthedistributionofmalware.

9.6.4. RelyingPartyRepresentationsandWarrantiesNostipulation.

9.6.5. RepresentationsandWarrantiesofOtherParticipantsNostipulation.

9.7. DISCLAIMERSOFWARRANTIES

Nostipulation.

9.8. LIMITATIONSOFLIABILITY

IftheCAhasissuedandmanagedtheCertificateincompliancewiththeseRequirementsanditsCertificatePolicyand/orCertificationPracticeStatement,theCAMAYlimitliabilitytotheCertificateBeneficiariesoranyotherthirdpartiesforanylossessufferedasaresultofuseorrelianceonsuchCertificatebeyondthosespecifiedintheCA'sCertificatePolicyand/orCertificationPracticeStatement,pursuanttotheminimumliabilityrequirementbelow.IftheCAhasnotissuedormanagedtheCertificateincompliancewiththeseRequirementsanditsCertificatePolicyand/orCertificationPracticeStatement,theCAMAYseektolimititsliabilitytotheSubscriberandtoRelyingParties,regardlessofthecauseofactionorlegaltheoryinvolved,foranyandallclaims,lossesordamagessufferedasaresultoftheuseorrelianceonsuchCertificatebyanyappropriatemeansthattheCAdesires.IftheCAchoosestolimititsliabilityforCertificatesthatarenotissuedormanagedincompliancewiththeseRequirementsoritsCertificatePolicyand/orCertificationPracticeStatement,thentheCASHALLincludethelimitationsonliabilityintheCA’sCertificatePolicyand/orCertificationPracticeStatement,pursuanttotheminimumliabilityrequirementbelow.TheCAMAYNOTlimititsliabilitytoSubscribersorRelyingPartiesforlegallyrecognizedandprovableclaimstoamonetaryamountlessthantwothousandUSdollarsperSubscriberorRelyingPartyperVerifiedMarkCertificate.

9.9. INDEMNITIES

9.9.1. IndemnificationbyCAsNostipulation.


9.9.2. IndemnificationbySubscribersNostipulation.

9.9.3. IndemnificationbyRelyingPartiesNostipulation.

9.10. TERMANDTERMINATION

9.10.1. TermNostipulation.

9.10.2. TerminationNostipulation.

9.10.3. EffectofterminationandsurvivalNostipulation.

9.11. INDIVIDUALNOTICESANDCOMMUNICATIONSWITHPARTICIPANTS

Nostipulation.

9.12. AMENDMENTS

9.12.1. ProcedureforamendmentNostipulation.

9.12.2. NotificationmechanismandperiodNostipulation.

9.12.3. CircumstancesunderwhichOIDmustbechangedNostipulation.

9.13. DISPUTERESOLUTIONPROVISIONS

Nostipulation.

9.14. GOVERNINGLAW

Nostipulation.

9.15. COMPLIANCEWITHAPPLICABLELAW

Nostipulation.

9.16. MISCELLANEOUSPROVISIONS

9.16.1. EntireAgreementNostipulation.


9.16.2. AssignmentNostipulation.

9.16.3. SeverabilityIntheeventofaconflictbetweentheseRequirementsandalaw,regulationorgovernmentorder(hereinafter'Law')ofanyjurisdictioninwhichaCAoperatesorissuescertificates,aCAMAYmodifyanyconflictingrequirementtotheminimumextentnecessarytomaketherequirementvalidandlegalinthejurisdiction.ThisappliesonlytooperationsorcertificateissuancesthataresubjecttothatLaw.Insuchevent,theCASHALLimmediately(andpriortoissuingacertificateunderthemodifiedrequirement)includeinSection9.16.3oftheCA’sCPSadetailedreferencetotheLawrequiringamodificationoftheseRequirementsunderthissection,andthespecificmodificationtotheseRequirementsimplementedbytheCA.TheCAMUSTalso(priortoissuingacertificateunderthemodifiedrequirement)notifytheAuthindicatorsWorkingGroupoftherelevantinformationnewlyaddedtoitsCPSbysendingamessagetotheAuthindicatorsWorkingGroupandreceivingconfirmationthatithasbeenreceived,sothattheAuthindicatorsWorkingGroupmayconsiderpossiblerevisionstotheseRequirementsaccordingly.AnymodificationtoCApracticeenabledunderthissectionMUSTbediscontinuedifandwhentheLawnolongerapplies,ortheseRequirementsaremodifiedtomakeitpossibletocomplywithboththemandtheLawsimultaneously.Anappropriatechangeinpractice,modificationtotheCA’sCPSandanoticetotheAuthindicatorsWorkingGroup,asoutlinedabove,MUSTbemadewithin90days.

9.16.4. Enforcement(attorneys'feesandwaiverofrights)Nostipulation.

9.16.5. ForceMajeureNostipulation.

9.17. OTHERPROVISIONS

Nostipulation.


APPENDIXA–DNSCONTACTPROPERTIESThesemethodsallowdomainownerstopublishcontactinformationinDNSforthepurposeofvalidatingdomaincontrol.A.1.CAAMethodsA.1.1.CAAcontactemailPropertySYNTAX:contactemail<utf8emailaddress>TheCAAcontactemailpropertytakesanemailaddressasitsparameter.TheentireparametervalueMUSTbeavalidemailaddressasdefinedinsection3.4ofRFC5322andextendedbysection3.2ofRFC6532,withnoadditionalpaddingorstructure,oritcannotbeused.Thefollowingisanexamplewheretheholderofthedomainspecifiedthecontactpropertyusinganemailaddress.$ORIGINexample.com.CAA0contactemail"[email protected]"ThecontactemailpropertyMAYbecritical,ifthedomainownerdoesnotwantCAswhodonotunderstandittoissuecertificatesforthedomain.A.1.2.CAAcontactphonePropertySYNTAX:contactphone<rfc3966GlobalNumber>TheCAAcontactphonepropertytakesaphonenumberasitsparameter.TheentireparametervalueMUSTbeavalidGlobalNumberasdefinedinRFC3966section5.1.4,oritcannotbeused.GlobalNumbersMUSThaveapreceding+andacountrycodeandMAYcontainvisualseparators.Thefollowingisanexamplewheretheholderofthedomainspecifiedthecontactpropertyusingaphonenumber.$ORIGINexample.com.

CAA0contactphone"+1(555)123-4567"ThecontactphonepropertyMAYbecriticalifthedomainownerdoesnotwantCAswhodonotunderstandittoissuecertificatesforthedomain.A.2.DNSTXTMethodsA.2.1.DNSTXTRecordEmailContactTheDNSTXTrecordMUSTbeplacedonthe_validation-contactemailsubdomainofthedomainbeingvalidated.TheentireRDATAvalueofthisTXTrecordMUSTbeavalidemailaddressasdefinedinsection3.4ofRFC5322andextendedbysection3.2ofRFC6532,withnoadditionalpaddingorstructure,oritcannotbeused.A.2.2.DNSTXTRecordPhoneContact


TheDNSTXTrecordMUSTbeplacedonthe_validation-contactphonesubdomainofthedomainbeingvalidated.TheentireRDATAvalueofthisTXTrecordMUSTbeavalidGlobalNumberasdefinedinRFC3966section5.1.4,oritcannotbeused.


APPENDIXB– MAPPINGOFCOMBINED,DESIGN,ANDWORDMARKTERMINOLOGYTOTERMINOLOGYOFAUTHORIZEDTRADEMARKOFFICES


ThistableisincludedasanexampleofhowtomapthestandardsandterminologyoftheVerifiedMarkCertificatesRequirementstothestandardsandterminologyofsamplecountries.CAsshouldgenerallyfollowthesemappingexamplesfortrademarksissuedbyothercountries.

Country/Region

CombinedMark DesignMark WordMark

UnitedStates(US)1

MarkscomprisingwordsplusadesignarecodedasMarkDrawingCode3-DesignPlusWords,Letters,and/orNumbersMarkscomprisingstylizedlettersand/ornumeralswithnodesignfeaturearecodedasMarkDrawingCode5

SpecialFormDrawings.MarkscomprisingonlyadesignarecodedasMarkDrawingCode2-DesignOnly

StandardCharacterDrawings-Markscomprisingwords,letters,numbers,oranycombinationthereofwithoutclaimtoanyparticularfontstyle,size,orcolorarecodedasMarkDrawingCode4-StandardCharacterMark.[PriortoNovember2,2003,typeddrawings(seeTMEP§807.03(i))thesewerecodedasMarkDrawingCode1]

Canada(CA)2 CompositeMark DesignMark StandardCharacterTrademark

EuropeanUnion(EM)3

Type:Figurativemarkcontainingwordelements-Afigurativemarkconsistingofacombinationofverbalandfigurativeelements

Type:Figurativemark-Itisatrademarkwherenon-standardcharacters,stylisationorlayout,oragraphicfeatureoracolourareused,includingmarksthatconsistexclusivelyoffigurativeelements

Type:Wordmark-Awordmarkconsistsexclusivelyofwordsorletters,numerals,otherstandardtypographiccharactersoracombinationthereofthatcanbetyped

UnitedKingdom(GB)4

LogoMark5(Image) LogoMark(Image) WordMark6

1https://tmep.uspto.gov/RDMS/TMEP/current#/current/TMEP-800d1e2068.htmlhttp://www.lo101.com/mdc.html2https://trademark.witmart.com/canada/registration3https://euipo.europa.eu/ohimportal/en/trade-mark-definition4https://www.trademarkdirect.co.uk/blog/word-marks-logo-marks5Seehttps://trademarks.ipo.gov.uk/ipo-tmcase/page/Results/1/UK00002192618forBurgerKingcombinedmarkregistrationintheUK.Thesearchdropdownfieldonthesiteusestheterm“design”.Theregistrationdoesnotappeartocalloutthewordsinthecombinedmark,soMVAsmustextractthewordstoinsertintheVMCSec.4.5.2.4.4WordMarkfield.6Seehttps://trademarks.ipo.gov.uk/ipo-tmcase/page/Results/1/UK00001351798forwordmarkregistrationforBurgerKing.Thesearchdropdownfieldonthesiteusestheterm“word”.Theregistrationdoesnotappeartocalloutthewordsinthecombinedmark,soMVAsmustextractthewordstoinsertintheVMCSec.4.5.2.4.4WordMarkfield.NotethatUKtrademarkregistrationforwordmarksallows“series”ofthesamewordmarktobelistedinasingleregistration(wherewordsarearrangedindifferentconfigurations–linear,stacked–butalwaysreadthesamewaytoaconsumer).


Germany(DE)7

Combinedwordandfigurativemark(Wort-Bildmarke)-Combinedword/figurativemarksconsistofacombinationofwordelementsandgraphicalelements,orofwordsinletteringstyles.

FigurativeMark(Bildmarke)-arepictures,graphicalelementsorimages(withoutwordsorwordelements).

WordMark(Wortmarke)-aretrademarksthatconsistofwords,letters,numbersorothercharactersthatarepartofthestandardsetofcharactersusedbytheDeutschesPatentundMarkenamt(DPMA).

Japan(JP)8 Combined(結合商標) Symbol(記号商標)Figurative/GraphicTrademark(図形商標)Combined(結合商標)

WordOnly(文字商標)

Australia(AU)

FigurativeMark9 FigurativeMark10 WordMark11

Spain(ES)12 DeviceMark DeviceMark WordMark

7Englishdefinitionfromglossaryin:https://www.dpma.de/docs/dpma/veroeffentlichungen/broschueren/200129_bromarken_engl_nichtbarr.arm.pdfEnglish/Germanmappingisbylookingatthe"550Markenform"(Germanversion)of:https://register.dpma.de/register/htdocs/prod/en/hilfe/recherchefelder/marken/index.htmlandusingthelanguagetranslatortooltomaptoEnglish.Seealsosection“Whatisthedifferencebetweenawordmarkandacombinedword/figurativemarkorfigurativemark?”inhttps://www.dpma.de/english/trade_marks/faq/index.html8https://www.globalipdb.inpit.go.jp/jpowp/wp-content/uploads/2018/11/170c54c04df539b80e52f33800a1e643.pdfandhttps://www.jetro.go.jp/ext_images/world/asia/sg/ip/pdf/search_ip_communique2016.pdfAlsohttps://elaws.e-gov.go.jp/document?lawid=334AC00000001279Seehttps://search.ipaustralia.gov.au/trademarks/search/view/381026?s=9f1d9c31-769b-4472-a055-e8c636007f26Notethatregistrationshows“AMERICANSTANDARDIDEALSTANDARD”for“Words”field.10Seehttps://search.ipaustralia.gov.au/trademarks/search/view/373483?s=9f1d9c31-769b-4472-a055-e8c636007f26forDeltatrianglefigurativemarkregistration.Notethatregistrationshows“A”for“Words”field(unclear–aplaceholder?).11Seehttps://search.ipaustralia.gov.au/trademarks/search/view/723899?s=6f75163b-7cac-44f6-9784-7cf7496ceec0.Notethatregistrationshows“BURGERKING”for“Words”field12https://companiesinn.com/articles/different-types-trademark


APPENDIXC–AUTHORIZEDTRADEMARKOFFICESFORVMCS

ThisAppendixisintentionallyleftblank.


APPENDIXD-VMCTERMSOFUSE(“VMCTERMS”)AllMarkAssertingEntities(MAEs)arerequired,asaconditionofbeingissuedaVerifiedMarkCertificate,toagreetotheseVMCTerms.Anyandalluse,display,orrelianceonanyVerifiedMarkCertificate(andanyMarkRepresentationandanyotherdataorinformationtherein)byConsumingEntities,RelyingParties,andanyotherperson,issubjecttoandconditionaluponacceptanceoftheseVMCTerms.TheOID1.3.6.1.4.1.53087.1.1intheVerifiedMarkCertificateincorporatesbyreferencetheseVMCTerms.IfanypersondoesnotagreetotheseVMCTerms,suchpersonmaynotobtain,use,publish,orrelyuponanyVerifiedMarkCertificateoronanyMarkRepresentationoranyotherdataorinformationinaVerifiedMarkCertificate.1. Definitions.CapitalizedwordswillhavemeaningssetoutinSection1.6oftheVerifiedMarkCertificate

Requirements..2. LimitedRighttoReproduceandDisplay.TheMAEherebygrants,subjecttotheterms,conditionsand

restrictionsintheVMCRequirementsandtheseVMCTerms:2.1. totheIssuingCA,alimited,non-exclusive,worldwidelicensetoissueaVerifiedMarkCertificatethat

containstheVMCMarksandtologsaidcertificateinalimitednumberofCertificateTransparencyLogsasrequiredbytheVMCRequirements;and

2.2. toConsumingEntities,alimited,non-exclusive,worldwidelicensetousetheVMCMarksinconjunctionwithinternallogorecognitionsystems,andtohost,store,reproduce,display,process,andmodifyaspermittedbysection3.1theVMCMarksonlyindirectvisualassociationwithcommunications,correspondence,orservicesauthoredorprovidedbytheMAEfromorthroughoneofthesamedomainsincludedwithintheVerifiedMarkCertificate’sSubjectAlternativeNamefield;and

2.3. tocertificatetransparencylogoperatorsifdifferentfromtheIssuingCA,alimited,non-exclusive,worldwidelicensetoretainacopyofandtoreproducetheVerifiedMarkCertificatetosupportadurablepublicrecordofthoseissuedcertificates,andforthepurposeofpermittingmembersofthepublictoaudittheverificationofVerifiedMarkCertificates.

Nootherlicenseisgrantedtoanyotherparty,orforanyotheruse.3. LicenseRestrictionsandConditions.AnyConsumingEntitythatincorporatesorintendstoincorporate

theVMCMarksobtainedthroughanissuedandpublishedVerifiedMarkCertificateintoitsproductsandservices,agreesthatitslicensetodosoissubjecttoandconditionalonthefollowing:3.1. QualityControl,SameTreatment.TheConsumingEntitymaynotdistortatdisplaytimeanyMark

RepresentationobtainedfromapublishedVerifiedMarkCertificate,changeitscolorsorbackground,modifyitstransparency,oralteritinanywayotherthantoadjustitssizeorscale,ortocropitinamannerconsistentwithcroppingperformedonotherMarkRepresentationsdisplayedinthesamecontext.IfaConsumingEntitydisplaysaWordMarkobtainedfromapublishedVerifiedMarkCertificate,itmustdosoinaneutralmannerappliedconsistentlytoallWordMarksfromallVerifiedMarkCertificatesthatareshowninthesamevisualcontext.TheConsumingEntitymaydisplayaMarkincludedinaVerifiedMarkCertificatewithoutalsodisplayingaWordMarkincludedinthesameVerifiedMarkCertificate,buttheConsumingEntitymaynotdisplayaWordMarkincludedinaVerifiedMarkCertificatewithoutalsodisplayingtheMarkincludedinthesameVerifiedMarkCertificate.

3.2. NoPartnershiporRelationshipsimplied.SubjecttoanexpressagreementtothecontrarybetweentheConsumingEntityandtheMAE,neithertheVMCMarksnoranyothercontentoftheVerifiedMarkCertificatemaybeusedordisplayedinanywaythatreasonablyimpliesanyrelationshipbetweentheConsumingEntityandtheMAE,beyondthebarelicensor-licenseerelationshipcreatedbytheseVMCTerms.

3.3. CRLorOCSPChecks.ConsumingEntitiesmustchecktheCertificateRevocationListsmaintainedbytheCAorperformanon-linerevocationstatuscheckusingOCSPtodeterminewhetheraVerifiedMarkCertificatehasbeenrevokednolessfrequentlythanevery7days.


3.4. LawfulUse.ConsumingEntitiesmayonlyusetheMarkRepresentationinaVerifiedMarkCertificateinaccordancewithapplicablelaw.

4. SufficientOwnershiporLicense.TheMAEwarrantsthattheVMCMarkspublishedviaaVerifiedMark

CertificaterepresentaRegisteredMark(andWordMark,ifany)thattheMAEownsorforwhichtheMAEhasobtainedsufficientlicensetobeabletograntthelimitedlicenseintheseVMCTerms,andthatitwillimmediatelyrevoketheVerifiedMarkCertificateifitnolongerownsorhasasufficientlicensetotheapplicableRegisteredMark(orWordMark,ifany).TheMAEwilldefendandwillbeliableforanyintellectualpropertyorotherclaimsagainstanyConsumingEntity,RelyingPartyorCAthatarisefromthecontentoftheMAE’sapplicationforaVerifiedMarkCertificate.

5. Noobligationtodisplay.TheMAEacknowledgesthatConsumingEntitiesareundernoobligationto

displaytheVMCMarksinconnectionwithcontenttheMAEpublishesthatisassociatedwiththedomainstheMAEownsorcontrolsasaDomainRegistrant,evenifacommunicationormessageisconfirmedtobefromtheMAEandasuitableVMCMarkcanbeobtainedandsafelydisplayedfromtheapplicableVerifiedMarkCertificate.Instead,ConsumingEntitiesmaychoosetodisplaytheVMCMarksinaccordancewiththeseVMCTerms,ornotdisplaythem,attheiroption.

6. Termination.ImmediatelyuponrevocationorexpirationoftheVerifiedMarkCertificate,theMAEwill

ceasepublishingorusingtheVerifiedMarkCertificate,andthelicensegrantedtoConsumingEntitiesinSection2.2aboveSHALLterminate.ThelicensetoaConsumingEntityinSection2.2abovealsoterminatesautomaticallyandimmediatelyuponbreachofanyprovisionoftheseVMCTermsbytheConsumingEntity.ConsumingEntitiesmustimmediatelyceaseanyandalluseoftheVMCMarksuponterminationoftheapplicablelicense.

7. UpdatestoVMCRequirementsandVMCTerms.TheVMCRequirementsandVMCTermsmaybeupdated

fromtimetotime.AllpartiesagreethattheversionoftheVMCRequirementsandVMCTermsineffectatthetimeofissuanceofaVerifiedMarkCertificateSHALLapplythroughthedateofexpirationorrevocationoftheVerifiedMarkCertificate(and,forthoseprovisionsthatbytheirnatureextendbeyondthedateofexpirationorrevocation,untiltheprovisionsnolongerwouldapplybytheirterms).Itistheresponsibilityofeachentitywhoobtains,uses,publishesorreliesuponaVerifiedMarkCertificatetoreviewandfamiliarizeitselffromtimetotimewithanyupdatedversionsoftheVMCRequirementsandVMCTerms.


APPENDIXE-OPTIONALRULESFORMATCHINGMARKREPRESENTATIONSUBMITTEDBYSUBSCRIBERWITHREGISTEREDMARKVERIFIEDBYCATheseareoptionalrulesapprovedbytheAuthindicatorswhichCAsMAYusewhenmatchingtheMarkRepresentationsubmittedbytheSubscriberwiththeRegisteredMarkverifiedbytheCA.TrademarksregisteredintheUnitedStates

[ThisAppendixisstillbeingdrafted.]


APPENDIXF-CTLOGSAPPROVEDBYAUTHINDICATORSWORKINGGROUPLogURL Namehttps://gorgon.ct.digicert.com/log Gorgon


APPENDIXG–ADDITIONALF2FVERIFICATIONPROCEDURETheContractSignerorCertificateApproverfortheVerifiedMarkCertificatemustperformtheF2FVerificationProcedurefortheApplicantaccordingtotheprocessdescribedineitherSection1orSection2below,asselectedbytheCAatitsdiscretion.IftheContractSignerandCertificateApproverrolesarefulfilledbydifferentnaturalpersons,thenonlyoneofContractSignerorCertificateApprovermustperformtheF2FVerificationProcedure.Inallcases,thenaturalpersonperformingtheF2FVerificationProcedureisreferredtoasthe“DesignatedIndividual”intheproceduredefinedbelow.Section1–NotarizationprocessfordocumentsignedbyDesignatedIndividualIfthisF2FVerificationProcedureisselectedbytheCA,theDesignatedIndividualmustperformtheNotarizationprocedurefortheApplicantasdescribedbelow.1. ReceiveinformationfromtheDesignatedIndividual.TheCAwillasktheDesignatedIndividualtosubmit

thefollowinginformation:name,emailaddress,andtelephonenumberforuseintheNotarizationprocessdescribedinSections2and3below.

2. ConductNotarizationProcess.TheCAwillarrangeforaNotarytomeetwiththeDesignatedIndividual.TheNotaryMUSTNOTbeanemployeeoftheSubscriberoramemberofanylawfirmusedbytheSubscriber.TheNotarizationprocessMAYbeperformedbyRemoteNotarization,providedthatitisconductedinaccordancewithapplicablelawintheNotary'sjurisdiction.TheDesignatedIndividualMUSTbelocatedinajurisdictioninwhichtheNotaryispermittedtoNotarizeaccordingtoapplicablelaw.TheCAwillprovidetheNotaryinadvancewithaVerificationDocumentfortheDesignatedIndividualtosignbeforetheNotaryandbeNotarized.ThenotaryshouldbeinstructedtoconfirmtheDesignatedIndividual’sfaceconformstothephotoontheDesignatedIndividual’sphotoID,andthatthenameoftheDesignatedIndividuallistedonthephotoIDconformstotheDesignatedIndividualnameontheVerificationDocument.TheNotarymustobservetheDesignatedIndividualasheorshesignstheVerificationDocument,thenNotarizetheVerificationDocument,TheNotaryshouldrecordanyrequireddetailsoftheNotarizationprocessintheNotary’snotaryjournal(orequivalent)asnormallyrequiredinthejurisdictionforaNotarization.Digitalsignaturesmaybeusedifacceptedinthejurisdiction.TheNotarymusttheneither:(1)SendaphotoorPDFcopyoftheNotarizedVerificationDocumenttotheCAaccordingtotheCA’sinstructionsandgivetheoriginaldocumenttotheDesignatedIndividualforhisorherfilesordestruction,or(2)sendtheoriginalsignedVerificationDocumenttotheCA.TheNotaryshouldnotretainacopyoftheVerificationDocumentortheDesignatedIndividual’sphotoIDintheNotary’sownfilesunlessrequiredtodosobyapplicablelaworregulationinthejurisdiction,inwhichcasetheNotaryshouldtreatthedocumentandphotoIDasPIItobearchivedanddisposedofinasecuremannerandinaccordancewithanyapplicablelaworregulation.

Section2–Web-basedF2FsessionwithDesignatedIndividual.IfthisF2FVerificationProcedureisselectedbytheCA,theCAoritsthirdpartyagentwillperformaweb-basedrecordedorphotographedsessionwiththeDesignatedIndividual.Thisformofvalidationmustincludethefollowingbasicsteps:

1. ReceiveinformationfromtheDesignatedIndividual.TheCAwillasktheDesignatedIndividualto

submitthefollowinginformation:name,emailaddress,andtelephonenumberforuseintheweb-basedF2FprocessdescribedinSections2and3below.

2. Processforweb-basedF2Fsession.Theweb-basedF2Fsessionwillincludethefollowingsteps.


a) TheCAoragentinitiatesalive,recordedvideoconferencewithDesignatedIndividual.The

recordingcaneitherbesavedbytheCA,orappropriatescreenshotsoftheconferencecanbesavedbytheCAinstead.

b) TheDesignatedIndividualrecitesonthevideoconferencehisorherbasicinformation,includingname,address,organization,title,telephonenumber,IDtype(passportnationalID,driver’slicense,etc.),andIDnumberthatwillbeusedduringthevalidationsession.

c) TheCAoragentaskstheDesignatedIndividualtopresenthisorherIDdocumenttothecamera,closeenoughtoprovideaclearpictureofthefront,back,andanyotherpagesasmaybenecessarytoreadandexaminethedocumentandcaptureitonthevideoand/orscreenshots.TheCAoragentisnotexpectedtodeterminewhetherornottheIDdocumentisgenuine,onlytorecordwhatwaspresented.TheCAagentmayrejecttheIDdocumentattheCAagent’sdiscretionifappropriate(e.g.,expired,namemis-match,photomis-match).

d) TheCAoragentaskstheDesignatedIndividualtoholdIDinfrontofhisorherface,toturnthedocumentaroundinthatposition,andtowavehisorherotherhandinthespacebetweentheIDandtheDesignatedIndividual’sface.TheCAmustmakereasonableaccommodationsifnecessaryincasetheDesignatedIndividualhasarelevantphysicaldisability.TheCAoragentmayaskadditionalquestionsathisorherdiscretion.

e) Thevideoconferenceiscompleted.TheCAoragentthenapprovesorfailstheIDverificationrequestbasedontheprocedureandsecurelyarchivestherecording.

TheCAmayuseacompetentthirdpartyserviceprovidertrustedbytheCAtoperformthisrecordedorphotographedweb-basedsessionwithDesignatedIndividualsolongastheCAobtainsandretainstherecordedsessionand/orscreenshotsinthevalidationfile.Section3–PIIandPrivacyRequirementsVMCDesignatedIndividualPII&PrivacyProcessesTheissuanceofaVMCrequirestheissuingCAtovalidatethefollowinginformation:

• Theapplyingorganization’sownershipoftheirbusinessdomain• Theapplyingorganization’sownershipofthelogotobeused• TheDesignatedIndividual’sconnectiontotheorganization• TheDesignatedIndividual’sidentity

DuetothenovelnatureofvalidatingtheidentityoftheDesignatedIndividualthroughF2Fverification,whichisperformedeitherthroughameetingwithanotaryorequivalentorthroughaweb-basedF2Fsession,additionalinformationthatisnottypicallycollectedforcertificateissuanceisrequired.Assuch,measurestoprotecttheDesignatedIndividual’spersonallyidentifiableinformationmustbeexercised.

InitialDesignatedIndividualGuidanceforNotarizationprocess1. BeforeanapplicantbeginstheNotarizationprocess,eachCAshould:

• SetexpectationsandpreparetheDesignatedIndividualbyprovidingashortlistofitemsneededforandabriefexplanationoftheNotarizationprocessandrequiredpersonaldocumentsandinformation:○ DescriptionoftheNotarizationprocessthatwillbefollowedandPIIdetailstobecollected,

includingtypesofgovernment-issuedIDthatwillbeaccepted.• ProvidelinkstotheCA’sofficialprivacypolicies

2. DuringtheNotarizationprocess,eachCAmustensure:


• DesignatedIndividualPIIiscollectedviasecureportalorsafefilesharesite.SuchPIIalsoincludesinformationassociatedwithtypicalaccountsetupsuchasname,title,phone,andemailaddressoftheDesignatedIndividual.

CAPIIRetentionTransparencyGuidance• WherePIIiscollected,theCAmustincludelinkstoorinformationaboutthefollowing:

○ Summaryofthecollection,use,storage,anddestructionofinformationasitappliestotheapplicationandprocess;pointtorelevantstandards

• ExplanationandreasoningforcollectionofrequiredinformationbytheCA(and,ifapplicable,bythenotary)• Contextastotherelativenormalcyofthis(e.g.forstandardnotarization

process,SSLcertsorhomeloansetc.)• IncludeCA’sofficialprivacypolicies

3. GuidanceonPIIsenttoNotary

• Forthein-personmeetingtheDesignatedIndividualshouldprovideonlythebelowfieldstotheCA.Thecollectionofadditional,personallyidentifiableinformationisnotrequiredorrecommended.○ Name○ Emailaddress○ Meetinglocation,date,time○ Cellphonenumber(forthepurposesofcoordinatingthemeetingbetweentheDesignated

Individualandnotary)4. GuidanceonDesignatedIndividualPIITreatmentbyNotary

• TheNotarymustmaintainlimitedDesignatedIndividualPII,asnotedintherequiredfieldsofItem3,includingdataentriesinaNotaryJournalthattheNotarymustretainbylaworpractice(orsimilarrecordthataLatinNotary,lawyer,orsolicitormustretain).

• TheCAshouldprovidetheDesignatedIndividualwithinformationaboutthein-personmeetinganddocument(s)thatwillbepresentedforsignature(s).○ TheCAshouldprovidetheDesignatedIndividualthelifecycledetailsofthesigned

documentsorPIIretainedbytheNotary.InitialDesignatedIndividualGuidanceforweb-basedF2FsessionprocessCAsmustfollowtheirownPIIandprivacyprotectionrequirementsforallweb-basedF2Fsessionprocesstheyconduct,andfollowallapplicablelaws.IfaCAusesanexternalserviceprovidertoconductweb-basedF2Fsessions,theCAmustfirstconductduediligenceabouttheserviceprovider,andconfirmthattheserviceproviderhasPIIandprivacyprotectionrequirementsforallweb-basedF2Fsessionprocesstheyconduct,andfollowallapplicablelaws.1. Beforeanapplicantbeginstheweb-basedF2Fsessionprocess,eachCAshould:

• SetexpectationsandpreparetheDesignatedIndividualbyprovidingashortlistofitemsneededforandabriefexplanationoftheweb-basedF2Fsessionprocessandrequiredpersonaldocumentsandinformation:○ Descriptionoftheweb-basedF2FsessionprocessthatwillbefollowedandPIIdetailstobe

collected,includingtypesofgovernment-issuedIDthatwillbeaccepted.• ProvidelinkstotheCA’sofficialprivacypolicies

2. Duringtheweb-basedF2Fsessionprocess,eachCAmustensure:


• DesignatedIndividualPIIiscollectedviasecureportalorsafefilesharesite.SuchPIIalsoincludesinformationassociatedwithtypicalaccountsetupsuchasname,title,phone,andemailaddressoftheDesignatedIndividual.

CAPIIRetentionTransparencyGuidance• WherePIIiscollected,theCAmustincludelinkstoorinformationaboutthefollowing:

○ Summaryofthecollection,use,storage,anddestructionofinformationasitappliestotheapplicationandprocess;pointtorelevantstandards

• ExplanationandreasoningforcollectionofrequiredinformationbytheCA(and,ifapplicable,bytheweb-basedF2Fsession)• IncludeCA’sofficialprivacypolicies


APPENDIXH-COUNTRY-SPECIFICINTERPRETATIVEGUIDELINES(NORMATIVE)NOTE:ThisappendixprovidesalternativeinterpretationsoftheVMCRequirementsforcountriesthathavealanguage,cultural,technical,orlegalreasonfordeviatingfromastrictinterpretationoftheseRequirements.Morespecificinformationforparticularcountriesmaybeaddedtothisappendixinthefuture.1.OrganizationNames(1) Non-LatinOrganizationNameWhereanVerifiedMarkApplicant’sorganizationnameisnotregisteredwithaQGISinLatincharactersandtheApplicant’sforeigncharacterorganizationnameandregistrationhavebeenverifiedwithaQGISinaccordancewiththeseRequirements,aCAMAYincludeaLatincharacterorganizationnameintheVerifiedMarkCertificate.Insuchacase,theCAMUSTfollowtheprocedureslaiddowninthissection.(2)RomanizedNamesInordertoincludeatransliteration/Romanizationoftheregisteredname,theRomanizationMUSTbeverifiedbytheCAusingasystemofficiallyrecognizedbytheGovernmentintheApplicant’sJurisdictionofIncorporation.IftheCAcannotrelyonatransliteration/RomanizationoftheregisterednameusingasystemofficiallyrecognizedbytheGovernmentintheApplicant’sJurisdictionofIncorporation,thenitMUSTrelyononeoftheoptionsbelow,inorderofpreference:

(A) AsystemrecognizedbytheInternationalOrganizationforStandardization(ISO);(B) AsystemrecognizedbytheUnitedNations;or(C) ALawyer’sOpinionorAccountant’sLetterconfirmingtheproperRomanizationoftheregistered

name.(3) TranslatedNameInordertoincludeaLatincharacternameintheVerifiedMarkcertificatethatisnotadirectRomanizationoftheregisteredname(e.g.anEnglishName)theCAMUSTverifythattheLatincharacternameis:

(A) IncludedintheArticlesofIncorporation(orequivalentdocument)filedaspartoftheorganizationregistration;or

(B) RecognizedbyaQTISintheApplicant’sJurisdictionofIncorporationastheApplicant’srecognizednamefortaxfilings;or

(C) ConfirmedwithaQIIStobethenameassociatedwiththeregisteredorganization;or(D) ConfirmedbyaVerifiedLegalOpinionorAccountant’sLettertobeatranslatedtradingname

associatedwiththeregisteredorganization.

Country-SpecificProceduresH-1.JapanAsinterpretationoftheproceduressetoutabove:1.OrganizationNames

(A) TheRevisedHepburnmethodofRomanization,aswellasKunrei-shikiandNihon-shikimethodsdescribedinISO3602,areacceptableforJapaneseRomanizations.

(B) TheCAMAYverifytheRomanizedtransliteration,languagetranslation(e.g.Englishname),orotherrecognizedRoman-lettersubstituteoftheApplicant’sformallegalnamewitheitheraQIIS,VerifiedLegalOpinion,orVerifiedAccountantLetter.

(C) TheCAMAYusetheFinancialServicesAgencytoverifyaRomanized,translated,orotherrecognizedRoman-lettersubstitutename.Whenused,theCAMUSTverifythatthetranslatedEnglishisrecordedintheauditedFinancialStatements.

(D)WhenrelyingonArticlesofIncorporationtoverifyaRomanized,translated,orotherrecognizedRoman-lettersubstitutename,theArticlesofIncorporationMUSTbeaccompaniedeither:byadocument,signedwiththeoriginalJapaneseCorporateStamp,thatprovesthattheArticlesofIncorporationareauthenticandcurrent,orbyaVerifiedLegalOpinionoraVerifiedAccountantLetter.TheCAMUSTverifytheauthenticityoftheCorporateStamp.

(E)ARomanized,translated,orotherrecognizedRoman-letteredsubstitutenameconfirmedinaccordancewiththisAppendixH-1storedintheROBINSdatabaseoperatedbyJIPDECMAYberelied


uponbyaCAfordeterminingtheallowedorganizationnameduringanyissuanceorrenewalprocessofanVerifiedMarkCertificatewithouttheneedtore-performtheaboveprocedures.

2.AccountingPractitionerInJapan:

(A)AccountingPractitionerincludeseitheracertifiedpublicaccountant(公認会計士-Konin-kaikei-shi)oralicensedtaxaccountant(税理士–Zei-ri-shi).

(B)TheCAMUSTverifytheprofessionalstatusoftheAccountingPractitionerthroughdirectcontactwiththerelevantlocalmemberassociationthatisaffiliatedwitheithertheJapaneseInstituteofCertifiedPublicAccountants(http://www.hp.jicpa.or.jp),theJapanFederationofCertifiedTaxAccountant’sAssociations(http://www.nichizeiren.or.jp),oranyotherauthoritativesourcerecognizedbytheJapaneseMinistryofFinance(http://www.mof.go.jp)asprovidingthecurrentregistrationstatusofsuchprofessionals.

3.LegalPractitionerInJapan:

(A)LegalPractitionerincludesanyofthefollowing: alicensedlawyer(弁護士-Ben-go-shi), ajudicialscrivener(司法書士-Shiho-sho-shilawyer),anadministrativesolicitor(行政書士-Gyosei-

sho-shiLawyer),oranotarypublic(公証人-Ko-sho-nin). ForpurposesoftheseRequirements,aJapaneseNotaryPublicisconsideredequivalenttoaLatin

Notary.(B)TheCAMUSTverifytheprofessionalstatusoftheLegalPractitionerbydirectcontactthroughthe

relevantlocalmemberassociationthatisaffiliatedwithoneofthefollowingnationalassociations: theJapanFederationofBarAssociations(http://www.nichibenren.or.jp), theJapanFederationofShiho-ShoshiLawyer’sAssociations(http://www.shiho-shoshi.or.jp), theJapanFederationofAdministrativeSolicitors(http://www.gyosei.or.jp), theJapanNationalNotariesAssociation(http://www.koshonin.gr.jp),or anyotherauthoritativesourcerecognizedbytheJapaneseMinistryofJustice(http://www.moj.go.jp)

asprovidingthecurrentregistrationstatusofsuchprofessionals.


APPENDIXI–ABSTRACTSYNTAXNOTATIONONEMODULEFOREVCERTIFICATESThedefinitionoftheseattributesisidenticaltothoseincludedinEVCertificatesandareincludedinVerifiedMarkCertificates.CABFSelectedAttributeTypes{joint-iso-itu-t(2)international-organizations(23)ca-browser-forum(140)module(4)cabfSelectedAttributeTypes(1)1}DEFINITIONS::=BEGIN--EXPORTSAllIMPORTS--fromRec.ITU-TX.501|ISO/IEC9594-2selectedAttributeTypes,ID,ldap-enterpriseFROMUsefulDefinitions{joint-iso-itu-tds(5)module(1)usefulDefinitions(0)7}--fromtheX.500seriesub-locality-name,ub-state-nameFROMUpperBounds{joint-iso-itu-tds(5)module(1)upperBounds(10)7}--fromRec.ITU-TX.520|ISO/IEC9594-6DirectoryString{},CountryNameFROMSelectedAttributeTypesselectedAttributeTypes;id-evat-jurisdictionID::={ldap-enterprise311ev(60)21}id-evat-jurisdiction-localityNameID::={id-evat-jurisdiction1}id-evat-jurisdiction-stateOrProvinceNameID::={id-evat-jurisdiction2}id-evat-jurisdiction-countryNameID::={id-evat-jurisdiction3}jurisdictionLocalityNameATTRIBUTE::={SUBTYPEOFnameWITHSYNTAXDirectoryString{ub-locality-name}LDAP-SYNTAXdirectoryString.&idLDAP-NAME{"jurisdictionL"}IDid-evat-jurisdiction-localityName}jurisdictionStateOrProvinceNameATTRIBUTE::={SUBTYPEOFnameWITHSYNTAXDirectoryString{ub-state-name}LDAP-SYNTAXdirectoryString.&idLDAP-NAME{"jurisdictionST"}IDid-evat-jurisdiction-stateOrProvinceName}jurisdictionCountryNameATTRIBUTE::={SUBTYPEOFnameWITHSYNTAXCountryNameSINGLEVALUETRUELDAP-SYNTAXcountryString.&idLDAP-NAME{"jurisdictionC"}IDid-evat-jurisdiction-countryName}END


APPENDIXJ–REGISTRATIONSCHEMESThefollowingRegistrationSchemesarecurrentlyrecognizedasvalidundertheseRequirements:NTR:TheinformationcarriedinthisfieldSHALLbethesameasheldinSubjectSerialNumberFieldasspecifiedin7.1.4.4.2(k)andthecountrycodeusedintheRegistrationSchemeidentifierSHALLmatchthatofthesubject’sjurisdictionasspecifiedinSection7.1.4.4.2(j).WheretheSubjectJurisdictionofIncorporationorRegistrationFieldin7.1.4.4.2(j)includesmorethanthecountrycode,theadditionallocalityinformationSHALLbeincludedasspecifiedinsectionin7.1.4.4.2(j).VAT:ReferenceallocatedbythenationaltaxauthoritiestoaLegalEntity.ThisinformationSHALLbevalidatedusinginformationprovidedbythenationaltaxauthorityagainsttheorganizationasidentifiedbytheSubjectOrganizationNameField(see7.1.4.4.2(b))andSubjectSerialNumberField(see7.1.4.4.2(k))withinthecontextofthesubject’sjurisdictionasspecifiedinSection7.1.4.4.2(j).PSD:AuthorizationnumberasspecifiedinETSITS119495clause4.4allocatedtoapaymentserviceproviderandcontainingtheinformationasspecifiedinETSITS119495clause5.2.1.ThisinformationSHALLbeobtaineddirectlyfromthenationalcompetentauthorityregisterforpaymentservicesorfromaninformationsourceapprovedbyagovernmentagency,regulatorybody,orlegislationforthispurpose.ThisinformationSHALLbevalidatedbybeingmatcheddirectlyorindirectly(forexample,bymatchingagloballyuniqueregistrationnumber)againsttheorganizationasidentifiedbytheSubjectOrganizationNameField(see7.1.4.4.2(b))andSubjectSerialNumberField(see7.1.4.4.2(k))withinthecontextofthesubject’sjurisdictionasspecifiedinSection7.1.4.4.2(j).ThestatedaddressoftheorganizationcombinedwiththeorganizationnameSHALLNOTbetheonlyinformationusedtodisambiguatetheorganization.

Minimum Security Requirements for Issuance of Verified ...

Documents

Transcript of Minimum Security Requirements for Issuance of Verified ...