This section describes the certificate application process, including the information required to make and support a successful application.
4.1 Certificate Application Requirements
The Affiliate, Reseller or Partner [ARP] may issue Certificates to Private Organisations that satisfy the following requirements:
a) The Private Organisation is a legally recognised entity whose existence was created by a filing with (or an act of) the Incorporating Agency in its Jurisdiction of Incorporation (e.g., by issuance of a certificate of incorporation);
b) The Private Organisation has designated with the Incorporating Agency a Registered Agent, Registered Office (as required under the laws of the Jurisdiction of Incorporation) or equivalent;
c) The Private Organisation is not designated on the records of the Incorporating Agency by labels such as “inactive,” “invalid,” “not current,” or the equivalent;
d) The Private Organisation’s Jurisdiction of Incorporation and/or its Place of Business is not in any country where Digi-Sign is prohibited from doing business or issuing a certificate by the laws of Digi-Sign’s jurisdiction; and
e) The Private Organisation is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of Digi-Sign’s jurisdiction.
ARP may issue Certificates to Government Entities that satisfy the following requirements:
a) The legal existence of the Government Entity is established by the law of the Jurisdiction of Incorporation;
b) The Government Entity is not in any country where Digi-Sign is prohibited from doing business or issuing a certificate by the laws of Digi-Sign’s jurisdiction; and
c) The Government Entity is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of Digi-Sign’s jurisdiction.
All qualifying Certificate applicants must complete the enrolment process, which may include:
• Generate an RSA key pair and demonstrate to ARP ownership of the private key half of the key pair through the submission of a valid PKCS#10 Certificate Signing Request [CSR], or SPKAC request for certain certificates.
• Make all reasonable efforts to protect the integrity of the private key half of the key pair
• Submit to Digi-Sign a certificate application request, including application information as detailed in the Digi-Sign CPS, a public key half of a key pair, and agree to the terms of the relevant subscriber agreement
• Provide proof of identity through the submission of official documentation if, and as, requested by Digi-Sign during the enrolment process
Certificate applications are submitted to the Digi-Sign approved Registration Agent [RA] or Light Registration Agent [LRA].
4.1.1 ARP Customer Certificate Applications
ARP Customers may act as RAs under the practices and policies stated within the Digi-Sign CPS. The RA may make the application on behalf of the applicant pursuant to this ARP contract.
Under such circumstances, the RA is responsible for all the functions on behalf of the applicant and such responsibilities are detailed and maintained within this ARP contract.
4.1.2 Digi-CA™ Service Account Holder Certificate Applications
Digi-CA™ Service Account Holders act as RAs under the practices and policies stated within the CPS. The RA makes the application for a secure server certificate to be used by a named server, or a secure email certificate to be used by a named employee, partner or extranet user under a domain name that the ARP has validated either belongs to, or may legally be used by the Digi-CA™ Service Account holding organisation.
4.1.3 Methods of application
Generally, applicants will complete the online forms made available by the ARP or by approved RAs at the respective official websites. Under special circumstances, the applicant may submit an application via email; however, this process is available at the discretion of the ARP or its RAs.
Digi-CA™ Service Account Holder applications are made through the Digi-CA™ Service Management Console – a web based console hosted and supported by Digi-Sign.
4.2 Application Validation
Prior to issuing a Certificate, the ARP employs controls to validate the identity of the subscriber information featured in the certificate application.
4.2. ARP Certificates Validation Process
Before issuing a Certificate, the ARP ensures that all Subject organisation information in the Certificate conforms to the requirements of, and has been verified in accordance with, these guidelines and matches the information confirmed and documented by the ARP pursuant to its verification processes.
As a general rule, the ARP is responsible for taking all verification steps reasonably necessary to satisfy each of the Verification Requirements set forth below. The Acceptable Methods of Verification set forth in each of Sections 4.2.1 through 4.2.11 below (which usually include alternatives) are considered to be acceptable methods of verification that may be employed by the ARP. In all cases, however, the ARP will take any additional verification steps that may be reasonably necessary under the circumstances to satisfy the applicable Verification Requirement.
4.2.1. Verification of Applicant’s Legal Existence and Identity
(a) Verification Requirements. To verify Applicant’s legal existence and identity, the ARP will do the following:
(1) Legal Existence: Verify that the Applicant is a legally recognised entity, in existence and validly formed (e.g., incorporated) with the Incorporating Agency in Applicant’s Jurisdiction of Incorporation, and not designated on the records of the Incorporating Agency by labels such as “inactive,” “invalid,” “not current,” or the equivalent.
(2) Organisation Name: Verify that the Applicant’s formal legal name as recorded with the Incorporating Agency in Applicant’s Jurisdiction of Incorporation matches Applicant’s name in the Certificate Request.
(3) Registration Number: Obtain the specific unique Registration Number assigned to Applicant by the Incorporating Agency in the Applicant’s Jurisdiction of Incorporation
(4) Registered Agent: Obtain the identity and address of the Applicant’s Registered Agent or Registered Office (as applicable) in the Applicant’s Jurisdiction of Incorporation.
(b) Acceptable Method of Verification. All of the foregoing will be verified directly with or obtained directly from the Incorporating Agency in the Applicant’s Jurisdiction of Incorporation. Such verification may be through use of a Qualified Government Information Source operated by or on behalf of the Incorporating Agency, or by direct contact with the Incorporating Agency in person or via mail, email, web address, or telephone using an address or phone number obtained from a Qualified Independent Information Source.
4.2.2 Verification of Applicant’s Legal Existence and Identity – Assumed Name
(a) Verification Requirements. If, in addition to the Applicant’s formal legal name as recorded with the Incorporating Agency in Applicant’s Jurisdiction of Incorporation, Applicant’s identity as asserted in the Certificate is to contain any assumed name (also known as “doing business as”, “DBA”, or “d/b/a” in the US and “trading as” in the UK) under which Applicant conducts business, the ARP will verify that: (i) the Applicant has registered its use of the assumed name with the appropriate government agency for such filings in the jurisdiction of its Place of Business (as verified in accordance with these guidelines), and (ii) that such filing continues to be valid.
(b) Acceptable Method of Verification. To verify any assumed name under which Applicant conducts business:
(1) The ARP may verify the assumed name through use of a Qualified Government Information Source operated by or on behalf of an appropriate government agency in the jurisdiction of the Applicant’s Place of Business, or by direct contact with such government agency in person or via mail, email, web address, or telephone; or
(2) The ARP may verify the assumed name through use of a Qualified Independent Information Source [QIIS] provided that the QIIS has verified the assumed name with the appropriate government agency.
(3) The ARP may rely on a Verified Legal Opinion, or a Verified Accountant Letter that indicates the assumed name under which Applicant conducts business, the government agency such assumed name is registered with, and that such filing continues to be valid.
4.2.3 Verification of Applicant’s Physical Existence
(a) Address of Applicant’s Place of Business
(1) Verification Requirements. To verify Applicant’s physical existence and business presence, the ARP will verify that the physical address provided by Applicant is an address where Applicant conducts business operations (e.g., not a mail drop or P.O. Box), and is the address of Applicant’s Place of Business.
(2) Acceptable Methods of Verification. To verify the address of Applicant’s Place of Business:
(A) For Applicants whose Place of Business is in the same country as the Applicant’s Jurisdiction of Incorporation:
(1) For Applicants listed at the same Place of Business address in the current version of at least one QIIS, the ARP will confirm that the Applicant’s address as listed in the Certificate Request is a valid business address for Applicant by reference to such QIIS, and may rely on Applicant’s representation that such address is its Place of Business;
(2) For Applicants who are not listed at the same Place of Business address in the current version of at least one QIIS, the ARP will confirm that the address provided by the Applicant in the Certificate Request is in fact Applicant’s business address by obtaining documentation of a site visit to the business address which will be performed by a reliable individual or firm. The documentation of the site visit will:
(a) Verify that the Applicant’s business is located at the exact address stated in the Certificate Request (e.g., via permanent signage, employee confirmation, etc.);
(b) Identify the type of facility (e.g., office in a commercial building, private residence, storefront, etc.) and whether it appears to be a permanent business location;
(c) Indicate whether there is a permanent sign (that cannot be moved) that identifies the Applicant
(d) Indicate whether there is evidence that Applicant is conducting ongoing business activities at the site (e.g., that it is not just a mail drop, P.O. box, etc.), and
(e) Include one or more photos of (i) the exterior of the site (showing signage indicating the Applicant’s name, if present, and showing the street address if possible), and (ii) the interior reception area or workspace.
(3) For all Applicants, the ARP may alternatively rely on a Verified Legal Opinion or a Verified Accountant Letter that indicates the address of Applicant’s Place of Business and that business operations are conducted there.
(B) For Applicants whose Place of Business is not in the same country as the Applicant’s Jurisdiction of Incorporation, the ARP will rely on a Verified Legal Opinion that indicates the address of Applicant’s Place of Business and that business operations are conducted there.
(b) Telephone Number for Applicant’s Place of Business
(1) Verification Requirements. To further verify Applicant’s physical existence and business presence, as well as to assist in confirming other verification requirements, the ARP will verify that the telephone number provided by Applicant is a main phone number for Applicant’s Place of Business.
(2) Acceptable Methods of Verification. To verify Applicant’s telephone number, the ARP will perform A and one of B, C, or D as listed below:
(A) Confirm Applicant’s telephone number by calling it and obtaining an affirmative response sufficient to enable a reasonable person to conclude that the Applicant is reachable by telephone at the number dialled; and
(B) Confirm that the telephone number provided by the Applicant is listed as the Applicant’s telephone number for the verified address of its Place of Business in records provided by the applicable phone company or alternatively in at least one QIIS; or
(C) During a site visit, the person who is conducting the site visit will confirm the Applicant’s main telephone number by calling it and obtaining an affirmative response sufficient to enable a reasonable person to conclude that the Applicant is reachable by telephone at the number dialled. The ARP will also confirm that the Applicant’s main telephone number is not a mobile phone; or
(D) Rely on a Verified Legal Opinion or a Verified Accountant Letter to the effect that the Applicant telephone number provided is a main phone number for Applicant’s Place of Business;
4.2.4 Verification of Applicant’s Operational Existence
(a) Verification Requirements. If the Applicant has been in existence for less than three (3) years, as indicated by the records of the Incorporating Agency, and is not listed in the current version of one QIIS, the ARP will verify that the Applicant has the ability to engage in business.
(b) Acceptable Methods of Verification. To verify the Applicant’s operational existence, the ARP will perform one of the following:
(1) Verify the Applicant has an active current Demand Deposit Account with a Regulated Financial Institution. The ARP will receive authenticated documentation directly from a Regulated Financial Institution verifying that the Applicant has an active current Demand Deposit Account with the institution.
(2) Rely on a Verified Legal Opinion or a Verified Accountant Letter to the effect that the Applicant has an active current Demand Deposit Account with a Regulated Financial Institution;
4.2.5 Verification of Applicant’s Domain Name
(a) Verification Requirements. To verify Applicant’s registration or exclusive control of the domain name(s) to be listed in the Certificate, the ARP will verify that each such domain name satisfies the following requirements:
(1) The domain name is registered with an Internet Corporation for Assigned Names and Numbers (ICANN)-approved registrar or a registry listed by the Internet Assigned Numbers Authority (IANA);
(2) Domain registration information in the WHOIS database should be public and should show the name, physical address, and administrative contact information for the organisation.
(3) The Applicant:
(A) is the registered holder of the domain name; or
(B) has been granted the exclusive right to use the domain name by the registered holder of the domain name;
(4) The Applicant is aware of its registration or exclusive control of the domain name.
(b) Acceptable Methods of Verification
(1) Applicant as Registered Holder. Acceptable methods by which the ARP may verify that the Applicant is the registered holder of the domain name include the following:
(A) Performing a WHOIS inquiry on the Internet for the domain name supplied by the Applicant, and obtaining a response indicating that the Applicant is the entity registered to the domain name; or
(B) Communicating with the contact listed on the WHOIS record to confirm that the Applicant is the registered holder of the domain name and having the contact update the WHOIS records to reflect the proper domain registration;
(C) In cases where domain registration information is private, the ARP may contact the applicant through the domain registrar by email or paper mail if the domain registrar offers services to forward such communication to the registered domain holder.
(2) Applicant’s Exclusive Right to Use. In cases where Applicant is not the registered holder of the domain name, the ARP will verify the Applicant’s exclusive right to use a domain name.
(A) In cases where the registered domain holder can be contacted using information obtained from WHOIS, or through the domain registrar, Digi-Sign will obtain positive confirmation from the registered domain holder by paper mail, email, telephone, or facsimile that the applicant has been granted the exclusive right to use the requested Fully Qualified Domain Name (FQDN).
If the Top-Level Domain is a generic top-level domain (gTLD) such as .com, .net, or .org in accordance with RFC 1591, the ARP will obtain positive confirmation with the second level domain registration holder unless explicitly delegated by the holder. For example, if the requested FQDN is www1.www.example.com, the ARP will obtain positive confirmation from the domain holder of example.com.
If the Top-Level Domain is a 2 letter Country Code Top-Level Domain (ccTLD), Digi-Sign will obtain positive confirmation with the domain holder at the domain level appropriate based on the rules of the ccTLD. For example, if the requested FQDN is www.mysite.users.internet.co.uk, the ARP will obtain positive confirmation from the domain holder of internet.co.uk.
In addition, the ARP will also verify the Applicant’s exclusive right to use the domain name using one of the following methods:
(1) Relying on a Verified Legal Opinion to the effect that the Applicant has the exclusive right to use the specified domain name in identifying itself on the Internet; or
(2) Relying on a representation from the Contract Signer, or the Certificate Approver if expressly authorised in a mutually agreed upon contract, coupled with a practical demonstration by the Applicant establishing that it controls the confirmed domain name by making an agreed-upon change in information found online on a web page identified by a uniform resource identifier containing the Applicant’s FQDN;
(B) In cases where the registered domain holder cannot be contacted, the ARP will:
(1) Rely on a Verified Legal Opinion to the effect that the Applicant has the exclusive right to use the specified domain name in identifying itself on the Internet, and
(2) Rely on a representation from the Contract Signer, or the Certificate Approver if expressly authorised in a mutually agreed upon contract, coupled with a practical demonstration by the Applicant establishing that it controls the confirmed domain name by making an agreed-upon change in information found online on a web page identified by a uniform resource identifier containing the Applicant’s FQDN;
(3) Knowledge. Acceptable methods by which the ARP may verify the Applicant is aware that it has exclusive control of the domain name include the following:
(A) Relying on a Verified Legal Opinion to the effect that the Applicant is aware that it has exclusive control of the domain name; or
(B) Obtaining a confirmation from the Contract Signer or Certificate Approver verifying that the Applicant is aware that it has exclusive control of the domain name.
(4) Mixed Character Set Domain Names. Certificates may include domain names containing mixed character sets only in compliance with the rules set forth by the domain registrar. The ARP will visually compare any domain names with mixed character set with known high risk domains. If similarity is found then the Certificate Request will be flagged as High Risk. The ARP must perform reasonably appropriate additional authentication and verification to be certain beyond reasonable doubt that the Applicant and the target in question are the same organisation.
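An added example, not part of the Digi-Sign CPS: the two mechanical checks of Section 4.2.5 in Python, namely finding the domain level whose holder must give positive confirmation (the gTLD and ccTLD cases above) and flagging a mixed character set name that resembles a watch-listed domain. The suffix rules, watch list and look-alike map are small constructed samples, and all function names are hypothetical.

```python
import unicodedata

# Constructed excerpt of registry suffix rules (assumption: a real check would
# load the complete Public Suffix List; the CPS names no data source).
SUFFIX_RULES = {"com", "net", "org", "uk", "co.uk", "org.uk"}

# Constructed watch list standing in for the "known high risk domains".
HIGH_RISK_DOMAINS = {"example.com", "example.org"}

# Constructed look-alike map (Cyrillic -> Latin), a tiny stand-in for the
# Unicode confusables data.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i"}


def to_unicode(fqdn):
    """Lower-case the name, drop a trailing dot, decode xn-- (punycode) labels."""
    labels = []
    for label in fqdn.rstrip(".").lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def confirmation_domain(fqdn):
    """Domain whose holder must confirm: longest registry suffix plus one label."""
    labels = to_unicode(fqdn).split(".")
    for i in range(len(labels)):          # i = 0 tries the longest suffix first
        if ".".join(labels[i:]) in SUFFIX_RULES:
            if i == 0:
                raise ValueError("name is itself a registry suffix")
            return ".".join(labels[i - 1:])
    raise ValueError("no known registry suffix")


def label_scripts(label):
    """Scripts used in a label, approximated by the first word of each
    character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":     # digits and hyphen are script-neutral
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(domain):
    """Replace known look-alike characters with their Latin counterparts."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def review_domain(fqdn):
    """Summarise what the validator has to confirm and whether to escalate."""
    name = to_unicode(fqdn)
    base = confirmation_domain(name)
    mixed = [lab for lab in name.split(".") if len(label_scripts(lab)) > 1]
    looks_like = skeleton(base)
    resembles = looks_like if looks_like in HIGH_RISK_DOMAINS and looks_like != base else None
    return {
        "confirm_with_holder_of": base,
        "mixed_script_labels": mixed,
        "resembles": resembles,
        # Flag only when a mixed character set name matches a watch-list entry.
        "high_risk": bool(mixed) and resembles is not None,
    }


if __name__ == "__main__":
    for sample in ("www1.www.example.com",
                   "www.mysite.users.internet.co.uk",
                   "www.ex\u0430mple.com"):   # constructed look-alike of example.com
        print(sample, review_domain(sample))
```

A flagged request still goes through the additional authentication and verification described in item (4); the check only decides which requests get that treatment.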
4.2.6 Verification of Name, Title, and Authority of Contract Signer and Certificate Approver
(a) Verification Requirements. For both the Contract Signer and the Certificate Approver, the ARP will verify the following:
(1) Name, Title and Agency. The ARP will verify the name and title of the Contract Signer and the Certificate Approver, as applicable. The ARP will also verify that the Contract Signer and the Certificate Approver are agents representing the Applicant.
(2) Authorisation of Contract Signer. The ARP will verify, through a source other than the Contract Signer, that the Contract Signer is expressly authorised by the Applicant to enter into the Subscriber Agreement (and any other relevant contractual obligations) on behalf of the Applicant, including a contract that designates one or more Certificate Approvers on behalf of Applicant (“Signing Authority”).
(3) Authorisation of Certificate Approver. The ARP will verify, through a source other than the Certificate Approver, that the Certificate Approver is expressly authorised by the Applicant to do the following, as of the date of the Certificate Request (“Authority”):
(a) Submit, and if applicable authorise a Certificate Requester to submit, the Certificate Request on behalf of the Applicant; and
(b) Provide, and if applicable authorise a Certificate Requester to provide, the information requested from the Applicant by the ARP for issuance of the Certificate; and
(c) Approve Certificate Requests submitted by a Certificate Requester
(b) Acceptable Methods of Verification – Name, Title and Agency. Acceptable methods of verification of the name, title, and agency status of the Contract Signer and the Certificate Approver include:
(1) Name and Title: the ARP may verify the name and title of the Contract Signer and the Certificate Approver by any appropriate method designed to provide reasonable assurance that a person claiming to act in such role is in fact the named person designated to act in such role.
(2) Agency: the ARP may verify agency of the Contract Signer and the Certificate Approver by:
(A) Contacting the Applicant’s Human Resources Department by phone or mail (at the phone number or address for Applicant’s Place of Business) and obtaining confirmation that the Contract Signer and/or the Certificate Approver, as applicable, is an employee; or
(B) Obtaining an Independent Confirmation From Applicant, or a Verified Legal Opinion (as described in Section 4.2.9(a)), or a Verified Accountant Letter (as described in Section 4.2.9(b)) verifying that the Contract Signer and/or the Certificate Approver, as applicable, is either an employee or has otherwise been appointed as an agent of Applicant.
The ARP may also verify the agency of the Certificate Approver via a certification from the Contract Signer (including in a contract between the ARP and the Applicant signed by the Contract Signer), provided that the employment or agency status and Signing Authority of the Contract Signer has been verified.
(c) Acceptable Methods of Verification - Authorisation. Acceptable methods of verification of the Signing Authority of the Contract Signer, and the Authority of the Certificate Approver, as applicable, include:
(1) Legal Opinion: The Signing Authority of the Contract Signer, and/or the Authority of the Certificate Approver, may be verified by reliance on a Verified Legal Opinion (as described in Section 4.2.9(a));
(2) Accountant Letter: The Signing Authority of the Contract Signer, and/or the Authority of the Certificate Approver, may be verified by reliance on a Verified Accountant Letter (as described in Section 4.2.9 (b));
(3) Corporate Resolution: The Signing Authority of the Contract Signer, and/or the Authority of the Certificate Approver, may be verified by reliance on a properly authenticated corporate resolution that confirms that the person has been granted such Signing Authority, provided that such resolution is (1) certified by the appropriate corporate officer (e.g., secretary), and (2) the ARP can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification.
(4) Independent Confirmation from Applicant: The Signing Authority of the Contract Signer, and/or the Authority of the Certificate Approver, may be verified by obtaining an Independent Confirmation From Applicant.
(5) Contract between CA and Applicant: The Authority of the Certificate Approver may be verified by reliance on a contract between Digi-Sign and the Applicant that designates the Certificate Approver with such Authority, provided the contract is signed by the Contract Signer and provided that the agency and Signing Authority of the Contract Signer has been verified.
(d) Pre-Authorised Certificate Approver. Where the ARP and the Applicant contemplate the submission of multiple future Certificate Requests, then, after the ARP:
(1) Has verified the name and title of the Contract Signer and that he/she is an employee or agent of the Applicant, and
(2) Has verified the Signing Authority of such Contract Signer in accordance with one of the procedures in the preceding Subsection (c) above,
The ARP and the Applicant may enter into a written agreement, signed by the Contract Signer on behalf of the Applicant, whereby, for a specified term, the Applicant expressly authorises one or more Certificate Approver(s) designated in such agreement to exercise Authority with respect to each future Certificate Application submitted on behalf of the Applicant and properly authenticated as originating with, or otherwise being approved by, such Certificate Approver(s).
Such an agreement will provide that the Applicant shall be obligated under the Subscriber Agreement for all Certificates issued at the request of, or approved by, such Certificate Approver(s) until such Authority is revoked, and will include mutually agreed-upon provisions for (i) authenticating the Certificate Approver when Certificate Requests are approved, (ii) periodic re-confirmation of the Authority of the Certificate Approver, (iii) secure procedure by which the Applicant can notify the ARP that the Authority of any such Certificate Approver is revoked, and (iv) such other appropriate precautions as are reasonably necessary.
4.2.7 Verification of Signature on Subscriber Agreement and Certificate Requests
Both the Subscriber Agreement and each Certificate Request must be signed. The Subscriber Agreement must be signed by an authorised Contract Signer. The Certificate Request will be signed by the Certificate Requester submitting the document. If the Certificate requester is not also an authorised Certificate Approver, an authorised Certificate Approver must independently approve the Certificate Request. In all cases, the signature must be a legally valid and enforceable seal or handwritten signature (for a paper Subscriber Agreement and/or Certificate Request), or a legally valid and enforceable electronic signature (for an electronic Subscriber Agreement and/or Certificate Request), that binds the Applicant to the terms of each respective document.
(a) Verification Requirements
(1) Signature. The ARP will authenticate the signature of the Contract Signer on the Subscriber Agreement and the signature of the Certificate Requester on each Certificate Request in a manner that makes it reasonably certain that the person named as the signer in the applicable document is, in fact, the person who signed the document on behalf of the Applicant.
(2) Approval Alternative: In cases where a Certificate Request is signed and submitted by a Certificate Requester who does not also function as a Certificate Approver, approval and adoption of the Certificate Request by a Certificate Approver in accordance with the requirements of Section 4.2.6 can substitute for authentication of the signature of the Certificate Requester on such Certificate Request.
(b) Acceptable Methods of Signature Verification. Acceptable methods of authenticating the signature of the Certificate Requester or Contract Signer include:
(1) A phone call to the Applicant’s or Agent’s phone number, as verified in accordance with the Guidelines, asking to speak to the Certificate Requester or Contract Signer, as applicable, followed by a response from someone who identifies themselves as such person confirming that he/she did sign the applicable document on behalf of the Applicant.
(2) A letter mailed to the Applicant’s or Agent’s address, as verified through independent means in accordance with these guidelines, c/o of the Certificate Requester or Contract Signer, as applicable, followed by a phone or mail response from someone who identifies themselves as such person confirming that he/she did sign the applicable document on behalf of the Applicant.
(3) Use of a signature process that establishes the name and title of the signer in a secure manner, such as through use of an appropriately secure login process that identifies the signer before signing, or through use of a digital signature made with reference to an appropriately verified certificate.
(4) Notarisation by a notary, provided that the ARP independently verifies that such notary is a legally qualified notary in the jurisdiction of the Certificate Requester or Contract Signer;
4.2.8 Verification of Approval of Certificate Request
(a) Verification Requirements. In cases where a Certificate Request is submitted by a Certificate Requester, before the ARP may issue the requested Certificate, the ARP will verify that an authorised Certificate Approver reviewed and approved the Certificate Request.
(b) Acceptable Methods of Verification. Acceptable methods of verifying the Certificate Approver’s approval of a Certificate Request include:
(1) Contacting the Certificate Approver by phone or mail at a verified phone number or address for the applicant and obtaining oral or written confirmation that the Certificate Approver has reviewed and approved the Certificate Request;
(2) Notifying the Certificate Approver that one or more new Certificate Requests are available for review and approval at a designated access-controlled and secure website, followed by a login by and an indication of approval from the Certificate Approver in the manner required by the website; or
(3) Verifying the signature of the Certificate Requester on the Certificate Request in accordance with Section 4.2.7 of The Guidelines.
4.2.9 Verification of Certain Information Sources
(a) Verified Legal Opinion
(1) Verification Requirements. Before relying on any legal opinion submitted to the ARP, the ARP will verify that such legal opinion meets the following requirements (“Verified Legal Opinion”):
(A) Status of Author. The ARP will verify that the legal opinion is authored by an independent legal practitioner retained by and representing the Applicant (or an in-house legal practitioner employed by the Applicant) (Legal Practitioner) who is either:
(i) A lawyer (or solicitor, barrister, advocate, or equivalent) licensed to practice law in the country of the Applicant’s Jurisdiction of Incorporation or any jurisdiction where the Applicant maintains an office or physical facility; or
(ii) A notary that is a member of the International Union of Latin Notaries, and is licensed to practice in the country of Applicant’s Jurisdiction of Incorporation or any jurisdiction where the Applicant maintains an office or physical facility (and that such jurisdiction recognises the role of the Latin Notary).
(B) Basis of Opinion. The ARP will verify that the Legal Practitioner is acting on behalf of the Applicant and that the conclusions of the Verified Legal Opinion are based on the Legal Practitioner’s stated familiarity with the relevant facts and the exercise of the Legal Practitioner’s professional judgment and expertise.
(C) Authenticity. The ARP will confirm the authenticity of the Verified Legal Opinion.
(2) Acceptable Methods of Verification. Acceptable methods of establishing the foregoing requirements for a Verified Legal Opinion include:
(A) Status of Author. The ARP will verify the professional status of the author of the legal opinion by directly contacting the authority responsible for registering or licensing such Legal Practitioner(s) in the applicable jurisdiction.
(B) Basis of Opinion. The text of the legal opinion will make clear that the Legal Practitioner is acting on behalf of the Applicant and that the conclusions of the legal opinion are based on the Legal Practitioner’s stated familiarity with the relevant facts and the exercise of the practitioner’s professional judgment and expertise. The legal opinion may also include disclaimers and other limitations customary in the Legal Practitioner’s jurisdiction, provided that the scope of the disclaimed responsibility is not so great as to eliminate any substantial risk (financial, professional, and/or reputational) to the Legal Practitioner should the legal opinion prove to be erroneous.
(C) Authenticity. To confirm the authenticity of the legal opinion, the ARP will call or send a copy of the legal opinion back to the Legal Practitioner at the address, phone number, facsimile, or (if available) e-mail address for the Legal Practitioner listed with the authority responsible for registering or licensing such Legal Practitioner and obtain confirmation from the Legal Practitioner or the Legal Practitioner’s assistant that the legal opinion is authentic.
(b) Verified Accountant Letter
(1) Verification Requirements. Before relying on any accountant letter submitted to the ARP, the ARP will verify that such accountant letter meets the following requirements (“Verified Accountant Letter”):
(A) Status of Author. The ARP will verify that the accountant letter is authored by an independent professional accountant retained by and representing the Applicant (or an in-house professional accountant employed by the Applicant) (Accounting Practitioner) who is a certified public accountant, chartered accountant, or equivalent licensed by a full member of the International Federation of Accountants [IFAC] to practice accounting in the country of the Applicant’s Jurisdiction of Incorporation or any jurisdiction where the Applicant maintains an office or physical facility; or
(B) Basis of Opinion. The ARP will verify that the Accounting Practitioner is acting on behalf of the Applicant and that the conclusions of the Verified Accountant Letter are based on the Accounting Practitioner’s stated familiarity with the relevant facts and the exercise of the Accounting Practitioner’s professional judgment and expertise.
(C) Authenticity. The ARP will confirm the authenticity of the Verified Accountant Letter.
(2) Acceptable Methods of Verification. Acceptable methods of establishing the foregoing requirements for a Verified Accountant Letter are:
(A) Status of Author. The ARP will verify the professional status of the author of the accountant letter by directly contacting the authority responsible for registering or licensing such Accounting Practitioner(s) in the applicable jurisdiction.
(B) Basis of Opinion. The text of the accountant letter will make clear that the Accounting Practitioner is acting on behalf of the Applicant and that the information in the accountant letter is based on the Accounting Practitioner’s stated familiarity with the relevant facts and the exercise of the practitioner’s professional judgment and expertise. The accountant letter may also include disclaimers and other limitations customary in the Accounting Practitioner’s jurisdiction, provided that the scope of the disclaimed responsibility is not so great as to eliminate any substantial risk (financial, professional, and/or reputational) to the Accounting Practitioner should the accountant letter prove to be erroneous. Acceptable forms of an accountant letter are attached as Appendix D.
(C) Authenticity. To confirm the authenticity of the accountant’s opinion, the ARP will call or send a copy of the accountant letter back to the Accounting Practitioner at the address, phone number, facsimile, or (if available) e-mail address for the Accounting Practitioner listed with the authority responsible for registering or licensing such Accounting Practitioner and obtain confirmation from the Accounting Practitioner or the Accounting Practitioner’s assistant that the accountant letter is authentic.
(c) Independent Confirmation From Applicant. An “Independent Confirmation From Applicant” is a confirmation of a particular fact (e.g., knowledge of its exclusive control of a domain name, confirmation of the employee or agency status of a Contract Signer or Certificate Approver, confirmation of the Authority of a Certificate Approver, etc.) that is:
(i) Received by the ARP from a person employed by the Applicant (other than the person who is the subject of the inquiry) that has the appropriate authority to confirm such a fact (“Confirming Person”), and who represents that he/she has confirmed such fact;
(ii) Received by the ARP in a manner that authenticates and verifies the source of the confirmation; and
(iii) Binding on the Applicant.
An Independent Confirmation From Applicant may be obtained via the following procedure:
(1) Confirmation Request: the ARP will initiate an appropriate out-of-band communication requesting verification or confirmation of the particular fact in issue (“Confirmation Request”) as follows:
(A) Addressee: The Confirmation Request will be directed to:
(i) A position within Applicant’s organisation that qualifies as a Confirming Person (e.g., Secretary, President, CEO, CFO, COO, CIO, CSO, Director, etc.) and is identified by name and title in a current Qualified Government Information Source (e.g., an SEC filing), a Qualified Independent Information Source, a Verified Legal Opinion, a Verified Accountant Letter, or by contacting the Applicant’s Human Resources Department by phone or mail (at the phone number or address for Applicant’s Place of Business, verified in accordance with these guidelines); or
(ii) Applicant’s Registered Agent or Registered Office in the Jurisdiction of Incorporation as listed in the official records of the Incorporating Agency, with instructions that it be forwarded to an appropriate Confirming Person.
(B) Means of Communication: The Confirmation Request will be directed to the Confirming Person in a manner reasonably likely to reach such person. The following options are acceptable:
(i) By paper mail, addressed to the Confirming Person at:
(a) The address of Applicant’s Place of Business as verified by the ARP in accordance with these guidelines; or
(b) The business address for such Confirming Person specified in a current Qualified Government Information Source (e.g., an SEC filing), a Qualified Independent Information Source, a Verified Legal Opinion, or a Verified Accountant Letter; or
(c) The address of Applicant’s Registered Agent or Registered Office listed in the official records of the Jurisdiction of Incorporation; or
(ii) By e-mail addressed to the Confirming Person at the business e-mail address for such person listed in a current Qualified Government Information Source, a Qualified Independent Information Source, a Verified Legal Opinion, or a Verified Accountant Letter; or
(iii) By telephone call to the Confirming Person, where such person is contacted by calling the main phone number of Applicant’s Place of Business (verified in accordance with these guidelines) and asking to speak to such person, and a person taking the call identifies himself as such person; or
(iv) By facsimile to the Confirming Person at the Place of Business. The facsimile number must be listed in a current Qualified Government Information Source, a QIIS, a Verified Legal Opinion, or a Verified Accountant Letter. The cover page must be clearly addressed to the Confirming Person.
(2) Confirmation Response: the ARP will receive a response to the Confirmation Request from a Confirming Person that confirms the particular fact in issue. Such response may be provided to Digi-Sign by telephone, by e-mail, or by paper mail, so long as Digi-Sign can reliably verify that it was provided by a Confirming Person in response to the Confirmation Request.
(d) Qualified Independent Information Sources [QIIS]. A regularly-updated and current online publicly available database designed for the purpose of accurately providing the information for which it is consulted, and which is generally recognised as a dependable source of such information. A Commercial database is QIIS if the following are true:
(1) data that will be relied upon has been independently verified by other independent information sources;
(2) the database distinguishes between self-reported data and data reported by independent information sources;
(3) the database provider identifies how frequently they update the information in their database;
(4) changes in the data that will be relied upon will be reflected in the database in no more than 12 months; and
(5) the database provider uses authoritative sources independent of the subject or multiple corroborated sources to which the data pertains.
Databases in which the ARP or its owners or affiliated companies maintain a controlling interest, or in which any registration agents [RAs] or subcontractors to whom Digi-Sign has outsourced any portion of the vetting process (or their owners or affiliated companies) maintain any ownership or beneficial interest, do not qualify as a QIIS. Digi-Sign may check the accuracy of the database and ensure its data is acceptable.
(e) Qualified Government Information Source [QGIS]. A regularly-updated and current online publicly available database designed for the purpose of accurately providing the information for which it is consulted, and which is generally recognised as a dependable source of such information provided they are maintained by a Government Entity, the reporting of data is required by law and false or misleading reporting is punishable with criminal or civil penalties.
4.2.10 Other Verification Requirements
(a) High Risk Status
(1) Verification Requirements. The ARP will seek to identify Applicants likely to be at a high risk of being targeted for fraudulent attacks (“High Risk Applicants”), and conduct such additional verification activity and take such additional precautions as are reasonably necessary to ensure that such Applicants are properly verified under these guidelines.
(2) Acceptable Methods of Verification. The ARP may identify High Risk Applicants by checking appropriate lists of organisation names that are most commonly targeted in phishing and other fraudulent schemes, and automatically flagging Certificate Requests from Applicants named on these lists for further scrutiny before issuance. Examples of such lists include:
(A) Lists of phishing targets published by the Anti-Phishing Working Group [APWG]; and
(B) Internal databases maintained by the ARP that include previously revoked Certificates and previously rejected Certificate Requests due to suspected phishing or other fraudulent usage.
The information should then be used to flag suspicious new Certificate Requests. If an Applicant is flagged as a High Risk Applicant, the ARP will perform reasonably appropriate additional authentication and verification to be certain beyond reasonable doubt that the Applicant and the target in question are the same organisation.
(b) Denied Lists and Other Legal Black Lists
(1) Verification Requirements. The ARP will verify whether the Applicant, the Contract Signer or Certificate Approver, or the Applicant’s Jurisdiction of Incorporation or Place of Business:
(a) Is identified on any government denied list, list of prohibited persons, or other list that prohibits doing business with such organisation or person under the laws of the country of the ARP’s jurisdiction(s) of operation; and
(b) Has its Jurisdiction of Incorporation or Place of Business in any country with which the laws of the ARP’s jurisdiction prohibit doing business.
The ARP will not issue any Certificate to the Applicant if either the Applicant, the Contract Signer, or Certificate Approver or if the Applicant’s Jurisdiction of Incorporation or Place of Business is on any such list.
(2) Acceptable Methods of Verification. The ARP will take reasonable steps to verify with the following lists and regulations:
If the ARP has operations in the U.S., the ARP will take reasonable steps to verify with the following US Government Denied lists and regulations:
(A) BIS Denied Persons List - http://www.bis.doc.gov/dpl/thedeniallist.asp
(B) BIS Denied Entities List - http://www.bis.doc.gov/Entities/Default.htm
(C) US Treasury Department List of Specially Designated Nationals and Blocked Persons - http://www.treas.gov/ofac/t11sdn.pdf
(D) US Government export regulations
(3) If the ARP has operations in any country other than the US, the ARP may take reasonable steps to verify with all equivalent denied lists and export regulations (if any) in such other country.
4.2.11 Final Cross-Correlation and Due Diligence
(a) The results of the verification processes and procedures outlined in this CPS and these guidelines are intended to be viewed both individually and as a group. Thus, after all of the verification processes and procedures are completed, the ARP will have a person who is not responsible for the collection of information review all of the information and documentation assembled in support of the Certificate and look for discrepancies or other details requiring further explanation except for Subscriber Certificates approved by an Enterprise RA.
(b) The ARP will obtain and document further explanation or clarification from the Applicant, Certificate Approver, Certificate Requester, Qualified Independent Information Sources, and/or other sources of information, as necessary to resolve the discrepancies or details requiring further explanation.
(c) The ARP will refrain from issuing a Certificate until the entire corpus of information and documentation assembled in support of the Certificate is such that issuance of the Certificate will not communicate inaccurate factual information that the ARP knows, or by the exercise of due diligence should discover, from the assembled information and documentation. If satisfactory explanation and/or additional documentation are not received within a reasonable time, Digi-Sign may decline the Certificate Request and notify the Applicant accordingly.
(d) The ARP will perform the requirements of this Final Cross-Correlation and Due Diligence section 4.2.11 through employees under its control and having appropriate training, experience, and judgment in confirming organisational identification and authorisation. Notwithstanding the foregoing, in the case of Enterprise Certificates to be issued in compliance with the requirements of Section 30 of these guidelines, the Enterprise RA may perform the requirements of this Final Cross-Correlation and Due Diligence section.
4.3 Validation Information for Certificate Applications
Applications for the ARP certificates are supported by appropriate documentation to establish the identity of an applicant.
From time to time, the ARP may modify the requirements related to application information for individuals, to respond to the ARP’s requirements, the business context of the usage of a digital certificate, or as prescribed by law.
4.3.1 Application Information for Organisational Applicants
Application information shall include, but not be limited to, the following information:
a) Organisation Name: Applicant’s formal legal organisation name to be included in Certificate, as recorded with the Incorporating Agency in Applicant’s Jurisdiction of Incorporation (for Private Organisations), or as specified in the law of Applicant’s Jurisdiction of Incorporation (for Government Entities);
b) Assumed Name (Optional): Applicant’s assumed name (e.g., d/b/a name) to be included in the Certificate, as recorded in the jurisdiction of Applicant’s Place of Business, if applicable;
c) Domain Name: Applicant’s domain name to be included in the Certificate;
d) Jurisdiction of Incorporation: Applicant’s Jurisdiction of Incorporation to be included in the Certificate, and consisting of:
i. City or town (if any),
ii. State or province (if any), and
iii. Country.
e) Incorporating Agency: The name of the Applicant’s Incorporating Agency;
f) Registration Number: The unique registration number assigned to Applicant by the Incorporating Agency in Applicant’s Jurisdiction of Incorporation and to be included in the Certificate (for Private Organisation Applicants only).
g) Applicant Address: The address of Applicant’s Place of Business, including –
i. Building number and street,
ii. City or town,
iii. State or province (if any),
iv. Country,
v. Postal code or zip code, and
vi. Main telephone number.
h) Certificate Approver: Name and contact information of the Certificate Approver submitting and signing, or that has authorised the Certificate Requester to submit and sign, the Certificate Application on behalf of the Applicant; and
i) Certificate Requester: Name and contact information of the Certificate Requester submitting the Certificate Request on behalf of the Applicant, if other than the Certificate Approver.
The following elements are critical information elements for a Digi-Sign certificate issued to an Organisation.
4.3.2 Validity Period for Validated Data
The maximum validity period for validated data that can be used to support issuance of a Certificate (before revalidation is required) is as follows:
a) Legal existence and identity – three (3) years;
b) Assumed name – three (3) years;
c) Address of Place of Business – three (3) years, but thereafter data may be refreshed by checking a Qualified Independent Information Source, even where a site visit was originally required;
d) Telephone number for Place of Business – three (3) years;
e) Bank account verification – three (3) years;
f) Domain name – three (3) years;
g) Identity and authority of Certificate Approver – three (3) years, unless a contract is in place between the ARP and the Applicant that specifies a different term, in which case, the term specified in such contract will control. For example, the contract may use terms that allow the assignment of roles that are perpetual until revoked, or until the contract expires or is terminated.
4.3.3 Reuse and Updating Information and Documentation
The ARP may issue multiple Certificates listing the same Subject and based on a single Certificate Request, subject to the aging and updating requirement in (b) below.
a) Each Certificate issued by the ARP will be supported by a valid current Certificate Request and a Subscriber Agreement signed by the Applicant Representative on behalf of the Applicant.
b) The age of information used by the ARP to verify such a Certificate Request will not exceed the Maximum Validity Period for such information set forth in these guidelines, based on the earlier of the date the information was obtained (e.g., the date of a confirmation phone call) or the date the information was last updated by the source (e.g., if an online database was accessed by the ARP on July 1, but contained data last updated by the vendor on February 1, then the date of information would be considered to be February 1).
c) In the case of outdated information, the ARP will repeat the verification processes required as set out in these guidelines.
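Added example (not part of the Digi-Sign CPS or any ARP tooling): a sketch of how the aging rule in 4.3.3 b) combines with the maximum validity periods in 4.3.2 to decide which evidence must be re-verified before issuance. The category keys, the `Evidence` record, the reading of "three years" as calendar years (29 February clamped to 28 February), and modelling a contract term as an end date are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Section 4.3.2 a) to g): each category has a three-year maximum (assumed key names).
MAX_VALIDITY_YEARS = {
    "legal_existence": 3, "assumed_name": 3, "place_of_business_address": 3,
    "place_of_business_phone": 3, "bank_account": 3, "domain_name": 3,
    "certificate_approver": 3,
}

@dataclass
class Evidence:                               # hypothetical record kept per verified item
    category: str
    obtained: date                            # date the ARP obtained the information
    source_updated: Optional[date] = None     # date the source last updated it, if known
    contract_expiry: Optional[date] = None    # 4.3.2 g): contract term, if one controls

def add_years(d: date, years: int) -> date:
    """Calendar-year addition; 29 Feb falls back to 28 Feb (conservative assumption)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def information_date(ev: Evidence) -> date:
    """4.3.3 b): the earlier of the date obtained and the source's last update."""
    if ev.source_updated is None:
        return ev.obtained
    return min(ev.obtained, ev.source_updated)

def usable_until(ev: Evidence) -> date:
    """Last day on which this evidence may still support issuance."""
    if ev.category not in MAX_VALIDITY_YEARS:
        raise ValueError(f"no validity period defined for {ev.category!r}")
    # 4.3.2 g): a contract between the ARP and the Applicant overrides the default term.
    if ev.category == "certificate_approver" and ev.contract_expiry is not None:
        return ev.contract_expiry
    return add_years(information_date(ev), MAX_VALIDITY_YEARS[ev.category])

def needs_revalidation(evidence: List[Evidence], issuance: date) -> List[str]:
    """Categories whose age on the issuance date exceeds the maximum (4.3.3 c))."""
    return sorted(ev.category for ev in evidence if issuance > usable_until(ev))

if __name__ == "__main__":
    # Constructed sample: database read on 1 July, vendor data last updated 1 February.
    file = [
        Evidence("place_of_business_address", date(2023, 7, 1), date(2023, 2, 1)),
        Evidence("domain_name", date(2023, 7, 1)),
        Evidence("certificate_approver", date(2020, 1, 1),
                 contract_expiry=date(2030, 1, 1)),
    ]
    print(needs_revalidation(file, date(2026, 3, 1)))
```

For the constructed file, the address evidence is stale on 1 March 2026 even though it was collected less than three years earlier, because the source's own update date governs.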
4.4 Validation Requirements for Certificate Applications
Upon receipt of an application for a digital certificate and based on the submitted information, Digi-Sign confirms the following information:
(1) Applicant’s existence and identity, including:
a. Applicant’s legal existence and identity (as established with an Incorporating Agency);
b. Applicant’s physical existence (business presence at a physical address); and
c. Applicant’s operational existence (business activity);
(2) Applicant is a registered holder or has exclusive control of the domain name to be included in the Certificate;
(3) Applicant’s authorisation for the Certificate, including:
a. the name, title, and authority of the Contract Signer, Certificate Approver, and Certificate Requester;
b. that Contract Signer signed the Subscriber Agreement; and
c. that a Certificate Approver has signed or otherwise approved the Certificate Request.
For all Digi-Sign Certificates, the subscriber has a continuous obligation to monitor the accuracy of the submitted information and notify Digi-Sign of any changes that would affect the validity of the certificate. Failure to comply with the obligations as set out in the subscriber agreement will result in the revocation of the Subscriber's Digital Certificate without further notice to the Subscriber, and the Subscriber shall pay any Charges that are payable but have not yet been paid under the Agreement.