3. Identification and Authentication
3.1.8 Authentication of Organization Identity
3.1.8.1 Authentication of the Identity of Organizational End-User Subscribers (Class 3)
The identity of organizational end-user Subscribers and other enrollment information provided by Certificate Applicants (except for Nonverified Subscriber Information) shall be confirmed in accordance with the procedures set forth in VeriSign’s documented Validation Procedures.
Affiliates’ procedures for the authentication of organizational identity shall be submitted to VeriSign for approval, and such approval shall be a condition of an Affiliate beginning its operations as CA or RA to approve Certificate Applications for or issue Class 3 organizational Certificates. In addition to the procedures below, the Certificate Applicant must demonstrate that it rightfully holds the private key corresponding to the public key to be listed in the Certificate in accordance with CP § 3.1.7.
3.1.8.1.1 Authentication for Retail Organizational Certificates
Confirmation of the identity of a Certificate Applicant for a Retail organizational Certificate shall include:
• A determination that the organization exists by using at least one third party identity proofing service or database, or alternatively, organizational documentation issued by or filed with the applicable government that confirms the existence of the organization,
• In the case of server Certificates, a determination that the Certificate Applicant is the record owner of the domain name of the server that is the Subject of the Certificate or is otherwise authorized to use the domain,
• A confirmation by telephone, confirmatory postal mail, or comparable procedure to the Certificate Applicant to confirm certain information about the organization, confirm that the organization has authorized the Certificate Application, and confirm that the person submitting the Certificate Application on behalf of the Certificate Applicant is authorized to do so, and
• In the case of Global Server IDs, the additional checks necessary to satisfy United States export regulations and licenses issued by the United States Department of Commerce Bureau of Industry and Science (“BIS”) (formerly known as the Bureau of Export Administration (“BXA”)).
3.1.8.1.2 Authentication for Managed PKI for SSL or Managed PKI for SSL Premium Edition
With respect to Managed PKI for SSL Customers and Managed PKI for SSL Premium Edition Customers, the identity confirmation process begins with VeriSign’s or an Affiliate’s confirmation of the identity of the Managed PKI for SSL Customer or Managed PKI for SSL Premium Edition Customer itself in accordance with CP § 3.1.8.2. Following such confirmation, the Managed PKI for SSL Customer or Managed PKI for SSL Premium Edition Customer is responsible for approving the issuance of Certificates to servers within its own organization by:
• Ensuring that the server designated as the Subject of a Secure Server ID or Global Server ID actually exists, and
• Ensuring the organization has authorized the issuance of a Secure Server ID or Global Server ID to the server.
3.1.8.1.3 Authentication for Class 3 Organizational ASB Certificates
Confirmation of the identity of a Certificate Applicant for a Class 3 Organizational ASB Certificate shall include:
• A determination that the organization exists by using at least one third party identity proofing service or database, or alternatively, organizational documentation issued by or filed with the applicable government that confirms the existence of the organization,
• A confirmation by telephone, confirmatory postal mail, and/or comparable procedure to the Certificate Applicant to confirm certain information about the organization, confirm that the organization has authorized the Certificate Application, confirm the employment of the representative submitting the Certificate Application on behalf of the Certificate Applicant, and confirm the authority of the representative to act on behalf of the Certificate Applicant, and
• A confirmation by telephone, confirmatory postal mail, and/or comparable procedure to the Certificate Applicant’s representative to confirm that the person named as representative has submitted the Certificate Application.
3.1.8.2 Authentication of the Identity of CAs and RAs (Class 1-3)
Affiliates, Managed PKI Customers, Gateway Customers, and ASB Customers, before becoming CAs or RAs, enter into an agreement with an entity above them within the Class 1, 2, or 3 VTN hierarchy (the “Superior Entity”) or a Universal Service Center or Reseller marketing on behalf of VeriSign or an Affiliate. The table below shows the possible Superior Entities corresponding to each CA Certificate Applicant.
CA or RA | Superior Entity
Processing Center | VeriSign
Service Center | Processing Center
Managed PKI Customer or Gateway Customer | Processing Center or Service Center
ASB Customer | ASB Provider
Table 6 – CAs and RAs and Their Superior Entities
The Superior Entity shall authenticate the identity of the prospective Affiliate, Managed PKI Customer, Gateway Customer, or ASB Customer before final approval of its status as CA or RA, except where VeriSign or an Affiliate delegates such responsibility to a Universal Service Center or Reseller. Where such delegation has occurred, the Universal Service Center or Reseller shall authenticate the identity of the prospective Managed PKI Customer. For purposes of the CP, however, VeriSign or the Affiliate remains the Superior Entity, rather than the Universal Service Center or Reseller. Affiliates’ procedures for the authentication of the organizational identity of Managed PKI Customers, Gateway Customers, and ASB Customers shall be submitted to VeriSign for approval, and such approval is a condition of an Affiliate beginning its operations as a provider of Managed PKI, Gateway, or Authentication Service Bureau services, as the case may be. Universal Service Centers’ and Resellers’ procedures for such authentication of organizational identity shall be submitted to VeriSign or the applicable Affiliate, and such approval is a condition of a Universal Service Center or Reseller beginning its operations as a provider of Managed PKI or Authentication Service Bureau services, as the case may be.
The identity of Affiliates, Managed PKI Customers, Gateway Customers, and ASB Customers shall be confirmed either by:
• The personal appearance of an authorized representative of the organization before authorized personnel of the organization’s Superior Entity, a Universal Service Center, or Reseller, coupled with authorization procedures to ensure the confirmation of the organization and the authority of its personnel, or
• In the case of VeriSign or an Affiliate confirming the identity of Managed PKI Customers, Gateway Customers, and ASB Customers, the procedures set forth in the Affiliate Practices Legal Requirements Guidebook or, in the case of Universal Service Centers or Resellers confirming the identity of Managed PKI Customers or ASB Customers, the VeriSign or Affiliate requirements placed on Universal Service Centers and Resellers. These procedures include:
o The checks required for the confirmation of the identity of organizational end-user Subscribers under CP § 3.1.8.1, except that instead of a Certificate Application, the validation is of an application to become a Managed PKI Customer, Gateway Customer, or ASB Customer, and
o In the case of Managed PKI Customers or Gateway Customers, confirming that the person identified as Managed PKI Administrator or Gateway Administrator is authorized to act in the capacity.