From 8e7fc7d5cac0cc27c44fe2aa88cf45f5606f4b94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Mon, 4 Mar 2024 16:52:43 +0100 Subject: [PATCH 01/16] SC68: Allow VATEL and VATXI (#478) * Allow VATEL for organizationIdentifier (#473) * Remove white space and fix an internal document reference. * Formatting improvements in Appendix H * Allow Greece to use "EL" for the "VAT" Registration scheme as allowed in [Council Directive 2006/112/EC](https://eur-lex.europa.eu/eli/dir/2006/112/oj), article 215. * Fix formatting issues. * Fix formatting issues. * Improved language for allowing "EL" for the tax authorities of Greece. * Improved language for allowing current and future ISO 3166 exceptions for the country prefix of tax authorities. * Update EVG.md Apply ballot SC68 * Update EVG.md Updated date of the document --------- Co-authored-by: Dimitris Zacharopoulos --- docs/EVG.md | 50 +++++++++----------------------------------------- 1 file changed, 9 insertions(+), 41 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index 4f1d5df91..365cb8132 100644 --- a/docs/EVG.md +++ b/docs/EVG.md @@ -1,11 +1,11 @@ --- title: Guidelines for the Issuance and Management of Extended Validation Certificates -subtitle: Version 1.8.0 +subtitle: Version 1.8.1 author: - CA/Browser Forum -date: 30 November, 2022 +date: 4 March, 2024 copyright: | - Copyright 2022 CA/Browser Forum + Copyright 2024 CA/Browser Forum This work is licensed under the Creative Commons Attribution 4.0 International license. --- @@ -70,6 +70,7 @@ The CA/Browser Forum is a voluntary open organization of certification authoriti | 1.7.8 | SC48 | Domain Name and IP Address Encoding | 22-Jul-2021 | 25-Aug-2021 | | 1.7.9 | SC54 | Onion Cleanup | 24-Mar-2022 | 23-Apr-2022 | | 1.8.0 | SC56 | 2022 Cleanup | 25-Oct-2022 | 30-Nov-2022 | +| 1.8.1 | SC68 | Allow VATEL and VATXI for organizationIdentifier | 1-Feb-2024 | 4-Mar-2024 | \* Effective Date and Additionally Relevant Compliance Date(s) @@ -531,7 +532,7 @@ The Registration Scheme MUST be identified using the using the following structu * a hyphen-minus "-" (0x2D (ASCII), U+002D (UTF-8)); * Registration Reference allocated in accordance with the identified Registration Scheme -Note: Registration References MAY contain hyphens, but Registration Schemes, ISO 3166 country codes, and ISO 3166-2 identifiers do not. Therefore if more than one hyphen appears in the structure, the leftmost hyphen is a separator, and the remaining hyphens are part of the Registration Reference. +Note: Registration References MAY contain hyphens, but Registration Schemes, ISO 3166 country codes, and ISO 3166-2 identifiers do not. Therefore if more than one hyphen appears in the structure, the leftmost hyphen is a separator, and the remaining hyphens are part of the Registration Reference. As in [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field), the specified location information MUST match the scope of the registration being referenced. @@ -1692,49 +1693,16 @@ END # Appendix H – Registration Schemes -The following Registration Schemes are currently recognized as valid under these -guidelines: +The following Registration Schemes are currently recognized as valid under these guidelines: * **NTR**: - The information carried in this field shall be the same as held in - Subject Registration Number Field as specified in - [Section 9.2.5](#925-subject-registration-number-field) and the country code - used in the Registration Scheme identifier shall match that of the - subject’s jurisdiction as specified in - [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field). - - Where the Subject Jurisdiction of Incorporation or Registration Field in 9.2.4 - includes more than the country code, the additional locality information shall - be included as specified in [Section 9.2.8](#928-subject-organization-identifier-field) - and/or [Section 9.8.2](#982-cabrowser-forum-organization-identifier-extension). + The information carried in this field shall be the same as held in Subject Registration Number Field as specified in [Section 9.2.5](#925-subject-registration-number-field) and the country code used in the Registration Scheme identifier shall match that of the subject’s jurisdiction as specified in [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field). Where the Subject Jurisdiction of Incorporation or Registration Field in 9.2.4 includes more than the country code, the additional locality information shall be included as specified in [Section 9.2.8](#928-subject-organization-identifier-field) and/or [Section 9.8.2](#982-cabrowser-forum-organization-identifier-extension). * **VAT**: - Reference allocated by the national tax authorities to a Legal Entity. This - information shall be validated using information provided by the national tax - authority against the organization as identified by the Subject Organization - Name Field (see [Section 9.2.1](#921-subject-organization-name-field)) and - Subject Registration Number Field (see - Section 9.2.5](#925-subject-registration-number-field)) within the context of - the subject’s jurisdiction as specified in - [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field). + Reference allocated by the national tax authorities to a Legal Entity. This information shall be validated using information provided by the national tax authority against the organization as identified by the Subject Organization Name Field (see [Section 9.2.1](#921-subject-organization-name-field)) and Subject Registration Number Field (see [Section 9.2.5](#925-subject-registration-number-field)) within the context of the subject’s jurisdiction as specified in [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field). For the purpose of identifying tax authorities, the country prefix described in article 215 of EU Council Directive 2006/112/EC, as amended, MAY be used instead of the ISO 3166 2-letter country codes. * **PSD**: - Authorization number as specified in ETSI TS 119 495 clause 4.4 - allocated to a payment service provider and containing the information as - specified in ETSI TS 119 495 clause 5.2.1. This information SHALL be - obtained directly from the national competent authority register for - payment services or from an information source approved by a government - agency, regulatory body, or legislation for this purpose. This information - SHALL be validated by being matched directly or indirectly (for example, by - matching a globally unique registration number) against the organization as - identified by the Subject Organization Name Field (see - [Section 9.2.1](#921-subject-organization-name-field)) and - Subject Registration Number Field (see - [Section 9.2.5](#925-subject-registration-number-field)) within the context of - the subject’s jurisdiction as specified in - [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field). - The stated address of the organization combined with the organization name - SHALL NOT be the only information used to disambiguate the organization. + Authorization number as specified in ETSI TS 119 495 clause 4.4 allocated to a payment service provider and containing the information as specified in ETSI TS 119 495 clause 5.2.1. This information SHALL be obtained directly from the national competent authority register for payment services or from an information source approved by a government agency, regulatory body, or legislation for this purpose. This information SHALL be validated by being matched directly or indirectly (for example, by matching a globally unique registration number) against the organization as identified by the Subject Organization Name Field (see [Section 9.2.1](#921-subject-organization-name-field)) and Subject Registration Number Field (see [Section 9.2.5](#925-subject-registration-number-field)) within the context of the subject’s jurisdiction as specified in [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field). The stated address of the organization combined with the organization name SHALL NOT be the only information used to disambiguate the organization. From a65402cff89affe1fc0a1f0e49807c7e42e1608a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Tue, 16 Apr 2024 15:50:51 +0200 Subject: [PATCH 02/16] Ballot SC-69: Clarify router and firewall logging requirements (#477) (#491) * Ballot SC-69: Clarify router and firewall logging requirements (#477) * Remove monitoring requirement for unused serial numbers * Change Firewall logging requirements * Typo correction * Add separate lists for do and don't for logging * Add additional controls * Typo corrections * Quote first usage * Incorporating feedback * Remove incorrect quote * Update BR as per SC69 publication change.md Changed version and date and added the new ballot at the end of section 1.2.1 --------- Co-authored-by: Martijn Katerbarg --- docs/BR.md | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/docs/BR.md b/docs/BR.md index c85365b1f..80a149e95 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -1,9 +1,9 @@ --- title: Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates -subtitle: Version 2.0.2 +subtitle: Version 2.0.3 author: - CA/Browser Forum -date: 8-January-2024 +date: 15-April-2024 copyright: | @@ -135,7 +135,7 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 2.0.0 | SC62 | Certificate Profiles Update | 22-Apr-2023 | 15-Sep-2023 | | 2.0.1 | SC63 | Make OCSP optional, require CRLs, and incentivize automation | 17-Aug-2023 | 15-Mar-2024 | | 2.0.2 | SC66 | 2023 Cleanup | 23-Nov-2023 | 8-Jan-2024 | - +| 2.0.3 | SC69 | Clarify router and firewall logging requirements | 13-March-2024 | 15-April-2024 | \* Effective Date and Additionally Relevant Compliance Date(s) @@ -1356,8 +1356,6 @@ For the status of Subordinate CA Certificates: If the OCSP responder receives a request for the status of a certificate serial number that is "unused", then the responder SHOULD NOT respond with a "good" status. If the OCSP responder is for a CA that is not Technically Constrained in line with [Section 7.1.2.3](#7123-technically-constrained-non-tls-subordinate-ca-certificate-profile) or [Section 7.1.2.5](#7125-technically-constrained-tls-subordinate-ca-certificate-profile), the responder MUST NOT respond with a "good" status for such requests. -The CA SHOULD monitor the OCSP responder for requests for "unused" serial numbers as part of its security response procedures. - The OCSP responder MAY provide definitive responses about "reserved" certificate serial numbers, as if there was a corresponding Certificate that matches the Precertificate [RFC6962]. A certificate serial number within an OCSP request is one of the following three options: @@ -1545,15 +1543,24 @@ The CA SHALL record at least the following events: 3. Security profile changes; 4. Installation, update and removal of software on a Certificate System; 5. System crashes, hardware failures, and other anomalies; - 6. Firewall and router activities; and + 6. Relevant router and firewall activities (as described in [Section 5.4.1.1](#5411-router-and-firewall-activities-logs)); and 7. Entries to and exits from the CA facility. -Log records MUST include the following elements: +Log records MUST include at least the following elements: 1. Date and time of event; -2. Identity of the person making the journal record; and +2. Identity of the person making the journal record (when applicable); and 3. Description of the event. +#### 5.4.1.1 Router and firewall activities logs + +Logging of router and firewall activities necessary to meet the requirements of Section 5.4.1, Subsection 3.6 MUST at a minimum include: + + 1. Successful and unsuccessful login attempts to routers and firewalls; and + 2. Logging of all administrative actions performed on routers and firewalls, including configuration changes, firmware updates, and access control modifications; and + 3. Logging of all changes made to firewall rules, including additions, modifications, and deletions; and + 4. Logging of all system events and errors, including hardware failures, software crashes, and system restarts. + ### 5.4.2 Frequency of processing audit log ### 5.4.3 Retention period for audit log From c4a34fe2292022e0a04ba66b5a85df75907ac2a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Fri, 19 Apr 2024 09:31:06 +0200 Subject: [PATCH 03/16] SC65: Convert EVGs into RFC 3647 format v2 (#440) (#493) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * SC65: Convert EVGs into RFC 3647 format v2 (#440) * Add files via upload * EVG.md * Update EVG.md * Create EVG original * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Delete EVG original * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG to match section 6 of the RFC 3647.md Updated section 1.1 from scope to overview Added section 3.2.1 for the possesion of the private key Changed totally/created new section 3.2.2 to cover all section 11 Moved section 8.1 to section 8 and renamed the others to meet RFC3647 Added the self-audits (8.1.1) under section 8.1 Left/created section 8.7 for pre/readiness audits which do not exist under RFC 3647 * Update EVG updating links.md 2 links were updated regarding section 8 * Update EVG.md Another link updated from 3.2.14.1 to 3.2.2.14.1 * Update branch for BRs pointing to new sections of EVGs (#476) * Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automatio… (#441) * Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automation / Short-Lived Certificates (#414) * Profiles WIP * Clarify AIA based on 2021-06-12 call AIA allows multiple methods, and multiple instances of each method. However, client implementations use the ordering to indicate priority, as per RFC 5280, so clarify the requirements for multiple AccessDescriptions with the same accessMethod. * Address basicConstraints for OCSP Responder feedback Rather than make basicConstraints MUST, make it a MAY, to allow omission (plus v3) or presence (but empty) to indicate that it is not a CA certificate. * Address the "any other value" situations with 7.1.2.4 language This adopts the language from 7.1.2.4 to the various extensibility points, by trying to explicitly clarify as appropriate as to what is permitted. * Fix the certificatePolicies mismatched highlighted by Corey * Change SHOULD NOT to NOT RECOMMENDED While RFC 2119 establishes that these two phrases are semantically equivalent, it's been suggested that this may resolve some anxiety around misinterpretations of SHOULD NOT as SHALL NOT, particularly by auditors. By changing this to NOT RECOMMENDED, the same guidance is preserved, but it hopefully makes it more palatable to CAs. See https://github.com/sleevi/cabforum-docs/pull/36/files#r856429830 for related discussion. * Remove dnsSRV and cleanup otherName handling This removes the (buggy) description of DNS SRV and leaves it overall as a SHOULD NOT and in scope of the (existing) 7.1.4.2 requirements. It also fixes up a typo (extension OID -> type-id) * Formatting fix * Move the Non-TLS EKU requirement into the Non-TLS profile Originally it was part of the common fields, when there were multiple variations of non-TLS CAs. However, as there is only a single reference to this section, fold it in to the non-TLS profile. This hopefully makes it clearer about the EKU requirements for non-TLS CAs (being what defines something as non-TLS), and reduces some confusion around non-TLS and TLS common sections. * Redo Certificate Policies for Non-TLS CAs The existing language was buggy, in that a link target was updated, but not the section heading. However, it was further buggy due to the interactions between Affiliated and Non-Affiliated CAs. This overhauls it in line with the November and F2F discussions; unlike many of the other extensions in this section (which are dictated by RFC 5280 as being mandatory for certain situations), certificatePolicies is not, so this is demoted to a MAY. However, the language from RFC 5280 does set out some guidance - such as not recommending that a policyQualifier be present - and so that requirement is preserved, under the argument that a non-TLS CA should still align with RFC 5280 if issued under a BR CA. This does *remove* an existing BR requirement, namely those inherited from Section 7.1.6.3, but since that seemed to align with the intent of the SCWG, this should be a positive change. * Naming Cleanup This moves the metadata prohibition and domain name prohibition from applying to all certificates to only applying to Subscriber certificates (and in particular, to IV/OV/EV). This also corrects the organizationalUnit name to reflect SC47v2. * Formatting & Section Heading fixes This fixes a few unnumbered sections (around validity periods) and adjusts the formatting for several tables to better accomodate the text. * Fix a bug in non-TLS technically constrained CAs For non-TLS CAs, don't allow them to assert the BR's CP OIDs, as the certificates will not be BR compliant. * Redo Certificate Policies This reworks the presentation and format of the certificatePolicies extensions, better aligning to the BRs, and hopefully providing sufficient clarity: Relaxations: - Reserved Policy OID is * no longer* required to be first, but is RECOMMENDED (SHOULD). - The separation of "Affiliated" and "Unaffiliated" for certificate policies is removed. This was introduced for Cross-Certified Sub-CAs, but resulted in some ambiguity about what happens when a Technically Constrained (non-TLS or nameConstraints) Sub-CA is operated by a non-Affiliated entity. The requirements around Affiliation are now folded into a common section, rather than being two sections. - Although not permitted by the current BRs, the cPSuri is now explicitly allowed for all certificate policies (_including_ for anyPolicy). - anyPolicy is now explicitly permitted (but NOT RECOMMENDED) for OCSP Responders - Reserved CABF OIDs are now explicitly permitted (but NOT RECOMMENDED) for OCSP Responders. Clarifications: - A note is added to the OCSP Responder section explaining that because CPs limit the validity and purposes of a certificate, it becomes possible to create an "invalid" responder that clients will reject (and thus also reject responses), and that this is part of the reason for forbidding. - For TLS certificates, the requirements for CPs for sub-CAs versus leaf certificates had a slightly different wording: whether a given CP needed to be documented by the CA (e.g. could be any policy, including a reserved CP or anyPolicy) or needed to be _defined_ and documented by the CA (i.e. must be from the CA's own OID arc). This harmonizes the language for TLS ("defined by"), while still leaving a fairly large carveout for non-TLS ("documented"). * Minor fixes and cleanups (#399) * Add order and encoding requirement for DC attribute * Remove overly specific Cross-cert requirement; fix serialNumber encoding * Clarify NC exclusion * Remove "Domain Name or IP Address" validation requirement for now Co-authored-by: Corey Bonnell * Integrate newer ballots (#406) * Update README (#294) Co-authored-by: Jos Purvis * Adjust the workflow file to build the actions (#296) This addresses a few requests that recently came up from the certificate profiles work: - Remove the explicit retention period (of 21 days) to allow the GitHub default of 90 days. - Change the generated ZIP file from being "BR.md-hash" to being "BR-hash". - Allow manually invoking the workflow (via workflow_dispatch), in the event folks want to re-run for a particular branch (e.g. profiles) - Attempt to resolve the "non-deterministic redline" noted by Jos. When a given commit is on cabforum/servercert, it may be both a commit (to a branch) and part of a pull request (to main). We want the pull request redline to be against main, while the commit redline to be against the previous commit. Because both jobs run, and both upload the same file name, this results in a non-deterministic clobbering, where the commit-redline may clobber the pr-redline. This changes the generated zip file to be "file-hash-event_type", so that it will generate redlines for both PRs and commits and attach both. * SC47 Sunset subject:organizationalUnitName (#282) (#290) * SC47 Sunset subject:organizationalUnitName (#282) * Deprecation of subject:organizationalUnitName * Update language to avoid confusion on the effective date This version updates SC47 to state "issued on or after September 1, 2022" and makes the EV Guidelines reference the BRs as suggested by Ryan Sleevi from Google. Co-authored-by: Paul van Brouwershaven Co-authored-by: Ryan Sleevi Co-authored-by: Jos Purvis * SC47 datefix (#298) * Update dates table * Update EVG.md Add SC47 reference to relevant dates table * Fixup section number in prior commit Co-authored-by: Jos Purvis Co-authored-by: Wayne Thayer * SC48 - Domain Name and IP Address Encoding (#285) (#302) * SC48 - Domain Name and IP Address Encoding (#285) * First pass * Add more RFC references, some wordsmithing * Another few fixes * Switch to use "LDH Labels" * Propose concrete effective date * Clarification about root zone trailing dot * Replace "label" with "Domain Label" throughout (#1) Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout Co-authored-by: Corey Bonnell Co-authored-by: Ryan Sleevi * Fix double negative * Fix redundant "if the" Co-authored-by: Corey Bonnell Co-authored-by: Ryan Sleevi Co-authored-by: Jos * Wrap xn-- to prevent ligaturization * SC48 - Domain Name and IP Address Encoding (#285) * First pass * Add more RFC references, some wordsmithing * Another few fixes * Switch to use "LDH Labels" * Propose concrete effective date * Clarification about root zone trailing dot * Replace "label" with "Domain Label" throughout (#1) Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout Co-authored-by: Corey Bonnell Co-authored-by: Ryan Sleevi * Fix double negative * Fix redundant "if the" Co-authored-by: Corey Bonnell Co-authored-by: Ryan Sleevi Co-authored-by: Jos * Wrap xn-- to prevent ligaturization * Update dates and version numbers Co-authored-by: Corey Bonnell Co-authored-by: Corey Bonnell Co-authored-by: Ryan Sleevi Co-authored-by: Jos Purvis * Ballot SC50 - Remove the requirements of 4.1.1 (#328) * SC50 - Remove the requirements of 4.1.1 (#323) * Bump cairosvg from 1.0.20 to 2.5.1 Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1. - [Release notes](https://github.com/Kozea/CairoSVG/releases) - [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst) - [Commits](https://github.com/Kozea/CairoSVG/compare/1.0.20...2.5.1) Signed-off-by: dependabot[bot] * Bump kramdown from 2.3.0 to 2.3.1 Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/gettalong/kramdown/releases) - [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page) - [Commits](https://github.com/gettalong/kramdown/commits) Signed-off-by: dependabot[bot] * Remove 4.1.1; persist compromised keys in 6.1.1.3 Remove section 4.1.1 from the BRs Explicitly require persistent access to compromised keys * Rebase based on upstream/main * Move System requirement to 6.1.1.3 * Add 4.1.1 as blank * Remove capitalization from 6.1.1.3 where terms are not defined * Re-add 'No stipulation.' to 4.1.1 * Remove change to 6.1.1.3 Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson * Update version and date table Co-authored-by: Clint Wilson Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson Co-authored-by: Jos Purvis * Ballot SC53: Sunset SHA-1 for OCSP signing (#330) (#338) * Sunset SHA-1 for OCSP signing (#330) * Sunset SHA-1 OCSP signing * Clarify necessity of both items * Standardize date format, fix year in effective date table Co-authored-by: Corey Bonnell * Update version, table, and date Co-authored-by: Corey Bonnell Co-authored-by: Corey Bonnell Co-authored-by: Jos Purvis * Bump actions/checkout from 2 to 3 (#342) Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v2...v3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Ballot SC51: Reduce and Clarify Log and Records Archival Retention Requirements (#347) * Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements (#336) * Bump cairosvg from 1.0.20 to 2.5.1 Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1. - [Release notes](https://github.com/Kozea/CairoSVG/releases) - [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst) - [Commits](https://github.com/Kozea/CairoSVG/compare/1.0.20...2.5.1) Signed-off-by: dependabot[bot] * Bump kramdown from 2.3.0 to 2.3.1 Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/gettalong/kramdown/releases) - [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page) - [Commits](https://github.com/gettalong/kramdown/commits) Signed-off-by: dependabot[bot] * Restructure parts of 5.4.x and 5.5.x * Use 'events' consistently in 5.4.1 * Forgot to remove "revocation" as condition for start of retention period of Subscriber Certificates. * Introduce possessive in 5.4.1 and 5.5.1 to better deliniate responsiblities of CAs using DTPs * Remove WIP title; * re-order list in 5.5.2; add 'or' clause to validation documentation archival list entry. * Incorporate feedback from Aaron and Dimitris in Servercert-wg Discussion Period Based on the feedback from Aaron here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003115.html) and here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003125.html), update 5.5.1 and 5.5.2. Based on the feedback from Dimitris here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003110.html), update 5.4.3 and 5.5.2. * Update link formatting in 5.4.1 The "Section" links throughout include the word "Section" in the link, except for in 5.4.1; this fixes that inconsistency. Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson * Update effective date and version number * Update ballot table in document * Fix date string Co-authored-by: Clint Wilson Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson Co-authored-by: Jos Purvis * Ballot SC54: Onion Cleanup (#369) * SC-54: Onion cleanup (#348) The voting on ballot SC54 has completed, and the ballot has passed. Voting Results Certificate Issuers votes total, with no abstentions: 18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa 0 No Votes 0 Abstentions Certificate Consumers 6 votes total, with no abstentions: 6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla 0 No votes 0 Abstentions Bylaw Requirements 1. Bylaw 2.3(f) requires: · A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose. This requirement was MET for Certificate Issuers and MET for Certificate Consumers. · At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted. This requirement was MET. 2. Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot. This requirement was MET. This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues. —— * Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains. * Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4. * Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6. * Addresses #240. Things are signed using private, not public keys. * Addresses #190, #191. According to https://github.com/cabforum/servercert/issues/191#issuecomment-827810409, effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way. * This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce. We agreed with Corey and Wayne to propose the removal of the requirement for the CA to *confirm* entropy. * Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting). * remove double space * Remove EVG Appendix F, introduce Onion Domain Name term * A few more minor tweaks * Fix numbering * Update for easier read. * Revert "Update for easier read." This reverts commit 1bac785b2fd6a3fe0957434f9d13b13a47d4d19b. Co-authored-by: Corey Bonnell * SC-54: Onion cleanup (#348) The voting on ballot SC54 has completed, and the ballot has passed. Voting Results Certificate Issuers votes total, with no abstentions: 18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa 0 No Votes 0 Abstentions Certificate Consumers 6 votes total, with no abstentions: 6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla 0 No votes 0 Abstentions Bylaw Requirements 1. Bylaw 2.3(f) requires: · A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose. This requirement was MET for Certificate Issuers and MET for Certificate Consumers. · At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted. This requirement was MET. 2. Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot. This requirement was MET. This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues. —— * Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains. * Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4. * Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6. * Addresses #240. Things are signed using private, not public keys. * Addresses #190, #191. According to https://github.com/cabforum/servercert/issues/191#issuecomment-827810409, effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way. * This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce. We agreed with Corey and Wayne to propose the removal of the requirement for the CA to *confirm* entropy. * Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting). * remove double space * Remove EVG Appendix F, introduce Onion Domain Name term * A few more minor tweaks * Fix numbering * Update for easier read. * Revert "Update for easier read." This reverts commit 1bac785b2fd6a3fe0957434f9d13b13a47d4d19b. Co-authored-by: Corey Bonnell * Update version numbers and dates Co-authored-by: Dimitris Zacharopoulos Co-authored-by: Corey Bonnell Co-authored-by: Jos Purvis * Integrate SC-48 CN requirements Co-authored-by: Jos Co-authored-by: Jos Purvis Co-authored-by: Ryan Sleevi Co-authored-by: Paul van Brouwershaven Co-authored-by: Ryan Sleevi Co-authored-by: Wayne Thayer Co-authored-by: Corey Bonnell Co-authored-by: Clint Wilson Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson Co-authored-by: Dimitris Zacharopoulos * Update BR.md Create dedicated branch and sync with "profiles" branch (as of Jan 17, 2023). * Update BR.md Address Comments: - https://github.com/cabforum/servercert/pull/402#discussion_r1040210458 (added "CRL") - https://github.com/cabforum/servercert/pull/414#discussion_r1073714166 (as suggested) * Align with BRs Inadvertent numbering change. * Update BR.md Add consideration for a phased reduction of short-lived subscriber certificate validity. (in response to https://github.com/cabforum/servercert/pull/414#discussion_r1073772243) * Update BR.md Cleaning-up proposal in advance of discussion. * Update EVG.md [clean-up diff, this file was not intentionally modified in the PR] * Update BR.md [clean-up] * Update BR.md [cleanup] * Update BR.md * Update BR.md * Update BR.md begin integrating SC-61 language. * integrate sc61 * Update BR.md continue tweaking to include sc61 * Update BR.md improve readability * Update BR.md * Update BR.md * Update BR.md * Update BR.md correct spelling error * Update BR.md * Update BR.md typo * Update BR.md * Update BR.md * Update BR.md * Improve specificity of CRL issuance frequency * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md Typo (thanks, Wendy!) * Update docs/BR.md Editorial Co-authored-by: Aaron Gable * Update docs/BR.md Editorial Co-authored-by: Aaron Gable * Update BR.md * Update BR.md * Update BR.md Address comment from Aaron: "I'm not in favor of allowing CRLs to remain non-updated for 7 days because that is a regression from current OCSP behavior. Section 4.9.10.(4) makes it so that updated revocation information is always available "no later than four days after the thisUpdate". Therefore, a CA operating in a CRLs-only mode should be required to update their CRLs at least once every 4 days." * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update docs/BR.md Co-authored-by: Dimitris Zacharopoulos * Update docs/BR.md Co-authored-by: Dimitris Zacharopoulos * Update BR.md "twenty four" -> "twenty-four" * Update BR.md * Add provision to handle nonces per RFC8954 * Update BR.md Improve readability. * Update BR.md * Update BR.md * Update BR.md CAs issuing CA certificates should publish a new CRL if _any_ certificate is revoked, not just CA certificates. This change is intended to force CRL publication in the event that a delegated OCSP responder's certificate was revoked (for example, due to key compromise). * Address comment from Rob * Clean up language * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Address formatting nits * Address table formatting nits. * Remove redundant language re: nextUpdate * Clarify use of "unspecified" CRL Reason Code * Clarify IDP * (Further) Clarify IDP * Update BR.md Make sure that where the word "Certificate" was introduced in this proposal, it is capitalized correctly. * Update BR.md Nits. --------- Co-authored-by: Ryan Sleevi Co-authored-by: Corey Bonnell Co-authored-by: Corey Bonnell Co-authored-by: Jos Co-authored-by: Jos Purvis Co-authored-by: Ryan Sleevi Co-authored-by: Paul van Brouwershaven Co-authored-by: Ryan Sleevi Co-authored-by: Wayne Thayer Co-authored-by: Clint Wilson Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson Co-authored-by: Dimitris Zacharopoulos Co-authored-by: Aaron Gable * Update BR.md --------- Co-authored-by: Ryan Dickson Co-authored-by: Ryan Sleevi Co-authored-by: Corey Bonnell Co-authored-by: Corey Bonnell Co-authored-by: Jos Co-authored-by: Jos Purvis Co-authored-by: Ryan Sleevi Co-authored-by: Paul van Brouwershaven Co-authored-by: Ryan Sleevi Co-authored-by: Wayne Thayer Co-authored-by: Clint Wilson Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson Co-authored-by: Dimitris Zacharopoulos Co-authored-by: Aaron Gable * Fall 2023 clean up (#460) * Issue#169 Issue #169 - updated 3.2.2.5.6 and 3.2.2.5.7 - added RFC 8738 in References * Issue #174 Issue #174 - Updated title in section 3.2.2.4.10 - Updated section 3.2.2.4.18 * Issue #337 Issue #337 - Updated title of the document to include TLS Server And also: - updated section 1.1, 1.2, 1.5 and 2.2 to be consistent with the new document name * Issue #423 Issue #423 Updated section 1.6.3 - removing version of the Webtrust and changing the link to redirect to all the documents published by CPA Canada - removing version of the NetSec and changing the link to redirect to the NetSec documents * Issue #430 Issue #430 Updated with the text suggested by Aaron as it´s the smallest change and clarifies the ambiguity of "reuse" * Issue #444 Issue #444 Added empty section 7.1.5 * Issue #450 Issue #450 Updated including link to the 6.2.7 section * Issue #453 Issue #453 Updated section as indicated * PR #415 PR #415 Updated title * Update BR.md Change order of "pending prohibition" and "P-label" in section 1.6.3 definitions to follow alpahabetical order * Update BR.md Updated version and changelog * Issue #461 Issue #461 Used 2 option for the update * Update docs/BR.md Co-authored-by: Corey Bonnell * Add line breaks in 7.1.2.11.2 According to #462 * Revert the change of the NSSR version Put back the version 1.7 in the NetSec * Update BR.md --------- Co-authored-by: Corey Bonnell --------- Co-authored-by: Ryan Dickson Co-authored-by: Ryan Sleevi Co-authored-by: Corey Bonnell Co-authored-by: Corey Bonnell Co-authored-by: Jos Co-authored-by: Jos Purvis Co-authored-by: Ryan Sleevi Co-authored-by: Paul van Brouwershaven Co-authored-by: Ryan Sleevi Co-authored-by: Wayne Thayer Co-authored-by: Clint Wilson Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson Co-authored-by: Dimitris Zacharopoulos Co-authored-by: Aaron Gable * Update BRs with the new EVGs section numbers.md Changed sections 3.2.2.4.7 and 7.1.2.7.5, updating the following: Section 3.2.2.4.7 EVG 11.14.3 to new 3.2.2.14.3 Section 7.1.2.7.5 EVG 9.2 to new 7.1.4.2 * Update EVG.md Updated section 7.1.2.2 to fix the link to section 7.1.4.2.8 --------- Co-authored-by: Martijn Katerbarg Co-authored-by: Ryan Dickson Co-authored-by: Ryan Sleevi Co-authored-by: Corey Bonnell Co-authored-by: Corey Bonnell Co-authored-by: Jos Co-authored-by: Jos Purvis Co-authored-by: Ryan Sleevi Co-authored-by: Paul van Brouwershaven Co-authored-by: Ryan Sleevi Co-authored-by: Wayne Thayer Co-authored-by: Clint Wilson Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson Co-authored-by: Dimitris Zacharopoulos Co-authored-by: Aaron Gable * Update EVG.md * Update BR.md Update of the TLS BRs with updated pointers to the new EVG sections * Update EVG.md Changed version and date of the EVGs and added the correspondent ballot number --------- Co-authored-by: Martijn Katerbarg Co-authored-by: Ryan Dickson Co-authored-by: Ryan Sleevi Co-authored-by: Corey Bonnell Co-authored-by: Corey Bonnell Co-authored-by: Jos Co-authored-by: Jos Purvis Co-authored-by: Ryan Sleevi Co-authored-by: Paul van Brouwershaven Co-authored-by: Ryan Sleevi Co-authored-by: Wayne Thayer Co-authored-by: Clint Wilson Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson Co-authored-by: Dimitris Zacharopoulos Co-authored-by: Aaron Gable --- docs/BR.md | 12 +- docs/EVG.md | 1657 ++++++++++++++++++++++---------------- docs/RFC3647_Template.md | 270 +++++++ 3 files changed, 1241 insertions(+), 698 deletions(-) create mode 100644 docs/RFC3647_Template.md diff --git a/docs/BR.md b/docs/BR.md index 80a149e95..e4dcc98e1 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -1,9 +1,11 @@ --- title: Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates -subtitle: Version 2.0.3 +subtitle: Version 2.0.4 author: - CA/Browser Forum -date: 15-April-2024 + +date: 17-April-2024 + copyright: | @@ -136,7 +138,7 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 2.0.1 | SC63 | Make OCSP optional, require CRLs, and incentivize automation | 17-Aug-2023 | 15-Mar-2024 | | 2.0.2 | SC66 | 2023 Cleanup | 23-Nov-2023 | 8-Jan-2024 | | 2.0.3 | SC69 | Clarify router and firewall logging requirements | 13-March-2024 | 15-April-2024 | - +| 2.0.4 | SC65 | Convert EVGs into RFC 3647 format | 15-March-2024 | 15-May-2024 | \* Effective Date and Additionally Relevant Compliance Date(s) @@ -767,7 +769,7 @@ Confirming the Applicant's control over the FQDN by confirming the presence of a If a Random Value is used, the CA SHALL provide a Random Value unique to the Certificate request and SHALL not use the Random Value after i. 30 days or - ii. if the Applicant submitted the Certificate request, the time frame permitted for reuse of validated information relevant to the Certificate (such as in [Section 4.2.1](#421-performing-identification-and-authentication-functions) of these Guidelines or Section 11.14.3 of the EV Guidelines). + ii. if the Applicant submitted the Certificate request, the time frame permitted for reuse of validated information relevant to the Certificate (such as in [Section 4.2.1](#421-performing-identification-and-authentication-functions) of these Guidelines or Section 3.2.2.14.3 of the EV Guidelines). **Note**: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the Domain Labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names. @@ -2384,7 +2386,7 @@ For a Subscriber Certificate to be Extended Validation, it MUST comply with the | __Field__ | __Requirements__ | | -- | ------- | -| `subject` | See Guidelines for the Issuance and Management of Extended Validation Certificates, Section 9.2. | +| `subject` | See Guidelines for the Issuance and Management of Extended Validation Certificates, Section 7.1.4.2. | | `certificatePolicies` | MUST be present. MUST assert the [Reserved Certificate Policy Identifier](#7161-reserved-certificate-policy-identifiers) of `2.23.140.1.1` as a `policyIdentifier`. See [Section 7.1.2.7.9](#71279-subscriber-certificate-certificate-policies). | | All other extensions | See [Section 7.1.2.7.6](#71276-subscriber-certificate-extensions) and the Guidelines for the Issuance and Management of Extended Validation Certificates. | diff --git a/docs/EVG.md b/docs/EVG.md index 365cb8132..340dc917f 100644 --- a/docs/EVG.md +++ b/docs/EVG.md @@ -1,17 +1,18 @@ --- title: Guidelines for the Issuance and Management of Extended Validation Certificates -subtitle: Version 1.8.1 + +subtitle: Version 2.0.0 author: - CA/Browser Forum -date: 4 March, 2024 +date: 17 April, 2024 copyright: | Copyright 2024 CA/Browser Forum + This work is licensed under the Creative Commons Attribution 4.0 International license. --- -# Introduction - +# 1. INTRODUCTION The Guidelines describe an integrated set of technologies, protocols, identity proofing, lifecycle management, and auditing practices specifying the minimum requirements that must be met in order to issue and maintain Extended Validation Certificates ("EV Certificates") concerning an organization. Subject Organization information from valid EV Certificates can then be used in a special manner by certain relying-party software applications (e.g., browser software) in order to provide users with a trustworthy confirmation of the identity of the entity that controls the Web site or other services they are accessing. Although initially intended for use in establishing Web-based data communication conduits via TLS/SSL protocols, extensions are envisioned for S/MIME, time-stamping, VoIP, IM, Web services, etc. The primary purposes of Extended Validation Certificates are to: 1) identify the legal entity that controls a Web or service site, and 2) enable encrypted communications with that site. The secondary purposes include significantly enhancing cybersecurity by helping establish the legitimacy of an organization claiming to operate a Web site, and providing a vehicle that can be used to assist in addressing problems related to distributing malware, phishing, identity theft, and diverse forms of online fraud. @@ -24,8 +25,15 @@ The Guidelines for the Issuance and Management of Extended Validation Certificat The CA/Browser Forum is a voluntary open organization of certification authorities and suppliers of Internet browsers and other relying-party software applications. Membership is listed at . -## Document History +## 1.1 Overview +These Guidelines for the issuance and management of Extended Validation Certificates describe certain of the minimum requirements that a Certification Authority must meet in order to issue Extended Validation Certificates. Subject Organization information from Valid EV Certificates may be displayed in a special manner by certain relying-party software applications (e.g., browser software) in order to provide users with a trustworthy confirmation of the identity of the entity that controls the Web site they are accessing. These Guidelines incorporate the Baseline Requirements established by the CA/Browser Forum by reference. A copy of the Baseline Requirements is available on the CA/Browser Forum's website at . + +These Guidelines address the basic issue of validating Subject identity information in EV Certificates and some related matters. They do not address all of the related matters, such as certain technical and operational ones. This version of the Guidelines addresses only requirements for EV Certificates intended to be used for SSL/TLS authentication on the Internet and for code signing. Similar requirements for S/MIME, time-stamping, VoIP, IM, Web services, etc. may be covered in future versions. + +These Guidelines do not address the verification of information, or the issuance, use, maintenance, or revocation of EV Certificates by enterprises that operate their own Public Key Infrastructure for internal purposes only, where its Root CA Certificate is not distributed by any Application Software Supplier. +## 1.2 Document name and identification +### 1.2.1 Revisions | **Ver.** | **Ballot** | **Description** | **Adopted** | **Effective\*** | |-|-|-----|--|--| | 1.4.0 | 72 | Reorganize EV Documents | 29 May 2012 | 29 May 2012 | @@ -71,6 +79,7 @@ The CA/Browser Forum is a voluntary open organization of certification authoriti | 1.7.9 | SC54 | Onion Cleanup | 24-Mar-2022 | 23-Apr-2022 | | 1.8.0 | SC56 | 2022 Cleanup | 25-Oct-2022 | 30-Nov-2022 | | 1.8.1 | SC68 | Allow VATEL and VATXI for organizationIdentifier | 1-Feb-2024 | 4-Mar-2024 | +| 2.0.0 | SC65 | Convert EVGs into RFC 3647 format | 15-March-2024 | 15-May-2024 | \* Effective Date and Additionally Relevant Compliance Date(s) @@ -78,28 +87,42 @@ The CA/Browser Forum is a voluntary open organization of certification authoriti | **Compliance** | **Section(s)** | **Summary Description (See Full Text for Details)** | |--|--|----------| -| 2020-01-31 | [9.2.8](#928-subject-organization-identifier-field) | If subject:organizationIdentifier is present, the CA/Browser Forum Organization Identifier Extension MUST be present | -| 2020-09-01 | [9.4](#94-maximum-validity-period-for-ev-certificate) & Appendix F | Certificates issued MUST NOT have a Validity Period greater than 398 days. | -| 2020-10-01 | [11.1.3](#1113-disclosure-of-verification-sources) | Prior to using an Incorporating Agency or Registration Agency, the CA MUST ensure the agency has been publicly disclosed | -| 2022-09-01 | [9.2.7](#927-subject-organizational-unit-name-field) | CAs MUST NOT include the organizationalUnitName field in the Subject | +| 2020-01-31 | [9.2.8] | If subject:organizationIdentifier is present, the CA/Browser Forum Organization Identifier Extension MUST be present | +| 2020-09-01 | [9.4] & Appendix F | Certificates issued MUST NOT have a Validity Period greater than 398 days. | +| 2020-10-01 | [11.1.3] | Prior to using an Incorporating Agency or Registration Agency, the CA MUST ensure the agency has been publicly disclosed | +| 2022-09-01 | [9.2.7] | CAs MUST NOT include the organizationalUnitName field in the Subject | **Implementers' Note**: Version 1.3 of these EV Guidelines was published on 20 November 2010 and supplemented through May 2012 when version 1.4 was published. ETSI TS 102 042 and ETSI TR 101 564 Technical Report: Guidance on ETSI TS 102 042 for Issuing Extended Validation Certificates for Auditors and CSPs reference version 1.3 of these EV Guidelines, and ETSI Draft EN 319 411-1 references version 1.4. Version 1.4.5 of Webtrust(r) for Certification Authorities – Extended Validation Audit Criteria references version 1.4.5 of these EV Guidelines. As illustrated in the Document History table above, the CA/Browser Forum continues to improve relevant industry guidelines, including this document, the Baseline Requirements, and the Network and Certificate System Security Requirements. We encourage all CAs to conform to each revision on the date specified without awaiting a corresponding update to an applicable audit criterion. In the event of a conflict between an existing audit criterion and a guideline revision, we will communicate with the audit community and attempt to resolve any uncertainty. We will respond to implementation questions directed to questions@cabforum.org. Our coordination with compliance auditors will continue as we develop guideline revision cycles that harmonize with the revision cycles for audit criteria, the compliance auditing periods and cycles of CAs, and the CA/Browser Forum's guideline implementation dates. -# 1. Scope +## 1.3 PKI participants -These Guidelines for the issuance and management of Extended Validation Certificates describe certain of the minimum requirements that a Certification Authority must meet in order to issue Extended Validation Certificates. Subject Organization information from Valid EV Certificates may be displayed in a special manner by certain relying-party software applications (e.g., browser software) in order to provide users with a trustworthy confirmation of the identity of the entity that controls the Web site they are accessing. These Guidelines incorporate the Baseline Requirements established by the CA/Browser Forum by reference. A copy of the Baseline Requirements is available on the CA/Browser Forum's website at . +### 1.3.1 Certification authorities -These Guidelines address the basic issue of validating Subject identity information in EV Certificates and some related matters. They do not address all of the related matters, such as certain technical and operational ones. This version of the Guidelines addresses only requirements for EV Certificates intended to be used for SSL/TLS authentication on the Internet and for code signing. Similar requirements for S/MIME, time-stamping, VoIP, IM, Web services, etc. may be covered in future versions. +### 1.3.2 Registration authorities +The CA MAY delegate the performance of all or any part of a requirement of these Guidelines to an Affiliate or a Registration Authority (RA) or subcontractor, provided that the process employed by the CA fulfills all of the requirements of [Section 3.2.2.13](#32213-final-cross-correlation-and-due-diligence). +Affiliates and/or RAs must comply with the qualification requirements of [Section 5.3.2](#532-background-check-procedures). -These Guidelines do not address the verification of information, or the issuance, use, maintenance, or revocation of EV Certificates by enterprises that operate their own Public Key Infrastructure for internal purposes only, where its Root CA Certificate is not distributed by any Application Software Supplier. +The CA SHALL verify that the Delegated Third Party's personnel involved in the issuance of a Certificate meet the training and skills requirements of [Section 5.3](#53-personnel-controls) and the document retention and event logging requirements of [Section 5.4](#54-audit-logging-procedures). + +In all cases, the CA MUST contractually obligate each Affiliate, RA, subcontractor, and Enterprise RA to comply with all applicable requirements in these Guidelines and to perform them as required of the CA itself. The CA SHALL enforce these obligations and internally audit each Affiliate's, RA's, subcontractor's, and Enterprise RA's compliance with these Requirements on an annual basis. + +#### 1.3.2.1 Enterprise Registration authorities +The CA MAY contractually authorize a Subscriber to perform the RA function and authorize the CA to issue additional EV Certificates. In such case, the Subscriber SHALL be considered an Enterprise RA, and the following requirements SHALL apply: -# 2. Purpose +1. In all cases, the Subscriber MUST be an organization verified by the CA in accordance with these Guidelines; +2. The CA MUST impose these limitations as a contractual requirement with the Enterprise RA and monitor compliance by the Enterprise RA; and +3. The Final Cross-Correlation and Due Diligence requirements of [Section 3.2.2.13](#32213-final-cross-correlation-and-due-diligence) MAY be performed by a single person representing the Enterprise RA. -## 2.1. Purpose of EV Certificates +Enterprise RAs that authorize the issuance of EV Certificates solely for its own organization are exempted from the audit requirements of [Section 8](#8-compliance-audit-and-other-assessments). In all other cases, the requirements of [Section 8](#8-compliance-audit-and-other-assessments) SHALL apply. +### 1.3.3 Subscribers +### 1.3.4 Relying parties +### 1.3.5 Other participants +## 1.4 Certificate usage +### 1.4.1 Appropriate certificate uses EV Certificates are intended for establishing Web-based data communication conduits via the TLS/SSL protocols and for verifying the authenticity of executable code. -### 2.1.1. Primary Purposes +#### 1.4.1.1 Primary Purposes The primary purposes of an EV Certificate are to: @@ -107,7 +130,7 @@ The primary purposes of an EV Certificate are to: 2. **Enable encrypted communications with a Web site**: Facilitate the exchange of encryption keys in order to enable the encrypted communication of information over the Internet between the user of an Internet browser and a Web site. -### 2.1.2. Secondary Purposes +#### 1.4.1.2 Secondary Purposes The secondary purposes of an EV Certificate are to help establish the legitimacy of a business claiming to operate a Web site or distribute executable code, and to provide a vehicle that can be used to assist in addressing problems related to phishing, malware, and other forms of online identity fraud. By providing more reliable third-party verified identity and address information regarding the business, EV Certificates may help to: @@ -115,21 +138,23 @@ The secondary purposes of an EV Certificate are to help establish the legitimacy 2. Assist companies that may be the target of phishing attacks or online identity fraud by providing them with a tool to better identify themselves to users; and 3. Assist law enforcement organizations in their investigations of phishing and other online identity fraud, including where appropriate, contacting, investigating, or taking legal action against the Subject. -### 2.1.3. Excluded Purposes - +### 1.4.2 Prohibited certificate uses EV Certificates focus only on the identity of the Subject named in the Certificate, and not on the behavior of the Subject. As such, an EV Certificate is **not** intended to provide any assurances, or otherwise represent or warrant: 1. That the Subject named in the EV Certificate is actively engaged in doing business; 2. That the Subject named in the EV Certificate complies with applicable laws; 3. That the Subject named in the EV Certificate is trustworthy, honest, or reputable in its business dealings; or 4. That it is "safe" to do business with the Subject named in the EV Certificate. + +## 1.5 Policy administration +### 1.5.1 Organization administering the document +### 1.5.2 Contact person +### 1.5.3 Person determining CPS suitability for the policy +### 1.5.4 CPS approval procedures -# 3. References - -See Baseline Requirements, which are available at . - -# 4. Definitions +## 1.6 Definitions and acronyms +### 1.6.1 Definitions Capitalized Terms are defined in the Baseline Requirements except where provided below: **Accounting Practitioner**: A certified public accountant, chartered accountant, or a person with an equivalent license within the country of the Applicant's Jurisdiction of Incorporation or Registration or any jurisdiction where the Applicant maintains an office or physical facility; provided that an accounting standards body in the jurisdiction maintains full (not "suspended" or "associate") membership status with the International Federation of Accountants. @@ -215,9 +240,9 @@ Capitalized Terms are defined in the Baseline Requirements except where provided **Private Organization**: A non-governmental legal entity (whether ownership interests are privately held or publicly traded) whose existence was created by a filing with (or an act of) the Incorporating Agency or equivalent in its Jurisdiction of Incorporation. -**Qualified Auditor**: An independent public accounting firm that meets the auditing qualification requirements specified in [Section 17.6](#176-auditor-qualification). +**Qualified Auditor**: An independent public accounting firm that meets the auditing qualification requirements specified in [Section 8.2](#82-identityqualifications-of-assessor). -**Qualified Government Information Source**: A database maintained by a Government Entity (e.g. SEC filings) that meets the requirements of [Section 11.11.6](#11116-qualified-government-information-source). +**Qualified Government Information Source**: A database maintained by a Government Entity (e.g. SEC filings) that meets the requirements of [Section 3.2.2.11.6](#322116-qualified-government-information-source). **Qualified Government Tax Information Source**: A Qualified Governmental Information Source that specifically contains tax information relating to Private Organizations, Business Entities, or Individuals. @@ -254,11 +279,11 @@ Capitalized Terms are defined in the Baseline Requirements except where provided **Translator**: An individual or Business Entity that possesses the requisite knowledge and expertise to accurately translate the words of a document written in one language to the native language of the CA. -**Verified Accountant Letter**: A document meeting the requirements specified in [Section 11.11.2](#11112-verified-accountant-letter). +**Verified Accountant Letter**: A document meeting the requirements specified in [Section 3.2.2.11.2](#322112-verified-accountant-letter). -**Verified Legal Opinion**: A document meeting the requirements specified in [Section 11.11.1](#11111-verified-legal-opinion). +**Verified Legal Opinion**: A document meeting the requirements specified in [Section 3.2.2.11.1](#322111-verified-legal-opinion). -**Verified Method of Communication**: The use of a telephone number, a fax number, an email address, or postal delivery address, confirmed by the CA in accordance with [Section 11.5](#115-verified-method-of-communication) as a reliable way of communicating with the Applicant. +**Verified Method of Communication**: The use of a telephone number, a fax number, an email address, or postal delivery address, confirmed by the CA in accordance with [Section 3.2.2.5](#3225-verified-method-of-communication) as a reliable way of communicating with the Applicant. **Verified Professional Letter**: A Verified Accountant Letter or Verified Legal Opinion. @@ -268,8 +293,7 @@ Capitalized Terms are defined in the Baseline Requirements except where provided **WebTrust Seal of Assurance**: An affirmation of compliance resulting from the WebTrust Program for CAs. -# 5. Abbreviations and Acronyms - +### 1.6.2 Acronyms Abbreviations and Acronyms are defined in the Baseline Requirements except as otherwise defined herein: | **Acronym** | **Meaning** | @@ -294,45 +318,17 @@ Abbreviations and Acronyms are defined in the Baseline Requirements except as ot | SEC | (US Government) Securities and Exchange Commission | | UTC(k) | National realization of Coordinated Universal Time | -# 6. Conventions +### 1.6.3 References +See Baseline Requirements, which are available at . +### 1.6.4 Conventions Terms not otherwise defined in these Guidelines shall be as defined in applicable agreements, user manuals, certification practice statements (CPS), and certificate policies (CP) of the CA issuing EV Certificates. The key words "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in these Guidelines shall be interpreted in accordance with RFC 2119. By convention, this document omits time and timezones when listing effective requirements such as dates. Except when explicitly specified, the associated time with a date shall be 00:00:00 UTC. -# 7. Certificate Warranties and Representations - -## 7.1. EV Certificate Warranties - -When the CA issues an EV Certificate, the CA and its Root CA represent and warrant to the Certificate Beneficiaries listed in Section 9.6.1 of the Baseline Requirements, during the period when the EV Certificate is Valid, that the CA has followed the requirements of these Guidelines and its EV Policies in issuing and managing the EV Certificate and in verifying the accuracy of the information contained in the EV Certificate. The EV Certificate Warranties specifically include, but are not limited to, the following: - -A. **Legal Existence**: The CA has confirmed with the Incorporating or Registration Agency in the Subject's Jurisdiction of Incorporation or Registration that, as of the date the EV Certificate was issued, the Subject named in the EV Certificate legally exists as a valid organization or entity in the Jurisdiction of Incorporation or Registration; -B. **Identity**: The CA has confirmed that, as of the date the EV Certificate was issued, the legal name of the Subject named in the EV Certificate matches the name on the official government records of the Incorporating or Registration Agency in the Subject's Jurisdiction of Incorporation or Registration, and if an assumed name is also included, that the assumed name is properly registered by the Subject in the jurisdiction of its Place of Business; -C. **Right to Use Domain Name**: The CA has taken all steps reasonably necessary to verify that, as of the date the EV Certificate was issued, the Subject named in the EV Certificate has the right to use all the Domain Name(s) listed in the EV Certificate; -D. **Authorization for EV Certificate**: The CA has taken all steps reasonably necessary to verify that the Subject named in the EV Certificate has authorized the issuance of the EV Certificate; -E. **Accuracy of Information**: The CA has taken all steps reasonably necessary to verify that all of the other information in the EV Certificate is accurate, as of the date the EV Certificate was issued; -F. **Subscriber Agreement**: The Subject named in the EV Certificate has entered into a legally valid and enforceable Subscriber Agreement with the CA that satisfies the requirements of these Guidelines or, if they are affiliated, the Applicant Representative has acknowledged and accepted the Terms of Use; -G. **Status**: The CA will follow the requirements of these Guidelines and maintain a 24 x 7 online-accessible Repository with current information regarding the status of the EV Certificate as Valid or revoked; and -H. **Revocation**: The CA will follow the requirements of these Guidelines and revoke the EV Certificate for any of the revocation reasons specified in these Guidelines. - -## 7.2. By the Applicant - -EV Certificate Applicants make the commitments and warranties set forth in Section 9.6.3 of the Baseline Requirements for the benefit of the CA and Certificate Beneficiaries. - -# 8. Community and Applicability - -## 8.1. Issuance of EV Certificates - -The CA MAY issue EV Certificates, provided that the CA and its Root CA satisfy the requirements in these Guidelines and the Baseline Requirements. - -If a court or government body with jurisdiction over the activities covered by these Guidelines determines that the performance of any mandatory requirement is illegal, then such requirement is considered reformed to the minimum extent necessary to make the requirement valid and legal. This applies only to operations or certificate issuances that are subject to the laws of that jurisdiction. The parties involved SHALL notify the CA / Browser Forum of the facts, circumstances, and law(s) involved, so that the CA/Browser Forum may revise these Guidelines accordingly. - -## 8.2. EV Policies - -### 8.2.1. Implementation - +# 2. PUBLICATION AND REPOSITORY RESPONSIBILITIES Each CA must develop, implement, enforce, display prominently on its Web site, and periodically update as necessary its own auditable EV Certificate practices, policies and procedures, such as a Certification Practice Statement (CPS) and Certificate Policy (CP) that: A. Implement the requirements of these Guidelines as they are revised from time-to-time; @@ -344,1024 +340,1174 @@ B. Implement the requirements of C. Specify the CA's and its Root CA's entire root certificate hierarchy including all roots that its EV Certificates depend on for proof of those EV Certificates' authenticity. -### 8.2.2. Disclosure - -Each CA MUST publicly disclose its Certificate Policy and/or Certification Practice Statement through an appropriate and readily accessible online means that is available on a 24x7 basis. The CA SHALL publicly disclose its CA business practices to the extent required by the CA's selected audit scheme (see [Section 17.1](#171-eligible-audit-schemes)). +## 2.1 Repositories +## 2.2 Publication of certification information +Each CA MUST publicly disclose its Certificate Policy and/or Certification Practice Statement through an appropriate and readily accessible online means that is available on a 24x7 basis. The CA SHALL publicly disclose its CA business practices to the extent required by the CA's selected audit scheme (see [Section 8](#8-compliance-audit-and-other-assessments)). The CA's Certificate Policy and/or Certification Practice Statement MUST be structured in accordance with RFC 3647. The Certificate Policy and/or Certification Practice Statement MUST include all material required by RFC 3647. -## 8.3. Commitment to Comply with Recommendations - Each CA SHALL publicly give effect to these Guidelines and represent that they will adhere to the latest published version by incorporating them into their respective EV Policies, using a clause such as the following (which must include a link to the official version of these Guidelines): > [Name of CA] conforms to the current version of the CA/Browser Forum Guidelines for Issuance and Management of Extended Validation Certificates published at . In the event of any inconsistency between this document and those Guidelines, those Guidelines take precedence over this document. In addition, the CA MUST include (directly or by reference) the applicable requirements of these Guidelines in all contracts with Subordinate CAs, RAs, Enterprise RAs, and subcontractors that involve or relate to the issuance or maintenance of EV Certificates. The CA MUST enforce compliance with such terms. -## 8.4. Insurance +## 2.3 Time or frequency of publication +## 2.4 Access controls on repositories +# 3. IDENTIFICATION AND AUTHENTICATION +## 3.1 Naming +### 3.1.1 Types of names +### 3.1.2 Need for names to be meaningful +### 3.1.3 Anonymity or pseudonymity of subscribers +### 3.1.4 Rules for interpreting various name forms +### 3.1.5 Uniqueness of names +### 3.1.6 Recognition, authentication, and role of trademarks -Each CA SHALL maintain the following insurance related to their respective performance and obligations under these Guidelines: +## 3.2 Initial identity validation -A. Commercial General Liability insurance (occurrence form) with policy limits of at least two million US dollars in coverage; and +### 3.2.1 Method to prove possession of private key -B. Professional Liability/Errors and Omissions insurance, with policy limits of at least five million US dollars in coverage, and including coverage for: - i. claims for damages arising out of an act, error, or omission, unintentional breach of contract, or neglect in issuing or maintaining EV Certificates, and; - ii. claims for damages arising out of infringement of the proprietary rights of any third party (excluding copyright, and trademark infringement), and invasion of privacy and advertising injury. +### 3.2.2 Authentication of organization identity -Such insurance must be with a company rated no less than A- as to Policy Holder's Rating in the current edition of Best's Insurance Guide (or with an association of companies each of the members of which are so rated). +#### 3.2.2.1 Overview -A CA MAY self-insure for liabilities that arise from such party's performance and obligations under these Guidelines provided that it has at least five hundred million US dollars in liquid assets based on audited financial statements in the past twelve months, and a quick ratio (ratio of liquid assets to current liabilities) of not less than 1.0. +This part of the Guidelines sets forth Verification Requirements and Acceptable Methods of Verification for each such Requirement. -## 8.5. Obtaining EV Certificates +##### 3.2.2.1.1 Verification Requirements – Overview -### 8.5.1. General +Before issuing an EV Certificate, the CA MUST ensure that all Subject organization information to be included in the EV Certificate conforms to the requirements of, and is verified in accordance with, these Guidelines and matches the information confirmed and documented by the CA pursuant to its verification processes. Such verification processes are intended to accomplish the following: -The CA MAY only issue EV Certificates to Applicants that meet the Private Organization, Government Entity, Business Entity and Non-Commercial Entity requirements specified below. +1. Verify Applicant's existence and identity, including; -### 8.5.2. Private Organization Subjects + A. Verify the Applicant's legal existence and identity (as more fully set forth in [Section 3.2.2.2](#3222-verification-of-applicants-legal-existence-and-identity)), -An Applicant qualifies as a Private Organization if: + B. Verify the Applicant's physical existence (business presence at a physical address), and -1. The entity's legal existence is created or recognized by a by a filing with (or an act of) the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration (e.g., by issuance of a certificate of incorporation, registration number, etc.) or created or recognized by a Government Agency (e.g. under a charter, treaty, convention, or equivalent recognition instrument); + C. Verify the Applicant's operational existence (business activity). -2. The entity designated with the Incorporating or Registration Agency a Registered Agent, a Registered Office (as required under the laws of the Jurisdiction of Incorporation or Registration), or an equivalent facility; +2. Verify the Applicant is a registered holder, or has control, of the Domain Name(s) to be included in the EV Certificate; -3. The entity is not designated on the records of the Incorporating or Registration Agency by labels such as "inactive," "invalid," "not current," or the equivalent; +3. Verify a reliable means of communication with the entity to be named as the Subject in the Certificate; -4. The entity has a verifiable physical existence and business presence; +4. Verify the Applicant's authorization for the EV Certificate, including; -5. The entity's Jurisdiction of Incorporation, Registration, Charter, or License, and/or its Place of Business is not in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and + A. Verify the name, title, and authority of the Contract Signer, Certificate Approver, and Certificate Requester, -6. The entity is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. + B. Verify that a Contract Signer signed the Subscriber Agreement or that a duly authorized Applicant Representative acknowledged and agreed to the Terms of Use; and -### 8.5.3. Government Entity Subjects + C. Verify that a Certificate Approver has signed or otherwise approved the EV Certificate Request. -An Applicant qualifies as a Government Entity if: +##### 3.2.2.1.2 Acceptable Methods of Verification – Overview -1. The entity's legal existence was established by the political subdivision in which the entity operates; +As a general rule, the CA is responsible for taking all verification steps reasonably necessary to satisfy each of the Verification Requirements set forth in the subsections below. The Acceptable Methods of Verification set forth in each of Sections 3.2.2 through 3.2.14 (which usually include alternatives) are considered to be the minimum acceptable level of verification required of the CA. In all cases, however, the CA is responsible for taking any additional verification steps that may be reasonably necessary under the circumstances to satisfy the applicable Verification Requirement. -2. The entity is not in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and +##### 3.2.2.1.3 Disclosure of Verification Sources -3. The entity is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. +Effective as of 1 October 2020, prior to the use of an Incorporating Agency or Registration Agency to fulfill these verification requirements, the CA MUST publicly disclose Agency Information about the Incorporating Agency or Registration Agency. This disclosure SHALL be through an appropriate and readily accessible online means. -### 8.5.4. Business Entity Subjects +This Agency Information SHALL include at least the following: -An Applicant qualifies as a Business Entity if: +* Sufficient information to unambiguously identify the Incorporating Agency or Registration Agency (such as a name, jurisdiction, and website); and, +* The accepted value or values for each of the `subject:jurisdictionLocalityName` (OID: 1.3.6.1.4.1.311.60.2.1.1), `subject:jurisdictionStateOrProvinceName` (OID: 1.3.6.1.4.1.311.60.2.1.2), and `subject:jurisdictionCountryName` (OID: 1.3.6.1.4.1.311.60.2.1.3) fields, when a certificate is issued using information from that Incorporating Agency or Registration Agency, indicating the jurisdiction(s) that the Agency is appropriate for; and, +* The acceptable form or syntax of Registration Numbers used by the Incorporating Agency or Registration Agency, if the CA restricts such Numbers to an acceptable form or syntax; and, +* A revision history that includes a unique version number and date of publication for any additions, modifications, and/or removals from this list. -1. The entity is a legally recognized entity that filed certain forms with a Registration Agency in its jurisdiction, the Registration Agency issued or approved the entity's charter, certificate, or license, and the entity's existence can be verified with that Registration Agency; +The CA MUST document where to obtain this information within Section 3.2 of the CA's Certificate Policy and/or Certification Practice Statement. -2. The entity has a verifiable physical existence and business presence; +#### 3.2.2.2 Verification of Applicant's Legal Existence and Identity -3. At least one Principal Individual associated with the entity is identified and validated by the CA; +##### 3.2.2.2.1 Verification Requirements -4. The identified Principal Individual attests to the representations made in the Subscriber Agreement; +To verify the Applicant's legal existence and identity, the CA MUST do the following. -5. The CA verifies the entity's use of any assumed name used to represent the entity pursuant to the requirements of [Section 11.3](#113-verification-of-applicants-legal-existence-and-identity--assumed-name); +1. **Private Organization Subjects** -6. The entity and the identified Principal Individual associated with the entity are not located or residing in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and + A. **Legal Existence**: Verify that the Applicant is a legally recognized entity, in existence and validly formed (e.g., incorporated) with the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration, and not designated on the records of the Incorporating or Registration Agency by labels such as "inactive", "invalid", "not current", or the equivalent. + B. **Organization Name**: Verify that the Applicant's formal legal name as recorded with the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration matches the Applicant's name in the EV Certificate Request. + C. **Registration Number**: Obtain the specific Registration Number assigned to the Applicant by the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration. Where the Incorporating or Registration Agency does not assign a Registration Number, the CA SHALL obtain the Applicant's date of Incorporation or Registration. + D. **Registered Agent**: Obtain the identity and address of the Applicant's Registered Agent or Registered Office (as applicable in the Applicant's Jurisdiction of Incorporation or Registration). -7. The entity and the identified Principal Individual associated with the entity are not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. +2. **Government Entity Subjects** -### 8.5.5. Non-Commercial Entity Subjects + A. **Legal Existence**: Verify that the Applicant is a legally recognized Government Entity, in existence in the political subdivision in which such Government Entity operates. + B. **Entity Name**: Verify that the Applicant's formal legal name matches the Applicant's name in the EV Certificate Request. + C. **Registration Number**: The CA MUST attempt to obtain the Applicant's date of incorporation, registration, or formation, or the identifier for the legislative act that created the Government Entity. In circumstances where this information is not available, the CA MUST enter appropriate language to indicate that the Subject is a Government Entity. -An Applicant qualifies as a Non-Commercial Entity if: +3. **Business Entity Subjects** -1. The Applicant is an International Organization Entity, created under a charter, treaty, convention or equivalent instrument that was signed by, or on behalf of, more than one country's government. The CA/Browser Forum may publish a listing of Applicants who qualify as an International Organization for EV eligibility; and + A. **Legal Existence**: Verify that the Applicant is engaged in business under the name submitted by the Applicant in the Application. + B. **Organization Name**: Verify that the Applicant's formal legal name as recognized by the Registration Agency in the Applicant's Jurisdiction of Registration matches the Applicant's name in the EV Certificate Request. + C. **Registration Number**: Attempt to obtain the specific unique Registration Number assigned to the Applicant by the Registration Agency in the Applicant's Jurisdiction of Registration. Where the Registration Agency does not assign a Registration Number, the CA SHALL obtain the Applicant's date of Registration. + D. **Principal Individual**: Verify the identity of the identified Principal Individual. -2. The Applicant is not headquartered in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and +4. **Non-Commercial Entity Subjects (International Organizations)** -3. The Applicant is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. + A. **Legal Existence**: Verify that the Applicant is a legally recognized International Organization Entity. + B. **Entity Name**: Verify that the Applicant's formal legal name matches the Applicant's name in the EV Certificate Request. + C. **Registration Number**: The CA MUST attempt to obtain the Applicant's date of formation, or the identifier for the legislative act that created the International Organization Entity. In circumstances where this information is not available, the CA MUST enter appropriate language to indicate that the Subject is an International Organization Entity. -Subsidiary organizations or agencies of an entity that qualifies as a Non-Commercial Entity also qualifies for EV Certificates as a Non-Commercial Entity. +##### 3.2.2.2.2 Acceptable Method of Verification -# 9. EV Certificate Content and Profile +1. **Private Organization Subjects**: Unless verified under subsection (6), all items listed in [Section 3.2.2.2.1](#32221-verification-requirements) (1) MUST be verified directly with, or obtained directly from, the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration. Such verification MAY be through use of a Qualified Government Information Source operated by, or on behalf of, the Incorporating or Registration Agency, or by direct contact with the Incorporating or Registration Agency in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Incorporating or Registration Agency, or from a Qualified Independent Information Source. -This section sets forth minimum requirements for the content of the EV Certificate as they relate to the identity of the CA and the Subject of the EV Certificate. +2. **Government Entity Subjects**: Unless verified under subsection (6), all items listed in [Section 3.2.2.2.1](#32221-verification-requirements) (2) MUST either be verified directly with, or obtained directly from, one of the following: + i. a Qualified Government Information Source in the political subdivision in which such Government Entity operates; + ii. a superior governing Government Entity in the same political subdivision as the Applicant (e.g. a Secretary of State may verify the legal existence of a specific State Department), or + iii. from a judge that is an active member of the federal, state or local judiciary within that political subdivision. -## 9.1. Issuer Information + Any communication from a judge SHALL be verified in the same manner as is used for verifying factual assertions that are asserted by an Attorney as set forth in [Section 3.2.2.11.1](#322111-verified-legal-opinion). -Issuer Information listed in an EV Certificate MUST comply with Section 7.1.4.1 of the Baseline Requirements. + Such verification MAY be by direct contact with the appropriate Government Entity in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained from a Qualified Independent Information Source. -## 9.2. Subject Distinguished Name Fields +3. **Business Entity Subjects**: Unless verified under subsection (6), Items listed in [Section 3.2.2.2.1](#32221-verification-requirements) (3) (A) through (C) above, MUST be verified directly with, or obtained directly from, the Registration Agency in the Applicant's Jurisdiction of Registration. Such verification MAY be performed by means of a Qualified Government Information Source, a Qualified Governmental Tax Information Source, or by direct contact with the Registration Agency in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Qualified Governmental Tax Information Source or Registration Agency, or from a Qualified Independent Information Source. In addition, the CA MUST validate a Principal Individual associated with the Business Entity pursuant to the requirements in subsection (4), below. -Subject to the requirements of these Guidelines, the EV Certificate and certificates issued to Subordinate CAs that are not controlled by the same entity as the CA MUST include the following information about the Subject organization in the fields listed: +4. **Principal Individual**: A Principal Individual associated with the Business Entity MUST be validated in a face-to-face setting. The CA MAY rely upon a face-to-face validation of the Principal Individual performed by the Registration Agency, provided that the CA has evaluated the validation procedure and concluded that it satisfies the requirements of the Guidelines for face-to-face validation procedures. Where no face-to-face validation was conducted by the Registration Agency, or the Registration Agency's face-to-face validation procedure does not satisfy the requirements of the Guidelines, the CA SHALL perform face-to-face validation. -### 9.2.1. Subject Organization Name Field + A. **Face-To-Face Validation**: The face-to-face validation MUST be conducted before either an employee of the CA, a Latin Notary, a Notary (or equivalent in the Applicant's jurisdiction), a Lawyer, or Accountant (Third-Party Validator). The Principal Individual(s) MUST present the following documentation (Vetting Documents) directly to the Third-Party Validator: -__Certificate Field__: `subject:organizationName` (OID 2.5.4.10) -__Required/Optional__: Required -__Contents__: This field MUST contain the Subject's full legal organization name as listed in the official records of the Incorporating or Registration Agency in the Subject's Jurisdiction of Incorporation or Registration or as otherwise verified by the CA as provided herein. A CA MAY abbreviate the organization prefixes or suffixes in the organization name, e.g., if the official record shows "Company Name Incorporated" the CA MAY include "Company Name, Inc." + i. A Personal Statement that includes the following information: -When abbreviating a Subject's full legal name as allowed by this subsection, the CA MUST use abbreviations that are not misleading in the Jurisdiction of Incorporation or Registration. + 1. Full name or names by which a person is, or has been, known (including all other names used); + 2. Residential Address at which he/she can be located; + 3. Date of birth; and + 4. An affirmation that all of the information contained in the Certificate Request is true and correct. -In addition, an assumed name or DBA name used by the Subject MAY be included at the beginning of this field, provided that it is followed by the full legal organization name in parenthesis. + ii. A current signed government-issued identification document that includes a photo of the Individual and is signed by the Individual such as: -If the combination of names or the organization name by itself exceeds 64 characters, the CA MAY abbreviate parts of the organization name, and/or omit non-material words in the organization name in such a way that the text in this field does not exceed the 64-character limit; provided that the CA checks this field in accordance with [Section 11.12.1](#11121-high-risk-status) and a Relying Party will not be misled into thinking that they are dealing with a different organization. In cases where this is not possible, the CA MUST NOT issue the EV Certificate. + 1. A passport; + 2. A driver's license; + 3. A personal identification card; + 4. A concealed weapons permit; or + 5. A military ID. -### 9.2.2. Subject Common Name Field + iii. At least two secondary documentary evidences to establish his/her identity that include the name of the Individual, one of which MUST be from a financial institution. -__Certificate Field__: `subject:commonName` (OID: 2.5.4.3) -__Required/Optional__: Deprecated (Discouraged, but not prohibited) -__Contents__: If present, this field MUST contain a single Domain Name(s) owned or controlled by the Subject and to be associated with the Subject's server. Such server MAY be owned and operated by the Subject or another entity (e.g., a hosting service). This field MUST NOT contain a Wildcard Domain Name unless the FQDN portion of the Wildcard Domain Name is an Onion Domain Name verified in accordance with Appendix B of the Baseline Requirements. + 1. Acceptable financial institution documents include: -### 9.2.3. Subject Business Category Field + a. A major credit card, provided that it contains an expiration date and it has not expired' + b. A debit card from a regulated financial institution, provided that it contains an expiration date and it has not expired, + c. A mortgage statement from a recognizable lender that is less than six months old, + d. A bank statement from a regulated financial institution that is less than six months old. -__Certificate Field__: `subject:businessCategory` (OID: 2.5.4.15) -__Required/Optional__: Required -__Contents__: This field MUST contain one of the following strings: "Private Organization", "Government Entity", "Business Entity", or "Non-Commercial Entity" depending upon whether the Subject qualifies under the terms of [Section 8.5.2](#852-private-organization-subjects), [Section 8.5.3](#853-government-entity-subjects), [Section 8.5.4](#854-business-entity-subjects) or [Section 8.5.5](#855-non-commercial-entity-subjects), respectively. + 2. Acceptable non-financial documents include: -### 9.2.4. Subject Jurisdiction of Incorporation or Registration Field + a. Recent original utility bills or certificates from a utility company confirming the arrangement to pay for the services at a fixed address (not a mobile/cellular telephone bill), + b. A copy of a statement for payment of a lease, provided that the statement is dated within the past six months, + c. A certified copy of a birth certificate, + d. A local authority tax bill for the current year, + e. A certified copy of a court order, such as a divorce certificate, annulment papers, or adoption papers. -__Certificate Fields__: + The Third-Party Validator performing the face-to-face validation MUST: -Locality (if required): - `subject:jurisdictionLocalityName` (OID: 1.3.6.1.4.1.311.60.2.1.1) + i. Attest to the signing of the Personal Statement and the identity of the signer; and + ii. Identify the original Vetting Documents used to perform the identification. In addition, the Third-Party Validator MUST attest on a copy of the current signed government-issued photo identification document that it is a full, true, and accurate reproduction of the original. -State or province (if required): - `subject:jurisdictionStateOrProvinceName` (OID: 1.3.6.1.4.1.311.60.2.1.2) + B. **Verification of Third-Party Validator**: The CA MUST independently verify that the Third-Party Validator is a legally-qualified Latin Notary or Notary (or legal equivalent in the Applicant's jurisdiction), lawyer, or accountant in the jurisdiction of the Individual's residency, and that the Third-Party Validator actually did perform the services and did attest to the signature of the Individual. -Country: - `subject:jurisdictionCountryName` (OID: 1.3.6.1.4.1.311.60.2.1.3) + C. **Cross-checking of Information**: The CA MUST obtain the signed and attested Personal Statement together with the attested copy of the current signed government-issued photo identification document. The CA MUST review the documentation to determine that the information is consistent, matches the information in the application, and identifies the Individual. The CA MAY rely on electronic copies of this documentation, provided that: -__Required/Optional__: Required -__Contents__: These fields MUST NOT contain information that is not relevant to the level of the Incorporating Agency or Registration Agency. For example, the Jurisdiction of Incorporation for an Incorporating Agency or Jurisdiction of Registration for a Registration Agency that operates at the country level MUST include the country information but MUST NOT include the state or province or locality information. Similarly, the jurisdiction for the applicable Incorporating Agency or Registration Agency at the state or province level MUST include both country and state or province information, but MUST NOT include locality information. And, the jurisdiction for the applicable Incorporating Agency or Registration Agency at the locality level MUST include the country and state or province information, where the state or province regulates the registration of the entities at the locality level, as well as the locality information. Country information MUST be specified using the applicable ISO country code. State or province or locality information (where applicable) for the Subject's Jurisdiction of Incorporation or Registration MUST be specified using the full name of the applicable jurisdiction. + i. the CA confirms their authenticity (not improperly modified when compared with the underlying original) with the Third-Party Validator; and + ii. electronic copies of similar kinds of documents are recognized as legal substitutes for originals under the laws of the CA's jurisdiction. -Effective as of 1 October 2020, the CA SHALL ensure that, at time of issuance, the values within these fields have been disclosed within the latest publicly-available disclosure, as described in [Section 11.1.3](#1113-disclosure-of-verification-sources), as acceptable values for the applicable Incorporating Agency or Registration Agency. +5. **Non-Commercial Entity Subjects (International Organization)**: Unless verified under subsection (6), all items listed in [Section 3.2.2.2.1](#32221-verification-requirements) (4) MUST be verified either: -### 9.2.5. Subject Registration Number Field + A. With reference to the constituent document under which the International Organization was formed; or + B. Directly with a signatory country's government in which the CA is permitted to do business. Such verification may be obtained from an appropriate government agency or from the laws of that country, or by verifying that the country's government has a mission to represent it at the International Organization; or + C. Directly against any current list of qualified entities that the CA/Browser Forum may maintain at www.cabforum.org. + D. In cases where the International Organization applying for the EV Certificate is an organ or agency - including a non-governmental organization of a verified International Organization, then the CA may verify the International Organization Applicant directly with the verified umbrella International Organization of which the Applicant is an organ or agency. -__Certificate Field__: `subject:serialNumber` (OID: 2.5.4.5) -__Required/Optional__: __Required__ -__Contents__: For Private Organizations, this field MUST contain the Registration (or similar) Number assigned to the Subject by the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration, as appropriate. If the Jurisdiction of Incorporation or Registration does not provide a Registration Number, then the date of Incorporation or Registration SHALL be entered into this field in any one of the common date formats. +6. The CA may rely on a Verified Professional Letter to establish the Applicant's information listed in (1)-(5) above if: -For Government Entities that do not have a Registration Number or readily verifiable date of creation, the CA SHALL enter appropriate language to indicate that the Subject is a Government Entity. + i. the Verified Professional Letter includes a copy of supporting documentation used to establish the Applicant's legal existence, such as a certificate of registration, articles of incorporation, operating agreement, statute, or regulatory act, and + ii. the CA confirms the Applicant's organization name specified in the Verified Professional Letter with a QIIS or QGIS. -For Business Entities, the Registration Number that was received by the Business Entity upon government registration SHALL be entered in this field. For those Business Entities that register with an Incorporating Agency or Registration Agency in a jurisdiction that does not issue numbers pursuant to government registration, the date of the registration SHALL be entered into this field in any one of the common date formats. +#### 3.2.2.3 Verification of Applicant's Legal Existence and Identity – Assumed Name -Effective as of 1 October 2020, if the CA has disclosed a set of acceptable format or formats for Registration Numbers for the applicable Registration Agency or Incorporating Agency, as described in [Section 11.1.3](#1113-disclosure-of-verification-sources), the CA MUST ensure, prior to issuance, that the Registration Number is valid according to at least one currently disclosed format for that applicable Registration Agency or Incorporating agency. +##### 3.2.2.3.1 Verification Requirements -### 9.2.6. Subject Physical Address of Place of Business Field +If, in addition to the Applicant's formal legal name, as recorded with the applicable Incorporating Agency or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration, the Applicant's identity, as asserted in the EV Certificate, is to contain any assumed name (also known as "doing business as", "DBA", or "d/b/a" in the US, and "trading as" in the UK) under which the Applicant conducts business, the CA MUST verify that: -__Certificate Fields__: - Number and street: `subject:streetAddress` (OID: 2.5.4.9) - City or town: `subject:localityName` (OID: 2.5.4.7) - State or province (where applicable): `subject:stateOrProvinceName` (OID: 2.5.4.8) - Country: `subject:countryName` (OID: 2.5.4.6) - Postal code: `subject:postalCode` (OID: 2.5.4.17) -__Required/Optional__: As stated in Section 7.1.4.2.2 d, e, f, g and h of the Baseline Requirements. -__Contents__: This field MUST contain the address of the physical location of the Subject's Place of Business. + i. the Applicant has registered its use of the assumed name with the appropriate government agency for such filings in the jurisdiction of its Place of Business (as verified in accordance with these Guidelines), and + ii. that such filing continues to be valid. -### 9.2.7. Subject Organizational Unit Name Field +##### 3.2.2.3.2 Acceptable Method of Verification -__Certificate Field__: `subject:organizationalUnitName` (OID: 2.5.4.11) -__Required/Optional/Prohibited:__ __Prohibited__. +To verify any assumed name under which the Applicant conducts business: -### 9.2.8. Subject Organization Identifier Field +1. The CA MAY verify the assumed name through use of a Qualified Government Information Source operated by, or on behalf of, an appropriate government agency in the jurisdiction of the Applicant's Place of Business, or by direct contact with such government agency in person or via mail, e-mail, Web address, or telephone; or +2. The CA MAY verify the assumed name through use of a Qualified Independent Information Source provided that the QIIS has verified the assumed name with the appropriate government agency. +3. The CA MAY rely on a Verified Professional Letter that indicates the assumed name under which the Applicant conducts business, the government agency with which the assumed name is registered, and that such filing continues to be valid. -__Certificate Field__: `subject:organizationIdentifier` (OID: 2.5.4.97) -__Required/Optional__: Optional -__Contents__: If present, this field MUST contain a Registration Reference for a Legal Entity assigned in accordance to the identified Registration Scheme. +#### 3.2.2.4 Verification of Applicant's Physical Existence -The organizationIdentifier MUST be encoded as a PrintableString or UTF8String. +##### 3.2.2.4.1 Address of Applicant's Place of Business -The Registration Scheme MUST be identified using the using the following structure in the presented order: +1. **Verification Requirements**: To verify the Applicant's physical existence and business presence, the CA MUST verify that the physical address provided by the Applicant is an address where the Applicant or a Parent/Subsidiary Company conducts business operations (not, for example, a mail drop or P.O. box, or 'care of' (C/O) address, such as an address for an agent of the Organization), and is the address of the Applicant's Place of Business. -* 3 character Registration Scheme identifier; -* 2 character ISO 3166 country code for the nation in which the Registration Scheme is operated, or if the scheme is operated globally ISO 3166 code "XG" shall be used; -* For the NTR Registration Scheme identifier, if required under [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field), a 2 character ISO 3166-2 identifier for the subdivision (state or province) of the nation in which the Registration Scheme is operated, preceded by plus "+" (0x2B (ASCII), U+002B (UTF-8)); -* a hyphen-minus "-" (0x2D (ASCII), U+002D (UTF-8)); -* Registration Reference allocated in accordance with the identified Registration Scheme +2. **Acceptable Methods of Verification** -Note: Registration References MAY contain hyphens, but Registration Schemes, ISO 3166 country codes, and ISO 3166-2 identifiers do not. Therefore if more than one hyphen appears in the structure, the leftmost hyphen is a separator, and the remaining hyphens are part of the Registration Reference. -As in [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field), the specified location information MUST match the scope of the registration being referenced. + A. **Place of Business in the Country of Incorporation or Registration** -Examples: -* `NTRGB-12345678` (NTR scheme, Great Britain, Unique Identifier at Country level is 12345678) -* `NTRUS+CA-12345678` (NTR Scheme, United States - California, Unique identifier at State level is 12345678) -* `VATDE-123456789` (VAT Scheme, Germany, Unique Identifier at Country Level is 12345678) -* `PSDBE-NBB-1234.567.890` (PSD Scheme, Belgium, NCA's identifier is NBB, Subject Unique Identifier assigned by the NCA is 1234.567.890) + i. For Applicants whose Place of Business is in the same country as the Applicant's Jurisdiction of Incorporation or Registration and whose Place of Business is NOT the same as that indicated in the relevant Qualified Government Information Source used in [Section 3.2.2.2](#3222-verification-of-applicants-legal-existence-and-identity) to verify legal existence: -Registration Schemes listed in [Appendix H](#appendix-h--registration-schemes) are currently recognized as valid under these guidelines. + 1. For Applicants listed at the same Place of Business address in the current version of either at least one QGIS (other than that used to verify legal existence), QIIS or QTIS, the CA MUST confirm that the Applicant's address, as listed in the EV Certificate Request, is a valid business address for the Applicant or a Parent/Subsidiary Company by reference to such QGIS, QIIS, or QTIS, and MAY rely on the Applicant's representation that such address is its Place of Business; -The CA SHALL: + 2. For Applicants who are not listed at the same Place of Business address in the current version of either at least one QIIS or QTIS, the CA MUST confirm that the address provided by the Applicant in the EV Certificate Request is the Applicant's or a Parent/Subsidiary Company's business address, by obtaining documentation of a site visit to the business address, which MUST be performed by a reliable individual or firm. The documentation of the site visit MUST: -1. confirm that the organization represented by the Registration Reference is the same as the organization named in the `organizationName` field as specified in [Section 9.2.1](#921-subject-organization-name-field) within the context of the subject’s jurisdiction as specified in [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field); -2. further verify the Registration Reference matches other information verified in accordance with [Section 11](#11-verification-requirements); -3. take appropriate measures to disambiguate between different organizations as described in [Appendix H](#appendix-h--registration-schemes) for each Registration Scheme; -4. Apply the validation rules relevant to the Registration Scheme as specified in [Appendix H](#appendix-h--registration-schemes). + a. Verify that the Applicant's business is located at the exact address stated in the EV Certificate Request (e.g., via permanent signage, employee confirmation, etc.), + b. Identify the type of facility (e.g., office in a commercial building, private residence, storefront, etc.) and whether it appears to be a permanent business location, + c. Indicate whether there is a permanent sign (that cannot be moved) that identifies the Applicant, + d. Indicate whether there is evidence that the Applicant is conducting ongoing business activities at the site (not that it is just, for example, a mail drop, P.O. box, etc.), and + e. Include one or more photos of + i. the exterior of the site (showing signage indicating the Applicant's name, if present, and showing the street address if possible), and + ii. the interior reception area or workspace. -### 9.2.9. Other Subject Attributes + ii. For all Applicants, the CA MAY alternatively rely on a Verified Professional Letter that indicates the address of the Applicant's or a Parent/Subsidiary Company's Place of Business and that business operations are conducted there. + iii. For Government Entity Applicants, the CA MAY rely on the address contained in the records of the QGIS in the Applicant's jurisdiction. + iv. For Applicants whose Place of Business is in the same country as the Applicant's Jurisdiction of Incorporation or Registration and where the QGIS used in [Section 3.2.2.2](#3222-verification-of-applicants-legal-existence-and-identity) to verify legal existence contains a business address for the Applicant, the CA MAY rely on the address in the QGIS to confirm the Applicant's or a Parent/Subsidiary Company's address as listed in the EV Certificate Request, and MAY rely on the Applicant's representation that such address is its Place of Business. -CAs SHALL NOT include any Subject Distinguished Name attributes except as specified in [Section 9.2](#92-subject-distinguished-name-fields). + B. **Place of Business not in the Country of Incorporation or Registration**: The CA MUST rely on a Verified Professional Letter that indicates the address of the Applicant's Place of Business and that business operations are conducted there. -## 9.3. Certificate Policy Identification +#### 3.2.2.5 Verified Method of Communication -### 9.3.1. EV Certificate Policy Identification Requirements +##### 3.2.2.5.1 Verification Requirements -This section sets forth minimum requirements for the contents of EV Certificates as they relate to the identification of EV Certificate Policy. +To assist in communicating with the Applicant and confirming that the Applicant is aware of and approves issuance, the CA MUST verify a telephone number, fax number, email address, or postal delivery address as a Verified Method of Communication with the Applicant. -### 9.3.2. EV Subscriber Certificates +##### 3.2.2.5.2 Acceptable Methods of Verification -Each EV Certificate issued by the CA to a Subscriber MUST contain a policy identifier that is either defined by these Guidelines or the CA in the certificate's `certificatePolicies` extension that: +To verify a Verified Method of Communication with the Applicant, the CA MUST: -1. indicates which CA policy statement relates to that Certificate, -2. asserts the CA's adherence to and compliance with these Guidelines, and -3. is either the CA/Browser Forum’s EV policy identifier or a policy identifier that, by pre-agreement with the Application Software Supplier, marks the Certificate as being an EV Certificate. +A. Verify that the Verified Method of Communication belongs to the Applicant, or a Parent/Subsidiary or Affiliate of the Applicant, by matching it with one of the Applicant's Parent/Subsidiary or Affiliate's Places of Business in: -The following Certificate Policy identifier is the CA/Browser Forum’s EV policy identifier: -`{joint‐iso‐itu‐t(2) international‐organizations(23) ca‐browser‐forum(140) certificate‐policies(1) ev-guidelines (1) } (2.23.140.1.1)`, if the Certificate complies with these Guidelines. + i. records provided by the applicable phone company; + ii. a QGIS, QTIS, or QIIS; or + iii. a Verified Professional Letter; and -### 9.3.3. Root CA Certificates +B. Confirm the Verified Method of Communication by using it to obtain an affirmative response sufficient to enable a reasonable person to conclude that the Applicant, or a Parent/Subsidiary or Affiliate of Applicant, can be contacted reliably by using the Verified Method of Communication. -The Application Software Supplier identifies Root CAs that are approved to issue EV Certificates by storing EV policy identifiers in metadata associated with Root CA Certificates. +#### 3.2.2.6 Verification of Applicant's Operational Existence -### 9.3.4. EV Subordinate CA Certificates +##### 3.2.2.6.1 Verification Requirements -1. Certificates issued to Subordinate CAs that are not controlled by the issuing CA MUST contain one or more policy identifiers defined by the issuing CA that explicitly identify the EV Policies that are implemented by the Subordinate CA. -2. Certificates issued to Subordinate CAs that are controlled by the Root CA MAY contain the special `anyPolicy` identifier (OID: 2.5.29.32.0). +The CA MUST verify that the Applicant has the ability to engage in business by verifying the Applicant's, or Affiliate/Parent/Subsidiary Company's, operational existence. The CA MAY rely on its verification of a Government Entity's legal existence under [Section 3.2.2.2](#3222-verification-of-applicants-legal-existence-and-identity) as verification of a Government Entity's operational existence. -### 9.3.5. Subscriber Certificates +##### 3.2.2.6.2 Acceptable Methods of Verification -A Certificate issued to a Subscriber MUST contain one or more policy identifier(s), defined by the Issuing CA, in the Certificate's `certificatePolicies` extension that indicates adherence to and compliance with these Guidelines. Each CA SHALL document in its Certificate Policy or Certification Practice Statement that the Certificates it issues containing the specified policy identifier(s) are managed in accordance with these Guidelines. +To verify the Applicant's ability to engage in business, the CA MUST verify the operational existence of the Applicant, or its Affiliate/Parent/Subsidiary Company, by: -## 9.4. Maximum Validity Period For EV Certificate +1. Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company has been in existence for at least three years, as indicated by the records of an Incorporating Agency or Registration Agency; -The Validity Period for an EV Certificate SHALL NOT exceed 398 days. - -It is RECOMMENDED that EV Subscriber Certificates have a Maximum Validity Period of twelve months. - -## 9.5. Subscriber Public Key - -The requirements in Section 6.1.1.3 of the Baseline Requirements apply equally to EV Certificates. - -## 9.6. Certificate Serial Number - -The requirements in Section 7.1 of the Baseline Requirements apply equally to EV Certificates. - -## 9.7. Additional Technical Requirements for EV Certificates +2. Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company is listed in either a current QIIS or QTIS; -All provisions of the Baseline Requirements concerning Minimum Cryptographic Algorithms, Key Sizes, and Certificate Extensions apply to EV Certificates with the following exceptions: +3. Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company has an active current Demand Deposit Account with a Regulated Financial Institution by receiving authenticated documentation of the Applicant's, Affiliate's, Parent Company's, or Subsidiary Company's Demand Deposit Account directly from a Regulated Financial Institution; or -1. If a Subordinate CA Certificates is issued to a Subordinate CA not controlled by the entity that controls the Root CA, the policy identifiers in the `certificatePolicies` extension MUST include the CA's Extended Validation policy identifier. +4. Relying on a Verified Professional Letter to the effect that the Applicant has an active current Demand Deposit Account with a Regulated Financial Institution. - Otherwise, it MAY contain the anyPolicy identifier. +##### 3.2.2.7 Verification of Applicant's Domain Name -2. The following fields MUST be present if the Subordinate CA is not controlled by the entity that controls the Root CA. +##### 3.2.2.7.1 Verification Requirements - * `certificatePolicies:policyQualifiers:policyQualifierId` - - `id-qt 1` [RFC 5280] +1. For each Fully-Qualified Domain Name listed in a Certificate which is not an Onion Domain Name, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant (or the Applicant's Parent Company, Subsidiary Company, or Affiliate, collectively referred to as "Applicant" for the purposes of this section) either is the Domain Name Registrant or has control over the FQDN using a procedure specified in Section 3.2.2.4 of the Baseline Requirements. For a Certificate issued to an Onion Domain Name, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant's control over the Onion Domain Name in accordance with Appendix B of the Baseline Requirements. - * `certificatePolicies:policyQualifiers:qualifier:cPSuri` +2. **Mixed Character Set Domain Names**: EV Certificates MAY include Domain Names containing mixed character sets only in compliance with the rules set forth by the domain registrar. The CA MUST visually compare any Domain Names with mixed character sets with known high risk domains. If a similarity is found, then the EV Certificate Request MUST be flagged as High Risk. The CA must perform reasonably appropriate additional authentication and verification to be certain beyond reasonable doubt that the Applicant and the target in question are the same organization. - HTTP URL for the Root CA's Certification Practice Statement +#### 3.2.2.8 Verification of Name, Title, and Authority of Contract Signer and Certificate Approver -3. The `certificatePolicies` extension in EV Certificates issued to Subscribers MUST include the following: +##### 3.2.2.8.1 Verification Requirements - * `certificatePolicies:policyIdentifier` (Required) +For both the Contract Signer and the Certificate Approver, the CA MUST verify the following. - The Issuer's EV policy identifier +1. **Name, Title and Agency**: The CA MUST verify the name and title of the Contract Signer and the Certificate Approver, as applicable. The CA MUST also verify that the Contract Signer and the Certificate Approver are agents representing the Applicant. +2. **Signing Authority of Contract Signer**: The CA MUST verify that the Contract Signer is authorized by the Applicant to enter into the Subscriber Agreement (and any other relevant contractual obligations) on behalf of the Applicant, including a contract that designates one or more Certificate Approvers on behalf of the Applicant. +3. **EV Authority of Certificate Approver**: The CA MUST verify, through a source other than the Certificate Approver him- or herself, that the Certificate Approver is expressly authorized by the Applicant to do the following, as of the date of the EV Certificate Request: - * `certificatePolicies:policyQualifiers:policyQualifierId` (Required) + A. Submit, and, if applicable, authorize a Certificate Requester to submit, the EV Certificate Request on behalf of the Applicant; and + B. Provide, and, if applicable, authorize a Certificate Requester to provide, the information requested from the Applicant by the CA for issuance of the EV Certificate; and + C. Approve EV Certificate Requests submitted by a Certificate Requester. - `id-qt 1` [RFC 5280] +##### 3.2.2.8.2 Acceptable Methods of Verification – Name, Title and Agency - * `certificatePolicies:policyQualifiers:qualifier:cPSuri` (Required) +Acceptable methods of verification of the name, title, and agency status of the Contract Signer and the Certificate Approver include the following. - HTTP URL for the Subordinate CA's Certification Practice Statement +1. **Name and Title**: The CA MAY verify the name and title of the Contract Signer and the Certificate Approver by any appropriate method designed to provide reasonable assurance that a person claiming to act in such a role is in fact the named person designated to act in such role. -4. The `cRLDistributionPoints` extension MUST be present in Subscriber Certificates if the certificate does not specify OCSP responder locations in an `authorityInformationAccess` extension. +2. **Agency**: The CA MAY verify the agency of the Contract Signer and the Certificate Approver by: -## 9.8. Certificate Extensions + A. Contacting the Applicant using a Verified Method of Communication for the Applicant, and obtaining confirmation that the Contract Signer and/or the Certificate Approver, as applicable, is an employee; + B. Obtaining an Independent Confirmation From the Applicant (as described in [Section 3.2.2.11.4](#322114-independent-confirmation-from-applicant)), or a Verified Professional Letter verifying that the Contract Signer and/or the Certificate Approver, as applicable, is either an employee or has otherwise been appointed as an agent of the Applicant; or + C. Obtaining confirmation from a QIIS or QGIS that the Contract Signer and/or Certificate Approver is an employee of the Applicant. -The extensions listed in [Section 9.8](#98-certificate-extensions) are recommended for maximum interoperability between certificates and browsers / applications, but are not mandatory on the CAs except where indicated as “Required”. CAs may use other extensions that are not listed in [Section 9.8](#98-certificate-extensions), but are encouraged to add them to this section by ballot from time to time to help increase extension standardization across the industry. + The CA MAY also verify the agency of the Certificate Approver via a certification from the Contract Signer (including in a contract between the CA and the Applicant signed by the Contract Signer), provided that the employment or agency status and Signing Authority of the Contract Signer has been verified. -If a CA includes an extension in a certificate that has a Certificate field which is named in [Section 9.8](#98-certificate-extensions), the CA must follow the format specified in that subsection. However, no extension or extension format shall be mandatory on a CA unless specifically stated as “Required” in the subsection that describes the extension. +##### 3.2.2.8.3 Acceptable Methods of Verification – Authority -### 9.8.1. Subject Alternative Name Extension +Acceptable methods of verification of the Signing Authority of the Contract Signer, and the EV Authority of the Certificate Approver, as applicable, include: -__Certificate Field__: `subjectAltName:dNSName` -__Required/Optional__: __Required__ -__Contents__: This extension MUST contain one or more host Domain Name(s) owned or controlled by the Subject and to be associated with the Subject's server. Such server MAY be owned and operated by the Subject or another entity (e.g., a hosting service). This extension MUST NOT contain a Wildcard Domain Name unless the FQDN portion of the Wildcard Domain Name is an Onion Domain Name verified in accordance with Appendix B of the Baseline Requirements. +1. **Verified Professional Letter**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by reliance on a Verified Professional Letter; +2. **Corporate Resolution**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by reliance on a properly authenticated corporate resolution that confirms that the person has been granted such Signing Authority, provided that such resolution is -### 9.8.2. CA/Browser Forum Organization Identifier Extension + i. certified by the appropriate corporate officer (e.g., secretary), and + ii. the CA can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification; -__Extension Name__: `cabfOrganizationIdentifier` (OID: 2.23.140.3.1) -__Verbose OID__: `{joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) certificate-extensions(3) cabf-organization-identifier(1) }` -__Required/Optional__: __Optional (but see below)__ -__Contents__: If the subject:organizationIdentifier is present, this field MUST be present. +3. **Independent Confirmation from Applicant**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by obtaining an Independent Confirmation from the Applicant (as described in [Section 3.2.2.11.4](#322114-independent-confirmation-from-applicant)); +4. **Contract between CA and Applicant**: The EV Authority of the Certificate Approver MAY be verified by reliance on a contract between the CA and the Applicant that designates the Certificate Approver with such EV Authority, provided that the contract is signed by the Contract Signer and provided that the agency and Signing Authority of the Contract Signer have been verified; +5. **Prior Equivalent Authority**: The signing authority of the Contract Signer, and/or the EV authority of the Certificate Approver, MAY be verified by relying on a demonstration of Prior Equivalent Authority. -If present, this extension MUST contain a Registration Reference for a Legal Entity assigned in accordance to the identified Registration Scheme. + A. Prior Equivalent Authority of a Contract Signer MAY be relied upon for confirmation or verification of the signing authority of the Contract Signer when the Contract Signer has executed a binding contract between the CA and the Applicant with a legally valid and enforceable seal or handwritten signature and only when the contract was executed more than 90 days prior to the EV Certificate application. The CA MUST record sufficient details of the previous agreement to correctly identify it and associate it with the EV application. Such details MAY include any of the following: -The Registration Scheme MUST be encoded as described by the following ASN.1 grammar: + i. Agreement title, + ii. Date of Contract Signer's signature, + iii. Contract reference number, and + iv. Filing location. -```ASN.1 -id-CABFOrganizationIdentifier OBJECT IDENTIFIER ::= { - joint-iso-itu-t(2) international-organizations(23) - ca-browser-forum(140) certificate-extensions(3) - cabf-organizationIdentifier(1) -} + B. Prior Equivalent Authority of a Certificate Approver MAY be relied upon for confirmation or verification of the EV Authority of the Certificate Approver when the Certificate Approver has performed one or more of the following: -ext-CABFOrganizationIdentifier EXTENSION ::= { - SYNTAX CABFOrganizationIdentifier - IDENTIFIED BY id-CABFOrganizationIdentifier -} + i. Under contract to the CA, has served (or is serving) as an Enterprise RA for the Applicant, or + ii. Has participated in the approval of one or more certificate requests, for certificates issued by the CA and which are currently and verifiably in use by the Applicant. In this case the CA MUST have contacted the Certificate Approver by phone at a previously validated phone number or have accepted a signed and notarized letter approving the certificate request. -CABFOrganizationIdentifier ::= SEQUENCE { - registrationSchemeIdentifier PrintableString (SIZE(3)), - registrationCountry PrintableString (SIZE(2)), - registrationStateOrProvince [0] IMPLICIT PrintableString - (SIZE(0..128)) OPTIONAL, - registrationReference UTF8String -} -``` +6. **QIIS or QGIS**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by a QIIS or QGIS that identifies the Contract Signer and/or the Certificate Approver as a corporate officer, sole proprietor, or other senior official of the Applicant. -where the subfields have the same values, meanings, and restrictions described in [Section 9.2.8](#928-subject-organization-identifier-field). The CA SHALL validate the contents using the requirements in [Section 9.2.8](#928-subject-organization-identifier-field). +7. **Contract Signer's Representation/Warranty**: Provided that the CA verifies that the Contract Signer is an employee or agent of the Applicant, the CA MAY rely on the signing authority of the Contract Signer by obtaining a duly executed representation or warranty from the Contract Signer that includes the following acknowledgments: -# 10. EV Certificate Request Requirements + A. That the Applicant authorizes the Contract Signer to sign the Subscriber Agreement on the Applicant's behalf, + B. That the Subscriber Agreement is a legally valid and enforceable agreement, + C. That, upon execution of the Subscriber Agreement, the Applicant will be bound by all of its terms and conditions, + D. That serious consequences attach to the misuse of an EV certificate, and + E. The contract signer has the authority to obtain the digital equivalent of a corporate seal, stamp or officer's signature to establish the authenticity of the company's Web site. -## 10.1. General Requirements +Note: An example of an acceptable representation/warranty appears in [Appendix E](#appendix-e---sample-contract-signers-representationwarranty-informative). -### 10.1.1. Documentation Requirements +##### 3.2.2.8.4 Pre-Authorized Certificate Approver -The documentation requirements in Section 4.1.2 of the Baseline Requirements apply equally to EV Certificates. +Where the CA and Applicant contemplate the submission of multiple future EV Certificate Requests, then, after the CA: -### 10.1.2. Role Requirements +1. Has verified the name and title of the Contract Signer and that he/she is an employee or agent of the Applicant; and -The following Applicant roles are required for the issuance of an EV Certificate. +2. Has verified the Signing Authority of such Contract Signer in accordance with one of the procedures in [Section 3.2.2.8.3](#32283-acceptable-methods-of-verification--authority). -1. **Certificate Requester**: The EV Certificate Request MUST be submitted by an authorized Certificate Requester. A Certificate Requester is a natural person who is either the Applicant, employed by the Applicant, an authorized agent who has express authority to represent the Applicant, or a third party (such as an ISP or hosting company) that completes and submits an EV Certificate Request on behalf of the Applicant. +The CA and the Applicant MAY enter into a written agreement, signed by the Contract Signer on behalf of the Applicant, whereby, for a specified term, the Applicant expressly authorizes one or more Certificate Approver(s) designated in such agreement to exercise EV Authority with respect to each future EV Certificate Request submitted on behalf of the Applicant and properly authenticated as originating with, or otherwise being approved by, such Certificate Approver(s). -2. **Certificate Approver**: The EV Certificate Request MUST be approved by an authorized Certificate Approver. A Certificate Approver is a natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant to +Such an agreement MUST provide that the Applicant shall be obligated under the Subscriber Agreement for all EV Certificates issued at the request of, or approved by, such Certificate Approver(s) until such EV Authority is revoked, and MUST include mutually agreed-upon provisions for: - i. act as a Certificate Requester and to authorize other employees or third parties to act as a Certificate Requester, and - ii. to approve EV Certificate Requests submitted by other Certificate Requesters. + i. authenticating the Certificate Approver when EV Certificate Requests are approved, + ii. periodic re-confirmation of the EV Authority of the Certificate Approver, + iii. secure procedures by which the Applicant can notify the CA that the EV Authority of any such Certificate Approver is revoked, and + iv. such other appropriate precautions as are reasonably necessary. -3. **Contract Signer**: A Subscriber Agreement applicable to the requested EV Certificate MUST be signed by an authorized Contract Signer. A Contract Signer is a natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant, and who has authority on behalf of the Applicant to sign Subscriber Agreements. +#### 3.2.2.9 Verification of Signature on Subscriber Agreement and EV Certificate Requests -4. **Applicant Representative**: In the case where the CA and the Subscriber are affiliated, Terms of Use applicable to the requested EV Certificate MUST be acknowledged and agreed to by an authorized Applicant Representative. An Applicant Representative is a natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant, and who has authority on behalf of the Applicant to acknowledge and agree to the Terms of Use. +Both the Subscriber Agreement and each non-pre-authorized EV Certificate Request MUST be signed. The Subscriber Agreement MUST be signed by an authorized Contract Signer. The EV Certificate Request MUST be signed by the Certificate Requester submitting the document, unless the Certificate Request has been pre-authorized in line with [Section 3.2.2.8.4](#32284-pre-authorized-certificate-approver). If the Certificate Requester is not also an authorized Certificate Approver, then an authorized Certificate Approver MUST independently approve the EV Certificate Request. In all cases, applicable signatures MUST be a legally valid and contain an enforceable seal or handwritten signature (for a paper Subscriber Agreement and/or EV Certificate Request), or a legally valid and enforceable electronic signature (for an electronic Subscriber Agreement and/or EV Certificate Request), that binds the Applicant to the terms of each respective document. -The Applicant MAY authorize one individual to occupy two or more of these roles. The Applicant MAY authorize more than one individual to occupy any of these roles. +##### 3.2.2.9.1 Verification Requirements -## 10.2. EV Certificate Request Requirements +1. **Signature**: The CA MUST authenticate the signature of the Contract Signer on the Subscriber Agreement and the signature of the Certificate Requester on each EV Certificate Request in a manner that makes it reasonably certain that the person named as the signer in the applicable document is, in fact, the person who signed the document on behalf of the Applicant. -The Certificate Request requirements in Section 4.1.2 of the Baseline Requirements apply equally to EV Certificates subject to the additional more stringent ageing and updating requirement of [Section 11.14](#1114-requirements-for-re-use-of-existing-documentation). +2. **Approval Alternative**: In cases where an EV Certificate Request is signed and submitted by a Certificate Requester who does not also function as a Certificate Approver, approval and adoption of the EV Certificate Request by a Certificate Approver in accordance with the requirements of [Section 3.2.2.10](#32210-verification-of-approval-of-ev-certificate-request) can substitute for authentication of the signature of the Certificate Requester on such EV Certificate Request. -## 10.3. Requirements for Subscriber Agreement and Terms of Use +##### 3.2.2.9.2 Acceptable Methods of Signature Verification -Section 9.6.3 of the Baseline Requirements applies equally to EV Certificates. In cases where the Certificate Request does not contain all necessary information about the Applicant, the CA MUST additionally confirm the data with the Certificate Approver or Contract Signer rather than the Certificate Requester. +Acceptable methods of authenticating the signature of the Certificate Requester or Contract Signer include the following: -# 11. Verification Requirements +1. Contacting the Applicant using a Verified Method of Communication for the Applicant, for the attention of the Certificate Requester or Contract Signer, as applicable, followed by a response from someone who identifies themselves as such person confirming that he/she did sign the applicable document on behalf of the Applicant; -## 11.1. General Overview +2. A letter mailed to the Applicant's or Agent's address, as verified through independent means in accordance with these Guidelines, for the attention of the Certificate Requester or Contract Signer, as applicable, followed by a response through a Verified Method of Communication from someone who identifies themselves as such person confirming that he/she did sign the applicable document on behalf of the Applicant; -This part of the Guidelines sets forth Verification Requirements and Acceptable Methods of Verification for each such Requirement. +3. Use of a signature process that establishes the name and title of the signer in a secure manner, such as through use of an appropriately secure login process that identifies the signer before signing, or through use of a digital signature made with reference to an appropriately verified certificate; or -### 11.1.1. Verification Requirements – Overview +4. Notarization by a notary, provided that the CA independently verifies that such notary is a legally qualified notary in the jurisdiction of the Certificate Requester or Contract Signer. -Before issuing an EV Certificate, the CA MUST ensure that all Subject organization information to be included in the EV Certificate conforms to the requirements of, and is verified in accordance with, these Guidelines and matches the information confirmed and documented by the CA pursuant to its verification processes. Such verification processes are intended to accomplish the following: +#### 3.2.2.10 Verification of Approval of EV Certificate Request -1. Verify Applicant's existence and identity, including; +##### 3.2.2.10.1 Verification Requirements - A. Verify the Applicant's legal existence and identity (as more fully set forth in [Section 11.2](#112-verification-of-applicants-legal-existence-and-identity)), +In cases where an EV Certificate Request is submitted by a Certificate Requester, before the CA issues the requested EV Certificate, the CA MUST verify that an authorized Certificate Approver reviewed and approved the EV Certificate Request. - B. Verify the Applicant's physical existence (business presence at a physical address), and +##### 3.2.2.10.2 Acceptable Methods of Verification - C. Verify the Applicant's operational existence (business activity). +Acceptable methods of verifying the Certificate Approver's approval of an EV Certificate Request include: -2. Verify the Applicant is a registered holder, or has control, of the Domain Name(s) to be included in the EV Certificate; +1. Contacting the Certificate Approver using a Verified Method of Communication for the Applicant and obtaining oral or written confirmation that the Certificate Approver has reviewed and approved the EV Certificate Request; +2. Notifying the Certificate Approver that one or more new EV Certificate Requests are available for review and approval at a designated access-controlled and secure Web site, followed by a login by, and an indication of approval from, the Certificate Approver in the manner required by the Web site; or +3. Verifying the signature of the Certificate Approver on the EV Certificate Request in accordance with [Section 3.2.2.9](#3229-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests). -3. Verify a reliable means of communication with the entity to be named as the Subject in the Certificate; +#### 3.2.2.11 Verification of Certain Information Sources -4. Verify the Applicant's authorization for the EV Certificate, including; +##### 3.2.2.11.1 Verified Legal Opinion - A. Verify the name, title, and authority of the Contract Signer, Certificate Approver, and Certificate Requester, +1. **Verification Requirements**: Before relying on a legal opinion submitted to the CA, the CA MUST verify that such legal opinion meets the following requirements: - B. Verify that a Contract Signer signed the Subscriber Agreement or that a duly authorized Applicant Representative acknowledged and agreed to the Terms of Use; and + A. **Status of Author**: The CA MUST verify that the legal opinion is authored by an independent legal practitioner retained by and representing the Applicant (or an in-house legal practitioner employed by the Applicant) (Legal Practitioner) who is either: - C. Verify that a Certificate Approver has signed or otherwise approved the EV Certificate Request. + i. A lawyer (or solicitor, barrister, advocate, or equivalent) licensed to practice law in the country of the Applicant's Jurisdiction of Incorporation or Registration or any jurisdiction where the Applicant maintains an office or physical facility, or + ii. A Latin Notary who is currently commissioned or licensed to practice in the country of the Applicant's Jurisdiction of Incorporation or Registration or any jurisdiction where the Applicant maintains an office or physical facility (and that such jurisdiction recognizes the role of the Latin Notary); -### 11.1.2. Acceptable Methods of Verification – Overview + B. **Basis of Opinion**: The CA MUST verify that the Legal Practitioner is acting on behalf of the Applicant and that the conclusions of the Verified Legal Opinion are based on the Legal Practitioner's stated familiarity with the relevant facts and the exercise of the Legal Practitioner's professional judgment and expertise; + C. **Authenticity**: The CA MUST confirm the authenticity of the Verified Legal Opinion. -As a general rule, the CA is responsible for taking all verification steps reasonably necessary to satisfy each of the Verification Requirements set forth in the subsections below. The Acceptable Methods of Verification set forth in each of Sections 11.2 through 11.14 (which usually include alternatives) are considered to be the minimum acceptable level of verification required of the CA. In all cases, however, the CA is responsible for taking any additional verification steps that may be reasonably necessary under the circumstances to satisfy the applicable Verification Requirement. +2. **Acceptable Methods of Verification**: Acceptable methods of establishing the foregoing requirements for a Verified Legal Opinion are: -### 11.1.3. Disclosure of Verification Sources + A. **Status of Author**: The CA MUST verify the professional status of the author of the legal opinion by directly contacting the authority responsible for registering or licensing such Legal Practitioner(s) in the applicable jurisdiction; + B. **Basis of Opinion**: The text of the legal opinion MUST make it clear that the Legal Practitioner is acting on behalf of the Applicant and that the conclusions of the legal opinion are based on the Legal Practitioner's stated familiarity with the relevant facts and the exercise of the practitioner's professional judgment and expertise. The legal opinion MAY also include disclaimers and other limitations customary in the Legal Practitioner's jurisdiction, provided that the scope of the disclaimed responsibility is not so great as to eliminate any substantial risk (financial, professional, and/or reputational) to the Legal Practitioner, should the legal opinion prove to be erroneous. An acceptable form of legal opinion is attached as [Appendix B](#appendix-b---sample-attorney-opinions-confirming-specified-information); + C. **Authenticity**: To confirm the authenticity of the legal opinion, the CA MUST make a telephone call or send a copy of the legal opinion back to the Legal Practitioner at the address, phone number, facsimile, or (if available) e-mail address for the Legal Practitioner listed with the authority responsible for registering or licensing such Legal Practitioner, and obtain confirmation from the Legal Practitioner or the Legal Practitioner's assistant that the legal opinion is authentic. If a phone number is not available from the licensing authority, the CA MAY use the number listed for the Legal Practitioner in records provided by the applicable phone company, QGIS, or QIIS. -Effective as of 1 October 2020, prior to the use of an Incorporating Agency or Registration Agency to fulfill these verification requirements, the CA MUST publicly disclose Agency Information about the Incorporating Agency or Registration Agency. This disclosure SHALL be through an appropriate and readily accessible online means. + In circumstances where the opinion is digitally signed, in a manner that confirms the authenticity of the document and the identity of the signer, as verified by the CA in [Section 3.2.2.11.1](#322111-verified-legal-opinion) (2)(A), no further verification of authenticity is required. -This Agency Information SHALL include at least the following: +##### 3.2.2.11.2 Verified Accountant Letter -* Sufficient information to unambiguously identify the Incorporating Agency or Registration Agency (such as a name, jurisdiction, and website); and, -* The accepted value or values for each of the `subject:jurisdictionLocalityName` (OID: 1.3.6.1.4.1.311.60.2.1.1), `subject:jurisdictionStateOrProvinceName` (OID: 1.3.6.1.4.1.311.60.2.1.2), and `subject:jurisdictionCountryName` (OID: 1.3.6.1.4.1.311.60.2.1.3) fields, when a certificate is issued using information from that Incorporating Agency or Registration Agency, indicating the jurisdiction(s) that the Agency is appropriate for; and, -* The acceptable form or syntax of Registration Numbers used by the Incorporating Agency or Registration Agency, if the CA restricts such Numbers to an acceptable form or syntax; and, -* A revision history that includes a unique version number and date of publication for any additions, modifications, and/or removals from this list. +1. **Verification Requirements**: Before relying on an accountant letter submitted to the CA, the CA MUST verify that such accountant letter meets the following requirements: -The CA MUST document where to obtain this information within Section 3.2 of the CA's Certificate Policy and/or Certification Practice Statement. + A. **Status of Author**: The CA MUST verify that the accountant letter is authored by an Accounting Practitioner retained or employed by the Applicant and licensed within the country of the Applicant's Jurisdiction of Incorporation, Jurisdiction of Registration, or country where the Applicant maintains an office or physical facility. Verification of license MUST be through the member organization or regulatory organization in the Accounting Practitioner's country or jurisdiction that is appropriate to contact when verifying an accountant's license to practice in that country or jurisdiction. Such country or jurisdiction must have an accounting standards body that maintains full membership status with the International Federation of Accountants. + B. **Basis of Opinion**: The CA MUST verify that the Accounting Practitioner is acting on behalf of the Applicant and that the conclusions of the Verified Accountant Letter are based on the Accounting Practitioner's stated familiarity with the relevant facts and the exercise of the Accounting Practitioner's professional judgment and expertise; + C. **Authenticity**: The CA MUST confirm the authenticity of the Verified Accountant Letter. -## 11.2. Verification of Applicant's Legal Existence and Identity +2. **Acceptable Methods of Verification**: Acceptable methods of establishing the foregoing requirements for a Verified Accountant Letter are listed here. -### 11.2.1. Verification Requirements + A. **Status of Author**: The CA MUST verify the professional status of the author of the accountant letter by directly contacting the authority responsible for registering or licensing such Accounting Practitioners in the applicable jurisdiction. + B. **Basis of Opinion**: The text of the Verified Accountant Letter MUST make clear that the Accounting Practitioner is acting on behalf of the Applicant and that the information in the letter is based on the Accounting Practitioner's stated familiarity with the relevant facts and the exercise of the practitioner's professional judgment and expertise. The Verified Accountant Letter MAY also include disclaimers and other limitations customary in the Accounting Practitioner's jurisdiction, provided that the scope of the disclaimed responsibility is not so great as to eliminate any substantial risk (financial, professional, and/or reputational) to the Accounting Practitioner, should the Verified Accountant Letter prove to be erroneous. Acceptable forms of Verified Accountant Letter are attached as [Appendix C](#appendix-c---sample-accountant-letters-confirming-specified-information). + C. **Authenticity**: To confirm the authenticity of the accountant's opinion, the CA MUST make a telephone call or send a copy of the Verified Accountant Letter back to the Accounting Practitioner at the address, phone number, facsimile, or (if available) e-mail address for the Accounting Practitioner listed with the authority responsible for registering or licensing such Accounting Practitioners and obtain confirmation from the Accounting Practitioner or the Accounting Practitioner's assistant that the accountant letter is authentic. If a phone number is not available from the licensing authority, the CA MAY use the number listed for the Accountant in records provided by the applicable phone company, QGIS, or QIIS. -To verify the Applicant's legal existence and identity, the CA MUST do the following. + In circumstances where the opinion is digitally signed, in a manner that confirms the authenticity of the document and the identity of the signer, as verified by the CA in [Section 3.2.2.11.2](#322112-verified-accountant-letter) (2)(A), no further verification of authenticity is required. -1. **Private Organization Subjects** +##### 3.2.2.11.3 Face-to-Face Validation - A. **Legal Existence**: Verify that the Applicant is a legally recognized entity, in existence and validly formed (e.g., incorporated) with the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration, and not designated on the records of the Incorporating or Registration Agency by labels such as "inactive", "invalid", "not current", or the equivalent. - B. **Organization Name**: Verify that the Applicant's formal legal name as recorded with the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration matches the Applicant's name in the EV Certificate Request. - C. **Registration Number**: Obtain the specific Registration Number assigned to the Applicant by the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration. Where the Incorporating or Registration Agency does not assign a Registration Number, the CA SHALL obtain the Applicant's date of Incorporation or Registration. - D. **Registered Agent**: Obtain the identity and address of the Applicant's Registered Agent or Registered Office (as applicable in the Applicant's Jurisdiction of Incorporation or Registration). +1. **Verification Requirements**: Before relying on face-to-face vetting documents submitted to the CA, the CA MUST verify that the Third-Party Validator meets the following requirements: -2. **Government Entity Subjects** + A. **Qualification of Third-Party Validator**: The CA MUST independently verify that the Third-Party Validator is a legally-qualified Latin Notary or Notary (or legal equivalent in the Applicant's jurisdiction), Lawyer, or Accountant in the jurisdiction of the individual's residency; + B. **Document Chain of Custody**: The CA MUST verify that the Third-Party Validator viewed the Vetting Documents in a face-to-face meeting with the individual being validated; + C. **Verification of Attestation**: If the Third-Party Validator is not a Latin Notary, then the CA MUST confirm the authenticity of the attestation and vetting documents. - A. **Legal Existence**: Verify that the Applicant is a legally recognized Government Entity, in existence in the political subdivision in which such Government Entity operates. - B. **Entity Name**: Verify that the Applicant's formal legal name matches the Applicant's name in the EV Certificate Request. - C. **Registration Number**: The CA MUST attempt to obtain the Applicant's date of incorporation, registration, or formation, or the identifier for the legislative act that created the Government Entity. In circumstances where this information is not available, the CA MUST enter appropriate language to indicate that the Subject is a Government Entity. +2. **Acceptable Methods of Verification**: Acceptable methods of establishing the foregoing requirements for vetting documents are: -3. **Business Entity Subjects** + A. **Qualification of Third-Party Validator**: The CA MUST verify the professional status of the Third-Party Validator by directly contacting the authority responsible for registering or licensing such Third-Party Validators in the applicable jurisdiction; + B. **Document Chain of Custody**: The Third-Party Validator MUST submit a statement to the CA which attests that they obtained the Vetting Documents submitted to the CA for the individual during a face-to-face meeting with the individual; + C. **Verification of Attestation**: If the Third-Party Validator is not a Latin Notary, then the CA MUST confirm the authenticity of the vetting documents received from the Third-Party Validator. The CA MUST make a telephone call to the Third-Party Validator and obtain confirmation from them or their assistant that they performed the face-to-face validation. The CA MAY rely upon self-reported information obtained from the Third-Party Validator for the sole purpose of performing this verification process. In circumstances where the attestation is digitally signed, in a manner that confirms the authenticity of the documents, and the identity of the signer as verified by the CA in [Section 3.2.2.11.3](#322113-face-to-face-validation) (1)(A), no further verification of authenticity is required. - A. **Legal Existence**: Verify that the Applicant is engaged in business under the name submitted by the Applicant in the Application. - B. **Organization Name**: Verify that the Applicant's formal legal name as recognized by the Registration Agency in the Applicant's Jurisdiction of Registration matches the Applicant's name in the EV Certificate Request. - C. **Registration Number**: Attempt to obtain the specific unique Registration Number assigned to the Applicant by the Registration Agency in the Applicant's Jurisdiction of Registration. Where the Registration Agency does not assign a Registration Number, the CA SHALL obtain the Applicant's date of Registration. - D. **Principal Individual**: Verify the identity of the identified Principal Individual. +##### 3.2.2.11.4 Independent Confirmation From Applicant -4. **Non-Commercial Entity Subjects (International Organizations)** +An Independent Confirmation from the Applicant is a confirmation of a particular fact (e.g., confirmation of the employee or agency status of a Contract Signer or Certificate Approver, confirmation of the EV Authority of a Certificate Approver, etc.) that is: - A. **Legal Existence**: Verify that the Applicant is a legally recognized International Organization Entity. - B. **Entity Name**: Verify that the Applicant's formal legal name matches the Applicant's name in the EV Certificate Request. - C. **Registration Number**: The CA MUST attempt to obtain the Applicant's date of formation, or the identifier for the legislative act that created the International Organization Entity. In circumstances where this information is not available, the CA MUST enter appropriate language to indicate that the Subject is an International Organization Entity. +A. Received by the CA from a Confirming Person (someone other than the person who is the subject of the inquiry) that has the appropriate authority to confirm such a fact, and who represents that he/she has confirmed such fact; +B. Received by the CA in a manner that authenticates and verifies the source of the confirmation; and +C. Binding on the Applicant. -### 11.2.2. Acceptable Method of Verification +An Independent Confirmation from the Applicant MAY be obtained via the following procedure: -1. **Private Organization Subjects**: Unless verified under subsection (6), all items listed in [Section 11.2.1](#1121-verification-requirements) (1) MUST be verified directly with, or obtained directly from, the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration. Such verification MAY be through use of a Qualified Government Information Source operated by, or on behalf of, the Incorporating or Registration Agency, or by direct contact with the Incorporating or Registration Agency in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Incorporating or Registration Agency, or from a Qualified Independent Information Source. +1. **Confirmation Request**: The CA MUST initiate a Confirmation Request via an appropriate out-of-band communication, requesting verification or confirmation of the particular fact at issue as follows: -2. **Government Entity Subjects**: Unless verified under subsection (6), all items listed in [Section 11.2.1](#1121-verification-requirements) (2) MUST either be verified directly with, or obtained directly from, one of the following: - i. a Qualified Government Information Source in the political subdivision in which such Government Entity operates; - ii. a superior governing Government Entity in the same political subdivision as the Applicant (e.g. a Secretary of State may verify the legal existence of a specific State Department), or - iii. from a judge that is an active member of the federal, state or local judiciary within that political subdivision. + A. **Addressee**: The Confirmation Request MUST be directed to: - Any communication from a judge SHALL be verified in the same manner as is used for verifying factual assertions that are asserted by an Attorney as set forth in [Section 11.11.1](#11111-verified-legal-opinion). + i. A position within the Applicant's organization that qualifies as a Confirming Person (e.g., Secretary, President, CEO, CFO, COO, CIO, CSO, Director, etc.) and is identified by name and title in a current QGIS, QIIS, QTIS, Verified Legal Opinion, Verified Accountant Letter, or by contacting the Applicant using a Verified Method of Communication; or + ii. The Applicant's Registered Agent or Registered Office in the Jurisdiction of Incorporation as listed in the official records of the Incorporating Agency, with instructions that it be forwarded to an appropriate Confirming Person; or + iii. A named individual verified to be in the direct line of management above the Contract Signer or Certificate Approver by contacting the Applicant's Human Resources Department by phone or mail (at the phone number or address for the Applicant's Place of Business, verified in accordance with these Guidelines). - Such verification MAY be by direct contact with the appropriate Government Entity in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained from a Qualified Independent Information Source. + B. **Means of Communication**: The Confirmation Request MUST be directed to the Confirming Person in a manner reasonably likely to reach such person. The following options are acceptable: -3. **Business Entity Subjects**: Unless verified under subsection (6), Items listed in [Section 11.2.1](#1121-verification-requirements) (3) (A) through (C) above, MUST be verified directly with, or obtained directly from, the Registration Agency in the Applicant's Jurisdiction of Registration. Such verification MAY be performed by means of a Qualified Government Information Source, a Qualified Governmental Tax Information Source, or by direct contact with the Registration Agency in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Qualified Governmental Tax Information Source or Registration Agency, or from a Qualified Independent Information Source. In addition, the CA MUST validate a Principal Individual associated with the Business Entity pursuant to the requirements in subsection (4), below. + i. By paper mail addressed to the Confirming Person at: -4. **Principal Individual**: A Principal Individual associated with the Business Entity MUST be validated in a face-to-face setting. The CA MAY rely upon a face-to-face validation of the Principal Individual performed by the Registration Agency, provided that the CA has evaluated the validation procedure and concluded that it satisfies the requirements of the Guidelines for face-to-face validation procedures. Where no face-to-face validation was conducted by the Registration Agency, or the Registration Agency's face-to-face validation procedure does not satisfy the requirements of the Guidelines, the CA SHALL perform face-to-face validation. + 1. The address of the Applicant's Place of Business as verified by the CA in accordance with these Guidelines, or + 2. The business address for such Confirming Person specified in a current QGIS, QTIS, QIIS, Verified Professional Letter, or + 3. The address of the Applicant's Registered Agent or Registered Office listed in the official records of the Jurisdiction of Incorporation, or - A. **Face-To-Face Validation**: The face-to-face validation MUST be conducted before either an employee of the CA, a Latin Notary, a Notary (or equivalent in the Applicant's jurisdiction), a Lawyer, or Accountant (Third-Party Validator). The Principal Individual(s) MUST present the following documentation (Vetting Documents) directly to the Third-Party Validator: + ii. By e-mail addressed to the Confirming Person at the business e-mail address for such person listed in a current QGIS, QTIS, QIIS, Verified Legal Opinion, or Verified Accountant Letter; or + iii. By telephone call to the Confirming Person, where such person is contacted by calling the main phone number of the Applicant's Place of Business (verified in accordance with these Guidelines) and asking to speak to such person, and a person taking the call identifies him- or herself as such person; or + iv. By facsimile to the Confirming Person at the Place of Business. The facsimile number must be listed in a current QGIS, QTIS, QIIS, Verified Legal Opinion, or Verified Accountant Letter. The cover page must be clearly addressed to the Confirming Person. - i. A Personal Statement that includes the following information: +2. **Confirmation Response**: The CA MUST receive a response to the Confirmation Request from a Confirming Person that confirms the particular fact at issue. Such response MAY be provided to the CA by telephone, by e-mail, or by paper mail, so long as the CA can reliably verify that it was provided by a Confirming Person in response to the Confirmation Request. - 1. Full name or names by which a person is, or has been, known (including all other names used); - 2. Residential Address at which he/she can be located; - 3. Date of birth; and - 4. An affirmation that all of the information contained in the Certificate Request is true and correct. +3. The CA MAY rely on a verified Confirming Person to confirm their own contact information: email address, telephone number, and facsimile number. The CA MAY rely on this verified contact information for future correspondence with the Confirming Person if: - ii. A current signed government-issued identification document that includes a photo of the Individual and is signed by the Individual such as: + A. The domain of the e-mail address is owned by the Applicant and is the Confirming Person's own e-mail address and not a group e-mail alias; + B. The Confirming Person's telephone/fax number is verified by the CA to be a telephone number that is part of the organization's telephone system, and is not the personal phone number for the person. - 1. A passport; - 2. A driver's license; - 3. A personal identification card; - 4. A concealed weapons permit; or - 5. A military ID. +##### 3.2.2.11.5 Qualified Independent Information Source - iii. At least two secondary documentary evidences to establish his/her identity that include the name of the Individual, one of which MUST be from a financial institution. +A Qualified Independent Information Source (QIIS) is a regularly-updated and publicly available database that is generally recognized as a dependable source for certain information. A database qualifies as a QIIS if the CA determines that: - 1. Acceptable financial institution documents include: +1. Industries other than the certificate industry rely on the database for accurate location, contact, or other information; and - a. A major credit card, provided that it contains an expiration date and it has not expired' - b. A debit card from a regulated financial institution, provided that it contains an expiration date and it has not expired, - c. A mortgage statement from a recognizable lender that is less than six months old, - d. A bank statement from a regulated financial institution that is less than six months old. +2. The database provider updates its data on at least an annual basis. - 2. Acceptable non-financial documents include: +The CA SHALL use a documented process to check the accuracy of the database and ensure its data is acceptable, including reviewing the database provider's terms of use. The CA SHALL NOT use any data in a QIIS that the CA knows is - a. Recent original utility bills or certificates from a utility company confirming the arrangement to pay for the services at a fixed address (not a mobile/cellular telephone bill), - b. A copy of a statement for payment of a lease, provided that the statement is dated within the past six months, - c. A certified copy of a birth certificate, - d. A local authority tax bill for the current year, - e. A certified copy of a court order, such as a divorce certificate, annulment papers, or adoption papers. + i. self-reported and + ii. not verified by the QIIS as accurate. - The Third-Party Validator performing the face-to-face validation MUST: +Databases in which the CA or its owners or affiliated companies maintain a controlling interest, or in which any Registration Authorities or subcontractors to whom the CA has outsourced any portion of the vetting process (or their owners or affiliated companies) maintain any ownership or beneficial interest, do not qualify as a QIIS. - i. Attest to the signing of the Personal Statement and the identity of the signer; and - ii. Identify the original Vetting Documents used to perform the identification. In addition, the Third-Party Validator MUST attest on a copy of the current signed government-issued photo identification document that it is a full, true, and accurate reproduction of the original. +##### 3.2.2.11.6 Qualified Government Information Source - B. **Verification of Third-Party Validator**: The CA MUST independently verify that the Third-Party Validator is a legally-qualified Latin Notary or Notary (or legal equivalent in the Applicant's jurisdiction), lawyer, or accountant in the jurisdiction of the Individual's residency, and that the Third-Party Validator actually did perform the services and did attest to the signature of the Individual. +A Qualified Government Information Source (QGIS) is a regularly-updated and current, publicly available, database designed for the purpose of accurately providing the information for which it is consulted, and which is generally recognized as a dependable source of such information provided that it is maintained by a Government Entity, the reporting of data is required by law, and false or misleading reporting is punishable with criminal or civil penalties. Nothing in these Guidelines shall prohibit the use of third-party vendors to obtain the information from the Government Entity provided that the third party obtains the information directly from the Government Entity. - C. **Cross-checking of Information**: The CA MUST obtain the signed and attested Personal Statement together with the attested copy of the current signed government-issued photo identification document. The CA MUST review the documentation to determine that the information is consistent, matches the information in the application, and identifies the Individual. The CA MAY rely on electronic copies of this documentation, provided that: +##### 3.2.2.11.7 Qualified Government Tax Information Source - i. the CA confirms their authenticity (not improperly modified when compared with the underlying original) with the Third-Party Validator; and - ii. electronic copies of similar kinds of documents are recognized as legal substitutes for originals under the laws of the CA's jurisdiction. +A Qualified Government Tax Information Source is a Qualified Government Information Source that specifically contains tax information relating to Private Organizations, Business Entities or Individuals (e.g., the IRS in the United States). -5. **Non-Commercial Entity Subjects (International Organization)**: Unless verified under subsection (6), all items listed in [Section 11.2.1](#1121-verification-requirements) (4) MUST be verified either: +#### 3.2.2.12 Other Verification Requirements - A. With reference to the constituent document under which the International Organization was formed; or - B. Directly with a signatory country's government in which the CA is permitted to do business. Such verification may be obtained from an appropriate government agency or from the laws of that country, or by verifying that the country's government has a mission to represent it at the International Organization; or - C. Directly against any current list of qualified entities that the CA/Browser Forum may maintain at www.cabforum.org. - D. In cases where the International Organization applying for the EV Certificate is an organ or agency - including a non-governmental organization of a verified International Organization, then the CA may verify the International Organization Applicant directly with the verified umbrella International Organization of which the Applicant is an organ or agency. +##### 3.2.2.12.1 High Risk Status -6. The CA may rely on a Verified Professional Letter to establish the Applicant's information listed in (1)-(5) above if: +The High Risk Certificate requirements of Section 4.2.1 of the Baseline Requirements apply equally to EV Certificates. - i. the Verified Professional Letter includes a copy of supporting documentation used to establish the Applicant's legal existence, such as a certificate of registration, articles of incorporation, operating agreement, statute, or regulatory act, and - ii. the CA confirms the Applicant's organization name specified in the Verified Professional Letter with a QIIS or QGIS. +##### 3.2.2.12.2 Denied Lists and Other Legal Block Lists -## 11.3. Verification of Applicant's Legal Existence and Identity – Assumed Name +1. **Verification Requirements**: The CA MUST verify whether the Applicant, the Contract Signer, the Certificate Approver, the Applicant's Jurisdiction of Incorporation, Registration, or Place of Business: -### 11.3.1. Verification Requirements + A. Is identified on any government denied list, list of prohibited persons, or other list that prohibits doing business with such organization or person under the laws of the country of the CA's jurisdiction(s) of operation; or + B. Has its Jurisdiction of Incorporation, Registration, or Place of Business in any country with which the laws of the CA's jurisdiction prohibit doing business. -If, in addition to the Applicant's formal legal name, as recorded with the applicable Incorporating Agency or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration, the Applicant's identity, as asserted in the EV Certificate, is to contain any assumed name (also known as "doing business as", "DBA", or "d/b/a" in the US, and "trading as" in the UK) under which the Applicant conducts business, the CA MUST verify that: + The CA MUST NOT issue any EV Certificate to the Applicant if either the Applicant, the Contract Signer, or Certificate Approver or if the Applicant's Jurisdiction of Incorporation or Registration or Place of Business is on any such list. - i. the Applicant has registered its use of the assumed name with the appropriate government agency for such filings in the jurisdiction of its Place of Business (as verified in accordance with these Guidelines), and - ii. that such filing continues to be valid. +2. **Acceptable Methods of Verification** The CA MUST take reasonable steps to verify with the following lists and regulations: -### 11.3.2. Acceptable Method of Verification + A. If the CA has operations in the U.S., the CA MUST take reasonable steps to verify with the following US Government denied lists and regulations: -To verify any assumed name under which the Applicant conducts business: + i. BIS Denied Persons List - [https://www.bis.doc.gov/index.php/the-denied-persons-list](https://www.bis.doc.gov/index.php/the-denied-persons-list) + ii. BIS Denied Entities List - [https://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern/entity-list](https://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern/entity-list) + iii. US Treasury Department List of Specially Designated Nationals and Blocked Persons - [https://www.treasury.gov/resource-center/sanctions/sdn-list/pages/default.aspx](https://www.treasury.gov/resource-center/sanctions/sdn-list/pages/default.aspx) + iv. US Government export regulations -1. The CA MAY verify the assumed name through use of a Qualified Government Information Source operated by, or on behalf of, an appropriate government agency in the jurisdiction of the Applicant's Place of Business, or by direct contact with such government agency in person or via mail, e-mail, Web address, or telephone; or -2. The CA MAY verify the assumed name through use of a Qualified Independent Information Source provided that the QIIS has verified the assumed name with the appropriate government agency. -3. The CA MAY rely on a Verified Professional Letter that indicates the assumed name under which the Applicant conducts business, the government agency with which the assumed name is registered, and that such filing continues to be valid. + B. If the CA has operations in any other country, the CA MUST take reasonable steps to verify with all equivalent denied lists and export regulations (if any) in such other country. -## 11.4. Verification of Applicant's Physical Existence +##### 3.2.2.12.3 Parent/Subsidiary/Affiliate Relationship -### 11.4.1. Address of Applicant's Place of Business +A CA verifying an Applicant using information of the Applicant's Parent, Subsidiary, or Affiliate, when allowed under [Section 3.2.2.4.1](#32241-address-of-applicants-place-of-business), [Section 3.2.2.5](#3225-verified-method-of-communication), [Section 3.2.2.6.1](#32261-verification-requirements), or [Section 3.2.2.7.1](#32271-verification-requirements), MUST verify the Applicant's relationship to the Parent, Subsidiary, or Affiliate. Acceptable methods of verifying the Applicant's relationship to the Parent, Subsidiary, or Affiliate include the following: -1. **Verification Requirements**: To verify the Applicant's physical existence and business presence, the CA MUST verify that the physical address provided by the Applicant is an address where the Applicant or a Parent/Subsidiary Company conducts business operations (not, for example, a mail drop or P.O. box, or 'care of' (C/O) address, such as an address for an agent of the Organization), and is the address of the Applicant's Place of Business. +1. QIIS or QGIS: The relationship between the Applicant and the Parent, Subsidiary, or Affiliate is identified in a QIIS or QGIS; +2. Independent Confirmation from the Parent, Subsidiary, or Affiliate: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by obtaining an Independent Confirmation from the appropriate Parent, Subsidiary, or Affiliate (as described in [Section 3.2.2.11.4](#322114-independent-confirmation-from-applicant)); +3. Contract between CA and Parent, Subsidiary, or Affiliate: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by relying on a contract between the CA and the Parent, Subsidiary, or Affiliate that designates the Certificate Approver with such EV Authority, provided that the contract is signed by the Contract Signer and provided that the agency and Signing Authority of the Contract Signer have been verified; +4. Verified Professional Letter: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by relying on a Verified Professional Letter; or +5. Corporate Resolution: A CA MAY verify the relationship between an Applicant and a Subsidiary by relying on a properly authenticated corporate resolution that approves creation of the Subsidiary or the Applicant, provided that such resolution is: -2. **Acceptable Methods of Verification** + i. certified by the appropriate corporate officer (e.g., secretary), and + ii. the CA can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification. - A. **Place of Business in the Country of Incorporation or Registration** +#### 3.2.2.13 Final Cross-Correlation and Due Diligence - i. For Applicants whose Place of Business is in the same country as the Applicant's Jurisdiction of Incorporation or Registration and whose Place of Business is NOT the same as that indicated in the relevant Qualified Government Information Source used in [Section 11.2](#112-verification-of-applicants-legal-existence-and-identity) to verify legal existence: +1. The results of the verification processes and procedures outlined in these Guidelines are intended to be viewed both individually and as a group. Thus, after all of the verification processes and procedures are completed, the CA MUST have a person who is not responsible for the collection of information review all of the information and documentation assembled in support of the EV Certificate application and look for discrepancies or other details requiring further explanation. +2. The CA MUST obtain and document further explanation or clarification from the Applicant, Certificate Approver, Certificate Requester, Qualified Independent Information Sources, and/or other sources of information, as necessary, to resolve those discrepancies or details that require further explanation. +3. The CA MUST refrain from issuing an EV Certificate until the entire corpus of information and documentation assembled in support of the EV Certificate Request is such that issuance of the EV Certificate will not communicate factual information that the CA knows, or the exercise of due diligence should discover from the assembled information and documentation, to be inaccurate,. If satisfactory explanation and/or additional documentation are not received within a reasonable time, the CA MUST decline the EV Certificate Request and SHOULD notify the Applicant accordingly. +4. In the case where some or all of the documentation used to support the application is in a language other than the CA's normal operating language, the CA or its Affiliate MUST perform the requirements of this Final Cross-Correlation and Due Diligence section using employees under its control and having appropriate training, experience, and judgment in confirming organizational identification and authorization and fulfilling all qualification requirements contained in [Section 5.3.2](#532-background-check-procedures). When employees under the control of the CA do not possess the language skills necessary to perform the Final Cross-Correlation and Due Diligence a CA MAY: - 1. For Applicants listed at the same Place of Business address in the current version of either at least one QGIS (other than that used to verify legal existence), QIIS or QTIS, the CA MUST confirm that the Applicant's address, as listed in the EV Certificate Request, is a valid business address for the Applicant or a Parent/Subsidiary Company by reference to such QGIS, QIIS, or QTIS, and MAY rely on the Applicant's representation that such address is its Place of Business; + A. Rely on language translations of the relevant portions of the documentation, provided that the translations are received from a Translator; or + B. When the CA has utilized the services of an RA, the CA MAY rely on the language skills of the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with [Section 3.2.2.13](#32213-final-cross-correlation-and-due-diligence), Subsections (1), (2) and (3). Notwithstanding the foregoing, prior to issuing the EV Certificate, the CA MUST review the work completed by the RA and determine that all requirements have been met; or + C. When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 8.1.1](#811-self-audits) and [Section 8.2](#82-identityqualifications-of-assessor). - 2. For Applicants who are not listed at the same Place of Business address in the current version of either at least one QIIS or QTIS, the CA MUST confirm that the address provided by the Applicant in the EV Certificate Request is the Applicant's or a Parent/Subsidiary Company's business address, by obtaining documentation of a site visit to the business address, which MUST be performed by a reliable individual or firm. The documentation of the site visit MUST: +In the case of EV Certificates to be issued in compliance with the requirements of [Section 1.3.2](#132-registration-authorities), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. - a. Verify that the Applicant's business is located at the exact address stated in the EV Certificate Request (e.g., via permanent signage, employee confirmation, etc.), - b. Identify the type of facility (e.g., office in a commercial building, private residence, storefront, etc.) and whether it appears to be a permanent business location, - c. Indicate whether there is a permanent sign (that cannot be moved) that identifies the Applicant, - d. Indicate whether there is evidence that the Applicant is conducting ongoing business activities at the site (not that it is just, for example, a mail drop, P.O. box, etc.), and - e. Include one or more photos of - i. the exterior of the site (showing signage indicating the Applicant's name, if present, and showing the street address if possible), and - ii. the interior reception area or workspace. +#### 3.2.2.14 Requirements for Re-use of Existing Documentation - ii. For all Applicants, the CA MAY alternatively rely on a Verified Professional Letter that indicates the address of the Applicant's or a Parent/Subsidiary Company's Place of Business and that business operations are conducted there. - iii. For Government Entity Applicants, the CA MAY rely on the address contained in the records of the QGIS in the Applicant's jurisdiction. - iv. For Applicants whose Place of Business is in the same country as the Applicant's Jurisdiction of Incorporation or Registration and where the QGIS used in [Section 11.2](#112-verification-of-applicants-legal-existence-and-identity) to verify legal existence contains a business address for the Applicant, the CA MAY rely on the address in the QGIS to confirm the Applicant's or a Parent/Subsidiary Company's address as listed in the EV Certificate Request, and MAY rely on the Applicant's representation that such address is its Place of Business. +For each EV Certificate Request, including requests to renew existing EV Certificates, the CA MUST perform all authentication and verification tasks required by these Guidelines to ensure that the request is properly authorized by the Applicant and that the information in the EV Certificate is still accurate and valid. This section sets forth the age limitations on for the use of documentation collected by the CA. - B. **Place of Business not in the Country of Incorporation or Registration**: The CA MUST rely on a Verified Professional Letter that indicates the address of the Applicant's Place of Business and that business operations are conducted there. +##### 3.2.2.14.1 Validation For Existing Subscribers -## 11.5. Verified Method of Communication +If an Applicant has a currently valid EV Certificate issued by the CA, a CA MAY rely on its prior authentication and verification of: -### 11.5.1. Verification Requirements +1. The Principal Individual verified under [Section 3.2.2.2.2](#32222-acceptable-method-of-verification) (4) if the individual is the same person as verified by the CA in connection with the Applicant's previously issued and currently valid EV Certificate; +2. The Applicant's Place of Business under [Section 3.2.2.4.1](#32241-address-of-applicants-place-of-business); +3. The Applicant's Verified Method of Communication required by [Section 3.2.2.5](#3225-verified-method-of-communication) but still MUST perform the verification required by [Section 3.2.2.5.2](#32252-acceptable-methods-of-verification) (B); +4. The Applicant's Operational Existence under [Section 3.2.2.6](#3226-verification-of-applicants-operational-existence); +5. The Name, Title, Agency and Authority of the Contract Signer, and Certificate Approver, under [Section 3.2.2.8](#3228-verification-of-name-title-and-authority-of-contract-signer-and-certificate-approver); and +6. The Applicant's right to use the specified Domain Name under [Section 3.2.2.7](#3227-verification-of-applicants-domain-name), provided that the CA verifies that the WHOIS record still shows the same registrant as when the CA verified the specified Domain Name for the initial EV Certificate. -To assist in communicating with the Applicant and confirming that the Applicant is aware of and approves issuance, the CA MUST verify a telephone number, fax number, email address, or postal delivery address as a Verified Method of Communication with the Applicant. +##### 3.2.2.14.2 Re-issuance Requests -### 11.5.2. Acceptable Methods of Verification +A CA may rely on a previously verified certificate request to issue a replacement certificate, so long as the certificate being referenced was not revoked due to fraud or other illegal conduct, if: -To verify a Verified Method of Communication with the Applicant, the CA MUST: +1. The expiration date of the replacement certificate is the same as the expiration date of the EV Certificate that is being replaced, and +2. The Subject Information of the Certificate is the same as the Subject in the EV Certificate that is being replaced. -A. Verify that the Verified Method of Communication belongs to the Applicant, or a Parent/Subsidiary or Affiliate of the Applicant, by matching it with one of the Applicant's Parent/Subsidiary or Affiliate's Places of Business in: +##### 3.2.2.14.3 Age of Validated Data - i. records provided by the applicable phone company; - ii. a QGIS, QTIS, or QIIS; or - iii. a Verified Professional Letter; and +1. Except for reissuance of an EV Certificate under [Section 3.2.2.14.2](#322142-re-issuance-requests) and except when permitted otherwise in [Section 3.2.2.14.1](#322141-validation-for-existing-subscribers), the age of all data used to support issuance of an EV Certificate (before revalidation is required) SHALL NOT exceed the following limits: -B. Confirm the Verified Method of Communication by using it to obtain an affirmative response sufficient to enable a reasonable person to conclude that the Applicant, or a Parent/Subsidiary or Affiliate of Applicant, can be contacted reliably by using the Verified Method of Communication. + A. Legal existence and identity – 398 days; + B. Assumed name – 398 days; + C. Address of Place of Business – 398 days; + D. Verified Method of Communication – 398 days; + E. Operational existence – 398 days; + F. Domain Name – 398 days; + G. Name, Title, Agency, and Authority – 398 days, unless a contract between the CA and the Applicant specifies a different term, in which case, the term specified in such contract controls. For example, the contract MAY include the perpetual assignment of EV roles until revoked by the Applicant or CA, or until the contract expires or is terminated. -## 11.6. Verification of Applicant's Operational Existence +2. The 398-day period set forth above SHALL begin to run on the date the information was collected by the CA. +3. The CA MAY reuse a previously submitted EV Certificate Request, Subscriber Agreement, or Terms of Use, including use of a single EV Certificate Request in support of multiple EV Certificates containing the same Subject to the extent permitted under [Section 3.2.2.9](#3229-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests) and [Section 3.2.2.10](#32210-verification-of-approval-of-ev-certificate-request). +4. The CA MUST repeat the verification process required in these Guidelines for any information obtained outside the time limits specified above except when permitted otherwise under [Section 3.2.2.14.1](#322141-validation-for-existing-subscribers). -### 11.6.1. Verification Requirements +### 3.2.3 Authentication of individual identity +### 3.2.4 Non-verified subscriber information +### 3.2.5 Validation of authority +### 3.2.6 Criteria for interoperation -The CA MUST verify that the Applicant has the ability to engage in business by verifying the Applicant's, or Affiliate/Parent/Subsidiary Company's, operational existence. The CA MAY rely on its verification of a Government Entity's legal existence under [Section 11.2](#112-verification-of-applicants-legal-existence-and-identity) as verification of a Government Entity's operational existence. +## 3.3 Identification and authentication for re-key requests +### 3.3.1 Identification and authentication for routine re-key +### 3.3.2 Identification and authentication for re-key after revocation -### 11.6.2. Acceptable Methods of Verification +## 3.4 Identification and authentication for revocation request -To verify the Applicant's ability to engage in business, the CA MUST verify the operational existence of the Applicant, or its Affiliate/Parent/Subsidiary Company, by: +# 4. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS -1. Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company has been in existence for at least three years, as indicated by the records of an Incorporating Agency or Registration Agency; +## 4.1 Certificate Application -2. Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company is listed in either a current QIIS or QTIS; +### 4.1.1 Who can submit a certificate application +The CA MAY only issue EV Certificates to Applicants that meet the Private Organization, Government Entity, Business Entity and Non-Commercial Entity requirements specified below. -3. Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company has an active current Demand Deposit Account with a Regulated Financial Institution by receiving authenticated documentation of the Applicant's, Affiliate's, Parent Company's, or Subsidiary Company's Demand Deposit Account directly from a Regulated Financial Institution; or +#### 4.1.1.1 Private Organization Subjects -4. Relying on a Verified Professional Letter to the effect that the Applicant has an active current Demand Deposit Account with a Regulated Financial Institution. +An Applicant qualifies as a Private Organization if: -## 11.7. Verification of Applicant's Domain Name +1. The entity's legal existence is created or recognized by a by a filing with (or an act of) the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration (e.g., by issuance of a certificate of incorporation, registration number, etc.) or created or recognized by a Government Agency (e.g. under a charter, treaty, convention, or equivalent recognition instrument); -### 11.7.1. Verification Requirements +2. The entity designated with the Incorporating or Registration Agency a Registered Agent, a Registered Office (as required under the laws of the Jurisdiction of Incorporation or Registration), or an equivalent facility; -1. For each Fully-Qualified Domain Name listed in a Certificate which is not an Onion Domain Name, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant (or the Applicant's Parent Company, Subsidiary Company, or Affiliate, collectively referred to as "Applicant" for the purposes of this section) either is the Domain Name Registrant or has control over the FQDN using a procedure specified in Section 3.2.2.4 of the Baseline Requirements. For a Certificate issued to an Onion Domain Name, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant's control over the Onion Domain Name in accordance with Appendix B of the Baseline Requirements. +3. The entity is not designated on the records of the Incorporating or Registration Agency by labels such as "inactive," "invalid," "not current," or the equivalent; -2. **Mixed Character Set Domain Names**: EV Certificates MAY include Domain Names containing mixed character sets only in compliance with the rules set forth by the domain registrar. The CA MUST visually compare any Domain Names with mixed character sets with known high risk domains. If a similarity is found, then the EV Certificate Request MUST be flagged as High Risk. The CA must perform reasonably appropriate additional authentication and verification to be certain beyond reasonable doubt that the Applicant and the target in question are the same organization. +4. The entity has a verifiable physical existence and business presence; -## 11.8. Verification of Name, Title, and Authority of Contract Signer and Certificate Approver +5. The entity's Jurisdiction of Incorporation, Registration, Charter, or License, and/or its Place of Business is not in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and -### 11.8.1. Verification Requirements +6. The entity is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. -For both the Contract Signer and the Certificate Approver, the CA MUST verify the following. +#### 4.1.1.2 Government Entity Subjects -1. **Name, Title and Agency**: The CA MUST verify the name and title of the Contract Signer and the Certificate Approver, as applicable. The CA MUST also verify that the Contract Signer and the Certificate Approver are agents representing the Applicant. -2. **Signing Authority of Contract Signer**: The CA MUST verify that the Contract Signer is authorized by the Applicant to enter into the Subscriber Agreement (and any other relevant contractual obligations) on behalf of the Applicant, including a contract that designates one or more Certificate Approvers on behalf of the Applicant. -3. **EV Authority of Certificate Approver**: The CA MUST verify, through a source other than the Certificate Approver him- or herself, that the Certificate Approver is expressly authorized by the Applicant to do the following, as of the date of the EV Certificate Request: +An Applicant qualifies as a Government Entity if: - A. Submit, and, if applicable, authorize a Certificate Requester to submit, the EV Certificate Request on behalf of the Applicant; and - B. Provide, and, if applicable, authorize a Certificate Requester to provide, the information requested from the Applicant by the CA for issuance of the EV Certificate; and - C. Approve EV Certificate Requests submitted by a Certificate Requester. +1. The entity's legal existence was established by the political subdivision in which the entity operates; -### 11.8.2. Acceptable Methods of Verification – Name, Title and Agency +2. The entity is not in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and -Acceptable methods of verification of the name, title, and agency status of the Contract Signer and the Certificate Approver include the following. +3. The entity is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. -1. **Name and Title**: The CA MAY verify the name and title of the Contract Signer and the Certificate Approver by any appropriate method designed to provide reasonable assurance that a person claiming to act in such a role is in fact the named person designated to act in such role. +#### 4.1.1.3 Business Entity Subjects -2. **Agency**: The CA MAY verify the agency of the Contract Signer and the Certificate Approver by: +An Applicant qualifies as a Business Entity if: - A. Contacting the Applicant using a Verified Method of Communication for the Applicant, and obtaining confirmation that the Contract Signer and/or the Certificate Approver, as applicable, is an employee; - B. Obtaining an Independent Confirmation From the Applicant (as described in [Section 11.11.4](#11114-independent-confirmation-from-applicant)), or a Verified Professional Letter verifying that the Contract Signer and/or the Certificate Approver, as applicable, is either an employee or has otherwise been appointed as an agent of the Applicant; or - C. Obtaining confirmation from a QIIS or QGIS that the Contract Signer and/or Certificate Approver is an employee of the Applicant. +1. The entity is a legally recognized entity that filed certain forms with a Registration Agency in its jurisdiction, the Registration Agency issued or approved the entity's charter, certificate, or license, and the entity's existence can be verified with that Registration Agency; - The CA MAY also verify the agency of the Certificate Approver via a certification from the Contract Signer (including in a contract between the CA and the Applicant signed by the Contract Signer), provided that the employment or agency status and Signing Authority of the Contract Signer has been verified. +2. The entity has a verifiable physical existence and business presence; -### 11.8.3. Acceptable Methods of Verification – Authority +3. At least one Principal Individual associated with the entity is identified and validated by the CA; -Acceptable methods of verification of the Signing Authority of the Contract Signer, and the EV Authority of the Certificate Approver, as applicable, include: +4. The identified Principal Individual attests to the representations made in the Subscriber Agreement; -1. **Verified Professional Letter**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by reliance on a Verified Professional Letter; -2. **Corporate Resolution**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by reliance on a properly authenticated corporate resolution that confirms that the person has been granted such Signing Authority, provided that such resolution is +5. The CA verifies the entity's use of any assumed name used to represent the entity pursuant to the requirements of [Section 3.2.2.3](#3223-verification-of-applicants-legal-existence-and-identity--assumed-name); - i. certified by the appropriate corporate officer (e.g., secretary), and - ii. the CA can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification; +6. The entity and the identified Principal Individual associated with the entity are not located or residing in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and -3. **Independent Confirmation from Applicant**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by obtaining an Independent Confirmation from the Applicant (as described in [Section 11.11.4](#11114-independent-confirmation-from-applicant)); -4. **Contract between CA and Applicant**: The EV Authority of the Certificate Approver MAY be verified by reliance on a contract between the CA and the Applicant that designates the Certificate Approver with such EV Authority, provided that the contract is signed by the Contract Signer and provided that the agency and Signing Authority of the Contract Signer have been verified; -5. **Prior Equivalent Authority**: The signing authority of the Contract Signer, and/or the EV authority of the Certificate Approver, MAY be verified by relying on a demonstration of Prior Equivalent Authority. +7. The entity and the identified Principal Individual associated with the entity are not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. - A. Prior Equivalent Authority of a Contract Signer MAY be relied upon for confirmation or verification of the signing authority of the Contract Signer when the Contract Signer has executed a binding contract between the CA and the Applicant with a legally valid and enforceable seal or handwritten signature and only when the contract was executed more than 90 days prior to the EV Certificate application. The CA MUST record sufficient details of the previous agreement to correctly identify it and associate it with the EV application. Such details MAY include any of the following: +#### 4.1.1.4 Non-Commercial Entity Subjects - i. Agreement title, - ii. Date of Contract Signer's signature, - iii. Contract reference number, and - iv. Filing location. +An Applicant qualifies as a Non-Commercial Entity if: - B. Prior Equivalent Authority of a Certificate Approver MAY be relied upon for confirmation or verification of the EV Authority of the Certificate Approver when the Certificate Approver has performed one or more of the following: +1. The Applicant is an International Organization Entity, created under a charter, treaty, convention or equivalent instrument that was signed by, or on behalf of, more than one country's government. The CA/Browser Forum may publish a listing of Applicants who qualify as an International Organization for EV eligibility; and - i. Under contract to the CA, has served (or is serving) as an Enterprise RA for the Applicant, or - ii. Has participated in the approval of one or more certificate requests, for certificates issued by the CA and which are currently and verifiably in use by the Applicant. In this case the CA MUST have contacted the Certificate Approver by phone at a previously validated phone number or have accepted a signed and notarized letter approving the certificate request. +2. The Applicant is not headquartered in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and -6. **QIIS or QGIS**: The Signing Authority of the Contract Signer, and/or the EV Authority of the Certificate Approver, MAY be verified by a QIIS or QGIS that identifies the Contract Signer and/or the Certificate Approver as a corporate officer, sole proprietor, or other senior official of the Applicant. +3. The Applicant is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction. -7. **Contract Signer's Representation/Warranty**: Provided that the CA verifies that the Contract Signer is an employee or agent of the Applicant, the CA MAY rely on the signing authority of the Contract Signer by obtaining a duly executed representation or warranty from the Contract Signer that includes the following acknowledgments: +Subsidiary organizations or agencies of an entity that qualifies as a Non-Commercial Entity also qualifies for EV Certificates as a Non-Commercial Entity. - A. That the Applicant authorizes the Contract Signer to sign the Subscriber Agreement on the Applicant's behalf, - B. That the Subscriber Agreement is a legally valid and enforceable agreement, - C. That, upon execution of the Subscriber Agreement, the Applicant will be bound by all of its terms and conditions, - D. That serious consequences attach to the misuse of an EV certificate, and - E. The contract signer has the authority to obtain the digital equivalent of a corporate seal, stamp or officer's signature to establish the authenticity of the company's Web site. +### 4.1.2 Enrollment process and responsibilities +The documentation requirements in Section 4.1.2 of the Baseline Requirements apply equally to EV Certificates. +The Certificate Request requirements in Section 4.1.2 of the Baseline Requirements apply equally to EV Certificates subject to the additional more stringent ageing and updating requirement of [Section 3.2.2.14](#32214-requirements-for-re-use-of-existing-documentation). -Note: An example of an acceptable representation/warranty appears in [Appendix E](#appendix-e---sample-contract-signers-representationwarranty-informative). +## 4.2 Certificate application processing -### 11.8.4. Pre-Authorized Certificate Approver +### 4.2.1 Performing identification and authentication functions +The following Applicant roles are required for the issuance of an EV Certificate. -Where the CA and Applicant contemplate the submission of multiple future EV Certificate Requests, then, after the CA: +1. **Certificate Requester**: The EV Certificate Request MUST be submitted by an authorized Certificate Requester. A Certificate Requester is a natural person who is either the Applicant, employed by the Applicant, an authorized agent who has express authority to represent the Applicant, or a third party (such as an ISP or hosting company) that completes and submits an EV Certificate Request on behalf of the Applicant. -1. Has verified the name and title of the Contract Signer and that he/she is an employee or agent of the Applicant; and +2. **Certificate Approver**: The EV Certificate Request MUST be approved by an authorized Certificate Approver. A Certificate Approver is a natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant to -2. Has verified the Signing Authority of such Contract Signer in accordance with one of the procedures in [Section 11.8.3](#1183-acceptable-methods-of-verification--authority). + i. act as a Certificate Requester and to authorize other employees or third parties to act as a Certificate Requester, and + ii. to approve EV Certificate Requests submitted by other Certificate Requesters. -The CA and the Applicant MAY enter into a written agreement, signed by the Contract Signer on behalf of the Applicant, whereby, for a specified term, the Applicant expressly authorizes one or more Certificate Approver(s) designated in such agreement to exercise EV Authority with respect to each future EV Certificate Request submitted on behalf of the Applicant and properly authenticated as originating with, or otherwise being approved by, such Certificate Approver(s). +3. **Contract Signer**: A Subscriber Agreement applicable to the requested EV Certificate MUST be signed by an authorized Contract Signer. A Contract Signer is a natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant, and who has authority on behalf of the Applicant to sign Subscriber Agreements. -Such an agreement MUST provide that the Applicant shall be obligated under the Subscriber Agreement for all EV Certificates issued at the request of, or approved by, such Certificate Approver(s) until such EV Authority is revoked, and MUST include mutually agreed-upon provisions for: +4. **Applicant Representative**: In the case where the CA and the Subscriber are affiliated, Terms of Use applicable to the requested EV Certificate MUST be acknowledged and agreed to by an authorized Applicant Representative. An Applicant Representative is a natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant, and who has authority on behalf of the Applicant to acknowledge and agree to the Terms of Use. - i. authenticating the Certificate Approver when EV Certificate Requests are approved, - ii. periodic re-confirmation of the EV Authority of the Certificate Approver, - iii. secure procedures by which the Applicant can notify the CA that the EV Authority of any such Certificate Approver is revoked, and - iv. such other appropriate precautions as are reasonably necessary. +The Applicant MAY authorize one individual to occupy two or more of these roles. The Applicant MAY authorize more than one individual to occupy any of these roles. -## 11.9. Verification of Signature on Subscriber Agreement and EV Certificate Requests +### 4.2.2 Approval or rejection of certificate applications +### 4.2.3 Time to process certificate applications -Both the Subscriber Agreement and each non-pre-authorized EV Certificate Request MUST be signed. The Subscriber Agreement MUST be signed by an authorized Contract Signer. The EV Certificate Request MUST be signed by the Certificate Requester submitting the document, unless the Certificate Request has been pre-authorized in line with [Section 11.8.4](#1184-pre-authorized-certificate-approver). If the Certificate Requester is not also an authorized Certificate Approver, then an authorized Certificate Approver MUST independently approve the EV Certificate Request. In all cases, applicable signatures MUST be a legally valid and contain an enforceable seal or handwritten signature (for a paper Subscriber Agreement and/or EV Certificate Request), or a legally valid and enforceable electronic signature (for an electronic Subscriber Agreement and/or EV Certificate Request), that binds the Applicant to the terms of each respective document. +## 4.3 Certificate issuance -### 11.9.1. Verification Requirements +### 4.3.1 CA actions during certificate issuance +Certificate issuance by the Root CA SHALL require an individual authorized by the CA (i.e. the CA system operator, system officer, or PKI administrator) to deliberately issue a direct command in order for the Root CA to perform a certificate signing operation. -1. **Signature**: The CA MUST authenticate the signature of the Contract Signer on the Subscriber Agreement and the signature of the Certificate Requester on each EV Certificate Request in a manner that makes it reasonably certain that the person named as the signer in the applicable document is, in fact, the person who signed the document on behalf of the Applicant. +Root CA Private Keys MUST NOT be used to sign EV Certificates. -2. **Approval Alternative**: In cases where an EV Certificate Request is signed and submitted by a Certificate Requester who does not also function as a Certificate Approver, approval and adoption of the EV Certificate Request by a Certificate Approver in accordance with the requirements of [Section 11.10](#1110-verification-of-approval-of-ev-certificate-request) can substitute for authentication of the signature of the Certificate Requester on such EV Certificate Request. +### 4.3.2 Notification to subscriber by the CA of issuance of certificate + +## 4.4 Certificate acceptance +### 4.4.1 Conduct constituting certificate acceptance +### 4.4.2 Publication of the certificate by the CA +### 4.4.3 Notification of certificate issuance by the CA to other entities + +## 4.5 Key pair and certificate usage +### 4.5.1 Subscriber private key and certificate usage +### 4.5.2 Relying party public key and certificate usage + +## 4.6 Certificate renewal +### 4.6.1 Circumstance for certificate renewal +### 4.6.2 Who may request renewal +### 4.6.3 Processing certificate renewal requests +### 4.6.4 Notification of new certificate issuance to subscriber +### 4.6.5 Conduct constituting acceptance of a renewal certificate +### 4.6.6 Publication of the renewal certificate by the CA +### 4.6.7 Notification of certificate issuance by the CA to other entities + +## 4.7 Certificate re-key +### 4.7.1 Circumstance for certificate re-key +### 4.7.2 Who may request certification of a new public key +### 4.7.3 Processing certificate re-keying requests +### 4.7.4 Notification of new certificate issuance to subscriber +### 4.7.5 Conduct constituting acceptance of a re-keyed certificate +### 4.7.6 Publication of the re-keyed certificate by the CA +### 4.7.7 Notification of certificate issuance by the CA to other entities + +## 4.8 Certificate modification +### 4.8.1 Circumstance for certificate modification +### 4.8.2 Who may request certificate modification +### 4.8.3 Processing certificate modification requests +### 4.8.4 Notification of new certificate issuance to subscriber +### 4.8.5 Conduct constituting acceptance of modified certificate +### 4.8.6 Publication of the modified certificate by the CA +### 4.8.7 Notification of certificate issuance by the CA to other entities + +## 4.9 Certificate revocation and suspension +### 4.9.1 Circumstances for revocation +### 4.9.2 Who can request revocation +### 4.9.3 Procedure for revocation request +### 4.9.4 Revocation request grace period +### 4.9.5 Time within which CA must process the revocation request +### 4.9.6 Revocation checking requirement for relying parties +### 4.9.7 CRL issuance frequency (if applicable) +### 4.9.8 Maximum latency for CRLs (if applicable) +### 4.9.9 On-line revocation/status checking availability +### 4.9.10 On-line revocation checking requirements +### 4.9.11 Other forms of revocation advertisements available +### 4.9.12 Special requirements re key compromise +### 4.9.13 Circumstances for suspension +### 4.9.14 Who can request suspension +### 4.9.15 Procedure for suspension request +### 4.9.16 Limits on suspension period + +## 4.10 Certificate status services +### 4.10.1 Operational characteristics +### 4.10.2 Service availability +### 4.10.3 Optional features + +## 4.11 End of subscription + +## 4.12 Key escrow and recovery +### 4.12.1 Key escrow and recovery policy and practices +### 4.12.2 Session key encapsulation and recovery policy and practices + +# 5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS +As specified in Section 5 of the Baseline Requirements. In addition, systems used to process and approve EV Certificate Requests MUST require actions by at least two trusted persons before creating an EV Certificate. -### 11.9.2. Acceptable Methods of Signature Verification +## 5.1 Physical controls +### 5.1.1 Site location and construction +### 5.1.2 Physical access +### 5.1.3 Power and air conditioning +### 5.1.4 Water exposures +### 5.1.5 Fire prevention and protection +### 5.1.6 Media storage +### 5.1.7 Waste disposal +### 5.1.8 Off-site backup + +## 5.2 Procedural controls +### 5.2.1 Trusted roles +### 5.2.2 Number of persons required per task +### 5.2.3 Identification and authentication for each role + +### 5.2.4 Roles requiring separation of duties +1. The CA MUST enforce rigorous control procedures for the separation of validation duties to ensure that no one person can single-handedly validate and authorize the issuance of an EV Certificate. The Final Cross-Correlation and Due Diligence steps, as outlined in [Section 3.2.2.13](#32213-final-cross-correlation-and-due-diligence), MAY be performed by one of the persons. For example, one Validation Specialist MAY review and verify all the Applicant information and a second Validation Specialist MAY approve issuance of the EV Certificate. +2. Such controls MUST be auditable. + +## 5.3 Personnel controls -Acceptable methods of authenticating the signature of the Certificate Requester or Contract Signer include the following: +### 5.3.1 Qualifications, experience, and clearance requirements -1. Contacting the Applicant using a Verified Method of Communication for the Applicant, for the attention of the Certificate Requester or Contract Signer, as applicable, followed by a response from someone who identifies themselves as such person confirming that he/she did sign the applicable document on behalf of the Applicant; +### 5.3.2 Background check procedures +Prior to the commencement of employment of any person by the CA for engagement in the EV Processes, whether as an employee, agent, or an independent contractor of the CA, the CA MUST: -2. A letter mailed to the Applicant's or Agent's address, as verified through independent means in accordance with these Guidelines, for the attention of the Certificate Requester or Contract Signer, as applicable, followed by a response through a Verified Method of Communication from someone who identifies themselves as such person confirming that he/she did sign the applicable document on behalf of the Applicant; +1. **Verify the Identity of Such Person**: Verification of identity MUST be performed through: -3. Use of a signature process that establishes the name and title of the signer in a secure manner, such as through use of an appropriately secure login process that identifies the signer before signing, or through use of a digital signature made with reference to an appropriately verified certificate; or + A. The personal (physical) presence of such person before trusted persons who perform human resource or security functions, and + B. The verification of well-recognized forms of government-issued photo identification (e.g., passports and/or drivers licenses); -4. Notarization by a notary, provided that the CA independently verifies that such notary is a legally qualified notary in the jurisdiction of the Certificate Requester or Contract Signer. + and -## 11.10. Verification of Approval of EV Certificate Request +2. **Verify the Trustworthiness of Such Person**: Verification of trustworthiness SHALL include background checks, which address at least the following, or their equivalent: -### 11.10.1. Verification Requirements + A. Confirmation of previous employment, + B. Check of professional references; + C. Confirmation of the highest or most-relevant educational qualification obtained; + D. Search of criminal records (local, state or provincial, and national) where allowed by the jurisdiction in which the person will be employed; -In cases where an EV Certificate Request is submitted by a Certificate Requester, before the CA issues the requested EV Certificate, the CA MUST verify that an authorized Certificate Approver reviewed and approved the EV Certificate Request. + and -### 11.10.2. Acceptable Methods of Verification +3. In the case of employees already in the employ of the CA at the time of adoption of these Guidelines whose identity and background has not previously been verified as set forth above, the CA SHALL conduct such verification within three months of the date of adoption of these Guidelines. -Acceptable methods of verifying the Certificate Approver's approval of an EV Certificate Request include: +### 5.3.3 Training requirements +The requirements in Section 5.3.3 of the Baseline Requirements apply equally to EV Certificates and these Guidelines. The required internal examination must relate to the EV Certificate validation criteria outlined in these Guidelines. -1. Contacting the Certificate Approver using a Verified Method of Communication for the Applicant and obtaining oral or written confirmation that the Certificate Approver has reviewed and approved the EV Certificate Request; -2. Notifying the Certificate Approver that one or more new EV Certificate Requests are available for review and approval at a designated access-controlled and secure Web site, followed by a login by, and an indication of approval from, the Certificate Approver in the manner required by the Web site; or -3. Verifying the signature of the Certificate Approver on the EV Certificate Request in accordance with [Section 11.9](#119-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests). +### 5.3.4 Retraining frequency and requirements -## 11.11. Verification of Certain Information Sources +### 5.3.5 Job rotation frequency and sequence -### 11.11.1. Verified Legal Opinion +### 5.3.6 Sanctions for unauthorized actions -1. **Verification Requirements**: Before relying on a legal opinion submitted to the CA, the CA MUST verify that such legal opinion meets the following requirements: +### 5.3.7 Independent contractor requirements - A. **Status of Author**: The CA MUST verify that the legal opinion is authored by an independent legal practitioner retained by and representing the Applicant (or an in-house legal practitioner employed by the Applicant) (Legal Practitioner) who is either: +### 5.3.8 Documentation supplied to personnel - i. A lawyer (or solicitor, barrister, advocate, or equivalent) licensed to practice law in the country of the Applicant's Jurisdiction of Incorporation or Registration or any jurisdiction where the Applicant maintains an office or physical facility, or - ii. A Latin Notary who is currently commissioned or licensed to practice in the country of the Applicant's Jurisdiction of Incorporation or Registration or any jurisdiction where the Applicant maintains an office or physical facility (and that such jurisdiction recognizes the role of the Latin Notary); +## 5.4 Audit logging procedures +As specified in Section 5.4 of the Baseline Requirements. - B. **Basis of Opinion**: The CA MUST verify that the Legal Practitioner is acting on behalf of the Applicant and that the conclusions of the Verified Legal Opinion are based on the Legal Practitioner's stated familiarity with the relevant facts and the exercise of the Legal Practitioner's professional judgment and expertise; - C. **Authenticity**: The CA MUST confirm the authenticity of the Verified Legal Opinion. +### 5.4.1 Types of events recorded +### 5.4.2 Frequency of processing log +### 5.4.3 Retention period for audit log +### 5.4.4 Protection of audit log +### 5.4.5 Audit log backup procedures +### 5.4.6 Audit collection system (internal vs. external) +### 5.4.7 Notification to event-causing subject +### 5.4.8 Vulnerability assessments -2. **Acceptable Methods of Verification**: Acceptable methods of establishing the foregoing requirements for a Verified Legal Opinion are: +## 5.5 Records archival +### 5.5.1 Types of records archived +### 5.5.2 Retention period for archive +### 5.5.3 Protection of archive +### 5.5.4 Archive backup procedures +### 5.5.5 Requirements for time-stamping of records +### 5.5.6 Archive collection system (internal or external) +### 5.5.7 Procedures to obtain and verify archive information - A. **Status of Author**: The CA MUST verify the professional status of the author of the legal opinion by directly contacting the authority responsible for registering or licensing such Legal Practitioner(s) in the applicable jurisdiction; - B. **Basis of Opinion**: The text of the legal opinion MUST make it clear that the Legal Practitioner is acting on behalf of the Applicant and that the conclusions of the legal opinion are based on the Legal Practitioner's stated familiarity with the relevant facts and the exercise of the practitioner's professional judgment and expertise. The legal opinion MAY also include disclaimers and other limitations customary in the Legal Practitioner's jurisdiction, provided that the scope of the disclaimed responsibility is not so great as to eliminate any substantial risk (financial, professional, and/or reputational) to the Legal Practitioner, should the legal opinion prove to be erroneous. An acceptable form of legal opinion is attached as [Appendix B](#appendix-b---sample-attorney-opinions-confirming-specified-information); - C. **Authenticity**: To confirm the authenticity of the legal opinion, the CA MUST make a telephone call or send a copy of the legal opinion back to the Legal Practitioner at the address, phone number, facsimile, or (if available) e-mail address for the Legal Practitioner listed with the authority responsible for registering or licensing such Legal Practitioner, and obtain confirmation from the Legal Practitioner or the Legal Practitioner's assistant that the legal opinion is authentic. If a phone number is not available from the licensing authority, the CA MAY use the number listed for the Legal Practitioner in records provided by the applicable phone company, QGIS, or QIIS. +## 5.6 Key changeover - In circumstances where the opinion is digitally signed, in a manner that confirms the authenticity of the document and the identity of the signer, as verified by the CA in [Section 11.11.1](#11111-verified-legal-opinion) (2)(A), no further verification of authenticity is required. +## 5.7 Compromise and disaster recovery +### 5.7.1 Incident and compromise handling procedures +### 5.7.2 Computing resources, software, and/or data are corrupted +### 5.7.3 Entity private key compromise procedures +### 5.7.4 Business continuity capabilities after a disaster -### 11.11.2. Verified Accountant Letter +## 5.8 CA or RA termination -1. **Verification Requirements**: Before relying on an accountant letter submitted to the CA, the CA MUST verify that such accountant letter meets the following requirements: +# 6. TECHNICAL SECURITY CONTROLS - A. **Status of Author**: The CA MUST verify that the accountant letter is authored by an Accounting Practitioner retained or employed by the Applicant and licensed within the country of the Applicant's Jurisdiction of Incorporation, Jurisdiction of Registration, or country where the Applicant maintains an office or physical facility. Verification of license MUST be through the member organization or regulatory organization in the Accounting Practitioner's country or jurisdiction that is appropriate to contact when verifying an accountant's license to practice in that country or jurisdiction. Such country or jurisdiction must have an accounting standards body that maintains full membership status with the International Federation of Accountants. - B. **Basis of Opinion**: The CA MUST verify that the Accounting Practitioner is acting on behalf of the Applicant and that the conclusions of the Verified Accountant Letter are based on the Accounting Practitioner's stated familiarity with the relevant facts and the exercise of the Accounting Practitioner's professional judgment and expertise; - C. **Authenticity**: The CA MUST confirm the authenticity of the Verified Accountant Letter. +## 6.1 Key pair generation and installation -2. **Acceptable Methods of Verification**: Acceptable methods of establishing the foregoing requirements for a Verified Accountant Letter are listed here. +### 6.1.1 Key pair generation +All requirements in Section 6.1.1.1 of the Baseline Requirements apply equally to EV Certificates. However, for Root CA Key Pairs generated after the release of these Guidelines, the Root CA Key Pair generation ceremony MUST be witnessed by the CA's Qualified Auditor in order to observe the process and the controls over the integrity and confidentiality of the Root CA Key Pairs produced. The Qualified Auditor MUST then issue a report opining that the CA, during its Root CA Key Pair and Certificate generation process: - A. **Status of Author**: The CA MUST verify the professional status of the author of the accountant letter by directly contacting the authority responsible for registering or licensing such Accounting Practitioners in the applicable jurisdiction. - B. **Basis of Opinion**: The text of the Verified Accountant Letter MUST make clear that the Accounting Practitioner is acting on behalf of the Applicant and that the information in the letter is based on the Accounting Practitioner's stated familiarity with the relevant facts and the exercise of the practitioner's professional judgment and expertise. The Verified Accountant Letter MAY also include disclaimers and other limitations customary in the Accounting Practitioner's jurisdiction, provided that the scope of the disclaimed responsibility is not so great as to eliminate any substantial risk (financial, professional, and/or reputational) to the Accounting Practitioner, should the Verified Accountant Letter prove to be erroneous. Acceptable forms of Verified Accountant Letter are attached as [Appendix C](#appendix-c---sample-accountant-letters-confirming-specified-information). - C. **Authenticity**: To confirm the authenticity of the accountant's opinion, the CA MUST make a telephone call or send a copy of the Verified Accountant Letter back to the Accounting Practitioner at the address, phone number, facsimile, or (if available) e-mail address for the Accounting Practitioner listed with the authority responsible for registering or licensing such Accounting Practitioners and obtain confirmation from the Accounting Practitioner or the Accounting Practitioner's assistant that the accountant letter is authentic. If a phone number is not available from the licensing authority, the CA MAY use the number listed for the Accountant in records provided by the applicable phone company, QGIS, or QIIS. + 1. Documented its Root CA key generation and protection procedures in its Certificate Policy, and its Certification Practices Statement; + 2. Included appropriate detail in its Root Key Generation Script; + 3. Maintained effective controls to provide reasonable assurance that the Root CA key pair was generated and protected in conformity with the procedures described in its CP/CPS and with its Root Key Generation Script; + 4. Performed, during the Root CA key generation process, all the procedures required by its Root Key Generation Script. - In circumstances where the opinion is digitally signed, in a manner that confirms the authenticity of the document and the identity of the signer, as verified by the CA in [Section 11.11.2](#11112-verified-accountant-letter) (2)(A), no further verification of authenticity is required. +### 6.1.2 Private key delivery to subscriber +### 6.1.3 Public key delivery to certificate issuer +### 6.1.4 CA public key delivery to relying parties +### 6.1.5 Key sizes +### 6.1.6 Public key parameters generation and quality checking +### 6.1.7 Key usage purposes (as per X.509 v3 key usage field) + +## 6.2 Private Key Protection and Cryptographic Module Engineering Controls +### 6.2.1 Cryptographic module standards and controls +### 6.2.2 Private key (n out of m) multi-person control +### 6.2.3 Private key escrow +### 6.2.4 Private key backup +### 6.2.5 Private key archival +### 6.2.6 Private key transfer into or from a cryptographic module +### 6.2.7 Private key storage on cryptographic module +### 6.2.8 Method of activating private key +### 6.2.9 Method of deactivating private key +### 6.2.10 Method of destroying private key +### 6.2.11 Cryptographic Module Rating + +## 6.3 Other aspects of key pair management +### 6.3.1 Public key archival + +### 6.3.2 Certificate operational periods and key pair usage periods +The Validity Period for an EV Certificate SHALL NOT exceed 398 days. -### 11.11.3. Face-to-Face Validation +It is RECOMMENDED that EV Subscriber Certificates have a Maximum Validity Period of twelve months. -1. **Verification Requirements**: Before relying on face-to-face vetting documents submitted to the CA, the CA MUST verify that the Third-Party Validator meets the following requirements: +## 6.4 Activation data +### 6.4.1 Activation data generation and installation +### 6.4.2 Activation data protection +### 6.4.3 Other aspects of activation data - A. **Qualification of Third-Party Validator**: The CA MUST independently verify that the Third-Party Validator is a legally-qualified Latin Notary or Notary (or legal equivalent in the Applicant's jurisdiction), Lawyer, or Accountant in the jurisdiction of the individual's residency; - B. **Document Chain of Custody**: The CA MUST verify that the Third-Party Validator viewed the Vetting Documents in a face-to-face meeting with the individual being validated; - C. **Verification of Attestation**: If the Third-Party Validator is not a Latin Notary, then the CA MUST confirm the authenticity of the attestation and vetting documents. +## 6.5 Computer security controls +### 6.5.1 Specific computer security technical requirements +### 6.5.2 Computer security rating -2. **Acceptable Methods of Verification**: Acceptable methods of establishing the foregoing requirements for vetting documents are: +## 6.6 Life cycle technical controls +### 6.6.1 System development controls +### 6.6.2 Security management controls +### 6.6.3 Life cycle security controls - A. **Qualification of Third-Party Validator**: The CA MUST verify the professional status of the Third-Party Validator by directly contacting the authority responsible for registering or licensing such Third-Party Validators in the applicable jurisdiction; - B. **Document Chain of Custody**: The Third-Party Validator MUST submit a statement to the CA which attests that they obtained the Vetting Documents submitted to the CA for the individual during a face-to-face meeting with the individual; - C. **Verification of Attestation**: If the Third-Party Validator is not a Latin Notary, then the CA MUST confirm the authenticity of the vetting documents received from the Third-Party Validator. The CA MUST make a telephone call to the Third-Party Validator and obtain confirmation from them or their assistant that they performed the face-to-face validation. The CA MAY rely upon self-reported information obtained from the Third-Party Validator for the sole purpose of performing this verification process. In circumstances where the attestation is digitally signed, in a manner that confirms the authenticity of the documents, and the identity of the signer as verified by the CA in [Section 11.11.3](#11113-face-to-face-validation) (1)(A), no further verification of authenticity is required. +## 6.7 Network security controls -### 11.11.4. Independent Confirmation From Applicant +## 6.8 Time-stamping -An Independent Confirmation from the Applicant is a confirmation of a particular fact (e.g., confirmation of the employee or agency status of a Contract Signer or Certificate Approver, confirmation of the EV Authority of a Certificate Approver, etc.) that is: +# 7. CERTIFICATE, CRL, AND OCSP PROFILES -A. Received by the CA from a Confirming Person (someone other than the person who is the subject of the inquiry) that has the appropriate authority to confirm such a fact, and who represents that he/she has confirmed such fact; -B. Received by the CA in a manner that authenticates and verifies the source of the confirmation; and -C. Binding on the Applicant. +## 7.1 Certificate profile +This section sets forth minimum requirements for the content of the EV Certificate as they relate to the identity of the CA and the Subject of the EV Certificate. -An Independent Confirmation from the Applicant MAY be obtained via the following procedure: +### 7.1.1 Version number(s) -1. **Confirmation Request**: The CA MUST initiate a Confirmation Request via an appropriate out-of-band communication, requesting verification or confirmation of the particular fact at issue as follows: +### 7.1.2 Certificate extensions +The extensions listed in [Section 7.1.2](#712-certificate-extensions) are recommended for maximum interoperability between certificates and browsers / applications, but are not mandatory on the CAs except where indicated as “Required”. CAs may use other extensions that are not listed in [Section 7.1.2](#712-certificate-extensions), but are encouraged to add them to this section by ballot from time to time to help increase extension standardization across the industry. - A. **Addressee**: The Confirmation Request MUST be directed to: +If a CA includes an extension in a certificate that has a Certificate field which is named in [Section 7.1.2](#712-certificate-extensions), the CA must follow the format specified in that subsection. However, no extension or extension format shall be mandatory on a CA unless specifically stated as “Required” in the subsection that describes the extension. - i. A position within the Applicant's organization that qualifies as a Confirming Person (e.g., Secretary, President, CEO, CFO, COO, CIO, CSO, Director, etc.) and is identified by name and title in a current QGIS, QIIS, QTIS, Verified Legal Opinion, Verified Accountant Letter, or by contacting the Applicant using a Verified Method of Communication; or - ii. The Applicant's Registered Agent or Registered Office in the Jurisdiction of Incorporation as listed in the official records of the Incorporating Agency, with instructions that it be forwarded to an appropriate Confirming Person; or - iii. A named individual verified to be in the direct line of management above the Contract Signer or Certificate Approver by contacting the Applicant's Human Resources Department by phone or mail (at the phone number or address for the Applicant's Place of Business, verified in accordance with these Guidelines). +#### 7.1.2.1 Subject Alternative Name Extension - B. **Means of Communication**: The Confirmation Request MUST be directed to the Confirming Person in a manner reasonably likely to reach such person. The following options are acceptable: +__Certificate Field__: `subjectAltName:dNSName` +__Required/Optional__: __Required__ +__Contents__: This extension MUST contain one or more host Domain Name(s) owned or controlled by the Subject and to be associated with the Subject's server. Such server MAY be owned and operated by the Subject or another entity (e.g., a hosting service). This extension MUST NOT contain a Wildcard Domain Name unless the FQDN portion of the Wildcard Domain Name is an Onion Domain Name verified in accordance with Appendix B of the Baseline Requirements. - i. By paper mail addressed to the Confirming Person at: +#### 7.1.2.2 CA/Browser Forum Organization Identifier Extension - 1. The address of the Applicant's Place of Business as verified by the CA in accordance with these Guidelines, or - 2. The business address for such Confirming Person specified in a current QGIS, QTIS, QIIS, Verified Professional Letter, or - 3. The address of the Applicant's Registered Agent or Registered Office listed in the official records of the Jurisdiction of Incorporation, or +__Extension Name__: `cabfOrganizationIdentifier` (OID: 2.23.140.3.1) +__Verbose OID__: `{joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) certificate-extensions(3) cabf-organization-identifier(1) }` +__Required/Optional__: __Optional (but see below)__ +__Contents__: If the subject:organizationIdentifier is present, this field MUST be present. - ii. By e-mail addressed to the Confirming Person at the business e-mail address for such person listed in a current QGIS, QTIS, QIIS, Verified Legal Opinion, or Verified Accountant Letter; or - iii. By telephone call to the Confirming Person, where such person is contacted by calling the main phone number of the Applicant's Place of Business (verified in accordance with these Guidelines) and asking to speak to such person, and a person taking the call identifies him- or herself as such person; or - iv. By facsimile to the Confirming Person at the Place of Business. The facsimile number must be listed in a current QGIS, QTIS, QIIS, Verified Legal Opinion, or Verified Accountant Letter. The cover page must be clearly addressed to the Confirming Person. +If present, this extension MUST contain a Registration Reference for a Legal Entity assigned in accordance to the identified Registration Scheme. -2. **Confirmation Response**: The CA MUST receive a response to the Confirmation Request from a Confirming Person that confirms the particular fact at issue. Such response MAY be provided to the CA by telephone, by e-mail, or by paper mail, so long as the CA can reliably verify that it was provided by a Confirming Person in response to the Confirmation Request. +The Registration Scheme MUST be encoded as described by the following ASN.1 grammar: -3. The CA MAY rely on a verified Confirming Person to confirm their own contact information: email address, telephone number, and facsimile number. The CA MAY rely on this verified contact information for future correspondence with the Confirming Person if: +```ASN.1 +id-CABFOrganizationIdentifier OBJECT IDENTIFIER ::= { + joint-iso-itu-t(2) international-organizations(23) + ca-browser-forum(140) certificate-extensions(3) + cabf-organizationIdentifier(1) +} - A. The domain of the e-mail address is owned by the Applicant and is the Confirming Person's own e-mail address and not a group e-mail alias; - B. The Confirming Person's telephone/fax number is verified by the CA to be a telephone number that is part of the organization's telephone system, and is not the personal phone number for the person. +ext-CABFOrganizationIdentifier EXTENSION ::= { + SYNTAX CABFOrganizationIdentifier + IDENTIFIED BY id-CABFOrganizationIdentifier +} -### 11.11.5. Qualified Independent Information Source +CABFOrganizationIdentifier ::= SEQUENCE { + registrationSchemeIdentifier PrintableString (SIZE(3)), + registrationCountry PrintableString (SIZE(2)), + registrationStateOrProvince [0] IMPLICIT PrintableString + (SIZE(0..128)) OPTIONAL, + registrationReference UTF8String +} +``` -A Qualified Independent Information Source (QIIS) is a regularly-updated and publicly available database that is generally recognized as a dependable source for certain information. A database qualifies as a QIIS if the CA determines that: +where the subfields have the same values, meanings, and restrictions described in [Section 7.1.4.2.8](#71428-subject-organization-identifier-field). The CA SHALL validate the contents using the requirements in [Section 7.1.4.2.8](#71428-subject-organization-identifier-field). -1. Industries other than the certificate industry rely on the database for accurate location, contact, or other information; and +### 7.1.3 Algorithm object identifiers +### 7.1.4 Name forms +#### 7.1.4.1 Issuer Information -2. The database provider updates its data on at least an annual basis. +Issuer Information listed in an EV Certificate MUST comply with Section 7.1.4.1 of the Baseline Requirements. -The CA SHALL use a documented process to check the accuracy of the database and ensure its data is acceptable, including reviewing the database provider's terms of use. The CA SHALL NOT use any data in a QIIS that the CA knows is +#### 7.1.4.2 Subject Distinguished Name Fields - i. self-reported and - ii. not verified by the QIIS as accurate. +Subject to the requirements of these Guidelines, the EV Certificate and certificates issued to Subordinate CAs that are not controlled by the same entity as the CA MUST include the following information about the Subject organization in the fields listed: -Databases in which the CA or its owners or affiliated companies maintain a controlling interest, or in which any Registration Authorities or subcontractors to whom the CA has outsourced any portion of the vetting process (or their owners or affiliated companies) maintain any ownership or beneficial interest, do not qualify as a QIIS. +##### 7.1.4.2.1 Subject Organization Name Field -### 11.11.6. Qualified Government Information Source +__Certificate Field__: `subject:organizationName` (OID 2.5.4.10) +__Required/Optional__: Required +__Contents__: This field MUST contain the Subject's full legal organization name as listed in the official records of the Incorporating or Registration Agency in the Subject's Jurisdiction of Incorporation or Registration or as otherwise verified by the CA as provided herein. A CA MAY abbreviate the organization prefixes or suffixes in the organization name, e.g., if the official record shows "Company Name Incorporated" the CA MAY include "Company Name, Inc." -A Qualified Government Information Source (QGIS) is a regularly-updated and current, publicly available, database designed for the purpose of accurately providing the information for which it is consulted, and which is generally recognized as a dependable source of such information provided that it is maintained by a Government Entity, the reporting of data is required by law, and false or misleading reporting is punishable with criminal or civil penalties. Nothing in these Guidelines shall prohibit the use of third-party vendors to obtain the information from the Government Entity provided that the third party obtains the information directly from the Government Entity. +When abbreviating a Subject's full legal name as allowed by this subsection, the CA MUST use abbreviations that are not misleading in the Jurisdiction of Incorporation or Registration. -### 11.11.7. Qualified Government Tax Information Source +In addition, an assumed name or DBA name used by the Subject MAY be included at the beginning of this field, provided that it is followed by the full legal organization name in parenthesis. -A Qualified Government Tax Information Source is a Qualified Government Information Source that specifically contains tax information relating to Private Organizations, Business Entities or Individuals (e.g., the IRS in the United States). +If the combination of names or the organization name by itself exceeds 64 characters, the CA MAY abbreviate parts of the organization name, and/or omit non-material words in the organization name in such a way that the text in this field does not exceed the 64-character limit; provided that the CA checks this field in accordance with [Section 3.2.2.12.1](#322121-high-risk-status) and a Relying Party will not be misled into thinking that they are dealing with a different organization. In cases where this is not possible, the CA MUST NOT issue the EV Certificate. -## 11.12. Other Verification Requirements +##### 7.1.4.2.2 Subject Common Name Field -### 11.12.1. High Risk Status +__Certificate Field__: `subject:commonName` (OID: 2.5.4.3) +__Required/Optional__: Deprecated (Discouraged, but not prohibited) +__Contents__: If present, this field MUST contain a single Domain Name(s) owned or controlled by the Subject and to be associated with the Subject's server. Such server MAY be owned and operated by the Subject or another entity (e.g., a hosting service). This field MUST NOT contain a Wildcard Domain Name unless the FQDN portion of the Wildcard Domain Name is an Onion Domain Name verified in accordance with Appendix B of the Baseline Requirements. -The High Risk Certificate requirements of Section 4.2.1 of the Baseline Requirements apply equally to EV Certificates. +##### 7.1.4.2.3 Subject Business Category Field -### 11.12.2. Denied Lists and Other Legal Block Lists +__Certificate Field__: `subject:businessCategory` (OID: 2.5.4.15) +__Required/Optional__: Required +__Contents__: This field MUST contain one of the following strings: "Private Organization", "Government Entity", "Business Entity", or "Non-Commercial Entity" depending upon whether the Subject qualifies under the terms of [Section 4.1.1.1](#4111-private-organization-subjects), [Section 4.1.1.2](#4112-government-entity-subjects), [Section 4.1.1.3](#4113-business-entity-subjects) or [Section 4.1.1.4](#4114-non-commercial-entity-subjects), respectively. -1. **Verification Requirements**: The CA MUST verify whether the Applicant, the Contract Signer, the Certificate Approver, the Applicant's Jurisdiction of Incorporation, Registration, or Place of Business: +##### 7.1.4.2.4 Subject Jurisdiction of Incorporation or Registration Field - A. Is identified on any government denied list, list of prohibited persons, or other list that prohibits doing business with such organization or person under the laws of the country of the CA's jurisdiction(s) of operation; or - B. Has its Jurisdiction of Incorporation, Registration, or Place of Business in any country with which the laws of the CA's jurisdiction prohibit doing business. +__Certificate Fields__: - The CA MUST NOT issue any EV Certificate to the Applicant if either the Applicant, the Contract Signer, or Certificate Approver or if the Applicant's Jurisdiction of Incorporation or Registration or Place of Business is on any such list. +Locality (if required): + `subject:jurisdictionLocalityName` (OID: 1.3.6.1.4.1.311.60.2.1.1) -2. **Acceptable Methods of Verification** The CA MUST take reasonable steps to verify with the following lists and regulations: +State or province (if required): + `subject:jurisdictionStateOrProvinceName` (OID: 1.3.6.1.4.1.311.60.2.1.2) - A. If the CA has operations in the U.S., the CA MUST take reasonable steps to verify with the following US Government denied lists and regulations: +Country: + `subject:jurisdictionCountryName` (OID: 1.3.6.1.4.1.311.60.2.1.3) - i. BIS Denied Persons List - [https://www.bis.doc.gov/index.php/the-denied-persons-list](https://www.bis.doc.gov/index.php/the-denied-persons-list) - ii. BIS Denied Entities List - [https://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern/entity-list](https://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern/entity-list) - iii. US Treasury Department List of Specially Designated Nationals and Blocked Persons - [https://www.treasury.gov/resource-center/sanctions/sdn-list/pages/default.aspx](https://www.treasury.gov/resource-center/sanctions/sdn-list/pages/default.aspx) - iv. US Government export regulations +__Required/Optional__: Required +__Contents__: These fields MUST NOT contain information that is not relevant to the level of the Incorporating Agency or Registration Agency. For example, the Jurisdiction of Incorporation for an Incorporating Agency or Jurisdiction of Registration for a Registration Agency that operates at the country level MUST include the country information but MUST NOT include the state or province or locality information. Similarly, the jurisdiction for the applicable Incorporating Agency or Registration Agency at the state or province level MUST include both country and state or province information, but MUST NOT include locality information. And, the jurisdiction for the applicable Incorporating Agency or Registration Agency at the locality level MUST include the country and state or province information, where the state or province regulates the registration of the entities at the locality level, as well as the locality information. Country information MUST be specified using the applicable ISO country code. State or province or locality information (where applicable) for the Subject's Jurisdiction of Incorporation or Registration MUST be specified using the full name of the applicable jurisdiction. - B. If the CA has operations in any other country, the CA MUST take reasonable steps to verify with all equivalent denied lists and export regulations (if any) in such other country. +Effective as of 1 October 2020, the CA SHALL ensure that, at time of issuance, the values within these fields have been disclosed within the latest publicly-available disclosure, as described in [Section 3.2.2.1.3](#32213-disclosure-of-verification-sources), as acceptable values for the applicable Incorporating Agency or Registration Agency. -### 11.12.3. Parent/Subsidiary/Affiliate Relationship +##### 7.1.4.2.5 Subject Registration Number Field -A CA verifying an Applicant using information of the Applicant's Parent, Subsidiary, or Affiliate, when allowed under [Section 11.4.1](#1141-address-of-applicants-place-of-business), [Section 11.5](#115-verified-method-of-communication), [Section 11.6.1](#1161-verification-requirements), or [Section 11.7.1](#1171-verification-requirements), MUST verify the Applicant's relationship to the Parent, Subsidiary, or Affiliate. Acceptable methods of verifying the Applicant's relationship to the Parent, Subsidiary, or Affiliate include the following: +__Certificate Field__: `subject:serialNumber` (OID: 2.5.4.5) +__Required/Optional__: __Required__ +__Contents__: For Private Organizations, this field MUST contain the Registration (or similar) Number assigned to the Subject by the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration, as appropriate. If the Jurisdiction of Incorporation or Registration does not provide a Registration Number, then the date of Incorporation or Registration SHALL be entered into this field in any one of the common date formats. -1. QIIS or QGIS: The relationship between the Applicant and the Parent, Subsidiary, or Affiliate is identified in a QIIS or QGIS; -2. Independent Confirmation from the Parent, Subsidiary, or Affiliate: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by obtaining an Independent Confirmation from the appropriate Parent, Subsidiary, or Affiliate (as described in [Section 11.11.4](#11114-independent-confirmation-from-applicant)); -3. Contract between CA and Parent, Subsidiary, or Affiliate: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by relying on a contract between the CA and the Parent, Subsidiary, or Affiliate that designates the Certificate Approver with such EV Authority, provided that the contract is signed by the Contract Signer and provided that the agency and Signing Authority of the Contract Signer have been verified; -4. Verified Professional Letter: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by relying on a Verified Professional Letter; or -5. Corporate Resolution: A CA MAY verify the relationship between an Applicant and a Subsidiary by relying on a properly authenticated corporate resolution that approves creation of the Subsidiary or the Applicant, provided that such resolution is: +For Government Entities that do not have a Registration Number or readily verifiable date of creation, the CA SHALL enter appropriate language to indicate that the Subject is a Government Entity. - i. certified by the appropriate corporate officer (e.g., secretary), and - ii. the CA can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification. +For Business Entities, the Registration Number that was received by the Business Entity upon government registration SHALL be entered in this field. For those Business Entities that register with an Incorporating Agency or Registration Agency in a jurisdiction that does not issue numbers pursuant to government registration, the date of the registration SHALL be entered into this field in any one of the common date formats. -## 11.13. Final Cross-Correlation and Due Diligence +Effective as of 1 October 2020, if the CA has disclosed a set of acceptable format or formats for Registration Numbers for the applicable Registration Agency or Incorporating Agency, as described in [Section 3.2.2.1.3](#32213-disclosure-of-verification-sources), the CA MUST ensure, prior to issuance, that the Registration Number is valid according to at least one currently disclosed format for that applicable Registration Agency or Incorporating agency. -1. The results of the verification processes and procedures outlined in these Guidelines are intended to be viewed both individually and as a group. Thus, after all of the verification processes and procedures are completed, the CA MUST have a person who is not responsible for the collection of information review all of the information and documentation assembled in support of the EV Certificate application and look for discrepancies or other details requiring further explanation. -2. The CA MUST obtain and document further explanation or clarification from the Applicant, Certificate Approver, Certificate Requester, Qualified Independent Information Sources, and/or other sources of information, as necessary, to resolve those discrepancies or details that require further explanation. -3. The CA MUST refrain from issuing an EV Certificate until the entire corpus of information and documentation assembled in support of the EV Certificate Request is such that issuance of the EV Certificate will not communicate factual information that the CA knows, or the exercise of due diligence should discover from the assembled information and documentation, to be inaccurate,. If satisfactory explanation and/or additional documentation are not received within a reasonable time, the CA MUST decline the EV Certificate Request and SHOULD notify the Applicant accordingly. -4. In the case where some or all of the documentation used to support the application is in a language other than the CA's normal operating language, the CA or its Affiliate MUST perform the requirements of this Final Cross-Correlation and Due Diligence section using employees under its control and having appropriate training, experience, and judgment in confirming organizational identification and authorization and fulfilling all qualification requirements contained in [Section 14.1](#141-trustworthiness-and-competence). When employees under the control of the CA do not possess the language skills necessary to perform the Final Cross-Correlation and Due Diligence a CA MAY: +##### 7.1.4.2.6 Subject Physical Address of Place of Business Field - A. Rely on language translations of the relevant portions of the documentation, provided that the translations are received from a Translator; or - B. When the CA has utilized the services of an RA, the CA MAY rely on the language skills of the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with [Section 11.13](#1113-final-cross-correlation-and-due-diligence), Subsections (1), (2) and (3). Notwithstanding the foregoing, prior to issuing the EV Certificate, the CA MUST review the work completed by the RA and determine that all requirements have been met; or - C. When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 17.5](#175-regular-self-audits) and [Section 17.6](#176-auditor-qualification). +__Certificate Fields__: + Number and street: `subject:streetAddress` (OID: 2.5.4.9) + City or town: `subject:localityName` (OID: 2.5.4.7) + State or province (where applicable): `subject:stateOrProvinceName` (OID: 2.5.4.8) + Country: `subject:countryName` (OID: 2.5.4.6) + Postal code: `subject:postalCode` (OID: 2.5.4.17) +__Required/Optional__: As stated in Section 7.1.4.2.2 d, e, f, g and h of the Baseline Requirements. +__Contents__: This field MUST contain the address of the physical location of the Subject's Place of Business. -In the case of EV Certificates to be issued in compliance with the requirements of [Section 14.2](#142-delegation-of-functions-to-registration-authorities-and-subcontractors), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. +##### 7.1.4.2.7 Subject Organizational Unit Name Field -## 11.14. Requirements for Re-use of Existing Documentation +__Certificate Field__: `subject:organizationalUnitName` (OID: 2.5.4.11) +__Required/Optional/Prohibited:__ __Prohibited__. -For each EV Certificate Request, including requests to renew existing EV Certificates, the CA MUST perform all authentication and verification tasks required by these Guidelines to ensure that the request is properly authorized by the Applicant and that the information in the EV Certificate is still accurate and valid. This section sets forth the age limitations on for the use of documentation collected by the CA. +##### 7.1.4.2.8 Subject Organization Identifier Field + +__Certificate Field__: `subject:organizationIdentifier` (OID: 2.5.4.97) +__Required/Optional__: Optional +__Contents__: If present, this field MUST contain a Registration Reference for a Legal Entity assigned in accordance to the identified Registration Scheme. -### 11.14.1. Validation For Existing Subscribers +The organizationIdentifier MUST be encoded as a PrintableString or UTF8String. -If an Applicant has a currently valid EV Certificate issued by the CA, a CA MAY rely on its prior authentication and verification of: +The Registration Scheme MUST be identified using the using the following structure in the presented order: -1. The Principal Individual verified under [Section 11.2.2](#1122-acceptable-method-of-verification) (4) if the individual is the same person as verified by the CA in connection with the Applicant's previously issued and currently valid EV Certificate; -2. The Applicant's Place of Business under [Section 11.4.1](#1141-address-of-applicants-place-of-business); -3. The Applicant's Verified Method of Communication required by [Section 11.5](#115-verified-method-of-communication) but still MUST perform the verification required by [Section 11.5.2](#1152-acceptable-methods-of-verification) (B); -4. The Applicant's Operational Existence under [Section 11.6](#116-verification-of-applicants-operational-existence); -5. The Name, Title, Agency and Authority of the Contract Signer, and Certificate Approver, under [Section 11.8](#118-verification-of-name-title-and-authority-of-contract-signer-and-certificate-approver); and -6. The Applicant's right to use the specified Domain Name under [Section 11.7](#117-verification-of-applicants-domain-name), provided that the CA verifies that the WHOIS record still shows the same registrant as when the CA verified the specified Domain Name for the initial EV Certificate. +* 3 character Registration Scheme identifier; +* 2 character ISO 3166 country code for the nation in which the Registration Scheme is operated, or if the scheme is operated globally ISO 3166 code "XG" shall be used; +* For the NTR Registration Scheme identifier, if required under [Section 7.1.4.2.4](#71424-subject-jurisdiction-of-incorporation-or-registration-field), a 2 character ISO 3166-2 identifier for the subdivision (state or province) of the nation in which the Registration Scheme is operated, preceded by plus "+" (0x2B (ASCII), U+002B (UTF-8)); +* a hyphen-minus "-" (0x2D (ASCII), U+002D (UTF-8)); +* Registration Reference allocated in accordance with the identified Registration Scheme -### 11.14.2. Re-issuance Requests +Note: Registration References MAY contain hyphens, but Registration Schemes, ISO 3166 country codes, and ISO 3166-2 identifiers do not. Therefore if more than one hyphen appears in the structure, the leftmost hyphen is a separator, and the remaining hyphens are part of the Registration Reference. -A CA may rely on a previously verified certificate request to issue a replacement certificate, so long as the certificate being referenced was not revoked due to fraud or other illegal conduct, if: +As in [Section 7.1.4.2.4](#71424-subject-jurisdiction-of-incorporation-or-registration-field), the specified location information MUST match the scope of the registration being referenced. -1. The expiration date of the replacement certificate is the same as the expiration date of the EV Certificate that is being replaced, and -2. The Subject Information of the Certificate is the same as the Subject in the EV Certificate that is being replaced. +Examples: -### 11.14.3. Age of Validated Data +* `NTRGB-12345678` (NTR scheme, Great Britain, Unique Identifier at Country level is 12345678) +* `NTRUS+CA-12345678` (NTR Scheme, United States - California, Unique identifier at State level is 12345678) +* `VATDE-123456789` (VAT Scheme, Germany, Unique Identifier at Country Level is 12345678) +* `PSDBE-NBB-1234.567.890` (PSD Scheme, Belgium, NCA's identifier is NBB, Subject Unique Identifier assigned by the NCA is 1234.567.890) -1. Except for reissuance of an EV Certificate under [Section 11.14.2](#11142-re-issuance-requests) and except when permitted otherwise in [Section 11.14.1](#11141-validation-for-existing-subscribers), the age of all data used to support issuance of an EV Certificate (before revalidation is required) SHALL NOT exceed the following limits: +Registration Schemes listed in [Appendix H](#appendix-h--registration-schemes) are currently recognized as valid under these guidelines. - A. Legal existence and identity – 398 days; - B. Assumed name – 398 days; - C. Address of Place of Business – 398 days; - D. Verified Method of Communication – 398 days; - E. Operational existence – 398 days; - F. Domain Name – 398 days; - G. Name, Title, Agency, and Authority – 398 days, unless a contract between the CA and the Applicant specifies a different term, in which case, the term specified in such contract controls. For example, the contract MAY include the perpetual assignment of EV roles until revoked by the Applicant or CA, or until the contract expires or is terminated. +The CA SHALL: -2. The 398-day period set forth above SHALL begin to run on the date the information was collected by the CA. -3. The CA MAY reuse a previously submitted EV Certificate Request, Subscriber Agreement, or Terms of Use, including use of a single EV Certificate Request in support of multiple EV Certificates containing the same Subject to the extent permitted under [Section 11.9](#119-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests) and [Section 11.10](#1110-verification-of-approval-of-ev-certificate-request). -4. The CA MUST repeat the verification process required in these Guidelines for any information obtained outside the time limits specified above except when permitted otherwise under [Section 11.14.1](#11141-validation-for-existing-subscribers). +1. confirm that the organization represented by the Registration Reference is the same as the organization named in the `organizationName` field as specified in [Section 7.1.4.2.1](#71421-subject-organization-name-field) within the context of the subject’s jurisdiction as specified in [Section 7.1.4.2.4](#71424-subject-jurisdiction-of-incorporation-or-registration-field); +2. further verify the Registration Reference matches other information verified in accordance with [Section 3.2](#32-initial-identity-validation); +3. take appropriate measures to disambiguate between different organizations as described in [Appendix H](#appendix-h--registration-schemes) for each Registration Scheme; +4. Apply the validation rules relevant to the Registration Scheme as specified in [Appendix H](#appendix-h--registration-schemes). -# 12. Certificate Issuance by a Root CA +##### 7.1.4.2.9 Other Subject Attributes -Certificate issuance by the Root CA SHALL require an individual authorized by the CA (i.e. the CA system operator, system officer, or PKI administrator) to deliberately issue a direct command in order for the Root CA to perform a certificate signing operation. +CAs SHALL NOT include any Subject Distinguished Name attributes except as specified in [Section 7.1.4.2](#7142-subject-distinguished-name-fields). -Root CA Private Keys MUST NOT be used to sign EV Certificates. +#### 7.1.4.3 Additional Technical Requirements for EV Certificates -# 13. Certificate Revocation and Status Checking +All provisions of the Baseline Requirements concerning Minimum Cryptographic Algorithms, Key Sizes, and Certificate Extensions apply to EV Certificates with the following exceptions: -The requirements in Section 4.9 of the Baseline Requirements apply equally to EV Certificates. +1. If a Subordinate CA Certificates is issued to a Subordinate CA not controlled by the entity that controls the Root CA, the policy identifiers in the `certificatePolicies` extension MUST include the CA's Extended Validation policy identifier. -# 14. Employee and third party issues + Otherwise, it MAY contain the anyPolicy identifier. -## 14.1. Trustworthiness and Competence +2. The following fields MUST be present if the Subordinate CA is not controlled by the entity that controls the Root CA. -### 14.1.1. Identity and Background Verification + * `certificatePolicies:policyQualifiers:policyQualifierId` -Prior to the commencement of employment of any person by the CA for engagement in the EV Processes, whether as an employee, agent, or an independent contractor of the CA, the CA MUST: + `id-qt 1` [RFC 5280] -1. **Verify the Identity of Such Person**: Verification of identity MUST be performed through: + * `certificatePolicies:policyQualifiers:qualifier:cPSuri` - A. The personal (physical) presence of such person before trusted persons who perform human resource or security functions, and - B. The verification of well-recognized forms of government-issued photo identification (e.g., passports and/or drivers licenses); + HTTP URL for the Root CA's Certification Practice Statement - and +3. The `certificatePolicies` extension in EV Certificates issued to Subscribers MUST include the following: -2. **Verify the Trustworthiness of Such Person**: Verification of trustworthiness SHALL include background checks, which address at least the following, or their equivalent: + * `certificatePolicies:policyIdentifier` (Required) - A. Confirmation of previous employment, - B. Check of professional references; - C. Confirmation of the highest or most-relevant educational qualification obtained; - D. Search of criminal records (local, state or provincial, and national) where allowed by the jurisdiction in which the person will be employed; + The Issuer's EV policy identifier - and + * `certificatePolicies:policyQualifiers:policyQualifierId` (Required) -3. In the case of employees already in the employ of the CA at the time of adoption of these Guidelines whose identity and background has not previously been verified as set forth above, the CA SHALL conduct such verification within three months of the date of adoption of these Guidelines. + `id-qt 1` [RFC 5280] -### 14.1.2. Training and Skills Level + * `certificatePolicies:policyQualifiers:qualifier:cPSuri` (Required) -The requirements in Section 5.3.3 of the Baseline Requirements apply equally to EV Certificates and these Guidelines. The required internal examination must relate to the EV Certificate validation criteria outlined in these Guidelines. + HTTP URL for the Subordinate CA's Certification Practice Statement -### 14.1.3. Separation of Duties +4. The `cRLDistributionPoints` extension MUST be present in Subscriber Certificates if the certificate does not specify OCSP responder locations in an `authorityInformationAccess` extension. -1. The CA MUST enforce rigorous control procedures for the separation of validation duties to ensure that no one person can single-handedly validate and authorize the issuance of an EV Certificate. The Final Cross-Correlation and Due Diligence steps, as outlined in [Section 11.13](#1113-final-cross-correlation-and-due-diligence), MAY be performed by one of the persons. For example, one Validation Specialist MAY review and verify all the Applicant information and a second Validation Specialist MAY approve issuance of the EV Certificate. -2. Such controls MUST be auditable. -## 14.2. Delegation of Functions to Registration Authorities and Subcontractors +### 7.1.5 Name constraints -### 14.2.1. General +### 7.1.6 Certificate policy object identifier +This section sets forth minimum requirements for the contents of EV Certificates as they relate to the identification of EV Certificate Policy. -The CA MAY delegate the performance of all or any part of a requirement of these Guidelines to an Affiliate or a Registration Authority (RA) or subcontractor, provided that the process employed by the CA fulfills all of the requirements of [Section 11.13](#1113-final-cross-correlation-and-due-diligence). -Affiliates and/or RAs must comply with the qualification requirements of [Section 14.1](#141-trustworthiness-and-competence). +#### 7.1.6.1 EV Subscriber Certificates -The CA SHALL verify that the Delegated Third Party's personnel involved in the issuance of a Certificate meet the training and skills requirements of [Section 14](#14-employee-and-third-party-issues) and the document retention and event logging requirements of [Section 15](#15-data-records). +Each EV Certificate issued by the CA to a Subscriber MUST contain a policy identifier that is either defined by these Guidelines or the CA in the certificate's `certificatePolicies` extension that: -### 14.2.2. Enterprise RAs +1. indicates which CA policy statement relates to that Certificate, +2. asserts the CA's adherence to and compliance with these Guidelines, and +3. is either the CA/Browser Forum’s EV policy identifier or a policy identifier that, by pre-agreement with the Application Software Supplier, marks the Certificate as being an EV Certificate. -The CA MAY contractually authorize a Subscriber to perform the RA function and authorize the CA to issue additional EV Certificates. In such case, the Subscriber SHALL be considered an Enterprise RA, and the following requirements SHALL apply: +The following Certificate Policy identifier is the CA/Browser Forum’s EV policy identifier: +`{joint‐iso‐itu‐t(2) international‐organizations(23) ca‐browser‐forum(140) certificate‐policies(1) ev-guidelines (1) } (2.23.140.1.1)`, if the Certificate complies with these Guidelines. -1. In all cases, the Subscriber MUST be an organization verified by the CA in accordance with these Guidelines; -2. The CA MUST impose these limitations as a contractual requirement with the Enterprise RA and monitor compliance by the Enterprise RA; and -3. The Final Cross-Correlation and Due Diligence requirements of [Section 11.13](#1113-final-cross-correlation-and-due-diligence) MAY be performed by a single person representing the Enterprise RA. +#### 7.1.6.2 Root CA Certificates -Enterprise RAs that authorize the issuance of EV Certificates solely for its own organization are exempted from the audit requirements of [Section 17.1](#171-eligible-audit-schemes). In all other cases, the requirements of [Section 17.1](#171-eligible-audit-schemes) SHALL apply. +The Application Software Supplier identifies Root CAs that are approved to issue EV Certificates by storing EV policy identifiers in metadata associated with Root CA Certificates. -### 14.2.3. Guidelines Compliance Obligation +#### 7.1.6.3 EV Subordinate CA Certificates -In all cases, the CA MUST contractually obligate each Affiliate, RA, subcontractor, and Enterprise RA to comply with all applicable requirements in these Guidelines and to perform them as required of the CA itself. The CA SHALL enforce these obligations and internally audit each Affiliate's, RA's, subcontractor's, and Enterprise RA's compliance with these Requirements on an annual basis. +1. Certificates issued to Subordinate CAs that are not controlled by the issuing CA MUST contain one or more policy identifiers defined by the issuing CA that explicitly identify the EV Policies that are implemented by the Subordinate CA. +2. Certificates issued to Subordinate CAs that are controlled by the Root CA MAY contain the special `anyPolicy` identifier (OID: 2.5.29.32.0). -### 14.2.4. Allocation of Liability +#### 7.1.6.4 Subscriber Certificates -As specified in Section 9.8 of the Baseline Requirements. +A Certificate issued to a Subscriber MUST contain one or more policy identifier(s), defined by the Issuing CA, in the Certificate's `certificatePolicies` extension that indicates adherence to and compliance with these Guidelines. Each CA SHALL document in its Certificate Policy or Certification Practice Statement that the Certificates it issues containing the specified policy identifier(s) are managed in accordance with these Guidelines. -# 15. Data Records +### 7.1.7 Usage of Policy Constraints extension -As specified in Section 5.4 of the Baseline Requirements. +### 7.1.8 Policy qualifiers syntax and semantics -# 16. Data Security +### 7.1.9 Processing semantics for the critical Certificate Policies extension -As specified in Section 5 of the Baseline Requirements. In addition, systems used to process and approve EV Certificate Requests MUST require actions by at least two trusted persons before creating an EV Certificate. +## 7.2 CRL profile +### 7.2.1 Version number(s) +### 7.2.2 CRL and CRL entry extensions -# 17. Audit +## 7.3 OCSP profile +### 7.3.1 Version number(s) +### 7.3.2 OCSP extensions -## 17.1. Eligible Audit Schemes +# 8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS A CA issuing EV Certificates SHALL undergo an audit in accordance with one of the following schemes: @@ -1371,17 +1517,23 @@ iii. ETSI EN 319 411-1 audit for EVCP policy. If the CA is a Government Entity, an audit of the CA by the appropriate internal government auditing agency is acceptable in lieu of the audits specified above, provided that such internal government auditing agency publicly certifies in writing that its audit addresses the criteria specified in one of the above audit schemes and certifies that the government CA has successfully passed the audit. -EV audits MUST cover all CA obligations under these Guidelines regardless of whether they are performed directly by the CA or delegated to an RA or subcontractor. +## 8.1 Frequency or circumstances of assessment +CAs issuing EV Certificates MUST undergo an annual audit that meets the criteria of [Section 8](#8-compliance-audit-and-other-assessments). -## 17.2. Audit Period +### 8.1.1 Self audits +During the period in which it issues EV Certificates, the CA MUST strictly control its service quality by performing ongoing self audits against a randomly selected sample of at least three percent of the EV Certificates it has issued in the period beginning immediately after the last sample was taken. For all EV Certificates where the Final Cross-Correlation and Due Diligence requirements of [Section 3.2.2.13](#32213-final-cross-correlation-and-due-diligence) is performed by an RA, the CA MUST strictly control its service quality by performing ongoing self audits against a randomly selected sample of at least six percent of the EV Certificates it has issued in the period beginning immediately after the last sample was taken. -CAs issuing EV Certificates MUST undergo an annual audit that meets the criteria of [Section 17.1](#171-eligible-audit-schemes). +## 8.2 Identity/qualifications of assessor +A Qualified Auditor (as defined in Section 8.2 of the Baseline Requirements) MUST perform the CA's audit. -## 17.3 Audit Record +## 8.3 Assessor's relationship to assessed entity +## 8.4 Topics covered by assessment +## 8.5 Actions taken as a result of deficiency +## 8.6 Communication of results CAs SHOULD make its audit report publicly available no later than three months after the end of the audit period. If there is a delay greater than three months and if so requested by an Application Software Supplier, the CA MUST provide an explanatory letter signed by its auditor. -## 17.4. Pre-Issuance Readiness Audit +## 8.7 Pre-issuance Readiness Audit 1. If the CA has a currently valid WebTrust Seal of Assurance for CAs, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against the WebTrust EV Program. 2. If the CA has a currently valid ETSI 102 042 audit, then, before issuing EV Certificates, the CA and its Root CA MUST successfully complete a point-in-time readiness assessment audit against ETSI TS 102 042. @@ -1392,31 +1544,107 @@ CAs SHOULD make its audit report publicly available no later than three months a The CA MUST complete any required point-in-time readiness assessment no earlier than twelve (12) months prior to issuing an EV Certificate. The CA MUST undergo a complete audit under such scheme within ninety (90) days of issuing the first EV Certificate. -## 17.5. Regular Self Audits +# 9. OTHER BUSINESS AND LEGAL MATTERS +## 9.1 Fees +### 9.1.1 Certificate issuance or renewal fees +### 9.1.2 Certificate access fees +### 9.1.3 Revocation or status information access fees +### 9.1.4 Fees for other services +### 9.1.5 Refund policy -During the period in which it issues EV Certificates, the CA MUST strictly control its service quality by performing ongoing self audits against a randomly selected sample of at least three percent of the EV Certificates it has issued in the period beginning immediately after the last sample was taken. For all EV Certificates where the Final Cross-Correlation and Due Diligence requirements of [Section 11.13](#1113-final-cross-correlation-and-due-diligence) is performed by an RA, the CA MUST strictly control its service quality by performing ongoing self audits against a randomly selected sample of at least six percent of the EV Certificates it has issued in the period beginning immediately after the last sample was taken. +## 9.2 Financial responsibility -## 17.6. Auditor Qualification +### 9.2.1 Insurance coverage +Each CA SHALL maintain the following insurance related to their respective performance and obligations under these Guidelines: -A Qualified Auditor (as defined in Section 8.2 of the Baseline Requirements) MUST perform the CA's audit. +A. Commercial General Liability insurance (occurrence form) with policy limits of at least two million US dollars in coverage; and -## 17.7. Root CA Key Pair Generation +B. Professional Liability/Errors and Omissions insurance, with policy limits of at least five million US dollars in coverage, and including coverage for: + i. claims for damages arising out of an act, error, or omission, unintentional breach of contract, or neglect in issuing or maintaining EV Certificates, and; + ii. claims for damages arising out of infringement of the proprietary rights of any third party (excluding copyright, and trademark infringement), and invasion of privacy and advertising injury. -All requirements in Section 6.1.1.1 of the Baseline Requirements apply equally to EV Certificates. However, for Root CA Key Pairs generated after the release of these Guidelines, the Root CA Key Pair generation ceremony MUST be witnessed by the CA's Qualified Auditor in order to observe the process and the controls over the integrity and confidentiality of the Root CA Key Pairs produced. The Qualified Auditor MUST then issue a report opining that the CA, during its Root CA Key Pair and Certificate generation process: +Such insurance must be with a company rated no less than A- as to Policy Holder's Rating in the current edition of Best's Insurance Guide (or with an association of companies each of the members of which are so rated). - 1. Documented its Root CA key generation and protection procedures in its Certificate Policy, and its Certification Practices Statement; - 2. Included appropriate detail in its Root Key Generation Script; - 3. Maintained effective controls to provide reasonable assurance that the Root CA key pair was generated and protected in conformity with the procedures described in its CP/CPS and with its Root Key Generation Script; - 4. Performed, during the Root CA key generation process, all the procedures required by its Root Key Generation Script. +A CA MAY self-insure for liabilities that arise from such party's performance and obligations under these Guidelines provided that it has at least five hundred million US dollars in liquid assets based on audited financial statements in the past twelve months, and a quick ratio (ratio of liquid assets to current liabilities) of not less than 1.0. + +### 9.2.2 Other assets +### 9.2.3 Insurance or warranty coverage for end-entities +## 9.3 Confidentiality of business information +### 9.3.1 Scope of confidential information +### 9.3.2 Information not within the scope of confidential information +### 9.3.3 Responsibility to protect confidential information +## 9.4 Privacy of personal information +### 9.4.1 Privacy plan +### 9.4.2 Information treated as private +### 9.4.3 Information not deemed private +### 9.4.4 Responsibility to protect private information +### 9.4.5 Notice and consent to use private information +### 9.4.6 Disclosure pursuant to judicial or administrative process +### 9.4.7 Other information disclosure circumstances +## 9.5 Intellectual property rights +## 9.6 Representations and warranties + +### 9.6.1 CA representations and warranties +When the CA issues an EV Certificate, the CA and its Root CA represent and warrant to the Certificate Beneficiaries listed in Section 9.6.1 of the Baseline Requirements, during the period when the EV Certificate is Valid, that the CA has followed the requirements of these Guidelines and its EV Policies in issuing and managing the EV Certificate and in verifying the accuracy of the information contained in the EV Certificate. The EV Certificate Warranties specifically include, but are not limited to, the following: + +A. **Legal Existence**: The CA has confirmed with the Incorporating or Registration Agency in the Subject's Jurisdiction of Incorporation or Registration that, as of the date the EV Certificate was issued, the Subject named in the EV Certificate legally exists as a valid organization or entity in the Jurisdiction of Incorporation or Registration; + +B. **Identity**: The CA has confirmed that, as of the date the EV Certificate was issued, the legal name of the Subject named in the EV Certificate matches the name on the official government records of the Incorporating or Registration Agency in the Subject's Jurisdiction of Incorporation or Registration, and if an assumed name is also included, that the assumed name is properly registered by the Subject in the jurisdiction of its Place of Business; + +C. **Right to Use Domain Name**: The CA has taken all steps reasonably necessary to verify that, as of the date the EV Certificate was issued, the Subject named in the EV Certificate has the right to use all the Domain Name(s) listed in the EV Certificate; + +D. **Authorization for EV Certificate**: The CA has taken all steps reasonably necessary to verify that the Subject named in the EV Certificate has authorized the issuance of the EV Certificate; + +E. **Accuracy of Information**: The CA has taken all steps reasonably necessary to verify that all of the other information in the EV Certificate is accurate, as of the date the EV Certificate was issued; + +F. **Subscriber Agreement**: The Subject named in the EV Certificate has entered into a legally valid and enforceable Subscriber Agreement with the CA that satisfies the requirements of these Guidelines or, if they are affiliated, the Applicant Representative has acknowledged and accepted the Terms of Use; + +G. **Status**: The CA will follow the requirements of these Guidelines and maintain a 24 x 7 online-accessible Repository with current information regarding the status of the EV Certificate as Valid or revoked; and + +H. **Revocation**: The CA will follow the requirements of these Guidelines and revoke the EV Certificate for any of the revocation reasons specified in these Guidelines. + +### 9.6.2 RA representations and warranties -# 18. Liability and Indemnification +### 9.6.3 Subscriber representations and warranties +Section 9.6.3 of the Baseline Requirements applies equally to EV Certificates. In cases where the Certificate Request does not contain all necessary information about the Applicant, the CA MUST additionally confirm the data with the Certificate Approver or Contract Signer rather than the Certificate Requester. + +EV Certificate Applicants make the commitments and warranties set forth in Section 9.6.3 of the Baseline Requirements for the benefit of the CA and Certificate Beneficiaries. +### 9.6.4 Relying party representations and warranties +### 9.6.5 Representations and warranties of other participants +## 9.7 Disclaimers of warranties +## 9.8 Limitations of liability CAs MAY limit their liability as described in Section 9.8 of the Baseline Requirements except that a CA MUST NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than two thousand US dollars per Subscriber or Relying Party per EV Certificate. +## 9.9 Indemnities A CA's indemnification obligations and a Root CA's obligations with respect to subordinate CAs are set forth in Section 9.9 of the Baseline Requirements. -# Appendix A - User Agent Verification (Normative) +## 9.10 Term and termination +### 9.10.1 Term +### 9.10.2 Termination +### 9.10.3 Effect of termination and survival +## 9.11 Individual notices and communications with participants +## 9.12 Amendments +### 9.12.1 Procedure for amendment +### 9.12.2 Notification mechanism and period +### 9.12.3 Circumstances under which OID must be changed +## 9.13 Dispute resolution provisions +## 9.14 Governing law +## 9.15 Compliance with applicable law +## 9.16 Miscellaneous provisions +### 9.16.1 Entire agreement +### 9.16.2 Assignment + +### 9.16.3 Severability +The CA MAY issue EV Certificates, provided that the CA and its Root CA satisfy the requirements in these Guidelines and the Baseline Requirements. + +If a court or government body with jurisdiction over the activities covered by these Guidelines determines that the performance of any mandatory requirement is illegal, then such requirement is considered reformed to the minimum extent necessary to make the requirement valid and legal. This applies only to operations or certificate issuances that are subject to the laws of that jurisdiction. The parties involved SHALL notify the CA/Browser Forum of the facts, circumstances, and law(s) involved, so that the CA/Browser Forum may revise these Guidelines accordingly. +### 9.16.4 Enforcement (attorneys' fees and waiver of rights) +### 9.16.5 Force Majeure +## 9.17 Other provisions + +# Appendix A - User Agent Verification (Normative) The CA MUST host test Web pages that allow Application Software Suppliers to test their software with EV Certificates that chain up to each EV Root Certificate. At a minimum, the CA MUST host separate Web pages using certificates that are: i. valid; @@ -1697,12 +1925,55 @@ The following Registration Schemes are currently recognized as valid under these * **NTR**: - The information carried in this field shall be the same as held in Subject Registration Number Field as specified in [Section 9.2.5](#925-subject-registration-number-field) and the country code used in the Registration Scheme identifier shall match that of the subject’s jurisdiction as specified in [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field). Where the Subject Jurisdiction of Incorporation or Registration Field in 9.2.4 includes more than the country code, the additional locality information shall be included as specified in [Section 9.2.8](#928-subject-organization-identifier-field) and/or [Section 9.8.2](#982-cabrowser-forum-organization-identifier-extension). + The information carried in this field shall be the same as held in + Subject Registration Number Field as specified in + [Section 7.1.4.2.5](#71425-subject-registration-number-field) and the country code + used in the Registration Scheme identifier shall match that of the + subject’s jurisdiction as specified in + [Section 7.1.4.2.4](#71424-subject-jurisdiction-of-incorporation-or-registration-field). + + Where the Subject Jurisdiction of Incorporation or Registration Field in 9.2.4 + includes more than the country code, the additional locality information shall + be included as specified in [Section 7.1.4.2.8](#71428-subject-organization-identifier-field) + and/or [Section 7.1.2.2](#7122-cabrowser-forum-organization-identifier-extension). * **VAT**: - Reference allocated by the national tax authorities to a Legal Entity. This information shall be validated using information provided by the national tax authority against the organization as identified by the Subject Organization Name Field (see [Section 9.2.1](#921-subject-organization-name-field)) and Subject Registration Number Field (see [Section 9.2.5](#925-subject-registration-number-field)) within the context of the subject’s jurisdiction as specified in [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field). For the purpose of identifying tax authorities, the country prefix described in article 215 of EU Council Directive 2006/112/EC, as amended, MAY be used instead of the ISO 3166 2-letter country codes. + Reference allocated by the national tax authorities to a Legal Entity. This + information shall be validated using information provided by the national tax + authority against the organization as identified by the Subject Organization + Name Field (see [Section 7.1.4.2.1](#71421-subject-organization-name-field)) and + Subject Registration Number Field (see + Section 7.1.4.2.5](#71425-subject-registration-number-field)) within the context of + the subject’s jurisdiction as specified in + [Section 7.1.4.2.4](#71424-subject-jurisdiction-of-incorporation-or-registration-field). + For the purpose of identifying tax authorities, the country prefix described in article 215 of + EU Council Directive 2006/112/EC, as amended, MAY be used instead of the ISO 3166 2-letter country codes. + + * **PSD**: + + Authorization number as specified in ETSI TS 119 495 clause 4.4 + allocated to a payment service provider and containing the information as + specified in ETSI TS 119 495 clause 5.2.1. This information SHALL be + obtained directly from the national competent authority register for + payment services or from an information source approved by a government + agency, regulatory body, or legislation for this purpose. This information + SHALL be validated by being matched directly or indirectly (for example, by + matching a globally unique registration number) against the organization as + identified by the Subject Organization Name Field (see + [Section 7.1.4.2.1](#71421-subject-organization-name-field)) and + Subject Registration Number Field (see + [Section 7.1.4.2.5](#71425-subject-registration-number-field)) within the context of + the subject’s jurisdiction as specified in + [Section 7.1.4.2.4](#71424-subject-jurisdiction-of-incorporation-or-registration-field). + The stated address of the organization combined with the organization name + SHALL NOT be the only information used to disambiguate the organization. + + + + + + + -* **PSD**: - Authorization number as specified in ETSI TS 119 495 clause 4.4 allocated to a payment service provider and containing the information as specified in ETSI TS 119 495 clause 5.2.1. This information SHALL be obtained directly from the national competent authority register for payment services or from an information source approved by a government agency, regulatory body, or legislation for this purpose. This information SHALL be validated by being matched directly or indirectly (for example, by matching a globally unique registration number) against the organization as identified by the Subject Organization Name Field (see [Section 9.2.1](#921-subject-organization-name-field)) and Subject Registration Number Field (see [Section 9.2.5](#925-subject-registration-number-field)) within the context of the subject’s jurisdiction as specified in [Section 9.2.4](#924-subject-jurisdiction-of-incorporation-or-registration-field). The stated address of the organization combined with the organization name SHALL NOT be the only information used to disambiguate the organization. diff --git a/docs/RFC3647_Template.md b/docs/RFC3647_Template.md new file mode 100644 index 000000000..d995ea84f --- /dev/null +++ b/docs/RFC3647_Template.md @@ -0,0 +1,270 @@ +# 1. INTRODUCTION +## 1.1 Overview +## 1.2 Document name and identification +## 1.3 PKI participants +### 1.3.1 Certification authorities +### 1.3.2 Registration authorities +### 1.3.3 Subscribers +### 1.3.4 Relying parties +### 1.3.5 Other participants +## 1.4 Certificate usage +### 1.4.1 Appropriate certificate uses +### 1.4.2 Prohibited certificate uses +## 1.5 Policy administration +### 1.5.1 Organization administering the document +### 1.5.2 Contact person +### 1.5.3 Person determining CPS suitability for the policy +### 1.5.4 CPS approval procedures +## 1.6 Definitions and acronyms +# 2. PUBLICATION AND REPOSITORY RESPONSIBILITIES +## 2.1 Repositories +## 2.2 Publication of certification information +## 2.3 Time or frequency of publication +## 2.4 Access controls on repositories +# 3. IDENTIFICATION AND AUTHENTICATION (11) +## 3.1 Naming +### 3.1.1 Types of names +### 3.1.2 Need for names to be meaningful +### 3.1.3 Anonymity or pseudonymity of subscribers +### 3.1.4 Rules for interpreting various name forms +### 3.1.5 Uniqueness of names +### 3.1.6 Recognition, authentication, and role of trademarks +## 3.2 Initial identity validation +### 3.2.1 Method to prove possession of private key +### 3.2.2 Authentication of organization identity +### 3.2.3 Authentication of individual identity +### 3.2.4 Non-verified subscriber information +### 3.2.5 Validation of authority +### 3.2.6 Criteria for interoperation +## 3.3 Identification and authentication for re-key requests +### 3.3.1 Identification and authentication for routine re-key +### 3.3.2 Identification and authentication for re-key after revocation +## 3.4 Identification and authentication for revocation request +# 4. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS +## 4.1 Certificate Application +### 4.1.1 Who can submit a certificate application +### 4.1.2 Enrollment process and responsibilities +## 4.2 Certificate application processing +### 4.2.1 Performing identification and authentication functions +### 4.2.2 Approval or rejection of certificate applications +### 4.2.3 Time to process certificate applications +## 4.3 Certificate issuance +### 4.3.1 CA actions during certificate issuance +### 4.3.2 Notification to subscriber by the CA of issuance of certificate +## 4.4 Certificate acceptance +### 4.4.1 Conduct constituting certificate acceptance +### 4.4.2 Publication of the certificate by the CA +### 4.4.3 Notification of certificate issuance by the CA to other entities +## 4.5 Key pair and certificate usage +### 4.5.1 Subscriber private key and certificate usage +### 4.5.2 Relying party public key and certificate usage +## 4.6 Certificate renewal +### 4.6.1 Circumstance for certificate renewal +### 4.6.2 Who may request renewal +### 4.6.3 Processing certificate renewal requests +### 4.6.4 Notification of new certificate issuance to subscriber +### 4.6.5 Conduct constituting acceptance of a renewal certificate +### 4.6.6 Publication of the renewal certificate by the CA +### 4.6.7 Notification of certificate issuance by the CA to other entities +## 4.7 Certificate re-key +### 4.7.1 Circumstance for certificate re-key +### 4.7.2 Who may request certification of a new public key +### 4.7.3 Processing certificate re-keying requests +### 4.7.4 Notification of new certificate issuance to subscriber +### 4.7.5 Conduct constituting acceptance of a re-keyed certificate +### 4.7.6 Publication of the re-keyed certificate by the CA +### 4.7.7 Notification of certificate issuance by the CA to other entities +## 4.8 Certificate modification +### 4.8.1 Circumstance for certificate modification +### 4.8.2 Who may request certificate modification +### 4.8.3 Processing certificate modification requests +### 4.8.4 Notification of new certificate issuance to subscriber +### 4.8.5 Conduct constituting acceptance of modified certificate +### 4.8.6 Publication of the modified certificate by the CA +### 4.8.7 Notification of certificate issuance by the CA to other entities +## 4.9 Certificate revocation and suspension +### 4.9.1 Circumstances for revocation +### 4.9.2 Who can request revocation +### 4.9.3 Procedure for revocation request +### 4.9.4 Revocation request grace period +### 4.9.5 Time within which CA must process the revocation request +### 4.9.6 Revocation checking requirement for relying parties +### 4.9.7 CRL issuance frequency (if applicable) +### 4.9.8 Maximum latency for CRLs (if applicable) +### 4.9.9 On-line revocation/status checking availability +### 4.9.10 On-line revocation checking requirements +### 4.9.11 Other forms of revocation advertisements available +### 4.9.12 Special requirements re key compromise +### 4.9.13 Circumstances for suspension +### 4.9.14 Who can request suspension +### 4.9.15 Procedure for suspension request +### 4.9.16 Limits on suspension period +## 4.10 Certificate status services +### 4.10.1 Operational characteristics +### 4.10.2 Service availability +### 4.10.3 Optional features +## 4.11 End of subscription +## 4.12 Key escrow and recovery +### 4.12.1 Key escrow and recovery policy and practices +### 4.12.2 Session key encapsulation and recovery policy and practices +# 5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS (11) +## 5.1 Physical controls +### 5.1.1 Site location and construction +### 5.1.2 Physical access +### 5.1.3 Power and air conditioning +### 5.1.4 Water exposures +### 5.1.5 Fire prevention and protection +### 5.1.6 Media storage +### 5.1.7 Waste disposal +### 5.1.8 Off-site backup +## 5.2 Procedural controls +### 5.2.1 Trusted roles +### 5.2.2 Number of persons required per task +### 5.2.3 Identification and authentication for each role +### 5.2.4 Roles requiring separation of duties +## 5.3 Personnel controls +### 5.3.1 Qualifications, experience, and clearance requirements +### 5.3.2 Background check procedures +### 5.3.3 Training requirements +### 5.3.4 Retraining frequency and requirements +### 5.3.5 Job rotation frequency and sequence +### 5.3.6 Sanctions for unauthorized actions +### 5.3.7 Independent contractor requirements +### 5.3.8 Documentation supplied to personnel +## 5.4 Audit logging procedures +### 5.4.1 Types of events recorded +### 5.4.2 Frequency of processing log +### 5.4.3 Retention period for audit log +### 5.4.4 Protection of audit log +### 5.4.5 Audit log backup procedures +### 5.4.6 Audit collection system (internal vs. external) +### 5.4.7 Notification to event-causing subject +### 5.4.8 Vulnerability assessments +## 5.5 Records archival +### 5.5.1 Types of records archived +### 5.5.2 Retention period for archive +### 5.5.3 Protection of archive +### 5.5.4 Archive backup procedures +### 5.5.5 Requirements for time-stamping of records +### 5.5.6 Archive collection system (internal or external) +### 5.5.7 Procedures to obtain and verify archive information +## 5.6 Key changeover +## 5.7 Compromise and disaster recovery +### 5.7.1 Incident and compromise handling procedures +### 5.7.2 Computing resources, software, and/or data are corrupted +### 5.7.3 Entity private key compromise procedures +### 5.7.4 Business continuity capabilities after a disaster +## 5.8 CA or RA termination +# 6. TECHNICAL SECURITY CONTROLS (11) +## 6.1 Key pair generation and installation +### 6.1.1 Key pair generation +### 6.1.2 Private key delivery to subscriber +### 6.1.3 Public key delivery to certificate issuer +### 6.1.4 CA public key delivery to relying parties +### 6.1.5 Key sizes +### 6.1.6 Public key parameters generation and quality checking +### 6.1.7 Key usage purposes (as per X.509 v3 key usage field) +## 6.2 Private Key Protection and Cryptographic Module Engineering Controls +### 6.2.1 Cryptographic module standards and controls +### 6.2.2 Private key (n out of m) multi-person control +### 6.2.3 Private key escrow +### 6.2.4 Private key backup +### 6.2.5 Private key archival +### 6.2.6 Private key transfer into or from a cryptographic module +### 6.2.7 Private key storage on cryptographic module +### 6.2.8 Method of activating private key +### 6.2.9 Method of deactivating private key +### 6.2.10 Method of destroying private key +### 6.2.11 Cryptographic Module Rating +## 6.3 Other aspects of key pair management +### 6.3.1 Public key archival +### 6.3.2 Certificate operational periods and key pair usage periods +## 6.4 Activation data +### 6.4.1 Activation data generation and installation +### 6.4.2 Activation data protection +### 6.4.3 Other aspects of activation data +## 6.5 Computer security controls +### 6.5.1 Specific computer security technical requirements +### 6.5.2 Computer security rating +## 6.6 Life cycle technical controls +### 6.6.1 System development controls +### 6.6.2 Security management controls +### 6.6.3 Life cycle security controls +## 6.7 Network security controls +## 6.8 Time-stamping +# 7. CERTIFICATE, CRL, AND OCSP PROFILES +## 7.1 Certificate profile +### 7.1.1 Version number(s) +### 7.1.2 Certificate extensions +### 7.1.3 Algorithm object identifiers +### 7.1.4 Name forms +### 7.1.5 Name constraints +### 7.1.6 Certificate policy object identifier +### 7.1.7 Usage of Policy Constraints extension +### 7.1.8 Policy qualifiers syntax and semantics +### 7.1.9 Processing semantics for the critical Certificate Policies extension +## 7.2 CRL profile +### 7.2.1 Version number(s) +### 7.2.2 CRL and CRL entry extensions +## 7.3 OCSP profile +### 7.3.1 Version number(s) +### 7.3.2 OCSP extensions +# 8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS +## 8.1 Frequency or circumstances of assessment +## 8.2 Identity/qualifications of assessor +## 8.3 Assessor's relationship to assessed entity +## 8.4 Topics covered by assessment +## 8.5 Actions taken as a result of deficiency +## 8.6 Communication of results +# 9. OTHER BUSINESS AND LEGAL MATTERS +## 9.1 Fees +### 9.1.1 Certificate issuance or renewal fees +### 9.1.2 Certificate access fees +### 9.1.3 Revocation or status information access fees +### 9.1.4 Fees for other services +### 9.1.5 Refund policy +## 9.2 Financial responsibility +### 9.2.1 Insurance coverage +### 9.2.2 Other assets +### 9.2.3 Insurance or warranty coverage for end-entities +## 9.3 Confidentiality of business information +### 9.3.1 Scope of confidential information +### 9.3.2 Information not within the scope of confidential information +### 9.3.3 Responsibility to protect confidential information +## 9.4 Privacy of personal information +### 9.4.1 Privacy plan +### 9.4.2 Information treated as private +### 9.4.3 Information not deemed private +### 9.4.4 Responsibility to protect private information +### 9.4.5 Notice and consent to use private information +### 9.4.6 Disclosure pursuant to judicial or administrative process +### 9.4.7 Other information disclosure circumstances +## 9.5 Intellectual property rights +## 9.6 Representations and warranties +### 9.6.1 CA representations and warranties +### 9.6.2 RA representations and warranties +### 9.6.3 Subscriber representations and warranties +### 9.6.4 Relying party representations and warranties +### 9.6.5 Representations and warranties of other participants +## 9.7 Disclaimers of warranties +## 9.8 Limitations of liability +## 9.9 Indemnities +## 9.10 Term and termination +### 9.10.1 Term +### 9.10.2 Termination +### 9.10.3 Effect of termination and survival +## 9.11 Individual notices and communications with participants +## 9.12 Amendments +### 9.12.1 Procedure for amendment +### 9.12.2 Notification mechanism and period +### 9.12.3 Circumstances under which OID must be changed +## 9.13 Dispute resolution provisions +## 9.14 Governing law +## 9.15 Compliance with applicable law +## 9.16 Miscellaneous provisions +### 9.16.1 Entire agreement +### 9.16.2 Assignment +### 9.16.3 Severability +### 9.16.4 Enforcement (attorneys' fees and waiver of rights) +### 9.16.5 Force Majeure +## 9.17 Other provisions From 049237e096650fe01f67780b7c24bd5211ee3038 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Mon, 6 May 2024 12:41:46 +0200 Subject: [PATCH 04/16] Update EVG.md (#511) Update EVGs as per SC72 over the new 2.0.0 version --- docs/EVG.md | 28 +++++----------------------- 1 file changed, 5 insertions(+), 23 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index 340dc917f..c76e1e697 100644 --- a/docs/EVG.md +++ b/docs/EVG.md @@ -1,10 +1,10 @@ --- title: Guidelines for the Issuance and Management of Extended Validation Certificates -subtitle: Version 2.0.0 +subtitle: Version 2.0.1 author: - CA/Browser Forum -date: 17 April, 2024 +date: 6 May, 2024 copyright: | Copyright 2024 CA/Browser Forum @@ -80,6 +80,7 @@ These Guidelines do not address the verification of information, or the issuance | 1.8.0 | SC56 | 2022 Cleanup | 25-Oct-2022 | 30-Nov-2022 | | 1.8.1 | SC68 | Allow VATEL and VATXI for organizationIdentifier | 1-Feb-2024 | 4-Mar-2024 | | 2.0.0 | SC65 | Convert EVGs into RFC 3647 format | 15-March-2024 | 15-May-2024 | +| 2.0.1 | SC72 | Delete except to policyQualifiers in EVGs; align with BRs by making them NOT RECOMMENDED | 3-April-2024 | 6-May-2024 | \* Effective Date and Additionally Relevant Compliance Date(s) @@ -1437,32 +1438,13 @@ All provisions of the Baseline Requirements concerning Minimum Cryptographic Alg Otherwise, it MAY contain the anyPolicy identifier. -2. The following fields MUST be present if the Subordinate CA is not controlled by the entity that controls the Root CA. - - * `certificatePolicies:policyQualifiers:policyQualifierId` - - `id-qt 1` [RFC 5280] - - * `certificatePolicies:policyQualifiers:qualifier:cPSuri` - - HTTP URL for the Root CA's Certification Practice Statement - -3. The `certificatePolicies` extension in EV Certificates issued to Subscribers MUST include the following: +2. The `certificatePolicies` extension in EV Certificates issued to Subscribers MUST include the following: * `certificatePolicies:policyIdentifier` (Required) The Issuer's EV policy identifier - * `certificatePolicies:policyQualifiers:policyQualifierId` (Required) - - `id-qt 1` [RFC 5280] - - * `certificatePolicies:policyQualifiers:qualifier:cPSuri` (Required) - - HTTP URL for the Subordinate CA's Certification Practice Statement - -4. The `cRLDistributionPoints` extension MUST be present in Subscriber Certificates if the certificate does not specify OCSP responder locations in an `authorityInformationAccess` extension. - +3. The `cRLDistributionPoints` extension MUST be present in Subscriber Certificates if the certificate does not specify OCSP responder locations in an `authorityInformationAccess` extension. ### 7.1.5 Name constraints From 20af1b271f2b689344ae353d3e78dc6b772199db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Fri, 7 Jun 2024 19:05:30 +0200 Subject: [PATCH 05/16] Ballot SC-073: Compromised and Weak Keys (#500) (#509) * Ballot SC-073: Compromised and Weak Keys (#500) * Draft SC-073 language * Fix link * Update BR.md Updated version, date and revisions --------- Co-authored-by: Wayne Thayer --- docs/BR.md | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/docs/BR.md b/docs/BR.md index e4dcc98e1..388634956 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -1,10 +1,10 @@ --- title: Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates -subtitle: Version 2.0.4 +subtitle: Version 2.0.5 author: - CA/Browser Forum -date: 17-April-2024 +date: 7-June-2024 @@ -139,6 +139,7 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 2.0.2 | SC66 | 2023 Cleanup | 23-Nov-2023 | 8-Jan-2024 | | 2.0.3 | SC69 | Clarify router and firewall logging requirements | 13-March-2024 | 15-April-2024 | | 2.0.4 | SC65 | Convert EVGs into RFC 3647 format | 15-March-2024 | 15-May-2024 | +| 2.0.5 | SC73 | Compromised and weak keys | 3-May-2024 | 1-July-2024 | \* Effective Date and Additionally Relevant Compliance Date(s) @@ -1232,7 +1233,7 @@ With the exception of Short-lived Subscriber Certificates, the CA SHALL revoke a 1. The Subscriber requests in writing, without specifying a CRLreason, that the CA revoke the Certificate (CRLReason "unspecified (0)" which results in no reasonCode extension being provided in the CRL); 2. The Subscriber notifies the CA that the original certificate request was not authorized and does not retroactively grant authorization (CRLReason #9, privilegeWithdrawn); 3. The CA obtains evidence that the Subscriber's Private Key corresponding to the Public Key in the Certificate suffered a Key Compromise (CRLReason #1, keyCompromise); -4. The CA is made aware of a demonstrated or proven method that can easily compute the Subscriber's Private Key based on the Public Key in the Certificate (such as a Debian weak key, see ) (CRLReason #1, keyCompromise); +4. The CA is made aware of a demonstrated or proven method that can easily compute the Subscriber's Private Key based on the Public Key in the Certificate, including but not limited to those identified in [Section 6.1.1.3(5)](#6113-subscriber-key-pair-generation) (CRLReason #1, keyCompromise); 5. The CA obtains evidence that the validation of domain authorization or control for any Fully-Qualified Domain Name or IP address in the Certificate should not be relied upon (CRLReason #4, superseded). With the exception of Short-lived Subscriber Certificates, the CA SHOULD revoke a certificate within 24 hours and MUST revoke a Certificate within 5 days and use the corresponding CRLReason (see Section 7.2.2) if one or more of the following occurs: @@ -1702,8 +1703,13 @@ The CA SHALL reject a certificate request if one or more of the following condit 1. The Key Pair does not meet the requirements set forth in [Section 6.1.5](#615-key-sizes) and/or [Section 6.1.6](#616-public-key-parameters-generation-and-quality-checking); 2. There is clear evidence that the specific method used to generate the Private Key was flawed; 3. The CA is aware of a demonstrated or proven method that exposes the Applicant's Private Key to compromise; -4. The CA has previously been made aware that the Applicant's Private Key has suffered a Key Compromise, such as through the provisions of [Section 4.9.1.1](#4911-reasons-for-revoking-a-subscriber-certificate); -5. The CA is aware of a demonstrated or proven method to easily compute the Applicant's Private Key based on the Public Key (such as a Debian weak key, see ). +4. The CA has previously been notified that the Applicant's Private Key has suffered a Key Compromise using the CA's procedure for revocation request as described in [Section 4.9.3](#493-procedure-for-revocation-request) and [Section 4.9.12](#4912-special-requirements-re-key-compromise); +5. The Public Key corresponds to an industry-demonstrated weak Private Key. For requests submitted on or after November 15, 2024, at least the following precautions SHALL be implemented: + 1. In the case of Debian weak keys vulnerability (https://wiki.debian.org/SSLkeys), the CA SHALL reject all keys found at https://github.com/cabforum/Debian-weak-keys/ for each key type (e.g. RSA, ECDSA) and size listed in the repository. For all other keys meeting the requirements of [Section 6.1.5](#615-key-sizes), with the exception of RSA key sizes greater than 8192 bits, the CA SHALL reject Debian weak keys. + 2. In the case of ROCA vulnerability, the CA SHALL reject keys identified by the tools available at https://github.com/crocs-muni/roca or equivalent. + 3. In the case of Close Primes vulnerability (https://fermatattack.secvuln.info/), the CA SHALL reject weak keys which can be factored within 100 rounds using Fermat’s factorization method. + + Suggested tools for checking for weak keys can be found here: https://cabforum.org/resources/tools/ If the Subscriber Certificate will contain an `extKeyUsage` extension containing either the values `id-kp-serverAuth` [RFC5280] or `anyExtendedKeyUsage` [RFC5280], the CA SHALL NOT generate a Key Pair on behalf of a Subscriber, and SHALL NOT accept a certificate request using a Key Pair previously generated by the CA. From 7be6839f23725d3dcd14a5ce1491e423e32512ed Mon Sep 17 00:00:00 2001 From: Martijn Katerbarg Date: Sat, 8 Jun 2024 11:21:18 +0200 Subject: [PATCH 06/16] Auto-comment on new issues stating which TLS BR and EVG versions were active at the time (#521) --- .../tag-version-at-issue-creation.yml | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 .github/workflows/tag-version-at-issue-creation.yml diff --git a/.github/workflows/tag-version-at-issue-creation.yml b/.github/workflows/tag-version-at-issue-creation.yml new file mode 100644 index 000000000..89cc74126 --- /dev/null +++ b/.github/workflows/tag-version-at-issue-creation.yml @@ -0,0 +1,36 @@ +name: Reference TLS BR and EVG version upon issue creation +on: + issues: + types: [opened] + +jobs: + tls-evg-version: + name: Reference TLS BR and EVG version upon issue creation + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Read version from TLS BR + id: read_tlsbr_version + run: | + subtitle=$(grep -Po '(?<=subtitle:\s).*$' docs/BR.md | tr -d '\r') + echo "tlsbr_version=$subtitle" >> $GITHUB_OUTPUT + + - name: Read version from EVG + id: read_evg_version + run: | + subtitle=$(grep -Po '(?<=subtitle:\s).*$' docs/EVG.md | tr -d '\r') + echo "evg_version=$subtitle" >> $GITHUB_OUTPUT + + - name: Add comment to issue + uses: peter-evans/create-or-update-comment@v4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + issue-number: ${{ github.event.issue.number }} + body: | + This issue was created based on: + - TLS BR ${{ steps.read_tlsbr_version.outputs.tlsbr_version }} + - EVG ${{ steps.read_evg_version.outputs.evg_version }} + From 929d9b4a1ed1f13f92f6af672ad6f6a2153b8230 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Mon, 5 Aug 2024 13:46:34 +0200 Subject: [PATCH 07/16] Ballot SC-75 - Pre-sign linting (#527) * Ballot SC-75 - Pre-sign linting (#518) * Define "Linting" and relevant language in 4.3.1.2. * Addresses https://github.com/cabforum/servercert/pull/518#discussion_r1611584438 * Addressing comments of the email thread https://lists.cabforum.org/pipermail/servercert-wg/2024-May/004603.html up to 2024-06-05. * Delete duplicate text * Update to-be-issued with to-be-signed for consistency * Fix based on https://github.com/cabforum/servercert/commit/ff98db748736ed19c0c4fc41e59ced4d1ff97b3e#r142754475 * Second fix based on https://github.com/cabforum/servercert/commit/ff98db748736ed19c0c4fc41e59ced4d1ff97b3e#r142754475 * Language improvements * Language improvements * Fix capital first letter Co-authored-by: Corey Bonnell * Fix capital first letter Co-authored-by: Corey Bonnell * fix capitalization Co-authored-by: Corey Bonnell * Moving to a more appropriate section based on https://github.com/cabforum/servercert/pull/518#discussion_r1629665087 * Moving to a more appropriate section based on https://github.com/cabforum/servercert/pull/518#discussion_r1629666352 * Adding suggestion for CAs to report inaccurate linting results in open-source linting projects. * Language improvements * Improved language for the need of Linting Co-authored-by: Rob Stradling * Remove double space * Improve language * Clarify language for linting during self-audits Co-authored-by: Martijn Katerbarg * Fix typo * Small language improvement * Fix table formatting * Fix table formatting --------- Co-authored-by: Corey Bonnell Co-authored-by: Rob Stradling Co-authored-by: Martijn Katerbarg * Update BR.md changed version and dates as per SC75 --------- Co-authored-by: Dimitris Zacharopoulos Co-authored-by: Corey Bonnell Co-authored-by: Rob Stradling Co-authored-by: Martijn Katerbarg --- docs/BR.md | 139 ++++++++++++++++++++++++++++++++++------------------- 1 file changed, 90 insertions(+), 49 deletions(-) diff --git a/docs/BR.md b/docs/BR.md index 388634956..795ae352c 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -1,10 +1,10 @@ --- title: Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates -subtitle: Version 2.0.5 +subtitle: Version 2.0.6 author: - CA/Browser Forum -date: 7-June-2024 +date: 5-August-2024 @@ -140,57 +140,61 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 2.0.3 | SC69 | Clarify router and firewall logging requirements | 13-March-2024 | 15-April-2024 | | 2.0.4 | SC65 | Convert EVGs into RFC 3647 format | 15-March-2024 | 15-May-2024 | | 2.0.5 | SC73 | Compromised and weak keys | 3-May-2024 | 1-July-2024 | +| 2.0.6 | SC75 | Pre-sign linting | 28-June-2024 | 6-August-2024 | \* Effective Date and Additionally Relevant Compliance Date(s) ### 1.2.2 Relevant Dates -| **Compliance** | **Section(s)** | **Summary Description (See Full Text for Details)** | -|--|--|----------| -| 2013-01-01 | 6.1.6 | For RSA public keys, CAs SHALL confirm that the value of the public exponent is an odd number equal to 3 or more. | -| 2013-01-01 | 4.9.10 | CAs SHALL support an OCSP capability using the GET method. | -| 2013-01-01 | 5 | CAs SHALL comply with the Network and Certificate System Security Requirements. | -| 2013-08-01 | 4.9.10 | OCSP Responders SHALL NOT respond "Good" for Unissued Certificates. | -| 2013-09-01 | 3.2.2.6 | CAs SHALL revoke any certificate where wildcard character occurs in the first label position immediately to the left of a "registry-controlled" label or "public suffix". | -| 2013-12-31 | 6.1.5 | CAs SHALL confirm that the RSA Public Key is at least 2048 bits or that one of the following ECC curves is used: P-256, P-384, or P-521. A Root CA Certificate issued prior to 31 Dec. 2010 with an RSA key size less than 2048 bits MAY still serve as a trust anchor. | -| 2015-01-16 | 7.1.3 | CAs SHOULD NOT issue Subscriber Certificates utilizing the SHA-1 algorithm with an Expiry Date greater than 1 January 2017. | -| 2015-04-01 | 6.3.2 | CAs SHALL NOT issue certificates with validity periods longer than 39 months, except under certain circumstances. | -| 2015-04-15 | 2.2 | A CA's CPS must state whether it reviews CAA Records, and if so, its policy or practice on processing CAA records for Fully-Qualified Domain Names. | -| 2015-11-01 | 7.1.4.2.1 | Issuance of Certificates with Reserved IP Address or Internal Name prohibited. | -| 2016-01-01 | 7.1.3 | CAs MUST NOT issue any new Subscriber certificates or Subordinate CA certificates using the SHA-1 hash algorithm. | -| 2016-06-30 | 6.1.7 | CAs MUST NOT issue Subscriber Certificates directly from Root CAs. | -| 2016-06-30 | 6.3.2 | CAs MUST NOT issue Subscriber Certificates with validity periods longer than 39 months, regardless of circumstance. | -| 2016‐09‐30 | 7.1 | CAs SHALL generate Certificate serial numbers greater than zero (0) containing at least 64 bits of output from a CSPRNG | -| 2016-10-01 | 7.1.4.2.1 | All Certificates with Reserved IP Address or Internal Name must be revoked. | -| 2016-12-03 | 1 and 2 | Ballot 156 amendments to sections 1.5.2, 2.3, and 2.4 are applicable | -| 2017-01-01 | 7.1.3 | CAs MUST NOT issue OCSP responder certificates using SHA-1 (inferred). | -| 2017-03-01 | 3.2.2.4 | CAs MUST follow revised validation requirements in Section 3.2.2.4. | -| 2017-09-08 | 3.2.2.8 | CAs MUST check and process CAA records | -| 2018-03-01 | 4.2.1 and 6.3.2 | Certificates issued MUST have a Validity Period no greater than 825 days and re-use of validation information limited to 825 days | -| 2018-05-31 | 2.2 | CP and CPS must follow RFC 3647 format | -| 2018-08-01 | 3.2.2.4.1 and .5 | CAs must stop using domain validation methods BR 3.2.2.4.1 and 3.2.2.4.5, stop reusing validation data from those methods | -| 2019-01-15 | 7.1.4.2.1 | All certificates containing an underscore character in any dNSName entry and having a validity period of more than 30 days MUST be revoked prior to January 15, 2019 | -| 2019-05-01 | 7.1.4.2.1 | underscore characters (“_”) MUST NOT be present in dNSName entries | -| 2019-06-01 | 3.2.2.4.3 | CAs SHALL NOT perform validations using this method after May 31, 2019. Completed validations using this method SHALL continue to be valid for subsequent issuance per the applicable certificate data reuse periods. -| 2019-08-01 | 3.2.2.5 | CAs SHALL maintain a record of which IP validation method, including the relevant BR version number, was used to validate every IP Address | -| 2019-08-01 | 3.2.2.5.4 | CAs SHALL NOT perform validations using this method after July 31, 2019. Completed validations using this method SHALL NOT be re-used for certificate issuance after July 31, 2019. Any certificate issued prior to August 1, 2019 containing an IP Address that was validated using any method that was permitted under the prior version of this Section 3.2.2.5 MAY continue to be used without revalidation until such certificate naturally expires | -| 2020-06-03 | 3.2.2.4.6 | CAs MUST NOT perform validation using this method after 3 months from the IPR review date of Ballot SC25 | -| 2020-08-01 | 8.6 | Audit Reports for periods on-or-after 2020-08-01 MUST be structured as defined. | -| 2020-09-01 | 6.3.2 | Certificates issued SHOULD NOT have a Validity Period greater than 397 days and MUST NOT have a Validity Period greater than 398 days. | -| 2020-09-30 | 4.9.10 | OCSP responses MUST conform to the validity period requirements specified. | -| 2020-09-30 | 7.1.4.1 | Subject and Issuer Names for all possible certification paths MUST be byte-for-byte identical. | -| 2020-09-30 | 7.1.6.4 | Subscriber Certificates MUST include a CA/Browser Forum Reserved Policy Identifier in the Certificate Policies extension. | -| 2020-09-30 | 7.2 and 7.3 | All OCSP and CRL responses for Subordinate CA Certificates MUST include a meaningful reason code. | -| 2021-07-01 | 3.2.2.8 | CAA checking is no longer optional if the CA is the DNS Operator or an Affiliate. | -| 2021-07-01 | 3.2.2.4.18 and 3.2.2.4.19 | Redirects MUST be the result of one of the HTTP status code responses defined. | -| 2021-10-01 | 7.1.4.2.1 | Fully-Qualified Domain Names MUST consist solely of P-Labels and Non-Reserved LDH Labels. | -| 2021-12-01 | 3.2.2.4 | CAs MUST NOT use methods 3.2.2.4.6, 3.2.2.4.18, or 3.2.2.4.19 to issue wildcard certificates or with Authorization Domain Names other than the FQDN. | -| 2022-06-01 | 7.1.3.2.1 | CAs MUST NOT sign OCSP responses using the SHA-1 hash algorithm. | -| 2022-09-01 | 7.1.4.2.2 | CAs MUST NOT include the organizationalUnitName field in the Subject | -| 2023-01-15 | 7.2.2 | Sharded or partitioned CRLs MUST have a distributionPoint | -| 2023-07-15 | 4.9.1.1 and 7.2.2 | New CRL entries MUST have a revocation reason code | -| 2023-09-15 | Section 7 (and others) | CAs MUST use the updated Certificate Profiles passed in Version 2.0.0 | -| 2024-03-15 | 4.9.7 | CAs MUST generate and publish CRLs. | +| **Compliance** | **Section(s)** | **Summary Description (See Full Text for Details)** | +|----------------|---------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 2013-01-01 | 6.1.6 | For RSA public keys, CAs SHALL confirm that the value of the public exponent is an odd number equal to 3 or more. | +| 2013-01-01 | 4.9.10 | CAs SHALL support an OCSP capability using the GET method. | +| 2013-01-01 | 5 | CAs SHALL comply with the Network and Certificate System Security Requirements. | +| 2013-08-01 | 4.9.10 | OCSP Responders SHALL NOT respond "Good" for Unissued Certificates. | +| 2013-09-01 | 3.2.2.6 | CAs SHALL revoke any certificate where wildcard character occurs in the first label position immediately to the left of a "registry-controlled" label or "public suffix". | +| 2013-12-31 | 6.1.5 | CAs SHALL confirm that the RSA Public Key is at least 2048 bits or that one of the following ECC curves is used: P-256, P-384, or P-521. A Root CA Certificate issued prior to 31 Dec. 2010 with an RSA key size less than 2048 bits MAY still serve as a trust anchor. | +| 2015-01-16 | 7.1.3 | CAs SHOULD NOT issue Subscriber Certificates utilizing the SHA-1 algorithm with an Expiry Date greater than 1 January 2017. | +| 2015-04-01 | 6.3.2 | CAs SHALL NOT issue certificates with validity periods longer than 39 months, except under certain circumstances. | +| 2015-04-15 | 2.2 | A CA's CPS must state whether it reviews CAA Records, and if so, its policy or practice on processing CAA records for Fully-Qualified Domain Names. | +| 2015-11-01 | 7.1.4.2.1 | Issuance of Certificates with Reserved IP Address or Internal Name prohibited. | +| 2016-01-01 | 7.1.3 | CAs MUST NOT issue any new Subscriber certificates or Subordinate CA certificates using the SHA-1 hash algorithm. | +| 2016-06-30 | 6.1.7 | CAs MUST NOT issue Subscriber Certificates directly from Root CAs. | +| 2016-06-30 | 6.3.2 | CAs MUST NOT issue Subscriber Certificates with validity periods longer than 39 months, regardless of circumstance. | +| 2016‐09‐30 | 7.1 | CAs SHALL generate Certificate serial numbers greater than zero (0) containing at least 64 bits of output from a CSPRNG | +| 2016-10-01 | 7.1.4.2.1 | All Certificates with Reserved IP Address or Internal Name must be revoked. | +| 2016-12-03 | 1 and 2 | Ballot 156 amendments to sections 1.5.2, 2.3, and 2.4 are applicable | +| 2017-01-01 | 7.1.3 | CAs MUST NOT issue OCSP responder certificates using SHA-1 (inferred). | +| 2017-03-01 | 3.2.2.4 | CAs MUST follow revised validation requirements in Section 3.2.2.4. | +| 2017-09-08 | 3.2.2.8 | CAs MUST check and process CAA records | +| 2018-03-01 | 4.2.1 and 6.3.2 | Certificates issued MUST have a Validity Period no greater than 825 days and re-use of validation information limited to 825 days | +| 2018-05-31 | 2.2 | CP and CPS must follow RFC 3647 format | +| 2018-08-01 | 3.2.2.4.1 and .5 | CAs must stop using domain validation methods BR 3.2.2.4.1 and 3.2.2.4.5, stop reusing validation data from those methods | +| 2019-01-15 | 7.1.4.2.1 | All certificates containing an underscore character in any dNSName entry and having a validity period of more than 30 days MUST be revoked prior to January 15, 2019 | +| 2019-05-01 | 7.1.4.2.1 | underscore characters (“_”) MUST NOT be present in dNSName entries | +| 2019-06-01 | 3.2.2.4.3 | CAs SHALL NOT perform validations using this method after May 31, 2019. Completed validations using this method SHALL continue to be valid for subsequent issuance per the applicable certificate data reuse periods. | +| 2019-08-01 | 3.2.2.5 | CAs SHALL maintain a record of which IP validation method, including the relevant BR version number, was used to validate every IP Address | +| 2019-08-01 | 3.2.2.5.4 | CAs SHALL NOT perform validations using this method after July 31, 2019. Completed validations using this method SHALL NOT be re-used for certificate issuance after July 31, 2019. Any certificate issued prior to August 1, 2019 containing an IP Address that was validated using any method that was permitted under the prior version of this Section 3.2.2.5 MAY continue to be used without revalidation until such certificate naturally expires | +| 2020-06-03 | 3.2.2.4.6 | CAs MUST NOT perform validation using this method after 3 months from the IPR review date of Ballot SC25 | +| 2020-08-01 | 8.6 | Audit Reports for periods on-or-after 2020-08-01 MUST be structured as defined. | +| 2020-09-01 | 6.3.2 | Certificates issued SHOULD NOT have a Validity Period greater than 397 days and MUST NOT have a Validity Period greater than 398 days. | +| 2020-09-30 | 4.9.10 | OCSP responses MUST conform to the validity period requirements specified. | +| 2020-09-30 | 7.1.4.1 | Subject and Issuer Names for all possible certification paths MUST be byte-for-byte identical. | +| 2020-09-30 | 7.1.6.4 | Subscriber Certificates MUST include a CA/Browser Forum Reserved Policy Identifier in the Certificate Policies extension. | +| 2020-09-30 | 7.2 and 7.3 | All OCSP and CRL responses for Subordinate CA Certificates MUST include a meaningful reason code. | +| 2021-07-01 | 3.2.2.8 | CAA checking is no longer optional if the CA is the DNS Operator or an Affiliate. | +| 2021-07-01 | 3.2.2.4.18 and 3.2.2.4.19 | Redirects MUST be the result of one of the HTTP status code responses defined. | +| 2021-10-01 | 7.1.4.2.1 | Fully-Qualified Domain Names MUST consist solely of P-Labels and Non-Reserved LDH Labels. | +| 2021-12-01 | 3.2.2.4 | CAs MUST NOT use methods 3.2.2.4.6, 3.2.2.4.18, or 3.2.2.4.19 to issue wildcard certificates or with Authorization Domain Names other than the FQDN. | +| 2022-06-01 | 7.1.3.2.1 | CAs MUST NOT sign OCSP responses using the SHA-1 hash algorithm. | +| 2022-09-01 | 7.1.4.2.2 | CAs MUST NOT include the organizationalUnitName field in the Subject | +| 2023-01-15 | 7.2.2 | Sharded or partitioned CRLs MUST have a distributionPoint | +| 2023-07-15 | 4.9.1.1 and 7.2.2 | New CRL entries MUST have a revocation reason code | +| 2023-09-15 | Section 7 (and others) | CAs MUST use the updated Certificate Profiles passed in Version 2.0.0 | +| 2024-03-15 | 4.9.7 | CAs MUST generate and publish CRLs. | +| 2024-09-15 | 4.3.1.2 | The CA SHOULD implement a Linting process to test the technical conformity of the to-be-issued Certificate with these Requirements. | +| 2025-03-15 | 4.3.1.2 | The CA SHALL implement a Linting process to test the technical conformity of the to-be-issued Certificate with these Requirements. | +| 2025-03-15 | 8.7 | The CA SHOULD use a Linting process to test the technical accuracy of already issued Certificates against the sample set chosen for Self-Audits. | ## 1.3 PKI Participants @@ -383,6 +387,8 @@ The Definitions found in the CA/Browser Forum's Network and Certificate System S **Legal Entity**: An association, corporation, partnership, proprietorship, trust, government entity or other entity with legal standing in a country's legal system. +**Linting**: A process in which the content of digitally signed data such as a Precertificate [RFC 6962], Certificate, Certificate Revocation List, or OCSP response, or data-to-be-signed object such as a `tbsCertificate` (as described in [RFC 5280, Section 4.1.1.1](https://tools.ietf.org/doc/html/rfc5280##section-4.1.1.1)) is checked for conformance with the profiles and requirements defined in these Requirements. + **Non-Reserved LDH Label**: From RFC 5890 (): "The set of valid LDH labels that do not have '`--`' in the third and fourth positions." **Object Identifier**: A unique alphanumeric or numeric identifier registered under the International Organization for Standardization's applicable standard for a specific object or object class. @@ -1100,8 +1106,35 @@ No stipulation. ### 4.3.1 CA actions during certificate issuance +#### 4.3.1.1 Manual authorization of certificate issuance for Root CAs + Certificate issuance by the Root CA SHALL require an individual authorized by the CA (i.e. the CA system operator, system officer, or PKI administrator) to deliberately issue a direct command in order for the Root CA to perform a certificate signing operation. +#### 4.3.1.2 Linting of to-be-signed Certificate content + +Due to the complexity involved in implementing Certificate Profiles that conform to these Requirements, it is considered best practice for the CA to implement a Linting process to test the technical conformity of each to-be-signed artifact prior to signing it. When a Precertificate has undergone Linting, it is not necessary for the corresponding to-be-signed Certificate to also undergo Linting, provided that the CA has a technical control to verify that the to-be-signed Certificate corresponds to the to-be-signed Precertificate in the manner described by RFC 6962, Section 3.2. +Effective 2024-09-15, the CA SHOULD implement such a Linting process. +Effective 2025-03-15, the CA SHALL implement such a Linting process. + +Methods used to produce a certificate containing the to-be-signed Certificate content include, but are not limited to: + +1. Sign the `tbsCertificate` with a "dummy" Private Key whose Public Key component is not certified by a Certificate that chains to a publicly-trusted CA Certificate; or +2. Specify a static value for the `signature` field of the Certificate ASN.1 SEQUENCE. + +CAs MAY implement their own certificate Linting tools, but CAs SHOULD use the Linting tools that have been widely adopted by the industry (see https://cabforum.org/resources/tools/). + +CAs are encouraged to contribute to open-source Linting projects, such as by: + +- creating new or improving existing lints, +- reporting potentially inaccurate linting results as bugs, +- notifying maintainers of Linting software of checks that are not covered by existing lints, +- updating documentation of existing lints, and +- generating test certificates for positive/negative tests of specific lints. + +#### 4.3.1.3 Linting of issued Certificates + +CAs MAY use a Linting process to test each issued Certificate. + ### 4.3.2 Notification to subscriber by the CA of issuance of certificate No stipulation. @@ -1815,6 +1848,10 @@ The CA SHALL enforce multi-factor authentication for all accounts capable of dir ### 6.6.1 System development controls +If a CA uses Linting software developed by third parties, it SHOULD monitor for updated versions of that software and plan for updates no later than three (3) months from the release of the update. + +The CA MAY perform Linting on the corpus of its unexpired, un-revoked Subscriber Certificates whenever it updates the Linting software. + ### 6.6.2 Security management controls ### 6.6.3 Life cycle security controls @@ -3393,7 +3430,11 @@ The Audit Report MUST be available as a PDF, and SHALL be text searchable for al ## 8.7 Self-Audits -During the period in which the CA issues Certificates, the CA SHALL monitor adherence to its Certificate Policy, Certification Practice Statement and these Requirements and strictly control its service quality by performing self audits on at least a quarterly basis against a randomly selected sample of the greater of one certificate or at least three percent of the Certificates issued by it during the period commencing immediately after the previous self-audit sample was taken. Except for Delegated Third Parties that undergo an annual audit that meets the criteria specified in [Section 8.4](#84-topics-covered-by-assessment), the CA SHALL strictly control the service quality of Certificates issued or containing information verified by a Delegated Third Party by having a Validation Specialist employed by the CA perform ongoing quarterly audits against a randomly selected sample of at least the greater of one certificate or three percent of the Certificates verified by the Delegated Third Party in the period beginning immediately after the last sample was taken. The CA SHALL review each Delegated Third Party's practices and procedures to ensure that the Delegated Third Party is in compliance with these Requirements and the relevant Certificate Policy and/or Certification Practice Statement. +During the period in which the CA issues Certificates, the CA SHALL monitor adherence to its Certificate Policy, Certification Practice Statement and these Requirements and strictly control its service quality by performing self audits on at least a quarterly basis against a randomly selected sample of the greater of one certificate or at least three percent of the Certificates issued by it during the period commencing immediately after the previous self-audit sample was taken. + +Effective 2025-03-15, the CA SHOULD use a Linting process to verify the technical accuracy of Certificates within the selected sample set independently of previous linting performed on the same Certificates. + +Except for Delegated Third Parties that undergo an annual audit that meets the criteria specified in [Section 8.4](#84-topics-covered-by-assessment), the CA SHALL strictly control the service quality of Certificates issued or containing information verified by a Delegated Third Party by having a Validation Specialist employed by the CA perform ongoing quarterly audits against a randomly selected sample of at least the greater of one certificate or three percent of the Certificates verified by the Delegated Third Party in the period beginning immediately after the last sample was taken. The CA SHALL review each Delegated Third Party's practices and procedures to ensure that the Delegated Third Party is in compliance with these Requirements and the relevant Certificate Policy and/or Certification Practice Statement. The CA SHALL internally audit each Delegated Third Party's compliance with these Requirements on an annual basis. From ba28d04894d69c8fac62850b9d0de5061658c7c5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Fri, 6 Sep 2024 13:26:44 +0200 Subject: [PATCH 08/16] Update BR.md (#517) (#537) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Update BR.md (#517) Co-authored-by: Iñigo Barreira <92998585+barrini@users.noreply.github.com> * Update BR as per SC67.md Changed version number and add date --------- Co-authored-by: Chris Clements <24415256+ChristopherRC@users.noreply.github.com> --- docs/BR.md | 142 ++++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 125 insertions(+), 17 deletions(-) diff --git a/docs/BR.md b/docs/BR.md index 795ae352c..d9b61fc57 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -1,10 +1,12 @@ --- title: Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates -subtitle: Version 2.0.6 + +subtitle: Version 2.0.7 author: - CA/Browser Forum -date: 5-August-2024 +date: 6-September-2024 + @@ -88,7 +90,7 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 1.4.4 | 193 | 825-day Certificate Lifetimes | 17-Mar-2017 | 1-Mar-2018 | | 1.4.5 | 189 | Amend Section 6.1.7 of Baseline Requirements | 14-Apr-2017 | 14-May-2017 | | 1.4.6 | 195 | CAA Fixup | 17-Apr-2017 | 18-May-2017 | -| 1.4.7 | 196 | Define “Audit Period” | 17-Apr-2017 | 18-May-2017 | +| 1.4.7 | 196 | Define "Audit Period" | 17-Apr-2017 | 18-May-2017 | | 1.4.8 | 199 | Require commonName in Root and Intermediate Certificates | 9-May-2017 | 8-June-2017 | | 1.4.9 | 204 | Forbid DTPs from doing Domain/IP Ownership | 11-July-2017 | 11-Aug-2017 | | 1.5.0 | 212 | Canonicalise formal name of the Baseline Requirements | 1-Sept-2017 | 1-Oct-2017 | @@ -141,11 +143,13 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 2.0.4 | SC65 | Convert EVGs into RFC 3647 format | 15-March-2024 | 15-May-2024 | | 2.0.5 | SC73 | Compromised and weak keys | 3-May-2024 | 1-July-2024 | | 2.0.6 | SC75 | Pre-sign linting | 28-June-2024 | 6-August-2024 | +| 2.0.7 | SC67 | Require Multi-Perspective Issuance Corroboration | 2-August-2024 | 6-September-2024 | \* Effective Date and Additionally Relevant Compliance Date(s) ### 1.2.2 Relevant Dates + | **Compliance** | **Section(s)** | **Summary Description (See Full Text for Details)** | |----------------|---------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 2013-01-01 | 6.1.6 | For RSA public keys, CAs SHALL confirm that the value of the public exponent is an odd number equal to 3 or more. | @@ -195,6 +199,8 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 2024-09-15 | 4.3.1.2 | The CA SHOULD implement a Linting process to test the technical conformity of the to-be-issued Certificate with these Requirements. | | 2025-03-15 | 4.3.1.2 | The CA SHALL implement a Linting process to test the technical conformity of the to-be-issued Certificate with these Requirements. | | 2025-03-15 | 8.7 | The CA SHOULD use a Linting process to test the technical accuracy of already issued Certificates against the sample set chosen for Self-Audits. | +| 2025-03-15 | 3.2.2.9 | CAs MUST corroborate the results of domain validation and CAA checks from multiple Network Perspectives where specified. | + ## 1.3 PKI Participants @@ -389,6 +395,10 @@ The Definitions found in the CA/Browser Forum's Network and Certificate System S **Linting**: A process in which the content of digitally signed data such as a Precertificate [RFC 6962], Certificate, Certificate Revocation List, or OCSP response, or data-to-be-signed object such as a `tbsCertificate` (as described in [RFC 5280, Section 4.1.1.1](https://tools.ietf.org/doc/html/rfc5280##section-4.1.1.1)) is checked for conformance with the profiles and requirements defined in these Requirements. +**Multi-Perspective Issuance Corroboration**: A process by which the determinations made during domain validation and CAA checking by the Primary Network Perspective are corroborated by other Network Perspectives before Certificate issuance. + +**Network Perspective**: Related to Multi-Perspective Issuance Corroboration. A system (e.g., a cloud-hosted server instance) or collection of network components (e.g., a VPN and corresponding infrastructure) for sending outbound Internet traffic associated with a domain control validation method and/or CAA check. The location of a Network Perspective is determined by the point where unencapsulated outbound Internet traffic is typically first handed off to the network infrastructure providing Internet connectivity to that perspective. + **Non-Reserved LDH Label**: From RFC 5890 (): "The set of valid LDH labels that do not have '`--`' in the third and fourth positions." **Object Identifier**: A unique alphanumeric or numeric identifier registered under the International Organization for Standardization's applicable standard for a specific object or object class. @@ -403,6 +413,8 @@ The Definitions found in the CA/Browser Forum's Network and Certificate System S **Pending Prohibition​​**: The use of a behavior described with this label is highly discouraged, as it is planned to be deprecated and will likely be designated as MUST NOT in the future. +**Primary Network Perspective**: The Network Perspective used by the CA to make the determination of 1) the CA's authority to issue a Certificate for the requested domain(s) or IP address(es) and 2) the Applicant's authority and/or domain authorization or control of the requested domain(s) or IP address(es). + **Private Key**: The key of a Key Pair that is kept secret by the holder of the Key Pair, and that is used to create Digital Signatures and/or to decrypt electronic records or files that were encrypted with the corresponding Public Key. **Public Key**: The key of a Key Pair that may be publicly disclosed by the holder of the corresponding Private Key and that is used by a Relying Party to verify Digital Signatures created with the holder's corresponding Private Key and/or to encrypt messages so that they can be decrypted only with the holder's corresponding Private Key. @@ -624,8 +636,6 @@ The CA SHALL publicly disclose its Certificate Policy and/or Certification Pract The Certificate Policy and/or Certification Practice Statement MUST be structured in accordance with RFC 3647 and MUST include all material required by RFC 3647. -Section 4.2 of a CA's Certificate Policy and/or Certification Practice Statement SHALL state the CA's policy or practice on processing CAA Records for Fully-Qualified Domain Names; that policy shall be consistent with these Requirements. It shall clearly specify the set of Issuer Domain Names that the CA recognizes in CAA "issue" or "issuewild" records as permitting it to issue. The CA SHALL log all actions taken, if any, consistent with its processing practice. - The CA SHALL publicly give effect to these Requirements and represent that it will adhere to the latest published version. The CA MAY fulfill this requirement by incorporating these Requirements directly into its Certificate Policy and/or Certification Practice Statements or by incorporating them by reference using a clause such as the following (which MUST include a link to the official version of these Requirements): > [Name of CA] conforms to the current version of the Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates published at . In the event of any inconsistency between this document and those Requirements, those Requirements take precedence over this document. @@ -778,12 +788,16 @@ If a Random Value is used, the CA SHALL provide a Random Value unique to the Cer i. 30 days or ii. if the Applicant submitted the Certificate request, the time frame permitted for reuse of validated information relevant to the Certificate (such as in [Section 4.2.1](#421-performing-identification-and-authentication-functions) of these Guidelines or Section 3.2.2.14.3 of the EV Guidelines). +CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same challenge information (i.e. Random Value or Request Token) as the Primary Network Perspective. + **Note**: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the Domain Labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names. ##### 3.2.2.4.8 IP Address Confirming the Applicant's control over the FQDN by confirming that the Applicant controls an IP address returned from a DNS lookup for A or AAAA records for the FQDN in accordance with [Section 3.2.2.5](#3225-authentication-for-an-ip-address). +CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same IP address as the Primary Network Perspective. + **Note**: Once the FQDN has been validated using this method, the CA MUST NOT issue Certificates for other FQDNs that end with all the labels of the validated FQDN unless the CA performs a separate validation for that FQDN using an authorized method. This method is NOT suitable for validating Wildcard Domain Names. ##### 3.2.2.4.9 Test Certificate @@ -812,6 +826,8 @@ Each email MAY confirm control of multiple FQDNs, provided that each email addre The Random Value SHALL be unique in each email. The email MAY be re-sent in its entirety, including the re-use of the Random Value, provided that its entire contents and recipient(s) SHALL remain unchanged. The Random Value SHALL remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values. +CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the selected contact address used for domain validation observed by the Primary Network Perspective. + **Note**: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the Domain Labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names. ##### 3.2.2.4.14 Email to DNS TXT Contact @@ -822,6 +838,8 @@ Each email MAY confirm control of multiple FQDNs, provided that each email addre The Random Value SHALL be unique in each email. The email MAY be re-sent in its entirety, including the re-use of the Random Value, provided that its entire contents and recipient(s) SHALL remain unchanged. The Random Value SHALL remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values. +CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the selected contact address used for domain validation observed by the Primary Network Perspective. + **Note**: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the Domain Labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names. ##### 3.2.2.4.15 Phone Contact with Domain Contact @@ -846,6 +864,8 @@ In the event of reaching voicemail, the CA may leave the Random Value and the AD The Random Value SHALL remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values. +CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the selected contact address used for domain validation observed by the Primary Network Perspective. + **Note**: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the Domain Labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names. ##### 3.2.2.4.17 Phone Contact with DNS CAA Phone Contact @@ -858,6 +878,8 @@ In the event of reaching voicemail, the CA may leave the Random Value and the AD The Random Value SHALL remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values. +CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the selected contact address used for domain validation observed by the Primary Network Perspective. + **Note**: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the Domain Labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names. ##### 3.2.2.4.18 Agreed-Upon Change to Website v2 @@ -887,6 +909,8 @@ If a Random Value is used, then: 1. The CA MUST provide a Random Value unique to the certificate request. 2. The Random Value MUST remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values, in which case the CA MUST follow its CPS. +Except for Onion Domain Names, CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same challenge information (i.e. Random Value or Request Token) as the Primary Network Perspective. + **Note**: * The CA MUST NOT issue Certificates for other FQDNs that end with all the labels of the validated FQDN unless the CA performs a separate validation for that FQDN using an authorized method. This method is NOT suitable for validating Wildcard Domain Names. @@ -906,6 +930,8 @@ If the CA follows redirects, the following apply: 2. Redirects MUST be to resource URLs with either the "http" or "https" scheme. 3. Redirects MUST be to resource URLs accessed via Authorized Ports. +Except for Onion Domain Names, CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same challenge information (i.e. Random Value or Request Token) as the Primary Network Perspective. + **Note**: * The CA MUST NOT issue Certificates for other FQDNs that end with all the labels of the validated FQDN unless the CA performs a separate validation for that FQDN using an authorized method. This method is NOT suitable for validating Wildcard Domain Names. @@ -915,6 +941,8 @@ Confirming the Applicant's control over a FQDN by validating domain control of t The token (as defined in RFC 8737, Section 3) MUST NOT be used for more than 30 days from its creation. The CPS MAY specify a shorter validity period for the token, in which case the CA MUST follow its CPS. +Except for Onion Domain Names, CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same token as the Primary Network Perspective. + **Note**: Once the FQDN has been validated using this method, the CA MUST NOT issue Certificates for other FQDNs that end with all the labels of the validated FQDN unless the CA performs a separate validation for that FQDN using an authorized method. This method is NOT suitable for validating Wildcard Domain Names. #### 3.2.2.5 Authentication for an IP Address @@ -936,6 +964,8 @@ If a Random Value is used, the CA SHALL provide a Random Value unique to the cer i. 30 days or ii. if the Applicant submitted the certificate request, the time frame permitted for reuse of validated information relevant to the certificate (such as in [Section 4.2.1](#421-performing-identification-and-authentication-functions) of this document). +CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same challenge information (i.e. Random Value or Request Token) as the Primary Network Perspective. + ##### 3.2.2.5.2 Email, Fax, SMS, or Postal Mail to IP Address Contact Confirming the Applicant's control over the IP Address by sending a Random Value via email, fax, SMS, or postal mail and then receiving a confirming response utilizing the Random Value. The Random Value MUST be sent to an email address, fax/SMS number, or postal mail address identified as an IP Address Contact. @@ -954,6 +984,8 @@ The Random Value SHALL remain valid for use in a confirming response for no more Confirming the Applicant’s control over the IP Address by obtaining a Domain Name associated with the IP Address through a reverse-IP lookup on the IP Address and then verifying control over the FQDN using a method permitted under [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control). +CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same FQDN as the Primary Network Perspective. + ##### 3.2.2.5.4 Any Other Method Using any other method of confirmation, including variations of the methods defined in [Section 3.2.2.5](#3225-authentication-for-an-ip-address), provided that the CA maintains documented evidence that the method of confirmation establishes that the Applicant has control over the IP Address to at least the same level of assurance as the methods previously described in version 1.6.2 of these Requirements. @@ -970,18 +1002,22 @@ In the event of reaching voicemail, the CA may leave the Random Value and the IP The Random Value SHALL remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values. -##### 3.2.2.5.6 ACME “http-01” method for IP Addresses +##### 3.2.2.5.6 ACME "http-01" method for IP Addresses + +Confirming the Applicant's control over the IP Address by performing the procedure documented for an "http-01" challenge in RFC 8738. + +CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same token as the Primary Network Perspective. -Confirming the Applicant's control over the IP Address by performing the procedure documented for an “http-01” challenge in RFC 8738. +##### 3.2.2.5.7 ACME "tls-alpn-01" method for IP Addresses -##### 3.2.2.5.7 ACME “tls-alpn-01” method for IP Addresses +Confirming the Applicant's control over the IP Address by performing the procedure documented for a "tls-alpn-01" challenge in RFC 8738. -Confirming the Applicant's control over the IP Address by performing the procedure documented for a “tls-alpn-01” challenge in RFC 8738. +CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same token as the Primary Network Perspective. #### 3.2.2.6 Wildcard Domain Validation Before issuing a Wildcard Certificate, the CA MUST establish and follow a documented procedure that determines if the FQDN portion of any -Wildcard Domain Name in the Certificate is “registry-controlled” or is a “public suffix” (e.g. “\*.com”, “\*.co.uk”, see RFC 6454 Section 8.2 for further explanation). +Wildcard Domain Name in the Certificate is "registry-controlled" or is a "public suffix" (e.g. "\*.com", "\*.co.uk", see RFC 6454 Section 8.2 for further explanation). If the FQDN portion of any Wildcard Domain Name is "registry-controlled" or is a "public suffix", CAs MUST refuse issuance unless the Applicant proves its rightful control of the entire Domain Namespace. (e.g. CAs MUST NOT issue "\*.co.uk" or "\*.local", but MAY issue "\*.example.com" to Example Co.). @@ -1003,17 +1039,20 @@ Databases maintained by the CA, its owner, or its affiliated companies do not qu #### 3.2.2.8 CAA Records -As part of the Certificate issuance process, the CA MUST retrieve and process CAA records in accordance with RFC 8659 for each `dNSName` in the `subjectAltName` extension that does not contain an Onion Domain Name. If the CA issues, they MUST do so within the TTL of the CAA record, or 8 hours, whichever is greater. +As part of the Certificate issuance process, the CA MUST retrieve and process CAA records in accordance with RFC 8659 for each `dNSName` in the `subjectAltName` extension that does not contain an Onion Domain Name. These practices MUST be described in Section 4.2 of the CA's Certificate Policy and/or Certification Practice Statement, including specifying the set of Issuer Domain Names that the CA recognizes in CAA "issue" or "issuewild" records as permitting it to issue. -This stipulation does not prevent the CA from checking CAA records at any other time. +Some methods relied upon for validating the Applicant's ownership or control of the subject domain(s) (see [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control)) or IP address(es) (see [Section 3.2.2.5](#3225-authentication-for-an-ip-address)) to be listed in a certificate require CAA records to be retrieved and processed from additional remote Network Perspectives before Certificate issuance (see [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration)). To corroborate the Primary Network Perspective, a remote Network Perspective's CAA check response MUST be interpreted as permission to issue, regardless of whether the responses from both Perspectives are byte-for-byte identical. Additionally, a CA MAY consider the response from a remote Network Perspective as corroborating if one or both of the Perspectives experience an acceptable CAA record lookup failure, as defined in this section. + +CAs MAY check CAA records at any other time. When processing CAA records, CAs MUST process the issue, issuewild, and iodef property tags as specified in RFC 8659, although they are not required to act on the contents of the iodef property tag. Additional property tags MAY be supported, but MUST NOT conflict with or supersede the mandatory property tags set out in this document. CAs MUST respect the critical flag and not issue a certificate if they encounter an unrecognized property tag with this flag set. +If the CA issues a certificate after processing a CAA record, it MUST do so within the TTL of the CAA record, or 8 hours, whichever is greater. + RFC 8659 requires that CAs "MUST NOT issue a certificate unless the CA determines that either (1) the certificate request is consistent with the applicable CAA RRset or (2) an exception specified in the relevant CP or CPS applies." For issuances conforming to these Baseline Requirements, CAs MUST NOT rely on any exceptions specified in their CP or CPS unless they are one of the following: * CAA checking is optional for certificates for which a Certificate Transparency Precertificate (see [Section 7.1.2.9](#7129-precertificate-profile)) was created and logged in at least two public logs, and for which CAA was checked at time of Precertificate issuance. * CAA checking is optional for certificates issued by a Technically Constrained Subordinate CA Certificate as set out in [Section 7.1.2.3](#7123-technically-constrained-non-tls-subordinate-ca-certificate-profile) or [Section 7.1.2.5](#7125-technically-constrained-tls-subordinate-ca-certificate-profile), where the lack of CAA checking is an explicit contractual provision in the contract with the Applicant. -* For certificates issued prior to July 1, 2021, CAA checking is optional if the CA or an Affiliate of the CA is the DNS Operator (as defined in RFC 7719) of the domain's DNS. CAs are permitted to treat a record lookup failure as permission to issue if: @@ -1021,7 +1060,71 @@ CAs are permitted to treat a record lookup failure as permission to issue if: * the lookup has been retried at least once; and * the domain's zone does not have a DNSSEC validation chain to the ICANN root. -CAs MUST document potential issuances that were prevented by a CAA record in sufficient detail to provide feedback to the CAB Forum on the circumstances, and SHOULD dispatch reports of such issuance requests to the contact(s) stipulated in the CAA iodef record(s), if present. CAs are not expected to support URL schemes in the iodef record other than mailto: or https:. +CAs MUST document potential issuances that were prevented by a CAA record in sufficient detail to provide feedback to the CA/Browser Forum on the circumstances, and SHOULD dispatch reports of such issuance requests to the contact(s) stipulated in the CAA iodef record(s), if present. CAs are not expected to support URL schemes in the iodef record other than mailto: or https:. + +#### 3.2.2.9 Multi-Perspective Issuance Corroboration + +Multi-Perspective Issuance Corroboration attempts to corroborate the determinations (i.e., domain validation pass/fail, CAA permission/prohibition) made by the Primary Network Perspective from multiple remote Network Perspectives before Certificate issuance. This process can improve protection against equally-specific prefix Border Gateway Protocol (BGP) attacks or hijacks. + +The CA MAY use either the same set, or different sets of Network Perspectives when performing Multi-Perspective Issuance Corroboration for the required 1) Domain Authorization or Control and 2) CAA Record checks. + +The set of responses from the relied upon Network Perspectives MUST provide the CA with the necessary information to allow it to affirmatively assess: +- a. the presence of the expected 1) Random Value, 2) Request Token, 3) IP Address, or 4) Contact Address, as required by the relied upon validation method specified in Sections 3.2.2.4 and 3.2.2.5; and +- b. the CA's authority to issue to the requested domain(s), as specified in Section 3.2.2.8. + +[Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control) and [Section 3.2.2.5](#3225-authentication-for-an-ip-address) describe the validation methods that require the use of Multi-Perspective Issuance Corroboration and how a Network Perspective can corroborate the outcomes determined by the Primary Network Perspective. + +Results or information obtained from one Network Perspective MUST NOT be reused or cached when performing validation through subsequent Network Perspectives (e.g., different Network Perspectives cannot rely on a shared DNS cache to prevent an adversary with control of traffic from one Network Perspective from poisoning the DNS cache used by other Network Perspectives). The network infrastructure providing Internet connectivity to a Network Perspective MAY be administered by the same organization providing the computational services required to operate the Network Perspective. All communications between a remote Network Perspective and the CA MUST take place over an authenticated and encrypted channel relying on modern protocols (e.g., over HTTPS). + +A Network Perspective MAY use a recursive DNS resolver that is NOT co-located with the Network Perspective. However, the DNS resolver used by the Network Perspective MUST fall within the same Regional Internet Registry service region as the Network Perspective relying upon it. Furthermore, for any pair of DNS resolvers used on a Multi-Perspective Issuance Corroboration attempt, the straight-line distance between the two States, Provinces, or Countries the DNS resolvers reside in MUST be at least 500 km. The location of a DNS resolver is determined by the point where unencapsulated outbound DNS queries are typically first handed off to the network infrastructure providing Internet connectivity to that DNS resolver. + +CAs MAY immediately retry Multi-Perspective Issuance Corroboration using the same validation method or an alternative method (e.g., a CA can immediately retry validation using "Email to DNS TXT Contact" if "Agreed-Upon Change to Website - ACME" does not corroborate the outcome of Multi-Perspective Issuance Corroboration). When retrying Multi-Perspective Issuance Corroboration, CAs MUST NOT rely on corroborations from previous attempts. There is no stipulation regarding the maximum number of validation attempts that may be performed in any period of time. + +The "Quorum Requirements" Table describes quorum requirements related to Multi-Perspective Issuance Corroboration. If the CA does NOT rely on the same set of Network Perspectives for both Domain Authorization or Control and CAA Record checks, the quorum requirements MUST be met for both sets of Network Perspectives (i.e.,the Domain Authorization or Control set and the CAA record check set). Network Perspectives are considered distinct when the straight-line distance between the two States, Provinces, or Countries they reside in is at least 500 km. Network Perspectives are considered "remote" when they are distinct from the Primary Network Perspective and the other Network Perspectives represented in a quorum. + +A CA MAY reuse corroborating evidence for CAA record quorum compliance for a maximum of 398 days. After issuing a Certificate to a domain, remote Network Perspectives MAY omit retrieving and processing CAA records for the same domain or its subdomains in subsequent Certificate requests from the same Applicant for up to a maximum of 398 days. + +Table: Quorum Requirements + +| # of Distinct Remote Network Perspectives Used | # of Allowed non-Corroborations | +| --- | --- | +| 2-5 | 1 | +| 6+ | 2 | + +Remote Network Perspectives performing Multi-Perspective Issuance Corroboration: + +MUST: +- Network Hardening + - Rely upon networks (e.g., Internet Service Providers or Cloud Provider Networks) implementing measures to mitigate BGP routing incidents in the global Internet routing system for providing internet connectivity to the Network Perspective. + +SHOULD: +- Facility & Service Provider Requirements + - Be hosted from an ISO/IEC 27001 certified facility or equivalent security framework independently audited and certified or reported. + - Rely on services covered in one of the following reports: System and Organization Controls 2 (SOC 2), IASE 3000, ENISA 715, FedRAMP Moderate, C5:2020, CSA STAR CCM, or equivalent services framework independently audited and certified or reported. +- Vulnerability Detection and Patch Management + - Implement intrusion detection and prevention controls to protect against common network and system threats. + - Document and follow a vulnerability correction process that addresses the identification, review, response, and remediation of vulnerabilities. + - Undergo or perform a Vulnerability Scan at least every three (3) months. + - Undergo a Penetration Test on at least an annual basis. + - Apply recommended security patches within six (6) months of the security patch's availability, unless the CA documents that the security patch would introduce additional vulnerabilities or instabilities that outweigh the benefits of applying the security patch. +- System Hardening + - Disable all accounts, applications, services, protocols, and ports that are not used. + - Implement multi-factor authentication for all user accounts. +- Network Hardening + - Configure each network boundary control (firewall, switch, router, gateway, or other network control device or system) with rules that support only the services, protocols, ports, and communications identified as necessary to its operations. + - Rely upon networks (e.g., Internet Service Providers) that: 1) use mechanisms based on Secure Inter-Domain Routing (RFC 6480), for example, BGP Prefix Origin Validation (RFC 6811), 2) make use of other non-RPKI route-leak prevention mechanisms (such as RFC 9234), and 3) apply current best practices described in BCP 194. While It is RECOMMENDED that under normal operating conditions Network Perspectives performing Multi-Perspective Issuance Corroboration forward all Internet traffic via a network or set of networks that filter RPKI-invalid BGP routes as defined by RFC 6811, it is NOT REQUIRED. + +Beyond the above considerations, computing systems performing Multi-Perspective Issuance Corroboration are considered outside of the audit scope described in Section 8 of these Requirements. + +If any of the above considerations are performed by a Delegated Third Party, the CA MAY obtain reasonable evidence from the Delegated Third Party to ascertain assurance that one or more of the above considerations are followed. As an exception to Section 1.3.2, Delegated Third Parties are not required to be within the audit scope described in Section 8 of these Requirements to satisfy the above considerations. + +Phased Implementation Timeline: +- *Effective September 15, 2024*, the CA SHOULD implement Multi-Perspective Issuance Corroboration using at least two (2) remote Network Perspectives. +- *Effective March 15, 2025*, the CA MUST implement Multi-Perspective Issuance Corroboration using at least two (2) remote Network Perspectives. The CA MAY proceed with certificate issuance if the number of remote Network Perspectives that do not corroborate the determinations made by the Primary Network Perspective ("non-corroborations") is greater than allowed in the Quorum Requirements table. +- *Effective September 15, 2025*, the CA MUST implement Multi-Perspective Issuance Corroboration using at least two (2) remote Network Perspectives. The CA MUST NOT proceed with certificate issuance if the number of non-corroborations is greater than allowed in the Quorum Requirements table. +- *Effective March 15, 2026*, the CA MUST implement Multi-Perspective Issuance Corroboration using at least three (3) remote Network Perspectives. The CA MUST NOT proceed with certificate issuance if the number of non-corroborations is greater than allowed in the Quorum Requirements table and if the remote Network Perspectives that do corroborate the determinations made by the Primary Network Perspective do not fall within the service regions of at least two (2) distinct Regional Internet Registries. +- *Effective June 15, 2026*, the CA MUST implement Multi-Perspective Issuance Corroboration using at least four (4) remote Network Perspectives. The CA MUST NOT proceed with certificate issuance if the number of non-corroborations is greater than allowed in the Quorum Requirements table and if the remote Network Perspectives that do corroborate the determinations made by the Primary Network Perspective do not fall within the service regions of at least two (2) distinct Regional Internet Registries. +- *Effective December 15, 2026*, the CA MUST implement Multi-Perspective Issuance Corroboration using at least five (5) remote Network Perspectives. The CA MUST NOT proceed with certificate issuance if the number of non-corroborations is greater than allowed in the Quorum Requirements table and if the remote Network Perspectives that do corroborate the determinations made by the Primary Network Perspective do not fall within the service regions of at least two (2) distinct Regional Internet Registries. ### 3.2.3 Authentication of individual identity @@ -1338,7 +1441,7 @@ Within twenty-four (24) hours of issuing its first Certificate, the CA MUST gene CAs issuing Subscriber Certificates: 1. MUST update and publish a new CRL at least every: - - seven (7) days if all Certificates include an Authority Information Access extension with an id-ad-ocsp accessMethod (“AIA OCSP pointer”); or + - seven (7) days if all Certificates include an Authority Information Access extension with an id-ad-ocsp accessMethod ("AIA OCSP pointer"); or - four (4) days in all other cases; 2. MUST update and publish a new CRL within twenty-four (24) hours after recording a Certificate as revoked. @@ -1572,6 +1675,11 @@ The CA SHALL record at least the following events: 4. Issuance of Certificates; 5. Generation of Certificate Revocation Lists; and 6. Signing of OCSP Responses (as described in [Section 4.9](#49-certificate-revocation-and-suspension) and [Section 4.10](#410-certificate-status-services)). + 7. Multi-Perspective Issuance Corroboration attempts from each Network Perspective, minimally recording the following information: + - a. an identifier that uniquely identifies the Network Perspective used; + - b. the attempted domain name and/or IP address; and + - c. the result of the attempt (e.g., "domain validation pass/fail", "CAA permission/prohibition"). + 8. Multi-Perspective Issuance Corroboration quorum results for each attempted domain name or IP address represented in a Certificate request (i.e., "3/4" which should be interpreted as "Three (3) out of four (4) attempted Network Perspectives corroborated the determinations made by the Primary Network Perspective). 3. Security events, including: 1. Successful and unsuccessful PKI system access attempts; @@ -3314,7 +3422,7 @@ Table: CRLReasons | certificateHold | 6 | MUST NOT be included if the CRL entry is for 1) a Certificate subject to these Requirements, or 2) a Certificate not subject to these Requirements and was either A) issued on-or-after 2020-09-30 or B) has a `notBefore` on-or-after 2020-09-30. | privilegeWithdrawn | 9 | Indicates that there has been a subscriber-side infraction that has not resulted in keyCompromise, such as the Certificate Subscriber provided misleading information in their Certificate Request or has not upheld their material obligations under the Subscriber Agreement or Terms of Use. | -The Subscriber Agreement, or an online resource referenced therein, MUST inform Subscribers about the revocation reason options listed above and provide explanation about when to choose each option. Tools that the CA provides to the Subscriber MUST allow for these options to be easily specified when the Subscriber requests revocation of their Certificate, with the default value being that no revocation reason is provided (i.e. the default corresponds to the CRLReason “unspecified (0)” which results in no reasonCode extension being provided in the CRL). +The Subscriber Agreement, or an online resource referenced therein, MUST inform Subscribers about the revocation reason options listed above and provide explanation about when to choose each option. Tools that the CA provides to the Subscriber MUST allow for these options to be easily specified when the Subscriber requests revocation of their Certificate, with the default value being that no revocation reason is provided (i.e. the default corresponds to the CRLReason "unspecified (0)" which results in no reasonCode extension being provided in the CRL). The privilegeWithdrawn reasonCode SHOULD NOT be made available to the Subscriber as a revocation reason option, because the use of this reasonCode is determined by the CA and not the Subscriber. @@ -3388,7 +3496,7 @@ The CA's audit SHALL be performed by a Qualified Auditor. A Qualified Auditor me The CA SHALL undergo an audit in accordance with one of the following schemes: -1. “WebTrust for CAs v2.1 or newer” AND “WebTrust for CAs SSL Baseline with Network Security v2.3 or newer”; or +1. "WebTrust for CAs v2.1 or newer" AND "WebTrust for CAs SSL Baseline with Network Security v2.3 or newer"; or 2. ETSI EN 319 411-1 v1.2.2, which includes normative references to ETSI EN 319 401 (the latest version of the referenced ETSI documents should be applied); or 3. If a Government CA is required by its Certificate Policy to use a different internal audit scheme, it MAY use such scheme provided that the audit either a. encompasses all requirements of one of the above schemes or From d820f37f9e1550805c210dcaf5162b7f86ccfb69 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Wed, 2 Oct 2024 17:45:19 +0300 Subject: [PATCH 09/16] SC-077: Update WebTrust Audit name in Section 8.4 and References (#514) (#543) * SC-077: Update WebTrust Audit name in Section 8.4 and References (#514) * Add updated WebTrust Audit name Update 8.4 to reference updated WebTrust document names * Update BR.md --------- Co-authored-by: Clint Wilson * Update BR.md New TLS BRs version according to ballot SC77 --------- Co-authored-by: Clint Wilson Co-authored-by: Clint Wilson --- docs/BR.md | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/docs/BR.md b/docs/BR.md index d9b61fc57..f8bdab1eb 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -1,11 +1,11 @@ --- title: Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates -subtitle: Version 2.0.7 +subtitle: Version 2.0.8 author: - CA/Browser Forum -date: 6-September-2024 +date: 2-October-2024 @@ -144,6 +144,7 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 2.0.5 | SC73 | Compromised and weak keys | 3-May-2024 | 1-July-2024 | | 2.0.6 | SC75 | Pre-sign linting | 28-June-2024 | 6-August-2024 | | 2.0.7 | SC67 | Require Multi-Perspective Issuance Corroboration | 2-August-2024 | 6-September-2024 | +| 2.0.8 | SC77 | Update WebTrust Audit name in Section 8.4 and References | 2-September-2024 | 2-October-2024 | \* Effective Date and Additionally Relevant Compliance Date(s) @@ -614,6 +615,8 @@ RFC8954, Request for Comments: 8954, Online Certificate Status Protocol (OCSP) N WebTrust for Certification Authorities, SSL Baseline with Network Security, available at +[WebTrust Principles and Criteria for Certification Authorities – SSL Baseline](https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria) + X.509, Recommendation ITU-T X.509 (08/2005) \| ISO/IEC 9594-8:2005, Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks. ### 1.6.4 Conventions @@ -3496,11 +3499,16 @@ The CA's audit SHALL be performed by a Qualified Auditor. A Qualified Auditor me The CA SHALL undergo an audit in accordance with one of the following schemes: -1. "WebTrust for CAs v2.1 or newer" AND "WebTrust for CAs SSL Baseline with Network Security v2.3 or newer"; or -2. ETSI EN 319 411-1 v1.2.2, which includes normative references to ETSI EN 319 401 (the latest version of the referenced ETSI documents should be applied); or -3. If a Government CA is required by its Certificate Policy to use a different internal audit scheme, it MAY use such scheme provided that the audit either - a. encompasses all requirements of one of the above schemes or - b. consists of comparable criteria that are available for public review. +1. WebTrust: + * "Principles and Criteria for Certification Authorities" Version 2.2 or newer; and either + * "WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security" Version 2.7 or newer; or + * "WebTrust Principles and Criteria for Certification Authorities – SSL Baseline" Version 2.8 or newer and "WebTrust Principles and Criteria for Certification Authorities – Network Security" Version 1.0 or newer +2. ETSI: + * ETSI EN 319 411-1 v1.4.1 or newer, which includes normative references to ETSI EN 319 401 (the latest version of the referenced ETSI documents should be applied); or +3. Other: + * If a Government CA is required by its Certificate Policy to use a different internal audit scheme, it MAY use such scheme provided that the audit either + a. encompasses all requirements of one of the above schemes; or + b. consists of comparable criteria that are available for public review. Whichever scheme is chosen, it MUST incorporate periodic monitoring and/or accountability procedures to ensure that its audits continue to be conducted in accordance with the requirements of the scheme. From 911e47e2657de64a7455ba16319b96ffdb5816cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Fri, 8 Nov 2024 12:04:37 +0100 Subject: [PATCH 10/16] =?UTF-8?q?SC-078=20-=20Subject=20organizationName?= =?UTF-8?q?=20alignment=20for=20DBA=20/=20Assumed=20Name=20(#=E2=80=A6=20(?= =?UTF-8?q?#552)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * SC-078 - Subject organizationName alignment for DBA / Assumed Name (#545) * Align with EVG and SBRs * Align IV with OV * Remove AssumedName Usage Co-authored-by: Corey Bonnell * Remove AssumedName Usage Co-authored-by: Corey Bonnell --------- Co-authored-by: Corey Bonnell * Update BR.md Update of date, version, ... --------- Co-authored-by: Martijn Katerbarg Co-authored-by: Corey Bonnell --- docs/BR.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/BR.md b/docs/BR.md index f8bdab1eb..ca03f6b29 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -1,11 +1,12 @@ --- title: Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates -subtitle: Version 2.0.8 +subtitle: Version 2.0.9 author: - CA/Browser Forum -date: 2-October-2024 +date: 8-November-2024 + @@ -145,6 +146,7 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 2.0.6 | SC75 | Pre-sign linting | 28-June-2024 | 6-August-2024 | | 2.0.7 | SC67 | Require Multi-Perspective Issuance Corroboration | 2-August-2024 | 6-September-2024 | | 2.0.8 | SC77 | Update WebTrust Audit name in Section 8.4 and References | 2-September-2024 | 2-October-2024 | +| 2.0.9 | SC78 | Subject organizationName alignment for DBA / Assumed Name | 2-October-2024 | 8-November-2024 \* Effective Date and Additionally Relevant Compliance Date(s) @@ -2491,7 +2493,7 @@ Table: Individual Validated `subject` Attributes | `localityName` | MUST / MAY | MUST be present if `stateOrProvinceName` is absent, MAY be present otherwise. If present, MUST contain the Subject's locality information. | [Section 3.2.3](#323-authentication-of-individual-identity) | | `postalCode` | NOT RECOMMENDED | If present, MUST contain the Subject's zip or postal information. | [Section 3.2.3](#323-authentication-of-individual-identity) | | `streetAddress` | NOT RECOMMENDED | If present, MUST contain the Subject's street address information. Multiple instances MAY be present. | [Section 3.2.3](#323-authentication-of-individual-identity) | -| `organizationName` | NOT RECOMMENDED | If present, MUST contain the Subject's name or DBA. | [Section 3.2.3](#323-authentication-of-individual-identity) | +| `organizationName` | NOT RECOMMENDED | If present, MUST contain the Subject's name and/or DBA/tradename. The CA MAY include information in this field that differs slightly from the verified name, such as common variations or abbreviations, provided that the CA documents the difference and any abbreviations used are locally accepted abbreviations. If both are included, the DBA/tradename SHALL appear first, followed by the Subject's name in parentheses. | [Section 3.2.3](#323-authentication-of-individual-identity) | | `surname` | MUST | The Subject's surname. | [Section 3.2.3](#323-authentication-of-individual-identity) | | `givenName` | MUST | The Subject's given name. | [Section 3.2.3](#323-authentication-of-individual-identity) | | `organizationalUnitName` | MUST NOT | - | - | @@ -2524,7 +2526,7 @@ Table: Organization Validated `subject` Attributes | `localityName` | MUST / MAY | MUST be present if `stateOrProvinceName` is absent, MAY be present otherwise. If present, MUST contain the Subject's locality information. | [Section 3.2.2.1](#3221-identity) | | `postalCode` | NOT RECOMMENDED | If present, MUST contain the Subject's zip or postal information. | [Section 3.2.2.1](#3221-identity)) | | `streetAddress` | NOT RECOMMENDED | If present, MUST contain the Subject's street address information. Multiple instances MAY be present.| [Section 3.2.2.1](#3221-identity) | -| `organizationName` | MUST | The Subject's name or DBA. The CA MAY include information in this field that differs slightly from the verified name, such as common variations or abbreviations, provided that the CA documents the difference and any abbreviations used are locally accepted abbreviations; e.g. if the official record shows "Company Name Incorporated", the CA MAY use "Company Name Inc." or "Company Name". | [Section 3.2.2.2](#3222-dbatradename) | +| `organizationName` | MUST | The Subject's name and/or DBA/tradename. The CA MAY include information in this field that differs slightly from the verified name, such as common variations or abbreviations, provided that the CA documents the difference and any abbreviations used are locally accepted abbreviations; e.g. if the official record shows "Company Name Incorporated", the CA MAY use "Company Name Inc." or "Company Name". If both are included, the DBA/tradename SHALL appear first, followed by the Subject's name in parentheses. | [Section 3.2.2.2](#3222-dbatradename) | | `surname` | MUST NOT | - | - | | `givenName` | MUST NOT | - | - | | `organizationalUnitName` | MUST NOT | - | - | From ed6b5458d8927d6d5398822911e2182c8cf83ce6 Mon Sep 17 00:00:00 2001 From: Martijn Katerbarg Date: Thu, 14 Nov 2024 15:41:36 +0100 Subject: [PATCH 11/16] Update upload-artifact to v4 due to github deprecation (#562) --- .github/workflows/build-draft-docs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-draft-docs.yml b/.github/workflows/build-draft-docs.yml index f156aa54a..a8af8a55c 100644 --- a/.github/workflows/build-draft-docs.yml +++ b/.github/workflows/build-draft-docs.yml @@ -28,7 +28,7 @@ jobs: docx: true lint: true draft: ${{ !(github.event_name == 'push' && github.repository == 'cabforum/servercert' && github.ref == 'refs/heads/main') }} - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: ${{ matrix.document }}-${{ github.event.pull_request.head.sha || github.sha }}-${{ github.event_name }} path: | From 3b19b48cfb86e457ba679a67e51ed00fd3c5f5f5 Mon Sep 17 00:00:00 2001 From: Aaron Gable Date: Thu, 14 Nov 2024 07:05:57 -0800 Subject: [PATCH 12/16] Ballot SC-76: Clarify and improve OCSP requirements (#535) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Ballot SC-XX: Clarify and improve OCSP requirements This ballot attempts to address three concerns: - The confusion around "reserved" serials, which do not actually exist because all Precertificate serials are assumed to also exist in corresponding Certificates and are therefore actually "assigned"; - Confusion around whether, and how quickly, OCSP responders must begin providing authoritative responses for Certificates and Precertificates; and - Confusion around whether and how the OCSP requirements apply to Certificates which do not contain an AIA OCSP URL, but for which the CA's OCSP responder is still willing to provide responses. Addresses https://github.com/mozilla/pkipolicy/issues/280 Addresses https://github.com/cabforum/servercert/issues/422 * Respond to comments, and reorganize further * Empty line before bullets * Address comments * Use singular, use "published or made available" * Use the singular even more * Discussion period feedback from Trev * Update BR.md --------- Co-authored-by: Iñigo Barreira <92998585+barrini@users.noreply.github.com> --- docs/BR.md | 56 ++++++++++++++++++++++++------------------------------ 1 file changed, 25 insertions(+), 31 deletions(-) diff --git a/docs/BR.md b/docs/BR.md index ca03f6b29..ba1dcc58a 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -1,11 +1,11 @@ --- title: Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates -subtitle: Version 2.0.9 +subtitle: Version 2.1.0 author: - CA/Browser Forum -date: 8-November-2024 +date: 14-November-2024 @@ -146,7 +146,8 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 2.0.6 | SC75 | Pre-sign linting | 28-June-2024 | 6-August-2024 | | 2.0.7 | SC67 | Require Multi-Perspective Issuance Corroboration | 2-August-2024 | 6-September-2024 | | 2.0.8 | SC77 | Update WebTrust Audit name in Section 8.4 and References | 2-September-2024 | 2-October-2024 | -| 2.0.9 | SC78 | Subject organizationName alignment for DBA / Assumed Name | 2-October-2024 | 8-November-2024 +| 2.0.9 | SC78 | Subject organizationName alignment for DBA / Assumed Name | 2-October-2024 | 8-November-2024 | +| 2.1.0 | SC76 | Clarify and improve OCSP requirements | 14-November-2024 | 15-January-2025 | \* Effective Date and Additionally Relevant Compliance Date(s) @@ -200,11 +201,13 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 2023-09-15 | Section 7 (and others) | CAs MUST use the updated Certificate Profiles passed in Version 2.0.0 | | 2024-03-15 | 4.9.7 | CAs MUST generate and publish CRLs. | | 2024-09-15 | 4.3.1.2 | The CA SHOULD implement a Linting process to test the technical conformity of the to-be-issued Certificate with these Requirements. | +| 2025-01-15 | 4.9.9 | Subscriber Certificate OCSP responses MUST be available 15 minutes after issuance. | | 2025-03-15 | 4.3.1.2 | The CA SHALL implement a Linting process to test the technical conformity of the to-be-issued Certificate with these Requirements. | | 2025-03-15 | 8.7 | The CA SHOULD use a Linting process to test the technical accuracy of already issued Certificates against the sample set chosen for Self-Audits. | | 2025-03-15 | 3.2.2.9 | CAs MUST corroborate the results of domain validation and CAA checks from multiple Network Perspectives where specified. | + ## 1.3 PKI Participants The CA/Browser Forum is a voluntary organization of Certification Authorities and suppliers of Internet browser and other relying-party software applications. @@ -1465,50 +1468,41 @@ No stipulation. ### 4.9.9 On-line revocation/status checking availability -The following SHALL apply for communicating the status of Certificates which include an Authority Information Access extension with an id-ad-ocsp accessMethod. - -OCSP responses MUST conform to RFC6960 and/or RFC5019. OCSP responses MUST either: +The validity interval of an OCSP response is the difference in time between the `thisUpdate` and `nextUpdate` field, inclusive. For purposes of computing differences, a difference of 3,600 seconds shall be equal to one hour, and a difference of 86,400 seconds shall be equal to one day, ignoring leap-seconds. -1. Be signed by the CA that issued the Certificates whose revocation status is being checked, or -2. Be signed by an OCSP Responder whose Certificate is signed by the CA that issued the Certificate whose -revocation status is being checked. +A certificate serial is "assigned" if: -In the latter case, the OCSP signing Certificate MUST contain an extension of type `id-pkix-ocsp-nocheck`, as -defined by RFC6960. +- a Certificate or Precertificate with that serial number has been issued by the Issuing CA; or +- a Precertificate with that serial number has been issued by a Precertificate Signing Certificate, as defined in [Section 7.1.2.4](#7124-technically-constrained-precertificate-signing-ca-certificate-profile), associated with the Issuing CA. -### 4.9.10 On-line revocation checking requirements +A certificate serial is "unassigned" if it is not "assigned". -The following SHALL apply for communicating the status of Certificates which include an Authority Information Access extension with an id-ad-ocsp accessMethod. +The following SHALL apply for communicating the status of Certificates and Precertificates which include an Authority Information Access extension with an id-ad-ocsp accessMethod. OCSP responders operated by the CA SHALL support the HTTP GET method, as described in RFC 6960 and/or RFC 5019. The CA MAY process the Nonce extension (`1.3.6.1.5.5.7.48.1.2`) in accordance with RFC 8954. -The validity interval of an OCSP response is the difference in time between the `thisUpdate` and `nextUpdate` field, inclusive. For purposes of computing differences, a difference of 3,600 seconds shall be equal to one hour, and a difference of 86,400 seconds shall be equal to one day, ignoring leap-seconds. +For the status of a Subscriber Certificate or its corresponding Precertificate: -For the status of Subscriber Certificates: +- Effective 2025-01-15, an authoritative OCSP response MUST be available (i.e. the responder MUST NOT respond with the "unknown" status) starting no more than 15 minutes after the Certificate or Precertificate is first published or otherwise made available. +- For OCSP responses with validity intervals less than sixteen hours, the CA SHALL provide an updated OCSP response prior to one-half of the validity period before the nextUpdate. +- For OCSP responses with validity intervals greater than or equal to sixteen hours, the CA SHALL provide an updated OCSP response at least eight hours prior to the nextUpdate, and no later than four days after the thisUpdate. -1. OCSP responses MUST have a validity interval greater than or equal to eight hours; -2. OCSP responses MUST have a validity interval less than or equal to ten days; -3. For OCSP responses with validity intervals less than sixteen hours, then the CA SHALL update the information provided via an Online Certificate Status Protocol prior to one-half of the validity period before the nextUpdate. -4. For OCSP responses with validity intervals greater than or equal to sixteen hours, then the CA SHALL update the information provided via an Online Certificate Status Protocol at least eight hours prior to the nextUpdate, and no later than four days after the thisUpdate. +For the status of a Subordinate CA Certificate, the CA SHALL provide an updated OCSP response at least every twelve months, and within 24 hours after revoking the Certificate. -For the status of Subordinate CA Certificates: +The following SHALL apply for communicating the status of *all* Certificates for which an OCSP responder is willing or required to respond. -* The CA SHALL update information provided via an Online Certificate Status Protocol +OCSP responses MUST conform to RFC6960 and/or RFC5019. OCSP responses MUST either: - i. at least every twelve months; and - ii. within 24 hours after revoking a Subordinate CA Certificate. +1. be signed by the CA that issued the Certificates whose revocation status is being checked, or +2. be signed by an OCSP Responder which complies with the OCSP Responder Certificate Profile in [Section 7.1.2.8](#7128-ocsp-responder-certificate-profile). -If the OCSP responder receives a request for the status of a certificate serial number that is "unused", then the responder SHOULD NOT respond with a "good" status. If the OCSP responder is for a CA that is not Technically Constrained in line with [Section 7.1.2.3](#7123-technically-constrained-non-tls-subordinate-ca-certificate-profile) or [Section 7.1.2.5](#7125-technically-constrained-tls-subordinate-ca-certificate-profile), the responder MUST NOT respond with a "good" status for such requests. +OCSP responses for Subscriber Certificates MUST have a validity interval greater than or equal to eight hours and less than or equal to ten days. -The OCSP responder MAY provide definitive responses about "reserved" certificate serial numbers, as if there was a corresponding Certificate that matches the Precertificate [RFC6962]. +If the OCSP responder receives a request for the status of a certificate serial number that is "unassigned", then the responder SHOULD NOT respond with a "good" status. If the OCSP responder is for a CA that is not Technically Constrained in line with [Section 7.1.2.3](#7123-technically-constrained-non-tls-subordinate-ca-certificate-profile) or [Section 7.1.2.5](#7125-technically-constrained-tls-subordinate-ca-certificate-profile), the responder MUST NOT respond with a "good" status for such requests. -A certificate serial number within an OCSP request is one of the following three options: +### 4.9.10 On-line revocation checking requirements -1. "assigned" if a Certificate with that serial number has been issued by the Issuing CA, using any current or previous key associated with that CA subject; or -2. "reserved" if a Precertificate [RFC6962] with that serial number has been issued by - a. the Issuing CA; or - b. a Precertificate Signing Certificate, as defined in [Section 7.1.2.4](#7124-technically-constrained-precertificate-signing-ca-certificate-profile), associated with the Issuing CA; or -3. "unused" if neither of the previous conditions are met. +No Stipulation. ### 4.9.11 Other forms of revocation advertisements available From 38f098f3e278f6e80ba7495906819de78c35cd68 Mon Sep 17 00:00:00 2001 From: Paul van Brouwershaven Date: Mon, 18 Nov 2024 10:41:45 +0100 Subject: [PATCH 13/16] SC-079v2 - Allow more than one Certificate Policy in a Cross-Certified Subordinate CA Certificate (#544) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Allow more than one Certificate Policy in a Cross-Certified Subordinate CA Certificate * Add exception Subscriber Certificates that chain up directly to the Certificate issued under this Certificate Profile * Update policyIdentifier description * Remove condition, a Cross-Certified Subordinate CA Certificate MUST always contain this extension Co-authored-by: Corey Bonnell * Update BR.md --------- Co-authored-by: Corey Bonnell Co-authored-by: Iñigo Barreira <92998585+barrini@users.noreply.github.com> --- docs/BR.md | 51 ++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 46 insertions(+), 5 deletions(-) diff --git a/docs/BR.md b/docs/BR.md index ba1dcc58a..d634f4820 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -148,6 +148,8 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 2.0.8 | SC77 | Update WebTrust Audit name in Section 8.4 and References | 2-September-2024 | 2-October-2024 | | 2.0.9 | SC78 | Subject organizationName alignment for DBA / Assumed Name | 2-October-2024 | 8-November-2024 | | 2.1.0 | SC76 | Clarify and improve OCSP requirements | 14-November-2024 | 15-January-2025 | +| 2.1.1 | SC79 | Allow more than one Certificate Policy in a Cross-Certified Subordinate CA Certificate | 18-November-2024 | 15-January-2025 | + \* Effective Date and Additionally Relevant Compliance Date(s) @@ -199,15 +201,13 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 2023-01-15 | 7.2.2 | Sharded or partitioned CRLs MUST have a distributionPoint | | 2023-07-15 | 4.9.1.1 and 7.2.2 | New CRL entries MUST have a revocation reason code | | 2023-09-15 | Section 7 (and others) | CAs MUST use the updated Certificate Profiles passed in Version 2.0.0 | -| 2024-03-15 | 4.9.7 | CAs MUST generate and publish CRLs. | +| 2024-03-15 | 4.9.7 | CAs MUST generate and publish CRLs. | 2024-09-15 | 4.3.1.2 | The CA SHOULD implement a Linting process to test the technical conformity of the to-be-issued Certificate with these Requirements. | | 2025-01-15 | 4.9.9 | Subscriber Certificate OCSP responses MUST be available 15 minutes after issuance. | | 2025-03-15 | 4.3.1.2 | The CA SHALL implement a Linting process to test the technical conformity of the to-be-issued Certificate with these Requirements. | | 2025-03-15 | 8.7 | The CA SHOULD use a Linting process to test the technical accuracy of already issued Certificates against the sample set chosen for Self-Audits. | | 2025-03-15 | 3.2.2.9 | CAs MUST corroborate the results of domain validation and CAA checks from multiple Network Perspectives where specified. | - - ## 1.3 PKI Participants The CA/Browser Forum is a voluntary organization of Certification Authorities and suppliers of Internet browser and other relying-party software applications. @@ -2093,7 +2093,7 @@ The `subject` MUST comply with the requirements of [Section 7.1.4](#714-name-for | ---- | - | - | ----- | | `authorityKeyIdentifier` | MUST | N | See [Section 7.1.2.11.1](#712111-authority-key-identifier) | | `basicConstraints` | MUST | Y | See [Section 7.1.2.10.4](#712104-ca-certificate-basic-constraints) | -| `certificatePolicies` | MUST | N | See [Section 7.1.2.10.5](#712105-ca-certificate-certificate-policies) | +| `certificatePolicies` | MUST | N | See [Section 7.1.2.2.6](#71226-cross-certified-subordinate-ca-certificate-certificate-policies) | | `crlDistributionPoints` | MUST | N | See [Section 7.1.2.11.2](#712112-crl-distribution-points) | | `keyUsage` | MUST | Y | See [Section 7.1.2.10.7](#712107-ca-certificate-key-usage) | | `subjectKeyIdentifier` | MUST | N | See [Section 7.1.2.11.4](#712114-subject-key-identifier) | @@ -2171,6 +2171,47 @@ Each included Extended Key Usage key usage purpose: CAs MUST NOT include additional key usage purposes unless the CA is aware of a reason for including the key usage purpose in the Certificate. +##### 7.1.2.2.6 Cross-Certified Subordinate CA Certificate Certificate Policies + +The Certificate Policies extension MUST contain at least one `PolicyInformation`. Each `PolicyInformation` MUST match the following profile: + + +Table: No Policy Restrictions (Affiliated CA) + +| __Field__ | __Presence__ | __Contents__ | +| --- | - | ------ | +| `policyIdentifier` | MUST | When the Issuing CA wishes to express that there are no policy restrictions, and if the Subordinate CA is an Affiliate of the Issuing CA, then the Issuing CA MAY use the `anyPolicy` Policy Identifier, which MUST be the only `PolicyInformation` value. | +|     `anyPolicy` | MUST | | +| `policyQualifiers` | NOT RECOMMENDED | If present, MUST contain only permitted `policyQualifiers` from the table below. | + + +Table: Policy Restricted + +| __Field__ | __Presence__ | __Contents__ | +| --- | - | ------ | +| `policyIdentifier` | MUST | One of the following policy identifiers: | +|     A [Reserved Certificate Policy Identifier](#7161-reserved-certificate-policy-identifiers) | MUST | The CA MUST include at least one Reserved Certificate Policy Identifier (see [Section 7.1.6.1](#7161-reserved-certificate-policy-identifiers)) associated with the given Subscriber Certificate type (see [Section 7.1.2.7.1](#71271-subscriber-certificate-types)) transitively issued by this Certificate. | +|     `anyPolicy` | MUST NOT | The `anyPolicy` Policy Identifier MUST NOT be present. | +|     Any other identifier | MAY | If present, MUST be defined by the CA and documented by the CA in its Certificate Policy and/or Certification Practice Statement. | +| `policyQualifiers` | NOT RECOMMENDED | If present, MUST contain only permitted `policyQualifiers` from the table below. | + + +This Profile RECOMMENDS that the first `PolicyInformation` value within the Certificate Policies extension contains the Reserved Certificate Policy Identifier (see [7.1.6.1](#7161-reserved-certificate-policy-identifiers))[^first_policy_note]. Regardless of the order of `PolicyInformation` values, the Certificate Policies extension MUST include at least one Reserved Certificate Policy Identifier. If any Subscriber Certificates will chain up directly to the Certificate issued under this Certificate Profile, this Cross-Certified Subordinate CA Certificate MUST contain exactly one Reserved Certificate Policy Identifier. + + +**Note**: policyQualifiers is NOT RECOMMENDED to be present in any Certificate issued under this Certificate Profile because this information increases the size of the Certificate without providing any value to a typical Relying Party, and the information may be obtained by other means when necessary. + + +If the `policyQualifiers` is permitted and present within a `PolicyInformation` field, it MUST be formatted as follows: + + +Table: Permitted `policyQualifiers` + +| __Qualifier ID__ | __Presence__ | __Field Type__ | __Contents__ | +| --- | - | - | ----- | +| `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | The HTTP or HTTPS URL for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. | +| Any other qualifier | MUST NOT | - | - | + #### 7.1.2.3 Technically Constrained Non-TLS Subordinate CA Certificate Profile This Certificate Profile MAY be used when issuing a CA Certificate that will be considered Technically Constrained, and which will not be used to issue TLS certificates directly or transitively. @@ -2951,7 +2992,7 @@ Table: No Policy Restrictions (Affiliated CA) | __Field__ | __Presence__ | __Contents__ | | --- | - | ------ | -| `policyIdentifier` | MUST | When the Issuing CA wishes to express that there are no policy restrictions, the Subordinate CA MUST be an Affiliate of the Issuing CA. The Certificate Policies extension MUST contain only a single `PolicyInformation` value, which MUST contain the `anyPolicy` Policy Identifier. | +| `policyIdentifier` | MUST | When the Issuing CA wishes to express that there are no policy restrictions, and if the Subordinate CA is an Affiliate of the Issuing CA, then the Issuing CA MAY use the `anyPolicy` Policy Identifier, which MUST be the only `PolicyInformation` value. | |     `anyPolicy` | MUST | | | `policyQualifiers` | NOT RECOMMENDED | If present, MUST contain only permitted `policyQualifiers` from the table below. | From 096810820d605d1a2c90a9b10e4ef36ed65bd6cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Mon, 18 Nov 2024 11:05:49 +0100 Subject: [PATCH 14/16] Update BR.md (#563) --- docs/BR.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/BR.md b/docs/BR.md index d634f4820..a7c9b0cb7 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -1,11 +1,11 @@ --- title: Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates -subtitle: Version 2.1.0 +subtitle: Version 2.1.1 author: - CA/Browser Forum -date: 14-November-2024 +date: 18-November-2024 From b7fd69b36171d81930e7758482984ce957a1ce7a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Mon, 16 Dec 2024 17:50:13 +0100 Subject: [PATCH 15/16] =?UTF-8?q?Ballot=20SC-080=20V3:=20"Sunset=20the=20u?= =?UTF-8?q?se=20of=20WHOIS=20to=20identify=20Domain=20Contact=E2=80=A6=20(?= =?UTF-8?q?#560)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Ballot SC-080 V3: "Sunset the use of WHOIS to identify Domain Contacts and relying DCV Methods" (#555) BRs release version 2.1.2 --- docs/BR.md | 245 +++++++++++++++++++++++++++++------------------------ 1 file changed, 136 insertions(+), 109 deletions(-) diff --git a/docs/BR.md b/docs/BR.md index a7c9b0cb7..8af1ad23d 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -1,15 +1,11 @@ --- title: Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates -subtitle: Version 2.1.1 +subtitle: Version 2.1.2 author: - CA/Browser Forum -date: 18-November-2024 - - - - +date: 16-December-2024 copyright: | Copyright 2024 CA/Browser Forum @@ -49,107 +45,107 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse ### 1.2.1 Revisions -| **Ver.** | **Ballot** | **Description** | **Adopted** | **Effective\*** | -|-|-|-----|--|--| -| 1.0.0 | 62 | Version 1.0 of the Baseline Requirements Adopted | 22-Nov-11 | 01-Jul-12 | -| 1.0.1 | 71 | Revised Auditor Qualifications | 08-May-12 | 01-Jan-13 | -| 1.0.2 | 75 | Non-critical Name Constraints allowed as exception to RFC 5280 | 08-Jun-12 | 08-Jun-12 | -| 1.0.3 | 78 | Revised Domain/IP Address Validation, High Risk Requests, and Data Sources | 22-Jun-12 | 22-Jun-12 | -| 1.0.4 | 80 | OCSP responses for non-issued certificates | 02-Aug-12 | 01-Feb-13 01-Aug-13 | -| -- | 83 | Network and Certificate System Security Requirements adopted | 03-Aug-13 | 01-Jan-13 | -| 1.0.5 | 88 | User-assigned country code of XX allowed | 12-Sep-12 | 12-Sep-12 | -| 1.1.0 | -- | Published as Version 1.1 with no changes from 1.0.5 | 14-Sep-12 | 14-Sep-12 | -| 1.1.1 | 93 | Reasons for Revocation and Public Key Parameter checking | 07-Nov-12 | 07-Nov-12 01-Jan-13 | -| 1.1.2 | 96 | Wildcard certificates and new gTLDs | 20-Feb-13 | 20-Feb-13 01-Sep-13 | -| 1.1.3 | 97 | Prevention of Unknown Certificate Contents | 21-Feb-13 | 21-Feb-13 | -| 1.1.4 | 99 | Add DSA Keys (BR v.1.1.4) | 3-May-2013 | 3-May-2013 | -| 1.1.5 | 102 | Revision to subject domainComponent language in Section 9.2.3 | 31-May-2013 | 31-May-2013 | -| 1.1.6 | 105 | Technical Constraints for Subordinate Certificate Authorities | 29-July-2013 | 29-July-2013 | -| 1.1.7 | 112 | Replace Definition of "Internal Server Name" with "Internal Name" | 3-April-2014 | 3-April-2014 | -| 1.1.8 | 120 | Affiliate Authority to Verify Domain | 5-June-2014 | 5-June-2014 | -| 1.1.9 | 129 | Clarification of PSL mentioned in Section 11.1.3 | 4-Aug-2014 | 4-Aug-2014 | -| 1.2.0 | 125 | CAA Records | 14-Oct-2014 | 15-Apr-2015 | -| 1.2.1 | 118 | SHA-1 Sunset | 16-Oct-2014 | 16-Jan-2015 1-Jan-2016 1-Jan-2017 | -| 1.2.2 | 134 | Application of RFC 5280 to Pre-certificates | 16-Oct-2014 | 16-Oct-2014 | -| 1.2.3 | 135 | ETSI Auditor Qualifications | 16-Oct-2014 | 16-Oct-2014 | -| 1.2.4 | 144 | Validation Rules for .onion Names | 18-Feb-2015 | 18-Feb-2015 | -| 1.2.5 | 148 | Issuer Field Correction | 2-April-2015 | 2-April-2015 | -| 1.3.0 | 146 | Convert Baseline Requirements to RFC 3647 Framework | 16-Apr-2015 | 16-Apr-2015 | -| 1.3.1 | 151 | Addition of Optional OIDs for Indicating Level of Validation | 28-Sep-2015 | 28-Sep-2015 | -| 1.3.2 | 156 | Amend Sections 1 and 2 of Baseline Requirements | 3-Dec-2015 | 3-Dec-2016 | -| 1.3.3 | 160 | Amend Section 4 of Baseline Requirements | 4-Feb-2016 | 4-Feb-2016 | -| 1.3.4 | 162 | Sunset of Exceptions | 15-Mar-2016 | 15-Mar-2016 | -| 1.3.5 | 168 | Baseline Requirements Corrections (Revised) | 10-May-2016 | 10-May-2016 | -| 1.3.6 | 171 | Updating ETSI Standards in CABF documents | 1-July-2016 | 1-July-2016 | -| 1.3.7 | 164 | Certificate Serial Number Entropy | 8-July-2016 | 30-Sep-2016 | -| 1.3.8 | 169 | Revised Validation Requirements | 5-Aug-2016 | 1-Mar-2017 | -| 1.3.9 | 174 | Reform of Requirements Relating to Conflicts with Local Law | 29-Aug-2016 | 27-Nov-2016 | -| 1.4.0 | 173 | Removal of requirement to cease use of public key due to incorrect info | 28-July-2016 | 11-Sept-2016 | -| 1.4.1 | 175 | Addition of givenName and surname | 7-Sept-2016 | 7-Sept-2016 | -| 1.4.2 | 181 | Removal of some validation methods listed in Section 3.2.2.4 | 7-Jan-2017 | 7-Jan-2017 | -| 1.4.3 | 187 | Make CAA Checking Mandatory | 8-Mar-2017 | 8-Sep-2017 | -| 1.4.4 | 193 | 825-day Certificate Lifetimes | 17-Mar-2017 | 1-Mar-2018 | -| 1.4.5 | 189 | Amend Section 6.1.7 of Baseline Requirements | 14-Apr-2017 | 14-May-2017 | -| 1.4.6 | 195 | CAA Fixup | 17-Apr-2017 | 18-May-2017 | -| 1.4.7 | 196 | Define "Audit Period" | 17-Apr-2017 | 18-May-2017 | -| 1.4.8 | 199 | Require commonName in Root and Intermediate Certificates | 9-May-2017 | 8-June-2017 | -| 1.4.9 | 204 | Forbid DTPs from doing Domain/IP Ownership | 11-July-2017 | 11-Aug-2017 | -| 1.5.0 | 212 | Canonicalise formal name of the Baseline Requirements | 1-Sept-2017 | 1-Oct-2017 | -| 1.5.1 | 197 | Effective Date of Ballot 193 Provisions | 1-May-2017 | 2-June-2017 | -| 1.5.2 | 190 | Add Validation Methods with Minor Corrections | 19-Sept-2017 | 19-Oct-2017 | -| 1.5.3 | 214 | CAA Discovery CNAME Errata | 27-Sept-2017 | 27-Oct-2017 | -| 1.5.4 | 215 | Fix Ballot 190 Errata | 4‐Oct‐2017 | 5‐Nov‐2017 | -| 1.5.5 | 217 | Sunset RFC 2527 | 21‐Dec‐2017 | 9‐Mar‐2018 | -| 1.5.6 | 218 | Remove validation methods #1 and #5 | 5‐Feb‐2018 | 9‐Mar‐2018 | -| 1.5.7 | 220 | Minor Cleanups (Spring 2018) | 30‐Mar‐2018 | 29‐Apr‐2018 | -| 1.5.8 | 219 | Clarify handling of CAA Record Sets with no "issue"/"issuewild" property tag | 10-Apr-2018 | 10-May-2018 | -| 1.5.9 | 223 | Update BR Section 8.4 for CA audit criteria | 15-May-2018 | 14-June-2018 | -| 1.6.0 | 224 | WhoIs and RDAP | 22-May-2018 | 22-June-2018 | -| 1.6.1 | SC6 | Revocation Timeline Extension | 14-Sep-2018 | 14-Oct-2018 | -| 1.6.2 | SC12 | Sunset of Underscores in dNSNames | 9-Nov-2018 | 10-Dec-2018 | -| 1.6.3 | SC13 | CAA Contact Property and Associated E-mail Validation Methods | 25-Dec-2018 | 1-Feb-2019 | -| 1.6.4 | SC14 | Updated Phone Validation Methods | 31-Jan-2019 | 16-Mar-2019 | -| 1.6.4 | SC15 | Remove Validation Method Number 9 | 5-Feb-2019 | 16-Mar-2019 | -| 1.6.4 | SC7 | Update IP Address Validation Methods | 8-Feb-2019 | 16-Mar-2019 | -| 1.6.5 | SC16 | Other Subject Attributes | 15-Mar-2019 | 16-Apr-2019 | -| 1.6.6 | SC19 | Phone Contact with DNS CAA Phone Contact v2 | 20-May-2019 | 9-Sep-2019 | -| 1.6.7 | SC23 | Precertificates | 14-Nov-2019 | 19-Dec-2019 | -| 1.6.7 | SC24 | Fall Cleanup v2 | 12-Nov-2019 | 19-Dec-2019 | -| 1.6.8 | SC25 | Define New HTTP Domain Validation Methods v2 | 31-Jan-2020 | 3-Mar-2020 | -| 1.6.9 | SC27 | Version 3 Onion Certificates | 19-Feb-2020 | 27-Mar-2020 | -| 1.7.0 | SC29 | Pandoc-Friendly Markdown Formatting Changes | 20-Mar-2020 | 4-May-2020 | -| 1.7.1 | SC30 | Disclosure of Registration / Incorporating Agency | 13-Jul-2020 | 20-Aug-2020 | -| 1.7.1 | SC31 | Browser Alignment | 16-Jul-2020 | 20-Aug-2020 | -| 1.7.2 | SC33 | TLS Using ALPN Method | 14-Aug-2020 | 22-Sept-2020 | -| 1.7.3 | SC28 | Logging and Log Retention | 10-Sep-2020 | 19-Oct-2020 | -| 1.7.3 | SC35 | Cleanups and Clarifications | 9-Sep-2020 | 19-Oct-2020 | -| 1.7.4 | SC41 | Reformat the BRs, EVGs, and NCSSRs | 24-Feb-2021 | 5-Apr-2021 | -| 1.7.5 | SC42 | 398-day Re-use Period | 22-Apr-2021 | 2-Jun-2021 | -| 1.7.6 | SC44 | Clarify Acceptable Status Codes | 30-Apr-2021 | 3-Jun-2021 | -| 1.7.7 | SC46 | Sunset the CAA Exception for DNS Operator | 2-Jun-2021 | 12-Jul-2021 | -| 1.7.8 | SC45 | Wildcard Domain Validation | 2-Jun-2021 | 13-Jul-2021 | -| 1.7.9 | SC47 | Sunset subject:organizationalUnitName | 30-Jun-2021 | 16-Aug-2021 | -| 1.8.0 | SC48 | Domain Name and IP Address Encoding | 22-Jul-2021 | 25-Aug-2021 | -| 1.8.1 | SC50 | Remove the requirements of 4.1.1 | 22-Nov-2021 | 23-Dec-2021 | -| 1.8.2 | SC53 | Sunset for SHA-1 OCSP Signing | 26-Jan-2022 | 4-Mar-2022 | -| 1.8.3 | SC51 | Reduce and Clarify Log and Records Archival Retention Requirements | 01-Mar-2022 | 15-Apr-2022 | -| 1.8.4 | SC54 | Onion Cleanup | 24-Mar-2022 | 23-Apr-2022 | -| 1.8.5 | SC56 | 2022 Cleanup | 25-Oct-2022 | 30-Nov-2022 | -| 1.8.6 | SC58 | Require distributionPoint in sharded CRLs | 7-Nov-2022 | 11-Dec-2022 | -| 1.8.7 | SC61 | New CRL entries must have a Revocation Reason Code | 1-Apr-2023 | 15-Jul-2023 | -| 2.0.0 | SC62 | Certificate Profiles Update | 22-Apr-2023 | 15-Sep-2023 | -| 2.0.1 | SC63 | Make OCSP optional, require CRLs, and incentivize automation | 17-Aug-2023 | 15-Mar-2024 | -| 2.0.2 | SC66 | 2023 Cleanup | 23-Nov-2023 | 8-Jan-2024 | -| 2.0.3 | SC69 | Clarify router and firewall logging requirements | 13-March-2024 | 15-April-2024 | -| 2.0.4 | SC65 | Convert EVGs into RFC 3647 format | 15-March-2024 | 15-May-2024 | -| 2.0.5 | SC73 | Compromised and weak keys | 3-May-2024 | 1-July-2024 | -| 2.0.6 | SC75 | Pre-sign linting | 28-June-2024 | 6-August-2024 | -| 2.0.7 | SC67 | Require Multi-Perspective Issuance Corroboration | 2-August-2024 | 6-September-2024 | -| 2.0.8 | SC77 | Update WebTrust Audit name in Section 8.4 and References | 2-September-2024 | 2-October-2024 | -| 2.0.9 | SC78 | Subject organizationName alignment for DBA / Assumed Name | 2-October-2024 | 8-November-2024 | -| 2.1.0 | SC76 | Clarify and improve OCSP requirements | 14-November-2024 | 15-January-2025 | -| 2.1.1 | SC79 | Allow more than one Certificate Policy in a Cross-Certified Subordinate CA Certificate | 18-November-2024 | 15-January-2025 | - +| **Ver.** | **Ballot** | **Description** | **Adopted** | **Effective\*** | +|----------|------------|----------------------------------------------------------------------------------------|-------------|-----------------------------------| +| 1.0.0 | 62 | Version 1.0 of the Baseline Requirements Adopted | 22-Nov-11 | 01-Jul-12 | +| 1.0.1 | 71 | Revised Auditor Qualifications | 08-May-12 | 01-Jan-13 | +| 1.0.2 | 75 | Non-critical Name Constraints allowed as exception to RFC 5280 | 08-Jun-12 | 08-Jun-12 | +| 1.0.3 | 78 | Revised Domain/IP Address Validation, High Risk Requests, and Data Sources | 22-Jun-12 | 22-Jun-12 | +| 1.0.4 | 80 | OCSP responses for non-issued certificates | 02-Aug-12 | 01-Feb-13 01-Aug-13 | +| -- | 83 | Network and Certificate System Security Requirements adopted | 03-Aug-13 | 01-Jan-13 | +| 1.0.5 | 88 | User-assigned country code of XX allowed | 12-Sep-12 | 12-Sep-12 | +| 1.1.0 | -- | Published as Version 1.1 with no changes from 1.0.5 | 14-Sep-12 | 14-Sep-12 | +| 1.1.1 | 93 | Reasons for Revocation and Public Key Parameter checking | 07-Nov-12 | 07-Nov-12 01-Jan-13 | +| 1.1.2 | 96 | Wildcard certificates and new gTLDs | 20-Feb-13 | 20-Feb-13 01-Sep-13 | +| 1.1.3 | 97 | Prevention of Unknown Certificate Contents | 21-Feb-13 | 21-Feb-13 | +| 1.1.4 | 99 | Add DSA Keys (BR v.1.1.4) | 3-May-2013 | 3-May-2013 | +| 1.1.5 | 102 | Revision to subject domainComponent language in Section 9.2.3 | 31-May-2013 | 31-May-2013 | +| 1.1.6 | 105 | Technical Constraints for Subordinate Certificate Authorities | 29-Jul-2013 | 29-Jul-2013 | +| 1.1.7 | 112 | Replace Definition of "Internal Server Name" with "Internal Name" | 3-Apr-2014 | 3-Apr-2014 | +| 1.1.8 | 120 | Affiliate Authority to Verify Domain | 5-Jun-2014 | 5-Jun-2014 | +| 1.1.9 | 129 | Clarification of PSL mentioned in Section 11.1.3 | 4-Aug-2014 | 4-Aug-2014 | +| 1.2.0 | 125 | CAA Records | 14-Oct-2014 | 15-Apr-2015 | +| 1.2.1 | 118 | SHA-1 Sunset | 16-Oct-2014 | 16-Jan-2015 1-Jan-2016 1-Jan-2017 | +| 1.2.2 | 134 | Application of RFC 5280 to Pre-certificates | 16-Oct-2014 | 16-Oct-2014 | +| 1.2.3 | 135 | ETSI Auditor Qualifications | 16-Oct-2014 | 16-Oct-2014 | +| 1.2.4 | 144 | Validation Rules for .onion Names | 18-Feb-2015 | 18-Feb-2015 | +| 1.2.5 | 148 | Issuer Field Correction | 2-Apr-2015 | 2-Apr-2015 | +| 1.3.0 | 146 | Convert Baseline Requirements to RFC 3647 Framework | 16-Apr-2015 | 16-Apr-2015 | +| 1.3.1 | 151 | Addition of Optional OIDs for Indicating Level of Validation | 28-Sep-2015 | 28-Sep-2015 | +| 1.3.2 | 156 | Amend Sections 1 and 2 of Baseline Requirements | 3-Dec-2015 | 3-Dec-2016 | +| 1.3.3 | 160 | Amend Section 4 of Baseline Requirements | 4-Feb-2016 | 4-Feb-2016 | +| 1.3.4 | 162 | Sunset of Exceptions | 15-Mar-2016 | 15-Mar-2016 | +| 1.3.5 | 168 | Baseline Requirements Corrections (Revised) | 10-May-2016 | 10-May-2016 | +| 1.3.6 | 171 | Updating ETSI Standards in CABF documents | 1-Jul-2016 | 1-Jul-2016 | +| 1.3.7 | 164 | Certificate Serial Number Entropy | 8-Jul-2016 | 30-Sep-2016 | +| 1.3.8 | 169 | Revised Validation Requirements | 5-Aug-2016 | 1-Mar-2017 | +| 1.3.9 | 174 | Reform of Requirements Relating to Conflicts with Local Law | 29-Aug-2016 | 27-Nov-2016 | +| 1.4.0 | 173 | Removal of requirement to cease use of public key due to incorrect info | 28-Jul-2016 | 11-Sep-2016 | +| 1.4.1 | 175 | Addition of givenName and surname | 7-Sep-2016 | 7-Sep-2016 | +| 1.4.2 | 181 | Removal of some validation methods listed in Section 3.2.2.4 | 7-Jan-2017 | 7-Jan-2017 | +| 1.4.3 | 187 | Make CAA Checking Mandatory | 8-Mar-2017 | 8-Sep-2017 | +| 1.4.4 | 193 | 825-day Certificate Lifetimes | 17-Mar-2017 | 1-Mar-2018 | +| 1.4.5 | 189 | Amend Section 6.1.7 of Baseline Requirements | 14-Apr-2017 | 14-May-2017 | +| 1.4.6 | 195 | CAA Fixup | 17-Apr-2017 | 18-May-2017 | +| 1.4.7 | 196 | Define "Audit Period" | 17-Apr-2017 | 18-May-2017 | +| 1.4.8 | 199 | Require commonName in Root and Intermediate Certificates | 9-May-2017 | 8-Jun-2017 | +| 1.4.9 | 204 | Forbid DTPs from doing Domain/IP Ownership | 11-Jul-2017 | 11-Aug-2017 | +| 1.5.0 | 212 | Canonicalise formal name of the Baseline Requirements | 1-Sep-2017 | 1-Oct-2017 | +| 1.5.1 | 197 | Effective Date of Ballot 193 Provisions | 1-May-2017 | 2-Jun-2017 | +| 1.5.2 | 190 | Add Validation Methods with Minor Corrections | 19-Sep-2017 | 19-Oct-2017 | +| 1.5.3 | 214 | CAA Discovery CNAME Errata | 27-Sep-2017 | 27-Oct-2017 | +| 1.5.4 | 215 | Fix Ballot 190 Errata | 4‐Oct‐2017 | 5‐Nov‐2017 | +| 1.5.5 | 217 | Sunset RFC 2527 | 21‐Dec‐2017 | 9‐Mar‐2018 | +| 1.5.6 | 218 | Remove validation methods #1 and #5 | 5‐Feb‐2018 | 9‐Mar‐2018 | +| 1.5.7 | 220 | Minor Cleanups (Spring 2018) | 30‐Mar‐2018 | 29‐Apr‐2018 | +| 1.5.8 | 219 | Clarify handling of CAA Record Sets with no "issue"/"issuewild" property tag | 10-Apr-2018 | 10-May-2018 | +| 1.5.9 | 223 | Update BR Section 8.4 for CA audit criteria | 15-May-2018 | 14-June-2018 | +| 1.6.0 | 224 | WhoIs and RDAP | 22-May-2018 | 22-June-2018 | +| 1.6.1 | SC6 | Revocation Timeline Extension | 14-Sep-2018 | 14-Oct-2018 | +| 1.6.2 | SC12 | Sunset of Underscores in dNSNames | 9-Nov-2018 | 10-Dec-2018 | +| 1.6.3 | SC13 | CAA Contact Property and Associated E-mail Validation Methods | 25-Dec-2018 | 1-Feb-2019 | +| 1.6.4 | SC14 | Updated Phone Validation Methods | 31-Jan-2019 | 16-Mar-2019 | +| 1.6.4 | SC15 | Remove Validation Method Number 9 | 5-Feb-2019 | 16-Mar-2019 | +| 1.6.4 | SC7 | Update IP Address Validation Methods | 8-Feb-2019 | 16-Mar-2019 | +| 1.6.5 | SC16 | Other Subject Attributes | 15-Mar-2019 | 16-Apr-2019 | +| 1.6.6 | SC19 | Phone Contact with DNS CAA Phone Contact v2 | 20-May-2019 | 9-Sep-2019 | +| 1.6.7 | SC23 | Precertificates | 14-Nov-2019 | 19-Dec-2019 | +| 1.6.7 | SC24 | Fall Cleanup v2 | 12-Nov-2019 | 19-Dec-2019 | +| 1.6.8 | SC25 | Define New HTTP Domain Validation Methods v2 | 31-Jan-2020 | 3-Mar-2020 | +| 1.6.9 | SC27 | Version 3 Onion Certificates | 19-Feb-2020 | 27-Mar-2020 | +| 1.7.0 | SC29 | Pandoc-Friendly Markdown Formatting Changes | 20-Mar-2020 | 4-May-2020 | +| 1.7.1 | SC30 | Disclosure of Registration / Incorporating Agency | 13-Jul-2020 | 20-Aug-2020 | +| 1.7.1 | SC31 | Browser Alignment | 16-Jul-2020 | 20-Aug-2020 | +| 1.7.2 | SC33 | TLS Using ALPN Method | 14-Aug-2020 | 22-Sept-2020 | +| 1.7.3 | SC28 | Logging and Log Retention | 10-Sep-2020 | 19-Oct-2020 | +| 1.7.3 | SC35 | Cleanups and Clarifications | 9-Sep-2020 | 19-Oct-2020 | +| 1.7.4 | SC41 | Reformat the BRs, EVGs, and NCSSRs | 24-Feb-2021 | 5-Apr-2021 | +| 1.7.5 | SC42 | 398-day Re-use Period | 22-Apr-2021 | 2-Jun-2021 | +| 1.7.6 | SC44 | Clarify Acceptable Status Codes | 30-Apr-2021 | 3-Jun-2021 | +| 1.7.7 | SC46 | Sunset the CAA Exception for DNS Operator | 2-Jun-2021 | 12-Jul-2021 | +| 1.7.8 | SC45 | Wildcard Domain Validation | 2-Jun-2021 | 13-Jul-2021 | +| 1.7.9 | SC47 | Sunset subject:organizationalUnitName | 30-Jun-2021 | 16-Aug-2021 | +| 1.8.0 | SC48 | Domain Name and IP Address Encoding | 22-Jul-2021 | 25-Aug-2021 | +| 1.8.1 | SC50 | Remove the requirements of 4.1.1 | 22-Nov-2021 | 23-Dec-2021 | +| 1.8.2 | SC53 | Sunset for SHA-1 OCSP Signing | 26-Jan-2022 | 4-Mar-2022 | +| 1.8.3 | SC51 | Reduce and Clarify Log and Records Archival Retention Requirements | 01-Mar-2022 | 15-Apr-2022 | +| 1.8.4 | SC54 | Onion Cleanup | 24-Mar-2022 | 23-Apr-2022 | +| 1.8.5 | SC56 | 2022 Cleanup | 25-Oct-2022 | 30-Nov-2022 | +| 1.8.6 | SC58 | Require distributionPoint in sharded CRLs | 7-Nov-2022 | 11-Dec-2022 | +| 1.8.7 | SC61 | New CRL entries must have a Revocation Reason Code | 1-Apr-2023 | 15-Jul-2023 | +| 2.0.0 | SC62 | Certificate Profiles Update | 22-Apr-2023 | 15-Sep-2023 | +| 2.0.1 | SC63 | Make OCSP optional, require CRLs, and incentivize automation | 17-Aug-2023 | 15-Mar-2024 | +| 2.0.2 | SC66 | 2023 Cleanup | 23-Nov-2023 | 8-Jan-2024 | +| 2.0.3 | SC69 | Clarify router and firewall logging requirements | 13-Mar-2024 | 15-Apr-2024 | +| 2.0.4 | SC65 | Convert EVGs into RFC 3647 format | 15-Mar-2024 | 15-May-2024 | +| 2.0.5 | SC73 | Compromised and weak keys | 3-May-2024 | 1-Jul-2024 | +| 2.0.6 | SC75 | Pre-sign linting | 28-Jun-2024 | 6-Aug-2024 | +| 2.0.7 | SC67 | Require Multi-Perspective Issuance Corroboration | 2-Aug-2024 | 6-Sep-2024 | +| 2.0.8 | SC77 | Update WebTrust Audit name in Section 8.4 and References | 2-Sep-2024 | 2-Oct-2024 | +| 2.0.9 | SC78 | Subject organizationName alignment for DBA / Assumed Name | 2-Oct-2024 | 8-Nov-2024 | +| 2.1.0 | SC76 | Clarify and improve OCSP requirements | 26-Sep-2024 | 14-Nov-2024 | +| 2.1.1 | SC79 | Allow more than one Certificate Policy in a Cross-Certified Subordinate CA Certificate | 30-Sep-2024 | 14-Nov-2024 | +| 2.1.2 | SC80 | Strengthen WHOIS lookups and Sunset Methods 3.2.2.4.2 and 3.2.2.4.15 | 7-Nov-2024 | 16-Dec-2024 | \* Effective Date and Additionally Relevant Compliance Date(s) @@ -203,10 +199,12 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 2023-09-15 | Section 7 (and others) | CAs MUST use the updated Certificate Profiles passed in Version 2.0.0 | | 2024-03-15 | 4.9.7 | CAs MUST generate and publish CRLs. | 2024-09-15 | 4.3.1.2 | The CA SHOULD implement a Linting process to test the technical conformity of the to-be-issued Certificate with these Requirements. | -| 2025-01-15 | 4.9.9 | Subscriber Certificate OCSP responses MUST be available 15 minutes after issuance. | +| 2025-01-15 | 4.9.9 | Subscriber Certificate OCSP responses MUST be available 15 minutes after issuance. | +| 2025-01-15 | 3.2.2.4 | CAs MUST NOT rely on HTTPS websites to identify Domain Contact information. CAs MUST rely on IANA resources for identifying Domain Contact information. | | 2025-03-15 | 4.3.1.2 | The CA SHALL implement a Linting process to test the technical conformity of the to-be-issued Certificate with these Requirements. | | 2025-03-15 | 8.7 | The CA SHOULD use a Linting process to test the technical accuracy of already issued Certificates against the sample set chosen for Self-Audits. | -| 2025-03-15 | 3.2.2.9 | CAs MUST corroborate the results of domain validation and CAA checks from multiple Network Perspectives where specified. | +| 2025-03-15 | 3.2.2.9 | CAs MUST corroborate the results of domain validation and CAA checks from multiple Network Perspectives where specified. | +| 2025-07-15 | 3.2.2.4 | CAs MUST NOT rely on Methods 3.2.2.4.2 and 3.2.2.4.15 to issue Subscriber Certificates. | ## 1.3 PKI Participants @@ -757,6 +755,17 @@ The Random Value SHALL remain valid for use in a confirming response for no more **Note**: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the Domain Labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names. +Effective January 15, 2025: +- When issuing Subscriber Certificates, the CA MUST NOT rely on Domain Contact information obtained using an HTTPS website, regardless of whether previously obtained information is within the allowed reuse period. +- When obtaining Domain Contact information for a requested Domain Name the CA: + - if using the WHOIS protocol (RFC 3912), MUST query IANA's WHOIS server and follow referrals to the appropriate WHOIS server. + - if using the Registry Data Access Protocol (RFC 7482), MUST utilize IANA's bootstrap file to identify and query the correct RDAP server for the domain. + - MUST NOT rely on cached 1) WHOIS server information that is more than 48 hours old, or 2) RDAP bootstrap data from IANA that is more than 48 hours old, to ensure that it relies upon up-to-date and accurate information. + +Effective July 15, 2025: +- The CA MUST NOT rely on this method. +- Prior validations using this method and validation data gathered according to this method MUST NOT be used to issue Subscriber Certificates. + ##### 3.2.2.4.3 Phone Contact with Domain Contact This method has been retired and MUST NOT be used. Prior validations using this method and validation data gathered according to this method SHALL NOT be used to issue certificates. @@ -826,6 +835,13 @@ Confirming the Applicant's control over the FQDN by validating the Applicant is **Note**: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the Domain Labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names. +Effective January 15, 2025: +- When issuing Subscriber Certificates, the CA MUST NOT rely on Domain Contact information obtained using an HTTPS website, regardless of whether previously obtained information is within the allowed reuse period. +- When obtaining Domain Contact information for a requested Domain Name the CA: + - if using the WHOIS protocol (RFC 3912), MUST query IANA's WHOIS server and follow referrals to the appropriate WHOIS server. + - if using the Registry Data Access Protocol (RFC 7482), MUST utilize IANA's bootstrap file to identify and query the correct RDAP server for the domain. + - MUST NOT rely on cached 1) WHOIS server information that is more than 48 hours old, or 2) RDAP bootstrap data from IANA that is more than 48 hours old, to ensure that it relies upon up-to-date and accurate information. + ##### 3.2.2.4.13 Email to DNS CAA Contact Confirming the Applicant's control over the FQDN by sending a Random Value via email and then receiving a confirming response utilizing the Random Value. The Random Value MUST be sent to a DNS CAA Email Contact. The relevant CAA Resource Record Set MUST be found using the search algorithm defined in RFC 8659, Section 3. @@ -862,6 +878,17 @@ The Random Value SHALL remain valid for use in a confirming response for no more **Note**: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the Domain Labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names. +Effective January 15, 2025: +- When issuing Subscriber Certificates, the CA MUST NOT rely on Domain Contact information obtained using an HTTPS website, regardless of whether previously obtained information is within the allowed reuse period. +- When obtaining Domain Contact information for a requested Domain Name the CA: + - if using the WHOIS protocol (RFC 3912), MUST query IANA's WHOIS server and follow referrals to the appropriate WHOIS server. + - if using the Registry Data Access Protocol (RFC 7482), MUST utilize IANA's bootstrap file to identify and query the correct RDAP server for the domain. + - MUST NOT rely on cached 1) WHOIS server information that is more than 48 hours old, or 2) RDAP bootstrap data from IANA that is more than 48 hours old, to ensure that it relies upon up-to-date and accurate information. + +Effective July 15, 2025: +- The CA MUST NOT rely on this method. +- Prior validations using this method and validation data gathered according to this method MUST NOT be used to issue Subscriber Certificates. + ##### 3.2.2.4.16 Phone Contact with DNS TXT Record Phone Contact Confirm the Applicant's control over the FQDN by calling the DNS TXT Record Phone Contact’s phone number and obtain a confirming response to validate the ADN. Each phone call MAY confirm control of multiple ADNs provided that the same DNS TXT Record Phone Contact phone number is listed for each ADN being verified and they provide a confirming response for each ADN. From 3acd0030135a1134572158c9c08982de20aee89d Mon Sep 17 00:00:00 2001 From: Martijn Katerbarg Date: Mon, 24 Feb 2025 10:37:25 +0100 Subject: [PATCH 16/16] SC083: Winter 2024-2025 Cleanup Ballot (#561) BRs release version 2.1.3 --- docs/BR.md | 113 +++++++++++++++++++++++++++-------------------------- 1 file changed, 58 insertions(+), 55 deletions(-) diff --git a/docs/BR.md b/docs/BR.md index 8af1ad23d..c01d966f8 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -1,14 +1,14 @@ --- title: Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates -subtitle: Version 2.1.2 +subtitle: Version 2.1.3 author: - CA/Browser Forum -date: 16-December-2024 +date: 24-February-2025 copyright: | - Copyright 2024 CA/Browser Forum + Copyright 2025 CA/Browser Forum This work is licensed under the Creative Commons Attribution 4.0 International license. --- @@ -146,6 +146,7 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 2.1.0 | SC76 | Clarify and improve OCSP requirements | 26-Sep-2024 | 14-Nov-2024 | | 2.1.1 | SC79 | Allow more than one Certificate Policy in a Cross-Certified Subordinate CA Certificate | 30-Sep-2024 | 14-Nov-2024 | | 2.1.2 | SC80 | Strengthen WHOIS lookups and Sunset Methods 3.2.2.4.2 and 3.2.2.4.15 | 7-Nov-2024 | 16-Dec-2024 | +| 2.1.3 | SC83 | Winter 2024-2025 Cleanup Ballot | 23-Jan-2025 | 24-Feb-2025 | \* Effective Date and Additionally Relevant Compliance Date(s) @@ -311,7 +312,7 @@ The Definitions found in the CA/Browser Forum's Network and Certificate System S **Base Domain Name**: The portion of an applied-for FQDN that is the first Domain Name node left of a registry-controlled or public suffix plus the registry-controlled or public suffix (e.g. "example.co.uk" or "example.com"). For FQDNs where the right-most Domain Name node is a gTLD having ICANN Specification 13 in its registry agreement, the gTLD itself may be used as the Base Domain Name. -**CAA**: From RFC 8659 (): "The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain name. CAA Resource Records allow a public CA to implement additional controls to reduce the risk of unintended certificate mis-issue." +**CAA**: From RFC 8659 (): "The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain name. CAA Resource Records allow a public CA to implement additional controls to reduce the risk of unintended certificate mis-issue." **CA Key Pair**: A Key Pair where the Public Key appears as the Subject Public Key Info in one or more Root CA Certificate(s) and/or Subordinate CA Certificate(s). @@ -353,7 +354,7 @@ The Definitions found in the CA/Browser Forum's Network and Certificate System S **Domain Contact**: The Domain Name Registrant, technical contact, or administrative contact (or the equivalent under a ccTLD) as listed in the WHOIS record of the Base Domain Name or in a DNS SOA record, or as obtained through direct contact with the Domain Name Registrar. -**Domain Label**: From RFC 8499 (): "An ordered list of zero or more octets that makes up a portion of a domain name. Using graph theory, a label identifies one node in a portion of the graph of all possible domain names." +**Domain Label**: From RFC 8499 (): "An ordered list of zero or more octets that makes up a portion of a domain name. Using graph theory, a label identifies one node in a portion of the graph of all possible domain names." **Domain Name**: An ordered list of one or more Domain Labels assigned to a node in the Domain Name System. @@ -393,7 +394,7 @@ The Definitions found in the CA/Browser Forum's Network and Certificate System S **Key Pair**: The Private Key and its associated Public Key. -**LDH Label**: From RFC 5890 (): "A string consisting of ASCII letters, digits, and the hyphen with the further restriction that the hyphen cannot appear at the beginning or end of the string. Like all DNS labels, its total length must not exceed 63 octets." +**LDH Label**: From RFC 5890 (): "A string consisting of ASCII letters, digits, and the hyphen with the further restriction that the hyphen cannot appear at the beginning or end of the string. Like all DNS labels, its total length must not exceed 63 octets." **Legal Entity**: An association, corporation, partnership, proprietorship, trust, government entity or other entity with legal standing in a country's legal system. @@ -403,7 +404,7 @@ The Definitions found in the CA/Browser Forum's Network and Certificate System S **Network Perspective**: Related to Multi-Perspective Issuance Corroboration. A system (e.g., a cloud-hosted server instance) or collection of network components (e.g., a VPN and corresponding infrastructure) for sending outbound Internet traffic associated with a domain control validation method and/or CAA check. The location of a Network Perspective is determined by the point where unencapsulated outbound Internet traffic is typically first handed off to the network infrastructure providing Internet connectivity to that perspective. -**Non-Reserved LDH Label**: From RFC 5890 (): "The set of valid LDH labels that do not have '`--`' in the third and fourth positions." +**Non-Reserved LDH Label**: From RFC 5890 (): "The set of valid LDH labels that do not have '`--`' in the third and fourth positions." **Object Identifier**: A unique alphanumeric or numeric identifier registered under the International Organization for Standardization's applicable standard for a specific object or object class. @@ -494,7 +495,7 @@ The script outputs: **Subject**: The natural person, device, system, unit, or Legal Entity identified in a Certificate as the Subject. The Subject is either the Subscriber or a device under the control and operation of the Subscriber. -**Subject Identity Information**: Information that identifies the Certificate Subject. Subject Identity Information does not include a Domain Name listed in the `subjectAltName` extension or the Subject `commonName` field. +**Subject Identity Information**: Information that identifies the Certificate Subject. Subject Identity Information does not include a Domain Name or an IP Address listed in the `subjectAltName` extension or the Subject `commonName` field. **Subordinate CA**: A Certification Authority whose Certificate is signed by the Root CA, or another Subordinate CA. @@ -518,7 +519,7 @@ The script outputs: **Validation Specialist**: Someone who performs the information verification duties specified by these Requirements. -**Validity Period**: From RFC 5280 (): "The period of time from notBefore through notAfter, inclusive." +**Validity Period**: From RFC 5280 (): "The period of time from notBefore through notAfter, inclusive." **WHOIS**: Information retrieved directly from the Domain Name Registrar or registry operator via the protocol defined in RFC 3912, the Registry Data Access Protocol defined in RFC 7482, or an HTTPS website. @@ -526,7 +527,7 @@ The script outputs: **Wildcard Domain Name**: A string starting with "\*." (U+002A ASTERISK, U+002E FULL STOP) immediately followed by a Fully-Qualified Domain Name. -**XN-Label**: From RFC 5890 (): "The class of labels that begin with the prefix `"xn--"` (case independent), but otherwise conform to the rules for LDH labels." +**XN-Label**: From RFC 5890 (): "The class of labels that begin with the prefix `"xn--"` (case independent), but otherwise conform to the rules for LDH labels." ### 1.6.2 Acronyms @@ -565,15 +566,13 @@ ETSI EN 319 403, Electronic Signatures and Infrastructures (ESI); Trust Service ETSI EN 319 411-1, Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements -ETSI TS 102 042, Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates. - FIPS 140-2, Federal Information Processing Standards Publication - Security Requirements For Cryptographic Modules, Information Technology Laboratory, National Institute of Standards and Technology, May 25, 2001. FIPS 140-3, Federal Information Processing Standards Publication - Security Requirements For Cryptographic Modules, Information Technology Laboratory, National Institute of Standards and Technology, March 22, 2019. -FIPS 186-4, Federal Information Processing Standards Publication - Digital Signature Standard (DSS), Information Technology Laboratory, National Institute of Standards and Technology, July 2013. +FIPS 186-5, Federal Information Processing Standards Publication - Digital Signature Standard (DSS), Information Technology Laboratory, National Institute of Standards and Technology, February 2023. -ISO 21188:2006, Public key infrastructure for financial services -- Practices and policy framework. +ISO 21188:2018, Public key infrastructure for financial services -- Practices and policy framework. Network and Certificate System Security Requirements, Version 1.7, available at @@ -630,7 +629,7 @@ By convention, this document omits time and timezones when listing effective req # 2. PUBLICATION AND REPOSITORY RESPONSIBILITIES -The CA SHALL develop, implement, enforce, and annually update a Certificate Policy and/or Certification Practice Statement that describes in detail how the CA implements the latest version of these Requirements. +The CA SHALL develop, implement, enforce, and at least once every 366 days update a Certificate Policy and/or Certification Practice Statement that describes in detail how the CA implements the latest version of these Requirements. ## 2.1 Repositories @@ -644,7 +643,7 @@ The Certificate Policy and/or Certification Practice Statement MUST be structure The CA SHALL publicly give effect to these Requirements and represent that it will adhere to the latest published version. The CA MAY fulfill this requirement by incorporating these Requirements directly into its Certificate Policy and/or Certification Practice Statements or by incorporating them by reference using a clause such as the following (which MUST include a link to the official version of these Requirements): -> [Name of CA] conforms to the current version of the Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates published at . In the event of any inconsistency between this document and those Requirements, those Requirements take precedence over this document. +> [Name of CA] conforms to the current version of the Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates published at . In the event of any inconsistency between this document and those Requirements, those Requirements take precedence over this document. The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates that are @@ -798,14 +797,16 @@ This method has been retired and MUST NOT be used. Prior validations using this ##### 3.2.2.4.7 DNS Change -Confirming the Applicant's control over the FQDN by confirming the presence of a Random Value or Request Token for either in a DNS CNAME, TXT or CAA record for either 1) an Authorization Domain Name; or 2) an Authorization Domain Name that is prefixed with a Domain Label that begins with an underscore character. +Confirming the Applicant's control over the FQDN by confirming the presence of a Random Value or Request Token in a DNS CNAME, TXT or CAA record for either + 1. an Authorization Domain Name; or + 2. an Authorization Domain Name that is prefixed with a Domain Label that begins with an underscore character. If a Random Value is used, the CA SHALL provide a Random Value unique to the Certificate request and SHALL not use the Random Value after - i. 30 days or - ii. if the Applicant submitted the Certificate request, the time frame permitted for reuse of validated information relevant to the Certificate (such as in [Section 4.2.1](#421-performing-identification-and-authentication-functions) of these Guidelines or Section 3.2.2.14.3 of the EV Guidelines). + 1. 30 days; or + 2. if the Applicant submitted the Certificate request, the time frame permitted for reuse of validated information relevant to the Certificate (such as in [Section 4.2.1](#421-performing-identification-and-authentication-functions) of these Guidelines or Section 3.2.2.14.3 of the EV Guidelines). -CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same challenge information (i.e. Random Value or Request Token) as the Primary Network Perspective. +CAs performing validations using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same challenge information (i.e. Random Value or Request Token) as the Primary Network Perspective. **Note**: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the Domain Labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names. @@ -813,9 +814,9 @@ CAs using this method MUST implement Multi-Perspective Issuance Corroboration as Confirming the Applicant's control over the FQDN by confirming that the Applicant controls an IP address returned from a DNS lookup for A or AAAA records for the FQDN in accordance with [Section 3.2.2.5](#3225-authentication-for-an-ip-address). -CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same IP address as the Primary Network Perspective. +CAs performing validations using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same IP address as the Primary Network Perspective. -**Note**: Once the FQDN has been validated using this method, the CA MUST NOT issue Certificates for other FQDNs that end with all the labels of the validated FQDN unless the CA performs a separate validation for that FQDN using an authorized method. This method is NOT suitable for validating Wildcard Domain Names. +**Note**: Once the FQDN has been validated using this method, the CA MUST NOT issue Certificates for other FQDNs that end with all the labels of the validated FQDN unless the CA performs separate validations for each of those other FQDNs using authorized methods. This method is NOT suitable for validating Wildcard Domain Names. ##### 3.2.2.4.9 Test Certificate @@ -850,7 +851,7 @@ Each email MAY confirm control of multiple FQDNs, provided that each email addre The Random Value SHALL be unique in each email. The email MAY be re-sent in its entirety, including the re-use of the Random Value, provided that its entire contents and recipient(s) SHALL remain unchanged. The Random Value SHALL remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values. -CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the selected contact address used for domain validation observed by the Primary Network Perspective. +CAs performing validations using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same selected contact address used for domain validation as the Primary Network Perspective. **Note**: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the Domain Labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names. @@ -862,7 +863,7 @@ Each email MAY confirm control of multiple FQDNs, provided that each email addre The Random Value SHALL be unique in each email. The email MAY be re-sent in its entirety, including the re-use of the Random Value, provided that its entire contents and recipient(s) SHALL remain unchanged. The Random Value SHALL remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values. -CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the selected contact address used for domain validation observed by the Primary Network Perspective. +CAs performing validations using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same selected contact address used for domain validation as the Primary Network Perspective. **Note**: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the Domain Labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names. @@ -899,7 +900,7 @@ In the event of reaching voicemail, the CA may leave the Random Value and the AD The Random Value SHALL remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values. -CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the selected contact address used for domain validation observed by the Primary Network Perspective. +CAs performing validations using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same selected contact address used for domain validation as the Primary Network Perspective. **Note**: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the Domain Labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names. @@ -913,7 +914,7 @@ In the event of reaching voicemail, the CA may leave the Random Value and the AD The Random Value SHALL remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values. -CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the selected contact address used for domain validation observed by the Primary Network Perspective. +CAs performing validations using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same selected contact address used for domain validation as the Primary Network Perspective. **Note**: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the Domain Labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names. @@ -944,10 +945,10 @@ If a Random Value is used, then: 1. The CA MUST provide a Random Value unique to the certificate request. 2. The Random Value MUST remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values, in which case the CA MUST follow its CPS. -Except for Onion Domain Names, CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same challenge information (i.e. Random Value or Request Token) as the Primary Network Perspective. +Except for Onion Domain Names, CAs performing validations using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same challenge information (i.e. Random Value or Request Token) as the Primary Network Perspective. **Note**: - * The CA MUST NOT issue Certificates for other FQDNs that end with all the labels of the validated FQDN unless the CA performs a separate validation for that FQDN using an authorized method. This method is NOT suitable for validating Wildcard Domain Names. + * The CA MUST NOT issue Certificates for other FQDNs that end with all the labels of the validated FQDN unless the CA performs separate validations for each of those other FQDNs using authorized methods. This method is NOT suitable for validating Wildcard Domain Names. ##### 3.2.2.4.19 Agreed-Upon Change to Website - ACME @@ -965,10 +966,10 @@ If the CA follows redirects, the following apply: 2. Redirects MUST be to resource URLs with either the "http" or "https" scheme. 3. Redirects MUST be to resource URLs accessed via Authorized Ports. -Except for Onion Domain Names, CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same challenge information (i.e. Random Value or Request Token) as the Primary Network Perspective. +Except for Onion Domain Names, CAs performing validations using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same challenge information (i.e. token) as the Primary Network Perspective. **Note**: - * The CA MUST NOT issue Certificates for other FQDNs that end with all the labels of the validated FQDN unless the CA performs a separate validation for that FQDN using an authorized method. This method is NOT suitable for validating Wildcard Domain Names. + * The CA MUST NOT issue Certificates for other FQDNs that end with all the labels of the validated FQDN unless the CA performs separate validations for each of those other FQDNs using authorized methods. This method is NOT suitable for validating Wildcard Domain Names. ##### 3.2.2.4.20 TLS Using ALPN @@ -976,9 +977,9 @@ Confirming the Applicant's control over a FQDN by validating domain control of t The token (as defined in RFC 8737, Section 3) MUST NOT be used for more than 30 days from its creation. The CPS MAY specify a shorter validity period for the token, in which case the CA MUST follow its CPS. -Except for Onion Domain Names, CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same token as the Primary Network Perspective. +Except for Onion Domain Names, CAs performing validations using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same challenge information (i.e. token) as the Primary Network Perspective. -**Note**: Once the FQDN has been validated using this method, the CA MUST NOT issue Certificates for other FQDNs that end with all the labels of the validated FQDN unless the CA performs a separate validation for that FQDN using an authorized method. This method is NOT suitable for validating Wildcard Domain Names. +**Note**: Once the FQDN has been validated using this method, the CA MUST NOT issue Certificates for other FQDNs that end with all the labels of the validated FQDN unless the CA performs separate validations for each of those other FQDNs using authorized methods. This method is NOT suitable for validating Wildcard Domain Names. #### 3.2.2.5 Authentication for an IP Address @@ -999,7 +1000,7 @@ If a Random Value is used, the CA SHALL provide a Random Value unique to the cer i. 30 days or ii. if the Applicant submitted the certificate request, the time frame permitted for reuse of validated information relevant to the certificate (such as in [Section 4.2.1](#421-performing-identification-and-authentication-functions) of this document). -CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same challenge information (i.e. Random Value or Request Token) as the Primary Network Perspective. +CAs performing validations using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same challenge information (i.e. Random Value or Request Token) as the Primary Network Perspective. ##### 3.2.2.5.2 Email, Fax, SMS, or Postal Mail to IP Address Contact @@ -1019,7 +1020,7 @@ The Random Value SHALL remain valid for use in a confirming response for no more Confirming the Applicant’s control over the IP Address by obtaining a Domain Name associated with the IP Address through a reverse-IP lookup on the IP Address and then verifying control over the FQDN using a method permitted under [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control). -CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same FQDN as the Primary Network Perspective. +CAs performing validations using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same FQDN as the Primary Network Perspective. ##### 3.2.2.5.4 Any Other Method @@ -1041,13 +1042,13 @@ The Random Value SHALL remain valid for use in a confirming response for no more Confirming the Applicant's control over the IP Address by performing the procedure documented for an "http-01" challenge in RFC 8738. -CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same token as the Primary Network Perspective. +CAs performing validations using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same challenge information (i.e. token) as the Primary Network Perspective. ##### 3.2.2.5.7 ACME "tls-alpn-01" method for IP Addresses Confirming the Applicant's control over the IP Address by performing the procedure documented for a "tls-alpn-01" challenge in RFC 8738. -CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same token as the Primary Network Perspective. +CAs performing validations using this method MUST implement Multi-Perspective Issuance Corroboration as specified in [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration). To count as corroborating, a Network Perspective MUST observe the same challenge information (i.e. token) as the Primary Network Perspective. #### 3.2.2.6 Wildcard Domain Validation @@ -1056,7 +1057,7 @@ Wildcard Domain Name in the Certificate is "registry-controlled" or is a "public If the FQDN portion of any Wildcard Domain Name is "registry-controlled" or is a "public suffix", CAs MUST refuse issuance unless the Applicant proves its rightful control of the entire Domain Namespace. (e.g. CAs MUST NOT issue "\*.co.uk" or "\*.local", but MAY issue "\*.example.com" to Example Co.). -Determination of what is "registry-controlled" versus the registerable portion of a Country Code Top-Level Domain Namespace is not standardized at the time of writing and is not a property of the DNS itself. Current best practice is to consult a "public suffix list" such as the [Public Suffix List (PSL)](), and to retrieve a fresh copy regularly. +Determination of what is "registry-controlled" versus the registerable portion of a Country Code Top-Level Domain Namespace is not standardized at the time of writing and is not a property of the DNS itself. Current best practice is to consult a "public suffix list" such as the [Public Suffix List (PSL)](), and to retrieve a fresh copy regularly. If using the PSL, a CA SHOULD consult the "ICANN DOMAINS" section only, not the "PRIVATE DOMAINS" section. The PSL is updated regularly to contain new gTLDs delegated by ICANN, which are listed in the "ICANN DOMAINS" section. A CA is not prohibited from issuing a Wildcard Certificate to the Registrant of an entire gTLD, provided that control of the entire namespace is demonstrated in an appropriate way. @@ -1111,11 +1112,11 @@ The set of responses from the relied upon Network Perspectives MUST provide the Results or information obtained from one Network Perspective MUST NOT be reused or cached when performing validation through subsequent Network Perspectives (e.g., different Network Perspectives cannot rely on a shared DNS cache to prevent an adversary with control of traffic from one Network Perspective from poisoning the DNS cache used by other Network Perspectives). The network infrastructure providing Internet connectivity to a Network Perspective MAY be administered by the same organization providing the computational services required to operate the Network Perspective. All communications between a remote Network Perspective and the CA MUST take place over an authenticated and encrypted channel relying on modern protocols (e.g., over HTTPS). -A Network Perspective MAY use a recursive DNS resolver that is NOT co-located with the Network Perspective. However, the DNS resolver used by the Network Perspective MUST fall within the same Regional Internet Registry service region as the Network Perspective relying upon it. Furthermore, for any pair of DNS resolvers used on a Multi-Perspective Issuance Corroboration attempt, the straight-line distance between the two States, Provinces, or Countries the DNS resolvers reside in MUST be at least 500 km. The location of a DNS resolver is determined by the point where unencapsulated outbound DNS queries are typically first handed off to the network infrastructure providing Internet connectivity to that DNS resolver. +A Network Perspective MAY use a recursive DNS resolver that is NOT co-located with the Network Perspective. However, the DNS resolver used by the Network Perspective MUST fall within the same Regional Internet Registry service region as the Network Perspective relying upon it. Furthermore, for any pair of DNS resolvers used on a Multi-Perspective Issuance Corroboration attempt, the straight-line distance between the two DNS resolvers MUST be at least 500 km. The location of a DNS resolver is determined by the point where unencapsulated outbound DNS queries are typically first handed off to the network infrastructure providing Internet connectivity to that DNS resolver. CAs MAY immediately retry Multi-Perspective Issuance Corroboration using the same validation method or an alternative method (e.g., a CA can immediately retry validation using "Email to DNS TXT Contact" if "Agreed-Upon Change to Website - ACME" does not corroborate the outcome of Multi-Perspective Issuance Corroboration). When retrying Multi-Perspective Issuance Corroboration, CAs MUST NOT rely on corroborations from previous attempts. There is no stipulation regarding the maximum number of validation attempts that may be performed in any period of time. -The "Quorum Requirements" Table describes quorum requirements related to Multi-Perspective Issuance Corroboration. If the CA does NOT rely on the same set of Network Perspectives for both Domain Authorization or Control and CAA Record checks, the quorum requirements MUST be met for both sets of Network Perspectives (i.e.,the Domain Authorization or Control set and the CAA record check set). Network Perspectives are considered distinct when the straight-line distance between the two States, Provinces, or Countries they reside in is at least 500 km. Network Perspectives are considered "remote" when they are distinct from the Primary Network Perspective and the other Network Perspectives represented in a quorum. +The "Quorum Requirements" Table describes quorum requirements related to Multi-Perspective Issuance Corroboration. If the CA does NOT rely on the same set of Network Perspectives for both Domain Authorization or Control and CAA Record checks, the quorum requirements MUST be met for both sets of Network Perspectives (i.e.,the Domain Authorization or Control set and the CAA record check set). Network Perspectives are considered distinct when the straight-line distance between them is at least 500 km. Network Perspectives are considered "remote" when they are distinct from the Primary Network Perspective and the other Network Perspectives represented in a quorum. A CA MAY reuse corroborating evidence for CAA record quorum compliance for a maximum of 398 days. After issuing a Certificate to a domain, remote Network Perspectives MAY omit retrieving and processing CAA records for the same domain or its subdomains in subsequent Certificate requests from the same Applicant for up to a maximum of 398 days. @@ -1156,10 +1157,10 @@ If any of the above considerations are performed by a Delegated Third Party, the Phased Implementation Timeline: - *Effective September 15, 2024*, the CA SHOULD implement Multi-Perspective Issuance Corroboration using at least two (2) remote Network Perspectives. - *Effective March 15, 2025*, the CA MUST implement Multi-Perspective Issuance Corroboration using at least two (2) remote Network Perspectives. The CA MAY proceed with certificate issuance if the number of remote Network Perspectives that do not corroborate the determinations made by the Primary Network Perspective ("non-corroborations") is greater than allowed in the Quorum Requirements table. -- *Effective September 15, 2025*, the CA MUST implement Multi-Perspective Issuance Corroboration using at least two (2) remote Network Perspectives. The CA MUST NOT proceed with certificate issuance if the number of non-corroborations is greater than allowed in the Quorum Requirements table. -- *Effective March 15, 2026*, the CA MUST implement Multi-Perspective Issuance Corroboration using at least three (3) remote Network Perspectives. The CA MUST NOT proceed with certificate issuance if the number of non-corroborations is greater than allowed in the Quorum Requirements table and if the remote Network Perspectives that do corroborate the determinations made by the Primary Network Perspective do not fall within the service regions of at least two (2) distinct Regional Internet Registries. -- *Effective June 15, 2026*, the CA MUST implement Multi-Perspective Issuance Corroboration using at least four (4) remote Network Perspectives. The CA MUST NOT proceed with certificate issuance if the number of non-corroborations is greater than allowed in the Quorum Requirements table and if the remote Network Perspectives that do corroborate the determinations made by the Primary Network Perspective do not fall within the service regions of at least two (2) distinct Regional Internet Registries. -- *Effective December 15, 2026*, the CA MUST implement Multi-Perspective Issuance Corroboration using at least five (5) remote Network Perspectives. The CA MUST NOT proceed with certificate issuance if the number of non-corroborations is greater than allowed in the Quorum Requirements table and if the remote Network Perspectives that do corroborate the determinations made by the Primary Network Perspective do not fall within the service regions of at least two (2) distinct Regional Internet Registries. +- *Effective September 15, 2025*, the CA MUST implement Multi-Perspective Issuance Corroboration using at least two (2) remote Network Perspectives. The CA MUST ensure that the requirements defined in Quorum Requirements Table are satisfied. If the requirements are not satisfied, then the CA MUST NOT proceed with issuance of the Certificate. +- *Effective March 15, 2026*, the CA MUST implement Multi-Perspective Issuance Corroboration using at least three (3) remote Network Perspectives. The CA MUST ensure that the requirements defined in Quorum Requirements Table are satisfied, and the remote Network Perspectives that corroborate the Primary Network Perspective fall within the service regions of at least two (2) distinct Regional Internet Registries. If the requirements are not satisfied, then the CA MUST NOT proceed with issuance of the Certificate. +- *Effective June 15, 2026*, the CA MUST implement Multi-Perspective Issuance Corroboration using at least four (4) remote Network Perspectives. The CA MUST ensure that the requirements defined in Quorum Requirements Table are satisfied, and the remote Network Perspectives that corroborate the Primary Network Perspective fall within the service regions of at least two (2) distinct Regional Internet Registries. If the requirements are not satisfied, then the CA MUST NOT proceed with issuance of the Certificate. +- *Effective December 15, 2026*, the CA MUST implement Multi-Perspective Issuance Corroboration using at least five (5) remote Network Perspectives. The CA MUST ensure that the requirements defined in Quorum Requirements Table are satisfied, and the remote Network Perspectives that corroborate the Primary Network Perspective fall within the service regions of at least two (2) distinct Regional Internet Registries. If the requirements are not satisfied, then the CA MUST NOT proceed with issuance of the Certificate. ### 3.2.3 Authentication of individual identity @@ -1468,7 +1469,7 @@ No stipulation. ### 4.9.7 CRL issuance frequency -CRLs must be available via a publicly-accessible HTTP URL (i.e., "published"). +CRLs MUST be available via a publicly-accessible HTTP URL (i.e., "published"). Within twenty-four (24) hours of issuing its first Certificate, the CA MUST generate and publish either: - a full and complete CRL; OR @@ -1639,7 +1640,7 @@ Based on the Risk Assessment, the CA SHALL develop, implement, and maintain a se ### 5.2.2 Number of Individuals Required per Task -The CA Private Key SHALL be backed up, stored, and recovered only by personnel in trusted roles using, at least, dual control in a physically secured environment. +The CA Private Key SHALL be backed up, stored, and recovered only by personnel in Trusted Roles using, at least, dual control in a physically secured environment. ### 5.2.3 Identification and authentication for each role @@ -1998,7 +1999,7 @@ The CA MAY perform Linting on the corpus of its unexpired, un-revoked Subscriber ## 7.1 Certificate profile -The CA SHALL meet the technical requirements set forth in [Section 2.2 - Publication of Information](#22-publication-of-information), [Section 6.1.5 - Key Sizes](#615-key-sizes), and [Section 6.1.6 - Public Key Parameters Generation and Quality Checking](#616-public-key-parameters-generation-and-quality-checking). +The CA SHALL meet the technical requirements set forth in [Section 6.1.5 - Key Sizes](#615-key-sizes), and [Section 6.1.6 - Public Key Parameters Generation and Quality Checking](#616-public-key-parameters-generation-and-quality-checking). Prior to 2023-09-15, the CA SHALL issue Certificates in accordance with the profile specified in these Requirements or the profile specified in version 1.8.6 of the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates. Effective 2023-09-15, the CA SHALL issue Certificates in accordance with the profile specified in these Requirements. @@ -2059,7 +2060,7 @@ If the CA asserts compliance with these Baseline Requirements, all certificates | `basicConstraints` | MUST | Y | See [Section 7.1.2.1.4](#71214-root-ca-basic-constraints) | | `keyUsage` | MUST | Y | See [Section 7.1.2.10.7](#712107-ca-certificate-key-usage) | | `subjectKeyIdentifier` | MUST | N | See [Section 7.1.2.11.4](#712114-subject-key-identifier) | -| `extKeyUsage` | MUST NOT | N | - | +| `extKeyUsage` | MUST NOT | - | - | | `certificatePolicies` | NOT RECOMMENDED | N | See [Section 7.1.2.10.5](#712105-ca-certificate-certificate-policies) | | Signed Certificate Timestamp List | MAY | N | See [Section 7.1.2.11.3](#712113-signed-certificate-timestamp-list) | | Any other extension | NOT RECOMMENDED | - | See [Section 7.1.2.11.5](#712115-other-extensions) | @@ -2151,7 +2152,7 @@ Table: Cross-Certified Subordinate CA with Restricted EKU | ---- | - | - | ----- | | `extKeyUsage` | MUST[^eku_ca] | N | See [Section 7.1.2.2.5](#71225-cross-certified-subordinate-ca-extended-key-usage---restricted) | -[^eku_ca]: While [RFC 5280, Section 4.2.1.12](https://tools.ietf.org/html/rfc5280#section-4.2.1.13) notes that this extension will generally only appear within end-entity certificates, these Requirements make use of this extension to further protect relying parties by limiting the scope of CA Certificates, as implemented by a number of Application Software Suppliers. +[^eku_ca]: While [RFC 5280, Section 4.2.1.12](https://tools.ietf.org/html/rfc5280#section-4.2.1.12) notes that this extension will generally only appear within end-entity certificates, these Requirements make use of this extension to further protect relying parties by limiting the scope of CA Certificates, as implemented by a number of Application Software Suppliers. [^name_constraints]: See [Section 7.1.2.10.8](#712108-ca-certificate-name-constraints) for further requirements, including regarding criticality of this extension. @@ -2586,7 +2587,7 @@ Table: Organization Validated `subject` Attributes | `countryName` | MUST | The two-letter ISO 3166-1 country code for the country associated with the Subject. If a Country is not represented by an official ISO 3166-1 country code, the CA MUST specify the ISO 3166-1 user-assigned code of `XX`, indicating that an official ISO 3166-1 alpha-2 code has not been assigned. | [Section 3.2.2.1](#3221-identity) | | `stateOrProvinceName` | MUST / MAY | MUST be present if `localityName` is absent, MAY be present otherwise. If present, MUST contain the Subject's state or province information. | [Section 3.2.2.1](#3221-identity) | | `localityName` | MUST / MAY | MUST be present if `stateOrProvinceName` is absent, MAY be present otherwise. If present, MUST contain the Subject's locality information. | [Section 3.2.2.1](#3221-identity) | -| `postalCode` | NOT RECOMMENDED | If present, MUST contain the Subject's zip or postal information. | [Section 3.2.2.1](#3221-identity)) | +| `postalCode` | NOT RECOMMENDED | If present, MUST contain the Subject's zip or postal information. | [Section 3.2.2.1](#3221-identity) | | `streetAddress` | NOT RECOMMENDED | If present, MUST contain the Subject's street address information. Multiple instances MAY be present.| [Section 3.2.2.1](#3221-identity) | | `organizationName` | MUST | The Subject's name and/or DBA/tradename. The CA MAY include information in this field that differs slightly from the verified name, such as common variations or abbreviations, provided that the CA documents the difference and any abbreviations used are locally accepted abbreviations; e.g. if the official record shows "Company Name Incorporated", the CA MAY use "Company Name Inc." or "Company Name". If both are included, the DBA/tradename SHALL appear first, followed by the Subject's name in parentheses. | [Section 3.2.2.2](#3222-dbatradename) | | `surname` | MUST NOT | - | - | @@ -2745,6 +2746,8 @@ Table: `GeneralName` within a `subjectAltName` extension | `iPAddress` | Y | The entry MUST contain the IPv4 or IPv6 address that the CA has confirmed the Applicant controls or has been granted the right to use through a method specified in [Section 3.2.2.5](#3225-authentication-for-an-ip-address). The entry MUST NOT contain a Reserved IP Address. | | `registeredID` | N | - | +**Note**: As an explicit exception from RFC 5280, P-Labels are permitted to not conform to IDNA 2003. These Requirements allow for the inclusion of P-Labels that do not conform with IDNA 2003 to support newer versions of the Unicode character repertoire, among other improvements to the various IDNA standards. + #### 7.1.2.8 OCSP Responder Certificate Profile If the Issuing CA does not directly sign OCSP responses, it MAY make use of an OCSP Authorized Responder, as defined by [RFC 6960](https://tools.ietf.org/html/rfc6960#section-4.2.2.2). The Issuing CA of the Responder MUST be the same as the Issuing CA for the Certificates it provides responses for. @@ -3029,13 +3032,13 @@ Table: Policy Restricted | __Field__ | __Presence__ | __Contents__ | | --- | - | ------ | | `policyIdentifier` | MUST | One of the following policy identifiers: | -|     A [Reserved Certificate Policy Identifier](#7161-reserved-certificate-policy-identifiers) | MUST | The CA MUST include at least one Reserved Certificate Policy Identifier (see [Section 7.1.6.1](#7161-reserved-certificate-policy-identifiers)) associated with the given Subscriber Certificate type (see [Section 7.1.2.7.1](#71271-subscriber-certificate-types)) directly or transitively issued by this Certificate. | +|     A [Reserved Certificate Policy Identifier](#7161-reserved-certificate-policy-identifiers) | MUST | The CA MUST include exactly one Reserved Certificate Policy Identifier (see [Section 7.1.6.1](#7161-reserved-certificate-policy-identifiers)) associated with the given Subscriber Certificate type (see [Section 7.1.2.7.1](#71271-subscriber-certificate-types)) directly or transitively issued by this Certificate. | |     `anyPolicy` | MUST NOT | The `anyPolicy` Policy Identifier MUST NOT be present. | |     Any other identifier | MAY | If present, MUST be defined by the CA and documented by the CA in its Certificate Policy and/or Certification Practice Statement. | | `policyQualifiers` | NOT RECOMMENDED | If present, MUST contain only permitted `policyQualifiers` from the table below. | -This Profile RECOMMENDS that the first `PolicyInformation` value within the Certificate Policies extension contains the Reserved Certificate Policy Identifier (see [7.1.6.1](#7161-reserved-certificate-policy-identifiers))[^first_policy_note]. Regardless of the order of `PolicyInformation` values, the Certificate Policies extension MUST contain exactly one Reserved Certificate Policy Identifier. +The Policy Restricted profile RECOMMENDS that the first `PolicyInformation` value within the Certificate Policies extension contains the Reserved Certificate Policy Identifier (see [7.1.6.1](#7161-reserved-certificate-policy-identifiers))[^first_policy_note]. Regardless of the order of `PolicyInformation` values, the Certificate Policies extension MUST contain exactly one Reserved Certificate Policy Identifier. **Note**: policyQualifiers is NOT RECOMMENDED to be present in any Certificate issued under this Certificate Profile because this information increases the size of the Certificate without providing any value to a typical Relying Party, and the information may be obtained by other means when necessary. @@ -3425,7 +3428,7 @@ A full and complete CRL is a CRL whose scope includes all Certificates issued by A partitioned CRL (sometimes referred to as a "sharded CRL") is a CRL with a constrained scope, such as all Certificates issued by the CA during a certain period of time ("temporal sharding"). Aside from the presence of the Issuing Distribution Point extension (OID 2.5.29.28) in partitioned CRLs, both CRL formats are syntactically the same from the perspective of this profile. -Minimally, CAs MUST issue either a "full and complete" CRL or a set of "partitioned" CRLs which cover the complete set of Certificates issued by the CA. In other words, if issuing only partitioned CRLs, the combined scope of those CRLs must be equivalent to that of a full and complete CRL. +Minimally, CAs MUST issue either a "full and complete" CRL or a set of "partitioned" CRLs which cover the complete set of Certificates issued by the CA within 7 days of such CA issuing its first certificate. In other words, if issuing only partitioned CRLs, the combined scope of those CRLs must be equivalent to that of a full and complete CRL. CAs MUST NOT issue indirect CRLs (i.e., the issuer of the CRL is not the issuer of all Certificates that are included in the scope of the CRL). @@ -3533,7 +3536,7 @@ The CA SHALL at all times: 2. Comply with the audit requirements set forth in this section; and 3. Be licensed as a CA in each jurisdiction where it operates, if licensing is required by the law of such jurisdiction for the issuance of Certificates. -**Implementers' Note**: Version 1.1.6 of the SSL Baseline Requirements was published on July 29, 2013. Version 2.0 of WebTrust's Principles and Criteria for Certification Authorities - SSL Baseline with Network Security and ETSI's Electronic Signatures and Infrastructures (ESI) 102 042 incorporate version 1.1.6 of these Baseline Requirements and version 1.0 of the Network and Certificate System Security Requirements. The CA/Browser Forum continues to improve the Baseline Requirements while WebTrust and ETSI also continue to update their audit criteria. We encourage all CAs to conform to each revision herein on the date specified without awaiting a corresponding update to an applicable audit criterion. In the event of a conflict between an existing audit criterion and a guideline revision, we will communicate with the audit community and attempt to resolve any uncertainty, and we will respond to implementation questions directed to . Our coordination with compliance auditors will continue as we develop guideline revision cycles that harmonize with the revision cycles for audit criteria, the compliance auditing periods and cycles of CAs, and the CA/Browser Forum's guideline implementation dates. +**Implementers' Note**: Version 1.1.6 of the SSL Baseline Requirements was published on July 29, 2013. Version 2.0 of WebTrust's Principles and Criteria for Certification Authorities - SSL Baseline with Network Security and ETSI's Electronic Signatures and Infrastructures (ESI) 319 411-1 incorporate version 1.1.6 of these Baseline Requirements and version 1.0 of the Network and Certificate System Security Requirements. The CA/Browser Forum continues to improve the Baseline Requirements while WebTrust and ETSI also continue to update their audit criteria. We encourage all CAs to conform to each revision herein on the date specified without awaiting a corresponding update to an applicable audit criterion. In the event of a conflict between an existing audit criterion and a guideline revision, we will communicate with the audit community and attempt to resolve any uncertainty, and we will respond to implementation questions directed to . Our coordination with compliance auditors will continue as we develop guideline revision cycles that harmonize with the revision cycles for audit criteria, the compliance auditing periods and cycles of CAs, and the CA/Browser Forum's guideline implementation dates. ## 8.1 Frequency or circumstances of assessment @@ -3550,7 +3553,7 @@ If the CA does not have a currently valid Audit Report indicating compliance wit The CA's audit SHALL be performed by a Qualified Auditor. A Qualified Auditor means a natural person, Legal Entity, or group of natural persons or Legal Entities that collectively possess the following qualifications and skills: 1. Independence from the subject of the audit; -2. The ability to conduct an audit that addresses the criteria specified in an Eligible Audit Scheme (see [Section 8.4](#84-topics-covered-by-assessment)); +2. The ability to conduct an audit that addresses the criteria specified in an eligible audit scheme (see [Section 8.4](#84-topics-covered-by-assessment)); 3. Employs individuals who have proficiency in examining Public Key Infrastructure technology, information security tools and techniques, information technology and security auditing, and the third-party attestation function; 4. (For audits conducted in accordance with any one of the ETSI standards) accredited in accordance with ISO 17065 applying the requirements specified in ETSI EN 319 403; 5. (For audits conducted in accordance with the WebTrust standard) licensed by WebTrust; @@ -3580,7 +3583,7 @@ The audit MUST be conducted by a Qualified Auditor, as specified in [Section 8.2 For Delegated Third Parties which are not Enterprise RAs, then the CA SHALL obtain an audit report, issued under the auditing standards that underlie the accepted audit schemes found in [Section 8.4](#84-topics-covered-by-assessment), that provides an opinion whether the Delegated Third Party's performance complies with either the Delegated Third Party's practice statement or the CA's Certificate Policy and/or Certification Practice Statement. If the opinion is that the Delegated Third Party does not comply, then the CA SHALL not allow the Delegated Third Party to continue performing delegated functions. -The audit period for the Delegated Third Party SHALL NOT exceed one year (ideally aligned with the CA's audit). However, if the CA or Delegated Third Party is under the operation, control, or supervision of a Government Entity and the audit scheme is completed over multiple years, then the annual audit MUST cover at least the core controls that are required to be audited annually by such scheme plus that portion of all non-core controls that are allowed to be conducted less frequently, but in no case may any non-core control be audited less often than once every three years. +The audit period for the Delegated Third Party SHALL NOT exceed one year (ideally aligned with the CA's audit). ## 8.5 Actions taken as a result of deficiency