Guidelines Version 1.1 Errata
1. QGIS for place of business address
Replace Section 16a with the following text.
(a) Address of Applicant's Place of Business
(1) Verification Requirements. To verify Applicant's physical existence and business presence, the CA MUST verify that the physical address provided by Applicant is an address where Applicant or a Parent/Subsidiary Company conducts business operations (e.g., not a mail drop or P.O. box, or 'care of' (C/O) address, such as an address for an agent of the Organization), and is the address of Applicant's Place of Business.
(2) Acceptable Methods of Verification. To verify the address of Applicant's Place of Business:
(A) For Applicants whose Place of Business is in the same country as Applicant's Jurisdiction of Incorporation or Registration:
(1) For Applicants whose Place of Business is in the same country as Applicant's Jurisdiction of Incorporation or Registration and whose Place of Business is NOT the same as that indicated in the relevant Qualified Government Information Source used in Section (14) to verify legal existence:
(1) For Applicants listed at the same Place of Business address in the current version of either at least one Qualified Independent Information Source or a Qualified Governmental Tax Information Source, the CA MUST confirm that Applicant's address as listed in the EV Certificate Request is a valid business address for Applicant or a Parent/Subsidiary Company by reference to such Qualified Independent Information Sources or a Qualified Governmental Tax Information Source, and MAY rely on Applicant's representation that such address is its Place of Business;
(2) For Applicants who are not listed at the same Place of Business address in the current version of either at least one Qualified Independent Information Source or a Qualified Governmental Tax Information Source, the CA MUST confirm that the address provided by Applicant in the EV Certificate Request is in fact Applicant's or a Parent/Subsidiary Company's business address, by obtaining documentation of a site visit to the business address, which MUST be performed by a reliable individual or firm. The documentation of the site visit MUST:
(a) Verify that Applicant's business is located at the exact address stated in the EV Certificate Request (e.g., via permanent signage, employee confirmation, etc.);
(b) Identify the type of facility (e.g., office in a commercial building, private residence, storefront, etc.) and whether it appears to be a permanent business location;
(c) Indicate whether there is a permanent sign (that cannot be moved) that identifies Applicant;
(d) Indicate whether there is evidence that Applicant is conducting ongoing business activities at the site (e.g., that it is not just a mail drop, P.O. box, etc.); and
(e) Include one or more photos of (i) the exterior of the site (showing signage indicating Applicant's name, if present, and showing the street address if possible), and (ii) the interior reception area or workspace.
(3) For all Applicants, the CA MAY alternatively rely on a Verified Legal Opinion or a Verified Accountant Letter that indicates the address of Applicant's or a Parent/Subsidiary Company's Place of Business and that business operations are conducted there.
(4) For Government Entity Applicants, the CA MAY rely on the address contained in the records of the QGIS in Applicant's Jurisdiction.
(2) For Applicants whose Place of Business is in the same country as Applicant's Jurisdiction of Incorporation or Registration and where the Qualified Government Information Source used in Section (14) to verify legal existence contains a business address for the Applicant, the CA MAY rely on the Address in the QGIS to confirm the Applicant's or a Parent/Subsidiary Company address as listed in the EV Certificate Request, and MAY rely on Applicant's representation that such address is its Place of Business.
(B) For Applicants whose Place of Business is not in the same country as Applicant's Jurisdiction of Incorporation or Registration, the CA MUST rely on a Verified Legal Opinion that indicates the address of Applicant's Place of Business and that business operations are conducted there.
2. Scope
Replace the following paragraph from Section 1.(b), effective 18 June 2008.
"This version of the Guidelines addresses only requirements for EV Certificates intended to be used for server-authentication SSL/TLS on the Internet. Similar requirements for client-authentication SSL/TLS, S/MIME, code-signing, time-stamping, VoIP, IM, Web services, etc. may be covered in future versions."
With:
"This version of the Guidelines addresses only requirements for EV Certificates intended to be used for SSL/TLS authentication on the Internet and code-signing. Similar requirements for S/MIME, time-stamping, VoIP, IM, Web services, etc. may be covered in future versions."
3. Allowed EKU values
Add the following clause to Appendix B, section 3, effective 18 June 2008.
"(e) extKeyUsage
Either the value id-kp-serverAuth [RFC3280] or id-kp-clientAuth [RFC3280] or both values MUST be present. Other values SHOULD NOT be present."
4. RFC5280
Effective 11 July 2008, replace 'RFC3280' with 'RFC5280' throughout the document.
5. Certificate renewal (same CA)
Effective 25 July 2008.
5.1 Replace this paragraph from Section 8.
8. Maximum Validity Period
(b) For Validated Data. The age of validated data used to support issuance of an EV Certificate (before revalidation is required) SHALL NOT exceed the following limits:
(1) Legal existence and identity - one year;
(2) Assumed name - one year;
(3) Address of Place of Business - one year, but thereafter data MAY be refreshed by checking a Qualified Independent Information Source, even where a site visit was originally required;
(4) Telephone number for Place of Business - one year;
(5) Bank account verification - one year;
(6) Domain name - one year;
(7) Identity and authority of Certificate Approver - one year, unless a contract is in place between the CA and Applicant that specifies a different term, in which case, the term specified in such contract will control. For example, the contract MAY use terms that allow the assignment of roles that are perpetual until revoked, or until the contract expires or is terminated.
With:
8. Maximum Validity Period
(b) For Validated Data. The age of validated data used to support issuance of an EV Certificate (before revalidation is required) SHALL NOT exceed the following limits:
(1) Legal existence and identity - thirteen months;
(2) Assumed name - thirteen months;
(3) Address of Place of Business - thirteen months, but thereafter data MAY be refreshed by checking a Qualified Independent Information Source, even where a site visit was originally required;
(4) Telephone number for Place of Business - thirteen months;
(5) Bank account verification - thirteen months;
(6) Domain name - thirteen months;
(7) Identity and authority of Certificate Approver - thirteen months, unless a contract is in place between the CA and Applicant that specifies a different term, in which case, the term specified in such contract will control. For example, the contract MAY use terms that allow the assignment of roles that are perpetual until revoked, or until the contract expires or is terminated.
5.2 Add the following paragraph as Section 22(d)(3)
22(d)(3) - The CA MAY rely on a verified Confirming Person to confirm their own contact information: email address, telephone number, and facsimile number. The CA MAY rely on this verified contact information for future correspondence with the Confirming Person if:
1. The domain of the e-mail address is owned by the Applicant and is the Confirming Person's own e-mail address and not a group e-mail alias,
2. The Confirming Person's telephone/fax number is verified by the CA to be a telephone number that is part of the organization's telephone system, and is not the personal phone number for the person.
5.3 Replace this paragraph from Section 25
25. Certificate Renewal Verification Requirements
Before renewing an EV Certificate, the CA MUST perform all authentication and verification tasks required by these Guidelines to ensure that the renewal request is properly authorized by Applicant and that the information in the EV Certificate is still accurate and valid.
With:
25. EV Certificate Renewal Verification Requirements
(a) Validation for Renewal Requests. In conjunction with the EV Certificate Renewal process, the CA MUST perform all authentication and verification tasks required by these Guidelines to ensure that the renewal request is properly authorized by Applicant and that the information in the EV Certificate is still accurate and valid.
(b) Exceptions. Notwithstanding the requirements set forth in Section 33(b) (Use of Pre-Existing Information or Documentation) and Section 8 (Maximum Validity Period), a CA, when performing the authentication and verification tasks for EV Certificate Renewal MAY:
(1) EV Certificate previously issued by the CA:
(i) Rely on its prior authentication and verification of:
(a) A Principal Individual of a Business Entity under Section 14(b)(4) if the Principal Individual is the same as the Principal Individual verified by the CA in connection with the previously issued EV Certificate,
(b) Applicant's Place of Business under Section 16(a),
(c) The verification of telephone number of Applicant's Place of Business required by Section 16(b), but still MUST perform the verification required by Section 16(b)(2)(a),
(d) Applicant's Operational Existence under Section 17,
(e) The name, title, and authority of the Contract Signer, Certificate Approver, and Certificate Requester under Section 19, except where a contract is in place between the CA and Applicant that specifies a specific term for the authority of the Contract Signer, and/or the Certificate Approver, and/or Certificate Requester in which case, the term specified in such contract will control,
(f) The prior verification of the email address used by the CA for independent confirmation from applicant under Section 22(d)(1)(B)(ii).
(ii) Rely on prior Verified Legal/Accountant Opinion that established:
(a) Applicant's exclusive right to use the specified domain name under Section 18 (b)(2)(A)(1) & Section 18 (b)(2)(B)(1), provided that the CA verifies that either:
a. The WHOIS record still shows the same registrant as indicated when the CA received the prior Verified Legal Opinion, or
b. The Applicant establishes domain control via a practical demonstration as detailed in Section 18(b)(2)(B)(2).
(b) Verification that Applicant is aware that it has exclusive control of the domain name, under Section 18 (a)(b)(3).
5.4 Add the following Definition to the Definition section:
EV Certificate Renewal. The process whereby an Applicant who has a valid unexpired and non-revoked EV certificate makes application, to the CA that issued the original certificate, for a newly issued EV certificate for the same organizational and domain name prior to the expiration of the applicant's existing EV Certificate.