CA/Browser Forum
Home » All CA/Browser Forum Posts » Ballot 131 – Update to Verified Method of Communication (passed)

Ballot 131 – Update to Verified Method of Communication (passed)

Voting on Ballot 131 (Update to Verified Method of Communication) closed last Friday. Voting in favor were: Actalis, Buypass, Comodo, DigiCert, Disig, Entrust, GlobalSign, GoDaddy, OpenTrust, QuoVadis, SECOM Trust, SSC, StartCom, Symantec, Trend Micro, Trustwave, Trustis, TURKTRUST, WoSign and Mozilla. There were no votes against and no abstentions. Therefore, Ballot 131 passed.

Ballot 131 – Update to Verified Method of Communication

The EV Guidelines Working Group has revisited Section 11.4 of the EV Guidelines (Applicant’s Physical Existence) and has decided that it is best to split it into two separate sections. Section 11.4.1 would remain as is for “Address of Applicant’s Place of Business.” Section 11.4.2 would be moved to its own section–a new 11.5, and all subsequent section numbers in 11 would be renumbered accordingly. The new Section 11.5 will focus on a verified means for communicating with the organization to be named as the subject in the certificate (to verify the authority of EV roles and ensure that it was appropriately aware of the certificate request).

Cecilia Kam of Symantec made the following motion, and Rich Smith from Comodo and Jeremy Rowley from DigiCert have endorsed it.

Motion Begins

In the Guidelines for the Issuance and Management of Extended Validation Certificates:

  1. DELETE Section 11.4.2 (Telephone Number for Applicant’s Place of Business)

  2. INSERT a new definition – “Verified Method of Communication” – in Section 4 as follows: Verified Method of Communication: The use of a telephone number, a fax number, an email address, or a postal delivery address, confirmed by the CA in accordance with Section 11.5 of the Guidelines as a reliable way of communicating with the Applicant.

  3. In Section 11.1.1, renumber the existing subsection (3) as subsection (4) and INSERT a new subsection (3) as follows: “(3) Verify a reliable means of communication with the entity to be named as the Subject in the Certificate;”

  4. RENUMBER sections 11.5 through 11.13 by increasing them each by .1 and UPDATE all cross-references in the EV Guidelines.

  5. INSERT a new Section 11.5 titled, “Verified Method of Communication” as follows:

11.5 Verified Method of Communication

11.5.1 Verification Requirements

To assist in communicating with the Applicant and confirming that the Applicant is aware of and approves issuance, the CA MUST verify a telephone number, fax number, email address, or postal delivery address as a Verified Method of Communication with the Applicant.

11.5.2 Acceptable Methods of Verification To verify a Verified Method of Communication with the Applicant, the CA MUST:

(A) Verify that the Verified Method of Communication belongs to the Applicant, or a Parent/Subsidiary or Affiliate of the Applicant, by matching it with one of the Applicant’s Parent/Subsidiary or Affiliate’s Places of Business in: (i) records provided by the applicable phone company; (ii) a QGIS, QTIS, or QIIS; or (iii) a Verified Legal Opinion or Verified Accountant Letter; and

(B) Confirm the Verified Method of Communication by using it to obtain an affirmative response sufficient to enable a reasonable person to conclude that the Applicant, or a Parent/Subsidiary or Affiliate of Applicant, can be contacted reliably by using the Verified Method of Communication.

  1. Amend newly renumbered subsection 11.11.4(1)(A)(i) as follows: “A position within the Applicant’s organization that qualifies as a Confirming Person (e.g., Secretary, President, CEO, CFO, COO, CIO, CSO, Director, etc.) and is identified by name and title in a current QGIS, QIIS, QTIS, Verified Legal Opinion, Verified Accountant Letter, or by contacting the Applicant using a Verified Method of Communication; or”

  2. REPLACE newly renumbered subsection 11.14.1(1) (D) with “(D) Verified Method of Communication – thirteen months ”

  3. REPLACE newly renumbered subsection 11.14.3(1)(C) with “The Verified Method of Communication required by Section 11.5 but still MUST perform the verification required by Section 11.5.2(B);”

  4. REPLACE newly renumbered subsection 11.8.2(2)(A) with “(A) Contacting the Applicant using a Verified Method of Communication for the Applicant, and obtaining confirmation that the Contract Signer and/or the Certificate Approver, as applicable, is an employee;”

  5. REPLACE newly renumbered subsection 11.9.2(1) with “Contacting the Applicant using a Verified Method of Communication for the Applicant, for the attention of the Certificate Requester or Contract Signer, as applicable, followed by a response from someone who identifies themselves as such person confirming that he/she did sign the applicable document on behalf of the Applicant;”

and

REPLACE newly renumbered subsection 11.9.2(2) with “A letter mailed to the Applicant’s or Agent’s address, as verified through independent means in accordance with these Guidelines, for the attention of the Certificate Requester or Contract Signer, as applicable, followed by a response through a Verified Method of Communication from someone who identifies themselves as such person confirming that he/she did sign the applicable document on behalf of the Applicant;”

  1. REPLACE newly renumbered subsection 11.10.2(1) with “Contacting the Certificate Approver using a Verified Method of Communication for the Applicant and obtaining oral or written confirmation that the Certificate Approver has reviewed and approved the EV Certificate Request;”

Motion Ends

The review period for this ballot shall commence at 2200 UTC on Friday, 22 August 2014, and will close at 2200 UTC on Friday, 29 August 2014. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2200 UTC on Friday, 5 September 2014. Votes must be cast by posting an on-list reply to this thread. THE VOTING PERIOD FOR THIS BALLOT HAS BEEN EXTENDED TO 2200 UTC FRIDAY, 12 SEPTEMBER 2014.

A vote in favor of the motion must indicate a clear ‘yes’ in the response. A vote against must indicate a clear ‘no’ in the response. A vote to abstain must indicate a clear ‘abstain’ in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here: /about/membership/members/

In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor. Also, at least seven members must participate in the ballot, either by voting in favor, voting against, or abstaining.

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).