What are the validation requirements with EV SSL Certificates?
Posted by Maria Brosnan on 17 June 2016 12:25 PM
The validation requirements for this type of SSL Certificates are very extensive. When submitting an EV SSL Certificate order, both Comodo and Freeparking will validate the following:
- Applicant's Legal Status. This verification will be obtained or verified directly with registration agency. Verification of the legal status depends on the type of organisation.
- Private Organisations -- Incorporated entities with suffixes such as Inc., LLC, (US) Ltd. (UK), Pty. Ltd. (AUS), GmBh (Germany), AS (Norway)
- Government Entities -- Government entities include departments of the government, pubic/state schools, local governments, etc.
- Business Entities – Non-incorporated businesses that are created by filing with a government entity. To qualify for an EV certificate, there must be a registration authority and something equivalent to a business license. General Partnerships and Limited Partnerships generally fall into this category. Some sole proprietors qualify as a Business Entity, but others do not. For example UK sole proprietors do not currently qualify for EV as there is no registration authority for sole proprietors in the UK.
- Non-Commercial Entities -– International organisations that are not specifically tied to one country or government. NATO and the United Nations fall into this category.
- Flagged Entity Check. Comodo checks the organisation against an anti-phishing work group, the US treasury department denied persons and organisations list, and other exclusion lists. Entities found on these lists will either be denied a certificate or require additional validation prior to issuance.
- DBA/Trade Name (if applicable). Trade and DBA names are verified directly with registration agency or through a third party database such as D&B or Hoovers.
- Physical Existence. This information will be confirmed through a third party database such as Dun and Brad Street (D&B).
- Operational Existence. Registration of longer than three years will demonstrate operational existence. Otherwise, the organisation must be verified with a third party database (D&B) or through a bank letter verifying that the organisation has a demand deposit account with a regulated financial institution.
- Phone Number. Phone numbers will be verified through a third party database or through an online source that receives information directly from a telecommunications provider.
- Domain Ownership -- Domain names are verified through the domain registrar. Privacy on domains should be suspended until the validation process is complete.
- Name, Title, and Authority of Contract Signer. If the contract signer’s name is on the registration documents or a third party database (such as D&B), further verification is generally not necessary. If further validation is necessary, a call to HR or another individual listed as a key person within the organisation can be used to verify the name and title of the contract signer. During the phone call, the contract signer can be used to verify the authority of the certificate approver/requester. Having the contract signer, certificate approver, and certificate requester as the same person will help accelerate the process.
- Name, Title, and Authority of Certificate Approver/Requester. Certificate Approver/Requesters are verified by a phone call to either HR or the contract signer.-
- Signature/Approval -- Verified through a phone call to the contract signer.
As an alternative, verification of items 3-9 can be completed using a letter from a CPA, a chartered accountant, or a legal opinion from an attorney.