Minimum Security Requirements for Issuance of Verified

Verified Mark Certificate Requirements v1.4

Minimum Security Requirements for Issuance of Verified Mark Certificates Version 1.4

Version 1.4 March 31, 2022

TABLE OF CONTENTS

1. INTRODUCTION
1.1. Overview
1.2. Document name and Identification
1.2.1. Revisions
1.2.2. Verified Mark Certificate OIDs
1.3. PKI Participants
1.3.1. Certification Authorities
1.3.2. Registration Authorities
1.3.3. Subscribers
1.3.4. Relying Parties
1.3.5. Other Participants
1.4. Certificate Usage
1.4.1. Appropriate Certificate Uses
1.4.2. Prohibited Certificate Uses
1.5. Policy administration
1.5.1. Organization Administering the Document
1.5.2. Contact Person
1.5.3. Person Determining CPS suitability for the policy
1.5.4. CPS approval procedures
1.6. Definitions and acronyms
1.6.1. Definitions
1.6.2. Acronyms
1.6.3. References
1.6.4. Conventions

2. PUBLICATION AND REPOSITORY RESPONSIBILITIES
2.1. Repositories
2.2. Publication of information
2.3. Time or frequency of publication
2.4. Access controls on repositories

3. IDENTIFICATION AND AUTHENTICATION
3.1. Naming
3.1.1. Types of names
3.1.2. Need for names to be meaningful
3.1.3. Anonymity or pseudonymity of subscribers
3.1.4. Rules for interpreting various name forms
3.1.5. Uniqueness of names
3.1.6. Recognition, authentication, and role of trademarks
3.2. Initial identity validation
3.2.1. Method to Prove Possession of Private Key
3.2.2. Authentication of Organization and Domain Identity
3.2.3. Verification Requirements – Overview
3.2.4. Acceptable Methods of Verification – Overview
3.2.5. Verification of Applicant’s Legal Existence and Identity
3.2.6. Verification of Applicant’s Legal Existence and Identity – Assumed Name
3.2.7. Verification of Applicant’s Physical Existence
3.2.8. Verified Method of Communication
3.2.9. Verification of Applicant’s Operational Existence
3.2.10. Verification of Identity and Authority of Contract Signer and Certificate Approver
3.2.11. Verification of Signature on Subscriber Agreement and Verified Mark Certificate Requests
3.2.12. Verification of Approval of Verified Mark Certificate Request
3.2.13. Verification of Certain Information Sources
3.2.14. Validation of Domain Authorization or Control
3.2.15. CAA Records for Verified Mark Certificates
3.2.16. Registered Mark Verification
3.2.17. Other Verification Requirements
3.2.18. Final Cross-Correlation and Due Diligence
3.2.19. Criteria for Interoperation or Certification
3.3. Identification and authentication for re-key requests
3.3.1. Identification and Authentication for Routine Re-key

3.3.2. Identification and Authentication for Re-key After Revocation
3.4. Identification and authentication for revocation request

4. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS
4.1. Certificate Application
4.1.1. Who Can Submit a Certificate Application
4.1.2. Enrollment Process and Responsibilities
4.2. Certificate application processing
4.2.1. Performing Identification and Authentication Functions
4.2.2. Approval or Rejection of Certificate Applications
4.2.3. Time to Process Certificate Applications
4.3. Certificate issuance
4.3.1. CA Actions during Certificate Issuance
4.3.2. Notification of Certificate Issuance
4.4. Certificate acceptance
4.4.1. Conduct constituting certificate acceptance
4.4.2. Publication of the certificate by the CA
4.4.3. Notification of certificate issuance by the CA to other entities
4.5. Key pair and certificate usage
4.5.1. Subscriber private key and certificate usage
4.5.2. Relying party public key and certificate usage
4.6. Certificate renewal
4.6.1. Circumstance for certificate renewal
4.6.2. Who may request renewal
4.6.3. Processing certificate renewal requests
4.6.4. Notification of new certificate issuance to subscriber
4.6.5. Conduct constituting acceptance of a renewal certificate
4.6.6. Publication of the renewal certificate by the CA
4.6.7. Notification of certificate issuance by the CA to other entities
4.7. Certificate re-key
4.7.1. Circumstance for certificate re-key
4.7.2. Who may request certification of a new public key
4.7.3. Processing certificate re-keying requests
4.7.4. Notification of new certificate issuance to subscriber
4.7.5. Conduct constituting acceptance of a re-keyed certificate
4.7.6. Publication of the re-keyed certificate by the CA
4.7.7. Notification of certificate issuance by the CA to other entities
4.8. Certificate modification
4.8.1. Circumstance for certificate modification
4.8.2. Who may request certificate modification
4.8.3. Processing certificate modification requests
4.8.4. Notification of new certificate issuance to subscriber
4.8.5. Conduct constituting acceptance of modified certificate
4.8.6. Publication of the modified certificate by the CA
4.8.7. Notification of certificate issuance by the CA to other entities
4.9. Certificate revocation and suspension
4.9.1. Circumstances for Revocation
4.9.2. Who Can Request Revocation
4.9.3. Procedure for Revocation Request
4.9.4. Revocation Request Grace Period
4.9.5. Time within which CA Must Process the Revocation Request
4.9.6. Revocation Checking Requirement for Relying Parties
4.9.7. CRL Issuance Frequency
4.9.8. Maximum Latency for CRLs
4.9.9. On-line Revocation/Status Checking Availability
4.9.10. On-line Revocation Checking Requirements
4.9.11. Other Forms of Revocation Advertisements Available
4.9.12. Special Requirements Related to Key Compromise
4.9.13. Circumstances for Suspension
4.9.14. Who Can Request Suspension
4.9.15. Procedure for Suspension Request
4.9.16. Limits on Suspension Period
4.10. Certificate status services

4.10.1. Operational Characteristics
4.10.2. Service Availability
4.10.3. Optional Features
4.11. End of subscription
4.12. Key escrow and recovery
4.12.1. Key escrow and recovery policy and practices
4.12.2. Session key encapsulation and recovery policy and practices

5. MANAGEMENT, OPERATIONAL, AND PHYSICAL CONTROLS
5.1. Physical security Controls

5.1.1. Site location and construction
5.1.2. Physical access
5.1.3. Power and air conditioning
5.1.4. Water exposures
5.1.5. Fire prevention and protection
5.1.6. Media storage
5.1.7. Waste disposal
5.1.8. Off-site backup
5.2. Procedural controls
5.2.1. Trusted Roles
5.2.2. Number of Individuals Required per Task
5.2.3. Identification and Authentication for Trusted Roles
5.2.4. Roles Requiring Separation of Duties
5.3. Personnel controls
5.3.1. Qualifications, Experience, and Clearance Requirements
5.3.2. Background Check Procedures
5.3.3. Training Requirements and Procedures
5.3.4. Retraining Frequency and Requirements
5.3.5. Job Rotation Frequency and Sequence
5.3.6. Sanctions for Unauthorized Actions
5.3.7. Independent Contractor Controls
5.3.8. Documentation Supplied to Personnel
5.4. Audit logging procedures
5.4.1. Types of Events Recorded
5.4.2. Frequency for Processing and Archiving Audit Logs
5.4.3. Retention Period for Audit Logs
5.4.4. Protection of Audit Log
5.4.5. Audit Log Backup Procedures
5.4.6. Audit Log Accumulation System (internal vs. external)
5.4.7. Notification to Event-Causing Subject
5.4.8. Vulnerability Assessments
5.5. Records archival
5.5.1. Types of Records Archived
5.5.2. Retention Period for Archive
5.5.3. Protection of Archive
5.5.4. Archive Backup Procedures
5.5.5. Requirements for Time-stamping of Records
5.5.6. Archive Collection System (internal or external)
5.5.7. Procedures to Obtain and Verify Archive Information
5.6. Key changeover
5.7. Compromise and disaster recovery
5.7.1. Incident and Compromise Handling Procedures
5.7.2. Recovery Procedures if Computing Resources, Software, and/or Data Are Corrupted
5.7.3. Recovery Procedures After Key Compromise
5.7.4. Business Continuity Capabilities after a Disaster
5.8. CA or RA termination

6. TECHNICAL SECURITY CONTROLS
6.1. Key pair generation and installation
6.1.1. Key Pair Generation
6.1.2. Private Key Delivery to Subscriber
6.1.3. Public Key Delivery to Certificate Issuer
6.1.4. CA Public Key Delivery to Relying Parties
6.1.5. Algorithm type and key sizes

6.1.6. Public Key Parameters Generation and Quality Checking
6.1.7. Key Usage Purposes
6.2. Private Key Protection and Cryptographic Module Engineering Controls
6.2.1. Cryptographic Module Standards and Controls
6.2.2. Private Key (n out of m) Multi-person Control
6.2.3. Private Key Escrow
6.2.4. Private Key Backup
6.2.5. Private Key Archival
6.2.6. Private Key Transfer into or from a Cryptographic Module
6.2.7. Private Key Storage on Cryptographic Module
6.2.8. Activating Private Keys
6.2.9. Deactivating Private Keys
6.2.10. Destroying Private Keys
6.2.11. Cryptographic Module Capabilities
6.3. Other aspects of key pair management
6.3.1. Public Key Archival
6.3.2. Certificate Operational Periods and Key Pair Usage Periods
6.4. Activation data
6.4.1. Activation data generation and installation
6.4.2. Activation data protection
6.4.3. Other aspects of activation data
6.5. Computer security controls
6.5.1. Specific Computer Security Technical Requirements
6.5.2. Computer Security Rating
6.6. Life cycle technical controls
6.6.1. System development controls
6.6.2. Security management controls
6.6.3. Life cycle security controls
6.7. Network security controls
6.8. Time-stamping

7. CERTIFICATE, CRL, AND OCSP PROFILES
7.1. Certificate profile
7.1.1. Version Number(s)
7.1.2. Certificate Content and Extensions; Application of RFC 5280
7.1.3. Algorithm Object Identifiers
7.1.4. Name Forms
7.1.5. Name Constraints
7.1.6. Certificate Policy Object Identifier
7.1.7. Usage of Policy Constraints Extension
7.1.8. Policy Qualifiers Syntax and Semantics
7.1.9. Processing Semantics for the Critical Certificate Policies Extension
7.2. CRL profile
7.2.1. Version number(s)
7.2.2. CRL and CRL entry extensions
7.3. OCSP profile
7.3.1. Version number(s)
7.3.2. OCSP extensions

8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS
8.1. Frequency or circumstances of assessment
8.2. Identity/qualifications of assessor
8.3. Assessor's relationship to assessed entity
8.4. Topics covered by assessment
8.5. Actions taken as a result of deficiency
8.6. Communication of results
8.7. Self-Audits

9. OTHER BUSINESS AND LEGAL MATTERS
9.1. Fees
9.1.1. Certificate issuance or renewal fees
9.1.2. Certificate access fees
9.1.3. Revocation or status information access fees
9.1.4. Fees for other services
9.1.5. Refund policy

VerifiedMarkCertificateRequirementsv1.4 6

9.2. Financial responsibility ................................................................................................................ 75 9.2.1. Insurance coverage ........................................................................................................... 75 9.2.2. Other assets ....................................................................................................................... 75 9.2.3. Insurance or warranty coverage for end-entities ............................................................... 75

9.3. Confidentiality of business information ........................................................................................ 75 9.3.1. Scope of confidential information ....................................................................................... 75 9.3.2. Information not within the scope of confidential information .............................................. 75 9.3.3. Responsibility to protect confidential information ............................................................... 76

9.4. Privacy of personal information ................................................................................................... 76 9.4.1. Privacy plan ....................................................................................................................... 76 9.4.2. Information treated as private ............................................................................................ 76 9.4.3. Information not deemed private ......................................................................................... 76 9.4.4. Responsibility to protect private information ...................................................................... 76 9.4.5. Notice and consent to use private information ................................................................... 76 9.4.6. Disclosure pursuant to judicial or administrative process .................................................. 76 9.4.7. Other information disclosure circumstances ...................................................................... 76

9.5. Intellectual property rights ........................................................................................................... 76 9.6. Representations and warranties .................................................................................................. 76

9.6.1. CA Representations and Warranties ................................................................................. 76 9.6.2. RA Representations and Warranties ................................................................................. 77 9.6.3. Subscriber Representations and Warranties ..................................................................... 77 9.6.4. Relying Party Representations and Warranties ................................................................. 78 9.6.5. Representations and Warranties of Other Participants ..................................................... 78

9.7. Disclaimers of warranties ............................................................................................................ 78 9.8. Limitations of liability .................................................................................................................... 78 9.9. Indemnities .................................................................................................................................. 78

9.9.1. Indemnification by CAs ...................................................................................................... 78 9.9.2. Indemnification by Subscribers .......................................................................................... 79 9.9.3. Indemnification by Relying Parties ..................................................................................... 79

9.10. Term and termination .................................................................................................................. 79 9.10.1. Term ................................................................................................................................... 79 9.10.2. Termination ........................................................................................................................ 79 9.10.3. Effect of termination and survival ....................................................................................... 79

9.11. Individual notices and communications with participants ............................................................ 79 9.12. Amendments ............................................................................................................................... 79

9.12.1. Procedure for amendment ................................................................................................. 79 9.12.2. Notification mechanism and period .................................................................................... 79 9.12.3. Circumstances under which OID must be changed ........................................................... 79

9.13. Dispute resolution provisions ...................................................................................................... 79 9.14. Governing law .............................................................................................................................. 79 9.15. Compliance with applicable law .................................................................................................. 79 9.16. Miscellaneous provisions ............................................................................................................ 79

9.16.1. Entire Agreement ............................................................................................................... 79 9.16.2. Assignment ........................................................................................................................ 80 9.16.3. Severability ........................................................................................................................ 80 9.16.4. Enforcement (attorneys' fees and waiver of rights) ............................................................ 80 9.16.5. Force Majeure .................................................................................................................... 80

9.17. Other provisions .......................................................................................................................... 80 APPENDIX A – DNS Contact Properties ................................................................................................... 81 APPENDIX B – Mapping of Combined, Design, and Word Mark Terminology to Terminology of Authorized Trademark Offices 83 APPENDIX C – Authorized Trademark Offices for VMCs ......................................................................... 86 APPENDIX D - VMC Terms of Use (“VMC Terms”) .................................................................................. 87 APPENDIX E - Optional Rules for Matching Mark Representation Submitted by Subscriber with Registered Mark Verified by CA ............................................................................................................................................ 89 APPENDIX F - CT Logs Approved by Authindicators Working Group ...................................................... 90 APPENDIX G – Additional F2F Verification Requirements ....................................................................... 91 APPENDIX H - Country-Specific Interpretative Guidelines (Normative) .................................................... 95 APPENDIX I – Abstract Syntax Notation One module for EV certificates ................................................. 97 APPENDIX J – Registration Schemes ....................................................................................................... 98


1. INTRODUCTION

1.1. OVERVIEW

This document describes an integrated set of technologies, protocols, and identity and mark proofing requirements that are necessary for the issuance and management of Verified Mark Certificates (VMCs) - certificates that are trusted by Consuming Entities. Upon adoption, they are mandatory for Certification Authorities who issue or plan to issue Verified Mark Certificates.

VMCs assert a cryptographically verifiable and auditable binding between an identity, a logo, and a domain. The key pair of an end entity VMC is unused, and there are no requirements around the generation, storage, and protection of such key pairs. In particular, Certification Authorities MAY generate such key pairs on behalf of their customers, and VMCs need not be revoked if the unused key pair is compromised.

VMCs present Consuming Entities and Relying Parties with information about and marks asserted by the Mark Asserting Entity, some of which is gathered from legal documents and government registries (including trademark registries). When Mark Verifying Authorities verify marks presented by a Mark Asserting Entity for inclusion in a VMC, or when Mark Verifying Authorities present VMCs and the information or marks they contain to Consuming Entities, or when Consuming Entities present VMCs and the information or marks they contain to Relying Parties, they are not providing legal advice to any party. In adopting these Verified Mark Certificate Requirements (VMCR), the Authindicators Working Group is not providing legal advice to any party. All parties (Mark Asserting Entities, Mark Verifying Authorities, Consuming Entities and Relying Parties) are advised to consult their own legal counsel on all matters.

Mark Verifying Authorities have no legal obligation to issue VMCs to any Mark Asserting Entity. Consuming Entities have no legal obligation to use or display VMCs or the information or marks they contain to any Relying Party, and may choose at their sole discretion not to use or display VMCs (or groups or categories of VMCs) or the information or marks they contain to Relying Parties or to any subset of Relying Parties they may choose.

Verified Mark Certificates may be issued with respect to marks accredited by legislation (such as Registered Marks that are in good standing with a Trademark Office) and which are owned by or licensed to the Applicant. CAs may issue Verified Mark Certificates provided that the CA satisfies the requirements in this document.

All Subscribers/Mark Asserting Entities, Consuming Entities, and Relying Parties are bound by the VMC Terms attached as Appendix D according to their terms. CAs who issue Verified Mark Certificates SHALL include the VMC Terms in their applicable Certification Practice Statement.

Relevant sections of these VMCRs have been synchronized with the following versions of the CA/Browser Forum standards:

• Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates v1.7.0
• Guidelines For The Issuance And Management Of Extended Validation Certificates v1.7.2

This document may be synchronized from time to time with future versions of the CA/Browser Forum documents at the sole discretion of the Authindicators Working Group. However, this document is independent of any actions of the CA/Browser Forum or of its documents.

1.2. DOCUMENT NAME AND IDENTIFICATION

This document SHALL be known as the Verified Mark Certificate Requirements (or “VMC Requirements” or simply “VMCR”). These VMC Requirements SHALL take effect upon public adoption by one or more Certification Authorities (CAs) that offer Verified Mark Certificates to Subscribers and by one or more Consuming Entities that recognize and utilize the Verified Mark Certificates.

1.2.1. Revisions

Version   Adopted      Effective
0.97      12-19-2019   12-19-2019
0.984     06-24-2019   06-24-2019
0.985     05-26-2020   05-26-2020
0.986     02-05-2021   02-05-2021
1.0       07-09-2021   07-09-2021
1.1       09-10-2021   09-10-2021
1.2       11-28-2021   11-28-2021
1.3       01-31-2022   01-31-2022
1.4       03-31-2022   03-XX-2022

1.2.2. Verified Mark Certificate OIDs

Certificates adhering to these VMC Requirements SHALL be identified by the presence of the VMC policy OID in the Certificate Policies Extension as described in section 7.1.6.

1.3. PKI PARTICIPANTS

The Authindicators Working Group is a voluntary organization that maintains these VMC Requirements. These will be published at www.bimigroup.org.

1.3.1. Certification Authorities

Certification Authority (CA), also known as Mark Verifying Authority, is defined in Section 1.6.1.

1.3.2. Registration Authorities

With the exception of section 3.2.14, the CA MAY delegate the performance of all, or any part, of Section 3.2 requirements to a Delegated Third Party, provided that the process as a whole fulfills all of the requirements of Section 3.2.

Before the CA authorizes a Delegated Third Party to perform a delegated function, the CA SHALL contractually require the Delegated Third Party to:

(1) Meet the qualification requirements of Section 5.3.1, when applicable to the delegated function;
(2) Retain documentation in accordance with Section 5.5.2;
(3) Abide by the other provisions of these Requirements that are applicable to the delegated function; and
(4) Comply with (a) the CA’s Certificate Policy/Certification Practice Statement or (b) the Delegated Third Party’s practice statement that the CA has verified complies with these Requirements.

The CA MAY designate an Enterprise RA to verify certificate requests from the Enterprise RA’s own organization. The CA SHALL NOT accept certificate requests authorized by an Enterprise RA unless the following requirements are satisfied:

1. The CA SHALL confirm that the requested Fully-Qualified Domain Name(s) are within the Enterprise RA’s verified Domain Namespace.
2. If the certificate request includes a Subject name of a type other than a Fully-Qualified Domain Name, the CA SHALL confirm that the name is either that of the delegated enterprise, or an Affiliate of the delegated enterprise, or that the delegated enterprise is an agent of the named Subject. For example, the CA SHALL NOT issue a Certificate containing the Subject name “XYZ Co.” on the authority of Enterprise RA “ABC Co.”, unless the two companies are affiliated (see Section 3.2) or “ABC Co.” is the agent of “XYZ Co”. This requirement applies regardless of whether the accompanying requested Subject FQDN falls within the Domain Namespace of ABC Co.’s Registered Domain Name.

The CA SHALL impose these limitations as a contractual requirement on the Enterprise RA and monitor compliance by the Enterprise RA.
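The following is an added example, not part of the VMC Requirements and not any CA's code, of how a CA might pre-check a request authorized by an Enterprise RA against the two conditions of Section 1.3.2. The `EnterpriseRA` record, the function names and the constructed names under `.example` are assumptions; so is the choice to count a node as inside its own Domain Namespace.

```python
# Added example: CA-side pre-check for requests authorized by an Enterprise RA.
# The data model and every name below are assumptions made for illustration.
from __future__ import annotations

from dataclasses import dataclass


def labels(name: str) -> tuple[str, ...]:
    """Split a DNS name into lower-cased labels, ignoring one trailing dot."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    parts = tuple(name.split("."))
    if not name or "" in parts:
        raise ValueError(f"malformed domain name: {name!r}")
    return parts


def in_namespace(fqdn: str, node: str) -> bool:
    """True if fqdn is node or subordinate to it, compared label by label.

    A plain string suffix test would wrongly accept "notabc.example" for
    "abc.example". Counting the node itself as inside is an assumption.
    """
    f, n = labels(fqdn), labels(node)
    return len(f) >= len(n) and f[-len(n):] == n


def normalize_subject(name: str) -> str:
    """Case-fold and collapse whitespace before comparing Subject names."""
    return " ".join(name.split()).casefold()


@dataclass(frozen=True)
class EnterpriseRA:
    name: str
    # Nodes the CA has already verified for this Enterprise RA.
    verified_namespaces: frozenset[str]
    # The enterprise itself, its verified Affiliates, and Subjects for which
    # the CA has verified that the enterprise acts as agent.
    authorized_subjects: frozenset[str]


def check_request(ra: EnterpriseRA, fqdns: list[str],
                  subject_name: str | None = None) -> list[str]:
    """Return the reasons to refuse the request; an empty list means both checks pass."""
    reasons: list[str] = []
    # Condition 1: every requested FQDN lies within a verified Domain Namespace.
    for fqdn in fqdns:
        try:
            ok = any(in_namespace(fqdn, node) for node in ra.verified_namespaces)
        except ValueError as exc:
            reasons.append(str(exc))
            continue
        if not ok:
            reasons.append(
                f"FQDN {fqdn!r} is outside the verified Domain Namespace of {ra.name}")
    # Condition 2: evaluated independently of condition 1, because a valid FQDN
    # does not authorize an unrelated Subject name.
    if subject_name is not None:
        allowed = {normalize_subject(s) for s in ra.authorized_subjects}
        if normalize_subject(subject_name) not in allowed:
            reasons.append(
                f"Subject name {subject_name!r} is not {ra.name}, a verified "
                f"Affiliate, or a Subject it is verified agent for")
    return reasons


# Constructed sample record mirroring the "ABC Co." / "XYZ Co." case in the text.
ABC_RA = EnterpriseRA(
    name="ABC Co.",
    verified_namespaces=frozenset({"abc.example"}),
    authorized_subjects=frozenset({"ABC Co."}),
)

if __name__ == "__main__":
    for fqdns, subject in [
        (["mail.abc.example"], None),
        (["notabc.example"], None),
        (["mail.abc.example"], "XYZ Co."),
    ]:
        print(fqdns, subject, "->", check_request(ABC_RA, fqdns, subject) or "accept")
```
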

1.3.3. Subscribers

Subscribers may also be known as Mark Asserting Entities. Both are as defined in Section 1.6.1.

1.3.4. Relying Parties

“Relying Party” and “Application Software Supplier” and “Consuming Entities” are defined in Section 1.6.1.

1.3.5. Other Participants

Other groups that have participated in the development of these Requirements include the CPA Canada WebTrust for Certification Authorities task force. Participation by CPA Canada does not imply its endorsement, recommendation, or approval of the final product.

1.4. CERTIFICATE USAGE

1.4.1. Appropriate Certificate Uses

The primary goal of these Requirements is to enable efficient and secure electronic communication, while addressing user concerns about the trustworthiness of Certificates and Verified Marks. These Requirements also serve to inform users and help them to make informed decisions when relying on Certificates and Verified Marks.

1.4.2. Prohibited Certificate Uses

No Stipulation.

1.5. POLICY ADMINISTRATION

The Verified Mark Certificate Requirements present criteria established by the Authindicators Working Group for use by Certification Authorities when issuing, maintaining, and revoking Verified Mark Certificates. This document may be revised from time to time, as appropriate, in accordance with procedures adopted by the Authindicators Working Group. Because one of the primary beneficiaries of this document is the end user, the Authindicators Working Group openly invites anyone to make recommendations and suggestions by email to https://bimigroup.org/contact-us/. Authindicators Working Group members value all input, regardless of source, and will seriously consider all such input.

1.5.1. Organization Administering the Document

Authindicators Working Group https://bimigroup.org/.

1.5.2. Contact Person

Contact information for Authindicators Working Group is available here: https://bimigroup.org/contact-us/

In this section of a CA’s Certification Practice Statement (CPS), the CA SHALL provide a link to a web page or an email address for contacting the person or persons responsible for operation of the CA.

1.5.3. Person Determining CPS suitability for the policy

No stipulation.

1.5.4. CPS approval procedures

No stipulation.

1.6. DEFINITIONS AND ACRONYMS

1.6.1. Definitions

Accounting Practitioner: A certified public accountant, chartered accountant, or a person with an equivalent license within the country of the Applicant’s Jurisdiction of Incorporation or Registration or any jurisdiction where the Applicant maintains an office or physical facility; provided that an accounting standards body in the jurisdiction maintains full (not “suspended” or “associate”) membership status with the International Federation of Accountants.

Affiliate: A corporation, partnership, joint venture or other entity controlling, controlled by, or under common control with another entity, or an agency, department, political subdivision, or any entity operating under the direct control of a Government Entity.

Applicant: A person, entity, or organization applying for a Verified Mark Certificate, but which has not yet been issued a Verified Mark Certificate, or a person, entity, or organization that currently has a Verified Mark Certificate or Certificates and that is applying for renewal of such Verified Mark Certificate or Certificates or for an additional Verified Mark Certificate or Certificates.

Applicant Representative: A natural person or human sponsor who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant: (i) who signs and submits, or approves a certificate request on behalf of the Applicant, and/or (ii) who signs and submits a Subscriber Agreement on behalf of the Applicant, and/or (iii) who acknowledges the Terms of Use on behalf of the Applicant when the Applicant is an Affiliate of the CA or is the CA.

Application Software Supplier: A supplier of relying-party application software that displays or uses Verified Mark Certificates and incorporates Root Certificates.

Attestation Letter: A letter attesting that Subject Information is correct written by an accountant, lawyer, government official, or other reliable third party customarily relied upon for such information.

Audit Period: In a period-of-time audit, the period between the first day (start) and the last day of operations (end) covered by the auditors in their engagement. (This is not the same as the period of time when the auditors are on-site at the CA.) The coverage rules and maximum length of audit periods are defined in section 8.1.

Audit Report: A report from a Qualified Practitioner stating the Qualified Practitioner’s opinion on whether an entity’s processes and controls comply with the mandatory provisions of these Requirements.

Authorization Domain Name: The Domain Name used to obtain authorization for certificate issuance for a given FQDN. The CA may use the FQDN returned from a DNS CNAME lookup as the FQDN for the purposes of domain validation. The CA may prune zero or more labels from left to right until encountering a Base Domain Name and may use any one of the intermediate values for the purpose of domain validation.

Authorized Ports: One of the following ports: 80 (http), 443 (https), 25 (smtp), 22 (ssh).

Base Domain Name: The portion of an applied-for FQDN that is the first domain name node left of a registry-controlled or public suffix plus the registry-controlled or public suffix (e.g. "example.co.uk" or "example.com"). For FQDNs where the right-most domain name node is a gTLD having ICANN Specification 13 in its registry agreement, the gTLD itself may be used as the Base Domain Name.

Business Entity: Any entity that is not a Private Organization, Government Entity, or Non-Commercial Entity as defined herein. Examples include, but are not limited to, general partnerships, unincorporated associations, sole proprietorships, etc.

CA: The Certification Authority that issues a Verified Mark Certificate. Also known as a Mark Verifying Authority.

CAA: From RFC 8659 (https://tools.ietf.org/html/rfc8659): “The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain name. CAA Resource Records allow a public CA to implement additional controls to reduce the risk of unintended certificate mis-issue.”

Certificate: A Verified Mark Certificate.

Certificate Approver: A natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant to (i) act as a Certificate Requester and to authorize other employees or third parties to act as a Certificate Requester, and (ii) to approve VMC Requests submitted by other Certificate Requesters. The Certificate Approver may also serve as the Designated Individual during the F2F Verification Procedure.

Certificate Data: Certificate requests and data related thereto (whether obtained from the Applicant or otherwise) in the CA’s possession or control or to which the CA has access.

Certificate Management Process: Processes, practices, and procedures associated with the use of keys, software, and hardware, by which the CA verifies Certificate Data, issues Certificates, maintains a Repository, and revokes Certificates.

Certificate Policy: A set of rules that indicates the applicability of a named Certificate to a particular community and/or PKI implementation with common security requirements.

Certificate Problem Report: Complaint of Certificate misissuance, Certificate misuse, or other types of fraud, compromise, misuse, or inappropriate conduct related to Certificates.

Certificate Profile: A set of documents or files that defines requirements for Certificate content and Certificate extensions in accordance with Section 7 of these Requirements, e.g., a Section in a CA’s CPS or a certificate template file used by CA software.

Certificate Requester: A natural person who is either the Applicant, employed by the Applicant, an authorized agent who has express authority to represent the Applicant, or a third party (such as an ISP or hosting company) that completes and submits a VMC Certificate Request on behalf of the Applicant.

Certificate Revocation List: A regularly updated time-stamped list of revoked Certificates that is created and digitally signed by the CA that issued the Certificates.

Certification Authority: An organization that is responsible for the creation, issuance, revocation, and management of Certificates, also known as a Mark Verifying Authority. The term applies equally to both Roots CAs and Subordinate CAs.

Certification Practice Statement: One of several documents forming the governance framework in which Certificates are created, issued, managed, and used.


Combined Mark: A mark consisting of a graphic design, stylized logo, or image, with words and/or letters having a particular stylized appearance. For greater certainty, a “Combined Mark” includes marks made up of both word and design elements. See Appendix B for mapping of the names used by different trademarks offices to the definition of Combined Mark.

Confirmation Request: An appropriate out-of-band communication requesting verification or confirmation of the particular fact at issue.

Confirming Person: A position within an Applicant’s organization that confirms the particular fact at issue.

Consuming Entity (“CE”): An entity that incorporates and uses the Mark Representation and related data contained in a Verified Mark Certificate in its products and services in accordance with the VMC Terms. Consuming Entities include mailbox providers.

Contract Signer: A natural person who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant, and who has authority on behalf of the Applicant to sign Subscriber Agreements. The Contract Signer may also serve as the Designated Individual during the F2F Verification Procedure.

Control: “Control” (and its correlative meanings, “controlled by” and “under common control with”) means possession, directly or indirectly, of the power to: (1) direct the management, personnel, finances, or plans of such entity; (2) control the election of a majority of the directors; or (3) vote that portion of voting shares required for “control” under the law of the entity’s Jurisdiction of Incorporation or Registration but in no case less than 10%.

Country: Either a member of the United Nations OR a geographic region recognized as a Sovereign State by at least two UN member nations.

CRL: Certificate Revocation List as defined in RFC 5280. A CRL is a list identifying which certificates are revoked meaning invalid, published periodically by CAs.

Cross Certificate: A certificate that is used to establish a trust relationship between two Root CAs.

CSPRNG: A random number generator intended for use in cryptographic system.

Delegated Third Party: A natural person or Legal Entity that is not the CA, and whose activities are not within the scope of the appropriate CA audits, but is authorized by the CA to assist in the Certificate Management Process by performing or fulfilling one or more of the CA requirements found herein.

Demand Deposit Account: A deposit account held at a bank or other financial institution, the funds deposited in which are payable on demand. The primary purpose of demand accounts is to facilitate cashless payments by means of check, bank draft, direct debit, electronic funds transfer, etc. Usage varies among countries, but a demand deposit account is commonly known as a share draft account, a current account, or a checking account.

Design Mark: A mark consisting of a graphic design, stylized logo, or image, without words and/or letters. For greater certainty, a “Design Mark” includes marks made up solely of design elements. For Registered Marks, see Appendix B for mapping of the names used by different trademarks offices to the definition of Design Mark.

Designated Individual: The person who completes the F2F Verification Procedure under the provisions of Appendix G, Section 1 or Section 2.

DNS CAA Email Contact: The email address defined in section A.1.1.


DNS CAA Phone Contact: The phone number defined in section A.1.2.

DNS TXT Record Email Contact: The email address defined in section A.2.1.

DNS TXT Record Phone Contact: The phone number defined in section A.2.2.

Domain Authorization Document: Documentation provided by, or a CA’s documentation of a communication with, a Domain Name Registrar, the Domain Name Registrant, or the person or entity listed in WHOIS as the Domain Name Registrant (including any private, anonymous, or proxy registration service) attesting to the authority of an Applicant to request a Certificate for a specific Domain Namespace.

Domain Contact: The Domain Name Registrant, technical contact, or administrative contact (or the equivalent under a ccTLD) as listed in the WHOIS record of the Base Domain Name or in a DNS SOA record, or as obtained through direct contact with the Domain Name Registrar.

Domain Name: The label assigned to a node in the Domain Name System.

Domain Namespace: The set of all possible Domain Names that are subordinate to a single node in the Domain Name System.

Domain Name Registrant: Sometimes referred to as the “owner” of a Domain Name, but more properly the person(s) or entity(ies) registered with a Domain Name Registrar as having the right to control how a Domain Name is used, such as the natural person or Legal Entity that is listed as the “Registrant” by WHOIS or the Domain Name Registrar.

Domain Name Registrar: A person or entity that registers Domain Names under the auspices of or by agreement with: (i) the Internet Corporation for Assigned Names and Numbers (ICANN), (ii) a national Domain Name authority/registry, or (iii) a Network Information Center (including their affiliates, contractors, delegates, successors, or assignees).

Expiry Date: The “Not After” date in a Certificate that defines the end of a Certificate’s validity period.

F2F Verification Procedure: Either the Notarization process as specified at Appendix G, Section 1, or the web based F2F session as specified at Appendix G, Section 2, as chosen by the CA.

Fully-Qualified Domain Name: A Domain Name that includes the labels of all superior nodes in the Internet Domain Name System.

Global Legal Entity Identifier Foundation (GLEIF): The organization established by the Financial Stability Board to support the implementation and use of the Legal Entity Identifier (LEI). See www.gleif.org.

Global Legal Entity Identifier Index: The GLEIF public index of LEI records for those legal entities identifiable with an LEI.

Government Agency: In the context of a Private Organization, the government agency in the Jurisdiction of Incorporation under whose authority the legal existence of Private Organizations is established (e.g., the government agency that issued the Certificate of Incorporation). In the context of Business Entities, the government agency in the jurisdiction of operation that registers business entities. In the case of a Government Entity, the entity that enacts law, regulations, or decrees establishing the legal existence of Government Entities.

Government Entity: A government-operated legal entity, agency, department, ministry, branch, or similar element of the government of a country, or political subdivision within such country (such as a state, province, city, county, etc.).


Government Mark: A Mark or equivalent granted to or claimed by a government organization (or granted to a private organization or other organization) through official statute, regulation, treaty, or government action as it appears or is described in the statute, regulation, treaty, or government action and confirmed by a Mark Verifying Authority using the procedures prescribed in Section 3.2.16.2. A Mark that has been registered by a Government Entity as a trademark with a Trademark Office is not considered a “Government Mark”.

Incorporating Agency: In the context of a Private Organization, the government agency in the Jurisdiction of Incorporation under whose authority the legal existence of the entity is registered (e.g., the government agency that issues certificates of formation or incorporation). In the context of a Government Entity, the entity that enacts law, regulations, or decrees establishing the legal existence of Government Entities.

Independent Confirmation From Applicant: Confirmation of a particular fact received by the CA pursuant to the provisions of the Requirements or binding upon the Applicant.

Internal Name: A string of characters (not an IP address) in a Common Name or Subject Alternative Name field of a Certificate that cannot be verified as globally unique within the public DNS at the time of certificate issuance because it does not end with a Top Level Domain registered in IANA’s Root Zone Database.

International Organization: An organization founded by a constituent document, e.g., a charter, treaty, convention or similar document, signed by, or on behalf of, a minimum of two Sovereign State governments.

Issuing CA: In relation to a particular Certificate, the CA that issued the Certificate. This could be either a Root CA or a Subordinate CA.

Jurisdiction of Incorporation: In the context of a Private Organization, the country and (where applicable) the state or province or locality where the organization’s legal existence was established by a filing with (or an act of) an appropriate government agency or entity (e.g., where it was incorporated). In the context of a Government Entity, the country and (where applicable) the state or province where the Entity’s legal existence was created by law.

Jurisdiction of Registration: In the case of a Business Entity, the state, province, or locality where the organization has registered its business presence by means of filings by a Principal Individual involved in the business.

Key Generation Script: A documented plan of procedures for the generation of a CA Key Pair.

Key Pair: The Private Key and its associated Public Key.

Latin Notary: A person with legal training whose commission under applicable law not only includes authority to authenticate the execution of a signature on a document but also responsibility for the correctness and content of the document. A Latin Notary is sometimes referred to as a Civil Law Notary.

Legal Entity: A Private Organization, Government Entity, Business Entity, or Non-Commercial Entity.

Legal Existence: A Private Organization, Government Entity, or Business Entity has Legal Existence if it has been validly formed and not otherwise terminated, dissolved, or abandoned.

Legal Practitioner: A person who is either a lawyer or a Latin Notary as described in these Requirements and competent to render an opinion on factual claims of the Applicant.

Legal Entity Identifier (“LEI”): LEI is specified in the ISO 17442 and names legal entities in the Global Legal Entity Identifier Index.

Mark: A Combined Mark, Design Mark, or Word Mark. Marks may either be registered with a Trademark Office (Registered Mark) or created through government action (Government Mark).


Mark Asserting Entity (“MAE”): An Applicant for / Subscriber of a Verified Mark Certificate. May be the same as the Applicant and/or Subscriber.

Mark Representation: A digital representation of a Combined Mark, Design Mark, or Word Mark such as a digital or computer file, containing structured binary or textual data which can be interpreted to recreate (render) a visual representation of the mark so that it can be seen. The Mark Representation will be used as the Logotype Extension under Section 7.1.2.3.

Mark Verifying Authority (“MVA”): The authority who issues a Verified Mark Certificate. Also referred to as a Certification Authority or CA.

Maximum Validity Period: 1. The maximum time period for which the issued VMC is valid. 2. The maximum period after validation by the CA that certain Applicant information may be relied upon in issuing a VMC pursuant to these Requirements.

Notary: A notary (or legal equivalent in the applicable jurisdiction), Latin Notary, lawyer, solicitor, or other person or organization in the jurisdiction where the Contract Signer or Certificate Approver (also known as the “Designated Individual”) will be verified whose commission under applicable law includes authority to authenticate the execution of a signature on a document. “Notarize” includes Remote Notarization.

Notarize: The process by which the Notary verifies the identity of the Contract Signer or Certificate Approver by means of a government-issued photo ID, observes the Contract Signer or Certificate Approver sign a Verification Document prepared by the CA, and signs and affixes the Notary’s notarization seal or other equivalent method to the Verification Document to indicate the Notarization process has been completed by the Notary.

Object Identifier: A unique alphanumeric or numeric identifier registered under the International Organization for Standardization’s applicable standard for a specific object or object class.

OCSP Responder: An online server operated under the authority of the CA and connected to its Repository for processing Certificate status requests. See also, Online Certificate Status Protocol.

Online Certificate Status Protocol: An online Certificate-checking protocol as defined in RFC 6960 that enables Relying Parties and relying-party application software to determine the status of an identified Certificate. See also OCSP Responder.

Parent Company: A company that Controls a Subsidiary Company.

Private Key: The key of a Key Pair that corresponds to the Public Key used by the Subscriber to sign a VMC certificate request. Once the Private Key-Public Key pair has been generated, the Private Key is not used and may be discarded.

Place of Business: The location of any facility (such as a factory, retail store, warehouse, etc) where the Applicant’s business is conducted.

Principal Individual: An individual of a Private Organization, Government Entity, or Business Entity that is either an owner, partner, managing member, director, or officer, as identified by their title of employment, or an employee, contractor or agent authorized by such entity or organization to conduct business related to the request, issuance, and use of Verified Mark Certificates.

Private Organization: A non-governmental legal entity (whether ownership interests are privately held or publicly traded) whose existence was created by a filing with (or an act of) the Incorporating Agency or equivalent in its Jurisdiction of Incorporation.

Public Key: The key of a Key Pair that may be publicly disclosed by the holder of the corresponding Private Key and that is used to generate VMC signing requests for the CA on behalf of the Subscriber.

Public Key Infrastructure: A set of hardware, software, people, procedures, rules, policies, and obligations used to facilitate the trustworthy creation, issuance, management, and use of Certificates and keys based on Public Key Cryptography.

Publicly-Trusted Certificate: A Certificate that is trusted by virtue of the fact that its corresponding Root Certificate is distributed as a trust anchor in widely-available application software.

Qualified Practitioner: A natural person or Legal Entity that meets the requirements of Section 8.2.

Qualified Government Information Source: A database maintained by a Government Entity (e.g. SEC filings) that meets the requirements of Section 3.2.13.4.

Qualified Government Tax Information Source: A Qualified Governmental Information Source that specifically contains tax information relating to Private Organizations, Business Entities, or Individuals.

Qualified Independent Information Source: A regularly-updated and current, publicly available, database designed for the purpose of accurately providing the information for which it is consulted, and which is generally recognized as a dependable source of such information.

Random Value: A value specified by a CA to the Applicant that exhibits at least 112 bits of entropy.

Registered Domain Name: A Domain Name that has been registered with a Domain Name Registrar. A Registered Domain Name may also be called an Organizational Domain.

Registered Agent: An individual or entity that is: (i) authorized by the Applicant to receive service of process and business communications on behalf of the Applicant; and (ii) listed in the official records of the Applicant’s Jurisdiction of Incorporation as acting in the role specified in (i) above.

Registered Office: The official address of a company, as recorded with the Incorporating Agency, to which official documents are sent and at which legal notices are received.

Registered Mark: A Mark that has been registered as a trademark with a Trademark Office, and in particular, as the Mark appears in the official database of the applicable Trademark Office.

Registered Mark Profile: Verified Mark Certificates that have been issued following the validation procedures in section 3.2.16 and designated by a Certificate General Policy Identifier OID (1.3.6.1.4.1.53087.1.1) as described under Section 7.1.2.2 and 7.1.2.3. These VMCs have a SVG in the logotype extension that contains registered mark and other distinguishing fields noted elsewhere.

Registration Authority (RA): Any Legal Entity that is responsible for identification and authentication of subjects of Certificates, but is not a CA, and hence does not sign or issue Certificates. An RA may assist in the certificate application process or revocation process or both. When “RA” is used as an adjective to describe a role or function, it does not necessarily imply a separate body, but can be part of the CA as stipulated in Section 1.3.2.

Registration Agency: A Governmental Agency that registers business information in connection with an entity’s business formation or authorization to conduct business under a license, charter or other certification. A Registration Agency MAY include, but is not limited to (i) a State Department of Corporations or a Secretary of State; (ii) a licensing agency, such as a State Department of Insurance; or (iii) a chartering agency, such as a state office or department of financial regulation, banking or finance, or a federal agency such as the Office of the Comptroller of the Currency or Office of Thrift Supervision.

Registration Number: The unique number assigned to a Private Organization by the Incorporating Agency in such entity’s Jurisdiction of Incorporation.

Registration Reference: A unique identifier assigned to a Legal Entity.

Regulated Financial Institution: A financial institution that is regulated, supervised, and examined by governmental, national, state or provincial, or local authorities.

Relying Party: Any natural or legal person that relies on a VMC or the information or Marks contained in a VMC or displayed to the person by a Consuming Entity. An Application Software Supplier is not considered a Relying Party when software distributed by such Supplier merely displays information relating to a Certificate.

Remote Notarization: The process by which a Notary Notarizes a document over a live video/audio link while the Notary and the Contract Signer or Certificate Approver are physically in different locations.

Repository: An online database containing publicly-disclosed VMC governance documents (such as Certification Practice Statements) and Certificate status information, either in the form of a CRL or an OCSP response.

Request Token: A value, derived in a method specified by the CA which binds this demonstration of control to the certificate request. The CA SHOULD define within its CPS (or a document clearly referenced by the CPS) the format and method of Request Tokens it accepts. The Request Token SHALL incorporate the key used in the certificate request. A Request Token MAY include a timestamp to indicate when it was created. A Request Token MAY include other information to ensure its uniqueness. A Request Token that includes a timestamp SHALL remain valid for no more than 30 days from the time of creation. A Request Token that includes a timestamp SHALL be treated as invalid if its timestamp is in the future. A Request Token that does not include a timestamp is valid for a single use and the CA SHALL NOT re-use it for a subsequent validation. The binding SHALL use a digital signature algorithm or a cryptographic hash algorithm at least as strong as that to be used in signing the certificate request.

Note: Examples of Request Tokens include, but are not limited to: (i) a hash of the public key; or (ii) a hash of the Subject Public Key Info [X.509]; or (iii) a hash of a PKCS#10 CSR. A Request Token may also be concatenated with a timestamp or other data. If a CA wanted to always use a hash of a PKCS#10 CSR as a Request Token and did not want to incorporate a timestamp and did want to allow certificate key re-use then the applicant might use the challenge password in the creation of a CSR with OpenSSL to ensure uniqueness even if the subject and key are identical between subsequent requests.

Note: This simplistic shell command produces a Request Token which has a timestamp and a hash of a CSR.

echo `date -u +%Y%m%d%H%M` `sha256sum <r2.csr` | sed "s/[ -]//g"

The script outputs:

201602251811c9c863405fe7675a3988b97664ea6baf442019e4e52fa335f406f7c5f26cf14f

Required Website Content: Either a Random Value or a Request Token, together with additional information that uniquely identifies the Subscriber, as specified by the CA.

Requirements: The VMC Requirements found in this document.

Root CA: The top level Certification Authority whose Root Certificate is distributed by Application Software Suppliers and that issues Subordinate CA Certificates.

Root Certificate: The self-signed Certificate issued by the Root CA to identify itself and to facilitate verification of Certificates issued to its Subordinate CAs.

Sovereign State: A state or country that administers its own government, and is not dependent upon, or subject to, another power.

Subscriber: A person, entity, or organization that has applied for and has been issued a Verified Mark Certificate.

Subject: The natural person, device, system, unit, or Legal Entity identified in a Certificate as the Subject. The Subject is the Subscriber.

Subject Identity Information: Information that identifies the Certificate Subject. Subject Identity Information does not include a domain name listed in the subjectAltName extension or the Subject commonName field.

Subordinate CA: A Certification Authority whose Certificate is signed by the Root CA, or another Subordinate CA.

Subscriber: A natural person or Legal Entity to whom a Certificate is issued and who is legally bound by a Subscriber Agreement or Terms of Use.

Subscriber Agreement: An agreement between the CA and the Applicant/Subscriber that specifies the rights and responsibilities of the parties.

Subsidiary Company: A company that is controlled by a Parent Company.

Superior Government Entity: Based on the structure of government in a political subdivision, the Government Entity or Entities that have the ability to manage, direct and control the activities of the Applicant.

SVG Guidelines: The draft-svg-tiny-ps-abrotman-01 version of the SVG Tiny Portable/Secure (SVG Tiny PS) Guidelines document located at this URL: https://bimigroup.org/resources/RFC_SVG_PS.txt as well as a RNC validator located at this URL: http://bimigroup.org/resources/SVG_PS-latest.rnc.txt. Both are published by the Authindicators Working Group.

Terms of Use: Provisions regarding the safekeeping and acceptable uses of a Certificate issued in accordance with these Requirements when the Applicant/Subscriber is an Affiliate of the CA or is the CA.

Third-Party Validator: A person or organization who performs the F2F Verification Procedure of the Contract Signer or Certificate Approver using the Notarization process under Appendix G, Section 1.

Trademark Office: An intellectual property office recognized by the World Intellectual Property Organization for registration of trademarks (see names of intellectual property offices as listed in the column “Office” at https://www.wipo.int/directory/en/urls.jsp).

Translator: An individual or Business Entity that possesses the requisite knowledge and expertise to accurately translate the words of a document written in one language to the native language of the CA.

Trustworthy System: Computer hardware, software, and procedures that are: reasonably secure from intrusion and misuse; provide a reasonable level of availability, reliability, and correct operation; are reasonably suited to performing their intended functions; and enforce the applicable security policy.

Valid Certificate: A Certificate that passes the validation procedure specified in RFC 5280.

Validation Specialists: Someone who performs the information verification duties specified by these Requirements.

Validity Period: The period of time measured from the date when the Certificate is issued until the Expiry Date.

Verification Document: A document used to verify the identity and relevant information of the Contract Signer or Certificate Approver (acting as the Designated Individual) that is Notarized by a Notary. The Verification Document should:

(1) List the Contract Signer or Certificate Approver’s name and the address where the Contract Signer or Certificate Approver is located when the Notarization procedure occurs,

(2) Contain language that the Contract Signer or Certificate Approver confirms the information listed in (1) is correct and a place for the Contract Signer or Certificate Approver to sign the document, and

(3) Contain appropriate text for the Notary to sign and affix a seal (as appropriate in the jurisdiction) to indicate the Verification Document was Notarized by the Notary.

Verified Accountant Letter: A document meeting the requirements specified in Section 3.2.13.2 of these Requirements.

Verified Legal Opinion: A document meeting the requirements specified in Section 3.2.13.1 of these Requirements.

Verified Mark Certificate: A certificate that contains subject information and extensions specified in these VMC Requirements and that has been verified and issued by a CA in accordance with these VMC Requirements.

Verified Method of Communication: The use of a telephone number, a fax number, an email address, or postal delivery address, confirmed by the CA in accordance with Section 3.2.8 of the Requirements as a reliable way of communicating with the Applicant.

Verified Professional Letter: A Verified Accountant Letter or Verified Legal Opinion.

VMC Authority: A source other than the Certificate Approver, through which verification occurs that the Certificate Approver is expressly authorized by the Applicant, as of the date of the VMC Certificate Request, to take the Request actions described in these Requirements.

VMC Certificate Request: A request from an Applicant to the CA requesting that the CA issue a VMC Certificate to the Applicant, which request is validly authorized by the Applicant and signed by the Certificate Approver.

VMC Mark: The Mark Representation and Word Mark, if any, contained in a MAE’s Verified Mark Certificate application.

VMCR: These VMC Requirements.

VMC Terms: The terms of use that apply to a VMC Certificate and to the Mark Representation and related data contained in a Verified Mark Certificate, as set out in Appendix D to these VMC Requirements.

WHOIS: Information retrieved directly from the Domain Name Registrar or registry operator via the protocol defined in RFC 3912, the Registry Data Access Protocol defined in RFC 7482, or an HTTPS website.

Word Mark: A mark consisting exclusively of text expressed without regard to the font, style, size or color. For Registered Marks, see Appendix B for mapping of the names used by different trademarks offices to the definition of Word Mark.
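Added example (not part of these Requirements and not any CA's implementation): a checker for the Request Token rules in the definition above, covering the 30-day limit, the future-timestamp rule, the binding to the CSR, and single use of tokens that carry no timestamp. It assumes the token layout printed by the shell command in that definition (12-digit UTC timestamp followed by the SHA-256 hex digest of the CSR file); the names make_request_token, csr_digest and RequestTokenChecker, the in-memory record of used tokens, and the sample CSR bytes are constructed for illustration.

```python
"""Request Token check: timestamped and single-use forms (illustrative)."""
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%Y%m%d%H%M"        # layout printed by `date -u +%Y%m%d%H%M`
MAX_AGE = timedelta(days=30)    # timestamped tokens: no more than 30 days
# ASCII-only character classes: \d would also accept non-ASCII digits.
TIMESTAMPED = re.compile(r"([0-9]{12})([0-9a-f]{64})")
BARE_DIGEST = re.compile(r"[0-9a-f]{64}")

# Constructed stand-in for the bytes of a CSR file; not a real PKCS#10 CSR.
SAMPLE_CSR = (b"-----BEGIN CERTIFICATE REQUEST-----\n"
              b"Y29uc3RydWN0ZWQgc2FtcGxl\n"
              b"-----END CERTIFICATE REQUEST-----\n")


def csr_digest(csr_bytes):
    """SHA-256 over the CSR file bytes, as `sha256sum <r2.csr` computes it.

    Assumption: SHA-256 is at least as strong as the hash used to sign
    the certificate request, as the binding rule requires.
    """
    return hashlib.sha256(csr_bytes).hexdigest()


def make_request_token(csr_bytes, now):
    """Timestamp (UTC, minute resolution) followed by the CSR digest."""
    stamp = now.astimezone(timezone.utc).strftime(TS_FORMAT)
    return stamp + csr_digest(csr_bytes)


class RequestTokenChecker:
    """Applies the validity rules; returns a short reason string."""

    def __init__(self):
        # Assumption: a real CA would persist this, not keep it in memory.
        self._used = set()

    def check(self, token, csr_bytes, now):
        token = token.strip().lower()
        expected = csr_digest(csr_bytes)

        match = TIMESTAMPED.fullmatch(token)
        if match:
            stamp, digest = match.groups()
            try:
                created = datetime.strptime(stamp, TS_FORMAT).replace(
                    tzinfo=timezone.utc)
            except ValueError:          # e.g. month 13 or hour 25
                return "malformed"
            if not hmac.compare_digest(digest, expected):
                return "csr-mismatch"   # token is not bound to this request
            if created > now:
                return "timestamp-in-future"
            if now - created > MAX_AGE:
                return "expired"
            return "ok"

        if BARE_DIGEST.fullmatch(token):
            # No timestamp: valid for a single use only.
            if not hmac.compare_digest(token, expected):
                return "csr-mismatch"
            if token in self._used:
                return "already-used"
            self._used.add(token)
            return "ok"

        return "malformed"


if __name__ == "__main__":
    issued = datetime(2016, 2, 25, 18, 11, 30, tzinfo=timezone.utc)
    token = make_request_token(SAMPLE_CSR, issued)
    checker = RequestTokenChecker()
    for label, when in [("same minute", issued),
                        ("29 days later", issued + timedelta(days=29)),
                        ("30 days later", issued + timedelta(days=30)),
                        ("one hour earlier", issued - timedelta(hours=1))]:
        print(label, "->", checker.check(token, SAMPLE_CSR, when))
```
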

1.6.2. Acronyms

AICPA    American Institute of Certified Public Accountants
ADN      Authorization Domain Name
CA       Certification Authority
CAA      Certification Authority Authorization
ccTLD    Country Code Top-Level Domain
CP       Certificate Policy
CPS      Certification Practice Statement
CRL      Certificate Revocation List
DBA      Doing Business As
DNS      Domain Name System
FIPS     (US Government) Federal Information Processing Standard
FQDN     Fully Qualified Domain Name
IM       Instant Messaging
IANA     Internet Assigned Numbers Authority
ICANN    Internet Corporation for Assigned Names and Numbers
ISO      International Organization for Standardization
NIST     (US Government) National Institute of Standards and Technology
OCSP     Online Certificate Status Protocol
OID      Object Identifier
PKI      Public Key Infrastructure
RA       Registration Authority
S/MIME   Secure MIME (Multipurpose Internet Mail Extensions)
SSL      Secure Sockets Layer
TLD      Top-Level Domain
TLS      Transport Layer Security
VoIP     Voice Over Internet Protocol
BIPM     International Bureau of Weights and Measures
BIS      (US Government) Bureau of Industry and Security
CEO      Chief Executive Officer
CFO      Chief Financial Officer
CIO      Chief Information Officer
CISO     Chief Information Security Officer
COO      Chief Operating Officer
CPA      Chartered Professional Accountant
CSO      Chief Security Officer
EV       Extended Validation
gTLD     Generic Top-Level Domain
IFAC     International Federation of Accountants
IRS      Internal Revenue Service
ISP      Internet Service Provider
QGIS     Qualified Government Information Source
QTIS     Qualified Government Tax Information Source
QIIS     Qualified Independent Information Source
SEC      (US Government) Securities and Exchange Commission
UTC(k)   National realization of Coordinated Universal Time

1.6.3. References

ETSI EN 319 403, Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment - Requirements for conformity assessment bodies assessing Trust Service Providers.

ETSI EN 319 411-1, Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements.

ETSI TS 102 042, Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates.

FIPS 140-2, Federal Information Processing Standards Publication - Security Requirements For Cryptographic Modules, Information Technology Laboratory, National Institute of Standards and Technology, May 25, 2001.

FIPS 186-4, Federal Information Processing Standards Publication - Digital Signature Standard (DSS), Information Technology Laboratory, National Institute of Standards and Technology, July 2013.

ISO 21188:2006, Public key infrastructure for financial services -- Practices and policy framework.

Network and Certificate System Security Requirements, v1.7, 4/5/2021.

NIST SP 800-89, Recommendation for Obtaining Assurances for Digital Signature Applications, http://csrc.nist.gov/publications/nistpubs/800-89/SP-800-89_November2006.pdf.

RFC 2119, Request for Comments: 2119, Key words for use in RFCs to Indicate Requirement Levels, Bradner, March 1997.

RFC 2527, Request for Comments: 2527, Internet X.509 Public Key Infrastructure: Certificate Policy and Certification Practices Framework, Chokhani, et al, March 1999.

RFC 3647, Request for Comments: 3647, Internet X.509 Public Key Infrastructure: Certificate Policy and Certification Practices Framework, Chokhani, et al, November 2003.

RFC 3912, Request for Comments: 3912, WHOIS Protocol Specification, Daigle, September 2004.

RFC 4366, Request for Comments: 4366, Transport Layer Security (TLS) Extensions, Blake-Wilson, et al, April 2006.

RFC 5019, Request for Comments: 5019, The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments, A. Deacon, et al, September 2007.

RFC 5280, Request for Comments: 5280, Internet X.509 Public Key Infrastructure: Certificate and Certificate Revocation List (CRL) Profile, Cooper et al, May 2008.

RFC 6960, Request for Comments: 6960, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP. Santesson, Myers, Ankney, Malpani, Galperin, Adams, June 2013.

RFC 6962, Request for Comments: 6962, Certificate Transparency. B. Laurie, A. Langley, E. Kasper. June 2013.

RFC 7482, Request for Comments: 7482, Registration Data Access Protocol (RDAP) Query Format, Newton, et al, March 2015.

WebTrust for Certification Authorities, SSL Baseline with Network Security, Version 2.0, available at http://www.webtrust.org/homepage-documents/item79806.pdf.

RFC 8659, Request for Comments: 8659, DNS Certification Authority Authorization (CAA) Resource Record, Hallam-Baker, Stradling, Hoffman-Andrews, November 2019.

X.509, Recommendation ITU-T X.509 (10/2012) | ISO/IEC 9594-8:2014 (E), Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks.

1.6.4. Conventions

The key words “MUST”, “MUST NOT”, "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in these Requirements shall be interpreted in accordance with RFC 2119.

2. PUBLICATION AND REPOSITORY RESPONSIBILITIES

The CA SHALL develop, implement, enforce, and annually update a Certificate Policy and/or Certification Practice Statement that describes in detail how the CA implements the latest version of these Requirements.

2.1. REPOSITORIES

The CA SHALL make revocation information for Subordinate Certificates and Subscriber Certificates available in accordance with this Policy.

2.2. PUBLICATION OF INFORMATION

The CA SHALL publicly disclose its Certificate Policy and/or Certification Practice Statement through an appropriate and readily accessible online means that is available on a 24x7 basis. The CA SHALL publicly disclose its CA business practices to the extent required by the CA's selected audit scheme (see Section 8.1).

The Certificate Policy and/or Certification Practice Statement MUST be structured in accordance with RFC 3647 and MUST include all material required by RFC 3647.

Section 4.2 of a CA's Certificate Policy and/or Certification Practice Statement SHALL state the CA's policy or practice on processing CAA Records for Fully Qualified Domain Names; that policy SHALL be consistent with these Requirements. It SHALL clearly specify the set of Issuer Domain Names that the CA recognizes in CAA "issuevmc" records as permitting it to issue. The CA SHALL log all actions taken, if any, consistent with its processing practice.

The CA SHALL publicly give effect to these Requirements and represent that it will adhere to the latest published version. The CA MAY fulfill this requirement by incorporating these Requirements directly into its Certificate Policy and/or Certification Practice Statements or by incorporating them by reference using a clause such as the following (which MUST include a link to the official version of these Requirements):

[Name of CA] conforms to the current version of the Verified Mark Certificate Requirements published at https://bimigroup.org. In the event of any inconsistency between this document and those Requirements, those requirements take precedence over this document.

2.3. TIME OR FREQUENCY OF PUBLICATION

The CA SHALL develop, implement, enforce, and annually update a Certificate Policy and/or Certification Practice Statement that describes in detail how the CA implements the latest version of these Requirements.

2.4. ACCESS CONTROLS ON REPOSITORIES

The CA SHALL make its Repository publicly available in a read-only manner.

3. IDENTIFICATION AND AUTHENTICATION

3.1. NAMING

3.1.1. Types of names

No stipulation.

3.1.2. Need for names to be meaningful

No stipulation.

3.1.3. Anonymity or pseudonymity of subscribers

No stipulation.

3.1.4. Rules for interpreting various name forms

No stipulation.

3.1.5. Uniqueness of names

No stipulation.

3.1.6. Recognition, authentication, and role of trademarks

No stipulation.

3.2. INITIAL IDENTITY VALIDATION

3.2.1. Method to Prove Possession of Private Key

The Public Key contained in Verified Mark Certificates is not used, so CAs are not required to prove possession of the associated Private Key.

3.2.2. Authentication of Organization and Domain Identity

The CA MAY only issue VMC Certificates to Applicants that meet the Private Organization, Government Entity, Business Entity and Non-Commercial Entity requirements specified below.

3.2.2.1. Private Organization Subjects

An Applicant qualifies as a Private Organization if:

(1) The entity’s legal existence is created or recognized by a filing with (or an act of) the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration (e.g., by issuance of a certificate of incorporation, registration number, etc.) or created or recognized by a Government Agency (e.g. under a charter, treaty, convention, or equivalent recognition instrument);

(2) The entity designated with the Incorporating or Registration Agency a Registered Agent, a Registered Office (as required under the laws of the Jurisdiction of Incorporation or Registration), or an equivalent facility;

(3) The entity is not designated on the records of the Incorporating or Registration Agency by labels such as “inactive,” “invalid,” “not current,” or the equivalent;

(4) The entity has a verifiable physical existence and business presence;

(5) The entity’s Jurisdiction of Incorporation, Registration, Charter, or License, and/or its Place of Business is not in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA’s jurisdiction; and

(6) The entity is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA’s jurisdiction.

3.2.2.2. Government Entity Subjects

An Applicant qualifies as a Government Entity if:

(1) The entity’s legal existence was established by the political subdivision in which the entity operates;

(2) The entity is not in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA’s jurisdiction; and

(3) The entity is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA’s jurisdiction.

3.2.2.3. Business Entity Subjects

An Applicant qualifies as a Business Entity if:

(1) The entity is a legally recognized entity that filed certain forms with a Registration Agency in its jurisdiction, the Registration Agency issued or approved the entity’s charter, certificate, or license, and the entity’s existence can be verified with that Registration Agency;

(2) The entity has a verifiable physical existence and business presence;

(3) At least one Principal Individual associated with the entity is identified and validated by the CA;

(4) The identified Principal Individual attests to the representations made in the Subscriber Agreement;

(5) The entity and the identified Principal Individual associated with the entity are not located or residing in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA’s jurisdiction; and

(6) The entity and the identified Principal Individual associated with the entity are not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA’s jurisdiction.

3.2.2.4. Non-Commercial Entity Subjects

An Applicant qualifies as a Non-Commercial Entity if:

(A) The Applicant is an International Organization Entity, created under a charter, treaty, convention or equivalent instrument that was signed by, or on behalf of, more than one country's government. The CA/Browser Forum may publish a listing of Applicants who qualify as an International Organization for Verified Mark eligibility; and

(B) The Applicant is not headquartered in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and

(C) The Applicant is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction.

Subsidiary organizations or agencies of an entity that qualifies as a Non-Commercial Entity also qualify for Verified Mark Certificates as a Non-Commercial Entity.

3.2.3. Verification Requirements – Overview

Before issuing a Verified Mark Certificate, the CA MUST ensure that all Subject organization information to be included in the VMC conforms to the requirements of, and is verified in accordance with, these Requirements and matches the information confirmed and documented by the CA pursuant to its verification processes. Such verification processes are intended to accomplish the following:

(1) Verify Applicant’s existence and identity, including;

  (A) Verify the Applicant’s legal existence and identity (as more fully set forth in Section 3.2 herein),

  (B) Verify the Applicant’s physical existence (business presence at a physical address), and

  (C) Verify the Applicant’s operational existence (business activity).

(2) Verify the Applicant is a registered holder, or has control, of the Domain Name(s) to be included in the Verified Mark Certificate;

(3) Verify a reliable means of communication with the entity to be named as the Subject in the Certificate;

(4) Verify the Applicant’s authorization for the Verified Mark Certificate, including;

  (A) Verify the name, title, and authority of the Contract Signer, Certificate Approver, and Certificate Requester,

  (B) Verify that a Contract Signer signed the Subscriber Agreement or that a duly authorized individual acknowledged and agreed to the Terms of Use; and

  (C) Verify that a Certificate Approver has signed or otherwise approved the Verified Mark Certificate Request.

3.2.4. Acceptable Methods of Verification – Overview

As a general rule, the CA is responsible for taking all verification steps reasonably necessary to satisfy each of the Verification Requirements set forth in the subsections below. The Acceptable Methods of Verification set forth in each of Sections 3.2.5 through 3.2.18 (which usually include alternatives) are considered to be the minimum acceptable level of verification required of the CA. In all cases, however, the CA is responsible for taking any additional verification steps that may be reasonably necessary under the circumstances to satisfy the applicable Verification Requirement.

3.2.5. Verification of Applicant’s Legal Existence and Identity

3.2.5.1. Verification Requirements

To verify the Applicant’s legal existence and identity, the CA MUST do the following.

(1) Private Organization Subjects

  (A) Legal Existence: Verify that the Applicant is a legally recognized entity, in existence and validly formed (e.g., incorporated) with the Incorporating or Registration Agency in the Applicant’s Jurisdiction of Incorporation or Registration, and not designated on the records of the Incorporating or Registration Agency by labels such as “inactive”, “invalid”, “not current”, or the equivalent.

  (B) Organization Name: Verify that the Applicant’s formal legal name as recorded with the Incorporating or Registration Agency in the Applicant’s Jurisdiction of Incorporation or Registration matches the Applicant’s name in the Verified Mark Certificate Request.

  (C) Registration Number: Obtain the specific Registration Number assigned to the Applicant by the Incorporating or Registration Agency in the Applicant’s Jurisdiction of Incorporation or Registration. Where the Incorporating or Registration Agency does not assign a Registration Number, the CA SHALL obtain the Applicant’s date of Incorporation or Registration.

  (D) Registered Agent: Obtain the identity and address of the Applicant’s Registered Agent or Registered Office (as applicable in the Applicant’s Jurisdiction of Incorporation or Registration).

(2) Government Entity Subjects

  (A) Legal Existence: Verify that the Applicant is a legally recognized Government Entity, in existence in the political subdivision in which such Government Entity operates.

  (B) Entity Name: Verify that the Applicant’s formal legal name matches the Applicant’s name in the Verified Mark Certificate Request.

  (C) Registration Number: The CA MUST attempt to obtain the Applicant’s date of incorporation, registration, or formation, or the identifier for the legislative act that created the Government Entity. In circumstances where this information is not available, the CA MUST enter appropriate language to indicate that the Subject is a Government Entity.

(3) Business Entity Subjects

  (A) Legal Existence: Verify that the Applicant is engaged in business under the name submitted by the Applicant in the Application.

  (B) Organization Name: Verify that the Applicant’s formal legal name as recognized by the Registration Agency in the Applicant’s Jurisdiction of Registration matches the Applicant’s name in the Verified Mark Certificate Request.

  (C) Registration Number: Attempt to obtain the specific unique Registration Number assigned to the Applicant by the Registration Agency in the Applicant’s Jurisdiction of Registration. Where the Registration Agency does not assign a Registration Number, the CA SHALL obtain the Applicant’s date of Registration.

  (D) Principal Individual: Verify the identity of the identified Principal Individual.

(4) Non-Commercial Entity Subjects (International Organizations)

  (A) Legal Existence: Verify that the Applicant is a legally recognized International Organization Entity.

  (B) Entity Name: Verify that the Applicant's formal legal name matches the Applicant's name in the Verified Mark Certificate Request.

  (C) Registration Number: The CA MUST attempt to obtain the Applicant's date of formation, or the identifier for the legislative act that created the International Organization Entity. In circumstances where this information is not available, the CA MUST enter appropriate language to indicate that the Subject is an International Organization Entity.

3.2.5.2. Acceptable Method of Verification

(1) Private Organization Subjects: All items listed in Section 3.2.5.1(1) MUST be verified directly with, or obtained directly from, the Incorporating or Registration Agency in the Applicant's Jurisdiction of Incorporation or Registration. Such verification MAY be through use of a Qualified Government Information Source operated by, or on behalf of, the Incorporating or Registration Agency, or by direct contact with the Incorporating or Registration Agency in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Incorporating or Registration Agency, or from a Qualified Independent Information Source.

(2) Government Entity Subjects: All items listed in Section 3.2.5.1(2) MUST either be verified directly with, or obtained directly from, one of the following: (i) a Qualified Government Information Source in the political subdivision in which such Government Entity operates; (ii) a superior governing Government Entity in the same political subdivision as the Applicant (e.g. a Secretary of State may verify the legal existence of a specific State Department). Such verification MAY be by direct contact with the appropriate Government Entity in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained from a Qualified Independent Information Source.

(3) Business Entity Subjects: Items listed in Section 3.2.5.1(3)(A) through (C) above, MUST be verified directly with, or obtained directly from, the Registration Agency in the Applicant's Jurisdiction of Registration. Such verification MAY be performed by means of a Qualified Government Information Source, a Qualified Governmental Tax Information Source, or by direct contact with the Registration Agency in person or via mail, e-mail, Web address, or telephone, using an address or phone number obtained directly from the Qualified Government Information Source, Qualified Governmental Tax Information Source or Registration Agency, or from a Qualified Independent Information Source. In addition, the CA MUST validate a Principal Individual associated with the Business Entity pursuant to the requirements in subsection (4), below.

(4) Principal Individual: A Principal Individual associated with the Business Entity MUST be validated in a face-to-face setting. The CA MAY rely upon a face-to-face validation of the Principal Individual performed by the Registration Agency, provided that the CA has evaluated the validation procedure and concluded that it satisfies the requirements of the Requirements for face-to-face validation procedures. Where no face-to-face validation was conducted by the Registration Agency, or the Registration Agency’s face-to-face validation procedure does not satisfy the requirements of the Requirements, the CA SHALL perform face-to-face validation.

  (A) Face-To-Face Validation: The face-to-face validation MUST be conducted before either an employee of the CA, a Latin Notary, a Notary (or equivalent in the Applicant’s jurisdiction), a Lawyer, or Accountant (Third-Party Validator). In all cases, the Third-Party Validator must be working on behalf of the CA. The Principal Individual(s) MUST present the following documentation (Vetting Documents) directly to the Third-Party Validator:

    (i) A Personal Statement that includes the following information:

      1. Full name or names by which a person is, or has been, known (including all other names used);
      2. Residential Address at which he/she can be located;
      3. Date of birth; and
      4. An affirmation that all of the information contained in the Certificate Request is true and correct.

    (ii) A current signed government-issued identification document that includes a photo of the Individual and is signed by the Individual such as:

      1. A passport;
      2. A driver’s license;
      3. A personal identification card;
      4. A concealed weapons permit; or
      5. A military ID.

    (iii) At least two secondary documentary evidences to establish his/her identity that include the name of the Individual, one of which MUST be from a financial institution.

      1. Acceptable financial institution documents include:

        a. A major credit card, provided that it contains an expiration date and it has not expired,
        b. A debit card from a regulated financial institution, provided that it contains an expiration date and it has not expired,
        c. A mortgage statement from a recognizable lender that is less than six months old,
        d. A bank statement from a regulated financial institution that is less than six months old.

      2. Acceptable non-financial documents include:

        a. Recent original utility bills or certificates from a utility company confirming the arrangement to pay for the services at a fixed address (not a mobile/cellular telephone bill),
        b. A copy of a statement for payment of a lease, provided that the statement is dated within the past six months,
        c. A certified copy of a birth certificate,
        d. A local authority tax bill for the current year,
        e. A certified copy of a court order, such as a divorce certificate, annulment papers, or adoption papers.

    The Third-Party Validator performing the face-to-face validation MUST:

    (i) Attest to the signing of the Personal Statement and the identity of the signer; and

    (ii) Identify the original Vetting Documents used to perform the identification. In addition, the Third-Party Validator MUST attest on a copy of the current signed government-issued photo identification document that it is a full, true, and accurate reproduction of the original.

  (B) Verification of Third-Party Validator: The CA MUST independently verify that the Third-Party Validator is a legally-qualified Latin Notary or Notary (or legal equivalent in the Applicant’s jurisdiction), lawyer, or accountant in the jurisdiction of the Individual’s residency, and that the Third-Party Validator actually did perform the services and did attest to the signature of the Individual.

  (C) Cross-checking of Information: The CA MUST obtain the signed and attested Personal Statement together with the attested copy of the current signed government-issued photo identification document. The CA MUST review the documentation to determine that the information is consistent, matches the information in the application, and identifies the Individual. The CA MAY rely on electronic copies of this documentation, provided that:

    (i) the CA confirms their authenticity (not improperly modified when compared with the underlying original) with the Third-Party Validator; and

(ii)electroniccopiesofsimilarkindsofdocumentsarerecognizedaslegalsubstitutesfororiginalsunderthelawsoftheCA’sjurisdiction.

(5) Non-Commercial Entity Subjects (International Organization): Unless verified under subsection (6), all items listed in Section 3.3.1(4) MUST be verified either:

(A) With reference to the constituent document under which the International Organization was formed; or

(B) Directly with a signatory country's government in which the CA is permitted to do business. Such verification may be obtained from an appropriate government agency or from the laws of that country, or by verifying that the country's government has a mission to represent it at the International Organization; or

(C) Directly against any current list of qualified entities that the Authindicators/BIMI Group may maintain at https://bimigroup.org.

(D) In cases where the International Organization applying for the VMC is an organ or agency - including a non-governmental organization of a verified International Organization, then the CA may verify the International Organization Applicant directly with the verified umbrella International Organization of which the Applicant is an organ or agency.

3.2.6. Verification of Applicant’s Legal Existence and Identity – Assumed Name

3.2.6.1. Verification Requirements

If, in addition to the Applicant’s formal legal name, as recorded with the applicable Incorporating Agency or Registration Agency in the Applicant’s Jurisdiction of Incorporation or Registration, the Applicant’s identity, as asserted in the Verified Mark Certificate, is to contain any assumed name (also known as “doing business as”, “DBA”, or “d/b/a” in the US, and “trading as” in the UK) under which the Applicant conducts business, the CA MUST verify that: (i) the Applicant has registered its use of the assumed name with the appropriate government agency for such filings in the jurisdiction of its Place of Business (as verified in accordance with these Guidelines), and (ii) that such filing continues to be valid.

3.2.6.2. Acceptable Method of Verification

To verify any assumed name under which the Applicant conducts business:

(1) The CA MAY verify the assumed name through use of a Qualified Government Information Source operated by, or on behalf of, an appropriate government agency in the jurisdiction of the Applicant’s Place of Business, or by direct contact with such government agency in person or via mail, e-mail, Web address, or telephone; or

(2) The CA MAY verify the assumed name through use of a Qualified Independent Information Source provided that the QIIS has verified the assumed name with the appropriate government agency.

(3) The CA MAY rely on a Verified Professional Letter that indicates the assumed name under which the Applicant conducts business, the government agency with which the assumed name is registered, and that such filing continues to be valid.

3.2.7. Verification of Applicant’s Physical Existence

3.2.7.1. Address of Applicant’s Place of Business

(1) Verification Requirements: To verify the Applicant's physical existence and business presence, the CA MUST verify that the physical address provided by the Applicant is an address where the Applicant or a Parent/Subsidiary Company conducts business operations (not, for example, a mail drop or P.O. box, or 'care of' (C/O) address, such as an address for an agent of the Organization), and is the address of the Applicant's Place of Business.

(2) Acceptable Methods of Verification

(A) Place of Business in the Country of Incorporation or Registration

(i) For Applicants whose Place of Business is in the same country as the Applicant's Jurisdiction of Incorporation or Registration and whose Place of Business is NOT the same as that indicated in the relevant Qualified Government Information Source used in Section 3.2.5 to verify legal existence:

(1) For Applicants listed at the same Place of Business address in the current version of either at least one QGIS (other than that used to verify legal existence), QIIS or QTIS, the CA MUST confirm that the Applicant's address, as listed in the Verified Mark Certificate Request, is a valid business address for the Applicant or a Parent/Subsidiary Company by reference to such QGIS, QIIS, or QTIS, and MAY rely on the Applicant's representation that such address is its Place of Business;

(2) For Applicants who are not listed at the same Place of Business address in the current version of either at least one QIIS or QTIS, the CA MUST confirm that the address provided by the Applicant in the Verified Mark Certificate Request is the Applicant's or a Parent/Subsidiary Company's business address, by obtaining documentation of a site visit to the business address, which MUST be performed by a reliable individual or firm. The documentation of the site visit MUST:

(a) Verify that the Applicant's business is located at the exact address stated in the Verified Mark Certificate Request (e.g., via permanent signage, employee confirmation, etc.),

(b) Identify the type of facility (e.g., office in a commercial building, private residence, storefront, etc.) and whether it appears to be a permanent business location,

(c) Indicate whether there is a permanent sign (that cannot be moved) that identifies the Applicant,

(d) Indicate whether there is evidence that the Applicant is conducting ongoing business activities at the site (not that it is just, for example, a mail drop, P.O. box, etc.), and

(e) Include one or more photos of (i) the exterior of the site (showing signage indicating the Applicant's name, if present, and showing the street address if possible), and (ii) the interior reception area or workspace.

(3) For all Applicants, the CA MAY alternatively rely on a Verified Professional Letter that indicates the address of the Applicant's or a Parent/Subsidiary Company's Place of Business and that business operations are conducted there.

(4) For Government Entity Applicants, the CA MAY rely on the address contained in the records of the QGIS in the Applicant's jurisdiction.

(5) For Applicants whose Place of Business is in the same country as the Applicant's Jurisdiction of Incorporation or Registration and where the QGIS used in Section 3.2.5 to verify legal existence contains a business address for the Applicant, the CA MAY rely on the address in the QGIS to confirm the Applicant's or a Parent/Subsidiary Company's address as listed in the Verified Mark Certificate Request, and MAY rely on the Applicant's representation that such address is its Place of Business.

(B) Place of Business not in the Country of Incorporation or Registration: The CA MUST rely on a Verified Professional Letter that indicates the address of the Applicant's Place of Business and that business operations are conducted there.

3.2.8. Verified Method of Communication

3.2.8.1. Verification Requirements

To assist in communicating with the Applicant and confirming that the Applicant is aware of and approves issuance, the CA MUST verify a telephone number, fax number, email address, or postal delivery address as a Verified Method of Communication with the Applicant.

3.2.8.2. Acceptable Methods of Verification

To verify a Verified Method of Communication with the Applicant, the CA MUST:

(A) Verify that the Verified Method of Communication belongs to the Applicant, or a Parent/Subsidiary or Affiliate of the Applicant, by matching it with one of the Applicant's Parent/Subsidiary or Affiliate's Places of Business in: (i) records provided by the applicable phone company; (ii) a QGIS, QTIS, or QIIS; or (iii) a Verified Professional Letter; and

(B) Confirm the Verified Method of Communication by using it to obtain an affirmative response sufficient to enable a reasonable person to conclude that the Applicant, or a Parent/Subsidiary or Affiliate of Applicant, can be contacted reliably by using the Verified Method of Communication.

3.2.9. Verification of Applicant’s Operational Existence

3.2.9.1. Verification Requirements

The CA MUST verify that the Applicant has the ability to engage in business by verifying the Applicant's, or Affiliate/Parent/Subsidiary Company's, operational existence. The CA MAY rely on its verification of a Government Entity’s legal existence under Section 3.3 as verification of a Government Entity’s operational existence.

3.2.9.2. Acceptable Methods of Verification

To verify the Applicant’s ability to engage in business, the CA MUST verify the operational existence of the Applicant, or its Affiliate/Parent/Subsidiary Company, by:

(1) Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company has been in existence for at least three years, as indicated by the records of an Incorporating Agency or Registration Agency;

(2) Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company is listed in either a current QIIS or QTIS;

(3) Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company has an active current Demand Deposit Account with a Regulated Financial Institution by receiving authenticated documentation of the Applicant's, Affiliate's, Parent Company's, or Subsidiary Company's Demand Deposit Account directly from a Regulated Financial Institution; or

(4) Relying on a Verified Professional Letter to the effect that the Applicant has an active current Demand Deposit Account with a Regulated Financial Institution.

3.2.10. Verification of Identity and Authority of Contract Signer and Certificate Approver

3.2.10.1. Verification Requirements

For both the Contract Signer and the Certificate Approver, the CA MUST verify the following.

(1) Name, Title and Agency: The CA MUST verify the name and title of the Contract Signer and the Certificate Approver, as applicable. The CA MUST also verify that the Contract Signer and the Certificate Approver are agents representing the Applicant.

(2) Signing Authority of Contract Signer: The CA MUST verify that the Contract Signer is authorized by the Applicant to enter into the Subscriber Agreement (and any other relevant contractual obligations) on behalf of the Applicant, including a contract that designates one or more Certificate Approvers on behalf of the Applicant.

(3) VMC Authority of Certificate Approver: The CA MUST verify, through a source other than the Certificate Approver him- or herself, that the Certificate Approver is expressly authorized by the Applicant to do the following, as of the date of the Verified Mark Certificate Request:

(A) Submit, and, if applicable, authorize a Certificate Requester to submit, the Verified Mark Certificate Request on behalf of the Applicant; and

(B) Provide, and, if applicable, authorize a Certificate Requester to provide, the information requested from the Applicant by the CA for issuance of the Verified Mark Certificate; and

(C) Approve Verified Mark Certificate Requests submitted by a Certificate Requester.

(4) F2F Verification Procedure: The CA must conduct a F2F Verification Procedure of the Contract Signer or Certificate Approver for the Applicant following the verification steps described in Appendix G, Section 1 or Section 2. If the Notarization process of Section 1 is used, the CA must verify that the validator is a legally-qualified Notary (or legal equivalent in the Contract Signer or Certificate Approver’s jurisdiction), Latin Notary, lawyer, or solicitor (collectively, “Notary”) in the jurisdiction where the Contract Signer or Certificate Approver is verified.

3.2.10.2. Acceptable Methods of Verification – Name, Title and Agency

Acceptable methods of verification of the name, title, and agency status of the Contract Signer and the Certificate Approver include the following.

(1) Name and Title: The CA MAY verify the name and title of the Contract Signer and the Certificate Approver by any appropriate method designed to provide reasonable assurance that a person claiming to act in such a role is in fact the named person designated to act in such role.

(2) Agency: The CA MAY verify the agency of the Contract Signer and the Certificate Approver by:

(A) Contacting the Applicant using a Verified Method of Communication for the Applicant, and obtaining confirmation that the Contract Signer and/or the Certificate Approver, as applicable, is an employee;

(B) Obtaining an Independent Confirmation From the Applicant (as described in Section 3.2.13.4), or a Verified Professional Letter verifying that the Contract Signer and/or the Certificate Approver, as applicable, is either an employee or has otherwise been appointed as an agent of the Applicant; or

(C) Obtaining confirmation from a QIIS or QGIS that the Contract Signer and/or Certificate Approver is an employee of the Applicant.

The CA MAY also verify the agency of the Certificate Approver via a certification from the Contract Signer (including in a contract between the CA and the Applicant signed by the Contract Signer), provided that the employment or agency status and Signing Authority of the Contract Signer has been verified.

3.2.10.3. Acceptable Methods of Verification – Authority

Acceptable methods of verification of the Signing Authority of the Contract Signer, and the VMC Authority of the Certificate Approver, as applicable, include:

(1) Corporate Resolution: The Signing Authority of the Contract Signer, and/or the VMC Authority of the Certificate Approver, MAY be verified by reliance on a properly authenticated corporate resolution that confirms that the person has been granted such Signing Authority, provided that such resolution is (i) certified by the appropriate corporate officer (e.g., secretary), and (ii) the CA can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification;

(2) Independent Confirmation from Applicant: The Signing Authority of the Contract Signer, and/or the VMC Authority of the Certificate Approver, MAY be verified by obtaining an Independent Confirmation from the Applicant (as described in Section 3.2.13.1);

(3) Contract between CA and Applicant: The VMC Authority of the Certificate Approver MAY be verified by reliance on a contract between the CA and the Applicant that designates the Certificate Approver with such VMC Authority, provided that the contract is signed by the Contract Signer and provided that the agency and Signing Authority of the Contract Signer have been verified;

(5) Prior Equivalent Authority: The signing authority of the Contract Signer, and/or the VMC Authority of the Certificate Approver, MAY be verified by relying on a demonstration of Prior Equivalent Authority.

(A) Prior Equivalent Authority of a Contract Signer MAY be relied upon for confirmation or verification of the signing authority of the Contract Signer when the Contract Signer has executed a binding contract between the CA and the Applicant with a legally valid and enforceable seal or handwritten signature and only when the contract was executed more than 90 days prior to the Verified Mark Certificate application. The CA MUST record sufficient details of the previous agreement to correctly identify it and associate it with the Verified Mark application. Such details MAY include any of the following:

(i) Agreement title,

(ii) Date of Contract Signer’s signature,

(iii) Contract reference number, and

(iv) Filing location.

(B) Prior Equivalent Authority of a Certificate Approver MAY be relied upon for confirmation or verification of the VMC Authority of the Certificate Approver when the Certificate Approver has performed one or more of the following:

(i) Under contract to the CA, has served (or is serving) as an Enterprise RA for the Applicant, or

(ii) Has participated in the approval of one or more certificate requests, for certificates issued by the CA and which are currently and verifiably in use by the Applicant. In this case the CA MUST have contacted the Certificate Approver by phone at a previously validated phone number or have accepted a signed and notarized letter approving the certificate request.

(6) QIIS or QGIS: The Signing Authority of the Contract Signer, and/or the VMC Authority of the Certificate Approver, MAY be verified by a QIIS or QGIS that identifies the Contract Signer and/or the Certificate Approver as a corporate officer, sole proprietor, or other senior official of the Applicant.

(7) Contract Signer’s Representation/Warranty: Provided that the CA verifies that the Contract Signer is an employee or agent of the Applicant, the CA MAY rely on the signing authority of the Contract Signer by obtaining a duly executed representation or warranty from the Contract Signer that includes the following acknowledgments:

(A) That the Applicant authorizes the Contract Signer to sign the Subscriber Agreement on the Applicant's behalf,

(B) That the Subscriber Agreement is a legally valid and enforceable agreement,

(C) That, upon execution of the Subscriber Agreement, the Applicant will be bound by all of its terms and conditions,

(D) That serious consequences attach to the misuse of a Verified Mark certificate, and

(E) The contract signer has the authority to obtain the digital equivalent of a corporate seal, stamp or officer's signature to establish the authenticity of the company's Web site.

3.2.10.4. Pre-Authorized Certificate Approver

Where the CA and Applicant contemplate the submission of multiple future Verified Mark Certificate Requests, then, after the CA:

• Has verified the name and title of the Contract Signer and that he/she is an employee or agent of the Applicant; and

• Has verified the Signing Authority of such Contract Signer in accordance with one of the procedures in Section 3.2.10.

The CA and the Applicant MAY enter into a written agreement, signed by the Contract Signer on behalf of the Applicant, whereby, for a specified term, the Applicant expressly authorizes one or more Certificate Approver(s) designated in such agreement to exercise VMC Authority with respect to each future Verified Mark Certificate Request submitted on behalf of the Applicant and properly authenticated as originating with, or otherwise being approved by, such Certificate Approver(s). Such an agreement MUST provide that the Applicant SHALL be obligated under the Subscriber Agreement for all Verified Mark Certificates issued at the request of, or approved by, such Certificate Approver(s) until such VMC Authority is revoked, and MUST include mutually agreed-upon provisions for (i) authenticating the Certificate Approver when Verified Mark Certificate Requests are approved, (ii) periodic re-confirmation of the VMC Authority of the Certificate Approver, (iii) secure procedures by which the Applicant can notify the CA that the VMC Authority of any such Certificate Approver is revoked, and (iv) such other appropriate precautions as are reasonably necessary.

3.2.11. Verification of Signature on Subscriber Agreement and Verified Mark Certificate Requests

Both the Subscriber Agreement and each non-pre-authorized Verified Mark Certificate Request MUST be signed. The Subscriber Agreement MUST be signed by an authorized Contract Signer. The Verified Mark Certificate Request MUST be signed by the Certificate Requester submitting the document, unless the Certificate Request has been pre-authorized in line with Section 3.2.10.4 of these Requirements. If the Certificate Requester is not also an authorized Certificate Approver, then an authorized Certificate Approver MUST independently approve the Verified Mark Certificate Request. In all cases, applicable signatures MUST be a legally valid and contain an enforceable seal or handwritten signature (for a paper Subscriber Agreement and/or Verified Mark Certificate Request), or a legally valid and enforceable electronic signature (for an electronic Subscriber Agreement and/or Verified Mark Certificate Request), that binds the Applicant to the terms of each respective document.

3.2.11.1. Verification Requirements

(1) Signature: The CA MUST authenticate the signature of the Contract Signer on the Subscriber Agreement and the signature of the Certificate Requester on each Verified Mark Certificate Request in a manner that makes it reasonably certain that the person named as the signer in the applicable document is, in fact, the person who signed the document on behalf of the Applicant.

(2) Approval Alternative: In cases where a Verified Mark Certificate Request is signed and submitted by a Certificate Requester who does not also function as a Certificate Approver, approval and adoption of the Verified Mark Certificate Request by a Certificate Approver in accordance with the requirements of Section 3.2.12 can substitute for authentication of the signature of the Certificate Requester on such Verified Mark Certificate Request.

3.2.11.2. Acceptable Methods of Signature Verification

Acceptable methods of authenticating the signature of the Certificate Requester or Contract Signer include the following:

(1) Contacting the Applicant using a Verified Method of Communication for the Applicant, for the attention of the Certificate Requester or Contract Signer, as applicable, followed by a response from someone who identifies themselves as such person confirming that he/she did sign the applicable document on behalf of the Applicant;

(2) A letter mailed to the Applicant’s or Agent’s address, as verified through independent means in accordance with these Requirements, for the attention of the Certificate Requester or Contract Signer, as applicable, followed by a response through a Verified Method of Communication from someone who identifies themselves as such person confirming that he/she did sign the applicable document on behalf of the Applicant;

(3) Use of a signature process that establishes the name and title of the signer in a secure manner, such as through use of an appropriately secure login process that identifies the signer before signing, or through use of a digital signature made with reference to an appropriately verified certificate; or

(4) Notarization by a notary, provided that the CA independently verifies that such notary is a legally qualified notary in the jurisdiction of the Certificate Requester or Contract Signer.

3.2.12. Verification of Approval of Verified Mark Certificate Request

3.2.12.1. Verification Requirements

In cases where a Verified Mark Certificate Request is submitted by a Certificate Requester, before the CA issues the requested Verified Mark Certificate, the CA MUST verify that an authorized Certificate Approver reviewed and approved the Verified Mark Certificate Request.

3.2.12.2. Acceptable Methods of Verification

Acceptable methods of verifying the Certificate Approver’s approval of a Verified Mark Certificate Request include:

(1) Contacting the Certificate Approver using a Verified Method of Communication for the Applicant and obtaining oral or written confirmation that the Certificate Approver has reviewed and approved the Verified Mark Certificate Request;

(2) Notifying the Certificate Approver that one or more new Verified Mark Certificate Requests are available for review and approval at a designated access-controlled and secure Web site, followed by a login by, and an indication of approval from, the Certificate Approver in the manner required by the Web site; or

(3) Verifying the signature of the Certificate Approver on the Verified Mark Certificate Request in accordance with Section 3.2.11 of these Requirements.

3.2.13. Verification of Certain Information Sources

3.2.13.1. Verified Legal Opinion

(1) Verification Requirements: Before relying on a legal opinion submitted to the CA, the CA MUST verify that such legal opinion meets the following requirements:

(A) Status of Author: The CA MUST verify that the legal opinion is authored by an independent legal practitioner retained by and representing the Applicant (or an in-house legal practitioner employed by the Applicant) (Legal Practitioner) who is either:

(i) A lawyer (or solicitor, barrister, advocate, or equivalent) licensed to practice law in the country of the Applicant’s Jurisdiction of Incorporation or Registration or any jurisdiction where the Applicant maintains an office or physical facility, or

(ii) A Latin Notary who is currently commissioned or licensed to practice in the country of the Applicant’s Jurisdiction of Incorporation or Registration or any jurisdiction where the Applicant maintains an office or physical facility (and that such jurisdiction recognizes the role of the Latin Notary);

(B) Basis of Opinion: The CA MUST verify that the Legal Practitioner is acting on behalf of the Applicant and that the conclusions of the Verified Legal Opinion are based on the Legal Practitioner’s stated familiarity with the relevant facts and the exercise of the Legal Practitioner’s professional judgment and expertise;

(C) Authenticity: The CA MUST confirm the authenticity of the Verified Legal Opinion.

(2) Acceptable Methods of Verification: Acceptable methods of establishing the foregoing requirements for a Verified Legal Opinion are:

(A) Status of Author: The CA MUST verify the professional status of the author of the legal opinion by directly contacting the authority responsible for registering or licensing such Legal Practitioner(s) in the applicable jurisdiction;

(B) Basis of Opinion: The text of the legal opinion MUST make it clear that the Legal Practitioner is acting on behalf of the Applicant and that the conclusions of the legal opinion are based on the Legal Practitioner’s stated familiarity with the relevant facts and the exercise of the practitioner’s professional judgment and expertise. The legal opinion MAY also include disclaimers and other limitations customary in the Legal Practitioner’s jurisdiction, provided that the scope of the disclaimed responsibility is not so great as to eliminate any substantial risk (financial, professional, and/or reputational) to the Legal Practitioner, should the legal opinion prove to be erroneous;

(C) Authenticity: To confirm the authenticity of the legal opinion, the CA MUST make a telephone call or send a copy of the legal opinion back to the Legal Practitioner at the address, phone number, facsimile, or (if available) e-mail address for the Legal Practitioner listed with the authority responsible for registering or licensing such Legal Practitioner, and obtain confirmation from the Legal Practitioner or the Legal Practitioner’s assistant that the legal opinion is authentic. If a phone number is not available from the licensing authority, the CA MAY use the number listed for the Legal Practitioner in records provided by the applicable phone company, QGIS, or QIIS. In circumstances where the opinion is digitally signed, in a manner that confirms the authenticity of the document and the identity of the signer, as verified by the CA in Section 3.2.13.1(2)(A), no further verification of authenticity is required.

3.2.13.2. Verified Accountant Letter

(1) Verification Requirements: Before relying on an accountant letter submitted to the CA, the CA MUST verify that such accountant letter meets the following requirements:

(A) Status of Author: The CA MUST verify that the accountant letter is authored by an Accounting Practitioner retained or employed by the Applicant and licensed within the country of the Applicant’s Jurisdiction of Incorporation, Jurisdiction of Registration, or country where the Applicant maintains an office or physical facility. Verification of license MUST be through the member organization or regulatory organization in the Accounting Practitioner’s country or jurisdiction that is appropriate to contact when verifying an accountant’s license to practice in that country or jurisdiction. Such country or jurisdiction must have an accounting standards body that maintains full membership status with the International Federation of Accountants.

(B) Basis of Opinion: The CA MUST verify that the Accounting Practitioner is acting on behalf of the Applicant and that the conclusions of the Verified Accountant Letter are based on the Accounting Practitioner’s stated familiarity with the relevant facts and the exercise of the Accounting Practitioner’s professional judgment and expertise;

(C) Authenticity: The CA MUST confirm the authenticity of the Verified Accountant Letter.

(2) Acceptable Methods of Verification: Acceptable methods of establishing the foregoing requirements for a Verified Accountant Letter are listed here.

(A) Status of Author: The CA MUST verify the professional status of the author of the accountant letter by directly contacting the authority responsible for registering or licensing such Accounting Practitioners in the applicable jurisdiction.

(B) Basis of Opinion: The text of the Verified Accountant Letter MUST make clear that the Accounting Practitioner is acting on behalf of the Applicant and that the information in the letter is based on the Accounting Practitioner’s stated familiarity with the relevant facts and the exercise of the practitioner’s professional judgment and expertise. The Verified Accountant Letter MAY also include disclaimers and other limitations customary in the Accounting Practitioner’s jurisdiction, provided that the scope of the disclaimed responsibility is not so great as to eliminate any substantial risk (financial, professional, and/or reputational) to the Accounting Practitioner, should the Verified Accountant Letter prove to be erroneous.

(C) Authenticity: To confirm the authenticity of the accountant’s opinion, the CA MUST make a telephone call or send a copy of the Verified Accountant Letter back to the Accounting Practitioner at the address, phone number, facsimile, or (if available) e-mail address for the Accounting Practitioner listed with the authority responsible for registering or licensing such Accounting Practitioners and obtain confirmation from the Accounting Practitioner or the Accounting Practitioner’s assistant that the accountant letter is authentic. If a phone number is not available from the licensing authority, the CA MAY use the number listed for the Accountant in records provided by the applicable phone company, QGIS, or QIIS. In circumstances where the opinion is digitally signed, in a manner that confirms the authenticity of the document and the identity of the signer, as verified by the CA in Section 3.2.13.2(2)(A), no further verification of authenticity is required.

3.2.13.3. Face-to-Face Validation using the Notarization process

(1) Verification Requirements: Before relying on F2F Verification Procedure documents using the Notarization process under Appendix G, Section 1 that are submitted to the CA, the CA MUST verify that the Third-Party Validator meets the following requirements:

(A) Qualification of Third-Party Validator: The CA MUST independently verify that the Third-Party Validator is a legally-qualified Latin Notary or Notary (or legal equivalent in the Applicant’s jurisdiction), Lawyer, or Accountant in the jurisdiction of the individual’s residency;

(B) Document Chain of Custody: The CA MUST verify that the Third-Party Validator viewed the Vetting Documents in a face-to-face meeting with the individual being validated;

(C) Verification of Attestation: If the Third-Party Validator is not a Latin Notary, then the CA MUST confirm the authenticity of the attestation and vetting documents.

(2) Acceptable Methods of Verification: Acceptable methods of establishing the foregoing requirements for vetting documents are:

(A) Qualification of Third-Party Validator: The CA MUST verify the professional status of the Third-Party Validator by directly contacting the authority responsible for registering or licensing such Third-Party Validators in the applicable jurisdiction;

(B) Document Chain of Custody: The Third-Party Validator MUST submit a statement to the CA which attests that they obtained the Vetting Documents submitted to the CA for the individual during a face-to-face meeting with the individual;

(C) Verification of Attestation: If the Third-Party Validator is not a Latin Notary, then the CA MUST confirm the authenticity of the vetting documents received from the Third-Party Validator. The CA MUST make a telephone call to the Third-Party Validator and obtain confirmation from them or their assistant that they performed the face-to-face validation. The CA MAY rely upon self-reported information obtained from the Third-Party Validator for the sole purpose of performing this verification process. In circumstances where the attestation is digitally signed, in a manner that confirms the authenticity of the documents, and the identity of the signer as verified by the CA in Section 3.2.13.1(1)(A), no further verification of authenticity is required.

3.2.13.4. IndependentConfirmationFromApplicantAnIndependentConfirmationfromtheApplicantisaconfirmationofaparticularfact(e.g.,confirmationoftheemployeeoragencystatusofaContractSignerorCertificateApprover,confirmationoftheVMCAuthorityofaCertificateApprover,etc.)thatis:

(A) ReceivedbytheCAfromaConfirmingPerson(someoneotherthanthepersonwhoisthesubjectoftheinquiry)thathastheappropriateauthoritytoconfirmsuchafact,andwhorepresentsthathe/shehasconfirmedsuchfact;

(B) ReceivedbytheCAinamannerthatauthenticatesandverifiesthesourceoftheconfirmation;and(C) BindingontheApplicant.

AnIndependentConfirmationfromtheApplicantMAYbeobtainedviathefollowingprocedure:(1) ConfirmationRequest:TheCAMUSTinitiateaConfirmationRequestviaanappropriateout-of-band

communication,requestingverificationorconfirmationoftheparticularfactatissueasfollows:(A)Addressee:TheConfirmationRequestMUSTbedirectedto:

(i) ApositionwithintheApplicant’sorganizationthatqualifiesasaConfirmingPerson(e.g.,Secretary,President,CEO,CFO,COO,CIO,CSO,Director,etc.)andisidentifiedbynameandtitleinacurrentQGIS,QIIS,QTIS,VerifiedLegalOpinion,VerifiedAccountantLetter,orbycontactingtheApplicantusingaVerifiedMethodofCommunication;or

(ii) TheApplicant’sRegisteredAgentorRegisteredOfficeintheJurisdictionofIncorporationaslistedintheofficialrecordsoftheIncorporatingAgency,withinstructionsthatitbeforwardedtoanappropriateConfirmingPerson;or

VerifiedMarkCertificateRequirementsv1.4 36

(iii) A named individual verified to be in the direct line of management above the Contract Signer or Certificate Approver by contacting the Applicant’s Human Resources Department by phone or mail (at the phone number or address for the Applicant’s Place of Business, verified in accordance with these Requirements).

(B) Means of Communication: The Confirmation Request MUST be directed to the Confirming Person in a manner reasonably likely to reach such person. The following options are acceptable:

(i) By paper mail addressed to the Confirming Person at:

(1) The address of the Applicant’s Place of Business as verified by the CA in accordance with these Requirements, or

(2) The business address for such Confirming Person specified in a current QGIS, QTIS, QIIS, Verified Professional Letter, or

(3) The address of the Applicant’s Registered Agent or Registered Office listed in the official records of the Jurisdiction of Incorporation, or

(ii) By e-mail addressed to the Confirming Person at the business e-mail address for such person listed in a current QGIS, QTIS, or QIIS, Verified Legal Opinion, or Verified Accountant Letter; or

(iii) By telephone call to the Confirming Person, where such person is contacted by calling the main phone number of the Applicant’s Place of Business (verified in accordance with these Requirements) and asking to speak to such person, and a person taking the call identifies him- or herself as such person; or

(iv) By facsimile to the Confirming Person at the Place of Business. The facsimile number must be listed in a current QGIS, QTIS, or QIIS, Verified Legal Opinion, or Verified Accountant Letter. The cover page must be clearly addressed to the Confirming Person.

(2) Confirmation Response: The CA MUST receive a response to the Confirmation Request from a Confirming Person that confirms the particular fact at issue. Such response MAY be provided to the CA by telephone, by e-mail, or by paper mail, so long as the CA can reliably verify that it was provided by a Confirming Person in response to the Confirmation Request.

(3) The CA MAY rely on a verified Confirming Person to confirm their own contact information: email address, telephone number, and facsimile number. The CA MAY rely on this verified contact information for future correspondence with the Confirming Person if:

(A) The domain of the e-mail address is owned by the Applicant and is the Confirming Person’s own e-mail address and not a group e-mail alias;

(B) The Confirming Person’s telephone/fax number is verified by the CA to be a telephone number that is part of the organization’s telephone system, and is not the personal phone number for the person.

3.2.13.5. Qualified Independent Information Source

A Qualified Independent Information Source (QIIS) is a regularly-updated and publicly available database that is generally recognized as a dependable source for certain information. A database qualifies as a QIIS if the CA determines that:

(1) Industries other than the certificate industry rely on the database for accurate location, contact, or other information; and

(2) The database provider updates its data on at least an annual basis.

The CA SHALL use a documented process to check the accuracy of the database and ensure its data is acceptable, including reviewing the database provider’s terms of use. The CA SHALL NOT use any data in a QIIS that the CA knows is (i) self-reported and (ii) not verified by the QIIS as accurate.

Databases in which the CA or its owners or affiliated companies maintain a controlling interest, or in which any Registration Authorities or subcontractors to whom the CA has outsourced any portion of the vetting process (or their owners or affiliated companies) maintain any ownership or beneficial interest, do not qualify as a QIIS.

3.2.13.6. Qualified Government Information Source

A Qualified Government Information Source (QGIS) is a regularly-updated and current, publicly available, database designed for the purpose of accurately providing the information for which it is consulted, and which is generally recognized as a dependable source of such information provided that it is maintained by a Government Entity, the reporting of data is required by law, and false or misleading reporting is punishable with criminal or civil penalties. Nothing in these Requirements SHALL prohibit the use of third-party vendors to obtain the information from the Government Entity provided that the third party obtains the information directly from the Government Entity.


3.2.13.7. Qualified Government Tax Information Source

A Qualified Government Tax Information Source is a Qualified Government Information Source that specifically contains tax information relating to Private Organizations, Business Entities or Individuals (e.g., the IRS in the United States).

3.2.14. Validation of Domain Authorization or Control

This section defines the permitted processes and procedures for validating the Applicant's ownership or control of the domain.

The CA SHALL confirm that prior to issuance, the CA has validated each Fully-Qualified Domain Name (FQDN) listed in the Certificate using at least one of the methods listed below.

Completed validations of Applicant authority may be valid for the issuance of multiple Certificates over time. In all cases, the validation must have been initiated within the time period specified in the relevant requirement (such as Section 4.2.1 of this document) prior to Certificate issuance. For purposes of domain validation, the term Applicant includes the Applicant's Parent Company, Subsidiary Company, or Affiliate.

CAs SHALL maintain a record of which domain validation method, including relevant VMC Requirements version number, they used to validate every domain.

Note: FQDNs may be listed in Subscriber Certificates using dNSNames in the subjectAltName extension or in Subordinate CA Certificates via dNSNames in permittedSubtrees within the Name Constraints extension.

3.2.14.1. Validating the Applicant as a Domain Contact

This method has been retired and MUST NOT be used. Prior validations using this method and validation data gathered according to this method SHALL NOT be used to issue certificates.

3.2.14.2. Email, Fax, SMS, or Postal Mail to Domain Contact

Confirming the Applicant's control over the FQDN by sending a Random Value via email, fax, SMS, or postal mail and then receiving a confirming response utilizing the Random Value. The Random Value MUST be sent to an email address, fax/SMS number, or postal mail address identified as a Domain Contact.

Each email, fax, SMS, or postal mail MAY confirm control of multiple Authorization Domain Names.

The CA MAY send the email, fax, SMS, or postal mail identified under this section to more than one recipient provided that every recipient is identified by the Domain Name Registrar as representing the Domain Name Registrant for every FQDN being verified using the email, fax, SMS, or postal mail.

The Random Value SHALL be unique in each email, fax, SMS, or postal mail.

The CA MAY resend the email, fax, SMS, or postal mail in its entirety, including re-use of the Random Value, provided that the communication's entire contents and recipient(s) remain unchanged.

The Random Value SHALL remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values, in which case the CA MUST follow its CPS.

Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN.

3.2.14.3. Phone Contact with Domain Contact

This method has been retired and MUST NOT be used. Prior validations using this method and validation data gathered according to this method SHALL NOT be used to issue certificates.

3.2.14.4. Constructed Email to Domain Contact

Confirm the Applicant's control over the FQDN by

1. sending an email to one or more addresses created by using 'admin', 'administrator', 'webmaster', 'hostmaster', or 'postmaster' as the local part, followed by the at-sign ("@"), followed by an Authorization Domain Name,

2. including a Random Value in the email, and

3. receiving a confirming response utilizing the Random Value.


Each email MAY confirm control of multiple FQDNs, provided the Authorization Domain Name used in the email is an Authorization Domain Name for each FQDN being confirmed.

The Random Value SHALL be unique in each email.

The email MAY be re-sent in its entirety, including the re-use of the Random Value, provided that its entire contents and recipient SHALL remain unchanged.

The Random Value SHALL remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values.

Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN.

3.2.14.5. Domain Authorization Document

This method has been retired and MUST NOT be used. Prior validations using this method and validation data gathered according to this method SHALL NOT be used to issue certificates.

3.2.14.6. Agreed-Upon Change to Website

This method has been retired and MUST NOT be used. Prior validations using this method and validation data gathered according to this method SHALL NOT be used to issue certificates.

3.2.14.7. DNS Change

Confirming the Applicant's control over the FQDN by confirming the presence of a Random Value or Request Token in a DNS CNAME, TXT or CAA record for either 1) an Authorization Domain Name; or 2) an Authorization Domain Name that is prefixed with a label that begins with an underscore character.

If a Random Value is used, the CA SHALL provide a Random Value unique to the Certificate request and SHALL not use the Random Value after (i) 30 days or (ii) if the Applicant submitted the Certificate request, the timeframe permitted for reuse of validated information relevant to the Certificate (such as in Section 4.2.1 of these Requirements).

Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN.

3.2.14.8. IP Address

This method has been retired and MUST NOT be used. Prior validations using this method and validation data gathered according to this method SHALL NOT be used to issue certificates.

3.2.14.9. Test Certificate

This method has been retired and MUST NOT be used. Prior validations using this method and validation data gathered according to this method SHALL NOT be used to issue certificates.

3.2.14.10. TLS Using a Random Number

This method has been retired and MUST NOT be used. Prior validations using this method and validation data gathered according to this method SHALL NOT be used to issue certificates.

3.2.14.11. Any Other Method

This method has been retired and MUST NOT be used.

3.2.14.12. Validating Applicant as a Domain Contact

Confirming the Applicant's control over the FQDN by validating the Applicant is the Domain Contact. This method may only be used if the CA is also the Domain Name Registrar, or an Affiliate of the Registrar, of the Base Domain Name.

Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN.


3.2.14.13. Email to DNS CAA Contact

Confirming the Applicant's control over the FQDN by sending a Random Value via email and then receiving a confirming response utilizing the Random Value. The Random Value MUST be sent to a DNS CAA Email Contact. The relevant CAA Resource Record Set MUST be found using the search algorithm defined in RFC 8659.

Each email MAY confirm control of multiple FQDNs, provided that each email address is a DNS CAA Email Contact for each Authorization Domain Name being validated. The same email MAY be sent to multiple recipients as long as all recipients are DNS CAA Email Contacts for each Authorization Domain Name being validated.

The Random Value SHALL be unique in each email. The email MAY be re-sent in its entirety, including the re-use of the Random Value, provided that its entire contents and recipient(s) SHALL remain unchanged. The Random Value SHALL remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values.

Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN.

3.2.14.14. Email to DNS TXT Contact

Confirming the Applicant's control over the FQDN by sending a Random Value via email and then receiving a confirming response utilizing the Random Value. The Random Value MUST be sent to a DNS TXT Record Email Contact for the Authorization Domain Name selected to validate the FQDN.

Each email MAY confirm control of multiple FQDNs, provided that each email address is DNS TXT Record Email Contact for each Authorization Domain Name being validated. The same email MAY be sent to multiple recipients as long as all recipients are DNS TXT Record Email Contacts for each Authorization Domain Name being validated.

The Random Value SHALL be unique in each email. The email MAY be re-sent in its entirety, including the re-use of the Random Value, provided that its entire contents and recipient(s) SHALL remain unchanged. The Random Value SHALL remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values.

Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN.

3.2.14.15. Phone Contact with Domain Contact

Confirm the Applicant's control over the FQDN by calling the Domain Contact’s phone number and obtain a confirming response to validate the ADN. Each phone call MAY confirm control of multiple ADNs provided that the same Domain Contact phone number is listed for each ADN being verified and they provide a confirming response for each ADN.

In the event that someone other than a Domain Contact is reached, the CA MAY request to be transferred to the Domain Contact.

In the event of reaching voicemail, the CA may leave the Random Value and the ADN(s) being validated. The Random Value MUST be returned to the CA to approve the request.

The Random Value SHALL remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values.

Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN.

3.2.14.16. Phone Contact with DNS TXT Record Phone Contact

Confirm the Applicant's control over the FQDN by calling the DNS TXT Record Phone Contact’s phone number and obtain a confirming response to validate the ADN. Each phone call MAY confirm control of multiple ADNs provided that the same DNS TXT Record Phone Contact phone number is listed for each ADN being verified and they provide a confirming response for each ADN.

The CA MAY NOT knowingly be transferred or request to be transferred as this phone number has been specifically listed for the purposes of Domain Validation.


In the event of reaching voicemail, the CA may leave the Random Value and the ADN(s) being validated. The Random Value MUST be returned to the CA to approve the request.

The Random Value SHALL remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values.

Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN.

3.2.14.17. Phone Contact with DNS CAA Phone Contact

Confirm the Applicant's control over the FQDN by calling the DNS CAA Phone Contact’s phone number and obtain a confirming response to validate the ADN. Each phone call MAY confirm control of multiple ADNs provided that the same DNS CAA Phone Contact phone number is listed for each ADN being verified and they provide a confirming response for each ADN. The relevant CAA Resource Record Set MUST be found using the search algorithm defined in RFC 8659.

The CA MUST NOT be transferred or request to be transferred as this phone number has been specifically listed for the purposes of Domain Validation.

In the event of reaching voicemail, the CA may leave the Random Value and the ADN(s) being validated. The Random Value MUST be returned to the CA to approve the request.

The Random Value SHALL remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values.

Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN.

3.2.14.18. Agreed-Upon Change to Website v2

Confirming the Applicant's control over the FQDN by verifying that the Request Token or Random Value is contained in the contents of a file.

1. The entire Request Token or Random Value MUST NOT appear in the request used to retrieve the file, and

2. the CA MUST receive a successful HTTP response from the request (meaning a 2xx HTTP status code must be received).

The file containing the Request Token or Random Number:

1. MUST be located on the Authorization Domain Name, and

2. MUST be located under the "/.well-known/pki-validation" directory, and

3. MUST be retrieved via either the "http" or "https" scheme, and

4. MUST be accessed over an Authorized Port.

If the CA follows redirects the following apply:

1. Redirects MUST be initiated at the HTTP protocol layer (e.g. using a 3xx status code).

2. Redirects MUST be the result of an HTTP status code result within the 3xx Redirection class of status codes, as defined in RFC 7231, Section 6.4.

3. Redirects MUST be to resource URLs with either the "http" or "https" scheme.

4. Redirects MUST be to resource URLs accessed via Authorized Ports.

If a Random Value is used, then:

1. The CA MUST provide a Random Value unique to the certificate request.

2. The Random Value MUST remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values, in which case the CA MUST follow its CPS.

Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN.
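The file-retrieval and redirect rules of Section 3.2.14.18 can be checked mechanically over the request chain a validation client records. The following is an added example, not part of the Requirements: the `Hop` record, the violation labels, the sample chains and the Authorized Ports set (taken from the CA/Browser Forum Baseline Requirements, since this section does not list them) are assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumption: this section does not list the Authorized Ports; these are the
# values defined in the CA/Browser Forum Baseline Requirements.
AUTHORIZED_PORTS = {80, 443, 25, 22}
DEFAULT_PORTS = {"http": 80, "https": 443}
WELL_KNOWN_PREFIX = "/.well-known/pki-validation/"


@dataclass
class Hop:
    """One request/response pair recorded by a (hypothetical) validation client."""
    url: str
    status: int
    body: str = ""


def validate_fetch(adn, random_value, hops):
    """Return a list of rule violations; an empty list means the fetch passes."""
    if not hops:
        return ["no-request"]
    problems = []
    for i, hop in enumerate(hops):
        parts = urlsplit(hop.url)
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORTS:            # only "http" or "https"
            problems.append(f"hop{i}:scheme")
        try:
            port = parts.port or DEFAULT_PORTS.get(scheme)
        except ValueError:                         # malformed port in the URL
            port = None
        if port not in AUTHORIZED_PORTS:
            problems.append(f"hop{i}:port")
        if random_value in hop.url:                # token must not be in the request
            problems.append(f"hop{i}:token-in-request")
        is_last = i == len(hops) - 1
        if not is_last and not 300 <= hop.status <= 399:
            # A hop that was followed without a 3xx status was not an
            # HTTP-layer redirect (e.g. meta refresh or script).
            problems.append(f"hop{i}:redirect-not-3xx")
    # Host and path rules are applied to the initial request only; the redirect
    # rules in the section constrain scheme and port (this example's reading).
    first = urlsplit(hops[0].url)
    if (first.hostname or "").rstrip(".").lower() != adn.rstrip(".").lower():
        problems.append("hop0:host")
    if not first.path.startswith(WELL_KNOWN_PREFIX):
        problems.append("hop0:path")
    final = hops[-1]
    if not 200 <= final.status <= 299:
        problems.append("final:not-2xx")
    elif random_value not in final.body:
        problems.append("final:token-missing")
    return problems


# Constructed sample data (not real validation traffic).
SAMPLE_RV = "k3Vq9ZrT0mXw2LbA7yNcE5sHd1uGfJ8p"
BASE = "http://example.com/.well-known/pki-validation/fileauth.txt"
SAMPLE_CHAINS = {
    "ok": [Hop(BASE, 301),
           Hop("https://example.com/.well-known/pki-validation/fileauth.txt",
               200, SAMPLE_RV)],
    "bad_port": [Hop(BASE, 302),
                 Hop("https://cdn.example.net:8443/fileauth.txt", 200, SAMPLE_RV)],
    "token_in_url": [Hop("http://example.com/.well-known/pki-validation/"
                         + SAMPLE_RV + ".txt", 200, SAMPLE_RV)],
    "not_found": [Hop(BASE, 404)],
    "script_redirect": [Hop(BASE, 200, "<script>location='/x'</script>"),
                        Hop("http://example.com/x", 200, SAMPLE_RV)],
}

if __name__ == "__main__":
    for name, chain in SAMPLE_CHAINS.items():
        print(name, validate_fetch("example.com", SAMPLE_RV, chain))
```
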

3.2.14.19. Agreed-Upon Change to Website - ACME

Confirming the Applicant's control over a FQDN by validating domain control of the FQDN using the ACME HTTP Challenge method defined in section 8.3 of RFC 8555. The following are additive requirements to RFC 8555.


The CA MUST receive a successful HTTP response from the request (meaning a 2xx HTTP status code must be received).

The token (as defined in RFC 8555, section 8.3) MUST NOT be used for more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values, in which case the CA MUST follow its CPS.

If the CA follows redirects:

1. Redirects MUST be initiated at the HTTP protocol layer (e.g. using a 3xx status code).

2. Redirects MUST be the result of an HTTP status code result within the 3xx Redirection class of status codes, as defined in RFC 7231, Section 6.4.

3. Redirects MUST be to resource URLs with either the "http" or "https" scheme.

4. Redirects MUST be to resource URLs accessed via Authorized Ports.

Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN.

3.2.14.20. TLS Using ALPN

Confirming the Applicant’s control over a FQDN by validating domain control of the FQDN by negotiating a new application layer protocol using the TLS Application-Layer Protocol Negotiation (ALPN) Extension [RFC 7301] as defined in RFC 8737. The following are additive requirements to RFC 8737.

The token (as defined in RFC 8737, section 3) MUST NOT be used for more than 30 days from its creation. The CPS MAY specify a shorter validity period for the token, in which case the CA MUST follow its CPS.

3.2.15. CAA Records for Verified Mark Certificates

(1) As part of the issuance process, the CA MUST check for CAA records and follow the processing instructions found, for each dNSName in the subjectAltName extension of the certificate to be issued, as specified in Subsection (2). If the CA issues, they MUST do so within the TTL of the CAA record, or 8 hours, whichever is greater. CAA checking is optional for VMCs issued before January 1, 2021, but MUST be done for VMCs issued on or after January 1, 2022.

This stipulation does not prevent the CA from checking CAA records at any other time.

RFC 8659 requires that CAs "MUST NOT issue a certificate unless either (1) the certificate request is consistent with the applicable CAA Resource Record set or (2) an exception specified in the relevant Certificate Policy or Certification Practices Statement applies." For issuances conforming to these Requirements, CAs MUST NOT rely on any exceptions specified in their CP or CPS unless they are one of the following:

• CAA checking is optional for certificates for which a Certificate Transparency pre-certificate was created and logged in at least one public log listed in Appendix F, and for which CAA was checked.

• CAA checking is optional if the CA or an Affiliate of the CA is the DNS Operator (as defined in RFC 7719) of the domain's DNS.

CAs are permitted to treat a record lookup failure as permission to issue if:

• the failure is outside the CA's infrastructure; and

• the lookup has been retried at least once; and

• the domain's zone does not have a DNSSEC validation chain to the ICANN root.

CAs MUST document potential issuances that were prevented by a CAA record and SHOULD dispatch reports of such issuance requests to the contact(s) stipulated in the CAA iodef record(s), if present. CAs are not expected to support URL schemes in the iodef record other than mailto: or https:.

(2) Prior to the issuance of Verified Mark Certificates, the CA MUST check for the publication of a Relevant RRSet for each FQDN to be included in a dNSName within the Verified Mark Certificate’s subjectAlternativeName extension. The Relevant RRSet for each FQDN must be determined using the algorithm defined in section 3 of RFC 8659.

For each FQDN, if a Relevant RRSet exists, the CA MUST NOT issue the Certificate unless the CA determines that the certificate request is consistent with the Relevant RRSet.

If the Relevant RRSet for an FQDN does not contain any Property Tags that restrict issuance of a Verified Mark Certificate and does not contain any unrecognized Property Tags that are marked critical, then the Relevant RRSet does not restrict issuance of a Verified Mark Certificate containing the given FQDN. In particular, CAA records with “issue” and “issuewild” Property Tags do not restrict the issuance of Verified Mark Certificates.

If a CAA record with the “issuevmc” Property Tag is present in the Relevant RRset for an FQDN, it is a request that the CA:

1. Perform CAA issue restriction processing for the FQDN, and

2. Grant authorization to issue Verified Mark Certificates containing that FQDN to the holder of the issuer-domain-name or a party acting under the explicit authority of the holder of the issuer-domain-name.

The sub-syntax of the “issuevmc” Property Tag value is the same as the “issue” Property Tag as defined in section 4.2 of RFC 8659. The semantics of the “issuevmc” Property Tag are similar to the “issue” Property Tag, with the only difference being that the “issuevmc” Property Tag restricts issuance of Verified Mark Certificates as opposed to TLS Server Authentication Certificates.
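The “issuevmc” processing in Section 3.2.15(2) can be expressed as a small decision function. The following is an added example, not part of the Requirements: it models DNS as an in-memory dictionary, and the zone contents, issuer domain names, function names and the set of tags the example CA recognizes are assumptions.

```python
CRITICAL = 0x80  # issuer-critical flag bit of a CAA record (RFC 8659)

# Assumption: the Property Tags this example CA understands.
RECOGNIZED_TAGS = {"issue", "issuewild", "iodef", "issuevmc"}


def relevant_rrset(fqdn, zone):
    """RFC 8659 section 3: climb from the FQDN toward the root and return the
    first non-empty CAA RRSet. `zone` maps names to lists of
    (flags, tag, value) tuples and stands in for real DNS lookups."""
    labels = fqdn.rstrip(".").lower().split(".")
    while labels:
        rrset = zone.get(".".join(labels), [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def issuer_of(value):
    """issuer-domain-name part of an issue/issuevmc value.
    Returns '' for a value such as ';' that names no issuer."""
    return value.split(";", 1)[0].strip().lower().rstrip(".")


def may_issue_vmc(fqdn, ca_issuer_domains, zone):
    """Return (allowed, reason) for issuing a VMC that contains `fqdn`."""
    rrset = relevant_rrset(fqdn, zone)
    for flags, tag, _value in rrset:
        if flags & CRITICAL and tag.lower() not in RECOGNIZED_TAGS:
            return False, f"unrecognized critical tag {tag!r}"
    # Only issuevmc restricts VMC issuance; issue and issuewild are ignored.
    vmc_issuers = [issuer_of(v) for _f, t, v in rrset if t.lower() == "issuevmc"]
    if not vmc_issuers:
        return True, "no issuevmc restriction in Relevant RRSet"
    if any(name and name in ca_issuer_domains for name in vmc_issuers):
        return True, "CA is named in an issuevmc record"
    return False, "issuevmc present but CA is not named"


# Constructed sample zone (not real DNS data).
SAMPLE_ZONE = {
    "example.com": [(0, "issue", "tls-ca.example"),
                    (0, "issuevmc", "vmc-ca.example; account=1234")],
    # A subdomain with its own RRSet shadows the parent's issuevmc record.
    "mail.example.com": [(0, "issue", "tls-ca.example")],
    "example.org": [(0, "issuevmc", ";")],          # no VMC issuer authorized
    "example.net": [(128, "futuretag", "x")],       # unknown tag marked critical
}

if __name__ == "__main__":
    for name in ("brand.example.com", "mail.example.com",
                 "example.org", "example.net", "nocaa.example"):
        print(name, may_issue_vmc(name, {"vmc-ca.example"}, SAMPLE_ZONE))
```

The `mail.example.com` case shows a consequence of the RFC 8659 tree climb: an RRSet published at a subdomain that lacks “issuevmc” leaves VMC issuance for that name unrestricted, even though the parent domain restricts it.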

3.2.16. Registered Mark Verification

In addition to the identity and domain verification required by Section 3.1, CAs issuing Verified Mark Certificates SHALL perform verification of the submitted Registered Mark as follows:

3.2.16.1. Registered Mark Verification

3.2.16.1.1. Verification of Mark with Trademark Office

The Subscriber will provide the CA with (a) the Registered Mark’s trademark registration number and name of the Trademark Office that granted the trademark registration, and (b) the Mark Representation in SVG format that the Applicant wishes to include in the Verified Mark Certificate.

Registered Marks must be in good standing and MUST be verified through consultation with the official database of the applicable Trademark Office, to be eligible for inclusion within a Verified Mark Certificate. In addition, only Registered Marks are eligible for inclusion within the logotype (as defined in RFC 3709). For clarity and without limitation, unregistered marks are not eligible as a logotype in the registered mark profile.

In the alternative, the CA may verify the Registered Mark through the WIPO Global Brand Database at https://www3.wipo.int/branddb/en/

The CA SHALL confirm that the Mark Representation submitted by the Subject organization matches the Registered Mark as it appears in the official database of the applicable Trademark Office or the WIPO Global Brand Database. In determining whether the Mark Representation matches the Registered Mark, the CA SHALL maintain a record of its decisions and reasons therefor. The CA may, but is not required to, follow the guidelines in Appendix E for comparison of the Registered Trademark with the Mark Representation.

The CA SHALL also retain a screenshot or other record of the Mark Representation provided by the Applicant and all information about the Registered Mark obtained from the applicable Trademark Office as well as all other supporting data that the CA relies upon in issuing the Verified Mark Certificate.


3.2.16.1.2. Verification of Registered Mark Ownership or License

The CA SHALL confirm that the owner of the Registered Mark identified in the official database of the applicable Trademark Office or the WIPO Global Brand Database is the same Subject organization verified by the Verified Mark vetting process under Section 3.2 (or to a Parent, Subsidiary, or Affiliate of the organization as confirmed in accordance with the Verified Mark Requirements), or if the owner of the Registered Mark is not the same organization, that the Subject organization has obtained the right to use the Registered Mark through a mutually agreed-upon license from the entity who is the owner of record of the Registered Mark (or a Parent, Subsidiary, or Affiliate of the owner).

If the owner of a Registered Mark is not the Applicant, the Applicant may only use the Registered Mark if the CA obtains an authorization letter from the owner of record of the Registered Mark.

In determining whether the Applicant is the owner or a licensee of the Registered Mark corresponding to the Mark Representation, the CA SHALL maintain a record of its decisions and reasons therefor in the CA’s records required in section 3.2.1.

3.2.16.1.3. Color Restrictions

Mark Representations in Verified Mark Certificates for Combined Marks and Design Marks SHALL only be in colors as permitted for the Registered Mark by the applicable Trademark Office. The CA SHALL examine the Registered Mark to determine what rights, if any, the Subject organization has to use of the Registered Mark in the colors of the Mark Representation submitted by the Subscriber.

In determining whether the colors in the Mark Representation submitted by the Subscriber match the colors permitted by the Registered Mark registration, the CA SHALL maintain a record of its decision and reasons therefor in the CA’s records required in section 3.2.1.

3.2.16.2. Government Mark Verification

VMCs may be issued to Government Entities for Government Marks under the Registered Mark Profile designated by a Certificate General Policy Identifier OID (1.3.6.1.4.1.53087.1.1) as described under Section 7.1.2.2 and 7.1.2.3.

The CA SHALL confirm that a Mark or equivalent was granted to or claimed by a Government Entity or Non-Commercial Entity (International Organization) (or granted to a private organization or other organization by a Government Entity or Non-Commercial Entity [International Organization] through official statute, regulation, treaty, or government action) as it appears or is described in the statute, regulation, treaty, or government action and confirmed by a Mark Verifying Authority.

In addition to the identity and domain verification required by Section 3.2, CAs issuing Verified Mark Certificates SHALL perform verification of the submitted Government Mark as follows:

3.2.16.2.1. Verification of Statute, Regulation, Treaty, or Action

The CA SHALL confirm that the Government Mark was granted to or claimed by a Government Entity or Non-Commercial Entity (International Organization) (or granted to a private organization or other organization by a Government Entity or Non-Commercial Entity (International Organization) through official statute, regulation, treaty, or government action by confirming the grant or claim in publicly available records of the statute, regulation, treaty, or government action. The CA shall maintain a copy of the statute, regulation, treaty, or government action including all official references (e.g., statute or regulation number and jurisdiction) and a copy of the Mark image as contained in or referenced by the statute or regulation.

Example: US Department of the Treasury - Treasury Order 100-01 approving the design of the Treasury seal which accompanies the Order, pursuant to 31 U.S.C. § 301(g).


The CA SHALL also retain a screenshot or other record of the Mark Representation provided by the Applicant and all information supporting the verification of the Government Mark obtained from the applicable statute, regulation, treaty, or government action.

3.2.16.2.2. Verification of Government Mark Ownership or License

The CA SHALL confirm that the owner of the Government Mark confirmed under subsection (1) is the same Subject organization verified by the Verified Mark vetting process under Section 3.2, or if the owner of the Government Mark is not the same Subject organization, that the Subject organization has obtained the right to use the Government Mark through statute, regulation, treaty, or government action, or by a mutually agreed-upon license from the entity who is the owner of record of the Government Mark.

If the owner of a Government Mark is not the Applicant, the Applicant may only use the Government Mark if the CA obtains an authorization letter from the owner of record of the Government Mark.

In determining whether the Applicant is the owner or a licensee of the Government Mark corresponding to the Mark Representation, the CA SHALL maintain a record of its decisions and reasons therefor in the CA’s records required in section 3.2.1.

3.2.16.2.3. Confirmation of Mark Representation

The CA SHALL confirm that the Mark Representation submitted by the Applicant matches the Government Mark as confirmed under subsection (1). In determining whether the Mark Representation matches the Government Mark so confirmed, the CA SHALL maintain a record of its decisions and reasons therefor. The CA MAY follow the guidelines in Appendix E for comparison of the Government Mark as confirmed with the Mark Representation.

3.2.16.2.4. Color Restrictions

Mark Representations in Verified Mark Certificates for Combined Marks and Design Marks SHALL only be in colors as permitted for the Government Mark by the applicable statute, regulation, treaty, or government action verified by the CA. The CA SHALL examine the Government Mark to determine what rights, if any, the Subject organization has to use of the Government Mark in the colors of the Mark Representation submitted by the Subscriber.

In determining whether the colors in the Mark Representation submitted by the Subscriber match the colors permitted by the statute, regulation, treaty, or government action verified by the CA, the CA SHALL maintain a record of its decision and reasons therefor in the CA’s records required in section 3.2.1.

3.2.17. Other Verification Requirements

3.2.17.1. Denied Lists and Other Legal Block Lists

(1) Verification Requirements: The CA MUST verify whether the Applicant, the Contract Signer, the Certificate Approver, the Applicant’s Jurisdiction of Incorporation, Registration, or Place of Business:

(A) Is identified on any government denied list, list of prohibited persons, or other list that prohibits doing business with such organization or person under the laws of the country of the CA’s jurisdiction(s) of operation; or

(B) Has its Jurisdiction of Incorporation, Registration, or Place of Business in any country with which the laws of the CA’s jurisdiction prohibit doing business.

The CA MUST NOT issue any Verified Mark Certificate to the Applicant if either the Applicant, the Contract Signer, or Certificate Approver or if the Applicant’s Jurisdiction of Incorporation or Registration or Place of Business is on any such list.


(2) Acceptable Methods of Verification: The CA MUST take reasonable steps to verify with the following lists and regulations:

(A) If the CA has operations in the U.S., the CA MUST take reasonable steps to verify with the following US Government denied lists and regulations:

(i) BIS Denied Persons List - http://www.bis.doc.gov/dpl/thedeniallist.asp

(ii) BIS Denied Entities List - http://www.bis.doc.gov/Entities/Default.htm

(iii) US Treasury Department List of Specially Designated Nationals and Blocked Persons - http://www.treas.gov/ofac/t11sdn.pdf

(iv) US Government export regulations

(B) If the CA has operations in any other country, the CA MUST take reasonable steps to verify with all equivalent denied lists and export regulations (if any) in such other country.

3.2.17.2. Parent/Subsidiary/Affiliate Relationship

A CA verifying an Applicant using information of the Applicant's Parent, Subsidiary, or Affiliate, when allowed under section 3.2.7.1, 3.2.8.2, 3.2.9.1, or 3.2.14, MUST verify the Applicant's relationship to the Parent, Subsidiary, or Affiliate. Acceptable methods of verifying the Applicant's relationship to the Parent, Subsidiary, or Affiliate include the following:

(1) QIIS or QGIS: The relationship between the Applicant and the Parent, Subsidiary, or Affiliate is identified in a QIIS or QGIS;

(2) Independent Confirmation from the Parent, Subsidiary, or Affiliate: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by obtaining an Independent Confirmation from the appropriate Parent, Subsidiary, or Affiliate (as described in Section 3.2.13.2);

(3) Contract between CA and Parent, Subsidiary, or Affiliate: A CA MAY verify the relationship between an Applicant and a Parent, Subsidiary, or Affiliate by relying on a contract between the CA and the Parent, Subsidiary, or Affiliate that designates the Certificate Approver with such VMC Authority, provided that the contract is signed by the Contract Signer and provided that the agency and Signing Authority of the Contract Signer have been verified;

(4) Corporate Resolution: A CA MAY verify the relationship between an Applicant and a Subsidiary by relying on a properly authenticated corporate resolution that approves creation of the Subsidiary or the Applicant, provided that such resolution is (i) certified by the appropriate corporate officer (e.g., secretary), and (ii) the CA can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification.

3.2.18. Final Cross-Correlation and Due Diligence

(1) The results of the verification processes and procedures outlined in these Requirements are intended to be viewed both individually and as a group. Thus, after all of the verification processes and procedures are completed, the CA MUST have a second Validation Specialist who is not responsible for the collection of information review all of the information and documentation assembled in support of the Verified Mark Certificate application and look for discrepancies or other details requiring further explanation.

(2) The CA MUST obtain and document further explanation or clarification from the Applicant, Certificate Approver, Certificate Requester, Qualified Independent Information Sources, and/or other sources of information, as necessary, to resolve those discrepancies or details that require further explanation.

(3) The CA MUST refrain from issuing a Verified Mark Certificate until the entire corpus of information and documentation assembled in support of the Verified Mark Certificate Request is such that issuance of the Verified Mark Certificate will not communicate factual information that the CA knows, or the exercise of due diligence should discover from the assembled information and documentation, to be inaccurate. If satisfactory explanation and/or additional documentation are not received within a reasonable time, the CA MUST decline the Verified Mark Certificate Request and SHOULD notify the Applicant accordingly.

(4) In the case where some or all of the documentation used to support the application is in a language other than the CA’s normal operating language, the CA or its Affiliate MUST perform the requirements of this Final Cross-Correlation and Due Diligence section using employees under its control and having appropriate training, experience, and judgment in confirming organizational identification and authorization and fulfilling all qualification requirements contained in Section 5.3 of these Requirements. When employees under the control of the CA do not possess the language skills necessary to perform the Final Cross-Correlation and Due Diligence a CA MAY rely on language translations of the relevant portions of the documentation, provided that the translations are received from a Translator.

3.2.19. Criteria for Interoperation or Certification

The CA SHALL disclose all Cross Certificates that identify the CA as the Subject, provided that the CA arranged for or accepted the establishment of the trust relationship (i.e. the Cross Certificate at issue).

3.3. IDENTIFICATION AND AUTHENTICATION FOR RE-KEY REQUESTS

3.3.1. Identification and Authentication for Routine Re-key

No stipulation.

3.3.2. Identification and Authentication for Re-key After Revocation

No stipulation.

3.4. IDENTIFICATION AND AUTHENTICATION FOR REVOCATION REQUEST

No stipulation.

4. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS

4.1. CERTIFICATE APPLICATION

4.1.1. Who Can Submit a Certificate Application

In accordance with Section 5.5.2, the CA SHALL maintain an internal database of all previously revoked Certificates and previously rejected certificate requests due to suspected phishing or other fraudulent usage or concerns. The CA SHALL use this information to identify subsequent suspicious certificate requests.

The CA SHALL establish a process that allows an Applicant to specify the individuals who may request Certificates. If an Applicant specifies, in writing, the individuals who may request a Certificate, then the CA SHALL NOT accept any certificate requests that are outside this specification. The CA SHALL provide an Applicant with a list of its authorized certificate requesters upon the Applicant’s verified written request.

4.1.2. Enrollment Process and Responsibilities

Prior to the issuance of a Certificate, the CA SHALL obtain the following documentation from the Applicant:

1. A certificate request, which may be electronic; and
2. An executed Subscriber Agreement or Terms of Use, which may be electronic.

The CA SHOULD obtain any additional documentation the CA determines necessary to meet these Requirements. Prior to the issuance of a Certificate, the CA SHALL obtain from the Applicant a certificate request in a form prescribed by the CA and that complies with these Requirements. One certificate request MAY suffice for multiple Certificates to be issued to the same Applicant, subject to the aging and updating requirement in Section 4.2.1, provided that each Certificate is supported by a valid, current certificate request signed by the appropriate Applicant Representative on behalf of the Applicant. The certificate request MAY be made, submitted and/or signed electronically.

The certificate request MUST contain a request from, or on behalf of, the Applicant for the issuance of a Certificate, and a certification by, or on behalf of, the Applicant that all of the information contained therein is correct.

4.2. CERTIFICATE APPLICATION PROCESSING

4.2.1. Performing Identification and Authentication Functions

The certificate request MAY include all factual information about the Applicant to be included in the Certificate, and such additional information as is necessary for the CA to obtain from the Applicant in order to comply with these Requirements and the CA’s Certificate Policy and/or Certification Practice Statement. In cases where the certificate request does not contain all the necessary information about the Applicant, the CA SHALL obtain the remaining information from the Applicant or, having obtained it from a reliable, independent, third-party data source, confirm it with the Applicant. The CA SHALL establish and follow a documented procedure for verifying all data requested for inclusion in the Certificate by the Applicant. Applicant information MUST include, but not be limited to, at least one Fully-Qualified Domain Name to be included in the Certificate’s SubjectAltName extension.

Section 6.3.2 limits the validity period of Subscriber Certificates. The CA MAY use the documents and data provided in Section 3.2 to verify certificate information, or may reuse previous validations themselves, provided that the CA obtained the data or document from a source specified under Section 3.2 or completed the validation itself no more than 398 days prior to issuing the Certificate. In no case may a prior validation be reused if any data or document used in the prior validation was obtained more than the maximum time permitted for reuse of the data or document prior to issuing the Certificate.

As an exception to the validation reuse period of 398 days defined above, face-to-face validation is not required more than once for any Subscriber Organization (or Parent, Subsidiary, or Affiliate) so long as the CA has maintained continuous contact with one or more Subscriber representatives and maintains a system for authorization by the Subscriber of new Subscriber representatives (or representatives of a Parent, Subsidiary, or Affiliate). “Continuous contact” means the CA has one or more direct contacts with a Subscriber representative during the validity period of any VMC issued to the Subscriber or within 90 days of the expiration of the last of the Subscriber’s VMC to expire.

After the change to any validation method specified in the Verified Mark Requirements, a CA may continue to reuse validation data or documents collected prior to the change, or the validation itself, for the period stated in this section unless otherwise specifically provided in these Requirements.

4.2.2. Approval or Rejection of Certificate Applications

CAs SHALL NOT issue certificates containing Internal Names (see section 7.1.4.2.1).

4.2.3. Time to Process Certificate Applications

No stipulation.

4.3. CERTIFICATE ISSUANCE

4.3.1. CA Actions during Certificate Issuance

Certificate issuance by the Root CA SHALL require an individual authorized by the CA (i.e. the CA system operator, system officer, or PKI administrator) to deliberately issue a direct command in order for the Root CA to perform a certificate signing operation.

Before issuance of a Verified Mark Certificate, the CA SHALL log the Verified Mark Certificate pre-certificate (including all the data included in the Subject field of the certificate plus the Mark Representation) to one or more public CT logs. The list of CT logs that are acceptable for the fulfillment of this requirement is found in Appendix F.

4.3.2. Notification of Certificate Issuance

No stipulation.

4.4. CERTIFICATE ACCEPTANCE

4.4.1. Conduct constituting certificate acceptance

No stipulation.

4.4.2. Publication of the certificate by the CA

No stipulation.

4.4.3. Notification of certificate issuance by the CA to other entities

No stipulation.

4.5. KEY PAIR AND CERTIFICATE USAGE

4.5.1. Subscriber private key and certificate usage

The Subscriber private key does not need to be protected, and may be discarded.

4.5.2. Relying party public key and certificate usage

No stipulation.

4.6. CERTIFICATE RENEWAL

4.6.1. Circumstance for certificate renewal

No stipulation.

4.6.2. Who may request renewal

No stipulation.

4.6.3. Processing certificate renewal requests

No stipulation.

4.6.4. Notification of new certificate issuance to subscriber

No stipulation.

4.6.5. Conduct constituting acceptance of a renewal certificate

No stipulation.

4.6.6. Publication of the renewal certificate by the CA

No stipulation.

4.6.7. Notification of certificate issuance by the CA to other entities

No stipulation.

4.7. CERTIFICATE RE-KEY

4.7.1. Circumstance for certificate re-key

No stipulation.

4.7.2. Who may request certification of a new public key

No stipulation.

4.7.3. Processing certificate re-keying requests

No stipulation.

4.7.4. Notification of new certificate issuance to subscriber

No stipulation.

4.7.5. Conduct constituting acceptance of a re-keyed certificate

No stipulation.

4.7.6. Publication of the re-keyed certificate by the CA

No stipulation.

4.7.7. Notification of certificate issuance by the CA to other entities

No stipulation.

4.8. CERTIFICATE MODIFICATION

4.8.1. Circumstance for certificate modification

No stipulation.

4.8.2. Who may request certificate modification

No stipulation.

4.8.3. Processing certificate modification requests

The CA may rely on a previously verified certificate request to issue a replacement certificate, so long as the certificate being referenced was not revoked due to fraud or other illegal conduct, if:

(1) The expiration date of the replacement certificate is the same as the expiration date of the VMC that is being replaced, and
(2) The Subject Information of the Certificate is the same as the Subject in the VMC that is being replaced.

4.8.4. Notification of new certificate issuance to subscriber

No stipulation.

4.8.5. Conduct constituting acceptance of modified certificate

No stipulation.

4.8.6. Publication of the modified certificate by the CA

No stipulation.

4.8.7. Notification of certificate issuance by the CA to other entities

No stipulation.

4.9. CERTIFICATE REVOCATION AND SUSPENSION

4.9.1. Circumstances for Revocation

4.9.1.1. Reasons for Revoking a Subscriber Certificate

The CA SHALL revoke a Certificate within 24 hours if one or more of the following occurs:

1. The Subscriber requests in writing that the CA revoke the Certificate;
2. The Subscriber notifies the CA that the original certificate request was not authorized and does not retroactively grant authorization; or
3. The CA obtains evidence that the validation of domain authorization or control for any Fully-Qualified Domain Name in the Certificate should not be relied upon.

The CA SHOULD revoke a certificate within 24 hours and MUST revoke a Certificate within 5 days if one or more of the following occurs:

1. The Certificate no longer complies with the requirements of Sections 6.1.5 and 6.1.6;
2. The CA obtains evidence that the Certificate was misused;
3. The CA is made aware that a Subscriber has violated one or more of its material obligations under the Subscriber Agreement or Terms of Use;
4. The CA is made aware of any circumstance indicating that use of a Fully-Qualified Domain in the Certificate is no longer legally permitted (e.g. a court or arbitrator has revoked a Domain Name Registrant's right to use the Domain Name, a relevant licensing or services agreement between the Domain Name Registrant and the Applicant has terminated, or the Domain Name Registrant has failed to renew the Domain Name);
5. The CA is made aware of a material change in the information contained in the Certificate;
6. The CA is made aware that the Certificate was not issued in accordance with these Requirements or the CA's Certificate Policy or Certification Practice Statement;
7. The CA determines or is made aware that any of the information appearing in the Certificate is inaccurate;
8. The CA's right to issue Certificates under these Requirements expires or is revoked or terminated, unless the CA has made arrangements to continue maintaining the CRL/OCSP Repository;
9. Revocation is required by the CA's Certificate Policy and/or Certification Practice Statement.

4.9.1.2. Reasons for Revoking a Subordinate CA Certificate

The Issuing CA SHALL revoke a Subordinate CA Certificate within seven (7) days if one or more of the following occurs:

1. The Subordinate CA requests revocation in writing;
2. The Subordinate CA notifies the Issuing CA that the original certificate request was not authorized and does not retroactively grant authorization;
3. The Issuing CA obtains evidence that the Subordinate CA's Private Key corresponding to the Public Key in the Certificate suffered a Key Compromise or no longer complies with the requirements of Sections 6.1.5 and 6.1.6;
4. The Issuing CA obtains evidence that the Certificate was misused;
5. The Issuing CA is made aware that the Certificate was not issued in accordance with or that Subordinate CA has not complied with this document or the applicable Certificate Policy or Certification Practice Statement;
6. The Issuing CA determines that any of the information appearing in the Certificate is inaccurate or misleading;
7. The Issuing CA or Subordinate CA ceases operations for any reason and has not made arrangements for another CA to provide revocation support for the Certificate;
8. The Issuing CA's or Subordinate CA's right to issue Certificates under these Requirements expires or is revoked or terminated, unless the Issuing CA has made arrangements to continue maintaining the CRL/OCSP Repository; or
9. Revocation is required by the Issuing CA's Certificate Policy and/or Certification Practice Statement.

4.9.2. Who Can Request Revocation

The Subscriber, RA, or Issuing CA can initiate revocation. Additionally, Subscribers, Relying Parties, Application Software Suppliers, and other third parties may submit Certificate Problem Reports informing the issuing CA of reasonable cause to revoke the certificate.

4.9.3. Procedure for Revocation Request

The CA SHALL provide a process for Subscribers to request revocation of their own Certificates. The process MUST be described in the CA's Certificate Policy or Certification Practice Statement. The CA SHALL maintain a continuous 24x7 ability to accept and respond to revocation requests and Certificate Problem Reports.

The CA SHALL provide Subscribers, Relying Parties, Application Software Suppliers, and other third parties with clear instructions for reporting suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, misuse, inappropriate conduct, or any other matter related to Certificates. The CA SHALL publicly disclose the instructions through a readily accessible online means and in section 1.5.2 of their CPS.

4.9.4. Revocation Request Grace Period

No stipulation.

4.9.5. Time within which CA Must Process the Revocation Request

Within 24 hours after receiving a Certificate Problem Report, the CA SHALL investigate the facts and circumstances related to a Certificate Problem Report and provide a preliminary report on its findings to both the Subscriber and the entity who filed the Certificate Problem Report.

4.9.6. Revocation Checking Requirement for Relying Parties

No stipulation.

Note: Following certificate issuance, a certificate may be revoked for reasons stated in Section 4.9.1. Therefore, relying parties should check the revocation status of all certificates that contain a CDP or OCSP pointer.

4.9.7. CRL Issuance Frequency

For the status of Subscriber Certificates: If the CA publishes a CRL, then the CA SHALL update and reissue CRLs at least once every seven days, and the value of the nextUpdate field MUST NOT be more than ten days beyond the value of the thisUpdate field.

For the status of Subordinate CA Certificates: The CA SHALL update and reissue CRLs at least (i) once every twelve months and (ii) within 24 hours after revoking a Subordinate CA Certificate, and the value of the nextUpdate field MUST NOT be more than twelve months beyond the value of the thisUpdate field.

4.9.8. Maximum Latency for CRLs

No stipulation.

4.9.9. On-line Revocation/Status Checking Availability

OCSP responses MUST conform to RFC6960 and/or RFC5019. OCSP responses MUST either:

1. Be signed by the CA that issued the Certificates whose revocation status is being checked, or
2. Be signed by an OCSP Responder whose Certificate is signed by the CA that issued the Certificate whose revocation status is being checked.

In the latter case, the OCSP signing Certificate MUST contain an extension of type id-pkix-ocsp-nocheck, as defined by RFC6960.

4.9.10. On-line Revocation Checking Requirements

OCSP responders operated by the CA SHALL support the HTTP GET method, as described in RFC6960 and/or RFC5019.

For the status of Subscriber Certificates which include an Authority Information Access extension with an id-ad-ocsp accessMethod (“AIA OCSP pointer”):

• The CA SHALL update information provided via an Online Certificate Status Protocol at least every four days. OCSP responses from this service MUST have a maximum expiration time of ten days.

CAs MAY decline to provide definitive responses for the status of Subscriber Certificates which do not include an Authority Information Access extension with an id-ad-ocsp accessMethod (“AIA OCSP pointer”).

For the status of Subordinate CA Certificates:

• The CA SHALL update information provided via an Online Certificate Status Protocol (i) at least every twelve months; and (ii) within 24 hours after revoking a Subordinate CA Certificate.

If the OCSP responder receives a request for the status of a certificate serial number that is "unused", then the responder MUST NOT respond with a "good" status. The OCSP responder MAY provide definitive responses about "reserved" certificate serial numbers, as if there was a corresponding Certificate that matches the Precertificate [RFC6962].

A certificate serial number within an OCSP request is one of the following three options:

1. "assigned" if a Certificate with that serial number has been issued by the Issuing CA, using any current or previous key associated with that CA subject; or
2. "reserved" if a Precertificate [RFC6962] with that serial number has been issued by (a) the Issuing CA; or (b) a Precertificate Signing Certificate [RFC6962] associated with the Issuing CA; or
3. "unused" if neither of the previous conditions are met.
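The serial-number states in section 4.9.10 can be turned into responder logic plus an after-the-fact audit of responses. The sketch below is an added example, not part of the Requirements: the class, function names, finding codes and sample serials are hypothetical, answering "unknown" where no definitive response is given is this example's choice, and the ten-day limit is read as nextUpdate minus thisUpdate.

```python
from datetime import datetime, timedelta, timezone

# Section 4.9.10: "maximum expiration time of ten days" for Subscriber
# Certificates, read here as nextUpdate - thisUpdate (an interpretation).
MAX_SUBSCRIBER_VALIDITY = timedelta(days=10)


class IssuanceRecords:
    """Hypothetical in-memory stand-in for the CA's issuance database."""

    def __init__(self, issued=(), precerts=(), revoked=None):
        self.issued = set(issued)            # serials of issued Certificates
        self.precerts = set(precerts)        # serials of issued Precertificates
        self.revoked = dict(revoked or {})   # serial -> revocation time


def classify_serial(records, serial):
    """Map a requested serial number to one of the three states."""
    if serial in records.issued:
        return "assigned"
    if serial in records.precerts:
        return "reserved"
    return "unused"


def ocsp_answer(records, serial, now, validity=timedelta(days=4),
                answer_reserved=True):
    """Choose certStatus and the validity window for one request."""
    if validity > MAX_SUBSCRIBER_VALIDITY:
        raise ValueError("validity window exceeds ten days")
    state = classify_serial(records, serial)
    # "reserved" serials MAY get a definitive answer; "unused" never does.
    definitive = state == "assigned" or (state == "reserved" and answer_reserved)
    if not definitive:
        status = "unknown"       # this example's choice; never "good"
    elif serial in records.revoked:
        status = "revoked"
    else:
        status = "good"
    return {"serial": serial, "state": state, "certStatus": status,
            "thisUpdate": now, "nextUpdate": now + validity}


def audit_response(records, response):
    """Return rule violations found in an already produced response."""
    findings = []
    state = classify_serial(records, response["serial"])
    if state == "unused" and response["certStatus"] == "good":
        findings.append("good-for-unused-serial")
    if response["nextUpdate"] - response["thisUpdate"] > MAX_SUBSCRIBER_VALIDITY:
        findings.append("validity-exceeds-ten-days")
    if response["certStatus"] == "good" and response["serial"] in records.revoked:
        findings.append("good-for-revoked-serial")
    return findings


def sample_records():
    """Constructed sample data: two certificates, one revoked, one bare precert."""
    revoked_at = datetime(2022, 3, 1, tzinfo=timezone.utc)
    return IssuanceRecords(issued={0x1001, 0x1002},
                           precerts={0x1002, 0x2001},
                           revoked={0x1002: revoked_at})


if __name__ == "__main__":
    records = sample_records()
    now = datetime(2022, 3, 31, tzinfo=timezone.utc)
    for serial in (0x1001, 0x1002, 0x2001, 0x9999):
        answer = ocsp_answer(records, serial, now)
        print(hex(serial), answer["state"], answer["certStatus"])
```

Running `audit_response` over logged responder output is a cheap way to detect a responder that answers "good" for serial numbers the CA never issued.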

4.9.11. Other Forms of Revocation Advertisements Available

No stipulation.

4.9.12. Special Requirements Related to Key Compromise

See Section 4.9.1.

4.9.13. Circumstances for Suspension

The Repository MUST NOT include entries that indicate that a Certificate is suspended.

4.9.14. Who Can Request Suspension

Not applicable.

4.9.15. Procedure for Suspension Request

Not applicable.

4.9.16. Limits on Suspension Period

Not applicable.

4.10. CERTIFICATE STATUS SERVICES

4.10.1. Operational Characteristics

Revocation entries on a CRL or OCSP Response MUST NOT be removed until after the Expiry Date of the revoked Certificate.

4.10.2. Service Availability

The CA SHALL operate and maintain its CRL and OCSP capability with resources sufficient to provide a response time of ten seconds or less under normal operating conditions.

The CA SHALL maintain an online 24x7 Repository that application software can use to automatically check the current status of all unexpired Certificates issued by the CA.

The CA SHALL maintain a continuous 24x7 ability to respond internally to a high-priority Certificate Problem Report, and where appropriate, forward such a complaint to law enforcement authorities, and/or revoke a Certificate that is the subject of such a complaint.

4.10.3. Optional Features

No stipulation.

4.11. END OF SUBSCRIPTION

No stipulation.

4.12. KEY ESCROW AND RECOVERY

4.12.1. Key escrow and recovery policy and practices

Not applicable.

4.12.2. Session key encapsulation and recovery policy and practices

Not applicable.

5. MANAGEMENT, OPERATIONAL, AND PHYSICAL CONTROLS

The CA/Browser Forum’s Network and Certificate System Security Requirements are incorporated by reference as if fully set forth herein.

The CA SHALL develop, implement, and maintain a comprehensive security program designed to:

1. Protect the confidentiality, integrity, and availability of Certificate Data and Certificate Management Processes;
2. Protect against anticipated threats or hazards to the confidentiality, integrity, and availability of the Certificate Data and Certificate Management Processes;
3. Protect against unauthorized or unlawful access, use, disclosure, alteration, or destruction of any Certificate Data or Certificate Management Processes;
4. Protect against accidental loss or destruction of, or damage to, any Certificate Data or Certificate Management Processes; and
5. Comply with all other security requirements applicable to the CA by law.

The Certificate Management Process MUST include:

1. physical security and environmental controls;
2. system integrity controls, including configuration management, integrity maintenance of trusted code, and malware detection/prevention;
3. network security and firewall management, including port restrictions and IP address filtering;
4. user management, separate trusted-role assignments, education, awareness, and training; and
5. logical access controls, activity logging, and inactivity time-outs to provide individual accountability.

The CA’s security program MUST include an annual Risk Assessment that:

1. Identifies foreseeable internal and external threats that could result in unauthorized access, disclosure, misuse, alteration, or destruction of any Certificate Data or Certificate Management Processes;
2. Assesses the likelihood and potential damage of these threats, taking into consideration the sensitivity of the Certificate Data and Certificate Management Processes; and
3. Assesses the sufficiency of the policies, procedures, information systems, technology, and other arrangements that the CA has in place to counter such threats.

Based on the Risk Assessment, the CA SHALL develop, implement, and maintain a security plan consisting of security procedures, measures, and products designed to achieve the objectives set forth above and to manage and control the risks identified during the Risk Assessment, commensurate with the sensitivity of the Certificate Data and Certificate Management Processes. The security plan MUST include administrative, organizational, technical, and physical safeguards appropriate to the sensitivity of the Certificate Data and Certificate Management Processes. The security plan MUST also take into account then-available technology and the cost of implementing the specific measures, and SHALL implement a reasonable level of security appropriate to the harm that might result from a breach of security and the nature of the data to be protected.

5.1. PHYSICAL SECURITY CONTROLS

5.1.1. Site location and construction

No stipulation.

5.1.2. Physical access

No stipulation.

5.1.3. Power and air conditioning

No stipulation.

5.1.4. Water exposures

No stipulation.

5.1.5. Fire prevention and protection

No stipulation.

5.1.6. Media storage

No stipulation.

5.1.7. Waste disposal

No stipulation.

5.1.8. Off-site backup

No stipulation.

5.2. PROCEDURAL CONTROLS

5.2.1. Trusted Roles

No stipulation.

5.2.2. Number of Individuals Required per Task

The CA Private Key SHALL be backed up, stored, and recovered only by personnel in trusted roles using, at least, dual control in a physically secured environment.

5.2.3. Identification and Authentication for Trusted Roles

No stipulation.

5.2.4. Roles Requiring Separation of Duties

No stipulation.

5.3. PERSONNEL CONTROLS

5.3.1. Qualifications, Experience, and Clearance Requirements

Prior to the engagement of any person in the Certificate Management Process, whether as an employee, agent, or an independent contractor of the CA, the CA SHALL verify the identity and trustworthiness of such person.

5.3.2. Background Check Procedures

No stipulation.

5.3.3. Training Requirements and Procedures

The CA SHALL provide all personnel performing information verification duties with skills-training that covers basic Public Key Infrastructure knowledge, authentication and vetting policies and procedures (including the CA’s Certificate Policy and/or Certification Practice Statement), common threats to the information verification process (including phishing and other social engineering tactics), and these Requirements.

The CA SHALL maintain records of such training and ensure that personnel entrusted with Validation Specialist duties maintain a skill level that enables them to perform such duties satisfactorily.

The CA SHALL document that each Validation Specialist possesses the skills required by a task before allowing the Validation Specialist to perform that task.

The CA SHALL require all Validation Specialists to pass an examination provided by the CA on the information verification requirements outlined in these Requirements.

5.3.4. Retraining Frequency and Requirements

All personnel in Trusted Roles SHALL maintain skill levels consistent with the CA’s training and performance programs.

5.3.5. Job Rotation Frequency and Sequence

No stipulation.

5.3.6. Sanctions for Unauthorized Actions

No stipulation.

5.3.7. Independent Contractor Controls

The CA SHALL verify that the Delegated Third Party’s personnel involved in the issuance of a Certificate meet the training and skills requirements of Section 5.3.3 and the document retention and event logging requirements of Section 5.4.1.

5.3.8. Documentation Supplied to Personnel

No stipulation.

5.4. AUDIT LOGGING PROCEDURES

5.4.1. Types of Events Recorded

The CA and each Delegated Third Party SHALL record details of the actions taken to process a certificate request and to issue a Certificate, including all information generated and documentation received in connection with the certificate request; the time and date; and the personnel involved. The CA SHALL make these records available to its Qualified Practitioner as proof of the CA’s compliance with these Requirements.

The CA SHALL record at least the following events:

1. CA certificate and key lifecycle events, including:
   1. Key generation, backup, storage, recovery, archival, and destruction;
   2. Certificate requests, renewal, and re-key requests, and revocation;
   3. Approval and rejection of certificate requests;
   4. Cryptographic device lifecycle management events;
   5. Generation of Certificate Revocation Lists and OCSP entries;
   6. Introduction of new Certificate Profiles and retirement of existing Certificate Profiles.
2. Subscriber Certificate lifecycle management events, including:
   1. Certificate requests, renewal, and re-key requests, and revocation;
   2. All verification activities stipulated in these Requirements and the CA's Certification Practice Statement;
   3. Approval and rejection of certificate requests;
   4. Issuance of Certificates; and
   5. Generation of Certificate Revocation Lists and OCSP entries.
3. Security events, including:
   1. Successful and unsuccessful PKI system access attempts;
   2. PKI and security system actions performed;
   3. Security profile changes;
   4. Installation, update and removal of software on a Certificate System;
   5. System crashes, hardware failures, and other anomalies;
   6. Firewall and router activities; and
   7. Entries to and exits from the CA facility.

Log entries MUST include the following elements:

1. Date and time of entry;
2. Identity of the person making the journal entry; and
3. Description of the entry.

5.4.2. Frequency for Processing and Archiving Audit Logs

No stipulation.

5.4.3. Retention Period for Audit Logs

The CA SHALL retain, for at least two years:

1. CA certificate and key lifecycle management event records (as set forth in Section 5.4.1 (1)) after the later occurrence of:
   a. the destruction of the CA Private Key; or
   b. the revocation or expiration of the final CA Certificate in that set of Certificates that have an X.509v3 basicConstraints extension with the cA field set to true and which share a common Public Key corresponding to the CA Private Key;
2. Subscriber Certificate lifecycle management event records (as set forth in Section 5.4.1 (2)) after the revocation or expiration of the Subscriber Certificate.
3. Any security event records (as set forth in Section 5.4.1 (3)) after the event occurred.

5.4.4. Protection of Audit Log

No stipulation.

5.4.5. Audit Log Backup Procedures

No stipulation.

5.4.6. Audit Log Accumulation System (internal vs. external)

No stipulation.

5.4.7. Notification to Event-Causing Subject

No stipulation.

5.4.8. Vulnerability Assessments

Additionally, the CA’s security program MUST include an annual Risk Assessment that:

1. Identifies foreseeable internal and external threats that could result in unauthorized access, disclosure, misuse, alteration, or destruction of any Certificate Data or Certificate Management Processes;
2. Assesses the likelihood and potential damage of these threats, taking into consideration the sensitivity of the Certificate Data and Certificate Management Processes; and
3. Assesses the sufficiency of the policies, procedures, information systems, technology, and other arrangements that the CA has in place to counter such threats.

5.5. RECORDS ARCHIVAL

5.5.1. Types of Records Archived

No stipulation.

5.5.2. Retention Period for Archive

The CA SHALL retain all documentation relating to certificate requests and the verification thereof, and all Certificates and revocation thereof, for at least two years after any Certificate based on that documentation ceases to be valid.

5.5.3. Protection of Archive

No stipulation.

5.5.4. Archive Backup Procedures

No stipulation.

5.5.5. Requirements for Time-stamping of Records

No stipulation.

5.5.6. Archive Collection System (internal or external)

No stipulation.

5.5.7. Procedures to Obtain and Verify Archive Information

No stipulation.

5.6. KEY CHANGEOVER

No stipulation.

5.7. COMPROMISE AND DISASTER RECOVERY

5.7.1. Incident and Compromise Handling Procedures

CA organizations SHALL have an Incident Response Plan and a Disaster Recovery Plan.

The CA SHALL document business continuity and disaster recovery procedures designed to notify and reasonably protect Application Software Suppliers, Subscribers, and Relying Parties in the event of a disaster, security compromise, or business failure. The CA is not required to publicly disclose its business continuity plans but SHALL make its business continuity plan and security plans available to the CA’s auditors upon request. The CA SHALL annually test, review, and update these procedures.

The business continuity plan MUST include:

1. The conditions for activating the plan;
2. Emergency procedures;
3. Fallback procedures;
4. Resumption procedures;
5. A maintenance schedule for the plan;
6. Awareness and education requirements;
7. The responsibilities of the individuals;
8. Recovery time objective (RTO);
9. Regular testing of contingency plans;
10. The CA’s plan to maintain or restore the CA’s business operations in a timely manner following interruption to or failure of critical business processes;
11. A requirement to store critical cryptographic materials (i.e., secure cryptographic device and activation materials) at an alternate location;
12. What constitutes an acceptable system outage and recovery time;
13. How frequently backup copies of essential business information and software are taken;
14. The distance of recovery facilities to the CA’s main site; and
15. Procedures for securing its facility to the extent possible during the period of time following a disaster and prior to restoring a secure environment either at the original or a remote site.

5.7.2. Recovery Procedures if Computing Resources, Software, and/or Data Are Corrupted

No stipulation.

5.7.3. Recovery Procedures After Key Compromise

No stipulation.

5.7.4. Business Continuity Capabilities after a Disaster

No stipulation.

5.8. CA OR RA TERMINATION

No stipulation.

6. TECHNICAL SECURITY CONTROLS

6.1. KEY PAIR GENERATION AND INSTALLATION

6.1.1. Key Pair Generation

6.1.1.1. CA Key Pair Generation

For Root CA Key Pairs that are either (i) used as Root CA Key Pairs or (ii) Key Pairs generated for a subordinate CA that is not the operator of the Root CA or an Affiliate of the Root CA, the CA SHALL:

1. prepare and follow a Key Generation Script,
2. have a Qualified Practitioner witness the Root CA Key Pair generation process or record a video of the entire Root CA Key Pair generation process, and
3. have a Qualified Practitioner issue a report opining that the CA followed its key ceremony during its Key and Certificate generation process and the controls used to ensure the integrity and confidentiality of the Key Pair.

For other CA Key Pairs that are for the operator of the Root CA or an Affiliate of the Root CA, the CA SHOULD:

1. prepare and follow a Key Generation Script and
2. have a Qualified Practitioner witness the Root CA Key Pair generation process or record a video of the entire Root CA Key Pair generation process.

In all cases, the CA SHALL:

1. generate the keys in a physically secured environment as described in the CA’s Certificate Policy and/or Certification Practice Statement;
2. generate the CA keys using personnel in trusted roles under the principles of multiple person control and split knowledge;
3. generate the CA keys within cryptographic modules meeting the applicable technical and business requirements as disclosed in the CA’s Certificate Policy and/or Certification Practice Statement;
4. log its CA key generation activities; and
5. maintain effective controls to provide reasonable assurance that the Private Key was generated and protected in conformance with the procedures described in its Certificate Policy and/or Certification Practice Statement and (if applicable) its Key Generation Script.

6.1.1.2. RA Key Pair Generation

No stipulation.

6.1.1.3. Subscriber Key Pair Generation

No stipulation.

6.1.2. Private Key Delivery to Subscriber

No stipulation.

6.1.3. Public Key Delivery to Certificate Issuer

No stipulation.

6.1.4. CA Public Key Delivery to Relying Parties

No stipulation.

6.1.5. Algorithm type and key sizes

Certificates MUST meet the following requirements for algorithm type and key size.

6.1.5.1. Root CA Certificates

• Digest algorithm: SHA-256, SHA-384 or SHA-512
• Minimum RSA modulus size (bits): 2048
• ECC curve: NIST P-256, P-384, or P-521

6.1.5.2. Subordinate CA Certificates

• Digest algorithm: SHA-256, SHA-384 or SHA-512
• Minimum RSA modulus size (bits): 2048
• ECC curve: NIST P-256, P-384, or P-521

6.1.5.3. Subscriber Certificates

• Digest algorithm: SHA-256, SHA-384 or SHA-512
• Minimum RSA modulus size (bits): 2048
• ECC curve: NIST P-256, P-384, or P-521

6.1.6. Public Key Parameters Generation and Quality Checking

RSA: The CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more. Additionally, the public exponent SHOULD be in the range between 2^16+1 and 2^256-1. The modulus SHOULD also have the following characteristics: an odd number, not the power of a prime, and have no factors smaller than 752. [Source: Section 5.3.3, NIST SP 800-89].

ECC: The CA SHOULD confirm the validity of all keys using either the ECC Full Public Key Validation Routine or the ECC Partial Public Key Validation Routine. [Source: Sections 5.6.2.3.2 and 5.6.2.3.3, respectively, of NIST SP 56A: Revision 2].
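The RSA checks in section 6.1.6, together with the 2048-bit minimum from section 6.1.5, can be run on the bare integers (n, e) before a key is accepted. This is an added example, not part of the Requirements: the function names and finding codes are hypothetical, Miller-Rabin plus a perfect-power test is this example's way of approximating "not the power of a prime" (it rejects every perfect power, a superset of prime powers), and the test moduli are constructed from Mersenne primes only so their factors are known.

```python
from math import isqrt

MIN_MODULUS_BITS = 2048                  # section 6.1.5 (MUST)
E_LOW, E_HIGH = 2**16 + 1, 2**256 - 1    # section 6.1.6 (SHOULD range for e)
FACTOR_BOUND = 752                       # section 6.1.6 (SHOULD)
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def primes_below(limit):
    """All primes p < limit, by a sieve of Eratosthenes."""
    sieve = bytearray([1]) * limit
    sieve[0:2] = b"\x00\x00"
    for i in range(2, isqrt(limit) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit, i)))
    return [i for i, is_prime in enumerate(sieve) if is_prime]


SMALL_PRIMES = primes_below(FACTOR_BOUND)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; a True result is probabilistic for large n."""
    if n < 2:
        return False
    for p in MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # base a witnesses that n is composite
    return True


def iroot(n, k):
    """Floor of the k-th root of n >= 1, by integer binary search."""
    lo, hi = 1, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def is_perfect_power(n):
    """True if n == r**k for integers r >= 2 and k >= 2."""
    for k in range(2, n.bit_length() + 1):
        r = iroot(n, k)
        if r >= 2 and r ** k == n:
            return True
    return False


def check_rsa_public_key(n, e):
    """Return (errors, warnings): failed SHALL/MUST items, failed SHOULD items."""
    if n <= 0:
        raise ValueError("modulus must be a positive integer")
    errors, warnings = [], []
    if n.bit_length() < MIN_MODULUS_BITS:
        errors.append("modulus-below-2048-bits")
    if e < 3 or e % 2 == 0:
        errors.append("exponent-not-odd-and-at-least-3")
    elif not E_LOW <= e <= E_HIGH:
        warnings.append("exponent-outside-recommended-range")
    if n % 2 == 0:
        warnings.append("modulus-even")
    # Factor 2 is already reported as "modulus-even", so skip it here.
    if any(n % p == 0 for p in SMALL_PRIMES if p != 2):
        warnings.append("modulus-has-factor-below-752")
    if is_probable_prime(n) or is_perfect_power(n):
        warnings.append("modulus-prime-or-perfect-power")
    return errors, warnings


# Constructed test values. Mersenne primes give known factors; a real key must
# never use primes of special form. They only exercise the structural checks.
M521, M607, M1279, M2203 = 2**521 - 1, 2**607 - 1, 2**1279 - 1, 2**2203 - 1
SAMPLE_MODULUS = M521 * M2203     # 2724 bits, two distinct prime factors

if __name__ == "__main__":
    print(check_rsa_public_key(SAMPLE_MODULUS, 65537))
    print(check_rsa_public_key(M1279 ** 2, 3))
```

These are structural checks only: a modulus that passes them can still be weak, for example when its primes come from a faulty random number generator.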

6.1.7. Key Usage Purposes

Private Keys corresponding to Root Certificates MUST NOT be used to sign Certificates except in the following cases:

1. Self-signed Certificates to represent the Root CA itself;
2. Certificates for Subordinate CAs and Cross Certificates which contain id-kp-BrandIndicatorforMessageIdentification (OID: 1.3.6.1.5.5.7.3.31) as the sole KeyPurposeId in the extendedKeyUsage extension;
3. Certificates for infrastructure purposes (administrative role certificates, internal CA operational device certificates); and
4. Certificates for OCSP Response verification.

Private Keys corresponding to Subordinate CA or Cross Certificates MUST NOT sign Certificates unless the Certificate to be signed contains one of the following OIDs as the sole KeyPurposeId in the extendedKeyUsage extension:

a. id-kp-BrandIndicatorforMessageIdentification (OID: 1.3.6.1.5.5.7.3.31); or
b. id-kp-OCSPSigning (OID: 1.3.6.1.5.5.7.3.9)

6.2. PRIVATE KEY PROTECTION AND CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS

The CA SHALL implement physical and logical safeguards to prevent unauthorized certificate issuance. Protection of the CA Private Key outside the validated system or device specified above MUST consist of physical security, encryption, or a combination of both, implemented in a manner that prevents disclosure of the CA Private Key. The CA SHALL encrypt its Private Key with an algorithm and key-length that, according to the state of the art, are capable of withstanding cryptanalytic attacks for the residual life of the encrypted key or key part.

6.2.1. Cryptographic Module Standards and Controls

No stipulation.

6.2.2. Private Key (n out of m) Multi-person Control

No stipulation.

6.2.3. Private Key Escrow

No stipulation.

6.2.4. Private Key Backup

See Section 5.2.2.

6.2.5. Private Key Archival

Parties other than the Subordinate CA SHALL NOT archive the Subordinate CA Private Keys without authorization by the Subordinate CA.

6.2.6. Private Key Transfer into or from a Cryptographic Module

If the Issuing CA generated the Private Key on behalf of the Subordinate CA, then the Issuing CA SHALL encrypt the Private Key for transport to the Subordinate CA. If the Issuing CA becomes aware that a Subordinate CA’s Private Key has been communicated to an unauthorized person or an organization not affiliated with the Subordinate CA, then the Issuing CA SHALL revoke all certificates that include the Public Key corresponding to the communicated Private Key.

6.2.7. Private Key Storage on Cryptographic Module

The CA SHALL protect its Private Key in a system or device that has been validated as meeting at least FIPS 140 level 3 or an appropriate Common Criteria Protection Profile or Security Target, EAL 4 (or higher), which includes requirements to protect the Private Key and other assets against known threats.

6.2.8. Activating Private Keys

No stipulation.

6.2.9. Deactivating Private Keys

No stipulation.

6.2.10. Destroying Private Keys

No stipulation.

6.2.11. Cryptographic Module Capabilities

No stipulation.

6.3. OTHER ASPECTS OF KEY PAIR MANAGEMENT

6.3.1. Public Key Archival

No stipulation.

6.3.2. Certificate Operational Periods and Key Pair Usage Periods

The maximum validity period MUST NOT exceed 398 days. If an Applicant is a licensee of a Registered Mark or Word Mark rather than the Registrant, the expiration date of the certificate SHALL have an expiration date that is no later than the final expiration date of the license held by the Applicant to use the Registered Mark or Word Mark, which SHALL be confirmed by the CA during the verification process.

6.4. ACTIVATION DATA

6.4.1. Activation data generation and installation

No stipulation.

6.4.2. Activation data protection

No stipulation.

6.4.3. Other aspects of activation data

No stipulation.

6.5. COMPUTER SECURITY CONTROLS

6.5.1. Specific Computer Security Technical Requirements

The CA SHALL enforce multi-factor authentication for all accounts capable of directly causing certificate issuance.

6.5.2. Computer Security Rating

No stipulation.

6.6. LIFE CYCLE TECHNICAL CONTROLS

6.6.1. System development controls

No stipulation.

6.6.2. Security management controls

No stipulation.

6.6.3. Life cycle security controls

No stipulation.

6.7. NETWORK SECURITY CONTROLS

No stipulation.

6.8. TIME-STAMPING

No stipulation.

7. CERTIFICATE, CRL, AND OCSP PROFILES

7.1. CERTIFICATE PROFILE

Verified Mark Certificates SHALL comply with the Verified Mark Certificate profile requirements set out in this section. CAs SHALL only issue Verified Mark Certificates from a dedicated sub-CA that contains the EKU specified in section 7.1.2.2(f). The CA SHALL also meet the technical requirements set forth in Section 2.2 – Publication of Information, Section 6.1.5 – Key Sizes, and Section 6.1.6 – Public Key Parameters Generation and Quality Checking. CAs SHALL generate non-sequential Certificate serial numbers greater than zero (0) containing at least 64 bits of output from a CSPRNG.

7.1.1. Version Number(s)

Certificates MUST be of type X.509 v3.

7.1.2. Certificate Content and Extensions; Application of RFC 5280

This section specifies the additional requirements for Certificate content and extensions for Certificates.

7.1.2.1. Root CA Certificate

a. basicConstraints

This extension MUST appear as a critical extension. The cA field MUST be set true. The pathLenConstraint field SHOULD NOT be present.

b. keyUsage

This extension MUST be present and MUST be marked critical. Bit positions for keyCertSign and cRLSign MUST be set. If the Root CA Private Key is used for signing OCSP responses, then the digitalSignature bit MUST be set.

c. certificatePolicies

This extension SHOULD NOT be present.

d. extendedKeyUsage

This extension MUST NOT be present.

7.1.2.2. Subordinate CA Certificate

a. certificatePolicies

This extension MUST be present and SHOULD NOT be marked critical. The CA MUST include Certificate Policy OIDs in Subordinate CA Certificates, as specified from one of the following two options:

1) Both of the following OIDs, as specified:

   a. The first certificate policies value contains an identifier that names the CA’s Certification Practice Statement (CPS) applicable to the Verified Mark Certificate, together with a URL for the web page where the Certification Practice Statement can be publicly reviewed. The CA CPS identifier is the Policy Identifier of the certificate policies extension. The CA CPS URL is appended as a CPS pointer qualifier.

   b. The second certificate policies value contains a Verified Mark Certificate General Policy Identifier (1.3.6.1.4.1.53087.1.1) which indicates adherence to and compliance with these VMC Requirements and the VMC Terms. This identifier is assigned to the Policy Identifier of the certificate policies extension.

2) anyPolicy (2.5.29.32.0). The anyPolicy Policy OID MUST NOT be included if the Subordinate CA is not controlled by the Root CA.

b. cRLDistributionPoints

This extension MUST be present and MUST NOT be marked critical. It MUST contain the HTTP URL of the CA’s CRL service.

c. authorityInformationAccess

This extension SHOULD be present and MUST NOT be marked critical. It SHOULD contain the HTTP URL of the Issuing CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2). It MAY contain the HTTP URL of the Issuing CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1).

d. basicConstraints

This extension MUST be present and MUST be marked critical. The cA field MUST be set true. The pathLenConstraint field MAY be present.

e. keyUsage

This extension MUST be present and MUST be marked critical. Bit positions for keyCertSign and cRLSign MUST be set. If the Subordinate CA Private Key is used for signing OCSP responses, then the digitalSignature bit MUST be set.

f. extkeyUsage

The Extended Key Usage extension [RFC5280] MUST be present and MUST contain id-kp-BrandIndicatorforMessageIdentification (OID: 1.3.6.1.5.5.7.3.31) as specified in Section 7 of the IETF Internet-Draft at https://tools.ietf.org/html/draft-chuang-bimi-certificate-00. This indicates the application of the Verified Mark Certificate Profile. Other KeyPurposeIds MUST NOT be included. This extension SHOULD be marked non-critical.

7.1.2.3. Subscriber Certificate

a. certificatePolicies

This extension MUST be present and SHOULD NOT be marked critical.

certificatePolicies:policyIdentifier (Required)

Each Verified Mark Certificate issued by the CA to a Subscriber SHALL be identified by the presence of the following Verified Mark Certificate OIDs in the certificate’s certificatePolicies extension that:

(i) indicate which CA policy statement relates to that Certificate,
(ii) assert the CA's adherence to and compliance with these VMC Requirements and assert the requirement of adherence to and compliance with the VMC Terms as a condition of issuance of the Verified Mark Certificate.

The first certificate policies value contains an identifier that names the CA’s Certification Practice Statement (CPS) applicable to the Verified Mark Certificate, together with a URL for the web page where the Certification Practice Statement can be publicly reviewed. The CA CPS identifier is the Policy Identifier of the certificate policies extension. The CA CPS URL is appended as a CPS pointer qualifier. The second certificate policies value contains a Verified Mark Certificate General Policy Identifier (1.3.6.1.4.1.53087.1.1) which indicates adherence to and compliance with these VMC Requirements and the VMC Terms. This identifier is assigned to the Policy Identifier of the certificate policies extension.

b. cRLDistributionPoints

This extension MUST be present. It MUST NOT be marked critical, and it MUST contain the HTTP URL of the CA’s CRL service.

c. authorityInformationAccess

This extension SHOULD be present. It MUST NOT be marked critical, and it SHOULD contain the HTTP URL of the Issuing CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2). It MAY contain the HTTP URL of the Issuing CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1).

d. basicConstraints (optional)

The cA field MUST NOT be true.

e. keyUsage (optional)

If present, bit positions for keyCertSign and cRLSign MUST NOT be set.

f. extKeyUsage (required)

The Extended Key Usage extension [RFC5280] MUST contain id-kp-BrandIndicatorforMessageIdentification (OID: 1.3.6.1.5.5.7.3.31) as specified in Section 7 of the IETF Internet-Draft at https://tools.ietf.org/html/draft-chuang-bimi-certificate-00. This indicates the application of the Verified Mark Certificate Profile. Other KeyPurposeIds MUST NOT be included. This is REQUIRED, and the extension SHOULD be marked non-critical.

g. signedCertificateTimestampList (OID: 1.3.6.1.4.1.11129.2.4.2)

Verified Mark Certificates pre-certificates MUST be logged to at least one of well-known Certificate Transparency (CT) logs [RFC6962] which then provide Signed Certificate Timestamps (SCT). The SCT must be added to the Certificate Transparency extension as a SignedCertificateTimestampList encoded as an octet string [RFC6962 section 3.3]. The Authindicators Working Group maintains a list of acceptable CT logs, and the current list is attached as Appendix F. This is REQUIRED, and SHOULD NOT be marked critical.

h. logotype extension (OID: 1.3.6.1.5.5.7.1.12)

The extension MUST:
• contain subjectLogo with a LogotypeData element [RFC3709] containing the Mark Representation asserted by the Subject of the Verified Mark Certificate and verified by the CA.
• embed the image element in “data:” URL as defined in RFC6170 section 4.
• The Mark Representation MUST:
  • be an embedded secured SVG image [RFC6170]
  • use the SVG Tiny PS profile to secure the SVG
  • be compressed
  • follow other requirements set forth in [RFC6170 section 5.2]

The Mark Representation MUST NOT contain <script> tags. Additionally the Authindicators Working Group has published a SVG Tiny PS Guidelines document as well as a RNC tool to help validate the SVG. The VMC SVG is also required to follow those specifications. The logotype extension is REQUIRED, and SHOULD be marked non-critical. The CA SHALL verify that the Applicant provided Mark Representation meets this secure profile.
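
A pre-issuance check of the Mark Representation rules in item h, as an added example that is not part of the Requirements or of the Working Group's RNC tool. It assumes the image arrives as a `data:image/svg+xml;base64,` URL carrying gzip-compressed SVG, that the Tiny PS profile is declared with `baseProfile="tiny-ps"` on the root element, and a local 64 KiB size cap; the finding codes and sample images are constructed for the example.

```python
import base64
import binascii
import gzip
import io
import re
import xml.etree.ElementTree as ET
import zlib

DATA_URL_PREFIX = "data:image/svg+xml;base64,"  # assumed media type and encoding
SVG_NS = "http://www.w3.org/2000/svg"
MAX_SVG_BYTES = 64 * 1024                       # assumed local cap, not from the page

# Constructed sample image used to exercise the checks.
GOOD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" version="1.2" '
            b'baseProfile="tiny-ps" viewBox="0 0 10 10"><title>Example</title>'
            b'<rect width="10" height="10" fill="#036"/></svg>')


def make_data_url(svg_bytes, compress=True):
    """Build a constructed sample data: URL (gzip then base64)."""
    payload = gzip.compress(svg_bytes) if compress else svg_bytes
    return DATA_URL_PREFIX + base64.b64encode(payload).decode("ascii")


def check_mark_representation(data_url):
    """Return finding codes for a logotype data: URL; [] means all checks passed."""
    if not data_url.startswith(DATA_URL_PREFIX):
        return ["not-svg-data-url"]
    try:
        raw = base64.b64decode(data_url[len(DATA_URL_PREFIX):], validate=True)
    except (binascii.Error, ValueError):
        return ["bad-base64"]
    if raw[:2] != b"\x1f\x8b":                  # gzip magic: "be compressed"
        return ["not-compressed"]
    try:
        with gzip.GzipFile(fileobj=io.BytesIO(raw)) as gz:
            svg = gz.read(MAX_SVG_BYTES + 1)    # bounded read against gzip bombs
    except (OSError, EOFError, zlib.error):
        return ["bad-gzip"]
    if len(svg) > MAX_SVG_BYTES:
        return ["too-large"]
    # Refuse DTDs and entity declarations before the XML parser sees them.
    if re.search(rb"<!\s*(DOCTYPE|ENTITY)", svg):
        return ["dtd-or-entity"]
    try:
        root = ET.fromstring(svg)
    except ET.ParseError:
        return ["not-well-formed"]

    findings = []
    if root.tag != "{%s}svg" % SVG_NS:
        findings.append("root-not-svg")
    if root.get("baseProfile") != "tiny-ps":
        findings.append("not-tiny-ps")
    # "MUST NOT contain <script> tags": match on local name in any namespace.
    if any(el.tag.rsplit("}", 1)[-1].lower() == "script" for el in root.iter()):
        findings.append("script-element")
    return findings
```

An empty result covers only the rules stated in this item; the SVG Tiny PS Guidelines and RFC 6170 section 5.2 carry further requirements.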

7.1.2.4. All Certificates

All other fields and extensions MUST be set in accordance with RFC 5280. The CA SHALL NOT issue a Certificate that contains a keyUsage flag, extendedKeyUsage value, Certificate extension, or other data not specified in section 7.1.2.1, 7.1.2.2, or 7.1.2.3 unless the CA is aware of a reason for including the data in the Certificate. CAs SHALL NOT issue a Certificate with:

a. Extensions that do not apply in the context of the public Internet (such as an extendedKeyUsage value for a service that is only valid in the context of a privately managed network), unless:
   i. such value falls within an OID arc for which the Applicant demonstrates ownership, or
   ii. the Applicant can otherwise demonstrate the right to assert the data in a public context; or

b. semantics that, if included, will mislead a Relying Party about the certificate information verified by the CA (such as including extendedKeyUsage value for a smart card, where the CA is not able to verify that the corresponding Private Key is confined to such hardware due to remote issuance).

7.1.2.5. Application of RFC 5280

For purposes of clarification, a Precertificate, as described in RFC 6962 – Certificate Transparency, SHALL not be considered to be a “certificate” subject to the requirements of RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile under these Requirements.

7.1.3. Algorithm Object Identifiers

CAs MUST issue Certificates using only those algorithm identifiers listed in Section 6.1.5.

7.1.4. Name Forms

7.1.4.1. Issuer Information

The content of the Certificate Issuer Distinguished Name field MUST match the Subject DN of the Issuing CA to support Name chaining as specified in RFC 5280, section 4.1.2.4.

7.1.4.2. Subject Information – Subscriber Certificates

By issuing the Certificate, the CA represents that it followed the procedure set forth in its Certificate Policy and/or Certification Practice Statement to verify that, as of the Certificate’s issuance date, all of the Subject Information was accurate. CAs SHALL NOT include a Domain Name in a Subject attribute except as specified in Section 3.2.2.4 or Section 3.2.2.5. Subject attributes MUST NOT contain only metadata such as '.', '-', and ' ' (i.e. space) characters, and/or any other indication that the value is absent, incomplete, or not applicable.

7.1.4.2.1. Subject Alternative Name Extension

Required
Contents: This extension MUST contain at least one entry. Each entry MUST be a dNSName containing the Fully-Qualified Domain Name. The CA MUST confirm that the Applicant controls the Fully-Qualified Domain Name or has been granted the right to use it by the Domain Name Registrant, as appropriate. CAs SHALL NOT issue certificates with a subjectAlternativeName extension containing an Internal Name. Entries in the dNSName MUST be in the "preferred name syntax", as specified in RFC 5280, and thus MUST NOT contain underscore characters ("_").

7.1.4.2.2. Subject Distinguished Name Fields

a. Certificate Field: subject:commonName (OID 2.5.4.3)

Required/Optional: Deprecated (Discouraged, but not prohibited)
Contents: The contents MUST either be the same as the Subject Organization Name defined in section 7.1.4.4.2(b), or the Word Mark field defined in section 7.1.4.4.2(p).

b. Certificate Field: subject:organizationName (OID 2.5.4.10)

Required
Contents: This field MUST contain the Subject’s full legal organization name as listed in the official records of the Incorporating or Registration Agency in the Subject’s Jurisdiction of Incorporation or Registration or as otherwise verified by the CA as provided herein. A CA MAY abbreviate the organization prefixes or suffixes in the organization name, e.g., if the official record shows “Company Name Incorporated” the CA MAY include “Company Name, Inc.”

When abbreviating a Subject’s full legal name as allowed by this subsection, the CA MUST use abbreviations that are not misleading in the Jurisdiction of Incorporation or Registration. In addition, an assumed name or DBA name used by the Subject MAY be included at the beginning of this field, provided that it is followed by the full legal organization name in parenthesis. If the combination of names or the organization name by itself exceeds 64 characters, the CA MAY abbreviate parts of the organization name, and/or omit non-material words in the organization name in such a way that the text in this field does not exceed the 64-character limit; provided that the CA checks this field in accordance with section 3.2 and a Relying Party will not be misled into thinking that they are dealing with a different organization. In cases where this is not possible, the CA MUST NOT issue the Verified Mark Certificate.

c. Certificate Field: Number and street: subject:streetAddress (OID: 2.5.4.9)

Optional
Contents: The subject:streetAddress field MUST contain the Subject’s street address information as verified under Section 3.2.

d. Certificate Field: subject:localityName (OID: 2.5.4.7)

Required if the subject:stateOrProvinceName field is absent. Optional if the subject:stateOrProvinceName field is present.
Contents: If present, the subject:localityName field MUST contain the Subject’s locality information as verified under Section 3.2. If the subject:countryName field specifies the ISO 3166-1 user-assigned code of XX in accordance with Section 7.1.4.2.2(g), the localityName field MAY contain the Subject’s locality and/or state or province information as verified under Section 3.2.2.1.

e. Certificate Field: subject:stateOrProvinceName (OID: 2.5.4.8)

Required if the subject:localityName field is absent. Optional if the subject:localityName field is present.
Contents: If present, the subject:stateOrProvinceName field MUST contain the Subject’s state or province information as verified under Section 3.2. If the subject:countryName field specifies the ISO 3166-1 user-assigned code of XX in accordance with Section 7.1.4.2.2(g), the subject:stateOrProvinceName field MAY contain the full name of the Subject’s country information as verified under Section 3.2.2.1.

f. Certificate Field: subject:postalCode (OID: 2.5.4.17)

Optional
Contents: The subject:postalCode field MUST contain the Subject’s zip or postal information as verified under Section 3.2.2.1.

g. Certificate Field: subject:countryName (OID: 2.5.4.6)

Required
Contents: The subject:countryName MUST contain the two-letter ISO 3166-1 country code associated with the location of the Subject verified under Section 3.2.2.1. If a Country is not represented by an official ISO 3166-1 country code, the CA MAY specify the ISO 3166-1 user-assigned code of XX indicating that an official ISO 3166-1 alpha-2 code has not been assigned.

h. Certificate Field: subject:organizationalUnitName (OID: 2.5.4.11)

Optional
The OrganizationalUnitName field specifies an organizational unit. It identifies an organizational unit with which the certificate is affiliated. The designated organizational unit is understood to be part of an organization designated by an organizationName field. The value for OrganizationalUnitName is a string chosen by the organization of which it is part (e.g., OU = "Technology Division"). See ISO/IEC 9594-6:2014 (E) Rec. ITU-T X.520 (10/2012).

i. Certificate Field: subject:businessCategory (OID: 2.5.4.15)

Required
Contents: This field MUST contain one of the following strings: "Private Organization", "Government Entity", "Business Entity", or "Non-Commercial Entity" depending upon whether the Subject qualifies under the terms of Section 3.2.11,2,3, or 4 of these Requirements, respectively.

j. Certificate fields:

Locality (if required): subject:jurisdictionLocalityName (OID: 1.3.6.1.4.1.311.60.2.1.1)

State or province (if required): subject:jurisdictionStateOrProvinceName (OID: 1.3.6.1.4.1.311.60.2.1.2)

Country: subject:jurisdictionCountryName (OID: 1.3.6.1.4.1.311.60.2.1.3)

Required
Contents: These fields MUST NOT contain information that is not relevant to the level of the Incorporating Agency or Registration Agency. For example, the Jurisdiction of Incorporation for an Incorporating Agency or Jurisdiction of Registration for a Registration Agency that operates at the country level MUST include the country information but MUST NOT include the state or province or locality information. Similarly, the jurisdiction for the applicable Incorporating Agency or Registration Agency at the state or province level MUST include both country and state or province information, but MUST NOT include locality information. And, the jurisdiction for the applicable Incorporating Agency or Registration Agency at the locality level MUST include the country and state or province information, where the state or province regulates the registration of the entities at the locality level, as well as the locality information. Country information MUST be specified using the applicable ISO country code. State or province or locality information (where applicable) for the Subject’s Jurisdiction of Incorporation or Registration MUST be specified using the full name of the applicable jurisdiction.

k. Certificate field: Subject:serialNumber (OID: 2.5.4.5)

Required
Contents: For Private Organizations, this field MUST contain the Registration (or similar) Number assigned to the Subject by the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration, as appropriate. If the Jurisdiction of Incorporation or Registration does not provide a Registration Number, then the date of Incorporation or Registration SHALL be entered into this field in any one of the common date formats. For Government Entities that do not have a Registration Number or readily verifiable date of creation, the CA SHALL enter appropriate language to indicate that the Subject is a Government Entity. For Business Entities, the Registration Number that was received by the Business Entity upon government registration SHALL be entered in this field. For those Business Entities that register with an Incorporating Agency or Registration Agency in a jurisdiction that does not issue numbers pursuant to government registration, the date of the registration SHALL be entered into this field in any one of the common date formats.

l. Certificate Field: Subject:legalEntityIdentifier (OID: 1.3.6.1.4.1.53087.1.5)

Optional
Contents: Contains a 20-character alphanumeric LEI string from a valid registration. The validation process is as follows:

1) This information SHALL be validated by matching the organization name and registration number found in the Global LEI Index against the Subject Organization Name Field (see Verified Mark Requirements Section 7.1.4.4.2(b)) and Subject Serial Number Field (see Verified Mark Requirements Section 7.1.4.4.2(k)) within the context of the subject’s jurisdiction as specified in Verified Mark Requirements Section 7.1.4.4.2(j).

2) The address information from Verified Mark validation SHALL be compared to the Headquarters Address information in the LEI record in order to detect potential matching errors or errors in the registration information. If the addresses do not match, the CA will attempt to validate the address found in the LEI record as a confirmed office location for the Subscriber, if possible.

3) The CA SHALL verify that the ValidationSources field of the associated LEI record contains the designation FULLY_CORROBORATED before including an LEI in a VMC.

m. Certificate field: Subject:trademarkCountryOrRegionName (OID: 1.3.6.1.4.1.53087.1.3)

Required if the Certificate contains a Mark verified in accordance with Section 3.2.16.1; Prohibited otherwise
Contents: This string value identifies the country or region of the Trademark Office that registered the Registered Mark as a WIPO ST.3 two letter country and intergovernmental/regional agency code (see list at http://www.wipo.int/export/sites/www/standards/en/pdf/03-03-01.pdf). Regional agencies such as the African Regional Intellectual Property Organization (ARIPO) (AP), Benelux Office for Intellectual Property (BOIP) (BX), European Union Intellectual Property Office (EUIPO) (EM), and African Intellectual Property Organization (OA) SHALL be encoded using their 2-letter codes in this field.

n. Certificate field: Subject:trademarkOfficeName (OID: 1.3.6.1.4.1.53087.1.2)

Required if the Certificate contains a Mark verified in accordance with Section 3.2.16.1 and the applicable country/region has more than one national/regional intellectual property agency where trademarks can be registered; optional if the Certificate otherwise contains a Mark verified in accordance with Section 3.2.16.1
Contents: This string value identifies the Trademark Office by inserting the URL listed in the “Website” column or the Trademark Office name listed in the “Office” column in the WIPO directory of country and regional intellectual property agencies at https://www.wipo.int/directory/en/urls.jsp for the Trademark Office that registered the Registered Mark included in the Verified Mark Certificate. Effective 2022-07-01, the Name for the Trademark Office SHALL be encoded in this field and the URL for the Trademark Office SHALL NOT be encoded in this field.

o. Certificate field: Subject:trademarkRegistration (OID: 1.3.6.1.4.1.53087.1.4)

Required if the Certificate contains a Mark verified in accordance with Section 3.2.16.1; Prohibited otherwise
Contents: This string value contains the registration number given by the Trademark Office to identify the Registered Mark. This field is REQUIRED.

p. Certificate field: Subject:wordMark (OID: 1.3.6.1.4.1.53087.1.6)

Optional
Contents: Contains a Word Mark or the word(s) included in a Combined Mark.

q. Certificate field: Subject:organizationIdentifier (OID: 2.5.4.97)

Optional
Contents: If present, this field MUST contain a Registration Reference for a Legal Entity assigned in accordance to the identified Registration Scheme. The organizationIdentifier MUST be encoded as a PrintableString or UTF8String. The Registration Scheme MUST be identified using the following structure in the presented order:

• 3 character Registration Scheme identifier;
• 2 character ISO 3166 country code for the nation in which the Registration Scheme is operated, or if the scheme is operated globally ISO 3166 code "XG" SHALL be used;
• For the NTR Registration Scheme identifier, if required under Section 9.2.4, a 2 character ISO 3166-2 identifier for the subdivision (state or province) of the nation in which the Registration Scheme is operated, preceded by plus "+" (0x2B (ASCII), U+002B (UTF-8));
• a hyphen-minus "-" (0x2D (ASCII), U+002D (UTF-8));
• Registration Reference allocated in accordance with the identified Registration Scheme

Note: Registration References MAY contain hyphens, but Registration Schemes, ISO 3166 country codes, and ISO 3166-2 identifiers do not. Therefore if more than one hyphen appears in the structure, the leftmost hyphen is a separator, and the remaining hyphens are part of the Registration Reference. As in section 7.1.4.4.2(j), the specified location information MUST match the scope of the registration being referenced.

Examples:
• NTRGB-12345678 (NTR scheme, Great Britain, Unique Identifier at Country level is 12345678)
• NTRUS+CA-12345678 (NTR Scheme, United States - California, Unique identifier at State level is 12345678)
• VATDE-123456789 (VAT Scheme, Germany, Unique Identifier at Country Level is 12345678)
• PSDBE-NBB-1234.567.890 (PSD Scheme, Belgium, NCA's identifier is NBB, Subject Unique Identifier assigned by the NCA is 1234.567.890)

Registration Schemes listed in Appendix J are currently recognized as valid under these guidelines. The CA SHALL:

1. confirm that the organization represented by the Registration Reference is the same as the organization named in the organizationName field as specified in Section 7.1.4.4.2(b) within the context of the subject’s jurisdiction as specified in Section 7.1.4.4.2(j);

2. further verify the Registration Reference matches other information verified in accordance with section 3.2;

3. take appropriate measures to disambiguate between different organizations as described in Appendix J for each Registration Scheme;

4. Apply the validation rules relevant to the Registration Scheme as specified in Appendix J.
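
A parser for the organizationIdentifier structure in item q, as an added example that is not part of the Requirements. It implements only the syntax stated above (leftmost hyphen as separator, "+" subdivision allowed only for NTR); whether the scheme is recognized is an Appendix J question and is not checked. The type and function names are chosen for this example, and subdivision codes are assumed to be upper-case letters or digits.

```python
import re
from typing import NamedTuple, Optional


class OrganizationIdentifier(NamedTuple):
    scheme: str                  # 3 character Registration Scheme identifier
    country: str                 # 2 character ISO 3166 code, or "XG" for global
    subdivision: Optional[str]   # 2 character ISO 3166-2 identifier (NTR only)
    reference: str               # Registration Reference, may contain hyphens


# Everything left of the separator: scheme, country, optional "+subdivision".
# Assumption: subdivision identifiers are upper-case letters or digits.
PREFIX_RE = re.compile(r"([A-Z]{3})([A-Z]{2})(?:\+([A-Z0-9]{2}))?")


def parse_organization_identifier(value):
    """Parse an organizationIdentifier string or raise ValueError."""
    # Schemes, country codes and subdivision codes never contain hyphens, so
    # the leftmost hyphen is the separator and the rest is the reference.
    head, separator, reference = value.partition("-")
    if not separator:
        raise ValueError("missing '-' separator")
    if not reference or reference != reference.strip():
        raise ValueError("empty or whitespace-padded Registration Reference")
    match = PREFIX_RE.fullmatch(head)
    if match is None:
        raise ValueError("prefix is not <scheme><country>[+<subdivision>]")
    scheme, country, subdivision = match.groups()
    if subdivision is not None and scheme != "NTR":
        raise ValueError("subdivision is only defined for the NTR scheme")
    return OrganizationIdentifier(scheme, country, subdivision, reference)


def format_organization_identifier(parsed):
    """Inverse of parse_organization_identifier, for round-trip checks."""
    subdivision = "+" + parsed.subdivision if parsed.subdivision else ""
    return f"{parsed.scheme}{parsed.country}{subdivision}-{parsed.reference}"


def is_valid_organization_identifier(value):
    """True if the string follows the structure; False otherwise."""
    try:
        parse_organization_identifier(value)
    except ValueError:
        return False
    return True
```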

r. Certificate field: Subject:markType (OID: 1.3.6.1.4.1.53087.1.13)

Optional for Certificates issued prior to 2022-07-01 that contain Marks verified in accordance with Section 3.2.16.1; Required otherwise
Contents: If the Certificate contains a Mark verified in accordance with Section 3.2.16.1, then this field MUST contain the string “Registered Mark”. If the Certificate contains a Mark verified in accordance with Section 3.2.16.2, then this field MUST contain the string “Government Mark”. Any other values MUST NOT be included.

s. Certificate fields:

Locality (if required): subject:statuteLocalityName (OID: 1.3.6.1.4.1.53087.3.4)

State or province (if required): subject:statuteStateOrProvinceName (OID: 1.3.6.1.4.1.53087.3.3)

Country: subject:statuteCountryName (OID: 1.3.6.1.4.1.53087.3.2)

Required if the Certificate contains a Mark verified in accordance with Section 3.2.16.2; Prohibited otherwise
Contents: Certificates MUST NOT contain these fields unless they are relevant to the level of the Government Entity or Non-Commercial Entity (International Organization) that established the Government Mark through statute, regulation, treaty, or government action. For example, the jurisdiction for a Government Entity or Non-Commercial Entity (International Organization) that operates at the country level MUST include the statuteCountry field but MUST NOT include the statuteStateOrProvince and statuteLocality fields. Similarly, the jurisdiction for the applicable Government Entity or Non-Commercial Entity (International Organization) at the state or province level MUST include both statuteCountry and statuteStateOrProvince fields but MUST NOT include the statuteLocality field. And, the jurisdiction for the applicable Government Entity or Non-Commercial Entity (International Organization) at the locality level MUST include the statuteCountry and statuteStateOrProvince fields, where the state or province regulates the registration of the entities at the locality level, as well as the statuteLocality field. statuteCountry field values MUST be specified using the applicable ISO country code. statuteStateOrProvince and statuteLocality field values (where applicable) MUST be specified using the full name of the applicable jurisdiction.

t. Certificate field: Subject:statuteCitation (OID: 1.3.6.1.4.1.53087.3.5)

Required if the Certificate contains a Mark verified in accordance with Section 3.2.16.2; Prohibited otherwise
Contents: If the Certificate contains a Mark verified in accordance with Section 3.2.16.2, then this field MUST include the official statute, regulation, treaty, or government action by which the Government Mark was granted or claimed, as confirmed by the CA. The field may contain common abbreviations, and SHOULD conform, if possible, to applicable legal guidelines in the jurisdiction for how such official statutes, regulations, or government actions are normally cited (e.g., “The Bluebook: A Uniform System of Citation” or other similar standard system of citation.) In addition, the CA MAY include brief explanatory text to assist Relying Parties in locating the official statute, regulation, treaty, or government action by which the Government Mark was granted or claimed.

u. Certificate field: Subject:statuteURL (OID: 1.3.6.1.4.1.53087.3.6)

Optional if the Certificate contains a Mark verified in accordance with Section 3.2.16.2; Prohibited otherwise
Contents: If present, this field MUST contain a HTTP/HTTPS URL where the official statute, regulation, treaty, or government action by which the Government Mark was granted or claimed can be found.

v. Other Subject Attributes

Other attributes MAY be present within the subject field. If present, other attributes MUST contain information that has been verified by the CA.

7.1.4.3. Subject Information – Root Certificates and Subordinate CA Certificates

By issuing a Subordinate CA Certificate, the CA represents that it followed the procedure set forth in its Certificate Policy and/or Certification Practice Statement to verify that, as of the Certificate’s issuance date, all of the Subject Information was accurate.

7.1.4.3.1. Subject Distinguished Name Fields

a. Certificate Field: subject:commonName (OID 2.5.4.3)

Required
Contents: This field MUST be present and the contents SHOULD be an identifier for the certificate such that the certificate's Name is unique across all certificates issued by the issuing certificate.

b. Certificate Field: subject:organizationName (OID 2.5.4.10)

Required
Contents: This field MUST be present and the contents MUST contain either the Subject CA’s name as verified under Section 3.2. The CA may include information in this field that differs slightly from the verified name, such as common variations or abbreviations, provided that the CA documents the difference and any abbreviations used are locally accepted abbreviations; e.g., if the official record shows “Company Name Incorporated”, the CA MAY use “Company Name Inc.” or “Company Name”.

c. Certificate Field: subject:countryName (OID: 2.5.4.6)

Required
Contents: This field MUST contain the two-letter ISO 3166-1 country code for the country in which the CA’s place of business is located.

7.1.5. Name Constraints

CAs MUST NOT include the nameConstraints extension in Certificates.

7.1.6. Certificate Policy Object Identifier

7.1.6.1. Root CA Certificates

A Root CA Certificate SHOULD NOT contain the certificatePolicies extension.

7.1.6.2. Subordinate CA Certificates

As specified in 7.1.2.2(a).

7.1.6.3. Subscriber Certificates

As specified in 7.1.2.3(a).

7.1.7. Usage of Policy Constraints Extension

No stipulation.

7.1.8. Policy Qualifiers Syntax and Semantics

No stipulation.

7.1.9. Processing Semantics for the Critical Certificate Policies Extension

No stipulation.

7.2. CRL PROFILE

7.2.1. Version number(s)

No stipulation.

7.2.2. CRL and CRL entry extensions

No stipulation.

7.3. OCSP PROFILE

7.3.1. Version number(s)

No stipulation.

7.3.2. OCSP extensions

No stipulation.

8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS

The CA SHALL at all times:

1. Issue Certificates and operate its PKI in accordance with all law applicable to its business and the Certificates it issues in every jurisdiction in which it operates;
2. Comply with these Requirements;
3. Comply with the audit requirements set forth in this section; and
4. Be licensed as a CA in each jurisdiction where it operates, if licensing is required by the law of such jurisdiction for the issuance of Certificates.

8.1. FREQUENCY OR CIRCUMSTANCES OF ASSESSMENT

The period during which the CA issues Certificates SHALL be divided into an unbroken sequence of audit periods. An audit period MUST NOT exceed one year in duration.

8.2. IDENTITY/QUALIFICATIONS OF ASSESSOR

The CA’s audit SHALL be performed by a Qualified Practitioner. A Qualified Practitioner means a natural person, Legal Entity, or group of natural persons or Legal Entities that collectively possess the following qualifications and skills:

1. Independence from the subject of the audit;
2. The ability to conduct an audit that addresses the criteria specified in an Eligible Audit Scheme (see Section 8.4);
3. Employs individuals who have proficiency in examining Public Key Infrastructure technology, information security tools and techniques, information technology and security auditing, and the third-party attestation function;
4. Qualified Practitioner enrolled in the WebTrust program;
5. Bound by law, government regulation, or professional code of ethics; and
6. Maintains Professional Liability/Errors & Omissions insurance with policy limits of at least one million US dollars in coverage.

8.3. ASSESSOR'S RELATIONSHIP TO ASSESSED ENTITY

No stipulation.

8.4. TOPICS COVERED BY ASSESSMENT

The CA SHALL undergo an audit in accordance with one of the following schemes:

1. “WebTrust for CAs v2.0 or newer” AND “WebTrust Principles and Criteria for Certification Authorities – Verified Mark Certificates”

The audit scheme MUST incorporate periodic monitoring and/or accountability procedures to ensure that its audits continue to be conducted in accordance with the requirements of the scheme. The audit MUST be conducted by a Qualified Practitioner, as specified in Section 8.2.

8.5. ACTIONS TAKEN AS A RESULT OF DEFICIENCY

No stipulation.

8.6. COMMUNICATION OF RESULTS

The Audit Report SHALL state explicitly that it covers the relevant systems and processes used in the issuance of all Certificates that assert the VMC policy identifier OID (1.3.6.1.4.1.53087.1.1). The CA SHALL make the Audit Report publicly available. The CA is not required to make publicly available any general audit findings that do not impact the overall audit opinion. The CA SHOULD make its Audit Report publicly available no later than three months after the end of the audit period. In the event of a delay greater than three months, and if so requested by an Application Software Supplier, the CA SHALL provide an explanatory letter signed by the Qualified Practitioner.

8.7. SELF-AUDITS

During the period in which the CA issues Certificates, the CA SHALL monitor adherence to its Certificate Policy, Certification Practice Statement and these Requirements and strictly control its service quality by performing self audits on at least a quarterly basis against a randomly selected sample of the greater of one certificate or at least three percent of the Certificates issued by it during the period commencing immediately after the previous self-audit sample was taken.

9. OTHER BUSINESS AND LEGAL MATTERS

9.1. FEES

9.1.1. Certificate issuance or renewal fees

No stipulation.

9.1.2. Certificate access fees

No stipulation.

9.1.3. Revocation or status information access fees

No stipulation.

9.1.4. Fees for other services

No stipulation.

9.1.5. Refund policy

No stipulation.

9.2. FINANCIAL RESPONSIBILITY

9.2.1. Insurance coverage

No stipulation.

9.2.2. Other assets

No stipulation.

9.2.3. Insurance or warranty coverage for end-entities

No stipulation.

9.3. CONFIDENTIALITY OF BUSINESS INFORMATION

9.3.1. Scope of confidential information

No stipulation.

9.3.2. Information not within the scope of confidential information

No stipulation.

9.3.3. Responsibility to protect confidential information

No stipulation.

9.4. PRIVACY OF PERSONAL INFORMATION

9.4.1. Privacy plan

No stipulation.

9.4.2. Information treated as private

No stipulation.

9.4.3. Information not deemed private

No stipulation.

9.4.4. Responsibility to protect private information

No stipulation.

9.4.5. Notice and consent to use private information

No stipulation.

9.4.6. Disclosure pursuant to judicial or administrative process

No stipulation.

9.4.7. Other information disclosure circumstances

No stipulation.

9.5. INTELLECTUAL PROPERTY RIGHTS

No stipulation.

9.6. REPRESENTATIONS AND WARRANTIES

9.6.1. CA Representations and Warranties

By issuing a Certificate, the CA makes the certificate warranties listed herein to the following Certificate Beneficiaries:

1. The Subscriber that is a party to the Subscriber Agreement or Terms of Use for the Certificate;

2. All Application Software Suppliers with whom the Root CA has entered into a contract for inclusion of its Root Certificate in software distributed by such Application Software Supplier; and

3. All Relying Parties who reasonably rely on a Valid Certificate.

The CA represents and warrants to the Certificate Beneficiaries that, during the period when the Certificate is valid, the CA has complied with these Requirements and its Certificate Policy and/or Certification Practice Statement in issuing and managing the Certificate. The Certificate Warranties specifically include, but are not limited to, the following:

1. Right to Use Domain Name: That, at the time of issuance, the CA (i) implemented a procedure for verifying that the Applicant either had the right to use, or had control of, the Domain Name(s) listed in the Certificate’s subject field and subjectAltName extension (or was delegated such right or control by someone who had such right to use or control); (ii) followed the procedure when issuing the Certificate; and (iii) accurately described the procedure in the CA’s Certificate Policy and/or Certification Practice Statement;

2. Authorization for Certificate: That, at the time of issuance, the CA (i) implemented a procedure for verifying that the Subject authorized the issuance of the Certificate and that the Applicant Representative is authorized to request the Certificate on behalf of the Subject; (ii) followed the procedure when issuing the Certificate; and (iii) accurately described the procedure in the CA’s Certificate Policy and/or Certification Practice Statement;

3. Accuracy of Information: That, at the time of issuance, the CA (i) implemented a procedure for verifying the accuracy of all of the information contained in the Certificate; (ii) followed the procedure when issuing the Certificate; and (iii) accurately described the procedure in the CA’s Certificate Policy and/or Certification Practice Statement;

4. Identity of Applicant: That, if the Certificate contains Subject Identity Information, the CA (i) implemented a procedure to verify the identity of the Applicant in accordance with Sections 3.2; (ii) followed the procedure when issuing the Certificate; and (iii) accurately described the procedure in the CA’s Certificate Policy and/or Certification Practice Statement;

5. Subscriber Agreement: That, if the CA and Subscriber are not Affiliated, the Subscriber and CA are parties to a legally valid and enforceable Subscriber Agreement that satisfies these Requirements, or, if the CA and Subscriber are the same entity or are Affiliated, the Applicant Representative acknowledged the Terms of Use;

6. Status: That the CA maintains a 24 x 7 publicly-accessible Repository with current information regarding the status (valid or revoked) of all unexpired Certificates; and

7. Revocation: That the CA will revoke the Certificate for any of the reasons specified in these Requirements.

The Root CA SHALL be responsible for the performance and warranties of the Subordinate CA, for the Subordinate CA’s compliance with these Requirements, and for all liabilities and indemnification obligations of the Subordinate CA under these Requirements, as if the Root CA were the Subordinate CA issuing the Certificates.

9.6.2. RA Representations and Warranties

No stipulation.

9.6.3. Subscriber Representations and Warranties

The CA SHALL require, as part of the Subscriber Agreement or Terms of Use, that the Applicant make the commitments and warranties in this section for the benefit of the CA and the Certificate Beneficiaries. Prior to the issuance of a Certificate, the CA SHALL obtain, for the express benefit of the CA and the Certificate Beneficiaries, either:

1. The Applicant’s agreement to the Subscriber Agreement with the CA, or

2. The Applicant’s acknowledgement of the Terms of Use.

The CA SHALL implement a process to ensure that each Subscriber Agreement or Terms of Use is legally enforceable against the Applicant. In either case, the Agreement MUST apply to the Certificate to be issued pursuant to the certificate request. The CA MAY use an electronic or "click-through" Agreement provided that the CA has determined that such agreements are legally enforceable. A separate Agreement MAY be used for each certificate request, or a single Agreement MAY be used to cover multiple future certificate requests and the resulting Certificates, so long as each Certificate that the CA issues to the Applicant is clearly covered by that Subscriber Agreement or Terms of Use. The Subscriber Agreement or Terms of Use MUST contain provisions imposing on the Applicant itself (or made by the Applicant on behalf of its principal or agent under a subcontractor or hosting service relationship) the following obligations and warranties:

1. Accuracy of Information: An obligation and warranty to provide accurate and complete information at all times to the CA, both in the certificate request and as otherwise requested by the CA in connection with the issuance of the Certificate(s) to be supplied by the CA;

2. Acceptance of Certificate: An obligation and warranty that the Subscriber will review and verify the Certificate contents for accuracy;

3. Use of Certificate: An obligation and warranty to install the Certificate only on servers that are accessible at the subjectAltName(s) listed in the Certificate, and to use the Certificate solely in compliance with all applicable laws and solely in accordance with the Subscriber Agreement or Terms of Use;

4. Reporting and Revocation: An obligation and warranty to promptly request revocation of the Certificate, and cease using it, if any information in the Certificate is or becomes incorrect or inaccurate.

5. Responsiveness: An obligation to respond to the CA’s instructions concerning Certificate misuse within a specified time period.

6. Acknowledgment and Acceptance: An acknowledgment and acceptance that the CA is entitled to revoke the certificate immediately if the Applicant were to violate the terms of the Subscriber Agreement or Terms of Use or if the CA discovers that the Certificate is being used to enable criminal activities such as phishing attacks, fraud, or the distribution of malware.

9.6.4. Relying Party Representations and Warranties

No stipulation.

9.6.5. Representations and Warranties of Other Participants

No stipulation.

9.7. DISCLAIMERS OF WARRANTIES

No stipulation.

9.8. LIMITATIONS OF LIABILITY

If the CA has issued and managed the Certificate in compliance with these Requirements and its Certificate Policy and/or Certification Practice Statement, the CA MAY limit liability to the Certificate Beneficiaries or any other third parties for any losses suffered as a result of use or reliance on such Certificate beyond those specified in the CA's Certificate Policy and/or Certification Practice Statement, pursuant to the minimum liability requirement below. If the CA has not issued or managed the Certificate in compliance with these Requirements and its Certificate Policy and/or Certification Practice Statement, the CA MAY seek to limit its liability to the Subscriber and to Relying Parties, regardless of the cause of action or legal theory involved, for any and all claims, losses or damages suffered as a result of the use or reliance on such Certificate by any appropriate means that the CA desires. If the CA chooses to limit its liability for Certificates that are not issued or managed in compliance with these Requirements or its Certificate Policy and/or Certification Practice Statement, then the CA SHALL include the limitations on liability in the CA’s Certificate Policy and/or Certification Practice Statement, pursuant to the minimum liability requirement below. The CA MAY NOT limit its liability to Subscribers or Relying Parties for legally recognized and provable claims to a monetary amount less than two thousand US dollars per Subscriber or Relying Party per Verified Mark Certificate.

9.9. INDEMNITIES

9.9.1. Indemnification by CAs

No stipulation.

9.9.2. Indemnification by Subscribers

No stipulation.

9.9.3. Indemnification by Relying Parties

No stipulation.

9.10. TERM AND TERMINATION

9.10.1. Term

No stipulation.

9.10.2. Termination

No stipulation.

9.10.3. Effect of termination and survival

No stipulation.

9.11. INDIVIDUAL NOTICES AND COMMUNICATIONS WITH PARTICIPANTS

No stipulation.

9.12. AMENDMENTS

9.12.1. Procedure for amendment

No stipulation.

9.12.2. Notification mechanism and period

No stipulation.

9.12.3. Circumstances under which OID must be changed

No stipulation.

9.13. DISPUTE RESOLUTION PROVISIONS

No stipulation.

9.14. GOVERNING LAW

No stipulation.

9.15. COMPLIANCE WITH APPLICABLE LAW

No stipulation.

9.16. MISCELLANEOUS PROVISIONS

9.16.1. Entire Agreement

No stipulation.

9.16.2. Assignment

No stipulation.

9.16.3. Severability

In the event of a conflict between these Requirements and a law, regulation or government order (hereinafter 'Law') of any jurisdiction in which a CA operates or issues certificates, a CA MAY modify any conflicting requirement to the minimum extent necessary to make the requirement valid and legal in the jurisdiction. This applies only to operations or certificate issuances that are subject to that Law. In such event, the CA SHALL immediately (and prior to issuing a certificate under the modified requirement) include in Section 9.16.3 of the CA’s CPS a detailed reference to the Law requiring a modification of these Requirements under this section, and the specific modification to these Requirements implemented by the CA. The CA MUST also (prior to issuing a certificate under the modified requirement) notify the Authindicators Working Group of the relevant information newly added to its CPS by sending a message to the Authindicators Working Group and receiving confirmation that it has been received, so that the Authindicators Working Group may consider possible revisions to these Requirements accordingly. Any modification to CA practice enabled under this section MUST be discontinued if and when the Law no longer applies, or these Requirements are modified to make it possible to comply with both them and the Law simultaneously. An appropriate change in practice, modification to the CA’s CPS and a notice to the Authindicators Working Group, as outlined above, MUST be made within 90 days.

9.16.4. Enforcement (attorneys' fees and waiver of rights)

No stipulation.

9.16.5. Force Majeure

No stipulation.

9.17. OTHER PROVISIONS

No stipulation.

APPENDIX A – DNS CONTACT PROPERTIES

These methods allow domain owners to publish contact information in DNS for the purpose of validating domain control.

A.1. CAA Methods

A.1.1. CAA contactemail Property

SYNTAX: contactemail <utf8emailaddress>

The CAA contactemail property takes an email address as its parameter. The entire parameter value MUST be a valid email address as defined in section 3.4 of RFC 5322 and extended by section 3.2 of RFC 6532, with no additional padding or structure, or it cannot be used.

The following is an example where the holder of the domain specified the contact property using an email address.

    $ORIGIN example.com.
    CAA 0 contactemail "domainowner@example.com"

The contactemail property MAY be critical, if the domain owner does not want CAs who do not understand it to issue certificates for the domain.

A.1.2. CAA contactphone Property

SYNTAX: contactphone <rfc3966GlobalNumber>

The CAA contactphone property takes a phone number as its parameter. The entire parameter value MUST be a valid Global Number as defined in RFC 3966 section 5.1.4, or it cannot be used. Global Numbers MUST have a preceding + and a country code and MAY contain visual separators.

The following is an example where the holder of the domain specified the contact property using a phone number.

    $ORIGIN example.com.
    CAA 0 contactphone "+1(555)123-4567"

The contactphone property MAY be critical if the domain owner does not want CAs who do not understand it to issue certificates for the domain.

A.2. DNS TXT Methods

A.2.1. DNS TXT Record Email Contact

The DNS TXT record MUST be placed on the _validation-contactemail subdomain of the domain being validated. The entire RDATA value of this TXT record MUST be a valid email address as defined in section 3.4 of RFC 5322 and extended by section 3.2 of RFC 6532, with no additional padding or structure, or it cannot be used.

A.2.2. DNS TXT Record Phone Contact

The DNS TXT record MUST be placed on the _validation-contactphone subdomain of the domain being validated. The entire RDATA value of this TXT record MUST be a valid Global Number as defined in RFC 3966 section 5.1.4, or it cannot be used.
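The Appendix A rules can be checked mechanically. The following Python sketch is an added example, not part of these Requirements or of any CA's code: it sorts DNS contact records into usable and unusable ones. It assumes a conservative subset of the RFC 5322 address grammar (bare dot-atom addresses only), RFC 3966 global numbers without parameters, and records already fetched for the exact names Appendix A describes; the function name and the sample records are constructed for illustration.

```python
import re

# Conservative subset of the RFC 5322 section 3.4 addr-spec (dot-atom local part,
# hostname-style domain), widened to non-ASCII characters as RFC 6532 section 3.2
# allows. Assumption of this example: quoted local parts, domain literals and
# display-name forms are rejected.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~\-\u0080-\U0010FFFF]"
ALNUM = r"[A-Za-z0-9\u0080-\U0010FFFF]"
LABEL = ALNUM + r"(?:[A-Za-z0-9\-\u0080-\U0010FFFF]*" + ALNUM + r")?"
EMAIL_RE = re.compile(
    ATEXT + r"+(?:\." + ATEXT + r"+)*@" + LABEL + r"(?:\." + LABEL + r")+"
)

# RFC 3966 global-number-digits: "+" followed by digits and the visual separators
# "-", ".", "(" and ")", with at least one digit. Whether the leading digits form
# a real country code is not checked here.
PHONE_RE = re.compile(r"\+[0-9\-.()]*[0-9][0-9\-.()]*")

CAA_RDATA_RE = re.compile(r'(\d{1,3})\s+([A-Za-z0-9]+)\s+"(.*)"')
VALUE_RE = {"email": EMAIL_RE, "phone": PHONE_RE}
TXT_PREFIX = "_validation-contact"


def usable_contacts(domain, records):
    """Split DNS contact records for `domain` into (accepted, rejected).

    records:  iterable of (owner, rtype, rdata) in presentation format.
    accepted: list of (method, kind, value, critical) tuples.
    rejected: list of (rdata, reason) tuples.
    """
    domain = domain.rstrip(".").lower()
    txt_owners = (f"{TXT_PREFIX}email.{domain}", f"{TXT_PREFIX}phone.{domain}")
    accepted, rejected = [], []
    for owner, rtype, rdata in records:
        owner = owner.rstrip(".").lower()
        if rtype == "CAA" and owner == domain:
            m = CAA_RDATA_RE.fullmatch(rdata)
            if not m or int(m.group(1)) > 255:
                rejected.append((rdata, "malformed CAA RDATA"))
                continue
            flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
            if tag not in ("contactemail", "contactphone"):
                continue  # issue, issuewild, iodef, ... are not contact properties
            method, kind = "CAA", tag[len("contact"):]
            critical = bool(flags & 0x80)  # issuer-critical bit of the flags byte
        elif rtype == "TXT" and owner in txt_owners:
            method, kind = "TXT", owner.split(".", 1)[0][len(TXT_PREFIX):]
            quoted = len(rdata) >= 2 and rdata[0] == rdata[-1] == '"'
            value = rdata[1:-1] if quoted else rdata
            critical = False  # TXT records carry no flags
        else:
            continue  # not a record Appendix A assigns a contact meaning to
        # The entire value must match: no padding, display name or URI scheme.
        if VALUE_RE[kind].fullmatch(value):
            accepted.append((method, kind, value, critical))
        else:
            rejected.append((rdata, f"not a bare {kind} value, cannot be used"))
    return accepted, rejected


# Constructed sample records (not taken from any real zone).
SAMPLE_RECORDS = [
    ("example.com.", "CAA", '0 contactemail "domainowner@example.com"'),
    ("example.com.", "CAA", '128 contactphone "+1(555)123-4567"'),
    ("example.com.", "CAA", '0 contactemail "Domain Owner <domainowner@example.com>"'),
    ("example.com.", "CAA", '0 issue "ca.example.net"'),
    ("example.com.", "TXT", '"admin@example.com"'),
    ("_validation-contactemail.example.com.", "TXT", '"hostmaster@example.com "'),
    ("_validation-contactphone.example.com.", "TXT", '"+44.20.7946.0000"'),
    ("_validation-contactphone.example.com.", "TXT", '"555-0100"'),
]

if __name__ == "__main__":
    ok, bad = usable_contacts("example.com", SAMPLE_RECORDS)
    for entry in ok:
        print("usable  ", entry)
    for entry in bad:
        print("unusable", entry)
```

The TXT record at the zone apex is ignored rather than rejected, because only the _validation-contactemail and _validation-contactphone names carry contact meaning under A.2.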

APPENDIX B – MAPPING OF COMBINED, DESIGN, AND WORD MARK TERMINOLOGY TO TERMINOLOGY OF AUTHORIZED TRADEMARK OFFICES

This table is included as an example of how to map the standards and terminology of the Verified Mark Certificates Requirements to the standards and terminology of sample countries. CAs should generally follow these mapping examples for trademarks issued by other countries.

Country/Region: United States (US) [1]
Combined Mark: Marks comprising words plus a design are coded as Mark Drawing Code 3 - Design Plus Words, Letters, and/or Numbers. Marks comprising stylized letters and/or numerals with no design feature are coded as Mark Drawing Code 5
Design Mark: Special Form Drawings. Marks comprising only a design are coded as Mark Drawing Code 2 - Design Only
Word Mark: Standard Character Drawings - Marks comprising words, letters, numbers, or any combination thereof without claim to any particular font style, size, or color are coded as Mark Drawing Code 4 - Standard Character Mark. [Prior to November 2, 2003, typed drawings (see TMEP §807.03(i)) these were coded as Mark Drawing Code 1]

Country/Region: Canada (CA) [2]
Combined Mark: Composite Mark
Design Mark: Design Mark
Word Mark: Standard Character Trademark

Country/Region: European Union (EM) [3]
Combined Mark: Type: Figurative mark containing word elements - A figurative mark consisting of a combination of verbal and figurative elements
Design Mark: Type: Figurative mark - It is a trademark where non-standard characters, stylisation or layout, or a graphic feature or a colour are used, including marks that consist exclusively of figurative elements
Word Mark: Type: Word mark - A word mark consists exclusively of words or letters, numerals, other standard typographic characters or a combination thereof that can be typed

Country/Region: United Kingdom (GB) [4]
Combined Mark: Logo Mark [5] (Image)
Design Mark: Logo Mark (Image)
Word Mark: Word Mark [6]

Country/Region: Germany (DE) [7]
Combined Mark: Combined word and figurative mark (Wort-Bildmarke) - Combined word/figurative marks consist of a combination of word elements and graphical elements, or of words in lettering styles.
Design Mark: Figurative Mark (Bildmarke) - are pictures, graphical elements or images (without words or word elements).
Word Mark: Word Mark (Wortmarke) - are trademarks that consist of words, letters, numbers or other characters that are part of the standard set of characters used by the Deutsches Patent und Markenamt (DPMA).

Country/Region: Japan (JP) [8]
Combined Mark: Combined (結合商標)
Design Mark: Symbol (記号商標); Figurative/Graphic Trademark (図形商標); Combined (結合商標)
Word Mark: Word Only (文字商標)

Country/Region: Australia (AU)
Combined Mark: Figurative Mark [9]
Design Mark: Figurative Mark [10]
Word Mark: Word Mark [11]

Country/Region: Spain (ES) [12]
Combined Mark: Device Mark
Design Mark: Device Mark
Word Mark: Word Mark

[1] https://tmep.uspto.gov/RDMS/TMEP/current#/current/TMEP-800d1e2068.html http://www.lo101.com/mdc.html

[2] https://trademark.witmart.com/canada/registration

[3] https://euipo.europa.eu/ohimportal/en/trade-mark-definition

[4] https://www.trademarkdirect.co.uk/blog/word-marks-logo-marks

[5] See https://trademarks.ipo.gov.uk/ipo-tmcase/page/Results/1/UK00002192618 for Burger King combined mark registration in the UK. The search dropdown field on the site uses the term “design”. The registration does not appear to call out the words in the combined mark, so MVAs must extract the words to insert in the VMC Sec. 4.5.2.4.4 Word Mark field.

[6] See https://trademarks.ipo.gov.uk/ipo-tmcase/page/Results/1/UK00001351798 for word mark registration for Burger King. The search dropdown field on the site uses the term “word”. The registration does not appear to call out the words in the combined mark, so MVAs must extract the words to insert in the VMC Sec. 4.5.2.4.4 Word Mark field. Note that UK trademark registration for word marks allows “series” of the same word mark to be listed in a single registration (where words are arranged in different configurations – linear, stacked – but always read the same way to a consumer).

[7] English definition from glossary in: https://www.dpma.de/docs/dpma/veroeffentlichungen/broschueren/200129_bromarken_engl_nichtbarr.arm.pdf English/German mapping is by looking at the "550 Markenform" (German version) of: https://register.dpma.de/register/htdocs/prod/en/hilfe/recherchefelder/marken/index.html and using the language translator tool to map to English. See also section “What is the difference between a word mark and a combined word/figurative mark or figurative mark?” in https://www.dpma.de/english/trade_marks/faq/index.html

[8] https://www.globalipdb.inpit.go.jp/jpowp/wp-content/uploads/2018/11/170c54c04df539b80e52f33800a1e643.pdf and https://www.jetro.go.jp/ext_images/world/asia/sg/ip/pdf/search_ip_communique2016.pdf Also https://elaws.e-gov.go.jp/document?lawid=334AC0000000127

[9] See https://search.ipaustralia.gov.au/trademarks/search/view/381026?s=9f1d9c31-769b-4472-a055-e8c636007f26 Note that registration shows “AMERICAN STANDARD IDEAL STANDARD” for “Words” field.

[10] See https://search.ipaustralia.gov.au/trademarks/search/view/373483?s=9f1d9c31-769b-4472-a055-e8c636007f26 for Delta triangle figurative mark registration. Note that registration shows “A” for “Words” field (unclear – a placeholder?).

[11] See https://search.ipaustralia.gov.au/trademarks/search/view/723899?s=6f75163b-7cac-44f6-9784-7cf7496ceec0. Note that registration shows “BURGER KING” for “Words” field

[12] https://companiesinn.com/articles/different-types-trademark

APPENDIX C – AUTHORIZED TRADEMARK OFFICES FOR VMCS

This Appendix is intentionally left blank.

APPENDIX D - VMC TERMS OF USE (“VMC TERMS”)

All Mark Asserting Entities (MAEs) are required, as a condition of being issued a Verified Mark Certificate, to agree to these VMC Terms. Any and all use, display, or reliance on any Verified Mark Certificate (and any Mark Representation and any other data or information therein) by Consuming Entities, Relying Parties, and any other person, is subject to and conditional upon acceptance of these VMC Terms. The OID 1.3.6.1.4.1.53087.1.1 in the Verified Mark Certificate incorporates by reference these VMC Terms. If any person does not agree to these VMC Terms, such person may not obtain, use, publish, or rely upon any Verified Mark Certificate or on any Mark Representation or any other data or information in a Verified Mark Certificate.

1. Definitions. Capitalized words will have meanings set out in Section 1.6 of the Verified Mark Certificate Requirements.

2. Limited Right to Reproduce and Display. The MAE hereby grants, subject to the terms, conditions and restrictions in the VMC Requirements and these VMC Terms:

2.1. to the Issuing CA, a limited, non-exclusive, worldwide license to issue a Verified Mark Certificate that contains the VMC Marks and to log said certificate in a limited number of Certificate Transparency Logs as required by the VMC Requirements; and

2.2. to Consuming Entities, a limited, non-exclusive, worldwide license to use the VMC Marks in conjunction with internal logo recognition systems, and to host, store, reproduce, display, process, and modify as permitted by section 3.1 the VMC Marks only in direct visual association with communications, correspondence, or services authored or provided by the MAE from or through one of the same domains included within the Verified Mark Certificate’s Subject Alternative Name field; and

2.3. to certificate transparency log operators if different from the Issuing CA, a limited, non-exclusive, worldwide license to retain a copy of and to reproduce the Verified Mark Certificate to support a durable public record of those issued certificates, and for the purpose of permitting members of the public to audit the verification of Verified Mark Certificates.

No other license is granted to any other party, or for any other use.

3. License Restrictions and Conditions. Any Consuming Entity that incorporates or intends to incorporate the VMC Marks obtained through an issued and published Verified Mark Certificate into its products and services, agrees that its license to do so is subject to and conditional on the following:

3.1. Quality Control, Same Treatment. The Consuming Entity may not distort at display time any Mark Representation obtained from a published Verified Mark Certificate, change its colors or background, modify its transparency, or alter it in any way other than to adjust its size or scale, or to crop it in a manner consistent with cropping performed on other Mark Representations displayed in the same context. If a Consuming Entity displays a Word Mark obtained from a published Verified Mark Certificate, it must do so in a neutral manner applied consistently to all Word Marks from all Verified Mark Certificates that are shown in the same visual context. The Consuming Entity may display a Mark included in a Verified Mark Certificate without also displaying a Word Mark included in the same Verified Mark Certificate, but the Consuming Entity may not display a Word Mark included in a Verified Mark Certificate without also displaying the Mark included in the same Verified Mark Certificate.

3.2. No Partnership or Relationships implied. Subject to an express agreement to the contrary between the Consuming Entity and the MAE, neither the VMC Marks nor any other content of the Verified Mark Certificate may be used or displayed in any way that reasonably implies any relationship between the Consuming Entity and the MAE, beyond the bare licensor-licensee relationship created by these VMC Terms.

3.3. CRL or OCSP Checks. Consuming Entities must check the Certificate Revocation Lists maintained by the CA or perform an on-line revocation status check using OCSP to determine whether a Verified Mark Certificate has been revoked no less frequently than every 7 days.

3.4. Lawful Use. Consuming Entities may only use the Mark Representation in a Verified Mark Certificate in accordance with applicable law.

4. Sufficient Ownership or License. The MAE warrants that the VMC Marks published via a Verified Mark Certificate represent a Registered Mark (and Word Mark, if any) that the MAE owns or for which the MAE has obtained sufficient license to be able to grant the limited license in these VMC Terms, and that it will immediately revoke the Verified Mark Certificate if it no longer owns or has a sufficient license to the applicable Registered Mark (or Word Mark, if any). The MAE will defend and will be liable for any intellectual property or other claims against any Consuming Entity, Relying Party or CA that arise from the content of the MAE’s application for a Verified Mark Certificate.

5. No obligation to display. The MAE acknowledges that Consuming Entities are under no obligation to display the VMC Marks in connection with content the MAE publishes that is associated with the domains the MAE owns or controls as a Domain Registrant, even if a communication or message is confirmed to be from the MAE and a suitable VMC Mark can be obtained and safely displayed from the applicable Verified Mark Certificate. Instead, Consuming Entities may choose to display the VMC Marks in accordance with these VMC Terms, or not display them, at their option.

6. Termination. Immediately upon revocation or expiration of the Verified Mark Certificate, the MAE will cease publishing or using the Verified Mark Certificate, and the license granted to Consuming Entities in Section 2.2 above SHALL terminate. The license to a Consuming Entity in Section 2.2 above also terminates automatically and immediately upon breach of any provision of these VMC Terms by the Consuming Entity. Consuming Entities must immediately cease any and all use of the VMC Marks upon termination of the applicable license.

7. Updates to VMC Requirements and VMC Terms. The VMC Requirements and VMC Terms may be updated from time to time. All parties agree that the version of the VMC Requirements and VMC Terms in effect at the time of issuance of a Verified Mark Certificate SHALL apply through the date of expiration or revocation of the Verified Mark Certificate (and, for those provisions that by their nature extend beyond the date of expiration or revocation, until the provisions no longer would apply by their terms). It is the responsibility of each entity who obtains, uses, publishes or relies upon a Verified Mark Certificate to review and familiarize itself from time to time with any updated versions of the VMC Requirements and VMC Terms.

APPENDIX E - OPTIONAL RULES FOR MATCHING MARK REPRESENTATION SUBMITTED BY SUBSCRIBER WITH REGISTERED MARK VERIFIED BY CA

These are optional rules approved by the Authindicators which CAs MAY use when matching the Mark Representation submitted by the Subscriber with the Registered Mark verified by the CA.

Trademarks registered in the United States

[This Appendix is still being drafted.]

APPENDIX F - CT LOGS APPROVED BY AUTHINDICATORS WORKING GROUP

Log URL                              Name
https://gorgon.ct.digicert.com/log   Gorgon

APPENDIX G – ADDITIONAL F2F VERIFICATION PROCEDURE

The Contract Signer or Certificate Approver for the Verified Mark Certificate must perform the F2F Verification Procedure for the Applicant according to the process described in either Section 1 or Section 2 below, as selected by the CA at its discretion. If the Contract Signer and Certificate Approver roles are fulfilled by different natural persons, then only one of Contract Signer or Certificate Approver must perform the F2F Verification Procedure. In all cases, the natural person performing the F2F Verification Procedure is referred to as the “Designated Individual” in the procedure defined below.

Section 1 – Notarization process for document signed by Designated Individual

If this F2F Verification Procedure is selected by the CA, the Designated Individual must perform the Notarization procedure for the Applicant as described below.

1. Receive information from the Designated Individual. The CA will ask the Designated Individual to submit the following information: name, email address, and telephone number for use in the Notarization process described in Sections 2 and 3 below.

2. Conduct Notarization Process. The CA will arrange for a Notary to meet with the Designated Individual. The Notary MUST NOT be an employee of the Subscriber or a member of any law firm used by the Subscriber. The Notarization process MAY be performed by Remote Notarization, provided that it is conducted in accordance with applicable law in the Notary's jurisdiction. The Designated Individual MUST be located in a jurisdiction in which the Notary is permitted to Notarize according to applicable law. The CA will provide the Notary in advance with a Verification Document for the Designated Individual to sign before the Notary and be Notarized. The notary should be instructed to confirm the Designated Individual’s face conforms to the photo on the Designated Individual’s photo ID, and that the name of the Designated Individual listed on the photo ID conforms to the Designated Individual name on the Verification Document. The Notary must observe the Designated Individual as he or she signs the Verification Document, then Notarize the Verification Document. The Notary should record any required details of the Notarization process in the Notary’s notary journal (or equivalent) as normally required in the jurisdiction for a Notarization. Digital signatures may be used if accepted in the jurisdiction. The Notary must then either: (1) Send a photo or PDF copy of the Notarized Verification Document to the CA according to the CA’s instructions and give the original document to the Designated Individual for his or her files or destruction, or (2) send the original signed Verification Document to the CA. The Notary should not retain a copy of the Verification Document or the Designated Individual’s photo ID in the Notary’s own files unless required to do so by applicable law or regulation in the jurisdiction, in which case the Notary should treat the document and photo ID as PII to be archived and disposed of in a secure manner and in accordance with any applicable law or regulation.

Section 2 – Web-based F2F session with Designated Individual.

If this F2F Verification Procedure is selected by the CA, the CA or its third party agent will perform a web-based recorded or photographed session with the Designated Individual. This form of validation must include the following basic steps:

1. Receive information from the Designated Individual. The CA will ask the Designated Individual to submit the following information: name, email address, and telephone number for use in the web-based F2F process described in Sections 2 and 3 below.

2. Process for web-based F2F session. The web-based F2F session will include the following steps.

a) The CA or agent initiates a live, recorded video conference with Designated Individual. The recording can either be saved by the CA, or appropriate screenshots of the conference can be saved by the CA instead.

b) The Designated Individual recites on the video conference his or her basic information, including name, address, organization, title, telephone number, ID type (passport, national ID, driver’s license, etc.), and ID number that will be used during the validation session.

c) The CA or agent asks the Designated Individual to present his or her ID document to the camera, close enough to provide a clear picture of the front, back, and any other pages as may be necessary to read and examine the document and capture it on the video and/or screenshots. The CA or agent is not expected to determine whether or not the ID document is genuine, only to record what was presented. The CA agent may reject the ID document at the CA agent’s discretion if appropriate (e.g., expired, name mis-match, photo mis-match).

d) The CA or agent asks the Designated Individual to hold ID in front of his or her face, to turn the document around in that position, and to wave his or her other hand in the space between the ID and the Designated Individual’s face. The CA must make reasonable accommodations if necessary in case the Designated Individual has a relevant physical disability. The CA or agent may ask additional questions at his or her discretion.

e) The video conference is completed. The CA or agent then approves or fails the ID verification request based on the procedure and securely archives the recording.

The CA may use a competent third party service provider trusted by the CA to perform this recorded or photographed web-based session with Designated Individual so long as the CA obtains and retains the recorded session and/or screenshots in the validation file.

Section 3 – PII and Privacy Requirements

VMC Designated Individual PII & Privacy Processes

The issuance of a VMC requires the issuing CA to validate the following information:

• The applying organization’s ownership of their business domain
• The applying organization’s ownership of the logo to be used
• The Designated Individual’s connection to the organization
• The Designated Individual’s identity

Due to the novel nature of validating the identity of the Designated Individual through F2F verification, which is performed either through a meeting with a notary or equivalent or through a web-based F2F session, additional information that is not typically collected for certificate issuance is required. As such, measures to protect the Designated Individual’s personally identifiable information must be exercised.

Initial Designated Individual Guidance for Notarization process

1. Before an applicant begins the Notarization process, each CA should:

• Set expectations and prepare the Designated Individual by providing a short list of items needed for and a brief explanation of the Notarization process and required personal documents and information:
  ○ Description of the Notarization process that will be followed and PII details to be collected, including types of government-issued ID that will be accepted.
• Provide links to the CA’s official privacy policies

2. During the Notarization process, each CA must ensure:

• Designated Individual PII is collected via secure portal or safe file share site. Such PII also includes information associated with typical account setup such as name, title, phone, and email address of the Designated Individual.

CA PII Retention Transparency Guidance

• Where PII is collected, the CA must include links to or information about the following:
  ○ Summary of the collection, use, storage, and destruction of information as it applies to the application and process; point to relevant standards
• Explanation and reasoning for collection of required information by the CA (and, if applicable, by the notary)
• Context as to the relative normalcy of this (e.g. for standard notarization process, SSL certs or home loans etc.)
• Include CA’s official privacy policies

3. Guidance on PII sent to Notary

• For the in-person meeting the Designated Individual should provide only the below fields to the CA. The collection of additional, personally identifiable information is not required or recommended.
  ○ Name
  ○ Email address
  ○ Meeting location, date, time
  ○ Cell phone number (for the purposes of coordinating the meeting between the Designated Individual and notary)

4. Guidance on Designated Individual PII Treatment by Notary

• The Notary must maintain limited Designated Individual PII, as noted in the required fields of Item 3, including data entries in a Notary Journal that the Notary must retain by law or practice (or similar record that a Latin Notary, lawyer, or solicitor must retain).

• The CA should provide the Designated Individual with information about the in-person meeting and document(s) that will be presented for signature(s).
  ○ The CA should provide the Designated Individual the lifecycle details of the signed documents or PII retained by the Notary.

Initial Designated Individual Guidance for web-based F2F session process

CAs must follow their own PII and privacy protection requirements for all web-based F2F session process they conduct, and follow all applicable laws. If a CA uses an external service provider to conduct web-based F2F sessions, the CA must first conduct due diligence about the service provider, and confirm that the service provider has PII and privacy protection requirements for all web-based F2F session process they conduct, and follow all applicable laws.

1. Before an applicant begins the web-based F2F session process, each CA should:

• Set expectations and prepare the Designated Individual by providing a short list of items needed for and a brief explanation of the web-based F2F session process and required personal documents and information:
  ○ Description of the web-based F2F session process that will be followed and PII details to be collected, including types of government-issued ID that will be accepted.
• Provide links to the CA’s official privacy policies

2. During the web-based F2F session process, each CA must ensure:


• Designated Individual PII is collected via secure portal or safe file share site. Such PII also includes information associated with typical account setup such as name, title, phone, and email address of the Designated Individual.

CA PII Retention Transparency Guidance

• Where PII is collected, the CA must include links to or information about the following:
  ○ Summary of the collection, use, storage, and destruction of information as it applies to the application and process; point to relevant standards
• Explanation and reasoning for collection of required information by the CA (and, if applicable, by the web-based F2F session)
• Include CA’s official privacy policies


APPENDIX H - COUNTRY-SPECIFIC INTERPRETATIVE GUIDELINES (NORMATIVE)

NOTE: This appendix provides alternative interpretations of the VMC Requirements for countries that have a language, cultural, technical, or legal reason for deviating from a strict interpretation of these Requirements. More specific information for particular countries may be added to this appendix in the future.

1. Organization Names

(1) Non-Latin Organization Name

Where a Verified Mark Applicant’s organization name is not registered with a QGIS in Latin characters and the Applicant’s foreign character organization name and registration have been verified with a QGIS in accordance with these Requirements, a CA MAY include a Latin character organization name in the Verified Mark Certificate. In such a case, the CA MUST follow the procedures laid down in this section.

(2) Romanized Names

In order to include a transliteration/Romanization of the registered name, the Romanization MUST be verified by the CA using a system officially recognized by the Government in the Applicant’s Jurisdiction of Incorporation. If the CA cannot rely on a transliteration/Romanization of the registered name using a system officially recognized by the Government in the Applicant’s Jurisdiction of Incorporation, then it MUST rely on one of the options below, in order of preference:

(A) A system recognized by the International Organization for Standardization (ISO);
(B) A system recognized by the United Nations; or
(C) A Lawyer’s Opinion or Accountant’s Letter confirming the proper Romanization of the registered name.

(3) Translated Name

In order to include a Latin character name in the Verified Mark certificate that is not a direct Romanization of the registered name (e.g. an English Name) the CA MUST verify that the Latin character name is:

(A) Included in the Articles of Incorporation (or equivalent document) filed as part of the organization registration; or
(B) Recognized by a QTIS in the Applicant’s Jurisdiction of Incorporation as the Applicant’s recognized name for tax filings; or
(C) Confirmed with a QIIS to be the name associated with the registered organization; or
(D) Confirmed by a Verified Legal Opinion or Accountant’s Letter to be a translated trading name associated with the registered organization.

Country-Specific Procedures

H-1. Japan

As interpretation of the procedures set out above:

1. Organization Names

(A) The Revised Hepburn method of Romanization, as well as Kunrei-shiki and Nihon-shiki methods described in ISO 3602, are acceptable for Japanese Romanizations.

(B) The CA MAY verify the Romanized transliteration, language translation (e.g. English name), or other recognized Roman-letter substitute of the Applicant’s formal legal name with either a QIIS, Verified Legal Opinion, or Verified Accountant Letter.

(C) The CA MAY use the Financial Services Agency to verify a Romanized, translated, or other recognized Roman-letter substitute name. When used, the CA MUST verify that the translated English is recorded in the audited Financial Statements.

(D) When relying on Articles of Incorporation to verify a Romanized, translated, or other recognized Roman-letter substitute name, the Articles of Incorporation MUST be accompanied either: by a document, signed with the original Japanese Corporate Stamp, that proves that the Articles of Incorporation are authentic and current, or by a Verified Legal Opinion or a Verified Accountant Letter. The CA MUST verify the authenticity of the Corporate Stamp.

(E) A Romanized, translated, or other recognized Roman-lettered substitute name confirmed in accordance with this Appendix H-1 stored in the ROBINS database operated by JIPDEC MAY be relied upon by a CA for determining the allowed organization name during any issuance or renewal process of a Verified Mark Certificate without the need to re-perform the above procedures.

2. Accounting Practitioner

In Japan:

(A) Accounting Practitioner includes either a certified public accountant (公認会計士 - Konin-kaikei-shi) or a licensed tax accountant (税理士 – Zei-ri-shi).

(B) The CA MUST verify the professional status of the Accounting Practitioner through direct contact with the relevant local member association that is affiliated with either the Japanese Institute of Certified Public Accountants (http://www.hp.jicpa.or.jp), the Japan Federation of Certified Tax Accountant’s Associations (http://www.nichizeiren.or.jp), or any other authoritative source recognized by the Japanese Ministry of Finance (http://www.mof.go.jp) as providing the current registration status of such professionals.

3. Legal Practitioner

In Japan:

(A) Legal Practitioner includes any of the following:
  • a licensed lawyer (弁護士 - Ben-go-shi),
  • a judicial scrivener (司法書士 - Shiho-sho-shi lawyer),
  • an administrative solicitor (行政書士 - Gyosei-sho-shi Lawyer), or
  • a notary public (公証人 - Ko-sho-nin).

For purposes of these Requirements, a Japanese Notary Public is considered equivalent to a Latin Notary.

(B) The CA MUST verify the professional status of the Legal Practitioner by direct contact through the relevant local member association that is affiliated with one of the following national associations:
  • the Japan Federation of Bar Associations (http://www.nichibenren.or.jp),
  • the Japan Federation of Shiho-Shoshi Lawyer’s Associations (http://www.shiho-shoshi.or.jp),
  • the Japan Federation of Administrative Solicitors (http://www.gyosei.or.jp),
  • the Japan National Notaries Association (http://www.koshonin.gr.jp), or
  • any other authoritative source recognized by the Japanese Ministry of Justice (http://www.moj.go.jp) as providing the current registration status of such professionals.


APPENDIX I – ABSTRACT SYNTAX NOTATION ONE MODULE FOR EV CERTIFICATES

The definition of these attributes is identical to those included in EV Certificates and are included in Verified Mark Certificates.

CABFSelectedAttributeTypes {
    joint-iso-itu-t(2) international-organizations(23)
    ca-browser-forum(140) module(4)
    cabfSelectedAttributeTypes(1) 1 }
DEFINITIONS ::=
BEGIN
-- EXPORTS All
IMPORTS
  -- from Rec. ITU-T X.501 | ISO/IEC 9594-2
  selectedAttributeTypes, ID, ldap-enterprise
    FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
      usefulDefinitions(0) 7}

  -- from the X.500 series
  ub-locality-name, ub-state-name
    FROM UpperBounds {joint-iso-itu-t ds(5) module(1) upperBounds(10) 7}

  -- from Rec. ITU-T X.520 | ISO/IEC 9594-6
  DirectoryString{}, CountryName
    FROM SelectedAttributeTypes selectedAttributeTypes;

id-evat-jurisdiction ID ::= {ldap-enterprise 311 ev(60) 2 1}
id-evat-jurisdiction-localityName ID ::= {id-evat-jurisdiction 1}
id-evat-jurisdiction-stateOrProvinceName ID ::= {id-evat-jurisdiction 2}
id-evat-jurisdiction-countryName ID ::= {id-evat-jurisdiction 3}

jurisdictionLocalityName ATTRIBUTE ::= {
  SUBTYPE OF name
  WITH SYNTAX DirectoryString{ub-locality-name}
  LDAP-SYNTAX directoryString.&id
  LDAP-NAME {"jurisdictionL"}
  ID id-evat-jurisdiction-localityName }

jurisdictionStateOrProvinceName ATTRIBUTE ::= {
  SUBTYPE OF name
  WITH SYNTAX DirectoryString{ub-state-name}
  LDAP-SYNTAX directoryString.&id
  LDAP-NAME {"jurisdictionST"}
  ID id-evat-jurisdiction-stateOrProvinceName }

jurisdictionCountryName ATTRIBUTE ::= {
  SUBTYPE OF name
  WITH SYNTAX CountryName
  SINGLE VALUE TRUE
  LDAP-SYNTAX countryString.&id
  LDAP-NAME {"jurisdictionC"}
  ID id-evat-jurisdiction-countryName }
END
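The following added example (not part of the Requirements) resolves the three jurisdiction OIDs defined by the module above, DER-encodes them, and builds a jurisdictionCountryName RDN, which is what a certificate linter would look for in a subject name. It assumes ldap-enterprise resolves to 1.3.6.1.4.1 as defined in X.501; the function names are hypothetical, and the byte search in find_jurisdiction_attrs is a heuristic rather than a full DER parse.

```python
# Added example; arcs are resolved from the ASN.1 module in Appendix I.
# Assumption: ldap-enterprise (imported from X.501) is 1.3.6.1.4.1.
LDAP_ENTERPRISE = (1, 3, 6, 1, 4, 1)
ID_EVAT_JURISDICTION = LDAP_ENTERPRISE + (311, 60, 2, 1)
JURISDICTION_OIDS = {  # keyed by the module's LDAP-NAME values
    "jurisdictionL": ID_EVAT_JURISDICTION + (1,),
    "jurisdictionST": ID_EVAT_JURISDICTION + (2,),
    "jurisdictionC": ID_EVAT_JURISDICTION + (3,),
}


def _base128(n):
    """Encode one OID arc as big-endian base-128 with continuation bits."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(reversed(out))


def _tlv(tag, body):
    """DER tag-length-value, short-form length only (body under 128 bytes)."""
    if len(body) >= 128:
        raise ValueError("long-form lengths are out of scope for this example")
    return bytes([tag, len(body)]) + body


def encode_oid(arcs):
    """DER-encode an OBJECT IDENTIFIER (first two arcs share one byte)."""
    body = bytes([arcs[0] * 40 + arcs[1]]) + b"".join(_base128(a) for a in arcs[2:])
    return _tlv(0x06, body)


def jurisdiction_country_rdn(country):
    """Build SET { SEQUENCE { OID, PrintableString } } for jurisdictionC."""
    # CountryName syntax: exactly two letters (ISO 3166 alpha-2), upper case here.
    if not (len(country) == 2 and country.isascii() and country.isalpha() and country.isupper()):
        raise ValueError("jurisdictionC must be a two-letter country code")
    oid = encode_oid(JURISDICTION_OIDS["jurisdictionC"])
    return _tlv(0x31, _tlv(0x30, oid + _tlv(0x13, country.encode("ascii"))))


def find_jurisdiction_attrs(der):
    """Heuristic lint: names of jurisdiction attributes whose OID TLV occurs in der."""
    return [n for n, arcs in JURISDICTION_OIDS.items() if encode_oid(arcs) in der]
```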


APPENDIX J – REGISTRATION SCHEMES

The following Registration Schemes are currently recognized as valid under these Requirements:

NTR: The information carried in this field SHALL be the same as held in Subject Serial Number Field as specified in 7.1.4.4.2(k) and the country code used in the Registration Scheme identifier SHALL match that of the subject’s jurisdiction as specified in Section 7.1.4.4.2(j). Where the Subject Jurisdiction of Incorporation or Registration Field in 7.1.4.4.2(j) includes more than the country code, the additional locality information SHALL be included as specified in Section 7.1.4.4.2(j).

VAT: Reference allocated by the national tax authorities to a Legal Entity. This information SHALL be validated using information provided by the national tax authority against the organization as identified by the Subject Organization Name Field (see 7.1.4.4.2(b)) and Subject Serial Number Field (see 7.1.4.4.2(k)) within the context of the subject’s jurisdiction as specified in Section 7.1.4.4.2(j).

PSD: Authorization number as specified in ETSI TS 119 495 clause 4.4 allocated to a payment service provider and containing the information as specified in ETSI TS 119 495 clause 5.2.1. This information SHALL be obtained directly from the national competent authority register for payment services or from an information source approved by a government agency, regulatory body, or legislation for this purpose. This information SHALL be validated by being matched directly or indirectly (for example, by matching a globally unique registration number) against the organization as identified by the Subject Organization Name Field (see 7.1.4.4.2(b)) and Subject Serial Number Field (see 7.1.4.4.2(k)) within the context of the subject’s jurisdiction as specified in Section 7.1.4.4.2(j). The stated address of the organization combined with the organization name SHALL NOT be the only information used to disambiguate the organization.
