From 6a602517510badd2e898c0c288aba272291b8401 Mon Sep 17 00:00:00 2001 From: Christophe Bonjean Date: Tue, 12 Dec 2023 10:57:16 +0100 Subject: [PATCH 01/17] Updates to section 16 --- docs/EVG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/EVG.md b/docs/EVG.md index 4f1d5df9..f7d0da04 100644 --- a/docs/EVG.md +++ b/docs/EVG.md @@ -1356,7 +1356,7 @@ As specified in Section 5.4 of the Baseline Requirements. # 16. Data Security -As specified in Section 5 of the Baseline Requirements. In addition, systems used to process and approve EV Certificate Requests MUST require actions by at least two trusted persons before creating an EV Certificate. +As specified in Section 5 of the Baseline Requirements. # 17. Audit From dd34cf114982adde943720354847ae873279f7b7 Mon Sep 17 00:00:00 2001 From: Christophe Bonjean Date: Tue, 12 Dec 2023 11:20:37 +0100 Subject: [PATCH 02/17] Updates to section 11.13 --- docs/EVG.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/docs/EVG.md b/docs/EVG.md index f7d0da04..4abcd070 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
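Review bot: The `-` line in the Section 16 hunk of PATCH 01/17 removes the requirement that systems used to process and approve EV Certificate Requests require actions by at least two trusted persons before an EV Certificate is created, leaving only the pointer to Section 5 of the Baseline Requirements, and nothing in this hunk replaces that dual-control requirement. The commit message "Updates to section 16" does not say whether the control is meant to be covered elsewhere; if the intent is that Section 14.1.3 Separation of Duties now carries it, the message should say so, and note that 14.1.3 speaks of separation of validation duties between Validation Specialists, not of the systems that create the certificate, so the system-level two-person control would still be lost.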
@@ -1229,7 +1229,17 @@ A CA verifying an Applicant using information of the Applicant's Parent, Subsidi ## 11.13. Final Cross-Correlation and Due Diligence -1. The results of the verification processes and procedures outlined in these Guidelines are intended to be viewed both individually and as a group. Thus, after all of the verification processes and procedures are completed, the CA MUST have a person who is not responsible for the collection of information review all of the information and documentation assembled in support of the EV Certificate application and look for discrepancies or other details requiring further explanation. +1. The results of the verification processes and procedures outlined in these Guidelines are intended to be viewed both individually and as a group. + +Due Diligence is the process whereby a Validation Specialist reviews all information and documentation assembled in support of the EV Certificate application to confirm that each verification process and procedure performed, separately, meets the requirements of these Guidelines. + +The CA MUST perform Due Diligence for each verification process and procedure where a decision is made by a Validation Specialist. Due Diligence is not required for automated processes and/or procedures, including Verification of Domain Name(s). + +Cross Correlation is the process whereby a Validation Specialist reviews all information and documentation assembled in support of the EV Certificate application to confirm that all information and documentation relate to the same Subject and that there are no discrepancies between the verification elements as they relate to one another. + +The CA MUST have a person not responsible for the collection of information perform this Cross Correlation. Verification of Domain Name(s) is out of scope of Cross Correlation. 
+ +Due Diligence and Cross Correlation can be performed by a single Validation Specialist, however the Validation Specialist MUST be independent of the information and documentation reviewed, (i.e. not involved in the processes and procedures performed). 2. The CA MUST obtain and document further explanation or clarification from the Applicant, Certificate Approver, Certificate Requester, Qualified Independent Information Sources, and/or other sources of information, as necessary, to resolve those discrepancies or details that require further explanation. 3. The CA MUST refrain from issuing an EV Certificate until the entire corpus of information and documentation assembled in support of the EV Certificate Request is such that issuance of the EV Certificate will not communicate factual information that the CA knows, or the exercise of due diligence should discover from the assembled information and documentation, to be inaccurate,. If satisfactory explanation and/or additional documentation are not received within a reasonable time, the CA MUST decline the EV Certificate Request and SHOULD notify the Applicant accordingly. 4. In the case where some or all of the documentation used to support the application is in a language other than the CA's normal operating language, the CA or its Affiliate MUST perform the requirements of this Final Cross-Correlation and Due Diligence section using employees under its control and having appropriate training, experience, and judgment in confirming organizational identification and authorization and fulfilling all qualification requirements contained in [Section 14.1](#141-trustworthiness-and-competence). When employees under the control of the CA do not possess the language skills necessary to perform the Final Cross-Correlation and Due Diligence a CA MAY: From 708504fb7862979e7fd20acbe1ad87371d359cff Mon Sep 17 00:00:00 2001 
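Review bot: The added paragraphs in the 11.13 hunk of PATCH 02/17 exclude Verification of Domain Name(s) from Cross Correlation unconditionally ("Verification of Domain Name(s) is out of scope of Cross Correlation") while exempting it from Due Diligence only as an automated process; a CA that verifies domain names manually would then have a human decision that escapes Cross Correlation, so the two exclusions should be conditioned the same way (both limited to automated processing). Two smaller points: "Due Diligence and Cross Correlation can be performed by a single Validation Specialist" uses "can" where the rest of the section uses MUST/MAY/SHOULD, so "MAY" fits better; and adding blank-line-separated paragraphs inside item 1 of an ordered list will, in most Markdown renderers, end the list so that items 2 to 4 either restart numbering or render as plain paragraphs, which is worth checking in the rendered output.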
From: Christophe Bonjean Date: Tue, 12 Dec 2023 11:21:43 +0100 Subject: [PATCH 03/17] formatting updates --- docs/EVG.md | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index 4abcd070..35f8e28f 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
@@ -1229,16 +1229,11 @@ A CA verifying an Applicant using information of the Applicant's Parent, Subsidi ## 11.13. Final Cross-Correlation and Due Diligence -1. The results of the verification processes and procedures outlined in these Guidelines are intended to be viewed both individually and as a group. - +1. The results of the verification processes and procedures outlined in these Guidelines are intended to be viewed both individually and as a group. Due Diligence is the process whereby a Validation Specialist reviews all information and documentation assembled in support of the EV Certificate application to confirm that each verification process and procedure performed, separately, meets the requirements of these Guidelines. - The CA MUST perform Due Diligence for each verification process and procedure where a decision is made by a Validation Specialist. Due Diligence is not required for automated processes and/or procedures, including Verification of Domain Name(s). - Cross Correlation is the process whereby a Validation Specialist reviews all information and documentation assembled in support of the EV Certificate application to confirm that all information and documentation relate to the same Subject and that there are no discrepancies between the verification elements as they relate to one another. - The CA MUST have a person not responsible for the collection of information perform this Cross Correlation. Verification of Domain Name(s) is out of scope of Cross Correlation. - Due Diligence and Cross Correlation can be performed by a single Validation Specialist, however the Validation Specialist MUST be independent of the information and documentation reviewed, (i.e. not involved in the processes and procedures performed). 2. 
The CA MUST obtain and document further explanation or clarification from the Applicant, Certificate Approver, Certificate Requester, Qualified Independent Information Sources, and/or other sources of information, as necessary, to resolve those discrepancies or details that require further explanation. 3. The CA MUST refrain from issuing an EV Certificate until the entire corpus of information and documentation assembled in support of the EV Certificate Request is such that issuance of the EV Certificate will not communicate factual information that the CA knows, or the exercise of due diligence should discover from the assembled information and documentation, to be inaccurate,. If satisfactory explanation and/or additional documentation are not received within a reasonable time, the CA MUST decline the EV Certificate Request and SHOULD notify the Applicant accordingly. From d1ac08f585624f9a247527892aa2e4165fb263e7 Mon Sep 17 00:00:00 2001 From: Christophe Bonjean Date: Tue, 12 Dec 2023 11:23:59 +0100 Subject: [PATCH 04/17] formatting updates --- docs/EVG.md | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index 35f8e28f..0629b2bf 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
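Review bot: Deleting the blank lines in the 11.13 hunk of PATCH 03/17 folds the five definitional paragraphs onto item 1 as soft line breaks, so they render as one long paragraph together with item 1 rather than as separate paragraphs; if the goal is to keep them inside the list item without breaking the list, indent the continuation paragraphs by the width of the list marker and keep a blank line between them instead of removing the blank lines.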
@@ -1228,16 +1228,18 @@ A CA verifying an Applicant using information of the Applicant's Parent, Subsidi ii. the CA can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification. ## 11.13. Final Cross-Correlation and Due Diligence +The results of the verification processes and procedures outlined in these Guidelines are intended to be viewed both individually and as a group. -1. The results of the verification processes and procedures outlined in these Guidelines are intended to be viewed both individually and as a group. -Due Diligence is the process whereby a Validation Specialist reviews all information and documentation assembled in support of the EV Certificate application to confirm that each verification process and procedure performed, separately, meets the requirements of these Guidelines. -The CA MUST perform Due Diligence for each verification process and procedure where a decision is made by a Validation Specialist. Due Diligence is not required for automated processes and/or procedures, including Verification of Domain Name(s). -Cross Correlation is the process whereby a Validation Specialist reviews all information and documentation assembled in support of the EV Certificate application to confirm that all information and documentation relate to the same Subject and that there are no discrepancies between the verification elements as they relate to one another. +1. Due Diligence is the process whereby a Validation Specialist reviews all information and documentation assembled in support of the EV Certificate application to confirm that each verification process and procedure performed, separately, meets the requirements of these Guidelines. The CA MUST perform Due Diligence for each verification process and procedure where a decision is made by a Validation Specialist. 
Due Diligence is not required for automated processes and/or procedures, including Verification of Domain Name(s). + +2. Cross Correlation is the process whereby a Validation Specialist reviews all information and documentation assembled in support of the EV Certificate application to confirm that all information and documentation relate to the same Subject and that there are no discrepancies between the verification elements as they relate to one another. The CA MUST have a person not responsible for the collection of information perform this Cross Correlation. Verification of Domain Name(s) is out of scope of Cross Correlation. -Due Diligence and Cross Correlation can be performed by a single Validation Specialist, however the Validation Specialist MUST be independent of the information and documentation reviewed, (i.e. not involved in the processes and procedures performed). -2. The CA MUST obtain and document further explanation or clarification from the Applicant, Certificate Approver, Certificate Requester, Qualified Independent Information Sources, and/or other sources of information, as necessary, to resolve those discrepancies or details that require further explanation. -3. The CA MUST refrain from issuing an EV Certificate until the entire corpus of information and documentation assembled in support of the EV Certificate Request is such that issuance of the EV Certificate will not communicate factual information that the CA knows, or the exercise of due diligence should discover from the assembled information and documentation, to be inaccurate,. If satisfactory explanation and/or additional documentation are not received within a reasonable time, the CA MUST decline the EV Certificate Request and SHOULD notify the Applicant accordingly. -4. 
In the case where some or all of the documentation used to support the application is in a language other than the CA's normal operating language, the CA or its Affiliate MUST perform the requirements of this Final Cross-Correlation and Due Diligence section using employees under its control and having appropriate training, experience, and judgment in confirming organizational identification and authorization and fulfilling all qualification requirements contained in [Section 14.1](#141-trustworthiness-and-competence). When employees under the control of the CA do not possess the language skills necessary to perform the Final Cross-Correlation and Due Diligence a CA MAY: + +3. Due Diligence and Cross Correlation MAY be performed by a single Validation Specialist, however the Validation Specialist MUST be independent of the information and documentation reviewed, (i.e. not involved in the processes and procedures performed). + +4. The CA MUST obtain and document further explanation or clarification from the Applicant, Certificate Approver, Certificate Requester, Qualified Independent Information Sources, and/or other sources of information, as necessary, to resolve those discrepancies or details that require further explanation. +5. The CA MUST refrain from issuing an EV Certificate until the entire corpus of information and documentation assembled in support of the EV Certificate Request is such that issuance of the EV Certificate will not communicate factual information that the CA knows, or the exercise of due diligence should discover from the assembled information and documentation, to be inaccurate,. If satisfactory explanation and/or additional documentation are not received within a reasonable time, the CA MUST decline the EV Certificate Request and SHOULD notify the Applicant accordingly. +6. 
In the case where some or all of the documentation used to support the application is in a language other than the CA's normal operating language, the CA or its Affiliate MUST perform the requirements of this Final Cross-Correlation and Due Diligence section using employees under its control and having appropriate training, experience, and judgment in confirming organizational identification and authorization and fulfilling all qualification requirements contained in [Section 14.1](#141-trustworthiness-and-competence). When employees under the control of the CA do not possess the language skills necessary to perform the Final Cross-Correlation and Due Diligence a CA MAY: A. Rely on language translations of the relevant portions of the documentation, provided that the translations are received from a Translator; or B. When the CA has utilized the services of an RA, the CA MAY rely on the language skills of the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with [Section 11.13](#1113-final-cross-correlation-and-due-diligence), Subsections (1), (2) and (3). Notwithstanding the foregoing, prior to issuing the EV Certificate, the CA MUST review the work completed by the RA and determine that all requirements have been met; or From f58be889691657d11b2471d7c8c6f6023c7d931b Mon Sep 17 00:00:00 2001 From: Christophe Bonjean Date: Tue, 12 Dec 2023 11:24:47 +0100 Subject: [PATCH 05/17] formatting paragraph 7 --- docs/EVG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/EVG.md b/docs/EVG.md index 0629b2bf..865340ca 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
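Review bot: Renumbering the 11.13 items to 1 through 6 in PATCH 04/17 leaves the unchanged context line in sub-item B stale: "provided that the RA complies with [Section 11.13](#1113-final-cross-correlation-and-due-diligence), Subsections (1), (2) and (3)" previously pointed at the review, clarification and refrain-from-issuing obligations, but after this hunk items (1) to (3) are the Due Diligence definition, the Cross Correlation definition and the single-specialist rule, so an RA complying only with those would not be bound by items 4 and 5. Update the reference to the intended items. Also, new item 3 "MAY be performed by a single Validation Specialist, however the Validation Specialist MUST be independent of the information and documentation reviewed, (i.e. not involved in the processes and procedures performed)" has a comma splice before "however" and a stray comma before "(i.e."; "MAY be performed by a single Validation Specialist; however, that Validation Specialist MUST be independent of the information and documentation reviewed (i.e. not involved ...)" reads cleaner.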
@@ -1245,7 +1245,7 @@ The CA MUST have a person not responsible for the collection of information perf B. When the CA has utilized the services of an RA, the CA MAY rely on the language skills of the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with [Section 11.13](#1113-final-cross-correlation-and-due-diligence), Subsections (1), (2) and (3). Notwithstanding the foregoing, prior to issuing the EV Certificate, the CA MUST review the work completed by the RA and determine that all requirements have been met; or C. When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 17.5](#175-regular-self-audits) and [Section 17.6](#176-auditor-qualification). -In the case of EV Certificates to be issued in compliance with the requirements of [Section 14.2](#142-delegation-of-functions-to-registration-authorities-and-subcontractors), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. +7. In the case of EV Certificates to be issued in compliance with the requirements of [Section 14.2](#142-delegation-of-functions-to-registration-authorities-and-subcontractors), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. ## 11.14. Requirements for Re-use of Existing Documentation From 80da1e8bc0922612d2ecb1efa0d3bcb82bbe9d76 Mon Sep 17 00:00:00 2001 From: Christophe Bonjean Date: Tue, 12 Dec 2023 11:26:02 +0100 Subject: [PATCH 06/17] Updates to Section 11.14.3 --- docs/EVG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/EVG.md b/docs/EVG.md index 865340ca..1310c9ea 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
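Review bot: Numbering the Enterprise RA paragraph as item "7." in PATCH 05/17 assumes the ordered list survives the lettered sub-items A, B and C of item 6; in CommonMark a line starting with "A." is not a list marker, so A to C are plain paragraphs that end the list and "7." starts a new ordered list (renderers that honour start numbers will show 7, others will show 1). Check the rendered section and, if the numbering breaks, indent A to C under item 6 so that items 6 and 7 stay in one list.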
@@ -1283,7 +1283,8 @@ A CA may rely on a previously verified certificate request to issue a replacemen 2. The 398-day period set forth above SHALL begin to run on the date the information was collected by the CA. 3. The CA MAY reuse a previously submitted EV Certificate Request, Subscriber Agreement, or Terms of Use, including use of a single EV Certificate Request in support of multiple EV Certificates containing the same Subject to the extent permitted under [Section 11.9](#119-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests) and [Section 11.10](#1110-verification-of-approval-of-ev-certificate-request). -4. The CA MUST repeat the verification process required in these Guidelines for any information obtained outside the time limits specified above except when permitted otherwise under [Section 11.14.1](#11141-validation-for-existing-subscribers). +4. The CA MAY rely on previously performed due-diligence and cross-correlation checks in support of multiple EV Certificate applications containing the same Subject, under the condition that an authorized Contract Signer has signed the Subscriber Agreement, and the individual Certificate Request is requested or approved by an authorized Certificate Approver. +5. The CA MUST repeat the verification process required in these Guidelines for any information obtained outside the time limits specified above except when permitted otherwise under [Section 11.14.1](#11141-validation-for-existing-subscribers). # 12. Certificate Issuance by a Root CA From b36e0e4b68ad7fd0e8938b3f4ebb2636e0210668 Mon Sep 17 00:00:00 2001 From: Christophe Bonjean Date: Tue, 12 Dec 2023 11:27:00 +0100 Subject: [PATCH 07/17] Capitalized terms --- docs/EVG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/EVG.md b/docs/EVG.md index 1310c9ea..201bbd85 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
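Review bot: New item 4 in the 11.14.3 hunk of PATCH 06/17 lets the CA rely on previously performed due-diligence and cross-correlation checks for multiple applications with the same Subject, but unlike items 1 to 3 it states no time bound: it does not tie the reused checks to the 398-day period of items 1 and 2, and renumbered item 5 ("any information obtained outside the time limits specified above") covers information, not the checks themselves. State explicitly that the reused checks must have been completed within the 398-day period. Minor: "due-diligence and cross-correlation" should use the capitalised defined terms from 11.13, which the next commit does; the two commits could be squashed.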
@@ -1283,7 +1283,7 @@ A CA may rely on a previously verified certificate request to issue a replacemen 2. The 398-day period set forth above SHALL begin to run on the date the information was collected by the CA. 3. The CA MAY reuse a previously submitted EV Certificate Request, Subscriber Agreement, or Terms of Use, including use of a single EV Certificate Request in support of multiple EV Certificates containing the same Subject to the extent permitted under [Section 11.9](#119-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests) and [Section 11.10](#1110-verification-of-approval-of-ev-certificate-request). -4. The CA MAY rely on previously performed due-diligence and cross-correlation checks in support of multiple EV Certificate applications containing the same Subject, under the condition that an authorized Contract Signer has signed the Subscriber Agreement, and the individual Certificate Request is requested or approved by an authorized Certificate Approver. +4. The CA MAY rely on previously performed Due Diligence and Cross Correlation checks in support of multiple EV Certificate applications containing the same Subject, under the condition that an authorized Contract Signer has signed the Subscriber Agreement, and the individual Certificate Request is requested or approved by an authorized Certificate Approver. 5. The CA MUST repeat the verification process required in these Guidelines for any information obtained outside the time limits specified above except when permitted otherwise under [Section 11.14.1](#11141-validation-for-existing-subscribers). # 12. Certificate Issuance by a Root CA From cf66444f2edf83da2e0f003ebbe40a139b6173e7 Mon Sep 17 00:00:00 2001 From: Christophe Bonjean Date: Tue, 12 Dec 2023 11:38:56 +0100 Subject: [PATCH 08/17] Updates to Section 14.1.3 --- docs/EVG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/EVG.md b/docs/EVG.md index 201bbd85..9cc25bfb 100644 --- a/docs/EVG.md 
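Review bot: Capitalising the defined terms in PATCH 07/17 is right, but the hunk writes "Cross Correlation" without a hyphen while the section heading it relies on is "Final Cross-Correlation and Due Diligence" and its anchor is "#1113-final-cross-correlation-and-due-diligence"; pick one spelling (the hyphenated form matches the heading) and apply it in 11.13 and 14.1.3 as well so that searches and cross-references match.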
+++ b/docs/EVG.md @@ -1328,7 +1328,7 @@ The requirements in Section 5.3.3 of the Baseline Requirements apply equally to ### 14.1.3. Separation of Duties -1. The CA MUST enforce rigorous control procedures for the separation of validation duties to ensure that no one person can single-handedly validate and authorize the issuance of an EV Certificate. The Final Cross-Correlation and Due Diligence steps, as outlined in [Section 11.13](#1113-final-cross-correlation-and-due-diligence), MAY be performed by one of the persons. For example, one Validation Specialist MAY review and verify all the Applicant information and a second Validation Specialist MAY approve issuance of the EV Certificate. +1. The CA MUST enforce rigorous control procedures for the separation of validation duties to ensure that no one Validation Specialist can single-handedly complete all verification processes and procedures. Due Diligence and Cross Correlation MAY be performed by a single Validation Specialist, however the Validation Specialist MUST be independent of the information and documentation reviewed, (i.e. not involved in the processes and procedures performed). For example, one Validation Specialist collects all Applicant information and a second Validation Specialist performs Due Diligence and Cross Correlation. 2. Such controls MUST be auditable. ## 14.2. Delegation of Functions to Registration Authorities and Subcontractors From 016b3c658a747a7bb38c48d4bc5840f8155393c6 Mon Sep 17 00:00:00 2001 From: Christophe Bonjean Date: Tue, 12 Dec 2023 16:21:32 +0100 Subject: [PATCH 09/17] Removed first sentence from 11.13 since it's replaced with the definitions in items 1 and 2 --- docs/EVG.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index 9cc25bfb..323f02d2 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
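Review bot: The rewritten item 1 in the 14.1.3 hunk of PATCH 08/17 narrows the separation-of-duties guarantee: the old text ensured no one person could "validate and authorize the issuance", which put a second person on the issuance decision, whereas the new text only ensures no single Validation Specialist completes "all verification processes and procedures", and the new example (one collects, one reviews) places nobody on the approval step. Together with PATCH 01/17, which removed the two-trusted-persons requirement from Section 16, this series leaves no visible requirement for a second person at issuance; confirm that is intended. Also, the sentence "Due Diligence and Cross Correlation MAY be performed by a single Validation Specialist, however the Validation Specialist MUST be independent ..." now appears verbatim in both 11.13(3) and 14.1.3(1); a cross-reference from one to the other avoids the two copies drifting apart.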
@@ -1228,8 +1228,6 @@ A CA verifying an Applicant using information of the Applicant's Parent, Subsidi ii. the CA can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification. ## 11.13. Final Cross-Correlation and Due Diligence -The results of the verification processes and procedures outlined in these Guidelines are intended to be viewed both individually and as a group. - 1. Due Diligence is the process whereby a Validation Specialist reviews all information and documentation assembled in support of the EV Certificate application to confirm that each verification process and procedure performed, separately, meets the requirements of these Guidelines. The CA MUST perform Due Diligence for each verification process and procedure where a decision is made by a Validation Specialist. Due Diligence is not required for automated processes and/or procedures, including Verification of Domain Name(s). 2. Cross Correlation is the process whereby a Validation Specialist reviews all information and documentation assembled in support of the EV Certificate application to confirm that all information and documentation relate to the same Subject and that there are no discrepancies between the verification elements as they relate to one another. From b9cacbc14f420aa5e64f56388cfbfb1feb3080dc Mon Sep 17 00:00:00 2001 From: Christophe Bonjean Date: Tue, 23 Jan 2024 16:05:51 +0100 Subject: [PATCH 10/17] Various updates based on last validation WG meeting --- docs/EVG.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index 323f02d2..201e985c 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
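Review bot: Deleting "intended to be viewed both individually and as a group" in PATCH 09/17 drops the only sentence stating that the verification results must be considered together, which is the rationale for Cross Correlation; the definitions in items 1 and 2 describe the checks but do not carry that requirement, so consider keeping the "as a group" notion in item 2. Also, after the two deletions the heading "## 11.13. Final Cross-Correlation and Due Diligence" is followed directly by "1. Due Diligence ..." with no blank line; most renderers accept this, but check it matches the file's spacing convention.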
@@ -1228,22 +1228,23 @@ A CA verifying an Applicant using information of the Applicant's Parent, Subsidi ii. the CA can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification. ## 11.13. Final Cross-Correlation and Due Diligence -1. Due Diligence is the process whereby a Validation Specialist reviews all information and documentation assembled in support of the EV Certificate application to confirm that each verification process and procedure performed, separately, meets the requirements of these Guidelines. The CA MUST perform Due Diligence for each verification process and procedure where a decision is made by a Validation Specialist. Due Diligence is not required for automated processes and/or procedures, including Verification of Domain Name(s). +1. The CA MUST perform Due Diligence and Cross-Correlation for each verification process and procedure where a decision is made by a Validation Specialist. Verification of Domain Name(s), if performed in an automated manner, is out of scope of Due Diligence and Cross-Correlation. -2. Cross Correlation is the process whereby a Validation Specialist reviews all information and documentation assembled in support of the EV Certificate application to confirm that all information and documentation relate to the same Subject and that there are no discrepancies between the verification elements as they relate to one another. -The CA MUST have a person not responsible for the collection of information perform this Cross Correlation. Verification of Domain Name(s) is out of scope of Cross Correlation. +2. Due Diligence is the process of confirming that each verification process and procedure performed, separately, meets the requirements of these Guidelines. -3. 
Due Diligence and Cross Correlation MAY be performed by a single Validation Specialist, however the Validation Specialist MUST be independent of the information and documentation reviewed, (i.e. not involved in the processes and procedures performed). +3. Cross-Correlation is the process of confirming that all Subject information and documentation assembled as part of the verification process relates to the same Subject and that there are no discrepancies between the verification elements as they relate to one another. -4. The CA MUST obtain and document further explanation or clarification from the Applicant, Certificate Approver, Certificate Requester, Qualified Independent Information Sources, and/or other sources of information, as necessary, to resolve those discrepancies or details that require further explanation. -5. The CA MUST refrain from issuing an EV Certificate until the entire corpus of information and documentation assembled in support of the EV Certificate Request is such that issuance of the EV Certificate will not communicate factual information that the CA knows, or the exercise of due diligence should discover from the assembled information and documentation, to be inaccurate,. If satisfactory explanation and/or additional documentation are not received within a reasonable time, the CA MUST decline the EV Certificate Request and SHOULD notify the Applicant accordingly. -6. In the case where some or all of the documentation used to support the application is in a language other than the CA's normal operating language, the CA or its Affiliate MUST perform the requirements of this Final Cross-Correlation and Due Diligence section using employees under its control and having appropriate training, experience, and judgment in confirming organizational identification and authorization and fulfilling all qualification requirements contained in [Section 14.1](#141-trustworthiness-and-competence). 
When employees under the control of the CA do not possess the language skills necessary to perform the Final Cross-Correlation and Due Diligence a CA MAY: +4. Due Diligence and Cross-Correlation MUST be performed by a Validation Specialist that was not involved in the processes and procedures for assembling the information and documentation. Due Diligence and Cross-Correlation MAY be performed as two actions together by a single individual. + +5. The CA MUST obtain and document further explanation or clarification from the Applicant, Certificate Approver, Certificate Requester, Qualified Independent Information Sources, and/or other sources of information, as necessary, to resolve those discrepancies or details that require further explanation. +6. The CA MUST refrain from issuing an EV Certificate until the entire corpus of information and documentation assembled in support of the EV Certificate Request is such that issuance of the EV Certificate will not communicate factual information that the CA knows, or the exercise of Due Diligence should discover from the assembled information and documentation, to be inaccurate,. If satisfactory explanation and/or additional documentation are not received within a reasonable time, the CA MUST decline the EV Certificate Request and SHOULD notify the Applicant accordingly. +7. In the case where some or all of the documentation used to support the application is in a language other than the CA's normal operating language, the CA or its Affiliate MUST perform the requirements of this Final Cross-Correlation and Due Diligence section using employees under its control and having appropriate training, experience, and judgment in confirming organizational identification and authorization and fulfilling all qualification requirements contained in [Section 14.1](#141-trustworthiness-and-competence). 
When employees under the control of the CA do not possess the language skills necessary to perform the Final Cross-Correlation and Due Diligence a CA MAY: A. Rely on language translations of the relevant portions of the documentation, provided that the translations are received from a Translator; or B. When the CA has utilized the services of an RA, the CA MAY rely on the language skills of the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with [Section 11.13](#1113-final-cross-correlation-and-due-diligence), Subsections (1), (2) and (3). Notwithstanding the foregoing, prior to issuing the EV Certificate, the CA MUST review the work completed by the RA and determine that all requirements have been met; or C. When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 17.5](#175-regular-self-audits) and [Section 17.6](#176-auditor-qualification). -7. In the case of EV Certificates to be issued in compliance with the requirements of [Section 14.2](#142-delegation-of-functions-to-registration-authorities-and-subcontractors), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. +8. In the case of EV Certificates to be issued in compliance with the requirements of [Section 14.2](#142-delegation-of-functions-to-registration-authorities-and-subcontractors), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. ## 11.14. Requirements for Re-use of Existing Documentation 
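Review bot: The renumbering to items 1 through 8 in the 11.13 hunk of PATCH 10/17 again leaves sub-item B's unchanged reference "Subsections (1), (2) and (3)" stale: items 1 to 3 are now the scope statement and the two definitions, so an RA complying only with those would not be bound by the independence rule in item 4 or the clarification and refrain-from-issuing duties in items 5 and 6; update the reference. Two further points on new item 4: it requires a Validation Specialist "not involved in the processes and procedures for assembling the information and documentation", which is narrower than the 14.1.3 text in this same commit ("MUST not be involved in the processes and procedures performed"); a specialist who made a verification decision without assembling documents would satisfy 11.13(4) but not 14.1.3, so the two should be aligned. And "MAY be performed as two actions together by a single individual" should say "a single Validation Specialist", otherwise the second sentence loosens the qualification the first sentence imposes.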
@@ -1281,8 +1282,7 @@ A CA may rely on a previously verified certificate request to issue a replacemen 2. The 398-day period set forth above SHALL begin to run on the date the information was collected by the CA. 3. The CA MAY reuse a previously submitted EV Certificate Request, Subscriber Agreement, or Terms of Use, including use of a single EV Certificate Request in support of multiple EV Certificates containing the same Subject to the extent permitted under [Section 11.9](#119-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests) and [Section 11.10](#1110-verification-of-approval-of-ev-certificate-request). -4. The CA MAY rely on previously performed Due Diligence and Cross Correlation checks in support of multiple EV Certificate applications containing the same Subject, under the condition that an authorized Contract Signer has signed the Subscriber Agreement, and the individual Certificate Request is requested or approved by an authorized Certificate Approver. -5. The CA MUST repeat the verification process required in these Guidelines for any information obtained outside the time limits specified above except when permitted otherwise under [Section 11.14.1](#11141-validation-for-existing-subscribers). +4. The CA MUST repeat the verification process required in these Guidelines for any information obtained outside the time limits specified above except when permitted otherwise under [Section 11.14.1](#11141-validation-for-existing-subscribers). # 12. Certificate Issuance by a Root CA 
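Review bot: The deleted item 4 ("The CA MAY rely on previously performed Due Diligence and Cross Correlation checks in support of multiple EV Certificate applications containing the same Subject ...") is the only allowance in this list for reusing those checks, and neither the hunk nor the commit subject ("Updates to section 11.13") records why it is removed or where the allowance now lives; state the rationale in the commit message, or keep the item until replacement wording is in place. Renumbering 5 to 4 also calls for a check that no other section cites 11.14 by item number.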
@@ -1326,7 +1326,7 @@ The requirements in Section 5.3.3 of the Baseline Requirements apply equally to ### 14.1.3. Separation of Duties -1. The CA MUST enforce rigorous control procedures for the separation of validation duties to ensure that no one Validation Specialist can single-handedly complete all verification processes and procedures. Due Diligence and Cross Correlation MAY be performed by a single Validation Specialist, however the Validation Specialist MUST be independent of the information and documentation reviewed, (i.e. not involved in the processes and procedures performed). For example, one Validation Specialist collects all Applicant information and a second Validation Specialist performs Due Diligence and Cross Correlation. +1. The CA MUST enforce rigorous control procedures for the separation of validation duties to ensure that no one Validation Specialist can single-handedly complete all verification processes and procedures. Due Diligence and Cross-Correlation MAY be performed by a single Validation Specialist, however the Validation Specialist MUST not be involved in the processes and procedures performed. For example, one Validation Specialist collects all Applicant information and a second Validation Specialist performs Due Diligence and Cross-Correlation. 2. Such controls MUST be auditable. ## 14.2. Delegation of Functions to Registration Authorities and Subcontractors From 27b064a9eedce49aead4e6593a620979bfbfd011 Mon Sep 17 00:00:00 2001 From: Christophe Bonjean Date: Tue, 23 Jan 2024 16:10:55 +0100 Subject: [PATCH 11/17] Clarified due diligence and cross correlation difference for domain validation --- docs/EVG.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index 201e985c..cc5f5fff 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
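Review bot: In the replacement line of the 14.1.3 hunk, "MUST not be involved in the processes and procedures performed" drops the explicit independence statement of the old text ("MUST be independent of the information and documentation reviewed") and leaves "performed" without saying performed by whom or on what; suggest "MUST NOT have been involved in the processes and procedures under review". The key word should also be upper-case "MUST NOT" to match the "MUST"/"MAY" convention used in the same sentence.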
@@ -1228,11 +1228,11 @@ A CA verifying an Applicant using information of the Applicant's Parent, Subsidi ii. the CA can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification. ## 11.13. Final Cross-Correlation and Due Diligence -1. The CA MUST perform Due Diligence and Cross-Correlation for each verification process and procedure where a decision is made by a Validation Specialist. Verification of Domain Name(s), if performed in an automated manner, is out of scope of Due Diligence and Cross-Correlation. +1. The CA MUST perform Due Diligence and Cross-Correlation for each verification process and procedure where a decision is made by a Validation Specialist. -2. Due Diligence is the process of confirming that each verification process and procedure performed, separately, meets the requirements of these Guidelines. +2. Due Diligence is the process of confirming that each verification process and procedure performed, separately, meets the requirements of these Guidelines. Verification of Domain Name(s), if performed in an automated manner, is out of scope of Due Diligence. -3. Cross-Correlation is the process of confirming that all Subject information and documentation assembled as part of the verification process relates to the same Subject and that there are no discrepancies between the verification elements as they relate to one another. +3. Cross-Correlation is the process of confirming that all Subject information and documentation assembled as part of the verification process relates to the same Subject and that there are no discrepancies between the verification elements as they relate to one another. Verification of Domain Name(s) is out of scope of Cross-Correlation. 4. Due Diligence and Cross-Correlation MUST be performed by a Validation Specialist that was not involved in the processes and procedures for assembling the information and documentation. 
Due Diligence and Cross-Correlation MAY be performed as two actions together by a single individual. From 11ad0725fb60f948f2a72ff75f8c671b9a2b8880 Mon Sep 17 00:00:00 2001 From: Christophe Bonjean Date: Tue, 23 Jan 2024 17:08:21 +0100 Subject: [PATCH 12/17] Removed Enterprise RA language and updated 11.14 --- docs/EVG.md | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index cc5f5fff..fa04b0b6 100644 --- a/docs/EVG.md +++ b/docs/EVG.md @@ -1066,7 +1066,7 @@ Acceptable methods of authenticating the signature of the Certificate Requester ### 11.10.1. Verification Requirements -In cases where an EV Certificate Request is submitted by a Certificate Requester, before the CA issues the requested EV Certificate, the CA MUST verify that an authorized Certificate Approver reviewed and approved the EV Certificate Request. +In cases where an EV Certificate Request is submitted by a Certificate Requester, before the CA issues the requested EV Certificate, the CA MUST ensure that an authorized Certificate Approver reviewed and approved the EV Certificate Request. ### 11.10.2. Acceptable Methods of Verification 
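Review bot: In the 11.13 hunk of PATCH 11, item 1 still requires Due Diligence and Cross-Correlation "for each verification process and procedure where a decision is made by a Validation Specialist", while the sentence moved into item 3 excludes Verification of Domain Name(s) from Cross-Correlation even when a Validation Specialist made that decision (item 2 excludes only automated domain validation from Due Diligence). Point item 1 at the exceptions ("except as set out in (2) and (3)") so the two statements do not read as contradictory, and consider keeping the definitions in items 2 and 3 separate from the scope carve-outs, which are requirements rather than definitions.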
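Review bot: In the 11.10.1 hunk of PATCH 12, changing "MUST verify that an authorized Certificate Approver reviewed and approved" to "MUST ensure that" loosens an auditable obligation: the subsection is still headed "Verification Requirements" and the next subsection is "Acceptable Methods of Verification", so it is no longer clear whether "ensure" has to be met by one of those methods or by any means the CA chooses. Either keep "verify" or add "using one of the methods in Section 11.10.2" so the requirement stays testable in an audit.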
@@ -1244,12 +1244,12 @@ A CA verifying an Applicant using information of the Applicant's Parent, Subsidi B. When the CA has utilized the services of an RA, the CA MAY rely on the language skills of the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with [Section 11.13](#1113-final-cross-correlation-and-due-diligence), Subsections (1), (2) and (3). Notwithstanding the foregoing, prior to issuing the EV Certificate, the CA MUST review the work completed by the RA and determine that all requirements have been met; or C. When the CA has utilized the services of an RA, the CA MAY rely on the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with this section and is subjected to the Audit Requirements of [Section 17.5](#175-regular-self-audits) and [Section 17.6](#176-auditor-qualification). -8. In the case of EV Certificates to be issued in compliance with the requirements of [Section 14.2](#142-delegation-of-functions-to-registration-authorities-and-subcontractors), the Enterprise RA MAY perform the requirements of this Final Cross-Correlation and Due Diligence section. - ## 11.14. Requirements for Re-use of Existing Documentation For each EV Certificate Request, including requests to renew existing EV Certificates, the CA MUST perform all authentication and verification tasks required by these Guidelines to ensure that the request is properly authorized by the Applicant and that the information in the EV Certificate is still accurate and valid. This section sets forth the age limitations on for the use of documentation collected by the CA. +The CA MAY reuse a previously submitted EV Certificate Request, Subscriber Agreement, or Terms of Use, including use of a single EV Certificate Request in support of multiple EV Certificates containing the same Subject to the extent permitted under Section 11.9 and Section 11.10. + ### 11.14.1. 
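Review bot: The paragraph added to the 11.14 preamble ("... to the extent permitted under Section 11.9 and Section 11.10") drops the markdown anchor links that the same sentence carried as list item 3 in the next hunk ([Section 11.9](#119-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests) and [Section 11.10](#1110-verification-of-approval-of-ev-certificate-request)); restore them so the moved text keeps the file's linking convention. The unchanged preamble sentence "age limitations on for the use" still carries a stray "on" that could be fixed while this paragraph is being touched.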
Validation For Existing Subscribers If an Applicant has a currently valid EV Certificate issued by the CA, a CA MAY rely on its prior authentication and verification of: @@ -1281,8 +1281,7 @@ A CA may rely on a previously verified certificate request to issue a replacemen G. Name, Title, Agency, and Authority – 398 days, unless a contract between the CA and the Applicant specifies a different term, in which case, the term specified in such contract controls. For example, the contract MAY include the perpetual assignment of EV roles until revoked by the Applicant or CA, or until the contract expires or is terminated. 2. The 398-day period set forth above SHALL begin to run on the date the information was collected by the CA. -3. The CA MAY reuse a previously submitted EV Certificate Request, Subscriber Agreement, or Terms of Use, including use of a single EV Certificate Request in support of multiple EV Certificates containing the same Subject to the extent permitted under [Section 11.9](#119-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests) and [Section 11.10](#1110-verification-of-approval-of-ev-certificate-request). -4. The CA MUST repeat the verification process required in these Guidelines for any information obtained outside the time limits specified above except when permitted otherwise under [Section 11.14.1](#11141-validation-for-existing-subscribers). +3. The CA MUST repeat the verification process required in these Guidelines for any information obtained outside the time limits specified above except when permitted otherwise under [Section 11.14.1](#11141-validation-for-existing-subscribers). # 12. Certificate Issuance by a Root CA 
@@ -1342,9 +1341,8 @@ The CA SHALL verify that the Delegated Third Party's personnel involved in the i The CA MAY contractually authorize a Subscriber to perform the RA function and authorize the CA to issue additional EV Certificates. In such case, the Subscriber SHALL be considered an Enterprise RA, and the following requirements SHALL apply: -1. In all cases, the Subscriber MUST be an organization verified by the CA in accordance with these Guidelines; -2. The CA MUST impose these limitations as a contractual requirement with the Enterprise RA and monitor compliance by the Enterprise RA; and -3. The Final Cross-Correlation and Due Diligence requirements of [Section 11.13](#1113-final-cross-correlation-and-due-diligence) MAY be performed by a single person representing the Enterprise RA. +1. In all cases, the Subscriber MUST be an organization verified by the CA in accordance with these Guidelines; and +2. The CA MUST impose these limitations as a contractual requirement with the Enterprise RA and monitor compliance by the Enterprise RA. Enterprise RAs that authorize the issuance of EV Certificates solely for its own organization are exempted from the audit requirements of [Section 17.1](#171-eligible-audit-schemes). In all other cases, the requirements of [Section 17.1](#171-eligible-audit-schemes) SHALL apply. From f0de246e48d753842ab45aa25e36fcd8912948e3 Mon Sep 17 00:00:00 2001 From: Christophe Bonjean Date: Wed, 24 Jan 2024 12:51:37 +0100 Subject: [PATCH 13/17] Update to scope of cross correlation and due diligence, rewrote performs to ensure --- docs/EVG.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index fa04b0b6..cba8ed16 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
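Review bot: Deleting item 3 ("The Final Cross-Correlation and Due Diligence requirements of Section 11.13 MAY be performed by a single person representing the Enterprise RA") is a substantive change, not only removal of language: an Enterprise RA is now held to the separation requirement of Section 11.13 (a Validation Specialist not involved in assembling the information), which a one-person Subscriber RA cannot satisfy. The commit message should say that this tightening is intended and, if the Enterprise RA is expected to hand Due Diligence and Cross-Correlation back to the CA, 14.2 should state that. Nit in the unchanged line below: "Enterprise RAs that authorize ... for its own organization" mixes plural and singular.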
@@ -1042,7 +1042,7 @@ Such an agreement MUST provide that the Applicant shall be obligated under the S ## 11.9. Verification of Signature on Subscriber Agreement and EV Certificate Requests -Both the Subscriber Agreement and each non-pre-authorized EV Certificate Request MUST be signed. The Subscriber Agreement MUST be signed by an authorized Contract Signer. The EV Certificate Request MUST be signed by the Certificate Requester submitting the document, unless the Certificate Request has been pre-authorized in line with [Section 11.8.4](#1184-pre-authorized-certificate-approver). If the Certificate Requester is not also an authorized Certificate Approver, then an authorized Certificate Approver MUST independently approve the EV Certificate Request. In all cases, applicable signatures MUST be a legally valid and contain an enforceable seal or handwritten signature (for a paper Subscriber Agreement and/or EV Certificate Request), or a legally valid and enforceable electronic signature (for an electronic Subscriber Agreement and/or EV Certificate Request), that binds the Applicant to the terms of each respective document. +Both the Subscriber Agreement and each non-pre-authorized EV Certificate Request MUST be signed. The Subscriber Agreement MUST be signed by an authorized Contract Signer. The EV Certificate Request MUST be signed by the Certificate Requester submitting the document, unless the Certificate Request has been approved by a Certificate Approver pre-authorized in line with [Section 11.8.4](#1184-pre-authorized-certificate-approver). If the Certificate Requester is not also an authorized Certificate Approver, then an authorized Certificate Approver MUST independently approve the EV Certificate Request. 
In all cases, applicable signatures MUST be a legally valid and contain an enforceable seal or handwritten signature (for a paper Subscriber Agreement and/or EV Certificate Request), or a legally valid and enforceable electronic signature (for an electronic Subscriber Agreement and/or EV Certificate Request), that binds the Applicant to the terms of each respective document. ### 11.9.1. Verification Requirements 
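Review bot: The first sentence of the replacement paragraph in the 11.9 hunk still speaks of "each non-pre-authorized EV Certificate Request", but the exception it introduces no longer concerns pre-authorized requests: it now reads "unless the Certificate Request has been approved by a Certificate Approver pre-authorized in line with Section 11.8.4". Align the opening sentence with the new wording (for example "each EV Certificate Request not approved by a pre-authorized Certificate Approver") so the two do not describe different things. The retained sentence "applicable signatures MUST be a legally valid and contain an enforceable seal" should read "MUST be legally valid and contain".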
@@ -1228,11 +1228,11 @@ A CA verifying an Applicant using information of the Applicant's Parent, Subsidi ii. the CA can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification. ## 11.13. Final Cross-Correlation and Due Diligence -1. The CA MUST perform Due Diligence and Cross-Correlation for each verification process and procedure where a decision is made by a Validation Specialist. +1. The CA MUST ensure that all information and documentation assembled as part of the verification processes and procedures has undergone Due Diligence and Cross-Correlation prior to issuance of the Certificate. 2. Due Diligence is the process of confirming that each verification process and procedure performed, separately, meets the requirements of these Guidelines. Verification of Domain Name(s), if performed in an automated manner, is out of scope of Due Diligence. -3. Cross-Correlation is the process of confirming that all Subject information and documentation assembled as part of the verification process relates to the same Subject and that there are no discrepancies between the verification elements as they relate to one another. Verification of Domain Name(s) is out of scope of Cross-Correlation. +3. Cross-Correlation is the process of confirming that all Subject information and documentation assembled as part of the verification processes and procedures relates to the same Subject and that there are no discrepancies between the verification elements as they relate to one another. Verification of Domain Name(s) is out of scope of Cross-Correlation. 4. Due Diligence and Cross-Correlation MUST be performed by a Validation Specialist that was not involved in the processes and procedures for assembling the information and documentation. Due Diligence and Cross-Correlation MAY be performed as two actions together by a single individual. 
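Review bot: Replacing "MUST perform Due Diligence and Cross-Correlation for each verification process and procedure where a decision is made by a Validation Specialist" with "MUST ensure that all information and documentation ... has undergone Due Diligence and Cross-Correlation prior to issuance" removes the only statement of who performs the checks and of the human-decision trigger; the remaining scoping is just the domain-validation carve-outs in items 2 and 3. If the intent is to allow the CA to rely on an RA performing the checks (the RA clauses B and C under the language requirement of this section), say so here; otherwise keep "perform". Also "issuance of the Certificate" should be "issuance of the EV Certificate", the term used throughout the section.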
@@ -1246,7 +1246,7 @@ A CA verifying an Applicant using information of the Applicant's Parent, Subsidi ## 11.14. Requirements for Re-use of Existing Documentation -For each EV Certificate Request, including requests to renew existing EV Certificates, the CA MUST perform all authentication and verification tasks required by these Guidelines to ensure that the request is properly authorized by the Applicant and that the information in the EV Certificate is still accurate and valid. This section sets forth the age limitations on for the use of documentation collected by the CA. +For each EV Certificate Request, including requests to renew existing EV Certificates, the CA MUST ensure all authentication and verification tasks required by these Guidelines have been completed, to ensure that the request is properly authorized by the Applicant and that the information in the EV Certificate is still accurate and valid. This section sets forth the conditions on the re-use of documentation collected by the CA. The CA MAY reuse a previously submitted EV Certificate Request, Subscriber Agreement, or Terms of Use, including use of a single EV Certificate Request in support of multiple EV Certificates containing the same Subject to the extent permitted under Section 11.9 and Section 11.10. From f1681c36c12c63257839e80b095e02b5775a59e1 Mon Sep 17 00:00:00 2001 From: Christophe Bonjean Date: Wed, 24 Jan 2024 16:46:04 +0100 Subject: [PATCH 14/17] Added clause for relying on previously performed Due Diligence and Cross Correlation --- docs/EVG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/EVG.md b/docs/EVG.md index cba8ed16..31ddad37 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
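Review bot: The replacement sentence in the 11.14 hunk of PATCH 13 reads "the CA MUST ensure all authentication and verification tasks ... have been completed, to ensure that the request is properly authorized", doubling "ensure"; suggest "... have been completed, so that the request is properly authorized ...". The rewrite of the last sentence to "the conditions on the re-use of documentation" reads well and removes the earlier "on for the use" typo.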
@@ -1248,6 +1248,13 @@ A CA verifying an Applicant using information of the Applicant's Parent, Subsidi For each EV Certificate Request, including requests to renew existing EV Certificates, the CA MUST ensure all authentication and verification tasks required by these Guidelines have been completed, to ensure that the request is properly authorized by the Applicant and that the information in the EV Certificate is still accurate and valid. This section sets forth the conditions on the re-use of documentation collected by the CA. +The CA MAY rely on previously performed Due Diligence and Cross Correlation for the an Applicant to support multiple EV Certificate Requests for that Subscriber, on the conditions that: +1. the data used to support issuance of an EV Certificate meets the Age of Validated Data requirement as set forth in 11.14.3; +2. a Pre‑Authorized Certificate Approver, pre-Authorized in line with 11.8.4 reviewed and approved the EV Certificate Request by use of: + A. 11.10.2. option 2; + B. 11.9.2. option 3, in case the Pre‑Authorized Certificate Approver also acts in the capacity of a Certificate Requester + + The CA MAY reuse a previously submitted EV Certificate Request, Subscriber Agreement, or Terms of Use, including use of a single EV Certificate Request in support of multiple EV Certificates containing the same Subject to the extent permitted under Section 11.9 and Section 11.10. ### 11.14.1. Validation For Existing Subscribers From 8b4a4df43a99cd23449fcc7bf5823ca917bf02c5 Mon Sep 17 00:00:00 2001 From: Christophe Bonjean Date: Tue, 19 Mar 2024 11:25:05 +0100 Subject: [PATCH 15/17] Updates based on F2F feedback: link to certificate issuance, removal of definitions, clarification of applicable sections, use of terminology --- docs/EVG.md | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index 31ddad37..f75f75f8 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
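Review bot: The new reliance clause carries several wording and formatting defects that will reach the published text: "for the an Applicant" (stray "the"); the same sentence switches from "Applicant" to "that Subscriber"; "Pre‑Authorized" uses a non-ASCII hyphen (U+2011) while "pre-Authorized" two words later uses an ASCII hyphen and different capitalisation; and sub-items 2.A and 2.B have no connective, so a reader cannot tell whether one or both methods are required. Please also use the file's link style for 11.14.3, 11.8.4, 11.10.2 and 11.9.2 instead of bare numbers, and end 2.B with a period.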
@@ -1228,17 +1228,19 @@ A CA verifying an Applicant using information of the Applicant's Parent, Subsidi ii. the CA can reliably verify that the certification was validly signed by such person, and that such person does have the requisite authority to provide such certification. ## 11.13. Final Cross-Correlation and Due Diligence -1. The CA MUST ensure that all information and documentation assembled as part of the verification processes and procedures has undergone Due Diligence and Cross-Correlation prior to issuance of the Certificate. +1.Prior to issuance, the CA MUST ensure that it has followed the requirements of these Guidelines and that all information and documentation assembled as part of the verification processes and procedures supports the issuance of a certificate with the information specified in the certificate request by performing due diligence and cross-correlation checks. -2. Due Diligence is the process of confirming that each verification process and procedure performed, separately, meets the requirements of these Guidelines. Verification of Domain Name(s), if performed in an automated manner, is out of scope of Due Diligence. +A. The CA confirms that each verification process and procedure performed, separately, meets the requirements of these Guidelines by performing due diligence checks. The verification of the Applicant’s Domain Name, verified in accordance with Section 11.7, if performed in an automated manner, is out of scope of the due diligence checks. -3. Cross-Correlation is the process of confirming that all Subject information and documentation assembled as part of the verification processes and procedures relates to the same Subject and that there are no discrepancies between the verification elements as they relate to one another. Verification of Domain Name(s) is out of scope of Cross-Correlation. +B. 
As part of the cross-correlation checks, the CA confirms that all Subject information and documentation assembled as part of the verification processes and procedures relates to the same Subject and that there are no discrepancies between the verification elements as they relate to one another. The verification of the Applicant’s Domain Name, verified in accordance with Section 11.7, is out of scope of the cross-correlation checks. -4. Due Diligence and Cross-Correlation MUST be performed by a Validation Specialist that was not involved in the processes and procedures for assembling the information and documentation. Due Diligence and Cross-Correlation MAY be performed as two actions together by a single individual. +2. Due diligence and cross-correlation checks MUST be performed by a Validation Specialist that was not involved in the processes and procedures for assembling the information and documentation. Due diligence and cross-correlation checks MAY be performed as two actions together by a single individual. -5. The CA MUST obtain and document further explanation or clarification from the Applicant, Certificate Approver, Certificate Requester, Qualified Independent Information Sources, and/or other sources of information, as necessary, to resolve those discrepancies or details that require further explanation. -6. The CA MUST refrain from issuing an EV Certificate until the entire corpus of information and documentation assembled in support of the EV Certificate Request is such that issuance of the EV Certificate will not communicate factual information that the CA knows, or the exercise of Due Diligence should discover from the assembled information and documentation, to be inaccurate,. If satisfactory explanation and/or additional documentation are not received within a reasonable time, the CA MUST decline the EV Certificate Request and SHOULD notify the Applicant accordingly. -7. 
In the case where some or all of the documentation used to support the application is in a language other than the CA's normal operating language, the CA or its Affiliate MUST perform the requirements of this Final Cross-Correlation and Due Diligence section using employees under its control and having appropriate training, experience, and judgment in confirming organizational identification and authorization and fulfilling all qualification requirements contained in [Section 14.1](#141-trustworthiness-and-competence). When employees under the control of the CA do not possess the language skills necessary to perform the Final Cross-Correlation and Due Diligence a CA MAY: +3. The CA MUST obtain and document further explanation or clarification from the Applicant, Certificate Approver, Certificate Requester, Qualified Independent Information Sources, and/or other sources of information, as necessary, to resolve those discrepancies or details that require further explanation. + +4. The CA MUST refrain from issuing an EV Certificate until the entire corpus of information and documentation assembled in support of the EV Certificate Request is such that issuance of the EV Certificate will not communicate factual information that the CA knows, or the exercise of Due Diligence should discover from the assembled information and documentation, to be inaccurate,. If satisfactory explanation and/or additional documentation are not received within a reasonable time, the CA MUST decline the EV Certificate Request and SHOULD notify the Applicant accordingly. + +5. 
In the case where some or all of the documentation used to support the application is in a language other than the CA's normal operating language, the CA or its Affiliate MUST perform the requirements of this Final Cross-Correlation and Due Diligence section using employees under its control and having appropriate training, experience, and judgment in confirming organizational identification and authorization and fulfilling all qualification requirements contained in [Section 14.1](#141-trustworthiness-and-competence). When employees under the control of the CA do not possess the language skills necessary to perform the Final Cross-Correlation and Due Diligence a CA MAY: A. Rely on language translations of the relevant portions of the documentation, provided that the translations are received from a Translator; or B. When the CA has utilized the services of an RA, the CA MAY rely on the language skills of the RA to perform the Final Cross-Correlation and Due Diligence, provided that the RA complies with [Section 11.13](#1113-final-cross-correlation-and-due-diligence), Subsections (1), (2) and (3). Notwithstanding the foregoing, prior to issuing the EV Certificate, the CA MUST review the work completed by the RA and determine that all requirements have been met; or 
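Review bot: "1.Prior to issuance" is missing the space after the list marker, so markdown will not render item 1 as a list item and the renumbered items 2 to 5 will start a fresh list; add the space. In the same hunk, sub-items A and B are not indented under item 1 and will render as separate paragraphs; item 4 still ends "to be inaccurate,."; and item 4 keeps capitalised "Due Diligence" while the rest of the hunk lowercases "due diligence", although the commit says terminology was harmonised. The unchanged clause B further down ("provided that the RA complies with Section 11.13, Subsections (1), (2) and (3)") now points at the check, separation and explanation items rather than the full set of requirements; update it to the new numbering.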
@@ -1248,13 +1250,14 @@ A CA verifying an Applicant using information of the Applicant's Parent, Subsidi For each EV Certificate Request, including requests to renew existing EV Certificates, the CA MUST ensure all authentication and verification tasks required by these Guidelines have been completed, to ensure that the request is properly authorized by the Applicant and that the information in the EV Certificate is still accurate and valid. This section sets forth the conditions on the re-use of documentation collected by the CA. -The CA MAY rely on previously performed Due Diligence and Cross Correlation for the an Applicant to support multiple EV Certificate Requests for that Subscriber, on the conditions that: +The CA MAY rely on previously performed due diligence and cross-correlation checks performed in accordance with Section 11.13 to support multiple EV Certificate Requests for the same Subscriber, on the conditions that: + 1. the data used to support issuance of an EV Certificate meets the Age of Validated Data requirement as set forth in 11.14.3; -2. a Pre‑Authorized Certificate Approver, pre-Authorized in line with 11.8.4 reviewed and approved the EV Certificate Request by use of: + +2. a Pre‑Authorized Certificate Approver, pre-Authorized in line with 11.8.4 reviewed and approved the EV Certificate Request by use of: A. 11.10.2. option 2; B. 11.9.2. option 3, in case the Pre‑Authorized Certificate Approver also acts in the capacity of a Certificate Requester - The CA MAY reuse a previously submitted EV Certificate Request, Subscriber Agreement, or Terms of Use, including use of a single EV Certificate Request in support of multiple EV Certificates containing the same Subject to the extent permitted under Section 11.9 and Section 11.10. ### 11.14.1. Validation For Existing Subscribers 
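Review bot: "previously performed due diligence and cross-correlation checks performed in accordance with Section 11.13" repeats "performed"; suggest "due diligence and cross-correlation checks previously performed in accordance with Section 11.13". The blank lines inserted between items 1 and 2 turn a tight list into a loose one with extra vertical space, and the conditions still lack an "and" after item 1 and an "or" between 2.A and 2.B, so whether both conditions (and which of A or B) are required remains ambiguous. "for the same Subscriber" also differs from the "same Subject" wording used in the reuse sentence below it; confirm which is meant.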
@@ -1332,8 +1335,7 @@ The requirements in Section 5.3.3 of the Baseline Requirements apply equally to ### 14.1.3. Separation of Duties -1. The CA MUST enforce rigorous control procedures for the separation of validation duties to ensure that no one Validation Specialist can single-handedly complete all verification processes and procedures. Due Diligence and Cross-Correlation MAY be performed by a single Validation Specialist, however the Validation Specialist MUST not be involved in the processes and procedures performed. For example, one Validation Specialist collects all Applicant information and a second Validation Specialist performs Due Diligence and Cross-Correlation. -2. Such controls MUST be auditable. +1. The CA MUST enforce rigorous control procedures for the separation of validation duties to ensure that no one Validation Specialist can single-handedly complete all verification processes and procedures. Due diligence and cross-correlation checks MAY be performed by a single Validation Specialist, however the Validation Specialist MUST not be involved in the processes and procedures under review. For example, one Validation Specialist validates all Applicant information and a second Validation Specialist performs the due diligence and cross-correlation checks. ## 14.2. Delegation of Functions to Registration Authorities and Subcontractors From 0141ef400e911753625b4eecbf034278ea4f09da Mon Sep 17 00:00:00 2001 From: Christophe Bonjean Date: Tue, 19 Mar 2024 11:30:45 +0100 Subject: [PATCH 16/17] Removed spaces, fixed 14.1.3 --- docs/EVG.md | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index f75f75f8..7ac5f830 100644 --- a/docs/EVG.md +++ b/docs/EVG.md 
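Review bot: This hunk deletes "2. Such controls MUST be auditable." along with the rewrite of item 1, but the commit message (link to certificate issuance, removal of definitions, clarification of applicable sections, terminology) gives no reason to drop the auditability requirement, so the removal looks accidental; keep item 2. The change from "collects all Applicant information" to "validates all Applicant information" in the example is consistent with the new "under review" wording.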
@@ -1231,15 +1231,11 @@ A CA verifying an Applicant using information of the Applicant's Parent, Subsidi 1.Prior to issuance, the CA MUST ensure that it has followed the requirements of these Guidelines and that all information and documentation assembled as part of the verification processes and procedures supports the issuance of a certificate with the information specified in the certificate request by performing due diligence and cross-correlation checks. A. The CA confirms that each verification process and procedure performed, separately, meets the requirements of these Guidelines by performing due diligence checks. The verification of the Applicant’s Domain Name, verified in accordance with Section 11.7, if performed in an automated manner, is out of scope of the due diligence checks. - B. As part of the cross-correlation checks, the CA confirms that all Subject information and documentation assembled as part of the verification processes and procedures relates to the same Subject and that there are no discrepancies between the verification elements as they relate to one another. The verification of the Applicant’s Domain Name, verified in accordance with Section 11.7, is out of scope of the cross-correlation checks. 2. Due diligence and cross-correlation checks MUST be performed by a Validation Specialist that was not involved in the processes and procedures for assembling the information and documentation. Due diligence and cross-correlation checks MAY be performed as two actions together by a single individual. - 3. The CA MUST obtain and document further explanation or clarification from the Applicant, Certificate Approver, Certificate Requester, Qualified Independent Information Sources, and/or other sources of information, as necessary, to resolve those discrepancies or details that require further explanation. - 4. 
The CA MUST refrain from issuing an EV Certificate until the entire corpus of information and documentation assembled in support of the EV Certificate Request is such that issuance of the EV Certificate will not communicate factual information that the CA knows, or the exercise of Due Diligence should discover from the assembled information and documentation, to be inaccurate,. If satisfactory explanation and/or additional documentation are not received within a reasonable time, the CA MUST decline the EV Certificate Request and SHOULD notify the Applicant accordingly. - 5. In the case where some or all of the documentation used to support the application is in a language other than the CA's normal operating language, the CA or its Affiliate MUST perform the requirements of this Final Cross-Correlation and Due Diligence section using employees under its control and having appropriate training, experience, and judgment in confirming organizational identification and authorization and fulfilling all qualification requirements contained in [Section 14.1](#141-trustworthiness-and-competence). When employees under the control of the CA do not possess the language skills necessary to perform the Final Cross-Correlation and Due Diligence a CA MAY: A. Rely on language translations of the relevant portions of the documentation, provided that the translations are received from a Translator; or 
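Review bot: Removing the blank lines between items 1 to 5 is fine, but two defects in the same lines are carried through unchanged: "1.Prior to issuance" still lacks the space after the marker (so the list does not render) and item 4 still ends "to be inaccurate,."; both are one-character fixes that belong in this "Removed spaces" commit.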
@@ -1252,10 +1248,9 @@ For each EV Certificate Request, including requests to renew existing EV Certifi The CA MAY rely on previously performed due diligence and cross-correlation checks performed in accordance with Section 11.13 to support multiple EV Certificate Requests for the same Subscriber, on the conditions that: -1. the data used to support issuance of an EV Certificate meets the Age of Validated Data requirement as set forth in 11.14.3; - +1. the data used to support issuance of an EV Certificate meets the Age of Validated Data requirement as set forth in 11.14.3; 2. a Pre‑Authorized Certificate Approver, pre-Authorized in line with 11.8.4 reviewed and approved the EV Certificate Request by use of: - A. 11.10.2. option 2; + A. 11.10.2. option 2; or B. 11.9.2. option 3, in case the Pre‑Authorized Certificate Approver also acts in the capacity of a Certificate Requester The CA MAY reuse a previously submitted EV Certificate Request, Subscriber Agreement, or Terms of Use, including use of a single EV Certificate Request in support of multiple EV Certificates containing the same Subject to the extent permitted under Section 11.9 and Section 11.10. @@ -1336,6 +1331,7 @@ The requirements in Section 5.3.3 of the Baseline Requirements apply equally to ### 14.1.3. Separation of Duties 1. The CA MUST enforce rigorous control procedures for the separation of validation duties to ensure that no one Validation Specialist can single-handedly complete all verification processes and procedures. Due diligence and cross-correlation checks MAY be performed by a single Validation Specialist, however the Validation Specialist MUST not be involved in the processes and procedures under review. For example, one Validation Specialist validates all Applicant information and a second Validation Specialist performs the due diligence and cross-correlation checks. +2. Such controls MUST be auditable. ## 14.2. Delegation of Functions to Registration Authorities and Subcontractors 
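Review bot: in the 11.14 hunk (`@@ -1252,10 +1248,9 @@`), adding `; or` after `A. 11.10.2. option 2;` makes A and B alternatives, but the relationship between conditions 1 and 2 is still implicit; end condition 1 with `; and` so it is clear both must hold, and give sub-item B a terminal full stop. The defined term is spelled two ways on the same line: `Pre‑Authorized Certificate Approver` (non-breaking hyphen U+2011, capital P) versus `pre-Authorized in line with 11.8.4` (ASCII hyphen, lower-case p); use one form throughout. Since item 2 governs reuse across `multiple EV Certificate Requests`, `reviewed and approved each EV Certificate Request` is more precise than `the EV Certificate Request`. The `-1. ...` / `+1. ...` pair is identical text, so the only change there is the removed blank line between conditions 1 and 2. The section references (11.14.3, 11.8.4, 11.10.2, 11.9.2) are bare numbers where the file elsewhere links sections as `[Section 14.1](#141-trustworthiness-and-competence)`; consider the same link form.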
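Review bot: in the 14.1.3 hunk (`@@ -1336,6 +1331,7 @@`), the new `2. Such controls MUST be auditable.` does not say what evidence must exist for the separation of duties to be auditable; state it (for example, that the identity of the Validation Specialist who performed each verification step, and of the one who performed the due diligence and cross-correlation checks, is recorded and retained), otherwise an auditor has nothing concrete to test item 2 against. The unchanged item 1 uses `MUST not` in lower case; RFC 2119 key words are upper case, so `MUST NOT`. Patch 17/17 of this series makes that correction, and it could be folded into this hunk.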
From 65e1b18f7d9c42041266e26f03f224acc7401496 Mon Sep 17 00:00:00 2001 From: Christophe Bonjean Date: Thu, 21 Mar 2024 14:56:24 +0100 Subject: [PATCH 17/17] Section reference and clarification of involvement of processes under review --- docs/EVG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/EVG.md b/docs/EVG.md index 7ac5f830..1045b29c 100644 --- a/docs/EVG.md +++ b/docs/EVG.md @@ -1330,7 +1330,7 @@ The requirements in Section 5.3.3 of the Baseline Requirements apply equally to ### 14.1.3. Separation of Duties -1. The CA MUST enforce rigorous control procedures for the separation of validation duties to ensure that no one Validation Specialist can single-handedly complete all verification processes and procedures. Due diligence and cross-correlation checks MAY be performed by a single Validation Specialist, however the Validation Specialist MUST not be involved in the processes and procedures under review. For example, one Validation Specialist validates all Applicant information and a second Validation Specialist performs the due diligence and cross-correlation checks. +1. The CA MUST enforce rigorous control procedures for the separation of validation duties to ensure that no one Validation Specialist can single-handedly complete all verification processes and procedures. Due diligence and cross-correlation checks specified in Section 11.13 MAY be performed by a single Validation Specialist, however the Validation Specialist MUST NOT have been involved in the processes and procedures under review. For example, one Validation Specialist validates all Applicant information and a second Validation Specialist performs the due diligence and cross-correlation checks. 2. Such controls MUST be auditable. ## 14.2. Delegation of Functions to Registration Authorities and Subcontractors
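Review bot: the example kept at the end of item 1 (`one Validation Specialist validates all Applicant information and a second Validation Specialist performs the due diligence and cross-correlation checks`) only satisfies the opening sentence (`no one Validation Specialist can single-handedly complete all verification processes and procedures`) if the due diligence and cross-correlation checks themselves count as verification processes and procedures; say so explicitly, or rephrase the first sentence as `complete both the verification processes and procedures and the checks specified in Section 11.13`. The new `Section 11.13` reference is a bare number whereas the file links sections as `[Section 14.1](#141-trustworthiness-and-competence)`; use the same link form. `MUST NOT have been involved in the processes and procedures under review` now duplicates 11.13 item 2 (`MUST be performed by a Validation Specialist that was not involved in the processes and procedures for assembling the information and documentation`) in slightly different words; keep one normative statement and cross-reference it from the other so the two cannot drift.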
