For our products, three types of validation exist:
Certificates with domain authentication constitute the lowest possible authentication level available and are suitable for organizations where encryption is the main priority. A company requesting a certificate with domain authentication will be subject to a certification process to establish that the requested domain name belongs to the company and that the company has the right to use this domain name. GeoTrust will also verify that the e-mail address of the contact person requesting the certificate is listed in the WHOIS list, and that it meets the requirements for e-mail addresses.
Authentication of a business identity, also called company authentication, offers a high level of security. For SSL certificates at this level of authentication, the existence of an organization will be verified through official documents. Usually, Symantec/GeoTrust will gather this independent confirmation from public and private databases. If Symantec/GeoTrust cannot find proof that the applicant is entitled to such a certificate, the following documents may be required by Symantec/GeoTrust:
- Certificate of incorporation
- Trading certificate
- Founding certificate
- Company name
- Brand registration
- Founding documents
- Partnership contracts
- Explanation of fictitious name
- Licenses for vendors, retailers, merchants
- List of retailers
The organization's name, stated as a Distinguished Name (CSR) for the applicant of the certificate, must correspond with the full legal name of the organization. Symantec/GeoTrust can not accept any application where the full company name, as stated in one of the documents above, does not correspond with the Distinguished Name of the applicant.
Designations such as AG, GmbH, etc. may be disregarded. For example, "Diana's Coffee Shop" may be used to authenticate "Diana's Coffee Shop AG", but "Diana's Coffee Shop" may not be used to authenticate "Diana's Coffee and Gift Shop AG". Business identity and the domain name of the applicant will be verified for any certificate application. The organization requesting the SSL certificate must own the domain name or provide proof that it has the right to use said domain name. Symantec/GeoTrust will also verify that the person requesting the certificate for the company or organization is employed by the organization.
Symantec/GeoTrust requires signed contract confirmation from the contact person named by the company on the application for an EV SSL certificate. If Symantec/GeoTrust is not able to confirm the organization's data by means of a public or private database, register extracts will be required. A legal opinion may be necessary to confirm the following particulars of a company requesting an EV SSL certificate:
- Actual address of the company's place of business
- Telephone number
- Confirmation of the exclusive right to use the domain
- Additional confirmation about the existence of the company if said company is less than three years old.
- Confirmation of employment of the contact person of the company.
These methods are standard procedures used for the verification of identities to confirm information given by companies for EV SSL certificates. Documentation requirements may vary depending on the amount of information available in various legitimate online databases.