Organization Authentication Requirements
An Extended Validation SSL Certificate offers more than just encryption, as it also enables the organization behind the website to present its own validated identity of legal, physical and operational existence and hence authenticate itself to website visitors.
A trust hierarchy demands that entities "vouch" for each other. Companies that issue SSL Certificates are in the business of establishing that entities on the internet are, in fact, who they claim to be. The potential for criminal activity on the internet, as far as SSL is concerned, lies in the online hijacking of websites or connections to siphon encrypted data. Persons so inclined can easily copy website interfaces and pose as well-known vendors, simply to collect data. The use of an EV SSL certificate prevents this from occurring because we will only issue an EV SSL certificate to a legitimate entity.
The EV SSL Certificate provides the highest level of identity assurance and works as a guarantee that the organization behind the website, as well as the trusted third party validating the identity, completed a thorough identity verification process as per the EV guidelines (a set of vetting principles and policies approved by the CA/Browser forum).
There are strict industry standards that must be met before the EV SSL Certificate can be issued. The EV verification guidelines, drawn up by the Certificate Authority/Browser (CAB) Forum, require a much more rigorous check than other SSL Certificate types: multiple pieces of identifying information about the requesting company must be obtained and verified.
The following entities are eligible to receive an Extended Validation (EV) SSL Certificate provided they are currently registered with and approved by an official registration agency in their jurisdiction. The resulting charter, certificate, license or equivalent must be verifiable through that registration agency :
- Government agencies
- General partnerships
- Unincorporated associations
- Sole proprietorships
We must be able to confirm all of the following organizational registration requirements from official government agency records :
- The organization's registration number
- Date of registration / incorporation
- Organization's registered address (or the address of the organization's registered agent)
A non-government data source (such as Dun & Bradstreet) must include the organization's place of business address if it is not included in the government agency records.
If the organization has been registered for less than three years, we may be required to verify operational existence through one of the following means :
Through a non-government data source (such as Dun & Bradstreet), or by verifying the organization has an active demand deposit account (such as a checking account) with a regulated financial institution through a professional opinion letter or directly with the financial institution.
The company name and address listed on the order must be confirmed as registered and operational in the country listed on the order and have a verifiable physical address.
These details are checked by Comodo themselves using a 'Qualified Government Information Source'. Below are some examples of various government agencies that we can use :
- United Kingdom : Companies House
- Israel : The Ministry Of Justice
- United States : The Local Secretary Of State
- Austria : FirmenABC
There must be an exact match between the company name entered on the order and the company name that is officially registered. This includes corporate identifiers such as Limited, Ltd, LLC, Inc, etc.
The company must also be confirmed as operational for at least 3 years. A Principal Individual Letter (PIL) may also be required if the company has been operating for less than 3 years.