Identification and authentication
See below for the practice statements on identification and authentication.
Naming
See below for the practice statements on naming.
- Types of names: The Subject names in a Certificate comply with the X.501 Distinguished Name (DN) form.
- Need for names to be meaningful: CA Certificates must identify the subject as a CA and include the Customer organization name. The RA must ensure the Subject names in Subscriber Certificates have meaning to Relying Parties.
- Anonymity or pseudonymity of subscribers: No stipulation.
- Rules for interpreting various name forms: No stipulation.
- Uniqueness of names: CA distinguished names shall be unique.
- Recognition, authentication, and role of trademarks: No stipulation.
Initial identity validation
See below for the practice statements on initial identity validation.
- Method to prove possession of private key: The CA will perform proof of possession tests for CSRs created using reversible asymmetric algorithms (such as RSA) by validating the signature on the CSR submitted with the Certificate Application.
- Authentication of an organization identity: Responsibility of the RA.
- Authentication of an individual identity: Responsibility of the RA.
- Non-verified subscriber information: Responsibility of the RA.
- Validation of authority:
  - During the initial onboarding process, the Customer identifies who will act as the RA and be responsible for the Customer’s RA credentials.
  - To create the RA credential, PKIaaS generates a one-time passcode (OTP) and transmits it to the identified RA.
  - The RA holds validation of authority responsibility for subscriber certificates.
- Criteria for interoperation: Responsibility of the RA.
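The proof of possession test named under "Method to prove possession of private key" can be illustrated with the following Go sketch, which is an added example and not code from this practice statement or from PKIaaS. The helper names `VerifyPoP` and `SampleCSR` and the subject name are assumptions, and the CSRs are constructed in-process as sample input.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

// VerifyPoP accepts a PEM CSR only if its signature verifies under the public key it carries.
func VerifyPoP(csrPEM []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parse CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	return csr, nil
}

// SampleCSR builds a constructed RSA CSR; tamper flips one signature bit after signing.
func SampleCSR(cn string, tamper bool) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	if tamper {
		der[len(der)-1] ^= 0x01 // the signature BIT STRING is the last field of the DER
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

func main() {
	csrPEM, _ := SampleCSR("device01.example.test", true)
	_, err := VerifyPoP(csrPEM)
	fmt.Println("tampered CSR:", err)
}
```

A CSR that fails this check gives no evidence that the requester holds the private key for the public key in the request, so it should be rejected before any RA identity validation result is applied to it.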
Identification and authentication for re-keying requests
The RA holds responsibility for:
- Identification and authentication for routine re-keying
- Identification and authentication for re-keying after certificate revocation
Identification and authentication for revocation requests
Before revoking a Certificate, the RA shall validate the authorization to revoke that Certificate.