Certificates issued by the CA bind a subject name to an identified entity that is in possession of the private key pertaining to that certificate. This binding will be authenticated by the CA or its assigned RA's. In case the entity is a natural person, this authentication will be based on suitable identification documents or firm personal acquaintance by the CA or RA, testified to in writing by such RA.
In case the entity to be certified is a machine or software component, the requester (a natural person) shall prove to the satisfaction of the CA and RA that the binding will be to the service or system defined in the subject and that the requester is adequately authorised.
For subscribers, the CA shall ensure that the applicants identity is verified in accordance with this CP/CPS. In addition, the CA and RA shall record the process followed for issuance of each certificate. This record shall include:
For authentication identification, the applicant must appear in-person before the RA or CA and show at least one of either a passport, a Dutch driving license or a European Identity Card. The RA or CA will meet the holder in-person and compare the photographs and will register the number of the identity piece. The RA and CA will make sure that the subject name of the certificate is non-null. In case of a natural person, the subject name must be conforming to the full name shown of the identity piece.
In case the RA or CA has firm personal knowledge about the identity of the requester, and can positively identify requester by voice, a phone conversation verifying that the requester made this request, and during which the integrity of the request is checked by comparing fingerprints or content data, the requirement of an in-person appearance is waived. Such form of authentication shall be stated on the audit record. Only RA's designated as such in section 1.4.2 of this document may testify on the identity of applicants in this way.
The affiliation of application with the organisation mentioned in the request is performed by checking public databases maintained by such organisation, or by written statement by such organisation testifying said affiliation to the RA or CA. When phone identity verification is used in the authorization process, the phone number used must be within the number range or ranges assigned to the organisation.
Machines and object are authorised by contacting the natural person responsible for such machine or object. This responsible will be authorised in accordance with the stipulation made in this section.
Any information exchanged between the RA and the CA shall be either by strong cryptographic means, or shall be verified by out-of-band methods in a phone conversation with firm positive identification by both parties (CA and RA) involved.
The certificate is send to the subscriber at the electronic mail address provided within or as part of the request. On request of the subscriber, the certificate may be delivered by other suitable means.
Since no private keys are generated by the CA, these need not be delivered to the subscriber.