ETSI EN 319 411-1 Subscriber identity validation for certificate authorities

Clause 6.2.2 starts with a direct rule: the TSP verifies the identity of the subscriber and the subject. It then requires the TSP to collect and validate either direct evidence or an attestation from an appropriate and authorized source for the subject's identity and, where applicable, subject attributes.

The validation decision must also cover the certificate request itself. ETSI EN 319 411-1 requires the TSP to check that certificate requests are accurate, authorized, and complete against the collected evidence or attestation. Identity verification happens at registration, and the registration service passes verified identity and attribute results to certificate generation.

For natural-person subjects under NCP requirements, ETSI EN 319 411-1 expects identity evidence to be checked against the person directly by physical presence, unless a duly mandated subscriber represents the subject, or indirectly using means that provide equivalent assurance. The evidence set includes the person's full name and either date and place of birth, a recognized identity-document reference, or other distinguishing attributes.

For a natural person associated with a legal person, the file needs both personal and organization evidence: the subject's name and distinguishing attributes, the legal person's full name and legal status, relevant registration information, the affiliation, and approval by both the legal person and natural person that the subject attributes identify the organization. For legal-person and device/system subjects, the evidence shifts to the organization's name, registration or distinguishing attributes, relevant organizational associations, and a device identifier such as an Internet domain name where applicable.

The evidence record should be specific enough to re-perform the validation decision without collecting unnecessary long-term personal data. ETSI EN 319 411-1 requires the TSP to record all information necessary to verify the subject identity and attributes, including any reference number on verification documentation and any limits on its validity. The standard notes that long-term retention may be limited to a reference to the document used, depending on the records obligations and applicable law.

The file should also prove process integrity. Keep the request, evidence or attestation source, validation method, certificate profile, subscriber contact attributes, authorization evidence, approval history, and the registration officer or RA record. The registration officer who verifies identity must not be the natural person receiving the certificate as subject.