---
title: "Subscriber identity validation under ETSI EN 319 411-1"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-1/faq/subscriber-identity-validation"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-1/faq/subscriber-identity-validation"
author: "Sorena AI"
description: "How certificate authorities should validate subscriber and subject identity under ETSI EN 319 411-1, including evidence, authorization, subject categories, and registration records."
published_at: "2026-05-09"
updated_at: "2026-05-27"
keywords:
  - "ETSI EN 319 411-1"
  - "subscriber identity validation"
  - "subject identity validation"
  - "registration authority"
  - "certificate authority"
---
# Subscriber identity validation under ETSI EN 319 411-1

How certificate authorities should validate subscriber and subject identity under ETSI EN 319 411-1, including evidence, authorization, subject categories, and registration records.

## ETSI EN 319 411-1 Subscriber identity validation for certificate authorities

A focused answer for certification authorities and trust service providers validating subscribers, subjects, representatives, organizations, and device identities before certificate issuance.

Grounded in ETSI EN 319 411-1 and ETSI EN 319 401 source text. Use it as implementation guidance, not for legal interpretation.

Under ETSI EN 319 411-1, the TSP must verify the identity of both the subscriber and the certificate subject before issuance. The validation file should show the subject category, the subscriber-subject relationship, the direct evidence or authorized attestation used, the authorization to request the certificate, and the registration record needed to reconstruct the decision later.

## What must be validated before a certificate is issued?

Clause 6.2.2 starts with a direct rule: the TSP verifies the identity of the subscriber and the subject. It then requires the TSP to collect and validate either direct evidence or an attestation from an appropriate and authorized source for the subject's identity and, where applicable, subject attributes.

The validation decision must also cover the certificate request itself. ETSI EN 319 411-1 requires the TSP to check that certificate requests are accurate, authorized, and complete against the collected evidence or attestation. Identity verification happens at registration, and the registration service passes verified identity and attribute results to certificate generation.

- Identify whether the subject is a natural person, a natural person linked to a legal person, a legal person or organizational entity, or a device or system operated by or for a natural or legal person.
- Collect direct evidence or an authorized-source attestation for the subject identity and any certificate attributes that will be included or relied on.
- Check request accuracy, authorization, and completeness before certificate generation uses the registration result.

Sources for this answer:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for clause 6.2.2 initial identity validation: subscriber and subject verification, evidence or attestation, registration timing, and request accuracy checks.
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the records governance behind identity-validation evidence, including accessible records, integrity, confidentiality, and legal-evidence purposes.

## How does the answer change by subject type?

For natural-person subjects under NCP requirements, ETSI EN 319 411-1 expects identity evidence to be checked against the person directly by physical presence, unless a duly mandated subscriber represents the subject, or indirectly using means that provide equivalent assurance. The evidence set includes the person's full name and either date and place of birth, a recognized identity-document reference, or other distinguishing attributes.

For a natural person associated with a legal person, the file needs both personal and organization evidence: the subject's name and distinguishing attributes, the legal person's full name and legal status, relevant registration information, the affiliation, and approval by both the legal person and natural person that the subject attributes identify the organization. For legal-person and device/system subjects, the evidence shifts to the organization's name, registration or distinguishing attributes, relevant organizational associations, and a device identifier such as an Internet domain name where applicable.

- Do not use a single identity checklist for every certificate profile; map the requested certificate to the subject type and policy conditions that apply.
- When the subscriber and subject are different entities, keep evidence that the subscriber is authorized to act for the subject and, if the subscriber is not a natural person, that a natural person is authorized to represent the subscriber.
- For web certificates, use the domain-name and IP-address verification methods in clauses 3.2.2.4 to 3.2.2.9 of the CA/B Forum Baseline Requirements (BRG) for the applicable certificate profile, instead of a generic verification path.

Sources for this answer:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Supports the subject-category split in clauses 5.4.2 and 6.2.2, including natural persons, associated legal persons, legal persons, devices, subscriber authorization, and representative proof.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Provides the EU trust-services legal context for certificates and trust service providers where ETSI EN 319 411-1 is used for eIDAS-oriented certification services.

## What evidence should a CA keep for subscriber identity validation?

The evidence record should be specific enough to re-perform the validation decision without collecting unnecessary long-term personal data. ETSI EN 319 411-1 requires the TSP to record all information necessary to verify the subject identity and attributes, including any reference number on verification documentation and any limits on its validity. The standard notes that long-term retention may be limited to a reference to the document used, depending on the records obligations and applicable law.

The file should also prove process integrity. Keep the request, evidence or attestation source, validation method, certificate profile, subscriber contact attributes, authorization evidence, approval history, and the registration officer or RA record. The registration officer who verifies identity must not be the natural person receiving the certificate as subject.

- Record the subject type, subscriber-subject relationship, certificate profile, evidence source, validation method, document reference, validity limitations, and request approval.
- Keep subscriber contact attributes such as a physical address or other contact attributes, plus evidence showing how the registration process meets applicable data-protection legislation.
- Track registration officer independence, RA involvement, and any delegated evidence source so the CA can show who validated what and under which CPS process.

Sources for this answer:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Supports the registration evidence requirements for identity records, document references, subscriber contact attributes, data-protection evidence, and registration officer independence.
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports preserving identity-validation records as controlled trust-service evidence with maintained confidentiality, integrity, availability, and retention appropriate to the service.
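
The subject-type evidence split and the registration-record fields described in the answers above can be enforced as a gate before the registration result is passed to certificate generation. The following Python code is an added example, not taken from ETSI EN 319 411-1 or from Sorena; the field names, subject-type keys and the `RegistrationRecord` structure are hypothetical, and the device identifier is treated as always required for simplicity.

```python
from dataclasses import dataclass, field

# Hypothetical field names, taken from the evidence lists on this page.
COMMON = {"certificate_profile", "evidence_source", "validation_method",
          "document_reference", "request_approval", "subscriber_contact"}
PERSON = {"full_name", "distinguishing_attribute"}
ORG = {"org_full_name", "org_registration"}
EVIDENCE_BY_SUBJECT_TYPE = {
    "natural_person": PERSON,
    "natural_person_with_legal_person": PERSON | ORG | {
        "org_legal_status", "affiliation", "org_approval", "subject_approval"},
    "legal_person": ORG,
    "device_or_system": ORG | {"device_identifier"},  # assumption: always required
}

@dataclass
class RegistrationRecord:
    subject_type: str
    subject_id: str
    subscriber_id: str
    subscriber_is_natural_person: bool
    registration_officer_id: str
    fields: dict = field(default_factory=dict)  # evidence name -> reference

def findings(rec):
    """Return the gaps that should block hand-off to certificate generation."""
    evidence = EVIDENCE_BY_SUBJECT_TYPE.get(rec.subject_type)
    if evidence is None:
        return [f"unknown subject type: {rec.subject_type}"]
    out = [f"missing: {n}" for n in sorted(COMMON | evidence) if not rec.fields.get(n)]
    if rec.subscriber_id != rec.subject_id:  # subscriber acts for the subject
        if not rec.fields.get("subscriber_authorization"):
            out.append("missing: subscriber_authorization")
        if (not rec.subscriber_is_natural_person
                and not rec.fields.get("representative_authorization")):
            out.append("missing: representative_authorization")
    if (rec.subject_type.startswith("natural_person")
            and rec.registration_officer_id == rec.subject_id):
        out.append("registration officer is the certificate subject")
    return out

# Constructed sample: employee certificate requested by the employer.
SAMPLE = RegistrationRecord(
    "natural_person_with_legal_person", "person-17", "org-acme", False, "person-17",
    {n: "ref" for n in COMMON | PERSON | ORG} | {
        "org_legal_status": "ref", "affiliation": "ref", "org_approval": "ref",
        "subscriber_authorization": "ref"})

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)))
```

The constructed sample fails on three points: the subject's own approval is absent, no natural person is shown as authorized to represent the organizational subscriber, and the registration officer is the subject.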

## Primary sources

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary ETSI source for subscriber and subject definitions, initial identity validation, evidence and attestation requirements, subject-category evidence, subscriber authorization, contact attributes, data-protection evidence, and registration officer separation.
  - Quote: "Initial identity validation"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general TSP evidence governance, including accessible records, confidentiality and integrity of archived records, legal-evidence use, and appropriate retention.
  - Quote: "Collection of evidence"
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Legal context for EU electronic identification and trust services when ETSI certificate-policy requirements are used by eIDAS-oriented trust service providers.
  - Quote: "electronic identification and trust services"

