Map identity validation for EU qualified certificates to the policy profile, subject type, verification method, and registration evidence EN 319 411-2 expects.
Use this as standards implementation guidance for certificate-service design and audits, not for legal interpretation.
Structured answer sets in this page tree.
Cited legal and guidance references.
Use this page when a qualified certificate service needs to show how subscriber and subject identity is verified before issuance. ETSI EN 319 411-2 imports the general EN 319 411-1 identity-validation requirements and adds qualified-certificate rules for natural persons, legal persons, and qualified website authentication certificates.
Identity proofing cannot be reviewed in isolation from the certificate policy. EN 319 411-2 uses different qualified certificate policy indicators for natural persons, legal persons, QSCD-backed certificates, and qualified website authentication certificates.
Before reviewing any registration file, identify whether the certificate is issued under QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen. That choice decides whether the evidence must prove a natural person, a legal person and authorized representative, a website-domain link, a QSCD-related route, or a combination of those elements.
For qualified natural-person certificates, EN 319 411-2 requires identity verification by physical presence or by a method that gives equivalent assurance and whose equivalence the TSP can prove. For legal-person certificates, the same structure applies to the authorized representative of the legal person.
Remote or delegated proofing should therefore leave a clear equivalence file. The file should show which route was used, which person or representative was checked, what attributes were validated, and why the route provides assurance comparable to physical presence for the certificate policy in scope.
The identity-proofing outcome has to control certificate issuance, not just sit in a registration archive. EN 319 411-1 requires the TSP to check that certificate requests are accurate, authorized, and complete according to the collected evidence or attestation of identity.
Use a release gate that compares the registration file with the certificate request and the intended certificate profile. The gate should catch mismatches in subject name, organization, role, domain name, representative authority, QSCD indication, subscriber agreement choices, and any attribute that will appear in the certificate.
Use this ETSI EN 319 411-2 guidance to align certificate profiles, registration procedures, certificate-request gates, and evidence records.
Convert identity-proofing checks into accountable tasks, registration evidence requests, and audit review milestones.
Use cited source material to resolve profile, registration, evidence, and certificate-request questions before implementation.
Review identity-proofing scope, evidence gaps, owners, and the next certificate-service actions with Sorena.
Identity proofing should produce a replayable registration record. EN 319 411-1 calls for logging registration events and recording the documents or attestations used, unique identification data where applicable, storage location of copies, subscriber agreement choices, the entity accepting the application, validation method, and the receiving TSP or submitting Registration Authority where applicable.
That record should also respect privacy expectations. The standard recognizes that evidence can include personal data such as identity-card or passport information and requires privacy of subject information and protection of registration data confidentiality and integrity.
The most common failures are traceability failures: the certificate profile says one thing, the registration record proves another, or the proofing route is described without evidence that it is appropriate for the profile.
Review these gaps before an audit, conformity assessment, or production certificate issuance run. Each gap should be closed in the registration procedure, CPS, subscriber agreement, certificate request gate, or evidence-retention process.
"certificate requests are accurate"
"equivalent assurance"