EV Certificate Validation Checklist
This article is intended to provide only a general outline of the data verified by Comodo when processing an EV Certificate application. The document is not definitive and does not reflect Comodo’s full EV process. For a complete listing of Comodo’s validation requirements, please refer to both Comodo’s EV Certificate Practice Statement and the EV Guidelines.
When submitting an EV Certificate application, Comodo will validate the following:
1. Applicant’s Legal Status. This verification must be obtained or verified directly with registration agency. Verification of the legal status depends on the type of organization.
- a. Private Organizations -- Incorporated entities with suffixes such as Inc., LLC, (US) Ltd. (UK), Pty. Ltd. (AUS), GmBh (Germany), AS (Norway)
- b. Government Entities -- Government entities include departments of the government, pubic/state schools, local governments, etc.
- c. Business Entities – Non-incorporated businesses that are created by filing with a government entity. To qualify for an EV certificate, there must be a registration authority and something equivalent to a business license. General Partnerships and Limited Partnerships generally fall into this category. Some sole proprietors qualify as a Business Entity, but others do not. For example UK sole proprietors do not currently qualify for EV as there is no registration authority for sole proprietors in the UK.
- d. Non-Commercial Entities -– International organizations that are not specifically tied to one country or government. NATO and the United Nations fall into this category.
2. Flagged Entity Check. Comodo checks the organization against an anti phishing work group, the US treasury department denied persons and organizations list, and other exclusion lists. Entities found on these lists will either be denied a certificate or require additional validation prior to issuance.
3. DBA/Trade Name (if applicable). Trade and DBA names are verified directly with registration agency or through a third party database such as D&B or Hoovers.
4. Physical Existence. This information must be confirmed through a third party database such as Dun and Brad Street (D&B).
5. Operational Existence. Registration of longer than three years will demonstrate operational existence. Otherwise, the organization must be verified with a third party database (D&B) or through a bank letter verifying that the organization has a demand deposit account with a regulated financial institution.
6. Phone Number. Phone numbers must be verified through a third party database or through an online source that receives information directly from a telecommunications provider.
7. Domain Ownership -- Domain names are verified through the domain registrar. Privacy on domains should be suspended until the validation process is complete.
8. Name, Title, and Authority of Contract Signer. If the contract signer’s name is on the registration documents or a third party database (such as D&B), further verification is generally not necessary. If further validation is necessary, a call to HR or another individual listed as a key person within the organization can be used to verify the name and title of the contract signer. During the phone call, the contract signer can be used to verify the authority of the certificate approver/requester. Having the contract signer, certificate approver, and certificate requester as the same person will help accelerate the process.
9. Name, Title, and Authority of Certificate Approver/Requester. Certificate Approver/Requesters are verified by a phone call to either HR or the contract signer.
10. Signature/Approval -- Verified through a phone call to the contract signer.
As an alternative, verification of items 3-9 can be completed using a letter from a CPA, a chartered accountant, or a legal opinion from an attorney. Sample letters that are sufficient for verification can be downloaded from here.