3. IDENTIFICATION AND AUTHENTICATION
3.1 Naming
3.1.1 Types of names
Certificate distinguished names and subject alternative names are compliant with the CP.
3.1.2 Need for names to be meaningful
ISRG certificates include a “Subject” field which identifies the subject entity (i.e. organization or domain). The subject entity is identified using a distinguished name.
ISRG certificates include an “Issuer” field which identifies the issuing entity. The issuing entity is identified using a distinguished name.
3.1.3 Anonymity or pseudonymity of subscribers
Subscribers are not identified in DV certificates, which have subject fields identifying only domain names (not people or organizations). Relying parties should consider DV certificate subscribers to be anonymous.
3.1.4 Rules for interpreting various name forms
Distinguished names in certificates are to be interpreted using X.500 standards and ASN.1 syntax. RFC 2253 and RFC 2616 provide more information.
Certificates do not assert any specific relationship between subscribers and registrants of domain names contained in certificates.
Regarding Internationalized Domain Names, ISRG will have no objection so long as the domain is resolvable via DNS. It is the CA’s position that homoglyph spoofing should be dealt with by registrars, and Web browsers should have sensible policies for when to display the punycode versions of names.
3.1.5 Uniqueness of names
No stipulation.
3.1.6 Recognition, authentication, and role of trademarks
ISRG reserves the right to make all decisions regarding Subscriber names in certificates. Entities requesting certificates will be required to demonstrate their right to use names (e.g. demonstrate control of a domain name), but trademark rights are not verified.
While ISRG will comply with U.S. law and associated legal orders, it is ISRG’s position that trademark enforcement responsibility for domain names should lie primarily with domain registrars and the legal system.
3.2 Initial identity validation
ISRG may elect not to issue any certificate at its sole discretion.
3.2.1 Method to prove possession of private key
Applicants are required to prove possession of the Private Key corresponding to the Public Key in a Certificate request, which can be done by signing the request with the Private Key.
3.2.2 Authentication of organization and domain identity
ISRG only issues Domain Validation (DV) certificates. When a certificate request includes a list of FQDNs in a SAN list, all domains in the list are fully validated prior to issuance.
Validation for DV certificates involves demonstrating proper control over a domain. ISRG validates domain control in an automated fashion via the ACME protocol.
There are three methods used for demonstrating domain control:
Agreed-Upon Change to Website: Confirming the Applicant’s control over the requested FQDN by confirming the presence of agreed-upon content contained in a file or on a web page under the “/.well-known/acme-challenge/” directory on the requested FQDN that is accessible to the CA via HTTP over port 80, following redirects. (BR Section 3.2.2.4.6)
DNS Change: Confirming the Applicant’s control over the requested FQDN by confirming the presence of a random value (with at least 128 bits entropy) in a DNS TXT or CAA record for the requested FQDN prefixed with the label ‘_acme-challenge’. (BR Section 3.2.2.4.7)
TLS Using a Random Number: Confirming the Applicant’s control over the requested FQDN by confirming the presence of a random value (with at least 128 bits entropy) within a Certificate on the requested FQDN which is accessible to the CA via TLS over port 443. (BR Section 3.2.2.4.10)
Validation for wildcard domain requests must be completed using the DNS Change method.
All validations are performed in compliance with the current CAB Forum Baseline Requirements at the time of validation.
3.2.3 Authentication of individual identity
ISRG does not issue certificates to individuals, and thus does not authenticate individual identities.
3.2.4 Non-verified subscriber information
Non-verified Applicant information is not included in ISRG certificates.
3.2.5 Validation of authority
ISRG does not issue certificates to organizations, and thus does not validate any natural person’s authority to request certificates on behalf of organizations.
Organizations have the option to specify CA issuance authority via CAA records, which ISRG respects.
3.2.6 Criteria for interoperation
ISRG discloses Cross Certificates in its Certificate Repository:
https://letsencrypt.org/certificates/
3.3 Identification and authentication for re-key requests
3.3.1 Identification and authentication for routine re-key
See Section 4.7.
3.3.2 Identification and authentication for re-key after revocation
See Section 4.7.
3.4 Identification and authentication for revocation request
Identification and authentication for revocation requests is performed by ISRG in compliance with Section 4.9 of this document.
Identification and authentication are not required when revocation is being requested by ISRG.