Organization Validation KYV Certificates (OV Certs)
When TRISA issues an Organization Validation SSL certificate, we will verify that your organization is a legal, legitimate VASP. TRISA will issue your digital certificate after verifying your organization through a few steps, including confirming your organization’s presence in the registered location, telephone numbers, and domain ownership.
Extended Validation Certificates will be issued later and will validate the TRIXO questionnaire answers plus additional cybersecurity elements.
1 – Organization Validation
To ensure the process begins smoothly, double-check that all information registered with your state or country matches information supplied at checkout and in your user dashboard and is up to date. TRISA will confirm that your organization is registered and active in the location provided. VASP or regulator
2 – Locality Validation
TRISA or TRISA-approved Registration Authorities will verify that your organization is legally incorporated, constituted or otherwise established (registered) in the state or country you have provided. We will confirm that you have a legitimate physical presence within the area registered. We can typically verify this information through a government database. Should additional information be required, we will notify you.
3 – Telephone Validation
In order to receive an OV certificate, you must have a registered active telephone listing that is verifiable by an online telephone directory. It is important that your listing matches the exact business name and physical address that have been provided and verified.
4 – Domain Validation
In this step, we will confirm that the domain you are registering the certificate for is in fact owned by your organization. To do this, we will start by searching the internet database that houses domain registrar information, WHOIS.
There are a number of ways to prove domain control – all of them are outlined in the Baseline Requirements so as to be well-defined and the same for all CAs to follow.
You must have a registered Domain Name to register for TRISA and receive an Organization Validation SSL certificate.
3 methods of Domain Validation or Physical Address:
* Email – we send a simple challenge/verification email (‘enter this unique code into this web form’) to an ‘administrative’ email contact at the domain.
There is a set of allowed emails:
Any email we find on WHOIS. Privacy emails like those Namecheap and GoDaddy use are generally fine – they are simply anonymized addresses that forward through to the actual domain controller, who can action the email.
We are seeing more problems from WHOIS since the GDPR came about, and scraping emails from WHOIS is used less and less these days. Emails are no longer on the output or WHOIS is kept behind a CAPTCHA, which we cannot use.
* DNS – a ‘token’ is placed in DNS in a specific record type and format. Our system looks for the record and target, and if correct – domain control is proven.
* HTTP(s) – a text file with a specific file name and content must be placed on the webserver in a specific location. Our systems look for the file, and need to receive an HTTP 200 response with the .txt file content. If we do, domain control is proven.
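The DNS and HTTP(s) checks described above can be modelled as follows. This is an added example, not TRISA's own code: the token value, the TXT record type, the response fields and the same-host rule are assumptions, since the page does not specify them.

```python
import hmac

# Constructed sample values; the page does not give the token format,
# DNS record type, file name or file location, so these are assumptions.
TOKEN = "demo-3f9c1a7e42"
DOMAIN = "vasp.example"

def token_matches(expected: str, received: str) -> bool:
    """Exact, constant-time match; only surrounding whitespace is ignored."""
    return hmac.compare_digest(expected.encode(), received.strip().encode())

def check_dns(expected: str, records: list[tuple[str, str]]) -> bool:
    """records: (type, value) pairs returned for the challenge name.
    TXT is assumed here as the 'specific record type'."""
    return any(
        rtype == "TXT" and token_matches(expected, value.strip().strip('"'))
        for rtype, value in records
    )

def check_http(expected: str, domain: str, resp: dict) -> tuple[bool, str]:
    """resp: status, final_host (after redirects) and body of the fetch."""
    if resp["status"] != 200:
        return False, "status is not 200"
    # Assumption: a redirect that ends on another host proves nothing
    # about control of the requested domain.
    if resp["final_host"].lower().rstrip(".") != domain.lower():
        return False, "answered by a different host"
    if not token_matches(expected, resp["body"]):
        return False, "file content does not match the token"
    return True, "domain control proven"

SAMPLE_DNS = [("MX", "10 mail.vasp.example."), ("TXT", '"demo-3f9c1a7e42"')]
SAMPLE_HTTP = {
    "valid": {"status": 200, "final_host": "vasp.example", "body": "demo-3f9c1a7e42\n"},
    "missing": {"status": 404, "final_host": "vasp.example", "body": "Not Found"},
    "redirected": {"status": 200, "final_host": "cdn.example", "body": "demo-3f9c1a7e42"},
    # A catch-all page that echoes the token inside HTML still returns 200.
    "soft_404": {"status": 200, "final_host": "vasp.example",
                 "body": "<html>no such file: demo-3f9c1a7e42</html>"},
}

if __name__ == "__main__":
    print("dns:", check_dns(TOKEN, SAMPLE_DNS))
    for name, resp in SAMPLE_HTTP.items():
        print(name, check_http(TOKEN, DOMAIN, resp))
```

The soft_404 case shows why the file content is compared exactly rather than searched for the token: a server that answers every path with 200 would otherwise pass.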
In the case that the VASP does not control a domain name, validation of physical address is required.
5 – TRISA Endpoint Validation
Endpoint validation is easy: just provide a fully qualified domain name and designated port address.
6 – Final Verification Call
The final step of verification is simple. We will call the telephone number associated with your organization to verify ownership and order. This is a short call and all you need to do is ensure you or a designated site admin are available and pick up the phone.