Nobody wants to download something that will affect their computer negatively and Operating Systems are well aware of this. That’s why they’ve gone out of their way to generate warning messages anytime someone attempts to download something that may not come from a trustworthy source.
To software developers and engineers, these messages can mean the difference between someone adopting your software and someone forgetting it in their download folder. And losing users is bad for business—bad for the bottom line. So how do you become a trustworthy source? How do you prevent those messages and alerts from popping up before someone attempts to run YOUR software or code?
Individual Validation is a little different than Organizational Validation because you’re not proving that you’re a company, rather you’re a single developer that must prove your identity to the CA. We’ll go into how in each individual section, but for now, just know there are essentially three different components.
The first requirement for all Individual Validated Code Signing Certificates is Identity Authentication. Here the CA will attempt to verify the identity of the individual applying for the certificate.
What is Identity Authentication?
To satisfy the Identity Authentication requirement, the CA will need to make sure that you are who you say you are. That means verifying the personal identity of the applicant. The applicant's identity can be proven by completing a Notary ID form. This form must be notarized by a licensed Notary Public, or your country's equivalent of a Notary Public. The CA will send you the ID form via email, or you can download it when you fill out the initial application.
In addition to the form, you will also need to send some additional documentation. The best way to explain this is by breaking it down by CA.
In addition to a required form of Government-Issued Identification, you will also have to send in two forms of secondary evidence.
You may send in the following forms of Government-Issued ID:
- Driver's License
- Personal ID Card
- Military ID
In addition to the Government-Issued ID, Comodo also wants two forms of additional documentation. The first form is a financial document that contains your full name. This can be a:
- Credit Card Statement
- Debit Card Statement
- Mortgage Statement
- Bank Statement
Then Comodo also wants a form of non-financial documentation with your full name on it. Examples of this form of documentation include:
- Utility Bill
- Lease Agreement
- Birth Certificate
- Tax Bill
After providing the notarized ID form, plus a copy of your Government-Issued ID and two additional forms of documentation, you will have satisfied Comodo's Individual Authentication requirements
The next requirement for an Individual Validated CodeSigning Certificate is far less rigorous than the Identity Authentication requirement;you simply have to prove you have an active, listed telephone number.
What is Telephone Verification
To satisfy the Telephone Verification requirement you musthave an active telephone number listed that's verifiable by an acceptabletelephone directory such as Dun & Bradstreet. That listing must containyour full name and physical address.
Alternatively, Comodo will accept a Legal Opinion Letter. A legal opinion letter, sometimes called a Professional Opinion Letter or POL,is a piece of documentation in which an attorney or accountant – in goodstanding – essentially vouches for your personal information by signing aletter.
Once you've completed the Identity Authentication and theTelephone Verification, there's just one requirement remaining: the FinalVerification Call.
Final Verification Call
The Final Verification Call is the final requirement to receive an Individual Validated Code Signing Certificate. And it's exactly what it sounds like, the Certificate Authority (CA) reaches out to you over the phone to verify the details of your order.
What is the Final Verification Call?
To satisfy the final requirement, you must simply field a phone call from the Certificate Authority and confirm your order details. Comodo will call the listed phone number that they verified during the Telephone Verification requirement.
The process is simple, just pick up the phone. Hold it to your ear. Talk into the receiver. Answer the CA's questions and you'll satisfy this requirement. Did we just explain how to use a telephone to you? Maybe. Is it really this easy? Yes.
If your listed number doesn't connect to you directly or it's not a personal number, the CA can also attempt to reach you in two additional ways.
In addition to reaching you on a personal number, the CA's can also reach you via:
- Extension or IVR – If your phone system uses extensions or Interactive Voice Response (IVR) the CA will work through the system to connect with you. So as long as your extension is listed (or you provided it) or your phone can be reached via the IVR, you'll be fine.
- Transfer or Alternative Number – If you don't have an extension or IVR, the CA can also have the operator or receptionist transfer them or provide them with your direct number (which, frankly, it would have been easier had you just provided this number from the outset, but hey, you do you). Either way works just fine and will allow the CA to get in touch with you and satisfy this requirement.
Now all that's left is for the CA to issue the Code Signing certificate. Then you'll need to install it. For more help signing using your Code Signing Certificate, click here.
Please Note: As of January 23, 2017, Comodo will be the only CA that continues to offer code signing certificates for individual developers. Unfortunately, Symantec and Thawte will no longer support this type of certificate.