Ryan,
- Symantec and its affiliates must not participate in any of the information verification roles permitted under the Baseline Requirements, such as Delegated Third Parties, including that of Enterprise RAs, or as Validation Specialists. That is, the non-affiliated organization bears full responsibility to perform all information verification controls related to the issuance of the certificates. Symantec and its affiliates may, however, seek to collect and aggregate all of the information as part of the Certificate Request process in order to expedite and simplify the verification process.
You say that Symantec can't perform verification tasks like being Delegated Third Parties, Enterprise RAs, or Validation Specialists. But you then go on to say they can seek to collect and aggregate all of the information as part of the Certificate Request process.
I'm curious where we can draw the line between RA functions and non-RA functions in general, thus this new thread. I would have assumed that collecting and aggregating documents was an RA function, else the RA could be tricked into accepting falsified documents.
Is it acceptable for a person in a non-trusted role to collect and organize documents (like the signed subscriber agreement, the articles of incorporation from Sec of state databases, print Organization data from GIS systems, etc.) and then allow the RA to rely on that after "inspection"?
To what extent would this person be covered in a WT audit? I'm assuming these individuals would not; however, the overall process would be audited.