IPTC Verified News Publisher Certificate Policy

When an organisation is approved as a Verified News Publisher, their Certificate may be added to the Verified News Publisher List. Applicants can submit a certificate they have obtained from a CA for inclusion on this list, provided they have met the following requirements:

1. The publisher has been accepted for a Verified News Publisher Credential issued by the IPTC, and the certificate’s validity period starts before or at the same time as the VNP Credential, and ends before or at the same time as the VNP Credential
2. The certificate has been issued by an certificate authority this list, and is issued with the certificate policies listed under each:
   • Truepic:
     • Any policy
   • GlobalSign:
     • Document Signing Policies: 1.3.6.1.4.1.4146.10.5
3. The certificate has been issued to the same organisation that is the subject of a valid Verified News Publisher Credential
4. The Subject Distinguished Name of the issued certificate must match the issued Verified News Publisher Credential, which is supplied in the “Self Certification Form” as part of the Verified News Publisher Application Procedure

To be considered for addition to the list of Eligible Certificate Authorities given above, the CA must conform to the following criteria:

1. The accepted certificate policies of the Certificate Authority MUST define a policy for the secure handling of private keys, and require that end-entities notify the CA in the event that keys are handled outside of this policy. Such a notification MUST trigger a revocation event.
2. The issuing CA MUST offer an OCSP responder service.
3. The accepted certificate policies of the Certificate Authority MUST include organisational identity validation (that this is a real organisation registered in a supported jurisdiction) and requestor authorisation validation (i.e. that the person requesting the certificate is acting on behalf of the organisation)