DirectTrust standards currently support a model in which a certificate can be unique to an individual Direct Address (Address Certificates) or to a collective, organizational domain (Organizational Certificates).
In either case, the organization must demonstrate ownership of the domain to be used in the Direct Address.
Address Certificates are bound to a single Direct Address. Any Address Certificate Subscriber must be identity-vetted (remotely or in person) to LoA3 standards, which can include inspection of a valid government-issued photo ID and/or utility/financial information.
Organizational Certificates are bound to a single domain, and all addresses under this domain may only be given to employees/affiliates of the same legal entity. Organizational Certificates must have a Trusted Agent named on the application (an identity-vetted individual at the organization), and the responsibility for validating the identities of the users in the organization falls on that Trusted Agent, or TA.