1. Field of the Invention
The present invention relates generally to an improved data processing system, and in particular, to a computer implemented method for enforcing the security of interactions between data processing systems. Still more particularly, the present invention relates to a computer implemented method, system, and computer usable program code for verifying and enforcing certificate use by an application in a data processing system.
2. Description of the Related Art
Applications executing on different data processing systems communicate with each other over data networks. Some of these data communications may have to include certain security mechanisms, such as encryption, digital signatures, and certificates.
Encryption is the process of transforming plain text using a cipher algorithm to create an encoded form of the plain text. In some data communications, security mechanisms based on encryption, such as digital signatures, may prevent repudiation of the communication by one or both parties. A digital signature provides a method of identifying and authenticating the author of a message or communication based on the digital signature of that message, in a manner analogous to a handwritten signature. A digital signature may also be used to prove that a message has not been modified since it was initially signed. In other data communications, the security mechanism is designed to ensure the identity of the data processing systems on each end of the data communication and to encrypt the data communication between the two communicating systems.
Further, in these solutions, a “digital certificate” is used to verify an identity of an entity, such as an identity of the user, or of a data processing system. A sender of a message may include a digital certificate with the message, so that the recipient can verify the identity of the sender.
For example, a digital signature using a digital certificate encrypts a message with a private key held by one and only one sending entity. Anyone holding the corresponding public key can validate the identity of the entity that generated the message. If the entity attempting to validate the signature does not have the required public key, the public key can be obtained from the digital certificate. This digital certificate may be carried with a message, such as in a WS-SecureConversation message exchange. Alternatively, the digital certificate may be already established in a local certificate store, as required by many applications, or may be optionally stored locally and exchanged with the messages, as with secure socket layer (SSL) negotiations. The digital certificate carries the binding of the public key to an entity's identity, the entity being the one that will be validated to have signed the message.
A digital certificate is also known simply as a certificate. Usually, a certificate itself is “signed” by a trusted third party, such as the issuer of the certificate, called a certificate authority (CA), which can attest to the identity of the holder of the certificate to some degree. The CA also assigns parameters for the validity of the certificate. These parameters include the certificate's issuance date and expiration date, and many other attributes. A certificate authority will not validate the identity and the key pair binding represented by the certificate beyond the expiration date of the certificate.
Certificates can be assigned to software applications as well as data processing systems. Software applications and data processing systems can use the certificates, and the keys bound to the certificates, for authentication, encryption, non-repudiation, and other uses.
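The issuance and expiration dates described above are what a check on an application's certificate acts on. The following Python example is added here for illustration and is not part of the original text; the application names, the 30-day renewal warning, the fail-closed handling of unreadable records, and the sample records (shaped like the dict returned by `ssl.SSLSocket.getpeercert()`) are assumptions.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample data: application name -> certificate fields, in the
# dict shape that ssl.SSLSocket.getpeercert() returns. All values are made up.
SAMPLE_CERTS = {
    "billing-app": {"notBefore": "Jan  1 00:00:00 2024 GMT",
                    "notAfter": "Jan  1 00:00:00 2025 GMT"},
    "reports-app": {"notBefore": "Jan  1 00:00:00 2023 GMT",
                    "notAfter": "Jun 30 23:59:59 2024 GMT"},
    "staging-app": {"notBefore": "Mar  1 00:00:00 2025 GMT",
                    "notAfter": "Mar  1 00:00:00 2026 GMT"},
    "portal-app": {"notBefore": "Jun  1 00:00:00 2024 GMT",
                   "notAfter": "Jun  1 00:00:00 2026 GMT"},
    "legacy-app": {"notBefore": "Jan  1 00:00:00 2024 GMT"},  # no expiry field
}

def _to_utc(cert_time):
    """Parse an OpenSSL-style certificate time string into an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def classify(cert, now, warn=timedelta(days=30)):
    """Place `now` relative to the certificate's validity window."""
    try:
        not_before, not_after = _to_utc(cert["notBefore"]), _to_utc(cert["notAfter"])
    except (KeyError, ValueError):
        return "unreadable"          # missing or malformed dates: fail closed
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"
    if not_after - now <= warn:
        return "expiring-soon"       # still usable, but flag for renewal
    return "valid"

def audit(certs, now):
    """Return (state per application, applications whose certificate must not be used)."""
    states = {app: classify(cert, now) for app, cert in certs.items()}
    blocked = sorted(a for a, s in states.items() if s not in ("valid", "expiring-soon"))
    return states, blocked

if __name__ == "__main__":
    states, blocked = audit(SAMPLE_CERTS, datetime.now(timezone.utc))
    for app, state in states.items():
        print(f"{app:12} {state}")
    print("blocked:", ", ".join(blocked))
```

Passing a fixed `now` makes the result reproducible; a date check like this does not replace verifying the CA's signature on the certificate.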