The invention relates generally to information certificate issuing apparatus and methods and more particularly to information certificate format converting apparatus and methods.
With the increase in electronic commerce and other information dissemination systems, the need to protect information has become critical. As a result, symmetric key cryptosystems and public key based cryptosystems have found increasing usage. As known in the art, data structures such as certificates are generated by a certificate issuing unit, referred to as a certification authority, that is trusted by entities communicating information. For example, in public key infrastructures, a certificate may be generated in a format consistent with the public-key certificate format defined in the specification commonly referred to as X.509 and formally known as ITU-T Recommendation X.509 ISO/IEC 9594-8, Information Technologyxe2x80x94Open Systems Interconnectionxe2x80x94The Directory: Authentication Framework. As known, such certificates include, among other things, the public key of an entity such as a software application, node in a network, stand alone processing unit, end-user or other entity, wrapped in a digital signature format by a private key of a certification authority. In known public key cryptographic systems, for example, digital signature key pairs (a private key and a public key) are used to create and authenticate a digital signature of a subscriber to ensure that a message sent by a subscriber actually came from the subscriber sending the message. In addition to digital signature key pairs, encryption key pairs are also generally used to encrypt and decrypt the data being sent from one subscriber to another subscriber. Certificates are generated by a certification authority for the public keys of the private/public key pair to certify that the keys are authentic and valid. Public keys and certificates are used for two main purposes: verifying digital signatures and encrypting information. In many cases, two separate key pairs are used to support these services. Specifically, one key pair is used to support digital signature generation and verification and the other key pair is used to support encryption and decryption. The receiver of a digitally signed e-mail or other documents, for example, uses the public key in the sender certificate to verify the digital signature of the sender. A user wishing to send encrypted e-mails or other information first encrypts the e-mail with a random symmetric key, then uses the intended receiver""s public key to encrypt the symmetric key and then attaches the encrypted symmetric key to the encrypted e-mail so that the receiver can decrypt the e-mail.
Other information security systems may allow each subscriber to generate certificates for one another. One example of such a system is based on pretty good privacy (PGP) technology as known in the art. These systems use differing certificate formats. A problem arises when subscribers that use certificates having different formats wish to communicate information. There is an incompatibility among certificate formats so that subscribers and certificate issuing units are only capable of analyzing a certificate format native to their security infrastructure. As such, a certificate validation engine cannot validate a certificate when the certificate has an unknown syntax.
Moreover, different versions of the same basic format, such as X.509 version 1, version 2 and version 3 certificates may include different information. As such, systems may require additional separate validation engines wherein one is dedicated to validate each different type of version of certificate. This is especially true where additional information may be present such as with version 2 or version 3 certificiates.
One mechanism for overcoming the incompatibility problem is to issue all users a plurality of different certificates in the different formats expected to be used among differing security information infrastructures. However, such a system may require an enormous amount of overhead and storage capabilities, particularly when hundreds of thousands of users may desire to communicate in such a system. Alternatively, incompatibility may be overcome by having all consumers of the certificates be able to validate all expected formats. Again, this may require that each subscriber have additional capabilities to provide validation of numerous different certificate formats. This again can add unnecessary overhead costs to each subscriber unit and further unnecessarily complicate the security operation of the subscriber.
Consequently, a need exists for a certificate issuing apparatus and method that facilitates compatibility among users of certificates having differing data structures and/or different syntaxes of certificate information. Such a system should provide suitable compatibility for any suitable certificate including public key certificates, non-public key certificates, verification certificates, encryption certificates, or other desirable certificates.