1. Field of the Invention
The present invention relates to an information processing apparatus that uses a digital certificate.
2. Description of the Related Art
Digital certificates (hereinafter referred to as “certificates”) used in, for example, encrypted communication contain information such as the issuer of the certificate, the validity expiration date of the certificate, the public key, the certifier, or algorithm information about the algorithm used to generate the public key. Information processing apparatuses determine whether a certificate used by the information processing apparatus has expired or has been revoked, and restrict the use of the certificate in a case where the certificate has expired or has been revoked (for example, Japanese Patent Application Laid-Open No. 2007-274060).
Hash algorithms and signature algorithms used in certificates are designed to prevent alteration of the certificates and provide safety in use of the certificates. For example, Rivest-Shamir-Adleman (RSA), Digital Signature Algorithm (DSA), and Elliptic Curve Digital Signature Algorithm (ECDSA), which are well-known signature algorithms, maintain safety based on the difficulty of a prime factorization problem or a discrete logarithm problem, so that it is difficult to acquire a secret key from a public key used in a certificate.
However, the safety of algorithms used in certificates is reduced over time because of the improvement in the capabilities of computers, mathematical advancements, and the like. For example, the National Institute of Standards and Technology (NIST) in the United States has set out guidelines about encryption algorithms used in the world, and has reported, for each algorithm and each key size, the time period for which the safety is supposed to be maintained. Using an algorithm and a key size beyond the reported time period increases the possibility of forgery of the certificate and leaking of the secret key.
According to the conventional techniques, information processing apparatuses determine whether a certificate for the information processing apparatus has expired, and use the certificate as long as the certificate has not expired. As a result, information processing apparatuses may keep using a certificate as long as the certificate is within its validity period even if the algorithm or the public key utilized in the certificate is beyond the guaranteed usable period. In other words, the conventional techniques check the validity expiration date of a certificate, but fail to check the usable period of the algorithm and the public key utilized in the certificate.
For example, even if an algorithm utilized in a certificate has a usable date up to 2010, a certificate having a validity expiration date of 2015 may keep being used until 2015. Currently, various types of software capable of generating a certificate are available worldwide, and an individual person can generate a certificate and a key pair (a pair of a certificate and a secret key). For a certificate and a key pair generated by an individual person, the validity expiration date is not always set for the certificate and the key pair in consideration of the usable dates of the algorithm and the public key. Some users may find updating a certificate and a key pair bothersome, and generate a certificate and a key pair with a long validity period set thereto. Acquiring such a certificate from an external apparatus and continuing to use it increases the possibility of forgery of the certificate and leaking of the secret key.
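The gap described above can be shown side by side with a check that also considers the usable period of the hash algorithm and the public key. The following is an added example, not part of the original document; the policy dates, the `CertInfo` fields and all function names are assumptions constructed for illustration and are not NIST's published values.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed policy tables (illustrative dates only).
HASH_USABLE_UNTIL = {"sha1": date(2010, 12, 31), "sha256": date(2030, 12, 31)}
# Per key algorithm: (minimum key bits, last usable date), ascending by size.
KEY_USABLE_UNTIL = {
    "rsa": [(1024, date(2010, 12, 31)), (2048, date(2030, 12, 31))],
    "ecdsa": [(224, date(2030, 12, 31))],
}

@dataclass(frozen=True)
class CertInfo:
    """Fields a certificate parser would extract (hypothetical structure)."""
    not_after: date   # validity expiration date
    hash_alg: str     # hash used in the signature
    key_alg: str      # public-key algorithm
    key_bits: int     # public-key size

def key_deadline(key_alg: str, key_bits: int) -> Optional[date]:
    """Deadline of the largest tier the key size reaches; None if below every tier."""
    deadline = None
    for min_bits, until in KEY_USABLE_UNTIL.get(key_alg.lower(), []):
        if key_bits >= min_bits:
            deadline = until
    return deadline

def usable_until(cert: CertInfo) -> Optional[date]:
    """Earliest of notAfter, hash deadline and key deadline; None if not in policy."""
    hash_until = HASH_USABLE_UNTIL.get(cert.hash_alg.lower())
    key_until = key_deadline(cert.key_alg, cert.key_bits)
    if hash_until is None or key_until is None:
        return None  # unknown algorithm or undersized key: fail closed
    return min(cert.not_after, hash_until, key_until)

def conventional_check(cert: CertInfo, today: date) -> bool:
    """Conventional technique: only the validity expiration date is checked."""
    return today <= cert.not_after

def extended_check(cert: CertInfo, today: date) -> bool:
    """Also enforces the usable period of the algorithm and the key size."""
    limit = usable_until(cert)
    return limit is not None and today <= limit

# Constructed sample: algorithm usable to 2010, certificate valid to 2015.
SAMPLE_CERT = CertInfo(date(2015, 12, 31), "sha1", "rsa", 1024)

if __name__ == "__main__":
    today = date(2012, 6, 1)
    print(conventional_check(SAMPLE_CERT, today), extended_check(SAMPLE_CERT, today))
```
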