The present invention relates to automated public key certificate transfer.
Public key cryptography uses public-private key pairs for electronic signatures, electronic signature verification and encryption and decryption of data for security during electronic transmission. In simple terms, a public key owned by an individual receiving the data (the “recipient”) is used by a sender to encrypt the data. The recipient then uses the recipient's corresponding private key to decrypt the data. In order to encrypt the data, the sender must have access to the recipient's public key.
When electronically signing data, a sender signs the data using the sender's private key, an operation that can involve using the private key to encrypt a “cryptographic hash” of the data that is being signed, and then making available to the recipient the signed data and the encrypted hash (the “signature”). The recipient verifies the signature by computing a new hash over the data using the sender's public key, decrypting the encrypted hash of the signature and comparing the two hashes. If the hashes match, then the data integrity is proven.
Typically, a public key for another individual (the sender for example) is obtained by obtaining the individual's public key certificate directly or indirectly from that individual. A certificate is an electronic data object including a public key, and can be issued by a trusted third party, a certificate authority, that verifies the identity of the certificate holder. The certificate can also include the name of the certificate authority and the name of the individual or entity for whom the certificate is issued. The recipient of another individual's certificate should take steps to verify the trustworthiness or authenticity of the certificate, which can then be added to a personal certificate database for later use. The recipient of an electronically signed document can verify the identity of the sender (signer) by verifying the certificate of the sender.
Currently, there are a number of ways to obtain someone's certificate, some of which are covered by standards issued by the Internet Engineering Task Force public-key infrastructure (X.509) working group (IETF-PKIX). For instance, the certificate can be found in a searchable database on a server. Such a server would typically be provided and managed by a trusted party that undertakes to ensure the validity of the database's contents, including the certificates it contains.
A certificate owner can also manually include the certificate as an attachment to an e-mail message sent to a recipient. This requires the owner to place the certificate into a file that will be attached to the e-mail message, and the recipient must manually add the certificate to a personal certificate database for later use.