1. Field of the Invention
The present invention relates to an improved data processing system and, in particular, to a method and apparatus for multicomputer data transferring. Still more particularly, the present invention relates generally to computer-to-computer authentication.
2. Description of Related Art
Distribution of information across the Internet has continued to increase dramatically. Web-based and Internet-based applications have now become so commonplace that when one learns of a new product or service, one assumes that the product or service will incorporate Internet functionality into the product or service. New applications that incorporate significant proprietary technology are only developed when an enterprise has a significantly compelling reason for doing so. Many corporations have employed proprietary data services for many years, but it is now commonplace to assume that individuals and small enterprises also have access to digital communication services. Many of these services are or will be Internet-based, and the amount of electronic communication on the Internet is growing exponentially.
One of the factors influencing the growth of the Internet is the adherence to open standards for much of the Internet infrastructure. Individuals, public institutions, and commercial enterprises alike are able to introduce new content, products, and services that are quickly integrated into the digital infrastructure because of their ability to exploit common knowledge of open standards.
Concerns about the integrity and privacy of electronic communication have also grown with adoption of Internet-based services. Various encryption and authentication technologies have been developed to protect electronic communication. For example, an open standard promulgated for protecting electronic communication is the X.509 standard for digital certificates.
An X.509 digital certificate is an International Telecommunications Union (ITU) standard that has been adopted by the Internet Engineering Task Force (IETF) body. It cryptographically binds the certificate holder, presumably the subject name within the certificate, with its public cryptographic key. This cryptographic binding is based on the involvement of a trusted entity within the Internet Public Key Infrastructure for X.509 certificates (PKIX) called the certifying authority (CA). As a result, a strong and trusted association between the certificate holder and its public key can become public information yet remain tamper-proof and reliable.
An important aspect of this reliability is a digital signature that the certifying authority stamps on a certificate before it is released for use; a certifying authority certifies a holder's public key by cryptographically signing the certificate data structure. Subsequently, whenever the certificate is presented to a system for use of a service, its signature is verified before the subject holder is authenticated. After the authentication process is successfully completed, the certificate holder may be provided access to, i.e. authorized for, certain information, services, or other controlled resources.
Although PKI technology provides robust standards for secure communication, PKI technology has been adopted slowly. For example, in order to be truly useful, digital certificates must be widely available. To this end, the Certificate Management Protocol (CMP) of PKIX facilitates the publication of an issued certificate in an LDAP-based (Lightweight Directory Protocol) directory so that it can be retrieved for use by applications and security protocols. Immediate publishing of certificates to a public repository results in the immediate availability of those certificates for security-conscious services.
Another reason for the slow deployment of PKI technology is the complexity of PKI management. For example, two entities that exchange digital certificates during a secure transaction need to validate each other's digital certificate via a trust path. Administrative management and processing of information associated with these trust paths can be quite complex, and the deployment of a standard public key infrastructure is already hampered by the cost of the complexity of the public key infrastructure.
Therefore, it would be advantageous to have a method and system that simplifies the administrative processing associated with the trust paths that are required for valid use of digital certificates.