1. Field of the Invention
The present invention relates to technology used in electronic commerce where principal certification is performed by using principal certificate information such as a password or digital data (biometric information) representing physical features of a principal.
2. Description of the Related Art
PKI (Public Key Infrastructure) exists as a method of certifying a principal in electronic commerce. In PKI, a certificate authority (hereinafter referred to as the CA) issues a secret key and a public key to a registered user. The user, when placing an order for a commodity or the like with a dealer, encrypts the electronic signature of the user with the secret key and sends it to the dealer together with the public key. The dealer confirms that the transmitted electronic signature can be decrypted with the public key, and verifies the user with the CA based on the public key to certify that the sender is the user himself/herself. PKI guarantees that information of the user transmitted on a network has not been falsified and that a third person has not impersonated the user.
In PKI, security on network paths is ensured by using a public key encryption method. However, if a third person steals the secret key of the user and uses it, PKI cannot determine whether the key is being used by the valid user or by an unauthorized third person. Therefore, in addition to PKI, a principal certificate is required that can reliably prove that it is the principal who is using the secret key. With a “word” such as the password, it is only possible to confirm that a person knows it; it is impossible to determine whether that person is the principal or another person.
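The limitation described above can be shown in a few lines. This is an added illustration, not part of the original document: it assumes Ed25519 signatures from Node.js's built-in `crypto` module, models the CA as an in-memory map, and uses constructed user ids and orders.

```javascript
// Added illustration: all names and the sample orders are constructed.
const crypto = require('crypto');

// The CA is modelled as a Map of userId -> registered public key (PEM).
function registerUser(ca, userId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  ca.set(userId, publicKey.export({ type: 'spki', format: 'pem' }));
  return privateKey;
}

// User side: sign the order and send it together with the public key.
function signOrder(privateKey, publicKeyPem, order) {
  const payload = Buffer.from(JSON.stringify(order));
  const signature = crypto.sign(null, payload, privateKey).toString('base64');
  return { order, signature, publicKeyPem };
}

// Dealer side: the key must be the one the CA registered for this user,
// and the signature must verify over the exact order bytes.
function dealerVerify(ca, msg) {
  if (ca.get(msg.order.userId) !== msg.publicKeyPem) return false;
  const payload = Buffer.from(JSON.stringify(msg.order));
  const key = crypto.createPublicKey(msg.publicKeyPem);
  return crypto.verify(null, payload, key, Buffer.from(msg.signature, 'base64'));
}

function demo() {
  const ca = new Map();
  const userKey = registerUser(ca, 'user-001');
  const pem = ca.get('user-001');
  const genuine = signOrder(userKey, pem, { userId: 'user-001', item: 'book', qty: 1 });

  // A third person holding a copy of the user's secret key.
  const copy = crypto.createPrivateKey(userKey.export({ type: 'pkcs8', format: 'pem' }));
  const withStolenKey = signOrder(copy, pem, { userId: 'user-001', item: 'camera', qty: 2 });

  // A third person using their own key pair while claiming the user's id.
  const other = crypto.generateKeyPairSync('ed25519');
  const otherPem = other.publicKey.export({ type: 'spki', format: 'pem' });
  const withOwnKey = signOrder(other.privateKey, otherPem, { userId: 'user-001', item: 'camera', qty: 2 });

  // The genuine message altered in transit.
  const tampered = { ...genuine, order: { ...genuine.order, qty: 100 } };

  return {
    genuine: dealerVerify(ca, genuine),             // true
    withStolenKey: dealerVerify(ca, withStolenKey), // true: indistinguishable
    withOwnKey: dealerVerify(ca, withOwnKey),       // false
    tampered: dealerVerify(ca, tampered),           // false
  };
}

console.log(demo());
```

Falsification and impersonation with a different key are both rejected, but an order signed with a copy of the user's secret key passes the same checks as a genuine one.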
Consequently, verification by biometric information has been proposed as an alternative certification method to the password. Biometric information is the physical features of the user transformed into data; typical examples are fingerprint, palm pattern, retina, iris, sign, voice or the like. By verifying the biometric information that the user inputs against the biometric information previously registered, it is possible to confirm that the person who has just input the biometric information is the user himself/herself.
A method disclosed in Japanese Patent Laid-open No. 2001-297269 (Patent Document 1) is known as a principal certification means using biometrics data. In this method, an orderer (user) sends his/her biometric information from an ordering terminal to an electronic commerce server of a dealer (order receiver) when an order is placed for the commodity. Then, the electronic commerce server sends the biometric information of the orderer to an identification terminal (verifying terminal) arranged in a store that the orderer specified as a receiving store. After that, when a recipient requests that a commodity be handed over, a store clerk obtains the biometric information of the recipient using the identification terminal and verifies it against the biometric information of the orderer, which has been sent from the electronic commerce server. Then, the store clerk hands over the commodity when the biometric information matches.
However, in such electronic commerce, biometric information must be passed to the dealer, and there is a danger that the biometric information will leak out by mistake. If the biometric information leaks out, there is a possibility that a third person will abuse it to place an unauthorized order or perform an unauthorized transaction by impersonation.
Further, because certification is performed by using the biometric information in the above-described electronic commerce, only the orderer himself/herself can receive the commodity, and there has been no means for an agent to receive the commodity when the orderer cannot receive it.
The present invention has been created in view of such problems. Its first object is to prevent without fail the abuse of certificate information such as the password and biometric information, which is exchanged on the network when performing electronic commerce, and the second object is to enable not only an orderer himself/herself but also an agent specified by the orderer himself/herself to receive a commodity or the like.