The present invention relates to a public key certificate issuing technique and a technique for verifying the validity of the public key certificate in the public key infrastructure (PKI).
When transmitting digital data such as an electronic document, a signature and a public key certificate of the transmitting person are added to a subject data. A receiving person checks the digital signature (hereinafter, referred to simply as signature) and the public key certificate added to the received data so as to determine whether the transmitted data has not been altered and whether the data has been transmitted from the transmitting person.
Public key certificate issuing and its validity validation are performed on the public key infrastructure and their standard specifications are defined in RFC2459 (Internet X.509 Public Key Infrastructure Certificate and CRL Profile), RFC2510 (Internet X.509 Public Key Infrastructure Certificate Management Protocols), and the like.
As indicated in the configuration models of RFC2459 (chapter 3) and RFC2510 (1.3), a certificate authority has two main works: a registration work and an issuing work.
The registration work includes registration and examination of a user which are performed in a registration authority.
The issuing work includes issuing of a public key certificate to the user who has been registered, which work is performed by an issuing authority.
It should be noted that in RFC2459 and RFC2510, the authority performing the issuing work is defined as a certificate authority. However, in this Specification, an authority performing the issuing work is defined as an issuing authority. That is, the certificate authority is defined to consist of the registration authority and the issuing authority.
Since the issuing work requires a secured installation and equipment, it is necessary to pay a high maintenance fee and construction fee. For this, an organization to organize a certificate authority may entrust (hereinafter, referred to as outsourcing) the issuing work processing to an external organization (hereinafter, referred to as outsourcing).
Conventionally, two methods have been used for outsourcing the issuing work.
In Method 1, an organization constructing a certificate authority performs identification and examination of an end entity (EE) as an end user by its own registration authority while outsourcing issuing authority works (operation of installation and equipment, and management of issuing authority). An outsourced agency acts for public key certificates of a plurality of registration authorities. Here a secret key of the outsourced agency is used for issuing a public key certificate and the outsourced agency name is described as a public key certificate issuer.
In Method 2, an organization constructing a certificate authority performs registration authority work by its own registration authority while outsourcing issuing authority works such as management of equipment to an outside agency. In the outsourced agency uses an issuing authority equipment and a secret key for each of the certificate authorities. For example, an issuing authority and an issuing authority secret key are provided for each of the different authorities. In this case, the organization name (registration authority manager name) constructing the certificate authority (registration authority manager) name is described as the public key certificate issuer.
For example, the aforementioned two methods are used by Japan Certification Services Inc. (JCSI) which provides a certificate issuing service called SecureSign. The JCSI “SecureSign public service standard rule (V1.0)” (JCSI SecureSign is a registered trademark of the Japan Certificate Service), page 5 has a description as follows.
The SecureSign is divided into two types of services: a “public service” and a “private service”. In case of the private service, the certificate policy and CPS (certificate practice statement) are determined by a customer and is disclosed on a network domain required by the customer. On the other hand, in case of the public service, the JCSI is the certificate issuer of the public service and signs the certificate.
When the issuing work and the registration work are performed by different organizations, there is a problem that the responsibility ranges of the issuing authority and the registration authority are not clear, although their responsibility ranges are defined by the Certificate Practice Statement (hereinafter, referred to as CPS). However, when a problem arises in the issued public key certificate (for example, an error is contained in the description items), internal data (log and the like) of the issuing authority and the registration authority should be checked to determine who is responsible. This is not easy and requires quite a time.