1. Technical Field
This invention relates generally to digital certificates issued by a certification authority, digital signatures, and public key cryptography, all of which are part of a security infrastructure for on-line transactions. More particularly, this invention relates to the local hosting of services related to such digital certificates, including, for example, issuing new digital certificates, verifying existing digital certificates, and revoking compromised digital certificates.
2. Background Art
As a result of the continuous development of new technologies, particularly in the areas of computer networks and communications, the use of large computer networks, such as the Internet, is becoming more widespread. This has resulted in an increase in electronic commerce and other electronic transactions conducted over these networks, with a corresponding need for security for these transactions.
Public key cryptography, as described in Bruce Schneier, Applied Cryptography (John Wiley and Sons, Inc., New York, 1996), is one technology addressing this need for security. A PKI (public key infrastructure) is based on assigning key pairs to entities. Each key pair includes a private key and a public key. Either key may be used to encrypt a message; the other key must be used to decrypt the message. The private key is securely held by the entity to which it is assigned, while the public key is made widely available.
The use of these key pairs addresses many of the inherent security problems in an open network such as the Internet. However, without more, two significant problems remain. First, parties must be able to access the public keys in an efficient manner. Second, since communications and transactions are secured by the key pairs and entities are associated with their public keys, there must be a secure method for third parties to verify that a certain public key corresponds to a certain entity.
Digital certificates are one method for addressing both of these problems. A trusted third party, commonly known as a certification authority, issues digital certificates to subscribers. Each digital certificate typically includes the subscriber's public key along with other information about the subscriber. The certification authority "digitally signs" the digital certificate, thereby securing its contents against subsequent tampering. Third parties who wish to verify that a certain public key corresponds to a certain subscriber may do so by examining the corresponding digital certificate.
Digital certificates, therefore, form a significant part of the PKI, and significant resources are required to maintain this infrastructure. For example, new digital certificates are constantly being issued, compromised digital certificates must be revoked, and third parties must be able to efficiently locate and verify another party's digital certificate.
In a prior art approach, these digital certificate services are provided by a central server operated by a certification authority. Clients who desire digital certificate services submit a request to the central server, which processes and fulfills these requests.
One disadvantage of this approach is that the central server alone performs the vast majority of the processing required to fulfill the requests received from clients. In a typical scenario, a certification authority may be responsible for providing digital certificate services to millions of clients, either directly or indirectly through intermediate certification authorities. Even with current processors, the computing resources required to provide this volume of services are significant. This is especially true since digital certificate services are highly confidential by nature and, therefore, significant resources are required to adequately secure the certificate services. In other situations, such as on-line advertising or on-line search engines, the central server bottleneck may be solved in part by establishing mirror sites of the central server. This approach, however, is significantly less attractive for the case of digital certificate services because the security requirements make the establishment of mirror sites significantly more difficult.
Another disadvantage concerns affiliates of the certification authority. In many instances, an entity other than the certification authority would like to appear as the provider of digital certificate services, with the actual provider (i.e., the certification authority) being invisible to the end user. Such entities shall be referred to as affiliates. For example, an affiliate may be a credit card company which issues digital certificates to its card holders, but contracts with the certification authority to actually provide the required digital certificate services. Under the prior art approach, this is difficult to achieve because the affiliate's customers interact directly with the certification authority's central server which, for efficiency reasons, typically provides the same interface to each customer. For example, the central server's interface might include the certification authority's logo but typically would not include the affiliate's logo or other customizations desired by the affiliate. In certain situations, the affiliate's customer may actually be confused because the interface is clearly associated with the certification authority, whereas the customer believes that his digital certificate services are provided by the affiliate.
As a result, there is a need for a capability to enable the local hosting of digital certificate services, for example, on local servers operated by affiliates of a certification authority.
In accordance with the present invention, a method for having a local server (202) locally host the provision of digital certificate services to a client (102) includes the following steps. Preferably in response to the client's (102) request for digital certificate services, the local server (202) transmits (304) a custom entry form (210) to the client (102). In response to the client's (102) use of the custom entry form (210), the client (102) transmits (306) a standard request for digital certificate services to a central server (104). The central server (104) fulfills (310) the request, generating a standard response. The standard response is transmitted (312) to the local server (202), which generates (314) a custom display of the results contained in the standard response. The custom display is transmitted (316) to the client (102), fulfilling the client's request. Information is provided (320,330), enabling the local server (202) to create (322) appropriate custom entry forms (210) and to generate (314) the custom display from the standard response.
In further accordance with the present invention, a computer readable medium contains such information. The information preferably includes model entry forms (FIG. 4) which query for data included in the standard request. The custom entry forms (210) are based on the model entry forms. The information preferably also includes model templates for displays. The model templates have placeholders for the actual data to be included in the displays. The custom display is based on the model template, and the information may also include a software program (212) to insert the actual data into the placeholders.
In another aspect of the invention, a method for having a local server (202) locally host the provision of digital certificate services to a client (102) includes the following steps. The local server (202) transmits (804) a custom entry form (610) to the client (102). In response to the client's (102) use of the custom entry form (610), the client (102) transmits (806) a custom request for digital certificate services to the local server (202). The local server (202) generates (808) a standard request from the custom request and transmits (810) the standard request to a central server (104), which fulfills (810) the request, generating a standard response. The standard response is transmitted (816) to the local server (202), which generates (818) a custom display of the results contained in the standard response. The custom display is transmitted (820) to the client (102), fulfilling the client's request. Information is provided (320,330), enabling the local server (202) to generate (808) standard requests from custom requests and to generate (818) the custom display from the standard response.
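The following sketch is an added illustration, not part of the patent text or of any implementation it describes. It shows how a local server might perform steps 808 and 818: an allowlisted mapping from custom form fields to a standard request, and placeholder substitution into a custom template with output escaping. The field names, operation names, `{{name}}` placeholder syntax and dictionary-based request and response formats are all assumptions.

```python
import html
import re

# Assumed mapping from an affiliate's custom form field names to the
# central server's standard request fields (all names are hypothetical).
FIELD_MAP = {"cardholder_name": "common_name",
             "cardholder_email": "email",
             "action": "operation"}
ALLOWED_OPERATIONS = {"enroll", "verify", "revoke"}
PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def to_standard_request(custom_request):
    """Step 808: build the standard request from a custom request."""
    unknown = set(custom_request) - set(FIELD_MAP)
    if unknown:
        raise ValueError(f"unexpected form fields: {sorted(unknown)}")
    standard = {FIELD_MAP[k]: v.strip() for k, v in custom_request.items()}
    if standard.get("operation") not in ALLOWED_OPERATIONS:
        raise ValueError("unsupported operation")
    return standard


def render_custom_display(template, standard_response):
    """Step 818: insert response data into the template's placeholders."""
    def fill(match):
        name = match.group(1)
        if name not in standard_response:
            raise KeyError(f"template placeholder with no data: {name}")
        # Escape every value: response fields can echo client-supplied input.
        return html.escape(str(standard_response[name]))
    return PLACEHOLDER.sub(fill, template)


# Constructed sample data, not taken from the patent.
CUSTOM_TEMPLATE = ("<h1>Example Card Co.</h1>"
                   "<p>Certificate for {{common_name}}: {{status}}</p>")
SAMPLE_FORM = {"cardholder_name": " Alice <b>Example</b> ",
               "cardholder_email": "alice@example.com",
               "action": "verify"}

if __name__ == "__main__":
    request = to_standard_request(SAMPLE_FORM)
    # Stand-in for the central server's standard response (steps 810-816).
    response = {"common_name": request["common_name"], "status": "valid"}
    print(render_custom_display(CUSTOM_TEMPLATE, response))
```

Rejecting unmapped form fields and escaping every substituted value keeps affiliate-specific customization from becoming a path for injecting content into the standard request or the rendered display.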
The present invention has many advantages. For example, the local hosting of certificate services allows some of the processing required for digital certificate services to be off-loaded from the central server (104) to local servers (202). This is especially advantageous because the central server (104) typically must have a certain degree of complexity in order to meet the security requirements associated with digital certificate services. The off-loading of functions which do not require this degree of complexity allows the capabilities of the central server (104) to be used more efficiently.
The off-loading of functions to local server (202) also allows a fair amount of customization. For example, the entry forms and displays may be customized by each local server (202). Hence, they are referred to as "custom" entry forms and displays above. In addition, the local hosting may be implemented so that the client (102) appears to interact solely with local server (202), giving the appearance that local server (202) rather than central server (104) is providing the digital certificate services.