The present invention relates to a system which uses a network for providing services. The present invention also includes apparatuses and program products constituting the system. The present invention relates in particular to a certificate validity checking method and apparatus, especially for use in a system using certificates based on a public key.
A method of providing services in a system using a network is disclosed in Japanese Published Unexamined Patent Application No. 2000-123095. In this publication, a technique is disclosed which defines many different types of electronic tickets for general purpose use to provide services.
A recent major trend in electronic commerce and communications is toward authentication processing using public-key-based certificates (hereinafter referred to as public key certificates or simply as certificates), and communication encryption processing.
On an electronic certificate, there are provided an issuance date, an expiration date, the signature of the issuer, and the like, in addition to information concerning the subject (the certified party) of the certificate. Within that effective period, the certificate itself is, in principle, valid.
However, it may become necessary to nullify the certificate during its effective period, for example because the secret key corresponding to the certificate has been lost or stolen, or because the subject has left the company. This is called certificate nullification (revocation) processing. An authentication station (certificate authority) periodically (e.g., twice per day) prepares and stores a nullification list containing the serial numbers of certificates that became null during their effective period. The nullification list is called a CRL (Certificate Revocation List) in RFC (Request for Comments) 2459 of the IETF (Internet Engineering Task Force).
In applications using certificates (Web servers, clients, encrypted mail), the validity of a certificate cannot be confirmed without information about whether the certificate has been nullified. As a method of checking a certificate for validity (certificate validity checking method), a method has been employed by which users obtain a CRL by some means (periodic distribution by the authentication station to users, or access to the authentication station by users) and confirm the validity of the certificate by confirming that the certificate to be checked does not appear in the CRL.
In applications using a CRL distributed by an authentication station, the application itself must parse the CRL data and search it to determine whether a certificate is nullified.
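The CRL-based check described above, as an added example in Go using only the standard library's crypto/x509; this is illustrative code, not part of the application or of any referenced product. A CA, two certificates it issued and a CRL listing the second one are constructed inline (the CA name, the serial numbers 1001 and 1002, the 24-hour certificate lifetime and the 12-hour CRL lifetime are assumptions). The check confirms the certificate's effective period and issuer, the authentication station's signature on the CRL, and the CRL's thisUpdate..nextUpdate window before it searches the list for the serial number, since a list that is unsigned or stale proves nothing:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Status mirrors the OCSP status values. For a CRL-based check "good" means
// only "not on the list", not "this serial number was ever issued".
type Status string

const Good, Revoked, Unknown Status = "good", "revoked", "unknown"

// VerifyCRL parses a DER CRL, checks the CA's signature on it (otherwise anyone
// could hand the application an empty list and "un-revoke" a stolen key) and
// rejects a list outside its thisUpdate..nextUpdate window (a stale list lacks later nullifications).
func VerifyCRL(ca *x509.Certificate, der []byte, now time.Time) (*x509.RevocationList, error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return nil, fmt.Errorf("CRL not signed by this CA: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return nil, errors.New("CRL is not current")
	}
	return crl, nil
}

// CheckWithCRL is the application-side method from the text: the application
// verifies the certificate and the CRL itself, then searches the list for the serial.
func CheckWithCRL(cert, ca *x509.Certificate, crlDER []byte, now time.Time) (Status, error) {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return Unknown, errors.New("certificate outside its effective period")
	}
	if err := cert.CheckSignatureFrom(ca); err != nil {
		return Unknown, fmt.Errorf("certificate not issued by this CA: %w", err)
	}
	crl, err := VerifyCRL(ca, crlDER, now)
	if err != nil {
		return Unknown, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return Revoked, nil
		}
	}
	return Good, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildScenario returns constructed material (assumed names and serials): a CA,
// two certificates it issued, and the CA's CRL, current for 12 hours, listing
// the second certificate after its secret key was reported stolen.
func BuildScenario() (ca, alice, bob *x509.Certificate, crlDER []byte, now time.Time) {
	now = time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, SubjectKeyId: []byte{1, 2, 3, 4},
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is needed to sign the CRL
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	issue := func(serial int64, cn string) *x509.Certificate {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))))
	}
	alice, bob = issue(1001, "alice"), issue(1002, "bob")
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: bob.SerialNumber, RevocationTime: now}},
	}
	crlDER = must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))
	return
}

func main() {
	ca, alice, bob, crl, now := BuildScenario()
	fmt.Println(CheckWithCRL(alice, ca, crl, now)) // good <nil>
	fmt.Println(CheckWithCRL(bob, ca, crl, now))   // revoked <nil>
}
```

The order of the checks matters: the serial-number search is only meaningful once the CRL is known to come from the authentication station and to be current, which is why a stale or foreign CRL yields "unknown" rather than "good".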
OCSP (Online Certificate Status Protocol), specified in RFC 2560 of the IETF, lessens the load on applications: it defines a protocol for inquiring of an OCSP responder whether a given certificate is valid.
The responder obtains and manages the nullification list issued by the authentication station, so that applications can use the validity checking protocol (OCSP) to check validity without themselves searching the nullification list.
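The responder/application exchange described above, as an added example in Go that is not part of the application or of any OCSP implementation. It models the roles only: the real protocol encodes its messages in ASN.1 and identifies the certificate by issuer hashes plus serial number, whereas this model keeps the serial, the status, the validity window and the nonce, which are what the checks depend on. The responder's signing key, the nullified serial "1002", the one-hour answer lifetime and the 16-byte nonce are assumptions. The point a practitioner wants to see is that the application must still verify the responder's signature, match the answer to its own request (fresh nonce, so an old "good" answer for a key revoked since cannot be replayed) and respect the answer's validity window; it has merely stopped parsing the list itself:

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Request and Response model the OCSP messages (the real ones are ASN.1, RFC 2560).
type Request struct {
	Serial string
	Nonce  []byte // fresh per request; the response must echo it
}

type Response struct {
	Serial     string
	Status     string // "good" or "revoked"
	ProducedAt time.Time
	NextUpdate time.Time // after this the answer may not be reused
	Nonce      []byte
}

// SignedResponse carries the exact bytes that were signed, so the client verifies first and parses second.
type SignedResponse struct {
	Body, Signature []byte
}

// Responder holds the serial numbers from the CA's nullification list and the key it
// signs answers with. Which key is entitled to sign is a trust decision outside this model.
type Responder struct {
	Key     *ecdsa.PrivateKey
	Revoked map[string]bool
}

func (r *Responder) Handle(req Request, now time.Time) (SignedResponse, error) {
	status := "good" // for a CRL-backed responder this only means "not on the list"
	if r.Revoked[req.Serial] {
		status = "revoked"
	}
	body, err := json.Marshal(Response{req.Serial, status, now, now.Add(time.Hour), req.Nonce})
	if err != nil {
		return SignedResponse{}, err
	}
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, r.Key, digest[:])
	return SignedResponse{body, sig}, err
}

// NewRequest is the application side of the exchange: a fresh nonce per query
// stops an attacker replaying an old "good" answer for a key revoked since.
func NewRequest(serial string) (Request, error) {
	nonce := make([]byte, 16)
	_, err := rand.Read(nonce)
	return Request{serial, nonce}, err
}

// Verify accepts an answer only if it is signed by the trusted responder key,
// answers this very request (serial and nonce match) and is still current.
func Verify(pub *ecdsa.PublicKey, req Request, sr SignedResponse, now time.Time) (string, error) {
	digest := sha256.Sum256(sr.Body)
	if !ecdsa.VerifyASN1(pub, digest[:], sr.Signature) {
		return "unknown", errors.New("response not signed by the trusted responder")
	}
	var resp Response
	if err := json.Unmarshal(sr.Body, &resp); err != nil {
		return "unknown", err
	}
	if resp.Serial != req.Serial || !bytes.Equal(resp.Nonce, req.Nonce) {
		return "unknown", errors.New("response does not answer this request (replayed?)")
	}
	if now.Before(resp.ProducedAt) || now.After(resp.NextUpdate) {
		return "unknown", errors.New("response is not current")
	}
	return resp.Status, nil
}

// NewDemoResponder builds constructed material: a fresh key and a revoked set
// standing in for the CA's list, with serial "1002" nullified.
func NewDemoResponder() *Responder {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Responder{Key: key, Revoked: map[string]bool{"1002": true}}
}

func main() {
	r := NewDemoResponder()
	req, _ := NewRequest("1002")
	sr, _ := r.Handle(req, time.Now())
	fmt.Println(Verify(&r.Key.PublicKey, req, sr, time.Now())) // revoked <nil>
}
```

Every rejection path returns "unknown" with an error rather than "good": a validity check that fails closed is the whole value of moving the work to a responder, since an application that accepted an unsigned or replayed answer would be worse off than one that searched the CRL itself.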