The Internet comprises a vast number of computers and computer networks that are interconnected through communication links. The interconnected computers exchange information using various services, such as electronic mail, Gopher, and the World Wide Web (WWW). The WWW service allows a server computer system (i.e., Web server or Web site) to send graphical Web pages of information to a remote client computer system. The remote client computer system can then display the Web pages. Each resource (e.g., computer or Web page) of the WWW is uniquely identifiable by a Uniform Resource Locator (URL). To view a specific Web page, a client computer system specifies the URL for the Web page in a request (e.g., a HyperText Transfer Protocol (HTTP) request). These follow the familiar format http://www.example.com uniquely identifying the particular resource. The request is forwarded to the Web server that supports that Web page to the client computer system. When the client computer system receives that Web page, it typically displays the Web page using a browser. A browser is a special-purpose application program that effects the requesting of Web pages and the displaying of Web pages.
The domain name system (DNS) is the world's largest distributed computing system that enables access to any resource in the Internet by translating user-friendly domain names to IP Addresses. The process of translating domain names to IP Addresses is called Name Resolution. A DNS name resolution is the first step in the majority of Internet transactions. The DNS is in fact a client-server system that provides this name resolution service through a family of servers called Domain Name Servers. The hierarchical domain space is divided into administrative units called zones. A zone usually consists of a domain (e.g., example.com) and possibly one or more sub domains (e.g., projects.example.com, services.example.com). The authoritative data needed for performing the name resolution service is contained in a file called the zone file and the DNS servers hosting this file are called the authoritative name servers for that zone. The DNS clients that make use of the services provided by authoritative name servers may be of two types. One type is called a stub resolver that formulates and sends a query every time it receives a request from an application that requires Internet service (e.g., a browser). The other type is called a caching (also called recursive/resolving) name server that caches the name resolution responses it has obtained from authoritative name servers and thus able to serve multiple stub resolvers.
Generally a web page's address or URL is made up of the name of the server along with the path to the file or the server. Rather than using a web hosting service's server name as their URL, most companies and many individuals and other entities prefer a “domain name” of their own choosing. In other words, the Ford Motor Company probably would prefer http://www.ford.com as its URL rather than, say, http://servername.com/.about.ford, where “servername” is the name of a Web hosting service whose server The Ford Motor Company uses. For this purpose then a “domain name,” e.g. “ford” can be registered, if available, and the hosting service will use that URL for its customer's web address.
As is well known, the Internet is used every day to execute a large number of transactions, many of which can be of a sensitive or confidential nature. Monetary transactions, for example, often involve the communication of sensitive financial data that should not be divulged to third parties. Other transactions may involve trade secrets, personal information, and the like, that should not be publicly available. When sensitive information is communicated via the Internet, in certain circumstances, it is sometimes possible for malicious third parties to access that information. Two common schemes for accessing such information involve 1) the malicious user creating a web site that imitates the identity of another, trusted, entity, and 2) a man-in-the-middle attack, where the malicious user intercepts the sensitive communication.
The first type of fraud involves the malicious operator of a web site hiding or obscuring their identity from their customers. Essentially, the operator of a web site takes advantage of the anonymity provided by the Internet, thereby making it difficult for customers to locate and punish a fraudulent web site operator. For example, a web site may purport to be from a known and trusted business when the web site is in fact operated by an unscrupulous individual. The malicious user may try to receive credit card numbers or pass off goods and services under another's trademark as part of their fraudulent scheme.
To increase the perceived validity of the malicious user's false web site, the malicious user may have inserted false information in the WHOIS database when registering their false domain name in order to hide their identity.
The second type of fraud involves malicious individuals intercepting confidential information, such as credit card numbers, transmitted over the Internet between a customer and a legitimate web site. This type of fraud is less common and can be prevented by transmitting confidential information only in a sufficiently strong encrypted format.
A common method for Internet businesses to protect their customers from these two types of fraud is to obtain a secure certificate, such as a Secure Sockets Layer (SSL) certificate, for their web sites. A secure certificate, once installed on a web site, lets customers know that the owner of the web site (that is, the holder of the certificate) has been verified by a trusted third party (e.g., a certificate authority or CA) and that confidential communications with the web site are or, at least, can be encrypted. SSL is a protocol for transmitting private documents via the Internet. SSL protects confidential information by using a private key to encrypt data transferred over an SSL connection. Many, many applications support the SSL protocol, and many web sites use the protocol to communicate confidential information with their customers.
When connecting to a web site using the SSL protocol, the customer's browser accesses the web site's security certificate and retrieves information regarding the certificate authority that issued the web site's security certificate. The browser may then decide whether or not to trust the web site's security certificate based on which certificate authority issued the web site's security certificate, as well as other information contained within the security certificate.
Before a formal SSL certificate can be issued, a certificate authority is required to sign off on the identity of the holder of the certificate. As such, the certificate authority is required to confirm that the individual or business listed in the subject field of the certificate actually exists and is accurately described within the certificate.