It is difficult for a web server that provides a web service on the Internet to perform encrypted communication based on mutual authentication with a server operated in a device on a local network (hereinafter, simply called “device”) through a web browser of a user. Specifically, there are the following three problems.
[1] The web browser (and a front end of the web server) cannot discover the device on the local network.
[2] The device does not have a regular server certificate. Therefore, the web browser (and the front end of the web server) cannot verify that the device on the local network is a reliable device.
[3] The device cannot control authentication and access for the web server and the user.
To solve the problem [1], the user determines the IP address of the device in advance, and the web server side is provided with a registration interface through which it learns that IP address. Once the IP address is set in the web server, the web server can access the device.
To solve the problem [2], the user launches a certification authority and generates a root certificate signed by the certification authority. The user registers the root certificate in the web browser as a reliable certificate. The user herself generates a server certificate signed by the certification authority and sets the server certificate in the device. As a result, the user can cause the web browser to recognize that the device is a reliable device.
To solve the problem [3], a user ID and a password can be set in advance in the device, and the access can be controlled by requiring ID/password authentication when the web browser accesses the device.
However, the user must perform manual configuration in every case, which is a problem in terms of usability. In addition, for the problems [2] and [3], the web server does not verify that the device is a legitimate device, and the device does not verify that the web server is a legitimate web server, respectively. Specifically, it is not verified that the web server and the device are each a server holding a server certificate issued by a regular certification authority. Therefore, a malicious user can easily cause the web server and the device to communicate even if one of the web server and the device is “evil”.
The main cause of the problem [2] is that the device does not have a reliable server certificate. However, the regular certification authority generally issues a certificate to a server with a globally accessible domain and with a clear management entity. A method in which the regular certification authority issues a regular server certificate to the device on the local network is not known.
An example of a related technique includes a method of issuing a certificate to a device. However, the technique is a method of issuing a client certificate for the device and is not a method of issuing a server certificate for safely accessing the device when the device behaves as a server.
When the device on the local network behaves as a server, the server has an IP address that belongs to a private address space and that can change. The related technique leaves problems unsolved, such as at what point in time a fixed name is assigned to the server and how a certificate is issued for that name.
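The workaround for the problem [2] and the changing private address noted above, as an added example that is not part of the original text: a throwaway certification authority issues a device certificate bound to a private IP address, and verification shows the certificate is accepted only where the user's own root is installed and only while the address is unchanged. It assumes the `openssl` command-line tool is installed; the function names, file names, subject names and `192.168.1.x` addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: workaround [2] with a throwaway CA (needs the openssl CLI).
# Directory layout, subject names and 192.168.1.x addresses are constructed.

# build_device_pki DIR IP: create a private root CA in DIR (the certificate the
# user registers in the browser by hand), then a device key, a signing request
# and a server certificate whose subjectAltName is the device's current IP.
build_device_pki() {
    dir=$1; ip=$2
    mkdir -p "$dir" || return 1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        'x509_extensions = v3_ca' '[dn]' 'CN = Constructed Home CA' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign' > "$dir/ca.cnf"
    printf 'subjectAltName = IP:%s\n' "$ip" > "$dir/dev.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=constructed-device" \
        -keyout "$dir/dev.key" -out "$dir/dev.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/dev.csr" -days 30 -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/dev.ext" \
        -out "$dir/dev.crt" 2>/dev/null
}

# Chain to the root the user installed AND match the address being contacted.
verify_with_user_root() {
    openssl verify -CAfile "$1/ca.crt" -verify_ip "$2" "$1/dev.crt" >/dev/null 2>&1
}

# Chain to the platform's default trust anchors only (no hand-installed root).
verify_with_default_store() {
    openssl verify -verify_ip "$2" "$1/dev.crt" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    build_device_pki "$d" 192.168.1.50 || return 1
    verify_with_user_root "$d" 192.168.1.50     && echo "user root, same IP:  accepted"
    verify_with_default_store "$d" 192.168.1.50 || echo "default trust store: rejected"
    verify_with_user_root "$d" 192.168.1.51     || echo "user root, new IP:   rejected"
    rm -rf "$d"
}
demo
```

Nothing in this chain ties the device certificate to a regular certification authority: any party can repeat the same steps with its own root, which is the gap the text describes.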