1. Field of the Invention
The present invention relates to systems and methods for securing transmission and receipt of electronic data, and in particular to a method and system providing a web-based digital certificate authority.
2. Description of the Related Art
In recent years, the use of the internet and other electronic communication and message transfer methods have become widespread. While these communication methods have numerous advantages, they are vulnerable to unauthorized tampering. Persons transmitting electronic messages must be assured that their messages are not opened or disclosed to unauthorized persons. Further, the addressee of the electronic message should be certain of the identity of the sender and that the message was not tampered with at some point during transmission. Many methods have been developed to secure the integrity of electronic messages during transmission. Simple encryption is the most common method of securing data. Both secret key encryption such as DES (Data Encryption Standard) and public key encryption methods which use both a public and a private key are implemented.
Although public and private key encryption methods allow users to send internet and e-mail messages without concern that the message will be read by unauthorized persons or that its contents will be tampered with, key cryptographic methods alone do not protect the receiver of the message. That is, they do not allow the recipient to authenticate the validity of the public key or to validate the identity of the sender of the electronic message.
One method for validating the authenticity of a public key is the use of digital certificates. A digital certificate is a signed document attesting to the identity and public key of the person signing the message. Digital certificates prevent impersonation using a phony key pair.
Digital certificates are issued by a digital certificate authority (CA). Certificate authorities typically run in a trustworthy manner and are highly secure. Consequently, although they provide a high degree of security, they are difficult and expensive to implement, and are therefore unsuitable for widespread application, particularly where near-bulletproof security is not necessary or desired. Consider, for example, a driver""s license and an auto club card. Both are analogous to a xe2x80x9ccertificatexe2x80x9d in the sense that they certify to a certain extent that the person in possession of the card is who they say they are. The driver""s license is issued by a trusted xe2x80x9ccertificate authorityxe2x80x9d (the state department of motor vehicles), and is therefore globally accepted (by the issuing CA and all instances that trust the issuing CA) as a genuine indication of the bearer""s identity. The auto club card is issued by a xe2x80x9clocalxe2x80x9d certificate authority (the auto club itself), and is not globally accepted as a genuine indication of the bearer""s identity and his attributes (i.e. gold membership). However, for the auto club""s purposes, it is sufficient to show that the bearer has paid for the auto club""s services, and from the auto-club""s perspective, is adequate to permit transactions between the bearer and the club.
Digital libraries and other vendors who could benefit from the user of digital certificates are currently faced with the choice of either using a third party CA""s services or developing their own CA. Using a third party CA minimizes development costs, but does not allow the vendor to customize the CA to meet its particular requirements. Also, third party CAs generally provide much more security and overhead than is desired or needed, and at a higher cost. Vendors may develop their own CA with certificate toolkits, but the vendor must program everything on its own, and this can be a daunting and expensive task for most. What is needed is a digital certificate authority that provides a less trusted, but more easily implemented indication of identity, and one which allows for easy vendor customization. The present invention satisfies that need.
To address the requirements described above, the present invention discloses a method, apparatus, and article of manufacture for issuing digital certificates.
The method comprises the steps of accepting a digital certificate request from a client in a web server, the digital certificate request comprising at least one client parameter, passing the client parameter to a user exit external to the servlet to determine if a digital certificate should be issued to the client, and if the external processing module indicates that the digital certificate should be issued to the client, transmitting the digital certificate to the client. The article of manufacture comprises a data storage device tangibly embodying instructions to perform the method steps described above.
The apparatus comprises means for accepting a digital certificate request with client parameters from a client in a web server, means for passing the client parameter to an external processing module to determine, among other things, if the digital certificate should be issued to the client, for creating certificates, and a means for transmitting the digital certificate to the client.