JP2003005640A - Apparatus and method for processing public key certificate - Google Patents

Abstract

PROBLEM TO BE SOLVED: To include a URL for intending advertisement, etc., in a public key certificate and make a client browse the URL. SOLUTION: A user inputs an accessed URL and the public key certificate of the client by using a web browser 302 at a client site 30. A certificate processing part 303 retrieves the description of a designated URL in the public key certificate of the client, accesses a designated server by using the designated URL and receives information such as a text, etc., from the designated server. The certificate processing part 303 sends a request for browsing to a server of the accessed URL and receives information such as a text, etc., from the server of the accessed URL.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a technique for processing a public key certificate, and more particularly, it enables a user to obtain predetermined designated information, for example, advertisement information when using the public key certificate, and eventually uses it. This allows people to use public key certificates at low cost or free of charge.

[0002]

2. Description of the Related Art A certificate is highly effective because it is used for confirming the identity of a user in a communication network such as the Internet and for encryption on a transmission line. On the other hand, there are obstacles that become popular due to the understanding of the certificate principle and cost.

Web such as EC (electronic commerce)
The site uses SSL / T with a certificate for server authentication.
LS (Secure Socket Layer / Tr)
Many of them are equipped with encryption of the transmission line by the ansport Layer Security), but S
In many cases, the conventional system that does not use SL / TLS is also prepared. In addition, there are few examples of using a personal certificate for client-side authentication instead of server authentication, and server authentication and passwords are mostly used. Due to the difficulty of understanding the principle of public key certificates and the cost of using them, personal public key certificates have not spread much.

[0004]

SUMMARY OF THE INVENTION The present invention has been made in consideration of the above circumstances, and an object thereof is to provide an environment in which public key certificates are easy to use.

[0005]

In order to achieve the above-mentioned object, the present invention adopts the constitution as set forth in the claims.

The present invention will be described below.

What has hindered the widespread use of certificates as described above is that the principle of certificates is difficult and the cost is burdened (the cost costs several thousand yen per year). The principle is difficult to change, so consider reducing costs. The format of the certificate is defined by ISO etc., but some fields are reserved for later expansion. In this portion, a URL for advertising / subscription / information provision window etc. is inserted, and the cost of issuing the certificate is reduced by the consideration. The browser / Web server / PKI (public key infrastructure) application side incorporates a mechanism for accessing and displaying the URL when the URL for this advertisement / application / information provision contact point, etc. Display the service provider etc. to the user.

Merits on the side of the user: The certificate issuance fee is 0 or cheaper than before. When the certificate is widely used, it can be used for user authentication / encryption of transmission path, for example, for enclosing the user, and if the usage increases as a result, a more sophisticated user interface can be developed. It is made more convenient.

Merit on the side of certification body: There is no cost demerit because the issue cost of the certificate can be passed on to the advertiser. By placing advertisements, the cost of using certificates will be reduced, and if the number of issued certificates increases, profits will increase and there will be merits. If convenience is improved, many applications will support certificates, which will increase the number of issued certificates and further increase profits.

Merits on the side of advertisement / application / information provision counter: The owner of the certificate, the person who has been presented with the certificate may access the URL in the certificate, and an advertisement is displayed for each access ( If you do things such as banner ads, the access will increase and the advertising effect will increase. In many cases, a certificate can assume a specific user group, so that it becomes possible to collect marketing / information that matches the user group. Also, if you use a personal certificate to access advertisements, you can clearly see "who" is accessing it and help identify the user group. Currently, only cookies are used and tracking is inaccurate, but if you use a certificate, you can reliably track. Although cookies can be prohibited or deleted, in the case of certificates, deletion is not performed because there are many demerits such as decryption of e-mail and access to the Web server itself when deleted. Further, it is possible to send the connection history, purchase history and the like customized for each user and send the customized information for each user. Further, since the personal certificate usually includes an e-mail address, it is possible to provide information by e-mail or the like to the individual based on the e-mail information.

The present invention will be further described. According to one aspect of the present invention, a public key certificate processing device in a client terminal: means for inputting a client public key certificate including a description of a predetermined URL and an access destination URL; UR specified above
A means for acquiring information from the predetermined URL based on the description of L; and a means for transmitting a predetermined request to the access destination URL are provided.

In this structure, a predetermined designated URL is used when accessing an arbitrary server from the client terminal.
Since the information is acquired from the information, the information such as advertisement can be automatically supplied to the user of the client terminal. Instead of browsing the advertisement or the like, the user can use the public key certificate at low cost or free of cost at the expense of the advertisement provider.

A predetermined URL may be included in the public key certificate for the server instead of the above public key certificate for the client.

The present invention can be realized not only as an apparatus or system, but also as a method, or a part of the method can be implemented as a computer program.

The above aspects of the invention and other aspects of the invention are set forth in the claims and are described in greater detail below using examples.

[0016]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiments of the present invention will be described below.

FIG. 1 shows a public key infrastructure to which the present invention is applied. In this figure, a certificate issuing center (certificate authority) 10 is based on a request from a user (both client and server). Issue a public key certificate. The server site 20 has a server such as a web server 201, and provides services such as document browsing in response to a request from the client site 30. In this example, S
It is premised on the processing in SL / TLS, but, of course, the processing without using the public key certificate or the like is also performed. The certificate issuing center 10, the server site 20, and the client site 30 are connected by a communication network 40 such as the Internet. The certificate issuing center 10 may store the public key certificate in an IC card or the like and send it to the user.
It may be transmitted via any secure transmission path via the communication network 40.

Here, the format of the public key certificate peculiar to this embodiment will be described. FIG. 2 shows an outline of this public key certificate. This public key certificate is a standard ITU-T Recommendation X.264. Similar to the 509-compliant public key certificate, the subject name, public key, etc. are added with the issuer's signature. Further, an arbitrary URL is described in this public key certificate. This URL is, for example, “https://www.publication.com”.
xxx. com / campaign / ”, which is determined by the certificate issuing center 10 based on its own standard or, if necessary, based on the information and wishes of the certificate issue requester. The issue of this public key certificate will be described later. This public key certificate applies not only to the client certificate but also to the server certificate. In some cases, it can be applied to certificates other than public key certificates, such as attribute certificates.

Returning to FIG. 1, the description will be continued. In FIG. 1, the certificate issuing center 10 is, for example, a web server 1
01, the application server 102, the database management system 103, etc. are connected to the LAN 104. The LAN 104 is connected to the communication network 40 via the router 105. Web server 101
Provides a user interface with the client site 30. The user of the client site 30 uses the user interface to request the certificate issuing center 10 to issue a public key certificate.
The application server 102 performs the selection of the URL to be inserted, the certificate issuing process, and the like based on the public key certificate issuance request sent from the client site 30.
The public key certificate is stored and managed in the certificate database 103a of the database management system 103, and the information for determining the URL to be inserted is stored and managed in the URL database 103b.

The server site 20 is the client site 3
It provides services such as web browsing based on requests from 0 users. At the server site 20, various servers such as a web server 201, a certificate processing unit 202,
A certificate storage unit 203 is provided. Certificate processing unit 2
Reference numeral 02 refers to the URL included in the public key certificate of the client sent from the client site 30 at the time of client certification, and provides the information of the URL to the client. Client site 3
If 0 has a similar processing function, this processing can be passed. This processing may not be performed.
This process will be described in detail later. Certificate storage section 2
Reference numeral 03 is for storing the public key certificate of the server in a secure state.

The client site 30 sends a service request to the server site 20, and also requests the certificate issuing center 10 to issue a public key certificate. The client site 30 has a client terminal 30
1, a web browser 302, a certificate processing unit 303, a certificate storage unit 304, etc. are provided. The client terminal 301 can be a personal computer, personal digital assistants, or any other information terminal. The web browser 302 is a normal agent software for browsing the web. Certificate processing unit 303
Is for performing processing related to the URL inserted in the public key certificate. This will be described in detail later. The certificate processing unit 303 can be provided as, for example, plug-in software of the web browser 302. The certificate storage unit 304 stores the public key certificate for the client in a secure state.

Next, the operation of this embodiment will be described in detail.

FIG. 3 shows the operation of the certificate issuance request at the client site 30. In this figure, the following processing is executed.

[Step S10]: The user of the client site 30 uses the web browser 302 to access the certificate issuing site of the certificate issuing center 10. [Step S11]: The document for requesting the certificate issuance is received, and the client information is input using the document. The requester information is other relevant information such as a subject name (distinguishing name), an electronic mail address, and the like. [Step S12]: Input information for selecting the designated URL. This information includes hobbies, occupations, types of specific destination URLs, and the like. The certificate issuing center 10 later searches the URL database 103b based on this information and selects a URL that is useful for business. [Step S13]: The input information is transmitted.

FIG. 4 shows the certificate issuing operation of the certificate issuing center 10. In FIG. 4, the following processing is executed.

[Step S20]: Client information is received from the client site 30. [Step S21]: UR from the client site 30
Receive L selection information. [Step S22]: The URL selection unit 111 (FIG. 1) is U
The URL database 103b is searched using the information for RL selection to determine the desired URL. The URL of the URL database 103b can be registered based on a request from the operator of the server who desires an advertisement or the like. For example, one URL related to "fishing" is selected for the public key certificate of a user whose hobby is "fishing". of course,
It is also possible to select a plurality of URLs and present the URLs in a round robin manner by a predetermined method. [Step S23]: The certificate issuing unit 112 (FIG. 1)
A public key certificate (FIG. 2) is generated using the requester information and the selection URL. [Step S24]: Register the certificate information and the certificate in the certificate database 103a.

Next, web access using a public key certificate will be described. First, a case where the certificate processing unit 303 of the client site 30 performs processing related to the public key certificate of the client certificate will be described with reference to FIG. The process related to the public key certificate of the server certificate will be described later in detail with reference to FIG. Further, the web browser of the client site 30 does not include the certificate processing unit 303 that conforms to the public key certificate (FIG. 2) of this embodiment,
A case where the access destination server (server site 20) performs the same processing will be described in detail later with reference to FIG. 7.

[Step S30]: At the client site 30, the user uses the web browser 302 to input the access destination URL and the public key certificate of the client. [Step S31]: The certificate processing unit 303 extracts the description of the designated URL of the public key certificate of the client. [Step S32]: The designated destination URL is used to access the designated destination server. [Step S33]: Information such as a document is received from the designated server. [Step S34]: A browsing request or the like is issued to the server of the access destination URL. [Step S35]: Information such as a document is received from the server of the access destination URL.

Next, the processing of the public key certificate of the server certificate will be described. In FIG. 6, the client site 3
When the certificate processing unit 303 of 0 receives the public key certificate of the server certificate from the access destination server, the certificate processing unit 303 performs the following processing.

[Step S40]: At the client site 30, the user uses the web browser 302 to input the access destination URL and the public key certificate of the client. [Step S41]: The client site 30 and the access destination server (server site 20) exchange the client certification public key certificate and the server certification public key certificate for mutual authentication. [Step S42]: The certificate processing unit 303 extracts the description of the designated URL included in the server certificate. [Step S43]: The designated destination URL is used to access the designated destination server. [Step S44]: Information such as a document is received from the designated server. [Step S45]: A browsing request or the like is issued to the server of the access destination URL. [Step S46]: Information such as a document is received from the server of the access destination URL.

In this method, the server of the access destination can allow the user to browse the desired site, and the fee or the like may be charged according to this.

Next, a case where the server site 20 (access destination server) processes a public key certificate will be described. This is effective when the client site 30 cannot process the public key certificate as described above. In FIG. 7, the server site 20 operates as follows.

[Step S50]: The web server 201 of the server site 20 receives the browsing request and the public key certificate of the client certificate. [Step S51]: Specified UR included in public key certificate
Take out the description of L. [Step S52]: Specify U on behalf of the client
Send the request to the designated server of the RL. Based on this request, the designated server of the designated URL provides the client with information such as a document. [Step S53]: Send the document of the own website to the client.

Next, the operation of the designated server will be described. In FIG. 8, the designated server operates as follows.

[Step S60]: The browsing request, access destination, and certificate information are received from the client site 30 (or another server site 20, step S52 in FIG. 7). [Step S61]: Information such as a document is selected based on one or both of the access destination and the certificate information. Instead of dynamically selecting information such as a document, it may be predetermined. [Step S62]: Information such as a document is transmitted to the client site 30. [Step S63]: The access count of the client (certificate owner) is cumulatively recorded. The previous document or the like may be selected by this cumulative recording.

FIG. 9 illustrates a typical flow of the operation of the embodiment described above. In this figure, first,
When the client site 30 tries to access the access destination, the certificate processing unit 303 refers to the certificate information and accesses the designated server (,). Since the designated server receives the certificate information and the information of the access URL, the document can be dynamically generated and the access of the client can be tracked. Further, by using the count of the number of times of access, the usage fee of the public key certificate may be charged / charged to the user who has not accessed a predetermined number of times.

After that, the web browser 302 of the client site 30 performs a normal operation and acquires information such as a document from the access destination server (,). The access destination server may dynamically change information such as a document according to the URL of the designated destination server.

[0038]

As described above, according to the present invention, it is possible to provide desired information to the user by including predetermined URL information in the public key certificate and using it. In return, public key certificates can be used at low cost or free of charge. It is also possible to perform access tracking and the like.

[Brief description of drawings]

FIG. 1 is a diagram showing an embodiment of the present invention as a whole.

FIG. 2 is a diagram illustrating an example of a public key certificate used in this embodiment.

FIG. 3 is a flowchart illustrating a certificate issuance request operation in a client terminal.

FIG. 4 is a flowchart illustrating a certificate issuing operation in a certificate issuing center.

FIG. 5 is a flowchart illustrating a web access operation of a client terminal.

FIG. 6 is a flowchart illustrating another web access operation of the client terminal.

FIG. 7 is a flowchart illustrating certificate processing in an access destination server.

FIG. 8 is a flowchart illustrating certificate processing in a designated server.

FIG. 9 is a diagram for explaining the overall operation of the above embodiment.

[Explanation of symbols]

10 Certificate issuing center 20 server sites 30 client sites 40 communication network 101 Web server 102 Application server 103 database management system 103a certificate database 103b database 104 LAN 105 router 111 URL selector 112 Certificate Issuing Department 201 Web server 202 Certificate processing unit 203 Certificate Storage Department 301 Client terminal 302 Web browser 303 Certificate processing unit 304 Certificate Store

   ─────────────────────────────────────────────────── ─── Continued front page    F term (reference) 5J104 AA09 AA16 EA05 LA06 MA01                       PA07

Claims (13)

[Claims] 1. A means for inputting a client public key certificate including a description of a predetermined URL and an access destination URL, and the predetermined URL based on the description of the predetermined URL of the client public key certificate. A public key certificate processing apparatus in a client terminal, comprising: a means for acquiring information from the client and a means for sending a predetermined request to the access destination URL. 2. The means for acquiring information from the predetermined URL transmits one or both of predetermined information of the public key certificate for the client and the access destination URL to the predetermined URL. A public key certificate processing device in a client terminal. 3. A means for sending a predetermined request to a server computer, and a predetermined URL from the server computer.
Means for receiving the public key certificate for the server including the description, means for obtaining information from the predetermined URL based on the description of the predetermined URL of the public key certificate for the server, and a predetermined means from the server computer. A public key certificate processing apparatus in a client terminal, comprising means for receiving a service. 4. The means for acquiring information from the predetermined URL transmits one or both of predetermined information of the server public key certificate and the access destination URL to the predetermined URL. A public key certificate processing device in a client terminal. 5. A means for receiving a request accompanied by a public key certificate including a description of a predetermined URL, and the predetermined UR as a browsing request from a client based on the description of the predetermined URL of the public key certificate.
A server computer comprising means for sending a browsing request to L and means for processing the request accompanied by the public key certificate. 6. A means for inputting information on an owner of a public key certificate to be issued, and information from a host device used by the owner when the public key certificate to be issued is used by the owner. A certificate issuing device comprising means for inputting a destination URL for transmitting an acquisition request and means for adding a signature to public key certificate information including the owner information and the destination URL. . 7. One or both of the predetermined information of the public key certificate for the client and the access destination URL transmitted from the public key certificate processing device in the client terminal according to claim 2, or the server. Information of the public key certificate for use and the above access destination URL
Means for receiving one or both of them together with a request from the client terminal, means for transmitting information to the client terminal in response to the request, predetermined information of the client public key certificate and the access destination URL. One or both, or a means for storing predetermined information of the server public key certificate and one or both of the access destination URLs, a server computer. 8. The predetermined information of the public key certificate for the client or the predetermined information of the public key certificate for the server is the information of the owner of the public key certificate, and the access is counted for each owner. The server computer according to item 7. 9. The server computer according to claim 8, wherein the usage fee of the public key certificate is calculated based on the counted number of accesses. 10. The server computer according to claim 9, wherein charging is performed when the number of times of access exceeds a predetermined value. 11. The predetermined information of the public key certificate for the client or the predetermined information of the public key certificate for the server is the information of the owner of the public key certificate, and the information of the owner and the access destination. The server computer according to claim 7, wherein access tracking is performed using a URL. 12. A step of inputting a client public key certificate including a description of a predetermined URL and an access destination URL, and the predetermined URL based on the description of the predetermined URL of the client public key certificate. And a step of sending a predetermined request to the access destination URL, a public key certificate processing method in a client terminal. 13. A step of transmitting a predetermined request to a server computer, a step of receiving a server public key certificate containing a description of a predetermined URL from the server computer, and a step of receiving the server public key certificate of the predetermined number. A public key certificate processing method in a client terminal, comprising: a step of acquiring information from the predetermined URL based on a description of the URL; and a step of receiving a predetermined service from the server computer.