JP2017103614A - Electronic certificate management system, electronic certificate utilization terminal, and electronic certificate management method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an electronic certificate management system, an electronic certificate utilization terminal suitable for the electronic certificate management system, and an electronic certificate management method that are capable of further improving reliability of an electronic certificate.SOLUTION: An authentication gateway 30 issues an electronic certificate on the basis of application information and manages the issued electronic certificate. The authentication gateway 30 comprises: a corporation information determination unit 33 that acquires corporation information and a specified corporation number included in the application information from the application information, and determines validity of the corporation information included in the application information on the basis of the degree of agreement between corporation information acquired from a corporation information management device as one corresponding to the specified corporation number and the corporation information included in the application information; a certificate issue unit 36 that issues an electronic certificate based on the application information correspondingly to a result of the corporation information determination unit 33 determining that the corporation information included in the application information is valid; and a history registration unit 42 that registers, as a history, the issue of the electronic certificate in a history DB 453.SELECTED DRAWING: Figure 4

Description

  The present invention is suitable for use in an electronic certificate management system that issues and manages an electronic certificate that is added to information transmitted / received via a network and guarantees the validity of the information, and an electronic certificate management system The present invention relates to an electronic certificate using terminal and an electronic certificate management method.

  Conventionally, with the spread of the Internet, which is an open network, a lot of information is exchanged via the Internet. For example, it is common to use electronic mail via the Internet for exchanging information between users. On the other hand, since the Internet is an open network, problems have been pointed out that information is intercepted, tampered with, and spoofed on the communication path. Therefore, a public key cryptosystem is known as a technique for appropriately solving such problems (for example, Patent Document 1).

  The public key cryptosystem is a scheme that performs encryption and decryption using a pair of keys, a public key that is widely open to the public and a secret key that only the owner keeps secret, and plaintext encrypted with one key is It can only be decrypted with the other key. Thus, in ciphertext communication, the sender sends the ciphertext obtained by encrypting the plaintext with the receiver's public key, and the receiver decrypts the received ciphertext with its own private key to obtain the plaintext. . Thereby, the content of communication is concealed and the possibility that information is intercepted or tampered with is reduced.

  In addition, in order to verify the sender, the sender transmits a ciphertext obtained by encrypting the message digest with a private key and a public key with an electronic certificate. The receiver confirms the validity of the public key based on the electronic certificate and verifies that the sender is the owner of the private key based on the fact that the message digest can be decrypted with the public key. This verifies that the sender is the person who issued the electronic certificate, and reduces the possibility that the sender is impersonated.

JP 2001-36521 A

By using the public key cryptosystem in this way, it is possible to ensure the confidentiality of information and verify the legitimacy of the sender.
By the way, the electronic certificate attached by the sender is acquired by applying to the electronic certificate management system of the electronic certificate issuing organization from the sender's electronic certificate using terminal. The issuing organization of the electronic certificate strictly examines the application contents of the applicant and issues an electronic certificate to the applicant when it is determined that the application contents are appropriate. Therefore, the reliability of the electronic certificate is secured by the examination standards and examination ability of the issuing organization of the electronic certificate. As a result, the reliability of electronic certificates may vary depending on the issuing authority, and improper applications may not be excluded during examination.

  The present invention has been made in view of such circumstances, and an object of the present invention is to provide an electronic certificate management system capable of further improving the reliability of the electronic certificate, and an electronic certificate suitable for the electronic certificate management system. It is to provide a certificate using terminal and an electronic certificate management method.

  An electronic certificate management system that solves the above problems is an electronic certificate management system that issues an electronic certificate based on application information and manages the issued electronic certificate. Acquires a certificate history storage unit to be held, corporate information included in the application information from the application information, and a specific corporate number uniquely assigned to the corporate, and manages the corporate information in association with the specific corporate number The corporation included in the application information based on the degree of coincidence between the corporate information obtained from the corporate information management apparatus as corresponding to the specific corporate number acquired from the application information and the corporate information included in the application information Corresponding to the result of determining that the corporate information included in the application information is valid by the corporate information determination unit that determines the legitimacy of the information, the application information determination unit And a history registering unit that registers that the electronic certificate has been issued as a history relating to the issued electronic certificate in the certificate history storage unit. And

  An electronic certificate management method for solving the above problem is an electronic certificate management method used in an electronic certificate management system that issues an electronic certificate based on application information and manages the issued electronic certificate, Corporate information management unit that obtains corporate information included in the application information from the application information and a specific corporate number uniquely assigned to the corporate and manages the corporate information in association with the specific corporate number The corporate information corresponding to the acquired specific corporate number is acquired from the device, and the legitimacy of the corporate information included in the application information based on the degree of coincidence between the acquired corporate information and the corporate information included in the application information The certificate issuing unit issues an electronic certificate based on the application information in response to a result of the corporate information determining unit determining that the corporate information included in the application information is valid. And, history registration unit, and gist to register that it has issued the electronic certificate as history relating to the issued digital certificate in the certificate history storage unit.

  According to such a configuration, the corporate information included in the application information is determined to be valid based on the degree of coincidence with the corporate information obtained based on the specific corporate number. Is issued. In other words, when it is determined that the corporate information included in the application information is not valid, the electronic certificate is not issued. Therefore, the possibility that an electronic certificate is issued in response to an unauthorized electronic certificate issuance application such as impersonation is reduced, and the reliability of the electronic certificate is improved. In addition, in issuing an electronic certificate, the accuracy of examination of corporate information can be improved, the examination load can be reduced, and examination variations can be reduced.

As a preferred configuration, the information processing apparatus further includes a history search unit that searches and outputs a history related to the electronic certificate registered in the certificate history storage unit in response to an external request.
According to such a configuration, it is possible to search and refer to the history related to the electronic certificate from the outside for the issued electronic certificate.

  As a preferred configuration, the information processing apparatus further includes a public key storage unit that stores a public key and publishes the public key, and sets the target of the registration information based on public key registration information generated based on the issued electronic certificate. A key registration unit for registering a public key in the public key storage unit together with the issued electronic certificate;

  According to such a configuration, of the private key and public key created based on the issued electronic certificate, the public key is registered in the public key storage unit together with the corresponding electronic certificate based on the registration information. Thereby, the legitimacy of the public key is increased by giving a highly reliable electronic certificate.

  As a preferred configuration, the application information includes position information indicating a position of the terminal to which the application information is transmitted, and is included in the position information included in the application information and the corporate information corresponding to the specific corporate number. A position information processing unit that determines the degree of coincidence with the location of the corporation is further provided, and the certificate issuing unit further reflects the determination result of the position information processing unit in issuing the electronic certificate.

  According to such a configuration, the degree of coincidence between the location information of the terminal that transmitted the application information and the location of the corporation included in the corporate information corresponding to the specific corporate number is reflected in the determination of validity. And the reliability of the electronic certificate is further increased.

  As a preferred configuration, an IP address obtained from a domain management apparatus that manages a domain and its IP address in association with each other based on the domain corresponding to the corporate information of the application information, and an IP obtained from the domain that transmitted the application information A domain information processing unit that determines the degree of coincidence with the address is further included, and the certificate issuing unit further reflects the determination result of the domain information processing unit in issuing the electronic certificate.

  According to such a configuration, the degree of coincidence between the IP address obtained from the domain management device based on the domain corresponding to the corporate information of the application information and the IP address obtained from the domain that transmitted the application information is valid. Since it is reflected in the determination, the validity of the application information is enhanced and the reliability of the electronic certificate is further enhanced.

As a preferred configuration, the application information includes sender information that is information indicating a sender, and the certificate issuing unit issues the electronic certificate including the sender information.
According to such a configuration, the sender information is also added to the electronic certificate, so that the reliability of the electronic certificate is further increased.

As a preferred configuration, the application information includes recipient information that is information indicating a recipient, and the certificate issuing unit issues the electronic certificate including the recipient information.
According to such a configuration, the recipient information is also added to the electronic certificate, so that the reliability of the electronic certificate is further improved for the recipient who has received the electronic certificate.

  As a preferred configuration, a reply unit is further provided that returns a result of determination of the validity of the electronic certificate determined based on a request for verification of the electronic certificate from the receiving terminal that has received the electronic certificate to the receiving terminal. The history registration unit further registers in the certificate history storage unit the fact that a request for verification has been received from the receiving terminal in association with the history related to the electronic certificate.

  According to such a configuration, the fact that the receiving terminal has requested verification of the electronic certificate is registered in the certificate history storage unit, so that communication traceability is improved. For example, the applicant can check the usage status of the electronic certificate.

  As a preferable configuration, when the history registration unit receives from the receiving terminal that the determination result of the reply unit has been trusted, the domain information of the receiving terminal, the address information of the user of the receiving terminal, and the receiving terminal At least one piece of address information of the user of the transmitting terminal that sent the electronic certificate is acquired, and the acquired information is registered in the certificate history storage unit in association with the history related to the electronic certificate.

  According to such a configuration, it is registered that the receiving terminal trusts the public key, that is, that the communication text is decrypted using the public key, so that the communication traceability is improved. For example, the sender of the message can confirm that the message has been decrypted at the receiving terminal.

  An electronic certificate using terminal that solves the above problems is an electronic certificate using terminal that issues an electronic certificate and applies for an electronic certificate issuance to an electronic certificate management system that manages the issued electronic certificate. The electronic certificate management system according to any of the above, wherein the electronic certificate using terminal includes corporate information and a specific corporate number uniquely assigned to the corporate Generates application information and transmits it to the electronic certificate management system, receives an electronic certificate issued by the electronic certificate management system for the transmitted application information, and based on the received electronic certificate The gist of the present invention is to provide an application unit that applies the public key of the generated public key and private key to the electronic certificate management system together with the electronic certificate.

According to such a configuration, it is possible to acquire a highly reliable electronic certificate using a specific corporate number and to disclose a public key related to the electronic certificate.
An electronic certificate using terminal that solves the above problems is an electronic certificate using terminal that issues an electronic certificate and requests the electronic certificate management system that manages the issued electronic certificate to verify the electronic certificate. The electronic certificate management system according to any one of the above, wherein the electronic certificate using terminal transmits an electronic certificate including a specific corporate number received from a sender to the electronic certificate. Sent to the management system, requests the electronic certificate management system to verify the validity of the transmitted electronic certificate, and obtains a determination from the electronic certificate management system that the request is valid. The electronic certificate transmitted by the sender is trusted on the basis of the domain information of the terminal using the electronic certificate and the address of the user of the terminal using the electronic certificate. Along with information and at least one information of the sender address information comprising a receiving unit for transmitting to the electronic certificate management system.

  According to such a configuration, when a highly reliable electronic certificate using a specific corporate number is trusted, the fact that it was trusted, that is, a message with an attached electronic certificate was used, History management will be possible with the electronic certificate management system. Thereby, the traceability of communication is improved.

  According to the electronic certificate management system, the electronic certificate using terminal, and the electronic certificate management method, the reliability of the electronic certificate can be further increased.

The block diagram which shows the schematic structure about one Embodiment which actualized the electronic certificate management system, the electronic certificate utilization terminal, and the electronic certificate management method. Schematic which shows the outline of the data structure of the electronic certificate utilized in the embodiment. The block diagram which shows schematic structure of the application part of the electronic certificate utilization terminal in the embodiment. The block diagram which shows schematic structure of the authentication gateway in the same embodiment. The schematic diagram which shows the schematic structure of the data of the application information which an authentication gateway receives in the embodiment. Schematic which shows the schematic structure of the data of the publication request information which an authentication gateway receives in the embodiment. 4 is a schematic diagram illustrating a schematic structure of registration data of an electronic certificate history received by the authentication gateway in the embodiment. FIG. 4 is a schematic diagram illustrating a schematic structure of reference data of an electronic certificate history received by the authentication gateway in the embodiment. FIG. The sequence diagram which shows the process sequence when an authentication gateway issues an electronic certificate in the same embodiment. The sequence diagram which shows the process sequence which acquires a public key from the authentication gateway in the embodiment. The sequence diagram which shows the process sequence of transmission / reception of a communication text in the same embodiment. Schematic which shows the outline of other data structures about an electronic certificate.

An embodiment in which an electronic certificate management system, an electronic certificate using terminal, and an electronic certificate management method are embodied will be described with reference to FIGS.
As shown in FIG. 1, the communication system 10 includes a domain management device 12, a first terminal 13, a second terminal 14, and a domain management device 12 that are communicably connected to each other via the Internet N, which is an open network. An authentication gateway 30 as an electronic certificate management system is provided. Further, the authentication gateway 30 is connected to a corporate information management apparatus 15 that manages corporate information through a communication path different from the Internet N so as to allow mutual communication.

  The authentication gateway 30 is a so-called certificate authority (CA), a function for issuing an electronic certificate (electronic certificate issuing function), and a function for managing the issued electronic certificate and its history (history function). And a function for publicizing the registered public key (public key repository function).

  As shown in FIG. 2, in this embodiment, the electronic certificate 50 is an “ITU-T X.509 v3” standard electronic certificate, and includes a pre-signature certificate 501, a signature algorithm 502, and a digital signature 503. Have. The basic areas of the pre-signature certificate 501 are: certificate version information 50a, certificate serial number 50b, hash function / public key encryption algorithm 50c, certificate issuer (certificate authority) 50d, certificate validity period 50e, certificate Issued object: It has a corporate name 50f and a public key 50g to be issued. In the present embodiment, among these, the certificate issuance target: corporation name 50f stores the name of the corporation that applied for the issuance of the electronic certificate, and the issuance target public key 50g applies for the issuance of the electronic certificate. The public key generated by the registered corporation is stored.

  The pre-signature certificate 501 has an extended area that can be used according to the purpose. In the present embodiment, the extension area of the pre-signature certificate 501 has corporate information 50h such as a specific corporate number / position information. The corporate information 50h such as the specific corporate number / position information stores “corporate number” as the specific corporate number of the corporation that has applied for issuance of the electronic certificate and “corporate information” such as location information. In this embodiment, the “corporate number” is the “Law Concerning the Use of Numbers for Identifying Specific Individuals in Administrative Procedures (Act No. 27 of May 31, 2000)”, It is a corporate number prescribed by the so-called numbering law.

  As shown in FIG. 1, each of the first terminal 13 and the second terminal 14 is a computer device including a personal computer. The first terminal 13 and the second terminal 14 make various processing requests to various server devices such as the domain management device 12 and the authentication gateway 30 connected via the Internet N, and receive responses to the processing requests. For example, the first terminal 13 and the second terminal 14 may be connected to a mail server (not shown), and may exchange e-mail with each other via the mail server. The first terminal 13 and the second terminal 14 have a position measuring device such as a GPS, and can transmit the current position detected by the position measuring device attached to the communication data. Further, the first terminal 13 and the second terminal 14 have a clock, and can transmit the current time measured by the clock attached to the communication data. Further, in the present embodiment, the first terminal 13 and the second terminal 14 belong to different corporations, and each of the corporations is issued an electronic certificate 50 from the authentication gateway 30 and also public keys to the authentication gateway 30. Is registered. Therefore, the first terminal 13 and the second terminal 14 can request the authentication gateway 30 to authenticate the electronic certificate 50 or request the acquisition of the public key, respectively.

  The first terminal 13 includes an application unit 13a as an electronic certificate using terminal that makes a predetermined application as a processing request to the authentication gateway 30, a transmission unit 13b that transmits a communication message with an electronic certificate to a receiver, And a receiving unit 13c as an electronic certificate using terminal that receives a communication message with a certificate from a sender. The second terminal 14 includes an application unit 14a, a transmission unit 14b, and a reception unit 14c. These functions are the same as the application unit 13a, the transmission unit 13b, and the reception unit 13c of the first terminal 13, respectively. Since it is the same, the detailed description is omitted.

  The application unit 13a performs a process for applying to the authentication gateway 30 to issue the electronic certificate 50, a process for receiving the electronic certificate 50 issued from the authentication gateway 30, and a public key being disclosed to the authentication gateway 30. Process to apply.

As illustrated in FIG. 3, the application unit 13 a includes a certificate application unit 20, a certificate acquisition unit 21, a key generation unit 22, a signature unit 23, and a key disclosure application unit 24.
As shown in FIG. 5, the certificate application unit 20 acquires information necessary for issuing the electronic certificate 50 and generates application information D1 necessary for issuing the electronic certificate 50, and the generated application information. Apply to the authentication gateway 30 to issue the electronic certificate 50 based on D1. The application information D1 includes, for example, “corporate number D1a”, “organization name D1b”, “base address D1c”, “applicant name D1d”, “applicant identification code D1e”, “applicant terminal location information etc. D1f”. Including. Note that “organization name D1b” and “base address D1c” constitute “corporate information”, and “applicant name D1d” and “applicant identification code D1e” constitute “applicant information”. The “applicant terminal position information etc. D1f” includes “latitude, longitude” and “time”. The “applicant identification code D1e” is a code for identifying an individual applicant, and may be the number of an employee or customer managed by a corporation, the number of an individual managed by a government, etc. If allowed, it may be a personal number specified in the Numbering Law.

  By the way, in the present embodiment, the “applicant” performs a procedure for application of the corporation on behalf of the corporation, for example, an employee of the corporation, and the corporation transmits a message. Sometimes the employee becomes an “applicant” or “sender”. In addition, when a corporation receives a message, employees of the corporation become “receivers”.

As illustrated in FIG. 3, the certificate acquisition unit 21 acquires the electronic certificate 50 issued according to the application from the authentication gateway 30 and stores the electronic certificate 50 in the first terminal 13.
The key generation unit 22 adds the contents of the extension area to the acquired electronic certificate 50 and, based on the electronic certificate 50 to which the contents of the extension area are added, a pair of secret keys corresponding to the public key cryptosystem and Generate a public key.

  The signature unit 23 stores the public key in the public key 50g to be issued of the received electronic certificate 50, and stores the algorithm of the public key cryptosystem in the signature algorithm 502 of the electronic certificate 50. The digital signature 503 Stores a digital signature generated with a private key.

  As shown in FIG. 6, the key disclosure application unit 24 generates public key registration information D2 including a signed electronic certificate 50 with a public key, and registers the public key based on the generated registration information D2. Apply to the authentication gateway 30. The registration information D2 includes, for example, “sender address D2a”, “signed corporate public key D2b”, “signed personal public key D2c”, “receiver address D2d”, “applicant terminal location information etc. D2e”. . “Applicant terminal position information D2e” includes “latitude, longitude”, and “time”. If there is no personal public key or if it is not necessary, the signed personal public key may not be stored in the signed personal public key D2c. If the recipient is not specified, the recipient address may not be stored in the recipient address D2d.

  The transmission unit 13b sends a communication message with the electronic certificate 50 to the receiver. More specifically, the transmission unit 13b calculates a value such as a hash value that cannot reproduce the communication message from the communication message, a so-called message digest (MD) by a predetermined method, and uses the calculated MD as its own secret. Encode with key. Then, the transmission unit 13b attaches the electronic certificate 50 including the encoded MD and the public key to the communication text and sends it to the receiver. The transmission unit 13b notifies the authentication gateway 30 of information indicating that the sender has attached the electronic certificate 50 and sent the communication message, and the history is managed by the authentication gateway 30 as a history regarding the electronic certificate 50. You may make it do. For example, information indicating that a message has been sent includes “sender address”, “sender's corporate electronic certificate”, “sender's personal electronic certificate”, “receiver address”, and “sender terminal” Location information etc. ".

  In addition, when concealing the communication text, the transmission unit 13b encrypts the communication text with the public key of the recipient acquired in advance, and the electronic certificate 50 includes the encoded MD and the public key in the encrypted communication text. And send it to the recipient. In order to acquire the public key, acquisition information having “sender address”, “receiver address”, “corporate electronic certificate number”, and “personal electronic certificate number” is transmitted to the authentication gateway 30.

  At this time, the transmission unit 13b indicates that the communication message encrypted with the recipient's public key has been sent as “sender address”, “receiver's corporate electronic certificate number”, “recipient's personal electronic certificate number” ”,“ Recipient address ”,“ Sender terminal location information, etc. ”are notified to the authentication gateway 30, and the history is managed by the authentication gateway 30 as a history regarding the electronic certificate 50 of the receiver.

  The receiving unit 13c receives the encoded message attached to the communication message and the electronic certificate 50 including the public key together with the communication message sent from the sender. The receiving unit 13c calculates the MD from the communication text by the same pre-defined method as the transmitting unit 13b. The receiving unit 13c confirms the validity of the electronic certificate 50 with the certificate authority that issued the electronic certificate 50, here, the authentication gateway 30, and based on the confirmation that the electronic certificate 50 is “valid”. The MD encoded with the public key of the certificate 50 is restored to obtain the MD. Then, the receiving unit 13c verifies that the communication text is not falsified based on the fact that the MD calculated from the communication text matches the MD restored with the public key, and verifies the reliability of the sender of the public key. To do. On the other hand, if the tampering of the communication text cannot be verified or the reliability of the sender of the public key cannot be verified, the receiving unit 13c warns that fact or discards the communication text. The receiving unit 13c indicates that the sender's electronic certificate 50 has been verified by "sender address", "sender's corporate electronic certificate", "sender's personal electronic certificate", "receiver address", " The information may be notified to the authentication gateway 30 together with the “receiver terminal location information etc.” and the history may be managed by the authentication gateway 30 as the history regarding the electronic certificate 50 of the sender.

  Note that if the communication text is encrypted, the receiving unit 13c decrypts the communication text with its own secret key. Since the communication text encrypted with the receiver's public key can be decrypted only with the receiver's private key, the communication text is concealed using the public key cryptosystem.

  At this time, as shown in FIG. 7, the receiving unit 13c trusts the communication text encrypted with the recipient's public key, and notifies the authentication gateway 30 that the decrypted information is the same as the recorded information D3. The history is managed by the authentication gateway 30 as a history regarding the electronic certificate 50 of the recipient. That is, the receiving unit 13c obtains “sender address D3a”, “corporate electronic certificate number D3b”, “personal electronic certificate number D3c”, “receiver address D3d”, “receiver terminal location information etc. D3e”, and the like. The authentication gateway 30 is notified. In addition, you may link with the log | history regarding the sender's electronic certificate 50. FIG.

  The domain management device 12 is a server device including a computer, and manages the latest registration information of domain names registered in the Internet N. Since the relationship between the “domain name” and the “IP address” often changes, each time the “IP address” corresponding to the “domain name” is referred to, the domain management apparatus that manages the latest correspondence relationship 12 is sure to confirm the correspondence. The domain management device 12 receives a domain name search request from the authentication gateway 30 and returns an “IP address” corresponding to the domain as a result of the search request. In the domain name search request, “host name” and “domain name” are input to the domain. The domain management apparatus 12 may receive other information in addition to “host name” and “domain name”, or may return other domain registration information in addition to “IP address”.

  The corporate information management device 15 is a server device including a computer, and manages a “corporate number” and a “public corporate electronic certificate” corresponding to the “corporate number”. The “public corporate electronic certificate” includes corporate information such as “corporate registration information”, “trade name”, “name”, “head office”, and “main office location”. Therefore, the corporate information management device 15 is a device that is directly or indirectly managed by a predetermined public organization such as a country. The corporate information management apparatus 15 receives an inquiry regarding “corporate number” and “corporate information” from the authentication gateway 30 and returns a “public corporate electronic certificate” corresponding to the “corporate number”. That is, the authentication gateway 30 obtains a highly reliable “public corporation electronic certificate” managed by the country or the like based on the “corporate number”, and uses the obtained “public corporation electronic certificate”. The “corporate information” included can be compared with the “corporate information” of the application information D1, and the degree of coincidence can be obtained to determine the validity of the application information D1.

  Next, the authentication gateway 30 will be described in detail with reference to FIG. As described above, the authentication gateway 30 is a certificate authority, and has an electronic certificate issuing function, a public key repository function, and a history function. The authentication gateway 30 is a server device including a computer, and includes a storage unit 45 that stores various data necessary for various processes.

  The storage unit 45 is configured by a storage device such as a hard disk, and in a storage area for storing data, an electronic certificate database (DB) 451, a public key DB 452 as a public key storage unit, and a certificate history storage. A history DB 453 as a section is provided. The electronic certificate DB 451 stores the electronic certificate 50 issued by the authentication gateway 30, the public key DB 452 stores the electronic certificate 50 including the public key, and the history DB 453 stores the electronic certificate 50 including the public key. An acquisition history or the like is stored as a history regarding the electronic certificate 50.

  In addition, the authentication gateway 30 has, as an electronic certificate issuing function, an issuance application processing unit 31, a domain information determination unit 32 as a domain information processing unit, a corporate information determination unit 33, a position information processing unit 34, and a personal identification. An information processing unit 35, a certificate issuing unit 36, a certificate registration unit 37, and a certificate verification unit 38 as a reply unit are provided.

The electronic certificate issuing function issues an electronic certificate 50 and registers a public key.
The issuance application processing unit 31 receives the application information D1 from the application units 13a and 14a of the first terminal 13 and the second terminal 14, and determines whether or not the bibliographic items of the application information D1 are appropriate.

  The domain information determination unit 32 requests the domain management device 12 to search for the “domain name” obtained based on the “corporate information” included in the application information D1, and corresponds to the “domain name” as a result of the search request. An “IP address” is obtained as domain information. The domain information determination unit 32 matches the “IP address” corresponding to the “domain name” obtained from the domain management device 12 and the “IP address” obtained from the domain that transmitted the application information D1. It is determined that the degree is high, and if it does not match, it is determined that the degree of matching is low.

  The corporate information determination unit 33 requests the corporate information management apparatus 15 to search based on the corporate number, and obtains a “public corporate electronic certificate” or the like as a result of the search request. Further, the corporate information determination unit 33 compares the “corporate information” included in the application information D1 with the “corporate information” included in the acquired “public corporate electronic certificate”, and if they match, the degree of matching is increased. It is determined to be high (valid), and if they do not match, it is determined that the degree of matching is low (invalid). Since the corporate information determination unit 33 obtains a highly reliable “public corporate electronic certificate” based on the corporate number from the corporate information management device 15, the corporate information determination unit 33 examines the “corporate information” when issuing the electronic certificate 50. It will be possible to improve accuracy, reduce examination load, and reduce examination variation.

  The degree of coincidence is, for example, “name” of corporate information included in “public corporate electronic certificate”, “location of main office”, “organization name D1b” of “corporate information” of application information D1, and “ The base address D1c "is compared. Note that the degree of coincidence of addresses and the like may be determined in consideration of fluctuations in expression. In addition, the corporate information included in the “public corporate electronic certificate” and the corporate information included in the application information D1 do not always match, so the combination of corresponding items is considered, You may consider the degree.

  The position information processing unit 34 determines the identity between the “longitudinal office location” of the corporate information and the “longitude, latitude” included in the “applicant terminal location information etc. D1f” of the application information D1. Is added to the determination of the degree of coincidence. This verifies that the application is made from “the location of the main office”, prevents applications made from different places, and increases the legitimacy of the application. Further, the position information processing unit 34 verifies whether the “time” included in the “applicant terminal position information etc. D1f” is a normal business time, and adds this verification result to the determination of the degree of coincidence. Also good. As a result, the time available for application is narrowed down to an appropriate range, the inappropriate application is eliminated, and the validity of the application is further increased.

  The personal identification information processing unit 35 determines the reliability of the “applicant name D1d” and “applicant identification code D1e” included in the “applicant information” of the application information D1 based on the reliability of the “corporate information”. To do. If the “applicant information” is reliable, the personal identification information processing unit 35 may cause the electronic certificate 50 to include the “applicant information”, or based on the “applicant information” A (personal) electronic certificate 51 (see FIG. 12) may be issued. In other words, the reliability of the electronic certificate 51 of the applicant's individual is ensured based on the legitimacy of the “corporate information” and the ability to manage information such as employees of the corporation.

  The certificate issuing unit 36 determines that the degree of matching is high by the domain information determining unit 32, determines that the degree of matching is high (valid) by the corporate information determining unit 33, and determines whether the matching is performed by the position information processing unit 34. The electronic certificate 50 based on the application information D1 is issued based on the determination that the degree of matching is high. That is, the certificate issuing unit 36 reflects the determination result of the domain information determination unit 32, the determination result of the corporate information determination unit 33, and the determination result of the position information processing unit 34 in issuing the electronic certificate. The certificate issuing unit 36 returns the issued electronic certificate 50 to the sender of the application information D1.

  The certificate issuing unit 36 can include “applicant information” in the electronic certificate 50 in accordance with the determination result and instruction of the personal identification information processing unit 35, or apply based on the “applicant information”. An electronic certificate 51 (see FIG. 12) can be issued to a person (individual).

  The certificate registration unit 37 registers and manages the electronic certificates 50 and 51 issued by the certificate issuing unit 36 in the electronic certificate DB 451. In addition, the certificate registration unit 37 registers that the electronic certificates 50 and 51 are issued in the history DB 453 via the history registration unit 42 as a history related to the electronic certificates 50 and 51.

  The certificate verification unit 38 determines whether or not the electronic certificate is valid in response to receiving verification information including the issued electronic certificates 50 and 51 from the first terminal 13 or the like. Returns the judgment result. When the verification information includes “sender address” and “recipient address”, the certificate verification unit 38 also determines the validity of these addresses via the domain information determination unit 32, and the determination The result can also be returned.

  The authentication gateway 30 includes a key registration unit 40 and a key search unit 41 as a public key repository function. The public key repository function registers a public key and makes the registered public key publicly available via the Internet N or the like so that the user of the authentication gateway 30 can obtain it.

  As shown in FIG. 6, the key registration unit 40 registers the public key in the public key DB 452 based on the registration information D2. When the public key is registered in the public key DB 452, the key registration unit 40 generates registration information D2, and additionally registers the generated registration information D2 in the history DB 453 as a history regarding the electronic certificate 50 attached to the public key. . The registration information D2 includes “sender address D2a”, “signed corporate public key D2b”, “signed personal public key D2c”, “receiver address D2d”, and “sender terminal location information etc. D2e”.

  “Sender address D2a” is an address of a person who discloses a public key, and “signed corporate public key D2b” is a signed electronic certificate 50 including the generated public key of the corporate. The “signed personal public key D2c” is the signed electronic certificate 51 including the generated personal public key, and the “recipient address D2d” is the use of the public key designated by the public key generator. "Sender terminal location information D2e" is the location of the sender. Note that the “signed personal public key D2c”, “recipient address D2d”, and “sender terminal location information D2e” may not be stored if not necessary.

  The key search unit 41 searches the public key registered in the public key DB 452 based on the received acquisition information, and returns the searched public key. The acquired information includes “sender address”, “receiver address”, “corporate electronic certificate number”, and “personal electronic certificate number”. Then, the key search unit 41 additionally registers in the history DB 453 that the public key is searched from the public key DB 452 in association with the electronic certificate 50 attached to the public key.

  The “sender address” is the address of the sender of the communication text, and the “recipient address” is the address of the recipient of the communication text who has disclosed the public key. The “corporate electronic certificate number” and the “individual electronic certificate number” are numbers for identifying the corporate and personal electronic certificates. The search and history registration need only be able to identify the electronic certificate and public key registered in the authentication gateway 30. Therefore, the electronic certificate is not a “corporate electronic certificate” or a “personal electronic certificate”, but is unique. What is necessary is just to know the “corporate electronic certificate number” and “personal electronic certificate number” that it has. The same applies to the following description. Instead of “corporate electronic certificate number” or “personal electronic certificate number”, “corporate electronic certificate” or “personal electronic certificate” itself may be used.

  The authentication gateway 30 includes a history registration unit 42 and a history reference unit 43 as a history search unit as a history function. The history function generates a digital certificate and a public key, and stores a history of use and makes it available for reference.

  As shown in FIG. 7, the history registration unit 42 stores “sender address D3a”, “corporate electronic certificate number D3b”, “personal electronic certificate number D3c”, “recipient address” as recorded information D3 in the history DB 453. D3d "and" Destination terminal location information D3e "are registered.

  The history registration unit 42 registers in the history DB 453 that an electronic certificate and a public key have been generated and used. For example, in the history registration unit 42, the certificate issuing unit 36 has issued the electronic certificate 50, the key registration unit 40 has registered the public key in the public key DB 452, and the key search unit 41 is registered in the public key DB 452. Search for the public key that was returned and register the reply. Further, the history registration unit 42 indicates that the communication text receiver has decrypted the communication text received from the communication text sender using the public key, as a history related to the electronic certificate attached with the public key. Register with. As a result, it becomes possible to verify that the recipient of the communication text trusts the communication text received from the sender of the communication text based on the electronic certificate 50 and decrypts it.

  As illustrated in FIG. 8, the history reference unit 43 receives history reference information D4 related to the electronic certificate 50 attached to the communication text from the sender of the communication text, searches the history related to the electronic certificate 50, The search result is returned to the sender of the message. Thereby, the sender of the communication text can confirm whether or not the receiver of the communication text has received the communication text and has decrypted the received communication text. The reference information D4 includes “sender address D4a”, “receiver address D4b”, “referencer address D4c”, “referencer electronic certificate number D4d”, “receiver terminal location information etc. D4e”. Yes.

  Further, the history reference unit 43 receives history reference information about the use of its public key from the recipient of the communication message, searches the history related to the electronic certificate 50, and displays the search result of the communication message. Reply to the recipient. Thereby, the receiver of the communication text can confirm whether or not the sender of the communication text has acquired his / her public key.

(Function)
Next, the operation of the communication system 10 will be described with reference to FIGS.
First, with reference to FIG. 9, a procedure for issuing an electronic certificate 50 and releasing a public key will be described. Here, it is assumed that a corporation requiring the electronic certificate 50 applies for issuance of the electronic certificate 50 from the first terminal 13 to the authentication gateway 30 by the person in charge (applicant).

  The first terminal 13 creates application information D1 (message M10) for applying for issuance of an electronic certificate by the application unit 13a, and performs processing E10 for transmitting the created application information D1 to the authentication gateway 30.

  The authentication gateway 30 performs an application content confirmation process E11 in which the issue application processing unit 31 receives the application information D1 from the first terminal 13 and confirms the bibliographic items. As the application content confirmation processing E11, the issuance application processing unit 31 checks the content of the application information D1 for excess or deficiency, consistency, etc., and if there is inconvenience in the content, information (message M11) indicating that it is not accepted is the first terminal 13. Send to. And the 1st terminal 13 which received the information to the effect of rejection performs the process E12 corresponding to rejection. For example, as the processing E12 corresponding to the non-acceptance, it is possible to convey the non-acceptance by screen display.

  When the authentication gateway 30 confirms that the bibliographic items of the application information D1 are appropriate, the domain information determination unit 32 performs a verification process E13 based on the domain registration information. The domain information determination unit 32 makes an inquiry about domain registration information in the verification process E13, and receives an answer to the inquiry. More specifically, the domain information determination unit 32 transmits “host name” and “domain name” (message M12) to the domain management apparatus 12, and domain registration information corresponding to the transmitted “host name” and “domain name”. "IP address" (message M13) is obtained from the domain management apparatus 12 as a reply. Then, the authentication gateway 30 determines the degree of coincidence between the “IP address” obtained by the domain information determination unit 32 and the “IP address” obtained from the application information D1. If it is determined that the degree of coincidence is low, the authentication gateway 30 transmits information indicating that it is not accepted (message M11) from the domain information determination unit 32 to the first terminal 13. And the 1st terminal 13 performs the process E12 corresponding to the information to the effect of non-acceptance.

  Further, the authentication gateway 30 performs verification processing E14 based on the corporate number in the corporate information determination unit 33. In the verification process E14, the corporate information determination unit 33 inquires corporate information and obtains an answer to the inquiry. More specifically, the corporate information determination unit 33 transmits a “corporate number” (message M14) to the corporate information management device 15, and the corporate information management device 15 sets “public corporation” as a verification result corresponding to the transmitted corporate number. An “electronic certificate” (message M15) is obtained as an answer. Then, the authentication gateway 30 determines the degree of coincidence between the “corporate information” included in the “public corporate electronic certificate” obtained as a reply and the “corporate information” of the application information D1 by the corporate information determination unit 33. .

  At the same time, the location information processing unit 34 includes “the location of the main office” included in the corporate information of the “public corporate electronic certificate” and “applicant terminal location information D1f” of the application information D1. The identity (degree of coincidence) with “longitude and latitude” may be determined and reflected in the determination of electronic certificate issuance by the certificate issuing unit 36. Further, the position information processing unit 34 verifies the degree of coincidence of the “time” included in the “applicant terminal position information etc. D1f” with respect to the normal business hours, and the certificate issuing unit 36 determines the electronic certificate. It may be reflected. By such comparison, the reliability of the electronic certificate 50 for the corporation is further improved.

  If it is determined that the degree of coincidence is low, the authentication gateway 30 transmits non-acceptance information (message M11) to the first terminal 13 from the corporate information determination unit 33. And the 1st terminal 13 performs the process E12 corresponding to the information to the effect of non-acceptance.

  Further, the authentication gateway 30 determines that the determination results of the domain information determination unit 32, the corporate information determination unit 33, and the position information processing unit 34 are all high, and the certificate issuing unit 36 The electronic certificate 50 issuance process E15 is performed. In the issuing process E15, the certificate issuing unit 36 issues the electronic certificate 50 shown in FIG. 2 based on the application information D1. In the authentication gateway 30, the certificate registration unit 37 registers the electronic certificate 50 in the electronic certificate DB 451, and the history registration unit 42 registers in the history DB 453 that the electronic certificate 50 has been issued. In addition, the authentication gateway 30 transmits the issued electronic certificate 50 (message M16) to the first terminal 13. And the 1st terminal 13 performs the reception process E16 of the electronic certificate 50 by the application part 14a. The authentication gateway 30 may issue an electronic certificate 51 (see FIG. 12) to a corporate applicant (individual) by the certificate issuing unit 36.

  When the first terminal 13 receives the electronic certificate 50, the application unit 13a performs processing E17 for applying for registration of a public key. The application unit 13a generates a public key and a private key in processing E17 for applying for registration of a public key, stores the public key in the electronic certificate 50, and then uses the digital signature using the private key for the electronic certificate 50. Is added. And the 1st terminal 13 produces | generates the registration information D2 containing the electronic certificate which attached the digital signature in the application part 13a, and transmits this produced | generated registration information D2 (message M17) to the authentication gateway 30. FIG.

  When the authentication gateway 30 receives the registration information D2 from the first terminal 13, the key registration unit 40 performs public key registration processing E18. In the registration process E18, the key registration unit 40 registers the public key included in the received registration information D2 in the public key DB 452, and the history registration unit 42 registers that the public key corresponding to the electronic certificate 50 has been registered. The history is registered in the history DB 453.

  As a result, the authentication gateway 30 issues an electronic certificate 50 in response to an electronic certificate issuance application from a corporation, and publishes a public key generated by the corporation based on the issued electronic certificate 50.

  Next, with reference to FIG. 10, a procedure in which the sender of the message (second terminal 14) acquires the public key of the receiver will be described. Here, it is assumed that the sender of the communication text transmits the communication text to the receiver using the second terminal 14. Further, it is assumed that the sender of the communication text encrypts the communication text with the acquired public key.

  The second terminal 14 generates public key acquisition information disclosed by the receiver in the transmission unit 14b (process E20), and transmits the generated public key acquisition information (message M20) to the authentication gateway 30. The public key acquisition information includes the “sender address” and “recipient address” of the communication text.

  In the authentication gateway 30, the key search unit 41 receives the public key acquisition information from the second terminal 14 and performs a process E 21 for releasing the public key. The key search unit 41 transmits the “sender address” and the “recipient address” (message M21) included in the acquired information to the domain management apparatus 12 in the process E21 for releasing the public key, and corresponds to each transmitted address. The latest “domain registration information” is obtained from the domain management apparatus 12 as the inquiry result (message M22) to be performed. Then, the authentication gateway 30 transmits the public key (message M23) corresponding to the latest “domain registration information” based on the “recipient address” to the second terminal 14 using the key search unit 41. Therefore, the second terminal 14 performs the process E22 of acquiring the public key corresponding to the “recipient address” by receiving the message M23.

  In addition, the authentication gateway 30 uses the history registration unit 42 as a history relating to the electronic certificate 50 corresponding to the public key, such as “sender address”, “receiver address”, “time”, etc. Is registered in the history DB 453. This makes it possible to verify that the sender of the communication text has acquired the public key.

  Next, with reference to FIG. 11, a process when transmission / reception of a communication text is performed will be described. Here, it is assumed that the sender of the communication text transmits the communication text using the second terminal 14 and the receiver of the communication text receives the communication text using the first terminal 13.

  First, the second terminal 14 performs a process E30 for acquiring the public key (message M30) corresponding to the “recipient address” of the receiver of the communication text from the authentication gateway 30 in the transmission unit 14b, and performs communication using the acquired public key. An encryption process E31 for encrypting the sentence is performed. And the 2nd terminal 14 performs the process E32 which transmits communication start information (message M31) to the authentication gateway 30 by the transmission part 14b.

  The authentication gateway 30 performs processing E33 in which the history registration unit 42 registers in the history DB 453 of the electronic certificate 50 that the encrypted communication text has been transmitted. The history registration unit 42 registers the “electronic certificate number”, “sender address”, and “recipient address” obtained from the communication start information in the history DB 453 as history related to the electronic certificate 50 in the registration process E33. This makes it possible to verify that a communication message has been sent from the sender to the receiver. The history registration unit 42 may verify “sender address” and “recipient address”. That is, the history registration unit 42 transmits the “sender address” and “recipient address” (message M32) of the sender to the domain management device 12 for domain inquiry, and the inquiry result (message M33) is domain management. Obtained from device 12. Thereby, the legitimacy of the “sender address” and the “recipient address” can be registered as a history related to the electronic certificate 50, and the reliability of the history can be improved.

  Further, the second terminal 14 transmits a communication message (encoded communication message) (message M34) encrypted by the transmission unit 14b to the receiver. In addition to the encoded communication message, the communication message also includes “sender's electronic certificate number”, “receiver's electronic certificate number”, “sender address”, “recipient address”, and the like. It is.

  The first terminal 13 performs the reception process E34 of the encoded communication message received from the second terminal 14 at the reception unit 13c. In the reception process E34, the reception unit 13c sends the communication content to the authentication gateway 30 in order to verify the sender of the message (message M35). The authentication gateway 30 starts the verification process E35 in response to the verification request by the certificate verification unit 38, the domain information determination unit 32, or the like. The verification process E35 may verify the “sender address” and “recipient address”. That is, the verification process E35 transmits the “sender address” and the “recipient address” (message M36) to the domain management apparatus 12 for domain inquiry, and obtains the inquiry result (message M37) from the domain management apparatus 12. . Then, the authentication gateway 30 verifies each address based on the verification result, and transmits the verification result (message M38) to the first terminal 13. Thereby, the validity of the “sender address” and the “recipient address” is verified.

  If the sender's validity cannot be verified, the first terminal 13 determines that the sender is not reliable by the receiving unit 13c, and determines that the reliability of the encoded communication text is also low. Then, the first terminal 13 does not decode the encoded communication text and discards it or notifies the display screen that it cannot be trusted.

  On the other hand, when the validity of the sender can be verified, the first terminal 13 determines that the sender of the communication text can be trusted by the receiving unit 13c, and performs a decryption process E36 that decrypts the encrypted communication text. . In the decryption process E36, the communication text (encoded communication text) encrypted with the receiver's public key is decrypted with the receiver's own private key. Since the encoded communication message can be decrypted with its own private key, non-tampering of the communication message is ensured.

  In addition, the first terminal 13 performs processing E <b> 37 for sending reception history information (message M <b> 39) indicating that the encoded communication text has been reliably decoded to the authentication gateway 30 in the reception unit 13 c. The reception history information has the same contents as the record information D3, and includes “sender address”, “corporate electronic certificate number”, “personal electronic certificate number”, and “recipient address”. When receiving the reception history information from the first terminal 13, the authentication gateway 30 performs a process E 38 in which the history registration unit 42 registers that fact in the history DB 453 as a history regarding the electronic certificate 50 of the sender. As a result, the sender of the message can verify that the receiver has decrypted the message.

  That is, the authentication gateway 30 transmits a notification (message M40) indicating that the encoded communication message has been decoded by the first terminal 13 to the second terminal 14, and this notification is transmitted by the transmission unit 14b of the second terminal 14. Are received as the latest history related to the history related to the electronic certificate 50. Accordingly, the second terminal 14 can know in real time that the encoded communication message transmitted by itself is decoded by the first terminal 13 in a short time.

  The second terminal 14 transmits the history reference information D4 (message M41) related to its own electronic certificate 50 to the authentication gateway 30 by the transmission unit 14b (process E39). The authentication gateway 30 searches the history related to the electronic certificate 50 of the sender according to the reference information D4 received from the second terminal 14, and returns the search result (message M42). Even in this case, the sender of the communication text (second terminal 14) confirms the history related to the electronic certificate 50 used for communication together with the communication text, thereby receiving the receiver of the communication text (first terminal 13). ) Can confirm whether or not the message has been decrypted.

As described above, according to the electronic certificate management system, the electronic certificate using terminal, and the electronic certificate management method according to the present embodiment, the following effects can be obtained.
(1) The electronic certificate 50 corresponding to the fact that the “corporate information” included in the application information D1 is determined to be valid based on the degree of coincidence with the corporate information obtained based on the “corporate number”. Is issued. In other words, when it is determined that the “corporate information” included in the application information D1 is not valid, the electronic certificate 50 is not issued. Therefore, the possibility that the electronic certificate 50 is issued in response to an unauthorized electronic certificate issuance application such as impersonation is reduced, and the reliability of the electronic certificate 50 is improved. Further, in issuing the electronic certificate 50, it is possible to improve the accuracy of examination of “corporate information”, reduce examination burden, and reduce examination variation.

(2) With respect to the issued electronic certificate 50, the history related to the electronic certificate 50 can be searched and referenced from the outside.
(3) Of the private key and public key created based on the issued electronic certificate 50, the public key is registered in the public key DB 452 together with the corresponding electronic certificate 50 based on the registration information D2. Thereby, the legitimacy of the public key is increased by giving a highly reliable electronic certificate.

  (4) Since the degree of coincidence between the “location information” of the terminal that transmitted the application information D1 and the “location of the main office” included in the corporate information corresponding to the corporate number is reflected in the determination of validity, The validity of the application information D1 is further increased, and the reliability of the electronic certificate 50 is further increased.

  (5) Degree of coincidence between the “IP address” obtained from the domain management device 12 based on the domain corresponding to the “corporate information” of the application information D1 and the “IP address” obtained from the domain that transmitted the application information D1 Is reflected in the determination of validity, the validity of the application information D1 is enhanced, and the reliability of the electronic certificate 50 is further enhanced.

(6) The reliability of the electronic certificate 50 is further increased by adding sender information as a person in charge of the corporation to the electronic certificate 50.
(7) The recipient information indicating the recipient of the message is added to the electronic certificate 50, so that the reliability of the electronic certificate 50 is further improved for the recipient who has received the electronic certificate 50.

(8) Since the fact that the receiving terminal requested verification of the electronic certificate 50 is registered in the history DB 453, the traceability of communication is improved.
(9) Since it is registered that the receiving terminal trusts the public key, that is, the communication text is decrypted using the public key, the traceability of communication is improved. For example, the sender of the message can confirm that the message has been decrypted at the receiving terminal.

  (10) According to the terminal that generates the application information D1 including the specific corporate number and applies for the issuance of the electronic certificate with the application information D1, obtaining a highly reliable electronic certificate using the specific corporate number; The public key related to the electronic certificate can be disclosed.

  (11) According to the terminal notifying that a highly reliable electronic certificate using a specific corporate number has been trusted, a message that the electronic certificate is trusted, that is, a message with the electronic certificate attached is used. The history can be managed by the electronic certificate management system. Thereby, the traceability of communication is improved.

(Other embodiments)
In addition, the said embodiment can also be implemented with the following aspects.
In the above embodiment, the case where the corporate electronic certificate 50 is issued based on the corporate number is exemplified. However, it is not limited to this. For individuals other than corporations, electronic certificates that are highly reliable to individuals can be used if a specific personal number that identifies the individual can be verified by a highly reliable organization such as a public organization. May be issued.

  Specifically, as shown in FIG. 12, the electronic certificate 51 has the same items (51 a to 51 e, 512, 513) as the electronic certificate 50. The certificate issuance target of the electronic certificate 51: the name of the individual who applied for the issuance of the electronic certificate is stored in the personal name 51f, and the public key 51g of the issuance target is applied for the issuance of the electronic certificate. A public key generated by an individual may be stored. The extension area of the pre-signature certificate 511 may include personal identification information 51h such as a specific personal number / position information. The personal identification information 51h such as the specific personal number / position information includes an electronic certificate. Personal information such as a specific personal number or location information of an individual who has applied for issuance may be stored.

  In the above embodiment, the case where the corporate electronic certificate 50 and the personal electronic certificate 51 are separate has been illustrated. However, the present invention is not limited to this, and a plurality of electronic certificates may be handled as a group. For example, one electronic certificate may have a corporate electronic certificate and a personal electronic certificate. In this case, each electronic certificate may be verified.

  In the above embodiment, the case where the authentication gateway 30 and the corporate information management apparatus 15 are connected to each other via a communication path different from the Internet N is illustrated. However, the present invention is not limited to this, and the authentication gateway and the corporate information management apparatus may be connected to each other via the Internet N so long as communication confidentiality can be maintained.

  In the above-described embodiment, the case where the item of the corporate information 50h such as the specific corporate number / position information is provided in the extended area of the electronic certificate 50 and “corporate information” is stored in this item has been described. However, not limited to this, the extended area is provided with items of “applicant name” and “applicant identification number” in addition to storing corporate information in items such as specific corporate number and location information. The corresponding contents may be stored in each item. Further, an item “recipient information” may be provided, and contents corresponding to this item may be stored. As a result, the validity of the electronic certificate 50 can be improved.

  In the above embodiment, the case where the current position is detected by GPS or the like is illustrated. However, the present position is not limited to this, and the current position may be detected based on a wireless or wired telephone communication network, a mail delivery area, or the like, or may be detected using GPS or the like.

  In the above embodiment, the sender (second terminal 14) of the message sends a notification (message M40) that the encoded message sent by himself / herself has been decoded by the receiver (first terminal 13). The case where it can confirm by receiving and receiving the reply of the search result (message M42) with respect to the reference information D4 (message M41) was illustrated. However, the present invention is not limited to this, and the sender receives a notification (message M40) that the encoded communication message transmitted by the sender has been decoded by the receiver, or a search result for the reference information D4 (message M41). It may be possible to confirm either one of the responses to (Message M42).

  In the above embodiment, the case where “longitude / latitude” and “time” are included in the application information D1, the registration information D2, the record information D3, and the reference information D4 is illustrated. However, the present invention is not limited to this, and at least one of “longitude / latitude” and “time” may not be included in at least one of application information, public information, registration information, and reference information. This also reduces the amount of data handled while maintaining the reliability of the electronic certificate.

  In the above embodiment, the case where each of the first terminal 13 and the second terminal 14 includes the application units 13a and 14a, the transmission units 13b and 14b, and the reception units 13c and 14c is illustrated. However, the present invention is not limited to this, and the first terminal and the second terminal may include at least one of an application unit, a transmission unit, and a reception unit, depending on the application.

  In the above embodiment, the case where the “applicant”, “recipient”, and “sender” are employees of a corporation is illustrated. However, the present invention is not limited to this, and any device that can automatically perform the procedure concerned has at least one of “applicant”, “receiver”, and “sender” all or part of the device. May be.

  In the above embodiment, the certificate issuing unit 36 determines that the degree of matching by the domain information determining unit 32 is high, determines that the degree of matching by the corporate information determining unit 33 is high, and the position information processing unit 34. The case where the electronic certificate 50 is issued based on the determination that the degree of coincidence is high is illustrated. However, the present invention is not limited to this, and the certificate issuing unit may issue an electronic certificate based at least on a determination result that the degree of matching by the corporate information determination unit 33 is high (valid). Thereby, the amount of data handled can be reduced while maintaining the reliability of the electronic certificate.

  In the above-described embodiment, the case where the specific corporate number is a corporate number defined in the Japanese numbering law is illustrated. However, the present invention is not limited to this, and any information that can publicly specify a corporation may be used as a specific corporation number. For example, a code for identifying a corporation in a foreign country having the same function as a corporate number in Japan can be used. For example, “EIN” (Employer Identification Number) in the United States, “Enterprise Number” in Belgium, “KVK Number” in the Netherlands, and “Organization Number” in the Netherlands correspond to corporate numbers in Japan. . Also, “Business ID” in Norway, “CVR Number” in Denmark, “Organization Number” in Sweden, “UEN” in Singapore, “Organization Organization Code” in China, “Registration Number” in Thailand, In India, “CIN” is listed.

  N ... Internet, 10 ... Communication system, 12 ... Domain management device, 13 ... First terminal, 13a ... Application section, 13b ... Transmission section, 13c ... Reception section, 14 ... Second terminal, 14a ... Application section, 14b ... Transmission , 14c: receiving unit, 15: corporate information management apparatus, 20 ... certificate application unit, 21 ... certificate acquisition unit, 22 ... key generation unit, 23 ... signature unit, 24 ... key disclosure application unit, 30 ... authentication gateway 31 ... Issuing application processing unit, 32 ... Domain information determining unit, 33 ... Corporate information determining unit, 34 ... Location information processing unit, 35 ... Personal identification information processing unit, 36 ... Certificate issuing unit, 37 ... Certificate registration unit , 38 ... Certificate verification unit, 40 ... Key registration unit, 41 ... Key search unit, 42 ... History registration unit, 43 ... History reference unit, 45 ... Storage unit, 50 ... Electronic certificate, 51 ... Electronic certificate, 451 ... Electronic certificate database (DB), 52 ... public key DB, 453 ... history DB.

An electronic certificate management system that solves the above problems is an electronic certificate management system that issues an electronic certificate based on application information and manages the issued electronic certificate. a certificate history storage unit for holding, and corporate information included in the application information from the application information, country acquires a specific corporate number was assigns uniquely to corporations, a specific corporate number to the acquired specific to corporate information management apparatus for managing corporate information that country gave support to the corporation number
And transmits, receives the corporate information for a specific corporation number you acquired said corporate information management device or al, and corporate information thus received, based on the degree of matching between the corporate information included in the application information Corresponding to the result of determining that the corporate information included in the application information is valid by the corporate information determination unit that determines the legality of the corporate information included in the application information, the application information And a history registering unit that registers that the electronic certificate has been issued as a history relating to the issued electronic certificate in the certificate history storage unit. And

An electronic certificate management method for solving the above problem is an electronic certificate management method used in an electronic certificate management system that issues an electronic certificate based on application information and manages the issued electronic certificate, Corporate information determination unit, and corporate information included in the application information from the application information, country acquires a specific corporate number was assigns uniquely to corporations, a specific corporate number to the acquired, in particular corporate number The corporate information associated with the country is transmitted to the corporate information management apparatus that manages the corporate information , the corporate information corresponding to the acquired specific corporate number is received from the corporate information management apparatus, and the received corporate information and the application information are received. The legality of the corporate information included in the application information is determined based on the degree of coincidence with the included corporate information, and the certificate issuing unit determines the corporate information included in the application information in the corporate information determining unit. The electronic certificate based on the application information is issued corresponding to the result determined to be valid, and the history registration unit issues the electronic certificate as a history related to the issued electronic certificate in the certificate history storage unit The gist is to register what has been done.

As a preferred configuration, the application information includes position information indicating a current position detected by a position measurement device provided in the terminal to which the application information is transmitted, and the position information included in the application information A position information processing unit for determining a degree of coincidence with the location of the corporation included in the corporate information corresponding to the specific corporate number; and the certificate issuing unit further includes the location information processing for issuing the electronic certificate. Reflect the judgment result of the part.

As a preferred configuration, the application information includes sender information that is information indicating a person in charge of transmission of a communication message with the electronic certificate, and the certificate issuing unit includes the sender information. Including the electronic certificate.
According to such a configuration, the sender information is also added to the electronic certificate, so that the reliability of the electronic certificate is further increased.

As a preferred configuration, the application information includes receiver information that is information indicating a person in charge of receiving a communication message attached with the electronic certificate, and the certificate issuing unit includes the receiver information. Issue the electronic certificate.
According to such a configuration, the recipient information is also added to the electronic certificate, so that the reliability of the electronic certificate is further improved for the recipient who has received the electronic certificate.

An electronic certificate management system that solves the above problems is an electronic certificate management system that issues an electronic certificate based on application information and manages the issued electronic certificate. Holds the specific corporate number managed by the corporate information management device that manages the specific corporate number assigned to the corporate by the country , the certificate history storage unit to hold, the specific corporate number that is held, A terminal that generates the application information that is necessary for issuing the electronic certificate and includes the specific corporate number and the corporate information based on the corporate information that is held as information corresponding to the specific corporate number When the transmitted said acquired the corporate information from application information contained in the application information and with said certain corporate number, specific corporate number to the acquisition of the terminal, the country specific corporate number Transmits to the corporate information management device for managing together corporate information attached response, receive corporate information for a specific corporate number to the acquired from the corporate information management device, and corporate information thus received, the applicant A corporate information determination unit that determines the legitimacy of the corporate information included in the application information based on a degree of coincidence with the corporate information included in the information; and the corporate information included in the application information is valid by the corporate information determination unit. In response to the determination result, a certificate issuing unit that issues an electronic certificate based on the application information, and issuing the electronic certificate as a history related to the issued electronic certificate in the certificate history storage unit The gist of the present invention is to include a history registration unit for registering what has been done.

An electronic certificate management method for solving the above problem is an electronic certificate management method used in an electronic certificate management system that issues an electronic certificate based on application information and manages the issued electronic certificate, The terminal holds the specific corporate number managed by the corporate information management apparatus that manages the specific corporate number assigned to the legal entity by the country, and the specific corporate number held by the terminal and the specific corporate number Based on corporate information held as corresponding information, the application information that is necessary for issuing the electronic certificate and includes the specific corporate number and the corporate information is generated . get the said corporate information and the specific corporate number included in the application information from the transmitted said application information of the terminal, a specific corporate number to the acquired corporate information the country associated to a specific corporate number Transmits to the corporate information management device for managing together, the receive corporate information from corporate information management device corresponding to the specific corporate number to the acquired corporate information included in the received corporate information and the application information The legality of the corporate information included in the application information is determined based on the degree of coincidence with the certificate information, and the certificate issuing unit determines that the corporate information included in the application information is valid in the corporate information determination unit In response to the result, an electronic certificate based on the application information is issued, and the history registration unit registers in the certificate history storage unit that the electronic certificate has been issued as a history relating to the issued electronic certificate. The gist.

Preferred configuration, the application information is included positional information indicating the detected present position by the position measuring device is provided to the terminal to which the application information is transmitted, the position information included in the application information And a position information processing unit for determining a degree of coincidence between the location of the corporation included in the corporate information corresponding to the specific corporate number, and the certificate issuing unit further includes the location information for issuing the electronic certificate. Reflect the judgment result of the processing unit.

Claims (12)

An electronic certificate management system that issues an electronic certificate based on application information and manages the issued electronic certificate,
A certificate history storage unit that holds a history of issued electronic certificates;
From the corporate information management apparatus that acquires corporate information included in the application information from the application information and a specific corporate number uniquely assigned to the corporate entity and manages the corporate information in association with the specific corporate number, the application information Corporate information for determining the legitimacy of corporate information included in the application information based on the degree of coincidence between the corporate information obtained as corresponding to the specific corporate number acquired from the corporate information included in the application information A determination unit;
A certificate issuing unit that issues an electronic certificate based on the application information in response to a result of the corporate information determination unit determining that the corporate information included in the application information is valid;
An electronic certificate management system comprising: a history registration unit that registers that the electronic certificate has been issued as a history related to the issued electronic certificate in the certificate history storage unit. The electronic certificate management system according to claim 1, further comprising a history search unit that searches and outputs a history related to the electronic certificate registered in the certificate history storage unit in response to an external request. A public key storage unit for storing the public key and publicizing the public key;
A key registration unit for registering the public key to be registered in the public key storage unit together with the issued electronic certificate based on the registration information of the public key generated based on the issued electronic certificate; The electronic certificate management system according to claim 1 or 2. The application information includes position information indicating the position of the terminal to which the application information is transmitted. The position information included in the application information and the location of the corporation included in the corporate information corresponding to the specific corporate number A position information processing unit for determining the degree of matching of
The electronic certificate management system according to any one of claims 1 to 3, wherein the certificate issuing unit further reflects a determination result of the position information processing unit in issuing the electronic certificate. A match between the IP address obtained from the domain corresponding to the corporate information of the application information from the domain management device that manages the domain and its IP address in association with the IP address obtained from the domain that transmitted the application information A domain information processing unit for determining the degree of
The electronic certificate management system according to claim 1, wherein the certificate issuing unit further reflects a determination result of the domain information processing unit in issuing the electronic certificate. The application information includes sender information that is information indicating the sender,
The electronic certificate management system according to any one of claims 1 to 5, wherein the certificate issuing unit issues the electronic certificate including the sender information. The application information includes recipient information that is information indicating the recipient,
The electronic certificate management system according to any one of claims 1 to 6, wherein the certificate issuing unit issues the electronic certificate including the recipient information. A reply unit that returns a result of determination of the validity of the electronic certificate determined based on a request for verification of the electronic certificate from the receiving terminal that has received the electronic certificate to the receiving terminal;
The history registering unit further registers in the certificate history storage unit the fact that a request for verification has been received from the receiving terminal in association with the history regarding the electronic certificate. Electronic certificate management system. The history registration unit further receives domain information of the receiving terminal, user address information of the receiving terminal, and the electronic certificate to the receiving terminal when receiving from the receiving terminal that the determination result of the reply unit is trusted. The at least one piece of information of the address information of the user of the transmitting terminal that sent the certificate is acquired, and the acquired information is registered in the certificate history storage unit in association with the history about the electronic certificate. Electronic certificate management system. An electronic certificate using terminal that issues an electronic certificate and applies for an electronic certificate issuance to an electronic certificate management system that manages the issued electronic certificate,
The electronic certificate management system is the electronic certificate management system according to any one of claims 1 to 9,
The electronic certificate using terminal generates application information including corporate information and a specific corporate number uniquely assigned to the corporate entity and transmits the application information to the electronic certificate management system. The electronic certificate management system receives an electronic certificate issued by a certificate management system, and uses a public key of a pair of public key and private key generated based on the received electronic certificate together with the electronic certificate. An electronic certificate using terminal, characterized in that it has an application department that applies for disclosure. An electronic certificate using terminal that issues an electronic certificate and requests the electronic certificate management system that manages the issued electronic certificate to verify the electronic certificate,
The electronic certificate management system is the electronic certificate management system according to any one of claims 1 to 9,
The electronic certificate using terminal transmits an electronic certificate including a specific corporate number received from a sender to the electronic certificate management system, and verifies the validity of the transmitted electronic certificate. The electronic certificate transmitted by the sender based on the fact that the determination that the request is valid is obtained from the electronic certificate management system, and that the electronic certificate is trusted A receiving unit that transmits to the electronic certificate management system together with domain information of the electronic certificate using terminal, address information of the user of the electronic certificate using terminal, and address information of the sender An electronic certificate using terminal. An electronic certificate management method used in an electronic certificate management system that issues an electronic certificate based on application information and manages the issued electronic certificate,
Corporate information management unit that obtains corporate information included in the application information from the application information and a specific corporate number uniquely assigned to the corporate and manages the corporate information in association with the specific corporate number The corporate information corresponding to the acquired specific corporate number is acquired from the device, and the legitimacy of the corporate information included in the application information based on the degree of coincidence between the acquired corporate information and the corporate information included in the application information Determine
The certificate issuing unit issues an electronic certificate based on the application information corresponding to the result of determining that the corporate information included in the application information is valid in the corporate information determination unit,
A history registration unit registers in the certificate history storage unit that the electronic certificate has been issued as a history relating to the issued electronic certificate.