JP2020017308A - Information processing apparatus and program - Google Patents

Abstract

To provide an information processing apparatus for retrieving documents with attributes of related subjects, while suppressing a data amount of attribute information of the document, compared with a method of including the attribute of the subject related to the document in the attribute information of the document.SOLUTION: Attributes of each document (including an ID of a processing apparatus that generated the document)are stored in a metadata server 230, and attributes of the processing apparatus that generated each document are stored in a processing apparatus management server 240. (1) A search server 250 inquires of the processing apparatus management server 240 about a processing apparatus that satisfies a first search condition relating to an attribute of the processing apparatus, when a search condition including the first search condition is input, and inquires of the metadata server 230 about the document generated by the processing apparatus answered thereto. Then, from a document group answered for this inquiry, one that satisfies the remaining conditions among search conditions is retrieved.SELECTED DRAWING: Figure 19

Description

  The present invention relates to an information processing device and a program.

  In the system disclosed in Patent Document 1, a request for a document is received from a plurality of users having a computer having a display device or a printer together with unique user identification information. Next, the requests from the plurality of users are authenticated by the copyright server. Next, the copyright server instructs the document server to affect the correct authentication of each request. In response, the document server creates a uniquely encoded, compressed, and encrypted document for each authenticated request and authenticates the document to each authenticated requesting user over the network. The request is forwarded to the corresponding display or print agent of each requesting user. The document is uniquely encoded for each of a plurality of users. Finally, each agent decrypts and decompresses the document, making the document available only in response to the correct private key provided to the agent by the authenticated requesting user.

JP-A-7-239828

  The data may have several entities related to the data, such as a creator of the data, a user to which the data is provided, a device that generated the data, and the like. In addition to attribute items specific to the data, such as the creation date and creator of the data, attributes of the subject related to the data (for example, the version of the device that generated the data) are incorporated into the attribute information of the data. This makes it possible to search for the target data using the attribute of the related subject.

  However, if the attribute of the related subject is included, the data amount of the attribute information of the data becomes enormous, and the cost of storage and transfer increases.

  The present invention provides a mechanism capable of searching for data with the attribute of the related subject while suppressing the data amount of the attribute information of the data as compared with the method of including the attribute of the subject related to the data in the attribute information of the data.

  The invention according to claim 1 is a receiving unit that receives a search request including a first search condition for subject attribute information that is attribute information of a subject and a second search condition for data attribute information that is attribute information of data. A first search unit that searches for the subject identification information corresponding to the subject attribute information that satisfies the first search condition from a first management device that manages the subject identification information identifying the subject and the subject attribute information in association with each other , The data, the subject identification information of the subject related to the data, and the data attribute information of the data in association with the second management device. A second search unit that searches for data that is associated with information and has data attribute information that satisfies the second search condition. The subject related to the data is a processing device that has performed a process on the data, and the information processing device corresponds to the subject identification information associated with the data retrieved by the second retrieval unit. The information processing apparatus further includes control means for controlling the processing apparatus to perform reprocessing on the data.

  The invention according to claim 2, wherein the first management device manages the subject identification information and the attribute information of the subject in the time or the period in association with a time or a period, and the second management device Manages the subject identification information of the subject related to the data in the time or the time period in association with the data, and the first search means performs the first search The time or period corresponding to the attribute information satisfying a condition and the subject identification information are searched, and the second search unit searches the data corresponding to the time or period searched by the first search unit and the subject identification information. The information processing apparatus according to claim 1, wherein the information processing apparatus searches for the information.

  The invention according to claim 3, wherein: a receiving unit that receives a search condition relating to the attribute information of the subject; and a first management device that manages the subject identification information for identifying the subject in association with the attribute information of the subject. A first search unit that searches for the subject identification information corresponding to the attribute information that satisfies, and a second management device that manages data and the subject identification information of the subject related to the data in association with each other. A second search unit that searches for data associated with the subject identification information searched by the first search unit, wherein the first management device is associated with a time or a period, The second management device manages the subject identification information and the attribute information of the subject during the time or period, and associates the second management device with the data during the time or period in association with the time or period. Managing the subject identification information of the subject to be associated with the data, the first search means searches for a time or period and subject identification information corresponding to the attribute information satisfying the search condition, The second search unit searches for data corresponding to the time or period searched by the first search unit and the subject identification information, and the subject related to the data executes a process on the data. The information processing apparatus causes the processing apparatus corresponding to the subject identification information associated with the data retrieved by the second retrieval means to execute reprocessing on the data. Control means for performing control, wherein the processing is processing for generating encrypted data by encrypting the data with encryption software, and the re-processing is the second processing. It said data search means searches a process of re-encrypted by the latest version of the encryption software, an information processing apparatus.

  The invention according to claim 4 is a receiving unit that receives a search request including a first search condition for subject attribute information that is attribute information of the subject and a second search condition for data attribute information that is attribute information of data. A first search unit that searches for the subject identification information corresponding to the subject attribute information that satisfies the first search condition from a first management device that manages the subject identification information identifying the subject and the subject attribute information in association with each other , The data, the subject identification information of the subject related to the data, and the data attribute information of the data in association with the second management device. A second search unit that searches for data that is associated with information and has data attribute information that satisfies the second search condition. The subject related to the data is a user of the delivery destination of the data, and the second management device associates the data with the data and stores the delivery destination of the data as the subject identification information of the subject related to the data. Manages the user identification information of the user, and further manages the device identification information of the processing device that has executed the process on the data, and the information processing device stores the device identification information in the data searched by the second search means. The information processing apparatus further includes a control unit that controls the processing apparatus corresponding to the associated apparatus identification information to execute reprocessing on the data.

  The invention according to claim 5, wherein the process is a process of associating metadata including a list of user identification information of a user to which the data is distributed with the data, and the re-processing is performed by the second search unit. The information processing apparatus according to claim 4, wherein the processing is a step of deleting user identification information of a user searched by the first search unit from the list in the metadata associated with the searched data.

  The invention according to claim 6, wherein the processing is processing for associating metadata including information indicating the contents of the access authority of the distribution destination user to the data with the data, and wherein the reprocessing is performed by the second processing. The information processing apparatus according to claim 4, wherein the processing is a process of updating the content of the access right in the metadata associated with the data searched by a search unit.

  According to a seventh aspect of the present invention, a computer receives a search request including a first search condition relating to subject attribute information which is attribute information of a subject and a second search condition relating to data attribute information which is attribute information of data. Means for searching for the subject identification information corresponding to the subject attribute information that satisfies the first search condition from a first management device that manages the subject identification information identifying the subject and the subject attribute information in association with each other; A search unit, the subject searched by the first search unit from a second management device that manages data in association with the subject identification information of the subject related to the data and data attribute information of the data. A second search unit that searches for data that is associated with the identification information and that has data attribute information that satisfies the second search condition. A program, wherein the subject related to the data is a processing device that has executed processing on the data, and the program further corresponds to the computer in accordance with the data searched by the second search means. A program for causing the processing device corresponding to the attached subject identification information to function as control means for performing control to cause the data to be reprocessed.

  The invention according to claim 8, wherein a receiving unit for receiving a search condition relating to the attribute information of the subject, a first management device that manages the subject identification information identifying the subject and the attribute information of the subject in association with each other, A first search unit that searches for the subject identification information corresponding to the attribute information that satisfies a search condition; a second management device that manages data in association with the subject identification information of the subject related to the data; A program for functioning as a second search unit that searches for data associated with the subject identification information searched by the first search unit, wherein the first management device is configured to associate the time with a time or a period. , Manages the subject identification information and the attribute information of the subject in the time or period, and the second management device associates the time or period with the time or period. Manages the subject identification information of the subject related to the data in the data in association with the data, and the first search unit performs a process when the time or period and the subject identification information correspond to the attribute information satisfying the search condition. And the second search means searches for data corresponding to the time or period searched by the first search means and the subject identification information, and the subject related to the data includes A processing device that has performed processing for the data, the program stores the computer in the processing device corresponding to the subject identification information associated with the data retrieved by the second retrieval means, Control means for performing re-processing on the data, and the processing is to encrypt the data by encryption software. A process of generating the encrypted data and the re-processing is processing for re-encrypted by the latest version of the data to which the second retrieval means has retrieved the encrypted software, a program.

  According to the invention according to claim 1 or 7, while reducing the data amount of the attribute information of the data as compared with the method of including the attribute of the subject related to the data in the attribute information of the data, the data is stored in the attribute of the related subject Can be searched. Further, it is possible to search for data processed by a processing device that is a subject that satisfies the search condition, and cause the processing device to reprocess the data.

  According to the second aspect of the present invention, it is possible to search for a subject that satisfies the search condition at a certain time or period in the past, at that time or during a relevant period.

  According to the third or eighth aspect of the present invention, it is possible to search for data encrypted with vulnerable encryption software and re-encrypt the data with the latest vulnerable encryption software.

  According to the fourth aspect of the present invention, it is possible to search for data distributed to a user who is a subject that satisfies a search condition, and cause the processing device that has processed the data to reprocess the data.

  According to the invention according to claim 5, when it is desired to remove the user from the distribution destination for the data distributed to the user whose attribute is changed, the data distributed to such a user is searched. The distribution destination can be changed.

  According to the invention according to claim 6, when data to be distributed to a user whose attribute is changed is to be changed in the access right to the data in accordance with the attribute change, the data distributed to such a user , And the contents of the access authority to the searched data can be changed.

FIG. 1 is a diagram illustrating an example of a configuration of a document management system. FIG. 2 is a diagram for describing an outline of distribution and browsing of a document using a document management system. FIG. 4 is a diagram illustrating an example of data content of metadata. FIG. 4 is a diagram illustrating data contents managed by a user ID server. FIG. 4 is a diagram illustrating data contents managed by a DID server. FIG. 4 is a diagram illustrating data contents managed by a processing device management server. FIG. 3 is a diagram illustrating a configuration of a processing device and data contents of the processing device. FIG. 3 is a diagram illustrating a flow of document distribution and browsing in the document management system. It is a figure showing the example of the input screen of attribute data. It is a figure showing an example of an option setting screen. It is a figure showing an example of a list screen. It is a figure showing the example of the system composition provided with the organization management system. FIG. 11 is a diagram illustrating an example of a processing flow when a user obtains and browses metadata of a document using a processing device to which the user is not registered. FIG. 9 is a diagram illustrating an example of a processing flow when a user registers a document in a document management system using a processing device that is not registered by the user. It is a figure showing an example of data contents of DID. FIG. 9 is a diagram illustrating a flow of a status check process of a processing device executed by the processing device management server. FIG. 21 is a diagram illustrating another example of the flow of the status check processing of the processing device executed by the processing device management server. FIG. 11 is a diagram illustrating an example of a processing flow of a processing device when a vulnerability is found in encryption software. FIG. 9 is a diagram illustrating an example of a flow of searching for a protected document. FIG. 7 is a diagram illustrating a processing procedure of a search server. FIG. 14 is a diagram illustrating another example of the processing procedure of the search server.

  FIG. 1 shows a schematic configuration of one embodiment of a document management system.

  In the case of a paper document, a person having the document can freely copy or give it to another person. Also, those who have obtained the document can read the document. Thus, paper documents have an extremely high risk of information leakage.

  On the other hand, the document management system according to the present embodiment aims to provide an environment in which electronic documents can be used securely and reduce the risk of information leakage of the documents. Here, the document is content data that can be distributed as one unit (for example, one file), and the type of data is not particularly limited. For example, the concept of a document includes text data, document data created by word processing software, spreadsheet data created by spreadsheet software, CAD (Computer Aided Design) data, image data, video data, audio data, multimedia Includes data, page data displayed on a web browser, and other data created, edited, viewed on a PC, and printed out.

  This document management system includes a plurality of local systems 100 and a management system 200 that manages the local systems (particularly, a processing system described later). The management system 200 can communicate with each local system 100 via the wide area network 10 such as the Internet.

  The local system 100 includes one or more creating terminals 102, one or more viewing terminals 104, and a processing device 110 connected to a local network 108. The local network 108 is a private network (for example, configured as a LAN) provided in an organization such as a company, and is protected from the wide area network 10 by a firewall or the like. Basically, one processing device 110 is installed in the local system 100. When the private network in the organization is a large-scale one, each network segment constituting the private network may be a local system 100, and one processing device 110 may be installed in each local system 100. . For example, a network segment in a living room for each department of a certain company becomes the local system 100 of that department, and one processing device 110 is installed in that segment. In this example, a local system 100 having a processing device 110 as a core is formed for each company or each department of each company, and the processing devices 110 are managed by a central management system 200.

  The creation terminal 102 is a terminal used for creating a document, for example, a desktop or notebook personal computer, a workstation, a tablet terminal, a smartphone, a multifunction device, a scanner, a facsimile device, a digital camera, and the like. is there. An application for creating and editing documents is installed in the creating terminal 102. Software for requesting the document management system to distribute the created document is installed in the creation terminal 102. As a form of this software, implementation as a device driver for exchanging information with the processing device 110 described later, implementation using a Web application, and the like can be considered.

  The processing device 110 converts the document created by the creating terminal 102 into a protected document (hereinafter, also referred to as an “eDoc file”) that is used in a secure environment provided by the document management system of the present embodiment. Perform protection processing. The protection process can be said to be a process of encoding an original document into an eDoc, and in this sense, the processing device 110 is a kind of encoder. In this protection processing, the document is converted into, for example, data in a special format designed for the system of the present embodiment, and is encrypted in a form that can be decrypted only by the user specified as the distribution destination of the document. . Either format conversion or encryption may be performed first.

  Further, the processing device 110 creates metadata of the protected document, and registers the created metadata in the management system 200 which is a higher-level system. The metadata includes bibliographic information of the protected document, information on a distribution destination, information on a key used by each distribution destination to decrypt the protected document, and the like. The metadata includes a plurality of items, and data is assigned, edited, and updated by a corresponding device or user according to a function provided by this service.

  As an example, some of these items are specified by the user who has issued a document registration instruction to the document management system, and another part is created by the processing device 110. Further, the values of some items of the metadata may be set by the management system 200 or the browsing terminal 104. Further, the processing device 110 transmits the generated protected document (eDoc file) to the viewing terminal 104 of the distribution destination specified by the user.

  The protected document, that is, the eDoc file is obtained by converting the original document into a dedicated format and encrypting it, and is also called the main body of eDoc. To be able to view an eDoc file, corresponding metadata is required. The eDoc file and the metadata together constitute a complete protected document that can be viewed. The set of the eDoc file and the metadata corresponding to the eDoc file is hereinafter referred to as “eDoc”.

  The processing device 110 may have a function of a wireless LAN access point. In this case, the viewing terminal 104 can communicate with the processing device 110 via the wireless LAN.

  The viewing terminal 104 is a terminal used for viewing a protected document (eDoc file). Here, “browsing” means that the protected document is used in a form corresponding to the information content represented by the document. For example, when the protected document has a document such as a word processing data or a drawing as the information content, the browsing is that the user reads or views the document displayed by the browsing terminal 104. When the information content represented by the protected document is audio, browsing means that the user listens to the audio reproduced by the browsing terminal 104. The browsing terminal 104 is configured by installing a viewer application for browsing a protected document on a general-purpose computer such as a desktop or notebook personal computer, a workstation, a tablet terminal, and a smartphone. Alternatively, a terminal dedicated to browsing, such as an electronic book terminal, having the same function as the viewer application may be used as the browsing terminal 104. The viewer application has a function of decrypting an encrypted protected document by using information of metadata and a function of decoding data represented in a dedicated format of the protected document into readable data. Note that a computer that does not have a viewer application corresponding to the document management system of the present embodiment cannot decode data in a dedicated format into readable data.

  The browsing terminal 104 may have a function of receiving processing (editing) from the user on the displayed document in addition to the function of decrypting and decoding the protected document and displaying the document. Although the processed document has a different content from the original protected document, the edited document can be sent from the viewing terminal 104 to the processing device 110 and registered in the document management system (that is, encoded into a protected document). You may do so. Thus, one terminal may have the functions of both the creating terminal 102 and the browsing terminal 104. In addition, the authority (access authority information in the metadata described later) permitted to the viewer is set in the eDoc, and the contents of the authority include restrictions on writing to the eDoc, restrictions on the redistribution destination, and the like. It may be. In the case of an eDoc defined in the access authority information, such a restriction is accepted by the viewing terminal 104 only for a processing (editing) operation from the viewer within the range of the writing restriction, and for a new eDoc after the processing. The specification of the redistribution destination is accepted only within the limit of the redistribution destination.

  In the present embodiment, as an example, the authentication device 130 carried by the user is used as a tool for authenticating the user who uses the document management system of the present embodiment. The authentication device 130 is a device, such as an IC card, that incorporates identification information unique to a user who carries the device and executes data processing for user authentication in response to a request from an external device. The authentication device 130 may be a mobile terminal such as a smart phone that has a function equivalent to such an IC card for personal authentication. The viewing terminal 104 and the creation terminal 102 have a function of communicating with the authentication device 130 using a wireless communication protocol such as NFC (Near Field Communication). The browsing terminal 104 and the creation terminal 102 exchange information for user authentication with the authentication device 130 according to a predetermined protocol, and authenticate the user who carries the authentication device 130. Alternatively, the actual user authentication is executed by the server side of the document management system of this embodiment, such as the processing device 110 and the management system 200, and the browsing terminal 104 and the creation terminal 102 transfer data between the server side and the authentication device 130. May be used as a mediation system. Further, the browsing terminal 104 and the creating terminal 102 may have the function of the authentication device 130 built-in.

  The management system 200 manages the processing devices 110 in each local system 100. The management system 200 manages the metadata of the protected document generated by each of the processing devices 110, and provides the metadata to the browsing terminal 104 in response to a request. The management system 200 includes one computer or a plurality of computers that can communicate with each other, and has functions of a user ID server 210, a DID server 220, a metadata server 230, and a processing device management server 240.

  The user ID server 210 is a server that manages information of each user who uses the document management system. A user who uses the document management system has two layers. One is a contractor who has concluded a contract for using the document management system with the operator of this system, and the other is to register and browse documents using the system under the contract. General user. For example, it is assumed that a company is a contractor, and a processing device 110 is installed on the local network 108 of the company, and employees of the company often use the document management system via the processing device 110 as general users. Is done. The user ID server 210 holds and manages information on each of the contractor and the general user.

  The DID server 220 manages DID (document ID) which is identification information (ID) of a protected document. It is the processing device 110 that has created the protected document that actually assigns the DID to the protected document. However, the DID server 220 assigns the DID issuing authority and the issuance limit (number of issuances) to the processing device 110. , And receives and records the DID actually issued by the processing device 110 in the issuance authority and the issuance frame. As a result, the DID server 220 suppresses the occurrence of an invalid DID, and can detect a document having an invalid DID.

  The metadata server 230 holds and manages the metadata of the protected document (eDoc file) generated by the processing device 110. When a user requests metadata of a protected document from the user via the viewing terminal 104, the metadata server 230 provides the metadata to the viewing terminal 104 if the user is a valid person. It should be noted that the user (viewer) who requests the metadata is “a legitimate person” for the metadata server 230 when the combination of the user and the browsing terminal 104 used when the user issues the request is described. , The delivery destination user and the delivery destination indicated in the delivery destination information (described in detail later) in the metadata held by the metadata server 230 in association with the DID of the eDoc file (this is included in the request). This is the case where the combination corresponds to the combination of the viewing terminals 104.

  The processing device management server 240 is a server that manages the status (state) of each processing device 110.

  With reference to FIG. 2, the mechanism of the present embodiment will be schematically described.

  (0) The management system 200 (the DID server 220) previously assigns a right to issue a DID (document ID) and an issuance frame (number of documents) accompanying the right to issue to the processing device 110 in the local system 100. . The right to issue the DID is not limited and is limited to the issuance limit of the management system 200. In other words, the processing device 110 can assign a DID based on the issuance right granted at the same time as long as the number of documents is equal to or less than the number indicated by the issuance space assigned from the management system 200. When the issue slots are used up, the processing device 110 receives a new issue right and a new issue slot from the management system 200.

  (1) When the user wants to register a document in the document management system of the present embodiment (that is, to distribute the document), the user instructs the creation terminal 102 to register the document (for example, instructs “registration” on a menu of the application). The creation terminal 102 receiving this instruction requests user authentication. This authentication may be performed by inputting a user ID and a password, or may be performed by the user bringing the authentication device 130 close to the vicinity of the card reader unit of the creation terminal 102. The user authentication may be performed by the creation terminal 102 or the processing device 110 to which the document is registered. Then, the user selects a document to be registered in the document management system from the documents held in the creation terminal 102 and instructs the registration.

  When receiving a document registration instruction from a user, the creation terminal 102 (more specifically, a registration processing program installed in the creation terminal 102) specifies items (for example, document Of the distribution destination). Here, the designation of the combination of the user and the viewing terminal 104 may be received as the distribution destination. In this case, when the combination of the user and the browsing terminal 104 used by the user for browsing the document matches the combination specified as the distribution destination, the user can browse the document.

  The creation terminal 102 converts the attribute data such as the distribution destination input by the user and other attribute items (eg, registrant information, creation date and time) generated by the creation terminal 102 itself into data of the document. With the processing device 110. Note that the creation terminal 102 may have a driver that converts documents in various formats created by various applications into a unified format that can be handled by the viewing terminal 104. For example, in the case of data indicating a static document image such as word processing data, spreadsheet, or CAD data, the driver converts the data into a document described in a page description language, similar to a printer driver. Further, for example, when the original data is audio data, the driver converts the audio data into data (document) in a specific audio data format supported by the document management system (particularly, the browsing terminal 104) of the present embodiment. .

  (2) The processing device 110 performs a protection process on the document to be registered received from the creation terminal 102 to generate a protected document (eDoc file). In this generation, the received document is encoded into a dedicated format of the document management system according to the present embodiment, and the encoded data is encrypted using the generated encryption key to generate an eDoc file. The order of encoding and encryption may be reversed. Further, the processing device 110 assigns a unique DID to the eDoc. The DID has information (issuance authority key, which will be described later) proving that it is based on the issuance authority received from the management system 200, and information (issued, which will be described later) which has been given by the processing apparatus 110 itself. Certification key). A detailed example of the data structure of the DID will be described later. The generated DID is embedded in the eDoc file (for example, as one item of the property of the file).

  Further, the processing device 110 generates metadata corresponding to the generated eDoc file. The metadata includes attribute data received together with the document from the creation terminal 102 and values of attribute items (for example, DID, ID of the processing device itself, encoding date and time, encryption key information) generated by the processing device 110 itself. included. The encryption key information included in the metadata is information indicating a key for decrypting the eDoc file. When a common key method is used for encryption, the encryption key information is information indicating the common key. However, if the common key itself is included in the metadata in plain text, there is a concern that it will be misused by eavesdropping or eavesdropping. Therefore, the common key encrypted with the public key of the distribution destination user is embedded in the metadata as encryption key information. .

  Further, the processing device 110 stores the generated eDoc file and metadata in a built-in database.

  (3) The processing device 110 transmits the generated metadata to the management system 200 and registers it. The management system 200 (metadata server 230) stores the received metadata.

  (4) The processing device 110 distributes the generated eDoc file to the viewing terminal 104 designated as the distribution destination. This distribution may be a push type or a pull type, or both (for example, the push distribution at the time of creating the eDoc, and the browsing terminal 104 which is not operated and does not receive at that time receives the pull type distribution). This distribution is performed via the local network 108 in the local system 100.

  (5) The eDoc file received by the viewing terminal 104 cannot be viewed as it is because it is protected by encryption or the like. When the user wants to browse the eDoc file on the browsing terminal 104, the user is authenticated by bringing his / her authentication device 130 close to the card reader unit of the browsing terminal 104, and then browses the eDoc on the screen of the browsing terminal 104. Instruct. The browsing terminal 104 that has received this instruction accesses the management system 200 and requests the metadata of the eDoc. This request includes the DID of the eDoc.

  (6) The management system 200 (metadata server 230) transmits the latest metadata of the eDoc requested from the viewing terminal 104 to the viewing terminal 104.

  (7) When the viewing terminal 104 receives the requested metadata from the management system 200, the delivery destination information included in the metadata includes the viewing terminal 104 and the user (authentication device) currently using the viewing terminal 104 in the delivery destination information. It is determined whether or not the combination with (authenticated in 130) is included. If not included, the user does not have the right to view the eDoc on the viewing terminal 104, so the viewing terminal 104 does not open the eDoc file and displays an error message indicating that there is no viewing right. If so, the user has permission to view the eDoc file at the viewing terminal 104. In this case, the browsing terminal 104 decrypts the eDoc file using the encryption key information included in the metadata and displays the decrypted eDoc file on the screen (that is, outputs the eDoc file in a form corresponding to the information content of the eDoc file).

  An expiration date can be set for the metadata. The expiration date is obtained, for example, by adding a prescribed expiration period or a expiration period designated by a distributor or the like to the date and time when the metadata is transmitted. After the expiration date of the metadata has passed, the viewing terminal 104 cannot open (decrypt and display) the corresponding eDoc file unless the metadata is reacquired from the management system 200 again. If the browsing terminal 104 can communicate with the processing device 110 or the management system 200, the browsing terminal 104 acquires the latest metadata of the eDoc file designated as the browsing target at the time of the designation from the processing device 110 or the management system 200, It is determined whether browsing is possible based on the latest metadata.

  After the metadata is registered in the management system 200 for the first time, the distribution destination information and the access right information included in the meta data are distributed by the distributor or a person authorized to change the distribution destination (for example, possessing the data editing authority). May be changed. Even if the user is designated as the distribution destination when the eDoc is created and registered, if the user is removed from the distribution destination by a subsequent change, the browsing terminal 104 uses the latest metadata acquired from the management system 200. Is detected by the distribution destination information included in the eDoc file, and the eDoc file is not displayed.

  Next, an example of the data content of the eDoc metadata 300 will be described with reference to FIG.

  Of the items included in the metadata 300, “DID” is a document ID assigned by the processing device 110 that has generated the eDoc. “Document name” is the name or title of the eDoc.

  The “distributor ID” is a person who has distributed the eDoc, that is, a person who performs a document registration operation from the creation terminal 102 to the processing device 110 and distributes the document via the processing device 110 (hereinafter, referred to as a distributor). User ID.

  The “encoding date and time” is the date and time when the document from the creating terminal 102 was encoded (protected) and its eDoc was created. “Processing device ID” is identification information of the processing device that has performed the protection process. “Encryption information” is information on encryption at the time of generation of the eDoc, and includes the name of the encryption software used for encryption, the version of the encryption software, and a key for releasing (decrypting) the encryption. Is included. The key information is, for example, information obtained by encrypting a key for decryption with the public key of each distribution destination user. “Keyword information” is a list of keywords extracted from the eDoc (or original data). This keyword information is used, for example, when searching for an eDoc.

  “Distribution destination information” is information indicating the user and the viewing terminal designated by the distributor as the distribution destination of the eDoc. In the example of FIG. 3, the distribution destination information includes, for each distribution destination user, the user ID of the user and the ID (identification information) of the browsing terminal 104 that the user should use for browsing. When the user specifies a plurality of browsing terminals 104 that can be used for browsing the eDoc, a set of the user ID of the user and the IDs of the plurality of browsing terminals 104 is incorporated in the distribution destination information.

  As another example, when a method is adopted in which the distribution destination user can browse the eDoc using any of the browsing terminals 104 designated as the distribution destination, the distribution destination information includes the distribution destination user. And a list of IDs of distribution destination viewing terminals 104 are included. For example, as a candidate of the distribution destination viewing terminal 104, a shared terminal of a department, a terminal provided in a room or a conference room of the department, or the like may be assumed. It is not decided who the users in the organization will use, such as shared terminals and equipment installed in rooms (also a type of shared terminal), but the distributor knows at least what kind of terminal it is, It is also known that it is unlikely that the document will be taken out of the organization without permission, so it is eligible as a distribution destination for confidential documents. In the case of using eDocs with a shared terminal whose characteristics are known in this way, a use form in which the distribution destination user may use any of the browsing terminals 104 designated as the distribution destination is considered. Can be

  The “access right information” is information indicating the use right for the eDoc that the distributor has given to the destination user.

  The “offline valid period” is information indicating the length of the valid period of the metadata. That is, even when the browsing terminal 104 cannot access the management system 200 (offline state), there is metadata that has been acquired and cached at the time of the previous browsing of the eDoc, and the metadata is acquired from the date and time of acquisition of the metadata. If it is within the “offline validity period”, the browsing terminal 104 decrypts and displays the eDoc using the encryption key information in the metadata. On the other hand, if the offline state of the cached metadata for the eDoc for which browsing has been instructed has already passed, the browsing terminal 104 does not decrypt the eDoc and therefore does not display it. When the user instructs browsing of an eDoc while the browsing terminal 104 is accessible to the management system 200 (that is, online), the browsing terminal 104 transmits the latest metadata of the eDoc to the management system 200 (particularly, the metadata server 230). ) And use it.

  The “original data information” includes information indicating whether or not the original data before the eDoc is generated (encoded) is stored, and, if stored, information indicating a storage location of the original data (for example, URL: Uniform Resource Locator). The original data here is, for example, a document (before the protection processing is performed) sent from the creating terminal 102 to the processing device 110, or application data on which the document is based (for example, the document is page description language data). In this case, the data is data of word processing software before conversion into the data) or both.

  The “document acquisition date and time” is the date and time when the browsing terminal 104 acquired the file of the body data of the eDoc (that is, the eDoc file). The “metadata acquisition date and time” is the date and time when the browsing terminal 104 acquired the latest metadata currently cached for the eDoc from the management system 200. The document acquisition date and time and the metadata acquisition date and time are not included in the metadata held in the management system 200, and are added by the viewing terminal 104 to the metadata acquired from the management system 200 for management by the own device. .

  In the metadata items shown in FIG. 3, DID, encoding date and time, processing device ID, encryption information, and keyword information are information generated by the processing device 110. Further, the document name, distributor ID, distribution destination information, access authority information, offline validity period, and original data information are derived from documents and attribute data sent from the creation terminal 102 to the processing device 110.

  Next, data contents of information managed by each of the servers 210 to 250 of the management system 200 will be exemplified.

  First, an example of data content managed by the user ID server 210 will be described with reference to FIG. In the user ID server 210, contractor data 212 of each contractor and user data 214 of each general user are registered.

  The contractor data 212 includes a contractor ID, contract content information, and a user list. The contractor ID is identification information of a contractor (for example, an organization or a department within the organization) that has contracted with the operator of the document management system. The user list is a list of user IDs of general users (for example, members belonging to an organization that is a contractor) who use the document management system according to the contract of the contractor.

  The general user data 214 includes the general user's user ID, password, user ID key information, public key certificate, predetermined processing device ID, predetermined viewing terminal list, and affiliation information. The user ID key information is authentication information of the user used by the authentication device 130 of the user. The public key certificate is a digital certificate that certifies the user's public key. The default processing device ID is the ID of the processing device 110 in which the user is registered. Usually, a user is registered in the processing device 110 located in the office to which the user belongs, and the processing device 110 is a default processing device for the user. The default browsing terminal list is a list of IDs of one or more browsing terminals mainly used by the user. The browsing terminals included in this list are candidates for distribution destination terminals when eDocs are distributed to the user. The affiliation information is information for specifying an organization to which the user belongs, a department thereof, and the like, and is, for example, a contractor ID of the organization or the department.

  Next, an example of data content managed by the DID server 220 will be described with reference to FIG.

  As shown in FIG. 5, the DID server 220 issues, for each issuing authority key issued to the processing device, an issue frame, an assignee processing device, a key assignment date and time, a key end date and time, and information on each item of the issued DID list. Holding.

  The issuance authority key is key information (for example, a character string generated at random) that is given by the DID server 220 to the processing device 110 and that certifies the authority to issue the DID. The processing device 110 certifies that the DID has been issued under valid issuing authority by including the issuing authority key assigned from the DID server 220 in the DID issued by itself.

  The issuance frame is the upper limit of the number of DIDs issued to the processing device 110 together with the issuance authority key (the upper limit of the number of documents to which DID can be assigned). When the pair of the issuing authority key and the issuing slot is assigned from the DID server 220, the processing device 110 can assign a unique DID to each of the eDocs up to the upper limit indicated by the issuing slot.

  The grant destination processing device indicates the ID of the grant destination processing device 110 of the issuing authority key (and the issuing frame). The key assignment date and time is the date and time when the issuing authority key is assigned to the processing device 110. The key end date and time is the date and time when the granting processing device 110 has finished using the issuance authority key. In other words, it is the date and time when the processing device 110 has finished giving DIDs to the upper limit number of eDocs indicated by the issuance space assigned together with the issuance authority key. In the case where the processing apparatus 110 employs a mechanism for requesting the DID server 220 for the next issuance authority key and the next issuance frame after the issuance period is exhausted, the key end of a certain issuance authority key (referred to as a first key) is terminated. Instead of explicitly recording the date and time, the key grant date and time of the issue authority key assigned to the processing device 110 next to the issue authority key may be used as the key end date and time of the first key. The issued DID list is a list of DIDs issued by the processing device 110 of the grant destination using the issuance authority key and the issuance date. Each time the assigning processing apparatus 110 issues a DID using the issuing authority key, the DID server 220 notifies the DID server 220 of the issued DID, and the DID server 220 includes the notified DID and the issue date in the DID. Is added to the issued DID list corresponding to the issuing authority key to be issued.

  The metadata server 230 stores the metadata of each eDoc sent from each processing device 110. The data content of the metadata to be stored is the same as that illustrated in FIG. However, of the metadata items illustrated in FIG. 3, items (document acquisition date and time, metadata acquisition date and time, etc.) used only by the browsing terminal 104 are not managed by the metadata server 230.

  Next, data managed by the processing device management server 240 will be described with reference to FIG. The processing device management server 240 stores a status history 242 of the processing device 110 for each processing device 110 to be managed. The status history includes information on the status 244 of the processing device 110 at the time of creation and individual update (creation / update date and time) in association with the ID of the processing device 110.

  The status 244 at each time includes the installation location, contractor ID, administrator name, administrator contact information, registered user list, software information 246, hardware information 248, free disk space, and security certificate information. It is. The installation location is information indicating the installation location of the processing device 110, and includes, for example, information such as an address, a building name, and the number of floors. The contractor ID is the ID of the contractor using the processing device 110. The administrator name is the name of the administrator of the processing device 110. The administrator is a user who manages the processing device 110 in a department where the processing device 110 is installed. The administrator contact information is contact information (for example, an e-mail address) of the administrator. The registered user list is a list of user IDs of the users registered in the processing device 110 (in other words, users who set the processing device 110 as “predetermined processing device”).

  The software information 246 includes an encoding software name, an encoding software version, an encryption software name, an encryption software version, and names and versions of other software installed in the processing device 110. Here, the encoding software is software that converts (encodes) a document input from the creation terminal 102 into a format dedicated to the document management system. The encryption software is software for encrypting a document (for example, a document converted into a dedicated format).

  The hardware information 248 includes items such as encoding circuit information, an encoding circuit FW version, and a manufacturer name of the processing device 110. The encoding circuit information is information indicating a model of a hardware circuit used for the encoding process. The encoding circuit FW version is a firmware (FW) version of the encoding circuit.

  The disk free space is the free space of the secondary storage device such as a hard disk or a solid state disk of the processing device 110 at that time.

  The security certificate information includes information (for example, a subject (subject: subject) identifier, an issuer (issuer: issuer) identifier, and issue date / time) of each security certificate installed at that time in the processing device 110. Etc.).

  Although not shown for the sake of simplicity, the status 244 includes the type of font (a list of font names) installed in the processing device 110, an address for network communication (for example, an IP address), and the like. Device ID of the secondary storage device (such as a hard disk drive), information indicating the contents of customization for connecting the processing device 110 to the core system of the installation organization, an encryption key (communication path encryption) used by the processing device 110 And the date and time of installation of the signature).

  Next, a database group held by the processing device 110 will be described with reference to FIG. As illustrated, the processing device 110 includes a management information storage unit 112, a user DB 114, and a document DB 116.

  The management information storage unit 112 stores management information 112a. The management information 112a includes items such as host device address information, a security certificate, an encryption key, an encoding software name, an encoding software version, an encryption software name, and an encryption software version. The higher-level device address information is information on each communication address (for example, an IP address, a URL, and the like) of the higher-level device that manages the processing device 110. The management system 200 and the respective servers 210 to 240 therein, or the in-house management system 150 described later and the respective servers 152 to 156 therein are examples of higher-level devices. The security certificate is a digital certificate used when the processing device 110 performs secure communication based on the public key infrastructure with another device on the network. The processing device 110 holds a security certificate of each higher-level device with which communication is frequently performed. Further, the security certificate of each user who uses the creation terminal 102 or the browsing terminal 104 may be held. The encryption key is used for purposes such as encryption and decryption when the processing device 110 communicates with another device on the network, a digital signature by the processing device 110 (or generation of certification information similar thereto), and the like. Is a pair of a secret key and a public key given to the processing device 110 in a public key infrastructure, for example. The encoding software and the encryption software are software for encoding (conversion to a dedicated format) and encryption installed in the processing device 110, respectively.

  The user DB 114 stores user information 114a of each user registered in the processing device 110 (in other words, a user who sets the processing device 110 as a “default processing device”). The user information 114a of each registered user includes items such as a user ID, a password, user ID key information, public key information, and a predetermined viewing terminal list. These items have been described in the description of the data held by the user ID server 210 (see FIG. 4).

  The document DB 116 stores an eDoc file generated by the processing device 110 and metadata corresponding to the eDoc file. Since the eDoc file and the metadata include DID information, they can be associated with each other. In the document DB 116, the original data before being encoded into the eDoc (the data received from the creating terminal 102) may be registered in association with the DID of the eDoc.

  The creating terminal 102 and the browsing terminal 104 provide, for each user who uses the terminal, authentication information (user ID, password, and the like) of the user, an ID of a predetermined processing device, address information of a predetermined processing device, a higher-level device (for example, It stores address information of the management system 200 and an in-house management system 150 (described later), security certificates of processing devices and higher-level devices, encryption keys used for encryption of communication paths, and the like.

<System processing flow>
When the processing device 110 is installed on the local network 108, a maintenance worker who performs maintenance of the processing device 110 can provide the processing device 110 with information of a user who uses the processing device 110 and a user who can use the information. The information of the creation terminal 102 and the browsing terminal 104 which have a possibility is registered. The registered user information is also transferred to and registered in the user ID server 210 (or a local user ID server 152 described later), which is a higher-level device. If the number of users who use the processing device 110 increases or decreases after installation, the maintenance worker newly registers information of the increased user with respect to the processing device 110, Perform operations such as deleting information registration. Such addition or deletion is also notified to a higher-level device such as the user ID server 210, and the information held by the higher-level device is updated accordingly. Further, the maintenance worker installs software (for example, in the form of a device driver of the processing device 110) for performing a process of requesting the processing device 110 to register and distribute a document to each of the creation terminals 102. In addition, the maintenance worker registers information (for example, device name, communication address, wireless access setting) and the like for communication with the processing device 110 in each browsing terminal 104.

  Next, a flow of processing when a document is registered and distributed via the document management system of the present embodiment will be described with reference to FIG.

  (1) -1: When the user (distributor) instructs the creation terminal 102 to register a document, the creation terminal 102 inputs login authentication information (for example, a user ID and password or the authentication device 130). Display the screen you want. When the distributor inputs authentication information in response to the request, the creation terminal 102 transmits the authentication information to the processing device 110 via the local network 108.

  (1) -2: The processing device 110 that has received the login authentication information performs user authentication using the information. Here, it is assumed that the user authentication has been successful (it has been confirmed that the user is correct). In the illustrated example, login authentication is performed using a login ID and a password. However, if the creation terminal 102 supports communication with the authentication device 130, login authentication may be performed using the authentication device 130.

  (2) -1: When the login authentication is successful, the user selects a document to be registered in the document management system (and to be distributed to another user) from the documents held in the creation terminal 102, and sends the document to the processing device 110. Instruct the registration of. Then, software (for example, a device driver) serving as an interface with the processing device 110 is activated, receives input of attribute data of the document from the user, and transmits the received attribute data and data of the document to the processing device 110.

  FIG. 9 shows an example of this attribute data input screen 400. The input screen 400 includes a distribution destination user selection menu 402, a distribution destination user list column 404, a distribution destination terminal selection menu 406, a distribution destination terminal list column 408, an access authority setting column 410, an offline effective period menu 412, and an option setting call. Button 414 is included.

  The distribution destination user selection menu 402 is a pull-down menu that lists options of distribution destination users of the document. The optional users are the users registered in the processing device 110, and a list of the IDs and user names of the optional users may be obtained from the processing device 110. Alternatively, the creation terminal 102 obtains a list of users from a local user ID server 152 (see FIG. 12) described later that manages information of users of the document management system belonging to the organization, and the distributor distributes the list to other users in the organization A user registered in the processing device 110 may be selected as a distribution destination. In this case, in the distribution destination user selection menu 402, each user is displayed in a display form in which the processing device 110 in which each user is registered can be distinguished. For example, the user may be displayed in a different color or font for each processing device 110 with which the user is registered. Alternatively, the menu may have a hierarchical structure, in which the processing device 110 is first selected, a list of users registered in the processing device 110 is called, and a user of the distribution destination is selected from the list. A delivery destination user list field 404 displays a list of delivery destination users selected by the user. When the distributor selects a distribution destination user from the distribution destination user selection menu 402 and presses an “Add” button on the right side, the user ID or user name of the distribution destination user is added to the distribution destination user list field 404. When the distributor selects a distribution destination user in the distribution destination user list field 404 and presses a “delete” button on the right side, the distribution destination user is deleted from the distribution destination user list field 404 (that is, the distribution destination user is no longer a distribution destination). ).

  The distribution destination terminal selection menu 406 is a pull-down menu that lists options of the viewing terminal (viewer) 104 as a distribution destination of the document. The browsing terminals 104 as options are registered in the processing device 110, and a list of IDs and terminal names of the browsing terminals 104 as options may be obtained from the processing device 110. Alternatively, the processing device 110 itself, the local user ID server 152 (see FIG. 12, details will be described later), and the like have a list of the browsing terminals 104 in the organization registered in the document management system. The list may be presented to the distributor so that the browsing terminal 104 of the user registered in another processing device 110 in the organization can be selected as the distribution destination. The distribution destination user list column 404 displays a list of distribution destination viewing terminals 104 selected by the distributor in the distribution destination terminal selection menu 406, as in the case of the distribution destination user list column 404.

  In addition, you may enable it to specify the browsing terminal 104 of the distribution destination corresponding to the user for every distribution destination user. For this purpose, for example, each time a distribution destination user is selected in the distribution destination user list field 404, the creation terminal 102 transmits the user's default from the processing device 110 (or the local user ID server 152 or the user ID server 210). A list of viewing terminals may be obtained, and the list may be set in the distribution destination terminal selection menu 406. If the distributor does not explicitly select the distribution destination viewing terminal 104 for the distribution destination user, a specific one (for example, the top of the list) in the list of default browsing terminals of the user is automatically distributed. The selected terminal 104 is selected.

  The access right setting column 410 is a column for setting the access right (use right) of the distribution destination user to the document. In the illustrated example, check boxes for four authority items of browsing, processing (editing), printing, and copying are shown, and the distributor checks the check boxes of items permitted to the distribution destination user for the document. .

  The offline valid period menu 412 is a pull-down menu showing options for the length of the offline valid period set for the document. The distributor selects a period to be set for the document to be registered and distributed to the system this time from among several stages of the offline valid period shown in the offline valid period menu 412.

  When the option setting call button 414 is pressed, the creation terminal 102 displays an option setting screen 420 illustrated in FIG. The option setting screen 420 includes a processing device designation column 422 and an original data setting column 424. The processing device designation field 422 includes a pull-down menu showing options of the processing device 110 to which the document is to be transmitted. This menu includes a list of processing devices 110 that can be selected from the creation terminal 102. The processing devices 110 included in this list are, first, the processing devices 110 in the local system 100 to which the creation terminal 102 belongs (there is basically one, but there may be more than one). Further, the processing device 110 of another local system 100 in the same organization may be included in the list. In the original data setting column 424, a pull-down menu for accepting a selection as to whether the original data on which the eDoc is based is stored in the processing device 110 is displayed.

  The attribute data sent from the creating terminal 102 to the processing device 110 in step (2) -1 includes distribution destination information (user list and browsing terminal list), access authority information, Information such as an offline validity period and original data information is included.

  Returning to the description of FIG.

  (2) -2: The processing device 110 receives a document (called a target document) and attribute data from the creation terminal 102.

  (3) -1: If the processing device 110 has not received the DID issuing authority and the issuing frame (or has used up the received issuing frame), the processing device 110 issues a new issuing authority to the DID server 220 of the management system 200. And request an issue slot. If there is any remaining in the received issuance slot, the process proceeds to step (4) described later without making this request.

  (3) -2: In response to a request from the processing device 110, the DID server 220 transmits a new issuing authority and an issuing frame to the processing device 110.

  (4) The processing device 110 issues a DID using the issuance authority assigned from the DID server 220, and assigns the DID to an eDoc (generated in the next step) generated from the target document.

  (5) -1: The processing device 110 generates an encryption key for encrypting the target document using, for example, a random number or the like. Further, the processing device 110 converts the target document into an eDoc file. In other words, the eDoc file is generated by encoding the target document into a special format of the document management system and encrypting the encoding result with the encryption key generated earlier. The generated eDoc file includes the information of the DID generated earlier.

  (5) -2: The processing device 110 generates metadata of the generated eDoc. That is, metadata is generated by adding the previously generated DID, encoding date and time, ID of the processing device 110, encryption information, and the like to the attribute data received from the creation terminal 102 (see FIG. 3). Here, the encryption information includes, for each distribution destination user, key information obtained by encrypting the encryption key used for encryption with the public key of the distribution destination user.

  (5) -3: When receiving an instruction to store the original data from the creation terminal 102, the processing device 110 saves the document received from the creation terminal 102 (or the application data from which the document is based). I do.

  (6) -1: The processing device 110 uploads the DID generated earlier to the DID server 220. The DID server 220 stores the DID uploaded from the processing device 110.

  (6) -2: The processing device 110 uploads the generated metadata to the metadata server 230. The metadata server 230 stores the metadata uploaded from the processing device 110.

  (7) The processing device 110 transmits a distribution preparation completion notification for the eDoc to each viewing terminal 104 to which the generated eDoc is distributed. This notification includes the information of the DID and the document name of the eDoc generated earlier. Also, this notification may include a thumbnail image of a representative page of the eDoc (a previously specified page such as the first page).

  Now, the user (referred to as a viewer) who uses the browsing terminal 104 receives user authentication by bringing his / her authentication device 130 close to the card reader unit of the browsing terminal 104. The browsing terminal 104 displays a list screen displaying a list of eDocs distributed to itself. FIG. 11 shows an example of this list screen 500. The list screen 500 in this example includes a notification mark 502, a document name 504 of the eDoc, and a browsability mark 506 for each eDoc. The notification mark 502 is a mark for notifying a viewer of the state of the eDoc. The state of the eDoc represented by the notification mark 502 includes "new arrival" (a state in which the document has not been opened after the document has been distributed from the processing device 110, which is indicated by a "☆" mark in the figure), and "normal" (no mark in the figure). ), "Expired" (access validity period has expired; indicated by "!" In the figure), and the like. Regarding the “expired” state, even if the eDoc file is stored in the browsing terminal 104, the browsing cannot be performed until the latest metadata about the eDoc is acquired from the processing device 110 or the management system 200. For the eDocs in the “normal” state, the metadata that has not expired in the access validity period is stored (cached) in the browsing terminal 104. Even if you are offline, you can browse. The browsing permission / prohibition mark 506 indicates that the combination of the browsing terminal 104 and the user using the same (authentication by the authentication device 130) indicates the distribution destination of the eDoc indicated in the metadata of the eDoc cached in the browsing terminal 104. It indicates whether the combination of the user and the viewing terminal 104 matches. If they match, the eDoc can be browsed (marked with “○” in the figure), and if they do not match, it cannot be browsed (marked with “x” in the figure). For eDocs that have received the distribution preparation completion notification but have not yet received the eDoc file and metadata, the browsing terminal 104 does not have information on the criteria for determining whether or not the combination matches the combination of distribution destinations. The permission / inhibition mark 506 is a “-” mark indicating that it is undecided. In the illustrated example, the three eDocs from the top are new, and the eDoc body (file and metadata) has not yet been acquired, so that the browsing permission / inhibition mark 506 is a mark indicating undecided.

  The viewer selects an eDoc he or she wants to view on the list screen (FIG. 11) by, for example, a touch operation, and gives a browsing instruction. Here, it is assumed that the newly arrived eDoc (the notification mark 502 is a “☆” mark) is selected as the browsing target.

  (8) Return to the description of FIG. Since the viewing terminal 104 does not hold the selected viewing target eDoc file and metadata, it is necessary to acquire the eDoc file from the processing device 110. Therefore, the browsing terminal 104 sends the user ID key, which is the authentication information acquired from the authentication device 130 of the browsing user, to the processing device 110 on the local network 108 to which the browsing terminal 104 is connected. The data is transmitted to the processing device 110 on the network 108. The processing device 110 verifies whether the user ID key proves a user registered in the processing device 110 (user authentication). Here, it is assumed that the user authentication has succeeded. If the user ID key received from the viewing terminal 104 does not correspond to any of the users registered in the processing device 110, the processing device 110 assigns the user ID key to a higher-level device (user ID server 210) related to user authentication. Alternatively, it may be sent to the local user ID server 152) to request user authentication.

  (9) -1: In response to the successful user authentication at the processing device 110, the browsing terminal 104 sends a distribution request including the DID of the eDoc to be browsed selected by the viewer to the processing device 110.

  (9) -2: The processing device 110 returns the eDoc file and the metadata corresponding to the DID included in the distribution request from the viewing terminal 104 to the viewing terminal 104.

  (10) The viewing terminal 104 receives and stores (caches) the eDoc file and the metadata transmitted from the processing device 110.

  (11) The browsing terminal 104 determines that the combination that matches the combination of itself and the browsing user who is currently using the distribution terminal 104 is the distribution destination user and distribution destination indicated in the distribution destination information (see FIG. 3) in the metadata. It is determined whether the terminal is in the terminal combination. If it is determined that there is no eDoc file, the browsing terminal 104 cannot browse the eDoc file. In this case, the browsing terminal 104 displays an error message indicating that browsing cannot be performed. In this case, the viewing terminal 104 may delete the stored eDoc file (and the corresponding metadata). On the other hand, if the browsing terminal 104 determines that the combination of the browsing terminal 104 and the viewer currently using the browsing terminal 104 is included in the distributor information in the metadata, the browsing terminal 104 requests the browsing user to view the eDoc. Allow In this case, the browsing terminal 104 extracts the key corresponding to the viewer from among the encrypted keys corresponding to the respective distribution destination users included in the encryption information in the metadata, and transfers the key to the secret of the viewer. The decryption key required for decrypting the eDoc file is restored by decrypting with the key (for example, the decryption key is held by the authentication device 130).

  (12) The browsing terminal 104 decrypts the eDoc file using the restored decryption key to reproduce a browsable document, and outputs the document (for example, screen display). In addition, the viewing terminal 104 controls whether to accept an operation instruction for the document from the viewer according to the access right information included in the metadata. The viewing terminal 104 does not basically store the decrypted document in a file. That is, after the browsing is completed, the eDoc file and the metadata are stored in the nonvolatile storage device of the browsing terminal 104, but the decrypted document is not stored.

  Next, another example of the document management system according to the present embodiment will be described with reference to FIG. In the example shown in FIG. 12, there are a plurality of local systems 100 in an intra-organization network which is a private network of an organization such as a company. The in-house network is provided with an in-house management system 150. The organization management system 150 manages processing in the organization and information necessary for the processing in the document management system. That is, the management system 200 is operated by a service provider of the document management system, and manages information and processes for a plurality of organizations that use the document management system. The part related to the organization is managed under the management of the management system 200.

  The organization management system 150 includes a local user ID server 152, a local DID server 154, and a local metadata server 156.

  The local user ID server 152 manages information on users who are registered in the document management system among members of the organization. The individual user information held by the local user ID server 152 is the same as the general user information held by the user ID server 210 shown in FIG. When a user who acquires and uses the processing device 110 (that is, a user who sets the processing device 110 as a “default processing device”) is registered in the processing device 110, the processing device 110 acquires information on the registered user. To the local user ID server 152 in the organization. The local user ID server 152 stores the received user information and sends it to the user ID server 210 of the central management system 200 via the wide area network 10. The user ID server 210 stores the received user information. When the information of the user registered in the processing device 110 is changed, an administrator or the like changes the information of the user to the processing device 110. The processing device 110 transmits to the local user ID server 152 information on the content of the change of the user information (for example, including the user ID, the item name of the changed information item, and the value after the change of the item), The local user ID server 152 changes the information of the user stored therein according to the content of the received change. Further, the local user ID server 152 sends the received information of the changed content to the central user ID server 210, and the user ID server 210 changes the information of the user held by the user according to the sent information. .

  The local DID server 154 receives and stores the DID issued by the processing device 110 in each local system 100 belonging to the organization's internal network. The information held by the local DID server 154 is the same as the information held by the DID server 220 shown in FIG. Also, the local DID server 154 sends the DID information received from the processing device 110 to the central DID server 220, and the DID server 220 stores the information. In addition, the local DID server 154 is given a DID issuing authority and an issuing frame from the central DID server 220, and within the range of the issuing frame, sends a DID to each of the managed processing devices 110 based on the issuing authority. Authorization authority and issuance limit are granted.

  The local metadata server 156 receives and stores eDoc metadata generated by the processing device 110 in each local system 100 belonging to the organization's internal network. The information held by the local metadata server 156 is the same as the information held by the metadata server 230. Also, the local metadata server 156 sends the metadata received from the processing device 110 to the central metadata server 230, and the metadata server 230 stores the metadata.

  In the system of FIG. 12, the processing device 110 requests registration (and distribution) of a document from a user who is not registered with itself but registered with another processing device 110 in the same organization, or an eDoc file or meta. When a request such as a data acquisition request is received, the request is responded to via the in-house management system 150.

  As one example, the viewer registered in the processing device # 1 in the first local system 100 in the first department in the organization network can download the eDoc registered and distributed in the processing device # 1. It is assumed that the eDoc is saved in the user's own browsing terminal 104 and then moved to the second department under the control of the processing device # 2 to browse the eDoc. At this point, it is assumed that the metadata of the eDoc stored in the browsing terminal 104 is out of date (that is, the access validity period has passed). In this case, when the viewer performs an operation of opening the eDoc at the browsing terminal 104, the processing illustrated in FIG. 13 is performed.

  First, the viewing terminal 104 searches for the processing device 110 from the local network 108 of the second local system 100 to which the viewing terminal 104 is currently connected. Thereby, the processing device # 2 is found. Since this processing device # 2 is a device different from the processing device # 1 that has delivered the eDoc, it does not have its eDoc file or metadata.

  (1) The viewing terminal 104 reads the user ID key (authentication information) from the authentication device 130 of the viewer.

  (2) The browsing terminal 104 sends the user ID acquired from the authentication device 130 to the processing device # 2 for user authentication to acquire the latest metadata of the eDoc designated as the browsing target. Send the key.

  (3) The browsing terminal 104 requests the metadata of the eDoc from the processing device # 2. This request includes the DID of the eDoc.

  (4) -1: The processing device # 2 checks whether the user ID key received from the browsing terminal 104 belongs to a user registered therein (user authentication). In this example, the viewer is registered in the processing device # 1 and not registered in the processing device # 2. Therefore, the processing device # 2 receives the address of the local user ID server 152 set in advance. Sends an authentication request including the user ID key. Further, the processing device # 2 sends the DID included in the metadata request from the viewing terminal 104 to the preset local DID server 154, and requests authentication.

  (4) -2: The local user ID server 152 verifies whether or not the user ID key received from the processing device # 2 belongs to a user registered therein (user authentication). Since the viewer who owns the user ID key is registered in the processing device # 1, the user is also registered in the local user ID server 152, which is the host device. Therefore, this user authentication succeeds. The local user ID server 152 returns a response indicating that the authentication has succeeded to the processing device # 2.

  Further, the local DID server 154 checks whether or not the DID to be verified sent from the browsing terminal 104 is a valid DID, that is, whether or not the DID is stored by itself. In this example, the DID of the eDoc is issued by the processing device # 1, and is also stored in the local DID server 154 which is a higher-order device relating to the DID of the processing device # 1. Therefore, the DID is authenticated as valid. The local DID server 154 returns a response to the effect that the DID is authenticated to the processing device # 2.

  (5) -1: Since the user authentication and the DID authentication are successful, the processing device # 2 continues the process for responding to the metadata request from the viewing terminal 104. That is, the processing device # 2 sends a metadata request including the DID to a preset address of the local metadata server 156.

  (5) -2: Upon receiving the metadata request from the processing device # 2, the local metadata server 156 returns the metadata corresponding to the DID included in the request to the processing device # 2. When the eDoc metadata is changed by the processing device 110 from the distributor, the change is immediately reflected on the local metadata server 156. Therefore, the metadata returned to the processing device # 2 at this time is Is the latest version of the eDoc metadata.

  (6) The processing device # 2 transmits the metadata received from the local metadata server 156 to the viewing terminal 104.

  (7) The viewing terminal 104 receives the metadata from the processing device # 2 and stores (caches) the metadata.

  (8) The browsing terminal 104 refers to the distribution destination information of the latest metadata received and checks the authority of the combination of the browsing terminal 104 and the viewer. That is, if the combination that matches the combination of the browsing terminal 104 itself and the viewer is in the combination of the distribution destination user and the distribution destination terminal indicated in the distribution destination information (see FIG. 3), it is determined that the user has the browsing authority. Otherwise, it is determined that there is no viewing authority. If it is determined that there is no viewing authority, the viewing terminal 104 displays an error. If the browsing terminal 104 determines that the user has browsing authority, the browsing terminal 104 extracts a key corresponding to the viewer from among the encrypted keys corresponding to each distribution destination user included in the encryption information in the metadata, and extracts the key. Is decrypted with the private key of the viewer (for example, held by the authentication device 130), thereby recovering the decryption key necessary for decrypting the eDoc file.

  (9) Then, the browsing terminal 104 reproduces the browsable document by decrypting the eDoc file using the restored decryption key, and outputs the document (for example, screen display). Then, whether to accept an operation instruction for the document from the viewer is controlled according to the access right information included in the metadata.

  Next, referring to FIG. 14, a user registered in processing device # 1 in first local system 100 sends a document to a document management system in a second department under the control of processing device # 2. Consider the flow of processing for registration. It is assumed that the user (the document distributor) is not registered in the processing device # 2.

  (1) When the user instructs the creation terminal 102 to register a document, the creation terminal 102 displays a screen for requesting input of login authentication information. When the distributor inputs authentication information (for example, a user ID and a password) in response to the request, the creation terminal 102 transmits the authentication information to the processing device 110 via the local network 108.

  (2) The processing device # 2 determines whether the authentication information received from the creation terminal 102 belongs to the user registered in itself. In this case, the distributor is not registered in the processing device # 2. In this case, the processing device # 2 sends the authentication information to the higher-level local user ID server 152 and requests authentication.

  (3) The local user ID server 152 determines whether or not the received authentication information belongs to a user registered therein (user authentication). In this example, since the distributor is a user registered in the processing device # 1, the distributor is also registered in the local user ID server 152, and the user authentication succeeds. The local user ID server 152 returns information indicating that the user authentication has succeeded to the processing device # 2.

  (4) When the processing device # 2 receives a response indicating the success of the authentication from the local user ID server 152, the processing device # 2 responds to the creation terminal 102 that the user authentication is successful.

  (5) When the user authentication is successful, the creation terminal 102 sends the document selected by the user as a registration target and the attribute data input by the user to the processing device # 2.

  (6) The processing device # 2 receives the document and the attribute data from the creation terminal 102.

  (7) -1: When the DID issuing authority and the issuing slot have been used up, the processing device # 2 requests the local DID server 154 for a new issuing authority and an issuing slot. If there is any remaining in the received issuance slot, the process proceeds to step (8) described later without making this request.

  (7) -2: In response to a request from the processing device # 2, the local DID server 154 assigns a new issuing authority and a new issuing frame to the processing device # 2. Note that, when the issuance space assigned by the central DID server 220 is used up, the local DID server 154 requests the DID server 220 for a new issuance authority and issuance space, and in response to the issuance authority and issuance granted Using the frame, the right to issue the DID and the issuing frame are given to the processing device # 2.

  (8) The processing device # 2 issues a DID using the assigned issuing authority, and assigns the DID to an eDoc (generated in the next step) generated from the target document.

  (9) -1: The processing device # 2 generates an encryption key for encrypting the target document, encodes the target document into a dedicated format of the present system, and encrypts the encoding result using the encryption key generated earlier. To generate an eDoc file.

  (9) -2: The processing device # 2 generates eDoc metadata by adding items such as the previously generated DID and encoding date and time to the attribute data received from the creation terminal 102.

  (10) The processing device # 2 uploads the generated DID to the local DID server 154 and uploads the generated metadata to the local metadata server 156. The local DID server 154 adds the DID uploaded from the processing device # 2 to the issued DID list (see FIG. 5) corresponding to the issuing authority key included therein, and uploads the DID to the central DID server 220. . The DID server 220 adds the DID uploaded from the local DID server 154 to the issued DID list (see FIG. 5) corresponding to the issuing authority key. The local metadata server 156 stores the metadata uploaded from the processing device # 2 and uploads the metadata to the central metadata server 230. The metadata server 230 stores metadata uploaded from the local metadata server 156.

  The processing device # 2 distributes the generated eDoc to a distribution destination specified by the distributor. This process is the same as steps (7) to (12) in FIG.

  (11) The processing device # 2 transmits the generated eDoc file and metadata to the creation terminal 102. The processing device # 2 may save the eDoc file and the metadata, or may delete the eDoc file and the metadata without saving. When the eDoc file and the metadata are deleted without being saved, the eDoc file and the metadata are stored only in the processing device # 1 which is the default processing device among the processing devices 110 in the organization by a step (13) described later. Become. Whether or not the processing device 110 that is not the default processing device of the distributor stores the eDoc file and the metadata registered and distributed by the distributor may be set to the processing device 110.

  (12) The creating terminal 102 stores the eDoc file and the metadata received from the processing device 110 for later transfer to the processing device # 1, which is the default processing device of the distributor.

  (13) When the distributor returns to the first department to which the distributor belongs with the creation terminal 102, the creation terminal 102 processes on the first local network 108 as the default processing device of the distributor. Search for device # 1. When finding the processing device # 1, the creation terminal 102 registers the eDoc file and the metadata saved in step (12) in the processing device # 1. Accordingly, when the distributor wants to change the content of the metadata (for example, the distribution destination), the distributor may access the predetermined processing device # 1 and perform the change operation.

  In the document management system according to the present embodiment described above, the body information (that is, the eDoc file) of the document instructed to be distributed from the creation terminal 102 to the processing device 110 is possessed only by the processing device 110 and the distribution destination viewing terminal 104. , And does not appear on other networks or devices. For this reason, the leakage risk of the eDoc file is minimized. In particular, if the distribution destination of the eDoc file is limited to the browsing terminal 104 on the local network 108 that generated the eDoc, the eDoc will not go out of the local network 108 at all.

  On the other hand, the metadata of the eDoc is registered in the central management system 200 and the in-house management system 150 for each organization, so that even if the browsing terminal 104 moves to various places, the wide area network 10 and the organization's private network can be used. Has become available through. When the browsing terminal 104 receives an eDoc browsing instruction from the user, the browsing terminal 104 acquires the latest metadata of the eDoc from the in-house management system 150 or the central management system 200, and distributes destination information included in the latest metadata. , It is determined whether the user can be permitted to browse the eDoc. Even if the user is designated as a distribution destination at the time of registration and distribution of the eDoc, if the user is out of the distribution destination due to a subsequent distribution destination change, browsing is not permitted.

  In the examples of FIGS. 13 and 14, it is assumed that the processing device # 1 and the processing device # 2 are both installed in the same organization, and the user of the distribution destination also belongs to the organization. User authentication was performed by the local user ID server 152 of the organization. On the other hand, if the viewer is a user belonging to an organization different from the processing device # 2, neither the processing device # 2 nor the local user ID server 152 at a higher level can authenticate the distributor. In this case, a higher user ID server 210 may perform user authentication of the distributor.

  In the examples of FIGS. 13 and 14, another processing device # 2 mediates the exchange between the browsing terminal 104 of the user registered in the processing device # 1 and the local user ID server 152 or the local metadata server 156. . However, this is only an example. Alternatively, for example, if the user is not registered in the processing device # 2 based on the authentication information of the user sent from the viewing terminal 104, the processing device # 2 may respond to the browsing terminal 104 with a response indicating that the user cannot be authenticated. Should be performed. In this case, the browsing terminal 104 requests authentication from the local user ID server 152 using the address information of the higher-level device registered in its own device, and if the authentication is successful, accesses the local metadata server 156 to access the necessary information. Get metadata.

  The example of FIG. 13 is an example in which a user browses a document by moving to a local system 100 under the control of a processing device 110 different from his / her default processing device in his / her organization. there were. However, the user may be able to view a document distributed from his or her default processing device outside his / her organization. In this case, the user's browsing terminal 104 is authenticated by the user ID server 210 in the central management system 200, and acquires the metadata of the document to be browsed from the metadata server 230.

<Example of DID>
Next, the configuration of the DID 600 used for the eDoc identification information in the document management system will be described with reference to FIG.

  As illustrated, the DID 600 includes an issuance authority key 602, processing device unique information 604, an issuance date 606, an issuance certification key 608, and an issuance number 610. It should be noted that the illustrated DID 600 and the number of digits of its constituent elements 602 to 610 are merely exemplary.

  The issuance authority key 602 is key information for identifying the issuance authority assigned to the processing device 110 by the DID server 220. When the DID server 220 receives an issuance authority and an issuance frame request from the processing device 110, the DID server 220 generates an issuance authority key 602 and uses the issuance authority key 602 together with the numerical value of the issuance frame (for example, 100 documents). Send to In the case of a system configuration in which the local DID server 154 intervenes between the DID server 220 and the processing device 110, the DID server 220 transmits, for example, a set of an issuance authority key and an issuance frame to the local DID server 154. Multiple sets are given at once. This assignment may be regarded as requesting the local DID server 154 for the DID server 220 to assign the plurality of sets of the issuing authority key and the issuing slot to the processing device 110. When the local DID server 154 receives a request for issuing authority from the processing device 110 under management, the local DID server 154 may assign the assigned plural issuing authority keys and unassigned ones of the issuing slots to the processing device 110. .

  The processing device unique information 604 is information unique to the processing device 110 that has issued the DID. That is, by examining the processing device unique information 604 in the DID 600, the processing device 110 that has issued the DID 600 can be uniquely specified. The processing device unique information 604 is held by the processing device 110.

  The issue date 606 is a character string indicating the date when the DID was issued. The issue date of the DID is also the date when the eDoc to which the DID is assigned is generated (encoded).

  The issuance certification key 608 is key information for certifying that the processing device 110 (specified by the processing device unique information 604) has issued its DID using the issuance authority indicated by the issuance authority key 602. The issuance certification key 608 is a value obtained by encrypting the issuance authority key 602 with the secret key of the processing device 110, for example. In this case, if the value obtained by decrypting the issuance certification key 608 with the public key of the processing device 110 matches the issuance authority key 602, the DID 600 uses the issuance authority key 602 to execute the processing. Is issued. Further, a value obtained by encrypting the value of the portion of the DID 600 excluding the issuing authority key 602 (or a hash value of a predetermined number of digits generated from the value) with the secret key of the processing device 110 may be used as the issuing certification key 608. . In this case, if the value obtained by decrypting the issuance certification key 608 with the public key of the processing device 110 does not contradict the value of the part except the issuance certification key 608 of the DID 600 (for example, the decryption result matches the hash value of the value). The DID 600 is issued by the processing device 110 based on the issuance authority key 602, and it is proved that the portion other than the issuance certification key 608 of the DID 600 has not been tampered with.

  The issue number 610 is a serial number indicating the order of the DID 600 issued by the processing device 110 using the issue authority key 602. The maximum possible value of the issue number 610 of the DID 600 generated using a certain issue authority key 602 is the value of the issue frame (number of documents) assigned by the DID server 220 (or the local DID server 154) together with the issue authority key 602. It is.

<Change of distribution destination after registration>
Now, after registering the eDoc in the document management system, the distributor (or another person who has been given the authority to change the distribution destination) deletes or adds the distribution destination, and changes the access right to the eDoc given to those distribution destinations. You may want to fix it. In such a case, the distributor accesses, for example, a predetermined processing device 110 using the creation terminal 102 or the browsing terminal 104 (hereinafter collectively referred to as a user terminal), specifies the DID of the target eDoc, and specifies the distribution destination ( Or, the user instructs execution of the editing process of the access authority.

  Upon receiving this instruction, the processing device 110 determines that the user who issued the instruction by user authentication is the correct distributor or the like of the target eDoc (general term of the distributor and other persons who have been given the authority to change the distribution destination). If confirmed, an edit screen of the distribution destination and the access authority is provided to the user terminal. The editing screen may be similar to the input screen 400 shown in FIG. On the editing screen, the distributor or the like adds or deletes the distribution destination user and the viewing terminal, and changes the contents of the access authority. When the distributor or the like performs a necessary change on the edit screen and then performs an operation of confirming the change, the processing device 110 reflects the change in the stored metadata of the eDoc, and The contents of the change are notified to the upper-level local metadata server 156 and the metadata server 230. The local metadata server 156 and the metadata server 230 reflect the notified change content in the stored metadata of the eDoc. For example, even if the user is designated as a distribution destination at the time of distribution, if the user is deleted from the distribution destination due to a subsequent change, browsing of the eDoc becomes impossible. In addition, when the distribution destination information in the metadata of the eDoc is changed, the processing device 110 includes the distribution destination information before the change but the distribution destination information after the change. An instruction to delete the eDoc file (and the corresponding metadata) may be sent to the browsing terminal 104 of the distribution destination that does not exist.

  In the above example, the processing device 110 has received an instruction to change the distribution destination or access authority of the eDoc, but instead or in addition to this, the host device, that is, the management system 200 (metadata server 230) or the management within the organization System 150 (local metadata server 156) may receive the change instruction. In this case, the higher-level device transmits new metadata changed according to the change instruction to the processing device 110 (and the local metadata server 156 of the organization to which the processing device 110 belongs) that generated the eDoc. Then, the existing metadata in the processing device 110 is replaced.

<Status management of processing unit>
Next, control based on status management of the processing device 110 will be described.

  The processing device 110 periodically notifies its status to the management system 200. In the management system 200, the processing device management server 240 adds the received status to the status history 242 of the processing device 110 in association with the date and time of the reception. Further, the processing device management server 240 checks the received status, and controls whether the service of the user of the processing device 110 can be provided according to the result of the check.

  The status that the processing device 110 periodically transmits to the processing device management server 240 includes the same items as the status 244 of the processing device illustrated in FIG. 6 (however, the status 244 is not changed by the processing device 110). The installation location, the encoding circuit information, the manufacturer of the processing device, etc. do not need to be transmitted periodically).

  The processing device management server 240 executes, for example, the process illustrated in FIG. 16 based on the status sent from the processing device 110.

  First, when receiving the status from the processing device 110 (S100), the processing device management server 240 checks the value of the inspection target item in the status against the reference of each item (S102). The inspection target items include the name and version of the encryption software, the name and version of the encoding software, the security certificate installed in the processing device 110, and the encryption key (for example, a private key and a public key) installed in the processing device 110. Pair (used for channel encryption, signature purpose, etc.) (for example, identification information of the key, installation date and time, etc.), encoding circuit name and firmware (FW) version, installed font type, disk ( Free space of the next storage). Examples of criteria for individual items include that the encryption software, encoding software, and firmware are the latest version (or that the version is a certain version or later), and that the free space of the disk is not less than a predetermined threshold. That there is no blacklisted security certificate among the installed security certificates, that a predetermined period has not elapsed since the date on which the encryption key of the processing device 110 was installed, (Defined) fonts are installed.

  For example, it is desirable that the encryption key used by the processing device 110 for communication channel encryption, signature, and the like be periodically changed to a new key in order to maintain its security. Determines that the standard is not satisfied, disables the service provision (or issues a warning to the effect), and prompts the exchange of a new key.

  Next, the processing device management server 240 determines whether or not any of the inspection target items of the status received from the processing device 110 does not satisfy the criteria of the item (S104). The processing for the processing device 110 ends. If there is an item that does not satisfy the criterion in S104, the processing device management server 240 notifies the processing device 110 that the service is unavailable (S106). Upon receiving this notification, the processing device 110 stops the document registration (distribution) service for the document management system of the present embodiment. That is, a document registration (distribution) request from the creation terminal 102 is not accepted, and a message indicating that the service is suspended is returned.

  According to such control, the possibility that the processing device 110 generates an eDoc of a quality that does not satisfy the standard is reduced. For example, according to this control, the service of the processing device 110 is stopped before an eDoc with insufficient encryption strength is generated by old encryption software. Further, the service is stopped before an error occurs in the eDoc generation processing due to a small free disk space or outdated firmware, and a document leak occurs due to the error. In addition, the service is stopped before the image quality of the eDoc is reduced by the processing device 110 having no predetermined font replacing the font in the document with another font and encoding. Since the firmware of the encoding circuit is old, the image size of the document supported by the latest firmware is not supported, and the situation that the image size of the eDoc is limited hardly occurs.

  It should be noted that the status inspection target items are provided with a classification of items that affect the security of the eDoc and items that do not, and the processing device 110 may stop the service only when the former item does not satisfy the criteria. . If the latter item does not meet the criteria, a warning is sent to the processing device 110 or its administrator to urge the user to resolve the problem with that item. In response to the warning, the administrator of the processing device 110 repairs the processing device 110 for items that can be dealt with by himself, and dispatches a maintenance worker for items that require the intervention of a specialized maintenance worker. Ask the operator. Further, when it is determined that a specific item among the inspection target items does not satisfy the criteria, the processing device management server 240 may automatically arrange to dispatch a maintenance worker to the processing device 110. Good.

  A modification of the process in FIG. 16 will be described with reference to FIG.

  In the procedure of FIG. 17, an emergency item and other items are classified into levels for the inspection target items of the status of the processing device 110. The urgent item is an item that greatly affects the security quality of the eDoc generated by the processing device 110 and the security of the document management system. If the eDoc generated by the processing device 110 whose item does not satisfy the criterion is not sufficiently secured, or if the processing device 110 whose item does not satisfy the criterion continues to operate, the processing device 110 will be activated by the document management system. It could be a security hole (vulnerability). Examples of such urgent items include a case where a vulnerability is found in the version of the encryption software, the security certificate installed in the processing device 110, and the encryption key installed in the processing device 110. .

  One method of avoiding the problem due to the emergency item not meeting the standard is to shut down the processing device 110 where the emergency item does not meet the standard and dispatch a maintenance worker to correct and repair the emergency item. It is. However, there is an inconvenience that the user cannot use the processing device 110 until the correction is completed.

  Therefore, in the procedure of FIG. 17, when finding an item that does not satisfy the criterion in S104, the processing device management server 240 determines whether the item is an urgent item (S110). If the item is an urgent item, the setting information for correcting the defect of the urgent item is remotely installed from the processing device management server 240 to the processing device 110 via the wide area network 10 (S112). Examples of the setting information for correcting the defect of the urgent item include the latest version of the encryption software, the latest version of the security certificate in which the vulnerability to the security certificate in which the vulnerability was found has been eliminated, and the vulnerability of the processing device 110. There is a new key pair that replaces the secret key / public key pair for which the property has been found.

  For example, in the case of a new key pair, the processing device management server 240 prepares a phrase for generating the new key pair, generates a key pair using the phrase, and processes the generated key pair in a secure manner. It is transmitted to the device 110 and remotely installed.

  As a result, the setting information of the urgent item that does not satisfy the criterion in the processing device 110 is updated to one that satisfies the criterion. Further, in response to this update, the value of the urgent item in the status of the processing device 110 is updated.

  If the determination result of S110 is No (not an emergency item), the processing device management server 240 sends a warning indicating an item that does not satisfy the criterion to the processing device 110 or the administrator, and the processing device 110 A dispatch of a maintenance worker is arranged to correct the item (S114). Regarding items that are not urgent items, even if the processing device 110 continues to operate as it is, a serious security problem does not easily occur. Therefore, the processing device 110 is not stopped and is dealt with by dispatching a maintenance worker. For items other than the urgent items, the processing device management server 240 does not need to perform remote installation, so that an increase in the load on the processing device management server 240 can be avoided.

  In the example of FIG. 17, the setting information on the urgent item is installed in the processing device 110 from the processing device management server 240 from the top down, and the setting information is installed in the processing device 110 in response thereto. Of the urgent item is updated. On the other hand, for the status items other than the urgent items, the values are set or changed by, for example, a maintenance worker in each processing device 110, and the setting information (for example, the latest version of the encryption software) corresponding to the item is set. Version). The setting or change of the status item value performed by the processing device 110 in this way is notified to the higher-level processing device management server 240, and the processing device management server 240 responds to the notification to change the status of its own processing device 110. Change the value of the status corresponding item.

<DID verification>
The management system 200 transmits a DID issued by the processing device 110, transmits a request for metadata from the browsing terminal 104 (this request includes the DID), or sends a request for DID verification to the user or the like. , Verify that the DID is correct.

  In this case, the DID server 220 verifies the following points for the target DID 600 (see FIG. 15).

  (A) There is no contradiction between the issuing authority key 602 in the DID 600 and the processing device specific information 604.

  The DID server 220 records the issuance authority key 602 in its own recorded information (see FIG. 5) as an issuance authority key to which the processing device 110 indicated by the processing device unique information 604 is assigned. Find out if it is. If it is not recorded, the issuance authority key 602 has not been issued to the processing device 110 indicated by the processing device unique information 604, so that both of them are inconsistent. In this case, the DID 600 is an invalid DID.

  (B) The issuing authority key 602 in the DID 600 and the issuing date 606 do not conflict.

  The DID server 220 records the key grant date and time and the key end date and time in association with the issuing authority key (see FIG. 5). When the issue date 606 in the DID 600 is out of the period from the key grant date and time to the key end date and time recorded in association with the issue authority key 602 in the DID 600, the issue authority key 602 and the issue date 606 is inconsistent. In this case, the DID 600 is an invalid DID.

  (C) There is no inconsistency between the issuing authority key 602, the processing device unique information 604, and the issuing certification key 608 in the DID 600.

  The DID server 220 decrypts the issue certification key 608 with the public key of the processing device 110 indicated by the processing device unique information 604, and the result of the decryption matches the issue certification key 608 in the DID 600. Is determined. If they do not match, a contradiction exists between the three, and the DID 600 is found to be incorrect.

  (D) The issue number 610 in the DID 600 does not contradict the issue frame corresponding to the issue authority key 602.

  The DID server 220 records the issue slots assigned to the processing device 110 together with the issue authority key 602 (see FIG. 5). If the issue number 610 in the DID 600 is a number larger than the issue frame recorded corresponding to the issue authority key 602, the DID is invalid.

  (E) The issue number 610 in the DID 600 does not contradict the issue number of the issued DID including the same issue authority key as the issue authority key 602 of the DID 600. This criterion is used for verifying whether or not the DID is inconsistent with an already issued DID when the processing device 110 is notified of a newly issued DID.

  The DID server 220 records, in association with the issuing authority key, information on the DID issued using the issuing authority key and the date and time of the issuance (the issued DID list in FIG. 5). The DID server 220 checks whether any of the issued DIDs having the same issuing authority key as the issuing authority key 602 of the DID 600 to be verified has the same issuing number as the issuing number 610 in the DID 600. If there is such a thing, the DID 600 is determined to be invalid.

  (F) The combination of the issue date 606 and the issue number 610 in the DID 600 does not contradict the combination of the issue date and issue number of the issued DID including the same issue authority key as the issue authority key 602 of the DID 600. thing.

  The DID server 220 determines that the combination of the issue date 606 and the issue number 610 of the DID 600 to be verified includes the issue date and issue number of each issued DID including the same issue authority key as the issue authority key 602 of the DID 600. It is determined whether or not there is a contradiction with the combination of, that is, whether or not there is a case where the context is reversed. For example, if an issued DID with a smaller issue number is found even though the issue date is later than the DID 600, the DID 600 and the issued DID are inconsistent, that is, the context is reversed. When such a contradiction is found, it is determined that only the DID 600 to be verified, or both this and the issued DID are invalid.

  When the DID server 220 determines that a certain DID is invalid by the verification according to the above-described criteria, the DID server 220 notifies the administrator of the processing device 110 related to the invalid DID of a warning by e-mail or the like. . The warning notification includes a message issued by the processing device 110 and a message notifying that the impersonated DID has been found. The administrator takes measures to strengthen security based on the notification. The administrator of the processing device 110 and the contact information may be obtained from the information (see FIG. 6) of the processing device management server 240. The processing device 110 related to the illegal DID that is the destination of the warning notification is the processing device 110 indicated by the processing device specific information 604 included in the DID. Further, the processing device 110 to which the same issuing authority key as the issuing authority key included in the unauthorized DID has been given in the past may be set as the destination of the warning notification.

<Process when vulnerability is found in eDoc encryption>
Now, a description will be given of a process when a vulnerability is found in the encryption software used for encryption when generating the eDoc file. When the operator of the document management system learns that a vulnerability has been found in a specific version of the encryption software used by any of the processing devices 110, the management system 200 issues a vulnerability to each of the processing devices 110. Send notifications. The vulnerability notification includes information on the software name and version of the encryption software in which the vulnerability was found. When the in-house management system 150 exists, the vulnerability notification is passed from the management system 200 to the in-house management system 150, and the in-house management system 150 transmits the vulnerability notification to each of the processing devices 110 under the in-house management system. . In response to this notification, the processing device 110 executes a process illustrated in FIG.

  When the processing device 110 receives the vulnerability notification from the higher-level device (the management system 200 or the in-house management system 150) (S200), the processing device 110 encrypts itself using the version of the encryption software in which the vulnerability indicated by the notification is found. The converted file is specified (S202). The document DB 116 of the processing device 110 stores each eDoc file generated by the processing device 110 and its metadata. The name of the encryption software used to generate each eDoc from the metadata of each eDoc file is stored. The version is known (see the example of the metadata structure shown in FIG. 3). In S202, the processing device 110 specifies an eDoc in which the combination of the encryption software name and the version included in the metadata matches the combination indicated in the vulnerability notification.

  Next, the processing device 110 re-encrypts each of the identified eDoc files with the version of the current encryption software installed in its own device (S204). In this example, it is assumed that the encryption software of the processing device 110 has been appropriately upgraded, and no vulnerability has been found for the version of the current encryption software of the processing device 110. Generally, it is considered that a vulnerability is often found in the version of the encryption software used by the processing device 110 in the past. If the version of the encryption software that is the target of the vulnerability notification is the current version of the encryption software of the processing device 110, the processing device 110 downloads the latest version of the encryption software from a host device or the like, and Re-encrypt using the latest version. If a vulnerability is found in the latest version of encryption software currently in use, the higher-level device must have information on the distribution source of the software to determine whether it has a newer version of encryption software with the vulnerability removed. It can be assumed that it has. In the re-encryption, for example, the target eDoc file is decrypted using the information of the decryption key recorded in the metadata corresponding to the eDoc file, and the decryption result is generated using the newly generated encryption key. Encrypt using a non-vulnerable version of encryption software. It is assumed that the metadata stored in the processing device 110 includes information on the decryption key, for example, encrypted with the public key of the processing device 110 (similarly, the metadata sent to the higher-level device is May include those whose decryption keys are encrypted with the public key of the higher-level device).

  The processing device 110 updates the metadata of the eDoc file according to the re-encryption (S206). That is, the encoding date and time and the encryption information (encryption software name, version information and key information) in the metadata (see FIG. 3) are re-encrypted, the date and time of re-encryption, the name and version of the encryption software used for re-encryption, and It is rewritten with information of a decryption key for decrypting the encryption. Then, the processing device 110 saves the updated metadata (for example, saves it as the latest metadata for the eDoc file) and uploads the updated metadata to the higher-level device. The higher-level device saves the uploaded updated metadata.

  Thereafter, the processing device 110 executes a process for distributing the eDoc file obtained by the re-encryption to each of the viewing terminals 104 of the distribution destination indicated in the distribution destination information of the metadata (S208). That is, for example, a distribution preparation completion notification is sent to each distribution destination viewing terminal 104 (see step (7) in FIG. 8). This notification may include, in addition to the DID and the document name, information indicating that the eDoc to be distributed is an updated version of the already distributed eDoc. When the browsing terminal 104 receives the distribution preparation completion notification, the browsing user designates, on the list screen 500 (see FIG. 11) of the browsing terminal 104, the eDoc for which the distribution preparation completion notification has been received by the re-encryption as a browsing target. The browsing terminal 104 overwrites the eDoc file acquired from the processing device 110 in response to the instruction and the eDoc file in the own device before re-encryption. The browsing terminal 104 also stores the updated metadata received with the eDoc file as the latest metadata of the eDoc. As a result, the eDoc file encrypted with the vulnerable encryption software and the corresponding metadata disappear from the browsing terminal 104, and the eDoc file and the metadata re-encrypted with the vulnerable encryption software have not been found. Is replaced by

  Note that the processing device 110 may explicitly transmit a deletion notification including the DID of the eDoc to each distribution viewing terminal 104 before or before sending a read-ready completion notification of the re-encrypted eDoc. . In this case, in response to the instruction, each viewing terminal 104 deletes the existing eDoc file having the DID (before re-encryption). At this time, the existing metadata may be deleted together.

<Another example of destination terminal designation>
In the example described above, the distribution destination user and the browsing terminal 104 that can be selected by the distributor on the UI screen (the input screen 400 in FIG. 9) of the creation terminal 102 are registered in the processing device 110 in the same local system 100. User and the browsing terminal 104 registered in the in-house management system 150 of the same organization or the registered user and the browsing terminal 104 (in this case, the user and the browsing terminal 104 registered in another processing device 110 are also designated as distribution destinations). Possible).

  However, in a meeting in which a user inside the organization exchanges people (guests) outside the organization, there may be a case where the guest wants to temporarily view a document such as a created meeting memo. In such a case, registering the guest or the portable terminal of the guest in the processing device 110 or a host device thereof, or canceling the registration after the browsing is completed is a complicated operation.

  Therefore, in the present embodiment, the eDoc can be delivered to the browsing terminal 104 that can be determined to be a guest terminal under certain restrictions.

  For example, the terminal of the user near the creation terminal 102 is regarded as a guest terminal, and the guest terminal is added to the options of the distribution destination terminal selection menu 406. Alternatively, the terminal of the user near the processing device 110 is regarded as a guest terminal, and the guest terminal is added to the options of the distribution destination terminal selection menu 406. It is considered that the creation terminal 102 or the processing device 110 is often installed in a room of a building of an organization (for example, a room in a department or a meeting room). It is assumed that the person has entered the room with appropriate permission for the purpose.

  For example, the processing device 110 or the creation terminal 102 searches for a partner terminal that can communicate using short-range wireless communication such as Bluetooth Low Energy (registered trademark), and finds a partner terminal that has been found or, among those partner terminals, a terminal from its own device. A terminal whose distance (some short-range wireless communication can determine the communication distance between the own device and the partner) is equal to or less than a predetermined threshold is determined as a guest terminal near the own device. In the distribution destination terminal selection menu 406, the terminal name of the guest terminal detected by the processing device 110 or the creation terminal 102 is displayed as an option in a display mode different from that of the browsing terminal 104 registered in advance in the organization. Is done. The distributor can select a guest terminal as a distribution destination.

  Here, the processing device 110 or the creation terminal 102 may select, as guest terminals, only those terminals that satisfy a predetermined condition among the terminals in the vicinity of the own device as guest terminals, instead of all the terminals in the vicinity of the own device. For example, the condition may be that the version of the viewer application or other specific software installed on the terminal is higher than a certain version, or that the terminal is not included in a predetermined list of rejected terminals. Conceivable.

  It is generally considered that the user carrying the guest terminal is not registered in the processing device 110, the local user ID server 152, or the like. Therefore, when an eDoc file or metadata is requested from a guest terminal specified as a document distribution destination, the processing device 110 may distribute the data without user authentication. The eDoc metadata to be delivered to the guest terminal incorporates a deletion instruction to delete the eDoc file and the metadata from the guest terminal when the deletion condition is satisfied. The deletion condition is, for example, when the screen display of the eDoc ends, or when a predetermined permission period has elapsed from the time of distribution. When the deletion condition is satisfied, the guest terminal deletes the eDoc file and the metadata from the terminal itself. Thereby, the risk of eDoc leakage by the guest terminal is reduced.

<Response to requests from other than distribution destination terminals>
The example described so far is a push-type distribution mode in which the processing device 110 distributes an eDoc (or a distribution preparation completion notification corresponding thereto) to the viewing terminal 104 designated by the distributor as a distribution destination. Was.

  However, as another example, a list of eDocs held by the processing device 110 is provided to the browsing terminal 104 in response to a request from the browsing terminal 104, and the browsing target selected by the user from the list is distributed to the browsing terminal 104. A pull-type distribution form is also conceivable. In the case of the pull-type distribution mode, the distribution destination user may access the processing device 110 from the browsing terminal 104 that is not designated as the distribution destination and request the eDoc. The following method is available as a measure to be taken by the processing device 110 when such a request is made.

  (Method 1) When the processing device 110 receives an eDoc distribution request from the browsing terminal 104, the browsing terminal 104 is set as the distribution destination by the distribution destination information of the latest metadata of the eDoc. Is determined. If it is determined that the eDoc does not correspond, neither the file (body) nor the metadata of the eDoc is transmitted to the browsing terminal 104. If it is determined that the metadata is applicable, it is further determined whether or not the user (or the combination of the user and the browsing terminal 104) that has made the distribution request is included in the distribution destination information of the metadata. If it is included, distribution may be performed, and if not included, distribution may not be performed.

  As described above, in the method 1, the eDoc (main file and metadata) is not distributed to the viewing terminal 104 that does not correspond to the distribution destination specified by the distributor.

  (Method 2) In this method, even when the viewing terminal 104 that has sent the eDoc distribution request does not correspond to the distribution destination browsing terminal 104 specified in the distribution destination information of the metadata of the eDoc, If the user who issued the request (that is, the user who is using the browsing terminal 104) is included in the distribution destination information as the distribution destination, the eDoc body file and the metadata are transmitted. However, in this case, the processing device 110 incorporates flag information indicating that storage is impossible in the eDoc file and the metadata to be transmitted. The browsing terminal 104 displays the eDoc file and the metadata including the flag information indicating that storage is not possible, but does not accept a save instruction from the user, and when the browsing by the user ends, discards them without saving.

  Note that, instead of a method in which the eDoc file and the metadata transmitted to the viewing terminal 104 not specified as the distribution destination are not stored in the viewing terminal 104, the storage may be once permitted. However, in this case, when the browsing terminal 104 tries to open the eDoc file again thereafter, the browsing terminal 104 requests the latest metadata of the eDoc from the processing device 110 or the like (this is a request for permission of browsing). However, in response to the request, the processing device 110 determines whether or not the combination of the browsing terminal 104 and the requested user is included in the distribution destination information of the metadata. Send an instruction to delete the eDoc. The browsing terminal 104 deletes the stored eDoc file and the corresponding metadata in response to the instruction. Note that the processing device 110 may simply respond with the latest metadata instead of explicitly sending an eDoc deletion instruction to the viewing terminal 104 that has requested the latest metadata. In this case, the browsing terminal 104 determines whether the latest metadata received includes a combination of its own device and the current user, and if not, does not open the eDoc file, and further saves the eDoc file. The eDoc file may be deleted.

  In the example of FIG. 18 described above, the eDoc file after re-encryption inherits the DID of the eDoc file before re-encryption, but the eDoc file after re-encryption is different from the eDoc file before re-encryption. DID may be provided. In this case, the processing device 110 sends an explicit deletion instruction including the DID of the eDoc file before re-encryption to each of the browsing terminals 104 at the distribution destination, so that the vulnerable terminal before re-encryption is transmitted. The eDoc file is not left on the viewing terminal 104. In addition, information on association indicating that the eDoc file after re-encryption and the eDoc file before re-encryption correspond to the same document is used as metadata corresponding to the eDoc file after re-encryption, or It is recorded in the processing device 110 (or in the upper DID server 220 or the local DID server 154). When recording in the metadata corresponding to the eDoc after re-encryption, for example, the DID of the eDoc before re-encryption may be included in the metadata, for example, as an item of “DID before update”.

<Search for protected documents and use search results>
Next, a search process for information stored in the document protection system and a document protection update process using a result of the search will be described.

  When searching for a document distributed by this document protection system, it is first conceivable to search by inputting the contents of the document itself and search conditions for the document metadata 300 (see FIG. 3).

  Here, in the process of generating and distributing an eDoc (protected document), a user such as a distributor or a distribution destination user, a processing device 110 that has executed a protection process for generating an eDoc from an original document, or the like. Various subjects (users and devices) are related. Here, the subject means a person or a device that is involved in the document (for example, a person or a device that has created, edited, processed, or browsed the document). For this reason, depending on the purpose of the document search, there is a case where it is desired to specify a document using a search condition for the subject related to the eDoc (that is, to search for a document satisfying the search condition).

  However, the eDoc metadata 300 merely indicates the attribute information of the eDoc, and the attribute information of the subject (the processing device 110 or the user) involved in the eDoc may include some items thereof. Most items are not included. Therefore, in the search for the content of the eDoc and the metadata 300, it is not possible to perform a search by designating a free search condition with respect to the attribute information of the subject related to the eDoc.

  Therefore, in this example, by referring to the processing device management server 240 and the user ID server 210, it is possible to search for eDocs using search conditions for attribute information items of subjects that are not included in the metadata 300 of eDocs. .

  In this example, which is only an example, a search server 250 is provided in the management system 200 as shown in FIG. The search server 250 provides a user interface screen (referred to as a search screen, for example, in the form of a web page) for inputting search conditions to each of the terminals 106 that can access the management system 200. The eDoc that satisfies the search condition is searched by searching the metadata server 230 and the processing device management server 240 using the searched search condition. In FIG. 19, for simplicity, only the processing device 110 is considered as a subject related to the eDoc, and a processing device management server 240 that holds and manages attribute information of each processing device 110 as a search destination related to the subject. Only shows. The flow of document search in the example of FIG. 19 will be described with reference to the flowchart of FIG.

  (1) In response to a user instruction, the terminal 106 accesses the search server 250, acquires a search screen, and displays the screen. The user inputs search conditions on the search screen (S300). On the search screen, each item of the metadata 300 (see FIG. 3) and the attribute information of each subject (in the example of FIG. 19, the status 244 of each processing device 110 managed by the processing device management server 240 (see FIG. 6)) Search conditions can be entered. For example, only the condition related to the attribute item of the processing device 110 may be received as the search condition, such as the installation location is “fourth floor of the A building” and the firmware version of the encoding circuit is “version 2.02 or less”. Further, a search condition that combines a condition related to an attribute item of the processing device 110 and a condition related to an attribute item of the metadata 300 such as a keyword and access authority information may be acceptable.

  (2) When the search server 250 receives the search conditions input by the user from the terminal 106, the search server 250 includes, in the search conditions, conditions other than the conditions related to the attribute items of the metadata, that is, the attributes related to the subject attribute items such as the processing device 110. It is determined whether or not the condition is included (S302).

  If the determination result in S302 is No (the search condition does not include any condition other than the condition related to the metadata), the search server 250 determines the search condition from the metadata group stored in the metadata server 230. The metadata that satisfies is searched (S304). The search server 250 uses the DDoc DID of the eDoc (and the bibliographic information of the eDoc corresponding to the DID (for example, a document name or a distributor)) included in each metadata searched in S304 as a search result. 106. The terminal 106 displays the search result (S310). Note that, in displaying the search result, bibliographic information such as a document name of a protected document corresponding to the DID and a distributor may be displayed instead of or in addition to the searched DID.

  (3) If the determination result in S302 is Yes, in the example of FIG. 19, the input search condition includes a condition regarding the attribute item of the processing device 110 (referred to as “device condition”). The search server 250 inquires of the processing device management server 240 about the processing device 110 that satisfies the device condition (S306). If the input search condition includes a condition related to the attribute item of the user (referred to as “user condition”), the search server 250 sends a user who satisfies the user condition to the user ID server 210. Contact

  (4) The processing device management server 240 that has received the inquiry specifies the processing device 110 that satisfies the device condition by searching the stored information (for example, status 244) based on the device condition.

  (5) The processing device management server 240 returns information on the specified processing device ID of each processing device 110 to the search server 250. The search server 250 receives the answer.

  The search server 250 searches the metadata server 230 using a condition obtained by combining the processing device ID returned from the processing device management server 240 and the condition of the metadata item in the input search conditions (S308). . The processing device ID is included in one of the items of the metadata, and the item indicates the processing device that has generated (that is, distributed) the eDoc corresponding to the metadata. FIG. 19 shows an example in which the process of S308 is configured by four steps (6) to (9). Hereinafter, these four steps will be described.

  (6) The search server 250 inquires of the metadata server 230 about metadata including each processing device ID received from the processing device management server 240.

  (7) In response to the inquiry, the metadata server 230 searches for metadata including the processing device IDs, and returns a search result metadata group to the search server 250. The search server 250 receives the returned metadata group.

  (8) The search server 250 searches the received metadata group for a metadata item that satisfies the condition of the metadata item among the input search conditions.

  (9) The search server 250 extracts a predetermined item such as DID from the metadata obtained by the search, generates a search result list, and transmits the list to the terminal 106.

  (10) The terminal 106 receives the search result list.

  (11) The terminal 106 displays the received search result list on the screen (S310).

  In the search processing described above, when both the device condition and the user condition are included in the input search condition, the search server 250 transmits the metadata including the processing device ID returned from the processing device management server 240 Is inquired to the metadata server 230, and metadata including the user ID answered from the user ID server 210 as a distribution destination user is inquired to the metadata server 230. Then, a metadata group to be searched is configured by combining the metadata groups obtained by these inquiries in accordance with a combination method (AND condition or OR condition) of the device condition and the user condition in the search condition. Then, from the search target metadata group, metadata that satisfies the condition of the metadata item among the input search conditions is obtained, and a predetermined item such as the DID of the obtained metadata is set as a search result.

  For example, when the input search conditions are only those corresponding to the device conditions, information such as DID is added to the metadata returned from the metadata server 230 in step (7) of FIG. Becomes

  Next, a modified example of the processing flow of FIG. 19 will be described. In this modification, in the search of the processing device management server 240 ((4) in FIG. 19, S306 in FIG. 20), a combination of a processing device ID and a period that satisfies the device condition is searched.

  As illustrated in FIG. 6, the processing device management server 240 accumulates not only the latest status of each processing device 110 but also a status history 242 that is a collection of statuses 244 at the time of each past update. Therefore, not only the processing device ID of the processing device 110 having the status 244 that satisfies the device conditions, but also the date and time of the status 244 from the status history 242 (the status content of the processing device 110 becomes the status 244 due to setting update or the like). Is also required. The period from the date and time to the next status update date and time of the processing device 110 is a period in which the status searched as satisfying the device condition is valid. In this modification, the processing device management server 240 searches for the status 244 that satisfies the device conditions in step (4) described with reference to FIG. 19, and the processing device ID included in the status history 242 including the status 244 and the processing device ID. A period from the date and time of the status 244 to the date and time of the next status 244 of the processing device is obtained as a search result, and the search server 250 is answered.

  At step (6) in FIG. 19, the search server 250 that has received the answer inquires about the metadata corresponding to the combination of the processing device ID and the period included in the answer. In response to this, the metadata server 230 searches for metadata whose processing device ID is included and whose encoding date and time (see FIG. 3) falls within the period, and returns the search result to the search server 250. Subsequent processing may be the same as that illustrated in FIG.

  According to this modification, a protected document (or a protected document that further satisfies other conditions) generated by the processing device 110 having a status at a certain time or period in the past can be searched for. Become.

  Next, with reference to FIG. 21, a further modified example related to the search will be described. In the procedure of FIG. 21, steps S300 to S308 are the same as the steps denoted by the same reference numerals in the procedure of FIG. 20, and the steps after S312 are different from the procedure of FIG.

  In the procedure of FIG. 21, when metadata satisfying the search condition is obtained in S304 or S308, the search server 250 obtains a combination of the DID and the processing device ID included in each of the metadata (S312). Then, for each of the obtained combinations, the processor 110 of the processing device ID included in the combination is instructed to re-encrypt the document having the DID included in the combination (S314). The processing device 110 that has received this instruction may perform the same processing as the processing after S204 in the procedure shown in FIG. That is, the protected document corresponding to the DID included in the instruction is decrypted and the original document is reproduced (or the original document stored in association with the DID is taken out). The encryption is performed again using the latest encryption software installed in the processing device 110 (S204). Then, the metadata is updated (S206), and the new eDoc generated by the encryption is delivered to the viewing terminal 104 of each delivery destination (S208).

  The procedure in FIG. 21 is, for example, when a vulnerability is found in the encryption processing when the processing device 110 has a specific status, the protected document encrypted and generated by the processing device 110 having that status. Is used to identify vulnerabilities and eliminate vulnerabilities.

  In a specific example, for example, a vulnerability is found in the encryption of the processing device 110 using the version Y of the encoding software A and the version Z of the encryption software B in the version X OS (operating system). I do. A combination of the OS version X, the encoding software name A and the version Y, and the encryption software name B and the version Z constitutes a part of the status of the processing device 110. . The administrator of the management system 150 specifies the eDoc encrypted and distributed by the processing device 110 having such a status, and determines that the eDoc needs to be re-encrypted under secure conditions and redistributed. In this case, the administrator inputs a search condition including a combination of the status items of the OS, the encoding software, and the encryption software as the device condition to the search server 250. The search server 250 specifies the DID of the eDoc corresponding to the search condition and the ID of the processing device 110 according to the procedure of FIG. 21, and instructs the processing device 110 to re-encrypt (and re-distribute) the eDoc.

  In the example of FIG. 21, the eDoc that satisfies the search condition is re-encrypted by the processing device 110. However, in order to cause the processing device 110 to execute another re-processing other than the re-encryption, the processing illustrated in FIG. Procedures may be used.

  For example, a department to be abolished due to the integration of departments of an organization occurs, and the access authority for a specific eDoc distributed to a user belonging to the department is changed (for example, the access authority is changed to the content of the access authority corresponding to the integration destination department). Consider when you need to do it. In this case, the eDoc that satisfies the condition is specified, and the access authority information (see the metadata 300 in FIG. 3) set in the eDoc is reset to new contents. In this case, the administrator inputs search conditions including the department as user conditions to the search server 250. The search server 250 queries the user ID server 210 for a user belonging to a department indicated by the user condition included in the search condition. The search server 250 inquires of the metadata server 230 about metadata including the user ID obtained by the inquiry in the distribution destination information. Then, the search server 250 extracts the DID and the processing device ID from the metadata returned from the metadata server 230 in response to the inquiry. Then, for the processing device 110 corresponding to the processing device ID, the access right information of the metadata corresponding to the DID is updated to predetermined contents (this may be specified by the administrator to the search server 250). Instruct The processing device 110 that has received this instruction updates the metadata in response to the instruction, and notifies the host device (the in-house metadata server 156 or the metadata server 230) of the update.

  The procedure shown in FIG. 21 can also be used when it is desired to remove an eDoc delivered to a user who belonged to a department to be abolished from the distribution destination of the eDoc. That is, the search server 250 searches for a user who belonged to the department according to the search condition (department) input by the administrator, and specifies the eDoc distributed to the searched user (S312). Then, for the processing device 110 that has generated the identified eDoc, the retrieved users are deleted from the distribution destination of the eDoc, and the eDoc is regenerated (that is, re-encrypted using a different encryption key, Instructions are given to generate metadata that describes the deleted remaining distribution destination users in the distribution destination information) and re-distribution (distribution to the remaining distribution destination users). At this time, the processing device 110 may be instructed to transmit an instruction to delete the eDoc (before the re-generation) to the user deleted from the distribution destination.

  The embodiments of the present invention have been described above. The creation terminal 102, the browsing terminal 104, the processing device 110, the local user ID server 152, the local DID server 154, the local metadata server 156, the user ID server 210, the DID server 220, the metadata server 230, and the processing device management exemplified above. Each device such as the server 240 is realized by causing a computer to execute the above-described program representing the function of each device. Here, the computer may be, for example, a hardware such as a microprocessor such as a CPU, a memory (primary storage) such as a random access memory (RAM) and a read only memory (ROM), a flash memory or an SSD (solid state drive), and an HDD. A controller for controlling a fixed storage device such as a hard disk drive or the like, various I / O (input / output) interfaces, a network interface for controlling connection to a network such as a local area network, and the like are connected via, for example, a bus. Circuit configuration. A program describing the processing contents of each of these functions is stored in a fixed storage device such as a flash memory via a network or the like, and is installed in a computer. The programs stored in the fixed storage device are read into the RAM and executed by the microprocessor such as the CPU, thereby realizing the functional module group exemplified above.

10 wide area network, 100 local system, 102 creation terminal, 104 viewing terminal, 108 local network, 110 processing device, 112 management information storage unit, 112a management information, 114a user information, 130 authentication device, 150 organization management system, 152 local User ID server, 154 Local DID server, 156 Local metadata server, 200 management system, 210 User ID server, 212 Contractor data, 214 General user data, 220 DID server, 230 Metadata server, 240 Processing device management server, 242 Status history, 244 status, 246 software information, 248 hardware information, 300 metadata, 400 input screen, 402 destination user selection menu, 404 destination user The list field, 406 distribution destination terminal selection menu, 408 distribution destination terminal list field, 410 access authority setting field, 412 offline validity period menu, 414 option setting call button, 420 option setting screen, 422 processing device specification field, 424 original data setting Column, 500 list screen, 502 notification mark, 504 document name, 506 browsability mark, 602 issuing authority key, 604 processing device specific information, 606 issue date, 608 issue certification key, 610 issue number.

Claims (8)

Receiving means for receiving a search request including a first search condition for subject attribute information that is attribute information of the subject and a second search condition for data attribute information that is attribute information of the data;
A first search unit that searches for the subject identification information corresponding to the subject attribute information that satisfies the first search condition from a first management device that manages the subject identification information identifying the subject and the subject attribute information in association with each other When,
From a second management device that associates and manages data, the subject identification information of the subject related to the data, and data attribute information of the data, the subject identification information searched by the first search unit is Second search means for searching for data that is associated data and has data attribute information that satisfies the second search condition;
An information processing apparatus including
The subject related to the data is a processing device that has performed a process on the data,
The information processing device,
Control means for controlling the processing device corresponding to the subject identification information associated with the data searched by the second search means to execute reprocessing on the data;
An information processing apparatus further including: The first management device manages the subject identification information and the attribute information of the subject in the time or the period in association with a time or a period,
The second management device, in association with time or period, manages the subject identification information of the subject related to the data in the time or period in association with the data,
The first search means searches for a time or a period and subject identification information corresponding to the attribute information satisfying the first search condition,
The second search means searches for data corresponding to the time or period searched by the first search means and the subject identification information,
The information processing device according to claim 1. A receiving means for receiving a search condition regarding the attribute information of the subject;
A first search unit that searches for the subject identification information corresponding to the attribute information that satisfies the search condition, from a first management device that manages the subject identification information for identifying the subject in association with the attribute information of the subject;
A second management device that associates and manages data and the subject identification information of the subject related to the data and searches for data associated with the subject identification information searched by the first search unit; 2 search means;
An information processing apparatus including
The first management device manages the subject identification information and the attribute information of the subject in the time or the period in association with a time or a period,
The second management device, in association with time or period, manages the subject identification information of the subject related to the data in the time or period in association with the data,
The first search means searches for a time or a period and subject identification information corresponding to the attribute information satisfying the search condition,
The second search means searches for data corresponding to the time or period and the subject identification information searched by the first search means,
The subject related to the data is a processing device that has performed a process on the data,
The information processing device,
Control means for controlling the processing device corresponding to the subject identification information associated with the data searched by the second search means to execute reprocessing on the data;
Further comprising
The process is a process of generating encrypted data by encrypting the data with encryption software,
The re-processing is a process of re-encrypting the data searched by the second search unit with the latest version of the encryption software.
Information processing device. Receiving means for receiving a search request including a first search condition for subject attribute information that is attribute information of the subject and a second search condition for data attribute information that is attribute information of the data;
A first search unit that searches for the subject identification information corresponding to the subject attribute information that satisfies the first search condition from a first management device that manages the subject identification information identifying the subject and the subject attribute information in association with each other When,
From a second management device that associates and manages data, the subject identification information of the subject related to the data, and data attribute information of the data, the subject identification information searched by the first search unit is Second search means for searching for data that is associated data and has data attribute information that satisfies the second search condition;
An information processing apparatus including
The subject related to the data is a user to whom the data is distributed,
The second management device manages user identification information of a user to whom the data is distributed as the subject identification information of the subject related to the data in association with the data, and further processes the data. Manages the device identification information of the processing device that has executed
The information processing device,
Control means for controlling the processing device corresponding to the device identification information associated with the data searched by the second search means to execute reprocessing on the data;
An information processing apparatus further including: The process is a process of associating metadata including a list of user identification information of a user to which the data is distributed with the data,
The re-processing is processing for deleting, from the list in the metadata associated with the data searched by the second search means, user identification information of a user searched by the first search means,
The information processing device according to claim 4. The process is a process of associating the metadata including information indicating the content of the access authority of the distribution destination user to the data with the data,
The re-processing is processing of updating the content of the access right in the metadata associated with the data searched by the second search unit.
The information processing device according to claim 4. Computer
Receiving means for receiving a search request including a first search condition relating to subject attribute information which is attribute information of the subject and a second search condition relating to data attribute information which is attribute information of the data;
A first search unit that searches for the subject identification information corresponding to the subject attribute information that satisfies the first search condition from a first management device that manages the subject identification information identifying the subject in association with the subject attribute information; ,
From a second management device that associates and manages data, the subject identification information of the subject related to the data, and data attribute information of the data, the subject identification information searched by the first search unit is A second search unit that searches for data that is associated data and that has data attribute information that satisfies the second search condition;
Program to function as
The subject related to the data is a processing device that has performed a process on the data,
The program further controls the computer,
Control means for controlling the processing device corresponding to the subject identification information associated with the data searched by the second search means to execute reprocessing on the data;
A program characterized by functioning as a computer. Computer
A receiving means for receiving a search condition regarding the attribute information of the subject,
A first search unit that searches for the subject identification information corresponding to the attribute information that satisfies the search condition from a first management device that manages the subject identification information for identifying the subject in association with the attribute information of the subject;
A second management device that associates and manages data and the subject identification information of the subject related to the data and searches for data associated with the subject identification information searched by the first search unit; 2 search means,
Program to function as
The first management device manages the subject identification information and the attribute information of the subject in the time or the period in association with a time or a period,
The second management device, in association with time or period, manages the subject identification information of the subject related to the data in the time or period in association with the data,
The first search means searches for a time or a period and subject identification information corresponding to the attribute information satisfying the search condition,
The second search means searches for data corresponding to the time or period and the subject identification information searched by the first search means,
The subject related to the data is a processing device that has performed a process on the data,
The program causes the computer to:
Control means for controlling the processing device corresponding to the subject identification information associated with the data searched by the second search means to execute reprocessing on the data;
To further function as
The process is a process of generating encrypted data by encrypting the data with encryption software,
The re-processing is a process of re-encrypting the data retrieved by the second retrieval unit using the latest version of the encryption software.
program.