WO2006053963A1 - Method for establishing a digital certificate - Google Patents

Publication number
WO2006053963A1
Authority
WO
WIPO (PCT)
Prior art keywords
certificate
digital certificate
confidence
index
confidence index
Application number
PCT/FR2005/002797
Other languages
French (fr)
Inventor
Loïc HOUSSIER
Laurent Frisch
Julie Loch
Original Assignee
France Telecom
Application filed by France Telecom

Classifications

    • H - ELECTRICITY
    • H04 - ELECTRIC COMMUNICATION TECHNIQUE
    • H04L - TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 - Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 - Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 - Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Definitions

  • The invention relates to public key management infrastructures, and in particular to the generation of digital certificates in public key cryptography.
  • A digital certificate is notably intended to guarantee to a user that a public key which has been transmitted to him does not come from an impostor.
  • A digital certificate standard for use on the Internet is defined in the X.509v3 standard. This certificate includes the certified public key, its validity period, the identity of its owner, a list of attributes defining its rights of use (message signature key, secure web server key...) and a cryptographic signature of this data by the private key of the certification authority.
  • FIG. 1 illustrates an example of a public key infrastructure.
  • A user 1 has a private key 9 and a public key 10 and wishes to obtain a digital certificate in order to guarantee to a user 2 that he is indeed the owner of the key 10.
  • A public key management infrastructure 3 manages the creation of certificates and their life (revocation, renewal...). From an organizational point of view, a public key management infrastructure comprises three logical entities: a registration authority 4, a certification operator 5 and a certification authority 6.
  • A key management infrastructure can interact in particular with a publication directory 7 or a certificate database 8.
  • The local registration authority 4 collects requests from users wishing to obtain a certificate.
  • Authority 4 formally checks the validity of these requests.
  • The certification operator 5 processes the certification request and issues certificates by applying the procedures defined by the certification authority 6.
  • The operator 5 generally publishes the certificates in the directory 7 or makes these certificates available in the database 8.
  • The certification authority 6 is a moral authority in the name of which the certificates are issued. Authority 6 establishes and verifies the application of certificate generation procedures.
  • User 1 obtains a certificate according to the following process: user 1 transmits a request to the registration authority 4. This request contains his public key 10 and other information concerning him (name, email address, etc.).
  • The registration authority 4 collects the request and formally checks its validity.
  • The registration authority 4 records the information on the identity of the user 1 in the database 8.
  • The certification operator 5 recovers the private key of the certification authority 6, the public key 10 and the information supplied by the user 1.
  • The certification operator 5 then creates the certificate by signing the data supplied by the user 1 with the private key of the certification authority 6.
  • The certification operator 5 then transmits the certificate to user 1 or to the database 8, and publishes it on the directory 7.
  • Confidence in the generated certificate is mainly based on the trust placed in the certification authority 6.
  • A certification authority cannot systematically have total confidence in the data recorded by its registration authorities 4.
  • Certain data (e.g. the user's date of birth or address) may be registered without being able to be verified beforehand, or a registration authority may not be completely satisfactory.
  • The trust granted by a certification authority 6 manifests itself in binary form: either the certification authority 6 trusts the data recorded and the certificate is generated, or the certification authority 6 does not trust this data and the certificate is not generated.
  • The current certification process also does not make it possible to manage different confidence criteria in a differentiated manner.
  • The invention aims to solve one or more of these drawbacks.
  • The invention thus relates to a method for generating a digital certificate, comprising the steps of: determining a confidence index to be granted to all or part of the digital certificate; writing the determined confidence index into the digital certificate; signing the digital certificate with a private key of a certification authority of a public key infrastructure.
  • The confidence index may be representative of the confidence to be placed in the method of recording the data of the digital certificate.
  • According to a variant, the confidence index is representative of the confidence to be granted to certain data included in the digital certificate.
  • The invention also relates to a digital certificate comprising data and at least one confidence index to be granted to all or part of the certificate, the data and the confidence index being signed by a private key of a certification authority of a public key infrastructure.
  • The confidence index can be representative of the confidence to be placed in the data recording mode.
  • According to a variant, the confidence index is representative of the confidence to be accorded to certain data included in the digital certificate.
  • The invention further relates to an infrastructure for generating a digital certificate, comprising: a device for calculating a confidence index to be granted to all or part of the digital certificate; and a certification authority, which includes the confidence index in the digital certificate and signs the digital certificate with its private key.
  • The infrastructure can include a device for storing data to be included in the digital certificate, and the calculation device can calculate a confidence index representative of the confidence placed in the data recording mode of the digital certificate.
  • According to a variant, the calculation device calculates a confidence index representative of the confidence to be granted to certain data included in the digital certificate.
  • FIG. 1 illustrates the structure of an example of certification infrastructure.
  • FIG. 2 illustrates a first example of a certificate according to the invention.
  • FIG. 3 illustrates a second example of a certificate according to the invention.
  • FIG. 4 illustrates a third example of a certificate according to the invention.
  • The invention proposes to insert a confidence index to be granted to all or part of a certificate, and to sign the data and the confidence index with a private key of a certification authority of a public key infrastructure.
  • The confidence index takes a value within a confidence scale defined in advance. One can also envisage a confidence index in the form of points accumulated when certain confidence conditions are met.
  • The data included in the digital certificate notably includes information relating to the identity of the beneficiary of the certificate or information dependent on the certification authority.
  • Information relating to the identity of the beneficiary includes in particular his name, first name, telephone number, e-mail address or postal address.
  • The information dependent on the certification authority notably includes the serial number, the period of validity or the name of the certification authority.
  • The data may also include proprietary information, such as the telephone number of an employee in a company, his fax number or the definition of his position.
  • A confidence index can be used to indicate the confidence given to information in the certificate by the supervisory authority. This index can in particular be defined according to the information recording mode. For example, information recorded online on the Internet and without transmission encryption will have a reduced confidence index. On the other hand, information from the user, recorded by a public authority following a verification of identity documents, will have a high confidence index.
  • A confidence index associated with the information recording mode can also take into account the reliability of the network between the user and the registration authority, the storage mode used by the registration authority, etc. One can thus envisage that certificates generated from the same data but passing through different registration authorities have distinct confidence indices.
  • A confidence index can also indicate the confidence placed in the supervisory authority and its certification chain.
  • A confidence index can also indicate the confidence of the certification authority in a registration authority or the overall confidence in the generated certificate.
  • Figure 2 illustrates the contents of a certificate.
  • The certificate includes several confidence indices 21 to 24. These confidence indices are associated with information relating to the identity of the beneficiary. Each index is placed in the certificate after its associated information. The confidence index associated with the user's place of residence (Paris) is thus 80% in the example.
  • Figure 3 illustrates the content of another certificate structure. In this example, markers 26 are placed after certain information. An object identifier (generally designated by the acronym OID) is inserted in the certificate and contains a list of indices 25. A list of indices 25 is thus associated with the various markers. The order of appearance of the markers in the certificate corresponds to the order of the indices in the list 25. Thus, the second marker of the certificate is associated with the second index in the list 25.
  • OID: object identifier.
  • Figure 4 illustrates the content of another certificate structure.
  • The indices are only identified in an object identifier placed in the certificate.
  • This object identifier includes a list of pairs. Each pair includes on the one hand the identification of the type of information associated with the index and on the other hand the index.
  • The identifier L identifies information of the place of residence type and the associated index is 80%.
  • The process for generating the certificate can be as follows.
  • The public key management infrastructure 3 records data to be included in the certificate, for example the public key 10 or information associated with the user 1. This recording is for example carried out by the local registration authority 4, by any appropriate means such as an online form or an email attachment.
  • The certification operator 5 formats a certificate including the recorded data.
  • The certificate is transmitted to the certification authority 6.
  • The certification authority 6 calculates one or more of the confidence indices described above.
  • The certification authority inserts these confidence indices in the certificate.
  • Certification authority 6 then signs the certificate with its private key, then transmits the signed certificate to the certification operator 5. It can also be provided that the calculation of the confidence indices is delegated to a device other than the certification authority 6.
  • The generated certificate can be transmitted to the user 2, or stored in a database 8 or in a directory accessible online 9.
  • Another user can carry out a test in order to validate or not the certificate 11 of user 1.
  • User 2 verifies the certificate 11 using the public key of the certification authority 6.
  • User 2 compares one or more indices of the certificate with validation thresholds.
  • The user can in particular set a confidence index for the entire certificate or for one or more data contained in the certificate.
  • The user can reject a certificate having at least one confidence index lower than its respective validation threshold or having a missing confidence index.
  • The user is therefore free to set the validation thresholds which he considers preponderant.
  • The validation thresholds can be predefined according to applications executed by user 2, or be defined manually by user 2.
  • The validation test may also require verification of the certificate's chain of trust.
  • connection link to a database containing confidence indices to be associated with the certificate. This link would thus be stored in the certificate in place of the trust index or indices.

Abstract

The invention concerns a method for generating a digital certificate, comprising the following steps: determining a reliability index to be granted to all or part of the digital certificate; writing the reliability index into the digital certificate (11); signing the digital certificate with a private key (12) of a certification authority (6) of a public key infrastructure (3). The invention enables in particular certificates to be delivered to users who could not previously have obtained one, while offering the recipient of the certificate a means of verifying the trust to be placed in the certificate.

Description

METHOD FOR ESTABLISHING A DIGITAL CERTIFICATE
The invention relates to public key management infrastructures, and in particular to the generation of digital certificates in public key cryptography. A digital certificate is notably intended to guarantee to a user that a public key which has been transmitted to him does not come from an impostor. A digital certificate standard for use on the Internet is defined in the X.509v3 standard. This certificate includes the certified public key, its validity period, the identity of its owner, a list of attributes defining its rights of use (message signature key, secure web server key...) and a cryptographic signature of this data by the private key of the certification authority.
Figure 1 illustrates an example of a public key infrastructure. A user 1 has a private key 9 and a public key 10 and wishes to obtain a digital certificate in order to guarantee to a user 2 that he is indeed the owner of the key 10. A public key management infrastructure 3 manages the creation of certificates and their life (revocation, renewal...). From an organizational point of view, a public key management infrastructure comprises three logical entities: a registration authority 4, a certification operator 5 and a certification authority 6. A key management infrastructure can interact in particular with a publication directory 7 or a certificate database 8.
The functions of these entities are as follows:
- the local registration authority 4 collects requests from users wishing to obtain a certificate. Authority 4 formally checks the validity of these requests;
- the certification operator 5 processes the certification request and issues certificates by applying the procedures defined by the certification authority 6. The operator 5 generally publishes the certificates in the directory 7 or makes these certificates available in the database 8;
- the certification authority 6 is a moral authority in the name of which the certificates are issued. Authority 6 establishes and verifies the application of certificate generation procedures.
User 1 obtains a certificate according to the following process:
- user 1 transmits a request to the registration authority 4. This request contains his public key 10 and other information concerning him (name, email address, etc.);
- the registration authority 4 collects the request and formally checks its validity. The registration authority 4 records the information on the identity of the user 1 in the database 8;
- the certification operator 5 recovers the private key of the certification authority 6, the public key 10 and the information supplied by the user 1. The certification operator 5 then creates the certificate by signing the data supplied by the user 1 with the private key of the certification authority 6. The certification operator 5 then transmits the certificate to user 1 or to the database 8, and publishes it on the directory 7.
Confidence in the generated certificate is mainly based on the trust placed in the certification authority 6. However, a certification authority cannot systematically have total confidence in the data recorded by its registration authorities 4. Thus, certain data (e.g. the user's date of birth or address) may be registered without being able to be verified beforehand, or a registration authority may not be completely satisfactory. The trust granted by a certification authority 6 manifests itself in binary form: either the certification authority 6 trusts the data recorded and the certificate is generated, or the certification authority 6 does not trust this data and the certificate is not generated. Thus, a person who does not have adequate means to prove that their data is trustworthy will not be able to obtain a certificate.
The current certification process also does not make it possible to manage different confidence criteria in a differentiated manner.
The invention aims to solve one or more of these drawbacks. The invention thus relates to a method for generating a digital certificate, comprising the steps of:
- determining a confidence index to be granted to all or part of the digital certificate;
- writing the determined confidence index into the digital certificate;
- signing the digital certificate with a private key of a certification authority of a public key infrastructure.
The confidence index may be representative of the confidence to be placed in the method of recording the data of the digital certificate.
According to a variant, the confidence index is representative of the confidence to be granted to certain data included in the digital certificate.
The invention also relates to a digital certificate comprising data and at least one confidence index to be granted to all or part of the certificate, the data and the confidence index being signed by a private key of a certification authority of a public key infrastructure. The confidence index can be representative of the confidence to be placed in the data recording mode.
According to a variant, the confidence index is representative of the confidence to be accorded to certain data included in the digital certificate.
The invention further relates to an infrastructure for generating a digital certificate, comprising:
- a device for calculating a confidence index to be granted to all or part of the digital certificate;
- a certification authority, which includes the confidence index in the digital certificate and signs the digital certificate with its private key.
The infrastructure can include a device for storing data to be included in the digital certificate, and the calculation device can calculate a confidence index representative of the confidence placed in the data recording mode of the digital certificate.
According to a variant, the calculation device calculates a confidence index representative of the confidence to be granted to certain data included in the digital certificate.
Other characteristics and advantages of the invention will emerge clearly from the description given below, by way of indication and in no way limiting, with reference to the appended drawings, in which:
- Figure 1 illustrates the structure of an example of certification infrastructure;
- Figure 2 illustrates a first example of a certificate according to the invention;
- Figure 3 illustrates a second example of a certificate according to the invention;
- Figure 4 illustrates a third example of a certificate according to the invention.
The invention proposes to insert a confidence index to be granted to all or part of a certificate, and to sign the data and the confidence index with a private key of a certification authority of a public key infrastructure.
L'indice de confiance prend une valeur comprise dans une échelle de confiance définie à l'avance. On peut également envisager un indice de confiance sous forme de points cumulés lorsque certaines conditions de confiance sont respectées.The confidence index takes a value included in a confidence scale defined in advance. We can also consider a confidence index in the form of cumulative points when certain confidence conditions are met.
De façon connue en soi, les données incluses dans le certificat numérique comprennent notamment des informations relatives à l'identité du bénéficiaire du certificat ou des informations dépendantes de l'autorité de certification. Les informations relatives à l'identité du bénéficiaire comprennent notamment son nom, son prénom, son numéro de téléphone, son adresse électronique ou son adresse postale. Les informations dépendantes de l'autorité de certification comprennent notamment le numéro de série, la période de validité ou le nom de l'autorité de certification. Les données peuvent également inclure des informations propriétaires, telles que le numéro de téléphone d'un employé dans une entreprise, son numéro de fax ou la définition de son poste.In a manner known per se, the data included in the digital certificate notably includes information relating to the identity of the beneficiary of the certificate or information dependent on the certification authority. Information relating to the identity of the beneficiary includes in particular his name, first name, telephone number, e-mail address or postal address. The information dependent on the certification authority notably includes the serial number, the period of validity or the name of the certification authority. The data may also include proprietary information, such as the telephone number of an employee in a company, his fax number or the definition of his position.
Différents types d'indices de confiance peuvent être utilisés. Un indice de confiance peut être utilisé pour indiquer la confiance accordée à une information du certificat par l'autorité de contrôle. Cet indice peut notamment être défini en fonction du mode d'enregistrement des informations. Par exemple, des informations enregistrées en ligne sur Internet et sans cryptage de transmission présenteront un indice de confiance réduit. Par contre, des informations de l'utilisateur, enregistrées par une autorité publique suite à une vérification de papiers d'identité, présenteront un indice de confiance élevé. Un indice de confiance associé au mode d'enregistrement des informations peut également prendre en compte la fiabilité du réseau entre l'utilisateur et l'autorité d'enregistrement, le mode de stockage utilisé par l'autorité d'enregistrement, etc.. On peut ainsi envisager que des certificats générés à partir de mêmes données mais en passant par des autorités d'enregistrement différentes présentent des indices de confiance distincts.Different types of confidence indexes can be used. A confidence index can be used to indicate the confidence given to information in the certificate by the supervisory authority. This index can in particular be defined according to the information recording mode. For example, information recorded online on the Internet and without transmission encryption will have a reduced confidence index. On the other hand, information from the user, recorded by a public authority following a verification of identity documents, will have a high index of confidence. A confidence index associated with the information recording mode can also take into account the reliability of the network between the user and the recording authority, the storage mode used by the recording authority, etc. can thus envisage that certificates generated from the same data but passing through different registration authorities have distinct confidence indices.
A confidence index can also indicate the confidence placed in the supervisory authority and its certification chain. A confidence index can further indicate the confidence of the certification authority in a registration authority, or the overall confidence in the generated certificate.
Figure 2 illustrates the content of a certificate. In this example, the certificate comprises several confidence indices 21 to 24. These confidence indices are associated with information relating to the identity of the beneficiary. Each index is placed in the certificate after the information it relates to. The confidence index associated with the user's place of residence (Paris) is thus 80% in the example.

Figure 3 illustrates the content of another certificate structure. In this example, markers 26 are placed after certain items of information. An object identifier (generally designated by the acronym OID) is inserted in the certificate and contains a list of indices 25. The list of indices 25 is thus associated with the various markers. The order in which the markers appear in the certificate corresponds to the order of the indices in the list 25. Thus, the second marker in the certificate is associated with the second index in the list 25.
Figure 4 illustrates the content of another certificate structure. In this example, the indices are identified only in an object identifier placed in the certificate. This object identifier comprises a list of pairs. Each pair comprises, on the one hand, the identification of the type of information associated with the index and, on the other hand, the index itself. Thus, the identifier L identifies an item of information of the place-of-residence type, and the associated index is 80%.
The method for generating the certificate can be as follows. The public key management infrastructure 3 registers data to be included in the certificate, for example the public key 10 or information associated with user 1. This registration is carried out, for example, by the local registration authority 4, by any appropriate means such as an online form or an e-mail attachment.
The certification operator 5 formats a certificate including the registered data. The certificate is transmitted to the certification authority 6. The certification authority 6 calculates one or more of the confidence indices described above.
The certification authority inserts these confidence indices into the certificate. The certification authority 6 then signs the certificate with its private key and transmits the signed certificate to the certification operator 5. The calculation of the confidence indices can also be delegated to a device other than the certification authority 6.
In a manner known per se, the generated certificate can be transmitted to user 2, or stored in a database 8 or in an online-accessible directory 9.
Another user (such as user 2 in Figure 1) can carry out a test in order to validate, or not, the certificate 11 of user 1. User 2 verifies the certificate 11 by means of the public key of the certification authority 6. User 2 then compares one or more indices of the certificate with validation thresholds. The user can in particular set a confidence index for the certificate as a whole or for one or more items of data contained in the certificate. The user can reject a certificate that has at least one confidence index below its respective validation threshold, or that has a missing confidence index. The user is therefore free to set the validation thresholds they consider most important. The validation thresholds can be predefined according to the applications run by user 2, or be defined manually by user 2.

It thus becomes possible to generate a certificate that does not have a maximum confidence index, the recipient user or their applications then being free to accept this certificate or not. Such a certificate is particularly advantageous when data are registered online and their validity cannot be rigorously verified. In addition, by associating different confidence indices with different items of information in the certificate, the recipient of the certificate is free to decide for which information they do or do not require a high confidence index. User 1, wishing to obtain a certificate, can also obtain one even if they were unable to obtain a high confidence index for certain information in the certificate at registration.
The validation test may additionally require verification of the certificate's chain of trust.
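The two index layouts of Figures 3 and 4 and the relying party's threshold test described above, as an added Python sketch that is not part of the patent. The dictionary layout, the field names, the 0 to 100 scale and the `signature_ok` flag (the outcome of the CA signature check, performed elsewhere) are assumptions; the sample certificates are constructed.

```python
from dataclasses import dataclass, field

# Constructed sample data. The dict layout, field names and 0-100 scale are
# assumptions for this sketch; the patent fixes no concrete encoding.
# Figure 3 style: a marker flag follows some fields, indices live in one list.
FIG3_CERT = {
    "fields": [("CN", "Alice Martin", True),
               ("L", "Paris", True),
               ("mail", "alice@example.test", False)],
    "index_list": [95, 80],
}
# Figure 4 style: the index object is a list of (information type, index) pairs.
FIG4_CERT = {
    "fields": [("CN", "Alice Martin"), ("L", "Paris"),
               ("mail", "alice@example.test")],
    "index_pairs": [("CN", 95), ("L", 80)],
}


def _check_range(name, value):
    if not isinstance(value, int) or not 0 <= value <= 100:
        raise ValueError(f"index for {name!r} out of range: {value!r}")
    return value


def indices_from_markers(cert):
    """Figure 3: the n-th marked field takes the n-th index of the list."""
    marked = [name for name, _value, has_marker in cert["fields"] if has_marker]
    if len(marked) != len(cert["index_list"]):
        # A count mismatch would silently shift every later association.
        raise ValueError("marker count does not match index list length")
    return {n: _check_range(n, i) for n, i in zip(marked, cert["index_list"])}


def indices_from_pairs(cert):
    """Figure 4: each pair names the information type it rates."""
    present = {name for name, _value in cert["fields"]}
    result = {}
    for name, index in cert["index_pairs"]:
        if name not in present or name in result:
            raise ValueError(f"unknown or duplicate information type {name!r}")
        result[name] = _check_range(name, index)
    return result


@dataclass
class Decision:
    accepted: bool
    reasons: list = field(default_factory=list)


def evaluate(indices, thresholds, signature_ok):
    """Apply the relying party's thresholds; a missing or low index rejects."""
    if not signature_ok:
        # Indices only mean something once the CA signature over them holds.
        return Decision(False, ["CA signature not verified"])
    reasons = []
    for name, minimum in thresholds.items():
        if name not in indices:
            reasons.append(f"{name}: no confidence index")
        elif indices[name] < minimum:
            reasons.append(f"{name}: {indices[name]} < {minimum}")
    return Decision(not reasons, reasons)


if __name__ == "__main__":
    idx = indices_from_pairs(FIG4_CERT)
    print(evaluate(idx, {"L": 75}, signature_ok=True))
    print(evaluate(idx, {"L": 75, "mail": 50}, signature_ok=True))
```

The Figure 3 layout depends on marker order, so the parser refuses a certificate whose marker count differs from the list length rather than guessing the association.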
It would also be possible to store a connection link to a database containing the confidence indices to be associated with the certificate. This link would then be stored in the certificate in place of the confidence index or indices.

Claims

1. Method for generating a digital certificate, comprising the steps of:
- determining a confidence index to be assigned to all or part of the digital certificate, the confidence index being representative of the confidence to be placed in the method of registration of the data of the digital certificate;
- writing the determined confidence index (21, 22, 23, 24, 25) into the digital certificate (11);
- signing the digital certificate with a private key (12) of a certification authority (6) of a public key infrastructure (3).

2. Method for generating a digital certificate according to claim 1, characterized in that the confidence index is representative of the confidence to be placed in certain data included in the digital certificate.

3. Digital certificate comprising data, characterized in that it further comprises at least one confidence index to be assigned to all or part of the certificate, the confidence index being representative of the confidence to be placed in the method of registration of the data, and in that the data and the confidence index are signed by a private key (12) of a certification authority (6) of a public key infrastructure (3).

4. Digital certificate according to claim 3, characterized in that the confidence index is representative of the confidence to be placed in certain data included in the digital certificate.

5. Infrastructure for generating a digital certificate, characterized in that it comprises:
- a storage device (4) for data to be included in the digital certificate;
- a device for calculating a confidence index to be assigned to all or part of the digital certificate, this confidence index being representative of the confidence placed in the method of registration of the data of the digital certificate;
- a certification authority (6), including the confidence index in the digital certificate and signing the digital certificate with its private key (12).

6. Infrastructure according to claim 5, characterized in that the calculation device calculates a confidence index representative of the confidence to be placed in certain data included in the digital certificate.
PCT/FR2005/002797 2004-11-16 2005-11-09 Method for establishing a digital certificate WO2006053963A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR0412155 2004-11-16
FR0412155A FR2878099A1 (en) 2004-11-16 2004-11-16 METHOD OF ESTABLISHING A DIGITAL CERTIFICATE

Publications (1)

Publication Number Publication Date
WO2006053963A1 (en) 2006-05-26

Family

ID=34952848

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FR2005/002797 WO2006053963A1 (en) 2004-11-16 2005-11-09 Method for establishing a digital certificate

Country Status (2)

Country Link
FR (1) FR2878099A1 (en)
WO (1) WO2006053963A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11159331B2 (en) 2016-12-16 2021-10-26 Bull Sas Traceability of a multi-actor job string by block chain, allowing at least two levels of confidence in the information stored

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020004901A1 (en) * 2000-07-10 2002-01-10 See-Wai Yip Systems and methods for PKI-enabling applications using application-specific certificates
US20020120848A1 (en) * 2001-02-17 2002-08-29 Marco Casassa Mont Digital certificates
US20030163685A1 (en) * 2002-02-28 2003-08-28 Nokia Corporation Method and system to allow performance of permitted activity with respect to a device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
WINSBOROUGH W H ET AL: "Automated trust negotiation", DARPA INFORMATION SURVIVABILITY CONFERENCE AND EXPOSITION, 2000. DISCEX '00. PROCEEDINGS HILTON HEAD, SC, USA 25-27 JAN. 2000, LAS ALAMITOS, CA, USA,IEEE COMPUT. SOC, US, vol. 1, 25 January 2000 (2000-01-25), pages 88 - 102, XP010371169, ISBN: 0-7695-0490-6 *
YEH Y-S ET AL: "Applying lightweight directory access protocol service on session certification authority", COMPUTER NETWORKS, ELSEVIER SCIENCE PUBLISHERS B.V., AMSTERDAM, NL, vol. 38, no. 5, 5 April 2002 (2002-04-05), pages 675 - 692, XP004342875, ISSN: 1389-1286 *

Also Published As

Publication number Publication date
FR2878099A1 (en) 2006-05-19

Similar Documents

Publication Publication Date Title
EP1327345B1 (en) Method for controlling access to internet sites
US20090133107A1 (en) Method and device of enabling a user of an internet application access to protected information
FR2737067A1 (en) SYSTEM AND METHOD FOR PERFORMING COMMUNICATIONS OF THE ELECTRONIC DATA EXCHANGE TYPE ON AN OPEN NETWORK
EP1471682A1 (en) Method for digital signature with delegation mechanism, systems and programs for implementing the method
WO2009130089A1 (en) Method of secure broadcasting of digital data to an authorized third party
FR2930392A1 (en) METHOD AND DEVICE FOR SECURING DATA TRANSFERS
US20120259635A1 (en) Document Certification and Security System
US20080022097A1 (en) Extensible email
FR3058243A1 (en) METHOD FOR CONTROLLING IDENTITY OF A USER USING A PUBLIC DATABASE
EP2070254B1 (en) Method and device for securing data transfers
EP1011223A1 (en) Method and system for creating and managing at least one cryptographic key
WO2006112759A1 (en) Method and device for ensuring information integrity and non-repudiation over time
EP1164529A1 (en) System and method for issuing electronic coupons
FR2814016A1 (en) METHOD FOR GENERATING PROOF OF SENDING AND RECEIVING BY A NETWORK OF DATA TRANSMISSION OF AN ELECTRONIC WRITTEN AND ITS CONTENT
WO2006053963A1 (en) Method for establishing a digital certificate
FR2900013A1 (en) Data transfer securing method for use during e.g. transmission of electronic mail, involves identifying user during which user provides proof of user identity and attributes asymmetrical keys, and transmitting messages from or towards user
WO2020144149A1 (en) Improved platform for secure transmission of personal data
FR2900010A1 (en) Data transfer securing method for use during transmission of e.g. financial document, involves evaluating value of transmission attribute according to observed correspondence anomalies for each attempt of transmission of electronic document
FR2881591A1 (en) Cryptographic operation e.g. digital certificate request, implementing method, involves performing cryptographic operation on data provided by user, and recording information associated to operation
EP3709274B1 (en) System for electronic voting on the internet
EP2351328B1 (en) Method and device for generating information descriptive of the situation of a user
EP4128700A1 (en) Method and device for authenticating a user with an application
WO2023084096A1 (en) Method for authenticating data
EP1992104B1 (en) Authenticating a computer device at user level
FR3129504A1 (en) Methods, terminal and server for managing personal data

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KN KP KR KZ LC LK LR LS LT LU LV LY MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 05817423

Country of ref document: EP

Kind code of ref document: A1