WO2023152797A1 - Verification method, verification program, and information processing device - Google Patents

Verification method, verification program, and information processing device

Info

Publication number
WO2023152797A1
Authority
WO
WIPO (PCT)
Prior art keywords
document
organization
user
signature
information
Prior art date
Application number
PCT/JP2022/004893
Other languages
French (fr)
Japanese (ja)
Inventor
洋介 中村
孝一 矢崎
大 山本
Original Assignee
富士通株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 富士通株式会社
Priority to PCT/JP2022/004893
Publication of WO2023152797A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06Q: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00: Administration; Management
    • G06Q10/06: Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling

Definitions

  • the present invention relates to a verification method, a verification program, and an information processing device.
  • a workflow system may be used to support procedures by multiple users.
  • a workflow system supports approval procedures by multiple users in an organization by asking users for approval of documents digitized by a computer according to a predetermined approval route and receiving user approval.
  • document approval procedures may be carried out across multiple organizations such as companies.
  • when document approval procedures span multiple organizations, each organization requires, in order to ensure the reliability of documents, that documents be approved by users included in appropriate approval routes. The problem is therefore to provide a mechanism that supports document approval procedures between organizations while making it possible to verify the reliability of digitized documents using information processing technology.
  • the present invention aims to enable verification of document reliability.
  • a verification method is provided.
  • a computer detects registration of a document to which an electronic signature corresponding to a user belonging to a first organization is attached and to which an electronic signature corresponding to a user belonging to a second organization is not attached. Then, a notification regarding the document is transmitted to a predetermined registered user belonging to the second organization, and in response to the notification, when a list including the users in charge belonging to the second organization is received, the list is stored in the storage unit.
  • a verification program is provided. Also, in one aspect, an information processing apparatus having a storage unit and a processing unit is provided.
  • FIG. 1 illustrates an information processing apparatus according to a first embodiment
  • FIG. 2 is a diagram showing an example of the information processing system of the second embodiment. FIG. 3 is a diagram showing a hardware example of a control server.
  • FIG. 4 is a diagram illustrating an example of functions of a control server;
  • FIG. 10 is a diagram showing an example of organization X approval route information;
  • FIG. 4 is a diagram showing an example of organization X information;
  • FIG. 10 is a diagram showing an example of WF control;
  • FIG. 10 is a diagram showing a description example of an intra-organizational signature frame in a document;
  • FIG. 10 is a diagram showing an example of WF verification;
  • FIG. 10 is a diagram showing an example of acquisition of WF verification information;
  • FIG. 10 is a diagram showing an example of obtaining a public key based on an intra-organizational signature frame;
  • FIG. 10 illustrates an example of a WF verification method;
  • 10 is a flow chart showing an example of WF verification; It is a figure which shows the example of a signature process.
  • 4 is a flow chart showing an example of signature verification;
  • FIG. 10 is a diagram illustrating an example of document movement;
  • 9 is a flowchart showing a first modified example of WF control;
  • FIG. 10 is a diagram showing an example of document encryption;
  • FIG. 11 is a flow chart showing a second modified example of WF control;
  • FIG. 10 is a diagram showing an example of cooperation with WF management tools of each organization;
  • FIG. 11 is a flow chart showing a third modified example of WF control;
  • FIG. 10 is a diagram showing an example of signature conversion;
  • FIG. 11 is a flowchart showing a fourth modified example of WF control;
  • FIG. 13 is a flow chart showing an example of signature verification in the fourth modified example;
  • FIG. 1 is a diagram illustrating an information processing apparatus according to the first embodiment.
  • the information processing apparatus 10 assists users of each organization in approving an electronic document 20 across a plurality of organizations.
  • the multiple organizations include a first organization 50 and a second organization 60.
  • the name of the first organization is organization X.
  • the name of the second organization is organization Y.
  • the number of organizations may be 3 or more.
  • the first organization 50 has client devices 51, 52, ...
  • the client device 51 is used by user X1.
  • Client device 52 is used by user X2.
  • Users X1 and X2 belong to a first organization 50.
  • Users other than users X1 and X2 also belong to the first organization 50.
  • the second organization 60 has client devices 61, 62, ...
  • the client device 61 is used by user Y1.
  • Client device 62 is used by user Y2.
  • Users Y1 and Y2 belong to the second organization 60.
  • Users other than users Y1 and Y2 also belong to the second organization 60.
  • the information processing device 10 and the client devices 51, 52, 61, 62 are connected to the network 40.
  • the network 40 is, for example, the Internet or a WAN (Wide Area Network).
  • the information processing device 10 has a storage unit 11 and a processing unit 12 .
  • the storage unit 11 may be a volatile storage device such as a RAM (Random Access Memory) or a non-volatile storage device such as a HDD (Hard Disk Drive) or flash memory.
  • the processing unit 12 may include a CPU (Central Processing Unit), DSP (Digital Signal Processor), ASIC (Application Specific Integrated Circuit), FPGA (Field Programmable Gate Array), and the like.
  • the processing unit 12 may be a processor that executes programs.
  • a "processor" may include a collection of multiple processors (multiprocessor).
  • the document 20 is an electronic document. Document 20 is subject to approval by users belonging to first organization 50 and users belonging to second organization 60 .
  • An example of the document 20 is a contract.
  • the contract indicates, for example, the details of the contract made by the first organization 50 and the second organization 60 .
  • the document 20 is stored in the storage unit 11.
  • Document 20 may be stored in a device different from information processing device 10 .
  • document 20 may be stored in another information processing device connected to network 40 .
  • the approval path for the document 20 is first to the first organization 50 and then to the second organization 60.
  • the approval path is set in the document 20 itself.
  • the processing unit 12 forwards the workflow according to the approval route information given to the document 20 .
  • the processing unit 12 sets, in the document 20, the specific information of the user to whom the approval is requested in the organization when the workflow reaches the organization.
  • at this stage, no specific user information is set in the document 20 for the approval request destination in the second organization 60. Instead, information is set in the document 20 indicating that the workflow's next forwarding destination is the second organization 60.
  • the approval route for the document 20 in each organization can be flexibly determined when the workflow arrives at the organization.
  • the approval path information can be set by the order in which each user's signature frame for the document 20 is written using the "o:signatureline" tag.
  • a signature frame is a frame provided in the document 20 for attaching an image such as a handwritten signature or seal stamp of the user who has performed the approval.
  • the processing unit 12 may acquire information on the approval path indicating the user to whom the approval is requested, which is predetermined for the attribute of the document in each organization, and set the information on the approval path to the document 20 .
  • the processing unit 12 may receive an input of approval path information indicating a user to whom approval is requested in the organization by a user of the organization, and set the information of the approval path in the document 20 .
  • the electronic signature of the user is attached to the document 20 according to the approval of each user.
  • Electronic signatures may also be referred to as digital signatures.
  • document 20 has management information 21 .
  • the management information 21 includes information indicating the users to whom approval of the document 20 is requested and the order of requesting each user.
  • the management information 21 may also include contact information such as the e-mail address of the user to whom the approval is requested.
  • the management information 21 includes the electronic signature of the user who has given the approval.
  • the electronic signature is, for example, data obtained by encrypting a hash value of difference data before and after processing of the document 20 by the user with the private key of the user.
  • Information indicating the state of the document 20 before processing by the user is stored in the document 20 in association with the electronic signature of the user. It should be noted that since the user's electronic signature is attached to the document 20 by the approval of the requested user, it can also be said that the user to whom the approval is requested is the user to which the electronic signature is requested.
  • the users X1 and X2 are set in the document 20 in this order as the users requested for approval within the first organization 50.
  • the information of the user to whom the approval is requested in the second organization 60 is not set in the document 20 while the approval is being performed in the first organization 50 . Instead, information is set in the document 20 indicating that the next organization is the second organization 60 .
  • the information processing apparatus 10 supports each user's approval of the document 20 across organizations while enabling verification of the reliability of the document 20 as follows.
  • the processing unit 12 notifies the user X1 of an approval request for the document 20 .
  • the processing unit 12 sends an approval request message for the document 20 to the email address of the user X1.
  • the processing unit 12 attaches the electronic signature Xa of the user X1 to the document 20 upon receiving an approval input by the user X1 using the client device 51 .
  • the processing unit 12 notifies the user X2 of an approval request for the document 20. For example, the processing unit 12 sends an approval request message for the document 20 to the e-mail address of the user X2. The processing unit 12 attaches the electronic signature Xb of the user X2 to the document 20 upon receiving an approval input by the user X2 using the client device 52 .
  • the processing unit 12 detects that the approval by the first organization 50 is completed. Then, the processing unit 12 notifies the user in charge of workflow management in the second organization 60 that the workflow of the document 20 has been sent. For example, the processing unit 12 may notify the e-mail address or mailing list of the user in charge of managing the workflow of the second organization 60, which is stored in the storage unit 11 in advance. It is assumed that users responsible for managing the workflows of the second organization 60 include user Y1.
  • the processing unit 12 receives from the client device 61, for example, the list 30, input by the user Y1, of users in the second organization 60 who are trusted or authorized for approval as approval request destinations, and stores the list 30 in the storage unit 11.
  • the processing unit 12 may receive the list 30 from the client device 61 in advance and store it in the storage unit 11 .
  • list 30 may indicate users Y2 and Y3.
  • User Y3 is a user belonging to the second organization 60 .
  • the processing unit 12 accepts, for example, an approval path in the second organization 60 input by another user in the organization Y, and sets it in the document 20.
  • the users Y2 and Y4 are set in the document 20 in this order as the users requested for approval within the second organization 60.
  • User Y4 is a user belonging to the second organization 60.
  • the information of the user Y4 to whom the approval is requested set in the document 20 may have been initially set by the user Y1 as the information of the user Y3 and then changed to the information of the user Y4 by another user.
  • the processing unit 12 notifies the user Y2 of the approval request for the document 20.
  • the processing unit 12 sends an approval request message for the document 20 to the email address of the user Y2.
  • the processing unit 12 attaches the electronic signature Ya of the user Y2 to the document 20 upon receiving the input of approval using the client device 62 by the user Y2.
  • the document 20 has not been given the electronic signature of the user Y4.
  • the processing unit 12 provides a function to verify, in response to a request from a user belonging to the first organization 50, whether or not the document 20 has been approved through an appropriate approval route in the second organization 60.
  • the processing unit 12 verifies the validity of the electronic signature attached to the document 20. Specifically, the processing unit 12 receives, for example, a verification request from the user X1 from the client device 51 .
  • the verification request may include a designation of the organization whose electronic signature is to be verified. For example, user X1 may specify organization Y as the organization to be verified.
  • the processing unit 12 verifies the electronic signature Ya attached to the document 20 at the time of responding to the verification request using the public keys associated with the users Y2 and Y3 included in the list 30.
  • the processing unit 12 can obtain the public keys of the users Y2 and Y3 from a predetermined server device that stores the public keys of the users belonging to the second organization 60 .
  • suppose the processing unit 12 successfully verifies the electronic signature Ya using the public key of user Y2. That is, suppose the processing unit 12 obtains a hash value by decrypting the electronic signature Ya using the public key of the user Y2, and confirms that this hash value matches the hash value of the difference between the content of the document 20 before processing by the user Y2 and the content of the current document 20. In this case, the processing unit 12 sends evaluation information to the client device 51 as a response to the verification request, indicating that the current document 20 was signed by the appropriate user Y2. Note that the notification of the evaluation information may be sent to the e-mail address of the user X1.
  • the processing unit 12 sends evaluation information indicating that the document 20 was not signed by an appropriate user to the client device 51.
  • the processing unit 12 can verify the validity of the electronic signature attached to the document 20.
  • in the second example, the processing unit 12 verifies the validity of the information of the requested user belonging to the second organization 60, which is given to the document 20 as the requested electronic signature destination.
  • the processing unit 12 receives, for example, a verification request from the user X1 from the client device 51 .
  • the verification request may include the designation of the verification target organization of the requested user.
  • user X1 may specify organization Y as the organization to be verified.
  • the processing unit 12 uses the public key associated with each of the users Y2 and Y3 included in the list 30 to verify the information of the requested user Y4 attached to the document 20 at the time of responding to the verification request.
  • the processing unit 12 acquires the public key of the user Y4 from the aforementioned server device, and verifies the information of the requested user Y4 depending on whether or not the public key of the user Y4 acquired based on the document 20 is included in the public keys of the users Y2 and Y3 included in the list 30.
  • the public key of the requested user Y4 does not match the public keys of any of the users Y2 and Y3. Therefore, the processing unit 12 transmits to the client device 51, as a response to the verification request, evaluation information indicating that the document 20 contains information about the unauthorized requested user Y4.
  • the processing unit 12 determines that the requested user is valid. Then, if no unauthorized request destination user is set in the document 20, the processing unit 12 transmits evaluation information indicating that all the request destination users set in the document 20 are legitimate to the client device 51.
  • the processing unit 12 can verify the validity of the requested user's information added to the document 20 before the electronic signature is added to the document 20 by the requested user.
  • the processing unit 12 may perform either one of the first example and the second example, or may perform both, as verification of document reliability. For example, the processing unit 12 can verify the validity of the electronic signature Ya attached to the document 20 as well as the validity of the information of the requested user Y4 of the electronic signature attached to the document 20.
  • the user X1 notifies the user of the second organization 60 (for example, user Y1) to that effect.
  • the processing unit 12 receives a change request from the user Y1 to change the requested user Y4 of the document 20 to a valid requested user, and changes the illegal requested user Y4 of the document 20 to a valid requested user.
  • Processing unit 12 then continues the workflow of document 20 in second organization 60 .
  • processing unit 12 terminates the workflow for document 20 .
  • registration of a document to which an electronic signature corresponding to a user belonging to a first organization is attached and to which an electronic signature corresponding to a user belonging to a second organization is not attached is detected.
  • a notification regarding the document is sent to a predetermined registered user belonging to the second organization.
  • the list is stored in the storage unit 11 .
  • using the public key associated with the user in charge included in the list, verification is performed of at least one of the electronic signature attached to the document at the time of responding to the verification request and the information of the requested user belonging to the second organization, which is attached to the document as the requested destination of the electronic signature. Then, as a response to the verification request, evaluation information regarding at least one of the signature status of the document and the requested user, according to the result of the verification, is transmitted.
  • the information processing device 10 can verify the reliability of the document 20 .
  • the information processing apparatus 10 can support the approval of the users of each organization across multiple organizations with respect to the document 20 while enabling verification of the reliability of the document 20 .
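
The two checks of the first embodiment (verifying signature Ya against the keys of the users on list 30, and checking that the key of requested user Y4 is among them), as an added Go example that is not code from the patent. Ed25519 signatures stand in for the "hash encrypted with the private key" scheme the text describes; the `Document` layout, the difference encoding in `diffHash`, the key directory map and the fixed key seeds are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Signature is one approval entry in the document's management information.
type Signature struct {
	Before []byte // document content before the signer's processing
	Sig    []byte // signature over the hash of the before/after difference
}

// Document is a constructed stand-in for document 20 (layout is an assumption).
type Document struct {
	Content    []byte
	Signatures []Signature
	Requested  []string // users still requested to sign, in order
}

// diffHash hashes an assumed difference encoding: common-prefix length,
// length of the old tail, then the old and new tails.
func diffHash(before, after []byte) []byte {
	n := 0
	for n < len(before) && n < len(after) && before[n] == after[n] {
		n++
	}
	h := sha256.New()
	fmt.Fprintf(h, "%d:%d:", n, len(before)-n)
	h.Write(before[n:])
	h.Write(after[n:])
	return h.Sum(nil)
}

// Approve records a user's change and signs the hash of the difference.
func Approve(doc *Document, priv ed25519.PrivateKey, newContent []byte) {
	sig := ed25519.Sign(priv, diffHash(doc.Content, newContent))
	doc.Signatures = append(doc.Signatures, Signature{Before: doc.Content, Sig: sig})
	doc.Content = newContent
}

// VerifySignature is the first check: it returns the listed user whose public
// key verifies sig against the current document, or "" if no listed key does.
func VerifySignature(doc *Document, sig Signature, list []string, dir map[string]ed25519.PublicKey) string {
	h := diffHash(sig.Before, doc.Content)
	for _, user := range list {
		if pub, ok := dir[user]; ok && ed25519.Verify(pub, h, sig.Sig) {
			return user
		}
	}
	return ""
}

// UnauthorizedRequested is the second check: it returns every requested user
// whose public key is not among the public keys of the listed users.
func UnauthorizedRequested(doc *Document, list []string, dir map[string]ed25519.PublicKey) []string {
	var bad []string
	for _, user := range doc.Requested {
		pub, known := dir[user]
		allowed := false
		for _, l := range list {
			if lpub, ok := dir[l]; known && ok && bytes.Equal(pub, lpub) {
				allowed = true
			}
		}
		if !allowed {
			bad = append(bad, user)
		}
	}
	return bad
}

// Scenario builds constructed sample data: list 30 names Y2 and Y3, Y2 has
// signed (signature Ya), and Y4 is set as the next requested user.
func Scenario() (*Document, []string, map[string]ed25519.PublicKey) {
	dir := map[string]ed25519.PublicKey{} // stands in for the key server
	keys := map[string]ed25519.PrivateKey{}
	for i, u := range []string{"Y2", "Y3", "Y4"} {
		seed := bytes.Repeat([]byte{byte(i + 1)}, ed25519.SeedSize) // fixed demo seeds
		keys[u] = ed25519.NewKeyFromSeed(seed)
		dir[u] = keys[u].Public().(ed25519.PublicKey)
	}
	doc := &Document{Content: []byte("contract v1"), Requested: []string{"Y4"}}
	Approve(doc, keys["Y2"], []byte("contract v1; approved by Y2"))
	return doc, []string{"Y2", "Y3"}, dir
}

func main() {
	doc, list, dir := Scenario()
	ya := doc.Signatures[0]
	fmt.Println("Ya verified by:", VerifySignature(doc, ya, list, dir))
	fmt.Println("unauthorized requested:", UnauthorizedRequested(doc, list, dir))
	doc.Content = append(doc.Content, " (edited after signing)"...)
	fmt.Println("after edit, Ya verified by:", VerifySignature(doc, ya, list, dir))
}
```

Because the signed hash is recomputed from the stored pre-processing state and the current content, any edit made after Y2's approval makes the first check fail even though Y2 is on the list.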
  • FIG. 2 is a diagram illustrating an example of an information processing system according to the second embodiment.
  • the information processing system of the second embodiment includes a control server 100, client devices 200, 200a, 400, 400a, an organization X server 300, an organization Y server 500, and cloud systems 600, 700.
  • Control server 100 and cloud systems 600 and 700 are connected to network 70.
  • Network 70 is, for example, the Internet.
  • the cloud systems 600 and 700 are information processing systems that provide cloud services via the network 70.
  • the cloud systems 600 and 700 have multiple physical machines and storages, and provide the resources of the physical machines and storages to client computers via the network 70 .
  • cloud services performed by cloud systems 600 and 700 include cloud-based storage services.
  • Cloud systems 600 and 700 may be operated by different providers.
  • Client devices 200 and 200a are client computers owned by organization X.
  • Organization X is, for example, a company.
  • the organization X server 300 is a server computer that organization X has.
  • Client devices 200 and 200a and organization X server 300 are used by users belonging to organization X.
  • Client devices 200, 200a and organization X server 300 are connected to network 80.
  • the network 80 is a LAN (Local Area Network) installed within the organization X.
  • Network 80 is connected to network 70.
  • Users belonging to organization X operate client devices 200 and 200 a to use cloud services provided by cloud system 600 .
  • Client devices 400 and 400a are client computers owned by organization Y.
  • Organization Y is a company different from organization X, for example.
  • the organization Y server 500 is a server computer that organization Y has.
  • Client devices 400 and 400a and organization Y server 500 are used by users belonging to organization Y.
  • Client devices 400 and 400a and organization Y server 500 are connected to network 90.
  • a network 90 is a LAN installed within an organization Y.
  • Network 90 is connected to network 70.
  • Users belonging to organization Y operate client devices 400 and 400 a to use cloud services provided by cloud system 700 .
  • the control server 100 is a server computer that controls the approval workflow (WF: WorkFlow) of electronic documents across multiple organizations using the cloud systems 600 and 700 .
  • An electronic document is simply called a document.
  • An electronic document may be called document data.
  • the control server 100 provides a function to support cross-organizational approval procedures while enabling verification of document reliability.
  • a service that assists in ensuring the reliability of documents is sometimes called TaaS (Trust as a Service).
  • the control server 100 is an example of the information processing device 10 according to the first embodiment.
  • control server 100 and cloud systems 600 and 700 function as web servers.
  • client devices 200, 200a, 400, and 400a function as web browsers.
  • users of the client devices 200, 200a, 400, 400a can operate a web browser to use a GUI (Graphical User Interface) provided by a web server executed by the control server 100 or the cloud systems 600, 700.
  • FIG. 3 is a diagram illustrating an example of hardware of a control server.
  • the control server 100 has a CPU 101 , a RAM 102 , an HDD 103 , a GPU (Graphics Processing Unit) 104 , an input interface 105 , a medium reader 106 and a NIC (Network Interface Card) 107 .
  • the CPU 101 is an example of the processing unit 12 of the first embodiment.
  • the RAM 102 or HDD 103 is an example of the storage section 11 of the first embodiment.
  • the CPU 101 is a processor that executes program instructions.
  • the CPU 101 loads at least part of the programs and data stored in the HDD 103 into the RAM 102 and executes the programs.
  • the CPU 101 may include multiple processor cores.
  • the control server 100 may have a plurality of processors. The processing described below may be performed in parallel using multiple processors or processor cores. Also, a set of multiple processors is sometimes called a "multiprocessor" or simply a "processor".
  • the RAM 102 is a volatile semiconductor memory that temporarily stores programs executed by the CPU 101 and data used by the CPU 101 for calculation.
  • the control server 100 may be provided with a type of memory other than the RAM, and may be provided with a plurality of memories.
  • the HDD 103 is a non-volatile storage device that stores software programs such as an OS (Operating System), middleware, and application software, and data.
  • the control server 100 may include other types of storage devices such as flash memory and SSD (Solid State Drive), or may include multiple non-volatile storage devices.
  • the GPU 104 outputs images to the display 71 connected to the control server 100 according to commands from the CPU 101 .
  • as the display 71, any type of display such as a CRT (Cathode Ray Tube) display, a liquid crystal display (LCD: Liquid Crystal Display), a plasma display, or an organic EL (OEL: Organic Electro-Luminescence) display can be used.
  • the input interface 105 acquires an input signal from the input device 72 connected to the control server 100 and outputs it to the CPU 101 .
  • as the input device 72, a mouse, a touch panel, a touch pad, a pointing device such as a trackball, a keyboard, a remote controller, a button switch, or the like can be used. Also, multiple types of input devices may be connected to the control server 100.
  • the medium reader 106 is a reading device that reads programs and data recorded on the recording medium 73 .
  • as the recording medium 73, for example, a magnetic disk, an optical disk, a magneto-optical disk (MO), a semiconductor memory, or the like can be used.
  • Magnetic disks include flexible disks (FDs) and HDDs.
  • Optical discs include CDs (Compact Discs) and DVDs (Digital Versatile Discs).
  • the medium reader 106 copies, for example, programs and data read from the recording medium 73 to other recording media such as the RAM 102 and the HDD 103.
  • the read program is executed by the CPU 101, for example.
  • the recording medium 73 may be a portable recording medium, and may be used for distribution of programs and data.
  • the recording medium 73 and the HDD 103 may be referred to as a computer-readable recording medium.
  • the NIC 107 is an interface that is connected to the network 70 and communicates with other computers via the network 70 .
  • the NIC 107 is, for example, connected to a communication device such as a switch or router by a cable.
  • NIC 107 may be a wireless communication interface.
  • the client devices 200 , 200 a , 400 , 400 a , the organization X server 300 and the organization Y server 500 are also realized by hardware similar to the control server 100 .
  • Physical machines included in each of the cloud systems 600 and 700 are also realized by hardware similar to the control server 100 .
  • FIG. 4 is a diagram showing an example of the functions of the control server.
  • the control server 100 has a storage unit 110 and a control unit 130 . Storage areas of the RAM 102 and the HDD 103 are used for the storage unit 110 .
  • the control unit 130 is implemented by the CPU 101 executing a program stored in the RAM 102 .
  • the storage unit 110 stores data used by the control unit 130 .
  • Storage unit 110 has organization X approval path information 111 , organization X information 112 , organization Y approval path information 113 , organization Y information 114 , inter-organization approval path information 115 and WF verification information 116 .
  • the organization X approval route information 111 is information that indicates a template for approval routes within organization X according to document attributes.
  • a document attribute is a type of document content such as a contract or an application form.
  • the approval route template is information indicating a plurality of positions of the user who should approve and the order of each position according to the attributes of the document.
  • the organization X information 112 is information indicating the name of the user corresponding to the position of each department within the organization X.
  • the organization Y approval path information 113 is information that indicates a model of an approval path within organization Y according to document attributes.
  • the organization Y information 114 is information indicating the name of the user corresponding to the position of each department within the organization Y.
  • the inter-organizational approval route information 115 is information that indicates the order of organizations that should receive approval for each document.
  • the inter-organization approval path information 115 includes information indicating that a certain document is to be approved by organizations X and Y in this order.
  • the inter-organizational approval route information 115 may include information indicating contact information such as a mailing list of users in charge of managing WFs in the relevant organization.
  • the WF verification information 116 is information used by the control unit 130 to verify the WF set in the document.
  • the WF verification information 116 is a set of public keys of users who are trusted to approve documents in the relevant organization or users who are authorized to approve documents.
  • the storage unit 110 holds cloud service access information for accessing documents stored in the cloud systems 600 and 700.
  • the cloud service access information is cloud service account information for accessing the relevant document.
  • Control unit 130 controls WF across organizations.
  • Control unit 130 has signature frame insertion unit 131 , personal name conversion unit 132 , WF management unit 133 , signature processing unit 134 , notification unit 135 , signature frame updating unit 136 and verification processing unit 137 .
  • the signature frame insertion unit 131 inserts a signature frame into the document.
  • the signature frame is an area where the user who approves the document attaches an image such as a handwritten signature or seal stamp to the document to indicate that the document has been approved by the user himself/herself.
  • the document is data in XML format, for example.
  • the signature frame information is described in the document using the "o:signatureline" tag.
  • the order of the users to whom the approval is requested is specified according to the order in which the signature frames of the document are written.
  • the signature frame inserting unit 131 inserts a template of the approval route in the organization X into the document as a signature frame according to the attribute of the document, for example, based on the organization X approval route information 111 .
  • the signature frame is provided with only information on the position, and not with the user's personal name.
  • the signature frame inserting unit 131 adds a signature frame indicating the next organization Y, that is, an inter-organizational signature frame to the document.
  • the signature frame inserting unit 131 for example, identifies the order of organizations that pass the WF for a given document based on the inter-organizational approval path information 115 .
  • the inter-organizational approval path information 115 is preliminarily entered into the storage unit 110 by the user who drafted the relevant document.
  • the personal name conversion unit 132 assigns, to each post of the approval route template inserted into the document by the signature frame insertion unit 131, the user's personal name and notification destination information such as the user's e-mail address.
  • the personal name conversion unit 132 takes the drafting user who drafted the document as the starting point of the approval path.
  • the personal name conversion unit 132 acquires, for each post of the approval route template, the personal name and contact information of the user holding that post in the department to which the drafting user belongs from the organization X information 112, and adds the personal name and contact information to the signature frame of the document.
  • a signature frame corresponding to each user within a certain organization is called an intra-organizational signature frame.
  • the signature frame insertion unit 131 may accept an input of an approval path including the user's personal name and set an in-house signature frame indicating the approval path in the document. That is, the signature frame insertion unit 131 may set the intra-organizational signature frame in the document without using the personal name conversion unit 132 .
  • the WF management unit 133 manages WFs related to documents.
  • the WF management unit 133 notifies the approval request to the contact information such as the e-mail address of the user who next requests approval, based on the information of the intra-organizational signature frame attached to the document.
  • the signature processing unit 134 adds the user's signature image to the user's intra-organizational signature frame and adds a digital signature to the document.
  • the WF management unit 133 notifies the next approval request destination user of the approval request.
  • the WF management unit 133 starts the next WF of organization Y for that document.
  • the signature frame updating unit 136 sets the approval path of the organization Y to the document.
  • the WF management unit 133 terminates the WF when approval by all users of all organizations is completed.
  • the signature processing unit 134 attaches the signature image of the user who has approved the document to the user's intra-organizational signature frame, and also attaches the user's digital signature to the document.
  • a user's private key used for digital signature is held in the storage unit 110, for example. However, the private key may be held in a client device used by the user or in a predetermined recording medium owned by the user.
  • the notification unit 135 notifies the user who manages the WF of the next organization that the WF has arrived when the approval of all users by the previous organization is completed.
  • the signature frame update unit 136 updates the inter-organization signature frame in the document to the intra-organization signature frame. For example, when the WF of organization Y is started after organization X for a certain document, the signature frame update unit 136 may set the template of the approval path of organization Y in the document based on the organization Y approval path information 113. In this case, the user at the starting point of the approval path in organization Y is specified to the signature frame updating unit 136, so that the personal name conversion unit 132 sets a personal name for each position in the template of the approval path in organization Y. However, the signature frame updating unit 136 may accept the input of the approval path including the personal name of the user of the next organization Y, and set the intra-organization signature frame indicating the approval path in the document.
  • the verification processing unit 137 verifies the legitimacy of each user included in the approval path given to the document. For example, the verification processing unit 137 receives a WF verification request from the client device 200 for a document whose WF has passed to organization Y after organization X. Then, the verification processing unit 137 determines whether or not the public key of each user of organization Y included in the approval path of the document is included among the public keys of the users of organization Y in the WF verification information 116. If the determination is true, the verification processing unit 137 determines that each user of the organization Y included in the document approval path is valid, and responds to the client device 200 to that effect.
  • If the determination is false, the verification processing unit 137 determines that an unauthorized user is included in the approval path of the document, and responds to the client device 200 about the unauthorized user. The verification processing unit 137 also verifies each user's digital signature attached to the document.
  • FIG. 5 is a diagram showing an example of organization X approval route information.
  • the organization X approval path information 111 is pre-stored in the storage unit 110 .
  • the organization X approval path information 111 includes items of document attribute, draft, approval, and decision.
  • Document attributes are registered in the document attributes field.
  • the draft item registers the department and position in the company to which the user who drafts the document belongs.
  • the approval item registers the department and position of the user who approves the document.
  • the decision item registers the department and position of the user who makes the decision on the document.
  • departments may be omitted in the draft, approval and decision items. If the department is omitted, it indicates the same department as the user who requested the control server 100 to start the WF, that is, the drafting user.
  • drafting, approval and decision are examples of multiple procedures involving signatures in WF.
  • the series of procedures of drafting, approval and decision is carried out in this order.
  • Decision represents final approval, and can be considered to be the same procedure as approval.
  • Approval path templates are similarly registered in the organization X approval path information 111 for other document attributes.
  • An approval route template indicated by the organization X approval route information 111 can include two or more sets of departments and positions corresponding to two or more requested users, including the drafter, for a given document attribute.
  • the organization Y approval path information 113 is also implemented by a data structure similar to that of the organization X approval path information 111 .
  • FIG. 6 is a diagram showing an example of organization X information.
  • the organization X information 112 is stored in the storage unit 110 in advance.
  • the organization X information 112 includes items of department, title and name.
  • the name of the department is registered in the department item.
  • the name of a post is registered in the post item.
  • the name of the user is registered in the item of name.
  • the name "name B” is registered for the department “XX department” and the position "manager”. Also, in the organization X information 112, the name "name A” is registered for the department “XX department” and the position "person in charge”.
  • the organization Y information 114 is also realized by a data structure similar to that of the organization X information 112.
  • FIG. 7 is a diagram showing an example of WF control.
  • the control server 100 accepts approval for a document 800 registered by a user of organization X by users belonging to organizations X and Y in turn.
  • the signature frame inserting section 131 acquires the document 800 from the client device 200 .
  • the signature frame insertion unit 131 adds the intra-organizational signature frames 811 and 812 of the organization X to the document 800 based on the organization X approval path information 111 .
  • organization X expects document 800 to be approved by two users.
  • the intra-organizational signature frames 811 and 812 are only registered with positions.
  • the signature frame insertion unit 131 adds an inter-organizational signature frame 813 to the document 800 based on the inter-organizational approval path information 115 .
  • in the inter-organizational approval route information 115, for example, information indicating that the WF for the document 800 is forwarded in the order of organizations X and Y is preset by the user who drafted the document 800, in association with the identification information of the document 800.
  • the signature frame insertion unit 131 stores the document 810 obtained by adding the intra-organization signature frames 811 and 812 and the inter-organization signature frame 813 to the document 800 in the cloud system 600 used by the organization X.
  • the intra-organizational signature frame 811 includes information indicating the position "person in charge”.
  • the intra-organizational signature frame 812 includes information indicating the position "Manager”.
  • In-house signature frames 811 and 812 are described in document 810 in this order. Therefore, the approval path in the organization X is in the order of the user corresponding to the intra-organization signature frame 811 and the user corresponding to the intra-organization signature frame 812 .
  • Inter-organization signature frame 813 includes information indicating organization Y.
  • the personal name conversion unit 132 acquires the document 810 from the cloud system 600 and, based on the organization X information 112, inserts the personal name of the user corresponding to each position into the intra-organizational signature frames. At this time, for example, the personal name conversion unit 132 may insert the user's contact information such as an e-mail address together with the user's personal name. The information of the e-mail address may be registered in the organization X information 112 in advance, or may be input by the user operating the client device 200, for example.
  • the personal name conversion unit 132 generates a document 820 for the document 810 and stores it in the cloud system 600.
  • Document 820 has intra-organizational signature frames 821 and 822 and inter-organizational signature frame 823 .
  • the in-house signature frames 821 and 822 correspond to the in-house signature frames 811 and 812, respectively.
  • the intra-organization signature frame 821 contains the personal name of user A who belongs to organization X.
  • the intra-organization signature box 822 contains the personal name of user B belonging to organization X.
  • the inter-organizational signature frame 823 is the same as the inter-organizational signature frame 813 .
  • the WF management unit 133 starts a WF within the organization X based on the document 820 stored in the cloud system 600. For example, the WF management unit 133 sends an approval request to User A's e-mail address. User A, for example, operates the client device 200 , confirms the content of the document 820 via the control server 100 , and inputs approval for the document 820 . Upon receiving the input of user A's approval, the WF management unit 133 notifies the signature processing unit 134 of user A's approval. The signature processing unit 134 adds the signature image of the user A to the intra-organization signature frame 821 in response to user A's approval.
  • the signature processing unit 134 adds the digital signature of user A to the document 820 in response to user A's approval.
  • the WF management unit 133 notifies the user B's e-mail address of the approval request, and adds the signature image of the user B to the in-house signature frame 822 in response to user B's approval.
  • the signature processing unit 134 adds the digital signature of user B to the document 820 in response to user B's approval.
  • the signature processing unit 134 generates a document 830 for the document 820.
  • Signature processing unit 134 stores document 830 in cloud system 600 .
  • Document 830 has signed signature frames 831 and 832 and inter-organizational signature frame 833 .
  • Signed signature frames 831 and 832 correspond to in-house signature frames 821 and 822, respectively.
  • a signed signature frame 831 is obtained by adding a signature image of user A to the in-house signature frame 821 .
  • a signed signature frame 832 is obtained by adding a signature image of User B to the in-house signature frame 822 .
  • the inter-organizational signature frame 833 is the same as the inter-organizational signature frame 823 .
  • the WF management unit 133 moves the document 830 to the inter-organization shared data storage unit 150 of the control server 100 when it detects that all approvals by users A and B in the organization X have been completed.
  • the inter-organization shared data storage unit 150 is a storage area for holding data shared by the organizations X and Y in the control server 100 .
  • storage areas of the RAM 102 and the HDD 103 are used.
  • When the notification unit 135 detects that the document 830 has been registered in the inter-organization shared data storage unit 150, it notifies, based on the inter-organization signature frame 833 included in the document 830, the mailing list of the users who manage the WF in the organization Y that the WF has arrived.
  • the user corresponding to the e-mail address included in the mailing list registers the organization Y approval route information 113 in the control server 100 in response to the notification.
  • the signature frame updating unit 136 converts the inter-organization signature frame 833 included in the document 830 into the intra-organization signature frames 843 and 844 of the organization Y based on the organization Y approval path information 113 .
  • organization Y expects document 840 to be approved by two users.
  • the signature frame update unit 136 generates a document 840 for the document 830 and stores the document 840 in the cloud system 700 used by organization Y.
  • Document 840 has signed signature frames 841 and 842 and in-house signature frames 843 and 844 .
  • the signed signature frames 841 and 842 are the same as the signed signature frames 831 and 832, respectively.
  • the intra-organizational signature frame 843 includes information indicating the position "person in charge”.
  • the intra-organizational signature frame 844 includes information indicating the post "section manager”.
  • the in-house signature frames 843 and 844 are described in the document 840 in this order. Therefore, the approval path in organization Y is in the order of the user corresponding to the intra-organization signature frame 843 and the user corresponding to the intra-organization signature frame 844.
  • the personal name conversion unit 132 generates document 850 by inserting, based on the organization Y information 114, the personal name of the user corresponding to each position into the intra-organization signature frames 843 and 844.
  • the document 850 has signed signature frames 851 and 852 and in-house signature frames 853 and 854.
  • the signed signature frames 851 and 852 are the same as the signed signature frames 841 and 842, respectively.
  • the intra-organization signature frame 853 includes the personal name of user C belonging to organization Y.
  • the intra-organization signature frame 854 includes the personal name of user D belonging to organization Y.
  • Intra-organizational signature boxes 853 and 854 may contain the e-mail addresses of users C and D, respectively.
  • the WF management unit 133 can execute the WF for approval of the document 850 to the organization Y based on the intra-organization signature frames 853 and 854 of the document 850 in the same way as the organization X.
  • FIG. 8 is a diagram showing a description example of an intra-organizational signature frame in a document.
  • Description C1 is a description example of the in-house signature frame 811 in the document 810 .
  • a description C2 is a description example of an in-house signature frame 821 in the document 820 .
  • Descriptions C1 and C2 are descriptions according to the Signatureline format of Office (registered trademark) Open XML.
  • the set signature line (signature frame) is indicated by the "o:signatureline” tag.
  • the name of the signer (approver) is described using the “o:suggestedsigner” tag.
  • Email addresses are listed using the “o:suggestedsigneremail” tag.
  • Job titles are described using the “o:suggestedsigner2" tag.
  • the user's personal name is already set in the in-house signature frame 821. Therefore, in the description C2, for example, "A” is set to “o:suggestedsigner”, “a@x.jp” is set to “o:suggestedsigneremail”, and “responsible” is set to "o:suggestedsigner2".
  • the internal signature frame corresponding to user A and the internal signature frame corresponding to user B are described in order in document 810 and document 820.
  • the intra-organizational signature frames 812 and 822 are similarly described using the "o:signatureline" tag.
  • FIG. 9 is a diagram showing a description example of an inter-organizational signature frame in a document.
  • Description C3 is a description example of the inter-organizational signature frame 813 in the document 810 .
  • the inter-organization signature frame 813 is also described using the “o:signatureline” tag, similarly to the intra-organization signature frames 811 and 821 .
  • Description C3 is, for example, the case where the prefix is "_org:".
  • “_org:Y” is set to "o:suggestedsigner2".
  • "Y" at the end of "_org:Y” is organization identification information.
  • “o:suggestedsigner” and “o:suggestedsigneremail” are not set. If there are a plurality of organizations to which the document is to be sent next, the signature frame inserting unit 131 adds a description corresponding to the inter-organizational signature frame of each organization to the document in the order in which the document is passed.
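The frame descriptions of FIG. 8 and FIG. 9 can be read back into an ordered approval path as follows. This is an added example, not code from the patent; it assumes the values are carried as attributes of the `o:signatureline` element (as Office Open XML does), and the XML fragment, the address `b@x.jp` and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

O_NS = "urn:schemas-microsoft-com:office:office"
ORG_PREFIX = "_org:"  # prefix used in description C3

# Constructed fragment modelled on document 820: frames 821, 822 and 823.
SAMPLE_DOC_820 = (
    '<doc xmlns:o="urn:schemas-microsoft-com:office:office">'
    '<o:signatureline o:suggestedsigner="A" o:suggestedsigneremail="a@x.jp"'
    ' o:suggestedsigner2="person in charge"/>'
    '<o:signatureline o:suggestedsigner="B" o:suggestedsigneremail="b@x.jp"'
    ' o:suggestedsigner2="manager"/>'
    '<o:signatureline o:suggestedsigner2="_org:Y"/>'
    '</doc>'
)


def _attr(element, name):
    """Return the o:-namespaced attribute, or '' when it is not set."""
    return (element.get(f"{{{O_NS}}}{name}") or "").strip()


def parse_signature_frames(xml_text):
    """Return the signature frames in document order, which is the approval order."""
    # The document crosses an organizational boundary, so treat it as
    # untrusted input and refuse DTDs (entity-expansion tricks).
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DTD not allowed in workflow documents")
    root = ET.fromstring(xml_text)
    frames = []
    for order, el in enumerate(root.iter(f"{{{O_NS}}}signatureline")):
        signer = _attr(el, "suggestedsigner")
        email = _attr(el, "suggestedsigneremail")
        title = _attr(el, "suggestedsigner2")
        if title.startswith(ORG_PREFIX):
            org = title[len(ORG_PREFIX):]
            # An inter-organization frame names only the organization.
            if not org or signer or email:
                raise ValueError(f"malformed inter-organization frame at {order}")
            frames.append({"order": order, "kind": "inter-organization",
                           "organization": org})
        elif signer:
            # Intra-organization frame after personal name conversion.
            frames.append({"order": order, "kind": "intra-organization",
                           "signer": signer, "email": email, "title": title})
        elif title:
            # Template frame: position only, no personal name yet.
            frames.append({"order": order, "kind": "template", "title": title})
        else:
            raise ValueError(f"empty signature frame at {order}")
    return frames


def next_organizations(frames):
    """Organizations the document is still to be passed to, in order."""
    return [f["organization"] for f in frames if f["kind"] == "inter-organization"]


if __name__ == "__main__":
    for frame in parse_signature_frames(SAMPLE_DOC_820):
        print(frame)
```

A frame that carries both a personal name and the `_org:` prefix is rejected rather than guessed at, since it would be ambiguous which approval step it represents.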
  • FIG. 10 is a flowchart showing an example of WF control.
  • S10 The signature frame insertion unit 131 acquires the document 800 created by the user A of the organization X in the cloud system 600.
  • the signature frame insertion unit 131 inserts the approval path of the organization X corresponding to the attributes of the document 800 into the document 800 as the intra-organization signature frames 811 and 812.
  • the signature frame inserting unit 131 identifies the next organization Y according to the document 800 based on the inter-organization approval path information 115, and inserts the inter-organization signature frame 813 corresponding to the organization Y into the document 800.
  • signature frame inserting section 131 generates document 810 from document 800 and stores document 810 in cloud system 600 .
  • the personal name conversion unit 132 converts the post in the approval path of the document 810 into a personal name. That is, the personal name conversion unit 132 adds the personal name and e-mail address of the user A to the intra-organizational signature box 811. Further, the personal name conversion unit 132 identifies the personal name of the user B corresponding to the in-house signature frame 812 from the organization X information 112 based on the department to which the user A belongs, and adds that personal name and e-mail address to the in-house signature frame 812. Thus, the personal name converter 132 generates the document 820 from the document 810 and stores the document 820 in the cloud system 600.
  • the WF management unit 133 advances the WF within the organization X based on the intra-organization signature frames 821 and 822 in the document 820.
  • the signature processing unit 134 adds signature images to the intra-organizational signature frames 821 and 822 according to the input of signatures by the users A and B.
  • the signature processing unit 134 attaches the digital signatures of the users A and B to the document 820 in response to the input of the signatures by the users A and B.
  • Thus, the signature processing unit 134 generates a document 830 from the document 820.
  • the WF management unit 133 moves the document 830 to the inter-organizational shared data storage unit 150 when approval by the users A and B in the organization X is completed.
  • the notification unit 135 notifies a predetermined mailing list of the organization Y that the WF has been sent to the organization Y.
  • the signature frame update unit 136 receives the registration of the approval route for the organization Y by the user of the organization Y, and adds the approval route to the organization Y approval route information 113 .
  • the signature frame updating section 136 converts the inter-organizational signature frame 833 of the organization Y in the document 830 to the intra-organizational signature frames 843 and 844 of the organization Y based on the attributes of the document 840 and the organization Y approval path information 113, thereby inserting the approval path of organization Y into document 830.
  • signature frame updating section 136 generates document 840 from document 830 .
  • the signature frame updating section 136 moves the document 840 to the cloud system 700 used by the organization Y.
  • the personal name conversion unit 132 converts the post in the approval path of the document 840 into a personal name. For example, the personal name conversion unit 132 receives designation of user C, who is the starting point of the approval path in organization Y, from the user of organization Y. Then, the personal name conversion unit 132 adds the personal name and e-mail address of the user C to the intra-organizational signature frame 843. Further, the personal name conversion unit 132 identifies the personal name of user D corresponding to the intra-organization signature frame 844 from the organization Y information 114 based on the department to which user C belongs, and adds that personal name and e-mail address to the intra-organization signature frame 844. Thus, the personal name converter 132 generates the document 850 from the document 840.
  • the WF management unit 133 advances the WF within the organization Y based on the intra-organization signature frames 853 and 854 in the document 850.
  • the signature processing unit 134 adds signature images to the intra-organizational signature frames 853 and 854 according to the input of signatures by users C and D.
  • the signature processing unit 134 adds the digital signatures of the users C and D to the document 850 in response to the input of the signatures by the users C and D.
  • Thus, the WF control ends.
  • the signature frame update unit 136 may receive the input of the approval path including the user's personal name from the user of the organization Y and set the approval path in the document 830 . Therefore, the control server 100 provides a function of performing WF verification in the process of WF control described above. WF verification is a function of verifying the legitimacy of a request destination user included in an approval path set in a document by a user of organization Y, for example.
  • FIG. 11 is a diagram showing an example of WF verification.
  • the signature frame updating unit 136 receives an instruction from the client device 400 to set the intra-organizational signature frames 853 and 854 for the document 830 moved to the inter-organizational shared data storage unit 150 .
  • the user of organization Y can operate the client device 400 to input an instruction to set the intra-organizational signature frames 853 and 854 to the signature frame update unit 136 .
  • the signature frame update unit 136 generates a document 850 by converting the inter-organization signature frame 833 of the document 830 into the intra-organization signature frames 853 and 854 of the organization Y, and stores it in the cloud system 700 .
  • Upon receiving a WF verification request from the client device 200, the verification processing unit 137 verifies the requested user of the organization Y corresponding to the in-house signature frames 853 and 854 of the document 850 based on the WF verification information 116.
  • a user of organization X can operate the client device 200 to input a WF verification request to the verification processing unit 137 .
  • the WF verification information 116 is a set of public keys of multiple users who are allowed to be set in the approval path in the organization Y.
  • the verification processing unit 137 acquires the public keys of the users of the intra-organization signature frames 853 and 854 from the organization Y server 500, and verifies the requested users by determining whether or not the acquired public keys are included in the WF verification information 116.
  • the verification processing unit 137 responds to the client device 200 with a WF verification result indicating whether or not an unauthorized user is included in the approval path of the document 850 .
  • FIG. 12 is a diagram showing an example of acquisition of WF verification information.
  • the verification processing unit 137 obtains from the organization Y server 500 a list of e-mail addresses of a plurality of users permitted to be set in the approval path in the organization Y (step ST10).
  • the e-mail addresses included in the list are, for example, the e-mail addresses included in the mailing list 501 to which the notification unit 135 notifies the organization Y that the WF has arrived.
  • the list includes, for example, User C's e-mail address "c@xxx" and User D's e-mail address "d@xxx".
  • the client device 400 may provide the list of email addresses of the organization Y to the verification processing unit 137 in step ST10. Further, the provision of the list to the control server 100 by the organization Y server 500 or the client device 400 may be performed in response to the notification from the control server 100 that the WF of the relevant document has been sent to the organization Y.
  • the verification processing unit 137 issues a temporary ID (IDentifier) to the acquired e-mail address (step ST11).
  • a temporary ID is temporary identification information corresponding to each e-mail address.
  • the temporary ID may be, for example, a hash value of an e-mail address.
  • The verification processing unit 137 stores the temporary ID list 117, which is a list of issued temporary IDs, in the storage unit 110. Also, the verification processing unit 137 transmits the temporary ID corresponding to each obtained e-mail address to the organization Y server 500.
  • the verification processing unit 137 may discard the acquired e-mail address. By discarding the acquired e-mail address, the verification processing unit 137 does not need to hold the e-mail address of the user of the organization Y.
  • the organization Y server 500 has a public key DB (DataBase) 502.
  • the public key DB 502 stores the user's public key in association with the email address of the organization Y user.
  • the organization Y server 500 associates and manages the public key and the temporary ID in the public key DB 502 .
  • the verification processing unit 137 transmits a public key acquisition request to the organization Y server 500 based on the temporary ID list 117 (step ST12).
  • the public key acquisition request includes a temporary ID corresponding to the e-mail address "c@xxx" and a temporary ID corresponding to the e-mail address "d@xxx”.
  • the organization Y server 500 acquires the user C's public key Kc and the user D's public key Kd from the public key DB 502 based on the temporary ID included in the public key acquisition request, and responds to the control server 100 .
  • the verification processing unit 137 receives the public keys Kc and Kd as a response to the public key acquisition request, and registers the public keys Kc and Kd in the WF verification information 116 of the organization Y (step ST13).
  • the verification processing unit 137 obtains the WF verification information 116.
  • the verification processing unit 137 can obtain the WF verification information 116 without using the user identification information used in the organization Y.
  • Next, an example of acquisition of a public key based on an intra-organizational signature frame in a document by the control server 100 will be described.
  • FIG. 13 is a diagram showing an example of obtaining a public key based on an intra-organizational signature frame.
  • document 850 has signed signature frames 851 and 852 and organization Y's in-house signature frames 853 and 854 .
  • the intra-organizational signature frame 853 includes User C's e-mail address “c@xxx”.
  • In-house signature box 854 includes User D's e-mail address “d@xxx”.
  • the verification processing unit 137 designates the e-mail addresses of the users C and D, and inquires of the organization Y server 500 about the public key (step ST20).
  • In response to the public key inquiry, the organization Y server 500 refers to the public key DB 502 and responds to the control server 100 with user C's public key Kc and user D's public key Kd (step ST21).
  • the verification processing unit 137 acquires the public keys Kc and Kd based on the in-house signature frames 853 and 854 of the document 850 .
  • a document 860 is illustrated as a comparative example.
  • Document 860 has signed signature frames 861 and 862 and organization Y's in-house signature frames 863 and 864 .
  • Signed signature frames 861 and 862 are the same as signed signature frames 851 and 852 .
  • Intra-organizational signature box 863 includes User C's e-mail address “c@xxx”.
  • Intra-organizational signature box 864 includes User E's e-mail address “e@xxx”.
  • the verification processing unit 137 designates the e-mail addresses of the users C and E, and inquires of the organization Y server 500 about the public key (step ST20a).
  • In response to the public key inquiry, the organization Y server 500 refers to the public key DB 502 and responds to the control server 100 with user C's public key Kc and user E's public key Ke (step ST21a).
  • the verification processing unit 137 acquires the public keys Kc and Ke based on the in-house signature frames 863 and 864 of the document 860 .
  • FIG. 14 is a diagram showing an example of the WF verification method.
  • a first example is WF verification for document 850 based on WF verification information 116 .
  • Verification processing unit 137 determines whether public key Kc obtained based on in-house signature frame 853 of document 850 is included in the set of public keys indicated by WF verification information 116 .
  • WF verification information 116 includes public keys Kc and Kd. Therefore, the verification processing unit 137 determines that the user C corresponding to the in-house signature frame 853 is valid.
  • the verification processing unit 137 also determines whether the public key Kd obtained based on the intra-organizational signature frame 854 of the document 850 is included in the set of public keys indicated by the WF verification information 116 . Public key Kd is included in WF verification information 116 . Therefore, the verification processing unit 137 determines that the user D corresponding to the in-house signature frame 854 is valid.
  • the verification processing unit 137 determines that the approval path set in the document 850 is valid. In this case, the correct WF is being executed for document 850 in organization Y.
  • a second example is WF verification for document 860 based on WF verification information 116 .
  • Verification processing unit 137 determines whether public key Kc obtained based on in-house signature frame 863 of document 860 is included in the set of public keys indicated by WF verification information 116 .
  • Public key Kc is included in WF verification information 116 . Therefore, the verification processing unit 137 determines that the user C corresponding to the in-house signature frame 853 is valid.
  • the verification processing unit 137 also determines whether the public key Ke acquired based on the intra-organizational signature frame 864 of the document 860 is included in the set of public keys indicated by the WF verification information 116 . Public key Ke is not included in WF verification information 116 . Therefore, the verification processing unit 137 determines that the user E corresponding to the in-house signature frame 864 is unauthorized.
  • the verification processing unit 137 determines that the approval route set for the document 860 is incorrect. In this case, an illegal WF is being executed on the document 860 in the organization Y.
  • the verification processing unit 137 can use, for example, a Bloom filter to determine whether a certain public key is included in the set of public keys indicated by the WF verification information 116.
  • FIG. 15 is a flowchart showing an example of WF verification.
  • the verification processing unit 137 receives the document WF verification request.
  • the user of the organization X can operate the client device 200 to input to the control server 100 a WF verification request specifying the WF verification target document 850 .
  • Based on the WF verification information 116 of organization Y, the verification processing unit 137 verifies the WF set in the document, that is, the validity of each user included in the approval path. As illustrated in FIG. 14, the verification processing unit 137 verifies the legitimacy of each requested user according to whether the public key of that user, acquired based on the intra-organizational signature frame of the document, is included in the set of public keys indicated by the WF verification information 116.
  • step S31 the verification processing unit 137 determines whether or not all users included in the WF of the relevant document are valid. If all users are valid, the process proceeds to step S33. If an unauthorized user is included, the process proceeds to step S34.
  • the verification processing unit 137 replies that the WF of the document in question, that is, all users set in the approval path are valid. Then the WF verification ends.
  • the verification processing unit 137 responds with the WF of the document, that is, the information of the user illegally set in the approval path. Then the WF verification ends.
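  • The check of FIG. 14 and the flow of FIG. 15, as an added Python example that is not part of the patent text: the public keys behind the e-mail addresses in the signature frames are tested against a Bloom filter standing in for the WF verification information 116. The key bytes, the filter parameters and every function name are constructed for illustration. A Bloom filter never misses a registered key but can wrongly accept an unregistered one, so the example also exposes the false-positive rate behind a "valid" verdict.

```python
import hashlib
import math


class BloomFilter:
    """Bloom filter whose k bit positions come from SHA-256 with a one-byte index prefix."""

    def __init__(self, m_bits=1 << 16, k=4):
        self.m, self.k, self.count = m_bits, k, 0
        self.bits = bytearray(m_bits // 8)

    def _positions(self, item):
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)
        self.count += 1

    def __contains__(self, item):
        return all((self.bits[pos // 8] >> (pos % 8)) & 1 for pos in self._positions(item))

    def false_positive_rate(self):
        """Standard estimate (1 - e^(-k*n/m))^k for n inserted items."""
        return (1 - math.exp(-self.k * self.count / self.m)) ** self.k


# Constructed stand-in for the public key DB 502 on the organization Y server 500.
PUBLIC_KEY_DB = {
    "c@xxx": b"constructed-public-key-Kc",
    "d@xxx": b"constructed-public-key-Kd",
    "e@xxx": b"constructed-public-key-Ke",
}


def build_wf_verification_info(approver_keys):
    """Assumed shape of the WF verification information: a filter over the approvers' keys."""
    wf_info = BloomFilter()
    for key in approver_keys:
        wf_info.add(key)
    return wf_info


def verify_wf(frame_addresses, wf_info, key_db=PUBLIC_KEY_DB):
    """Return the verdict for an approval path given the addresses in its signature frames."""
    unauthorized = []
    for address in frame_addresses:
        key = key_db.get(address)  # steps ST20/ST21: inquiry by e-mail address
        # An address with no registered key is treated as unauthorized (fail closed).
        if key is None or key not in wf_info:
            unauthorized.append(address)
    return {"valid": not unauthorized, "unauthorized": unauthorized}


# WF verification information 116 holds Kc and Kd, as in the first example of FIG. 14.
WF_INFO_116 = build_wf_verification_info(
    [PUBLIC_KEY_DB["c@xxx"], PUBLIC_KEY_DB["d@xxx"]]
)
DOCUMENT_850_FRAMES = ["c@xxx", "d@xxx"]  # frames 853 and 854
DOCUMENT_860_FRAMES = ["c@xxx", "e@xxx"]  # frames 863 and 864

if __name__ == "__main__":
    print("document 850:", verify_wf(DOCUMENT_850_FRAMES, WF_INFO_116))
    print("document 860:", verify_wf(DOCUMENT_860_FRAMES, WF_INFO_116))
    print("false-positive rate:", WF_INFO_116.false_positive_rate())
```

An "unauthorized" result from the filter is exact; a "valid" result is only as strong as the false-positive rate, so the filter size has to be chosen for the number of registered keys.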
  • The control server 100 can verify the legitimacy of the requested user even before the digital signature of the requested user in the organization Y is attached to the documents 850, 860, and the like. For example, even if the control server 100 does not permit the use of the organization Y approval path information 113 in processing for the user of organization X, the control server 100 can, in response to a verification request from the user of organization X, verify the legitimacy of the requested user in organization Y using the key.
  • The control server 100 can also verify the digital signatures already attached to the documents 850, 860, and the like. Therefore, the addition of a digital signature by the control server 100 will now be described.
  • FIG. 16 is a diagram showing an example of signature processing.
  • FIG. 16 shows an example in which the digital signatures of users A and B of organization X are attached to a document 820 in order.
  • a document 820 has a text R1 and document format information R2.
  • Text R1 is the text of document 820 and includes in-house signature frames 821 and 822 .
  • the document format information R2 is information indicating the format of the document 820.
  • the signature processing unit 134 adds a digital signature to the extension area of the document format information R2.
  • the WF management unit 133 requests user A to approve the document 820 .
  • Signature processing unit 134 processes document 820 in accordance with the user's approval of document 820 to generate document 820a (step ST30). Specifically, the signature processing unit 134 adds the signature image of the user A to the intra-organization signature frame 821 in response to user A's approval of the document 820. Further, the signature processing unit 134 attaches the digital signature of user A to the document 820 in response to user A's approval. The signature processing unit 134 stores the document 820a to which user A's digital signature has been added in the cloud system 600.
  • the document 820a has a text R1a and document format information R2a.
  • the text R1a has a signed signature frame 821a and an in-house signature frame 822a.
  • the signed signature frame 821a is obtained by adding a signature image of user A to user A's intra-organizational signature frame.
  • The intra-organization signature frame 822a is the same as the intra-organization signature frame 822.
  • User A's digital signature is added to the extension area of the document format information R2a as follows.
  • the signature processing unit 134 creates difference information diff1.
  • the difference information diff1 indicates the difference between the contents of the text R1 at the time of the approval request to the user A and the contents of the text R1a immediately after the approval by the user A is performed.
  • the signature processing unit 134 saves the content of the text R1 at the time of the approval request as data "previous.audit" in the extended area of the document format information R2a.
  • The signature processing unit 134 adds the hash value H(diff1) of the difference information diff1 and the value Sig(H(diff1)), obtained by encrypting the hash value H(diff1) with the secret key of the user A, to the extension area of the document format information R2a.
  • Sig(H(diff1)) corresponds to user A's digital signature.
  • data in which H(diff1) and Sig(H(diff1)) are put together is described as "1.audit".
  • the WF management unit 133 requests User B to approve the document 820a.
  • the signature processing unit 134 processes the document 820a and generates the document 830 according to the user's approval of the document 820a (step ST31). Specifically, the signature processing unit 134 adds the signature image of the user B to the in-house signature frame 822a in response to user B's approval of the document 820a. Further, the signature processing unit 134 attaches the user B's digital signature to the document 820a in response to user B's approval. The signature processing unit 134 stores the document 830 to which User B's digital signature has been added in the cloud system 600 .
  • the document 830 has a text R1b and document format information R2b.
  • Text R1b has a signed signature frame 831 and a signed signature frame 832 as described above.
  • the signed signature frame 831 is the same as the signed signature frame 821a.
  • the signed signature frame 832 is obtained by adding a signature image of user B to user B's in-house signature frame 822a.
  • User B's digital signature is added to the extension area of the document format information R2b as follows.
  • the signature processing unit 134 creates difference information diff2.
  • the difference information diff2 indicates the difference between the contents of the text R1a at the time of the approval request to the user B and the contents of the text R1b immediately after the approval by the user B is performed.
  • the signature processing unit 134 adds the contents of the text R1a at the time of the approval request to the data "previous.audit" in the extended area of the document format information R2b and saves it. In this way, "previous.audit" holds the update history of text R1b.
  • The signature processing unit 134 adds the hash value H(diff2) of the difference information diff2 and the value Sig(H(diff2)), obtained by encrypting the hash value H(diff2) with the secret key of the user B, to the extension area of the document format information R2b.
  • Sig(H(diff2)) corresponds to user B's digital signature.
  • the document 830 is in a state where the digital signatures of users A and B are added.
  • the signature processing unit 134 similarly adds the digital signature of the user of the organization Y to the document when the WF for the document is transferred to the organization Y.
  • When verifying a digital signature, for example, the verification processing unit 137 obtains the hash value H(diff2) by decrypting Sig(H(diff2)) with user B's public key.
  • The WF verification information of the organization X, including the public key of the user B, is available to the verification processing unit 137 from the organization X server 300 having the public key DB of the organization X, in the same manner as the acquisition of the public key of the user of the organization Y illustrated above.
  • The verification processing unit 137 acquires the difference between the texts R1a and R1b based on the data "previous.audit" in the document 830 and obtains its hash value. If the hash value matches the hash value H(diff2), the verification processing unit 137 determines that the verification of the user B's digital signature is successful. On the other hand, if Sig(H(diff2)) cannot be decrypted with user B's public key, or if it can be decrypted but the hash value of the difference between texts R1a and R1b does not match hash value H(diff2), digital signature verification fails.
  • The verification processing unit 137 also verifies the digital signature of the user A on the document 830 by determining whether the hash value of the difference between the texts R1 and R1a based on the data "previous.audit" matches the hash value H(diff1). At this time, the verification processing unit 137 obtains the hash value H(diff1) by decrypting Sig(H(diff1)) with user A's public key.
  • The verification processing unit 137 determines whether or not the digital signature has been successfully verified with any of the public keys included in the WF verification information of organization X. If the verification processing unit 137 succeeds in verifying the digital signature with any of the public keys included in the WF verification information of the organization X, it determines that the digital signature was signed by an appropriate user of the organization X and that the document is genuine. If the verification of the digital signature does not succeed with any of the public keys included in the WF verification information of organization X, the verification processing unit 137 determines that the digital signature was signed by an unauthorized user and that the document is not authentic. The verification processing unit 137 also verifies the organization Y's digital signature using the organization Y's WF verification information 116 in the same way.
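  • The signing of FIG. 16 and the verification described above, as an added Python example that is not part of the patent text: each approval appends H(diff) and Sig(H(diff)) to the audit data, and verification recomputes each diff from "previous.audit" and accepts a signature only if one of the organization's public keys opens it. Sig here is textbook RSA over fixed Mersenne primes, which matches the "encrypt the hash with the secret key" wording but is not secure; the keys, the sample texts and all function names are constructed.

```python
import difflib
import hashlib

E = 65537  # public exponent shared by the constructed keys


def make_keypair(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


# Constructed toy keys built from Mersenne primes: trivially factorable, illustration only.
PUB_A, PRIV_A = make_keypair(2**127 - 1, 2**521 - 1)
PUB_B, PRIV_B = make_keypair(2**607 - 1, 2**1279 - 1)
PUB_E, PRIV_E = make_keypair(2**2203 - 1, 2**2281 - 1)  # user outside the approval path

# Constructed texts R1, R1a and R1b; the bracketed lines stand for signature frames.
R1 = "Contract body\n[frame 821: user A]\n[frame 822: user B]"
R1A = R1.replace("[frame 821: user A]", "[frame 821: signed by user A]")
R1B = R1A.replace("[frame 822: user B]", "[frame 822: signed by user B]")


def diff_hash(old_text, new_text):
    """H(diff): SHA-256 over the unified diff between two versions of the text."""
    diff = "\n".join(
        difflib.unified_diff(old_text.splitlines(), new_text.splitlines(), lineterm="")
    )
    return hashlib.sha256(diff.encode()).hexdigest()


def new_document(text):
    # "previous" models previous.audit; "audits" models 1.audit, 2.audit, ...
    return {"text": text, "previous": [], "audits": []}


def approve(doc, approved_text, private_key):
    """Record the pre-approval text, then append H(diff) and Sig(H(diff))."""
    n, d = private_key
    h = diff_hash(doc["text"], approved_text)
    doc["previous"].append(doc["text"])
    doc["audits"].append({"hash": h, "sig": pow(int(h, 16), d, n)})
    doc["text"] = approved_text


def verify(doc, org_public_keys):
    """Return a list of (audit number, reason); an empty list means the document is genuine."""
    versions = doc["previous"] + [doc["text"]]
    if len(versions) != len(doc["audits"]) + 1:
        return [(0, "history and audit entries do not line up")]
    failures = []
    for i, entry in enumerate(doc["audits"], start=1):
        signed = int(entry["hash"], 16)
        # "Decrypt" Sig with each public key of the organization; any match identifies a valid signer.
        if not any(pow(entry["sig"], e, n) == signed for n, e in org_public_keys):
            failures.append((i, "unauthorized signer"))
        elif diff_hash(versions[i - 1], versions[i]) != entry["hash"]:
            failures.append((i, "content altered"))
    return failures


def signed_document_830():
    """Document 820 approved by user A and then user B, giving document 830."""
    doc = new_document(R1)
    approve(doc, R1A, PRIV_A)
    approve(doc, R1B, PRIV_B)
    return doc


if __name__ == "__main__":
    print(verify(signed_document_830(), [PUB_A, PUB_B]))
```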
  • FIG. 17 is a flow chart showing an example of signature verification.
  • the verification processing unit 137 receives a verification request for the user's digital signature attached to the document.
  • the user of organization X can operate the client device 200 to input to the control server 100 a request to verify the digital signature of the user of organization Y on the document to which the user of organization Y has attached the digital signature.
  • the verification processing unit 137 verifies each user's digital signature attached to the document.
  • the verification processing unit 137 verifies the digital signature by the method described in FIG. 16, for example.
  • the verification processing unit 137 can acquire the public key used to verify the digital signature of the user of the organization Y in the same way as the WF verification information 116 is acquired.
  • the verification processing unit 137 determines whether verification of all digital signatures attached to the document has been successful. If all digital signatures have been successfully verified, the process proceeds to step S43. If verification of at least one of the digital signatures fails, the process proceeds to step S44.
  • the digital signature to be verified may be only the digital signature of the user of the organization specified by the user (for example, organization Y).
  • the verification processing unit 137 responds that the relevant document is authentic. Then the signature verification ends.
  • The verification processing unit 137 responds that the document is not genuine and that the document has been falsified by a third party. Then the signature verification ends. Note that, for example, if the verification of the digital signature given by the organization Y does not succeed with any public key in the WF verification information 116, the above third party may include users who belong to the organization Y but have not previously been formally recognized by organization Y as targets of approval requests by the WF.
  • The control server 100 can also verify the reliability of the document by verifying the digital signature attached to the document. In this way, the control server 100 can verify the reliability of WF target documents across organizations.
  • information processing apparatus 10 can support the approval work of users in each organization over a plurality of organizations while enabling the verification of the reliability of the document.
  • control server 100 can dynamically add and update WFs to documents, and implement a service (TaaS) that guarantees data authenticity with digital signatures.
  • the control server 100 can dynamically update the WF for the document. Therefore, by making it possible to verify the legitimacy of a WF based on a document in response to a request from a user other than the WF setter, it is possible to support appropriate approval work by users belonging to different organizations.
  • control server 100 controls the WF appropriately across organizations, thereby making it possible to connect the approval work of each user in each organization as a series of operations by multiple organizations.
  • control server 100 can expand the application range of TaaS not only within one organization but also to multiple organizations.
  • a first modification is an example in which the control server 100 moves the document 830 from the cloud system 600 to the cloud system 700 .
  • FIG. 18 is a diagram showing an example of document movement.
  • the control unit 130 may further have a data moving unit 138 in addition to the functions illustrated in FIG.
  • the storage unit 110 also stores cloud service access information 118 .
  • the cloud service access information 118 holds account information for accessing cloud services available to organization Y in the cloud system 700 .
  • The cloud service access information 118 holds, for the identification information of the organization to which the document is sent, the URL (Uniform Resource Locator) of the cloud service and the ID and password (PW: PassWord) information for accessing the cloud service.
  • the cloud service access information 118 may also include the address of the mailing list to which the notification unit 135 notifies the relevant organization.
  • the cloud service access information 118 may also include information on the organization X account for accessing the cloud system 600 .
  • the data migration unit 138 moves the document 830 from the cloud system 600 to the cloud system 700.
  • The notification unit 135 notifies a predetermined user of organization Y that WF has been sent to organization Y.
  • the data mover 138 acquires the document 830 from the cloud system 600 and moves the document 830 to the cloud system 700 .
  • the data mover 138 obtains the URL of the cloud service corresponding to the organization Y and the ID and password for accessing the cloud service based on the cloud service access information 118 .
  • the data mover 138 accesses the cloud service and stores the document 830 in the storage on the cloud system 700 provided by the cloud service.
  • the signature frame update unit 136 updates the document 830 on the cloud system 700 to the document 850 by adding, for example, the approval path information received from the client device 400 to the document 830 . Then, the WF management unit 133 starts the WF in the organization Y based on the document 850.
  • FIG. 19 is a flowchart showing a first modified example of WF control.
  • the signature processing unit 134 sequentially attaches the digital signatures of the users A and B to the document 820 stored in the cloud system 600 according to the approval path of the organization X. As a result, signature processing unit 134 generates document 830 and stores it in cloud system 600 .
  • the notification unit 135 notifies the organization Y's mailing list that the WF has been sent to the organization Y.
  • The data mover 138 moves the document 830 from the cloud system 600 used by the organization X to the cloud system 700 used by the organization Y based on the cloud service access information 118.
  • the signature frame updating unit 136 accepts registration of the organization Y's approval path by the user of the organization Y for the document 830.
  • (S54) The signature frame update unit 136 converts the inter-organizational signature frame 833 of the organization Y in the document 830 into intra-organizational signature frames 853 and 854 to generate the document 850 and store it in the cloud system 700.
  • the signature frame update unit 136 may generate the document 840, and the personal name conversion unit 132 may generate the document 850 based on the document 840.
  • the WF management unit 133 advances the WF according to the approval route set in the document 850.
  • The signature processing unit 134 sequentially adds digital signatures to the document 850 in accordance with the approval of the users C and D of the organization Y. Then, the WF control ends.
  • The control server 100 may move the document 830 that has been approved by the organization X from the cloud system 600 to the cloud system 700 without storing it in the inter-organizational shared data storage unit 150 of the control server 100.
  • the control server 100 can accommodate users who do not want to deposit the document 830 with the control server 100 .
  • FIG. 20 is a diagram showing an example of document encryption.
  • the control unit 130 may further have a data moving unit 138, an encryption unit 139 and a decryption unit 140 in addition to the functions illustrated in FIG.
  • the storage unit 110 further stores key information 119 .
  • the storage unit 110 also stores cloud service access information 118 used by the data migration unit 138 .
  • The encryption unit 139 encrypts the document 830 that has been approved by the organization X to generate a document 830a and stores it in the cloud system 600.
  • a key used to encrypt the document 830 is stored in the key information 119 in advance.
  • the key used to encrypt document 830 is the public key corresponding to organization Y, for example. Since the document 830a is data obtained by encrypting the document 830, it may be called encrypted data.
  • the notification unit 135 When the document 830a is stored in the cloud system 600, the notification unit 135 notifies the user of the organization Y that WF has arrived.
  • The data mover 138 moves the document 830a instead of the document 830 from the cloud system 600 to the cloud system 700.
  • the decryption unit 140 decrypts the encrypted document 830a into the document 830 and stores it in the cloud system 700 when accepting the registration of the approval path for the document 830 by the user of the organization Y using the client device 400.
  • a key used for decryption is stored in advance in the key information 119 .
  • the key used for decryption is a private key corresponding to organization Y, for example.
  • The signature frame update unit 136 updates the document 830 on the cloud system 700 to the document 850 by adding the approval path information received from the client device 400 to the document 830 obtained by the decryption unit 140. Then, the WF management unit 133 starts the WF in the organization Y based on the document 850.
  • FIG. 21 is a flowchart showing a second modified example of WF control.
  • the control server 100 executes step S50a after step S50, and executes step S53a after step S53. Therefore, steps S50a and S53a will be mainly described here, and description of other steps will be omitted.
  • the encryption unit 139 generates an encrypted document 830a by encrypting the document 830 with the organization Y's public key, and stores it in the cloud system 600. Then, the process proceeds to step S51.
  • step S52 instead of the document 830, the data transfer unit 138 transfers the encrypted document 830a from the cloud system 600 to the cloud system 700 as described above.
  • the decryption unit 140 decrypts the encrypted document 830a moved to the cloud system 700 with the private key of the organization Y to generate the document 830 and store it in the cloud system 700. Then, the process proceeds to step S54.
  • control server 100 sets the document to be moved from the cloud system 600 to the cloud system 700 not as the document 830 but as the encrypted document 830a.
  • When the document 830 is sent by the user to a system used by an organization other than the organizations X and Y, the document 830 can be used by an organization unrelated to the WF.
  • a user of organization X may use client device 200 to download document 830 from cloud system 600 and send it to a system used by an organization other than organizations X and Y.
  • the control server 100 holds an encryption key for each document destination organization.
  • The control server 100 encrypts the document with, for example, the public key of the destination organization specified by the WF, and decrypts the document with the private key of the destination organization when updating the WF of the destination organization.
  • the control server 100 can force the organization to use the data in line with the WF, and prevent unauthorized acquisition of the contents of the document 830 .
  • a second modification is an example in which the control server 100 performs WF control in cooperation with the WF management tools of the organizations X and Y, respectively.
  • the WF management tool is a function that executes WF within the relevant organization.
  • FIG. 22 is a diagram showing an example of cooperation with the WF management tools of each organization.
  • organization X server 300 may have organization X approval path storage 310 and WF management tool 320 .
  • the organization X approval path storage unit 310 stores information on approval paths in organization X according to document attributes.
  • the WF management tool 320 refers to the organization X approval path storage unit 310 to acquire the organization X approval path for the WF target document and provides it to the control server 100 . In addition, the WF management tool 320 accepts the approval of the user of the organization X and notifies the control server 100 of the approval by the user.
  • the organization Y server 500 may have an organization Y approval path storage unit 510 and a WF management tool 520.
  • the organization Y approval path storage unit 510 stores information on the approval path in organization Y according to document attributes.
  • the WF management tool 520 refers to the organization Y approval path storage unit 510 to acquire the organization Y approval path for the WF target document and provides it to the control server 100 . Also, the WF management tool 520 accepts the approval of the user of the organization Y, and notifies the control server 100 that the user has given approval.
  • control unit 130 may further have cooperation units 141 and 142 in addition to the functions illustrated in FIG.
  • the cooperation unit 141 cooperates with the WF management tool 320 to support the processing of the signature frame insertion unit 131 and the signature processing unit 134 for documents stored in the cloud system 600 .
  • the cooperation unit 142 cooperates with the WF management tool 520 to support the processing of the signature frame update unit 136 .
  • the control server 100 cooperates with the WF management tools 320 and 520 as follows.
  • the user of the organization X uses the client device 200 to register the document 800 that is the WF target across the organizations X and Y in the cloud system 600 .
  • the signature frame inserting unit 131 acquires the approval path of the organization X for the document 800 from the WF management tool 320 via the cooperation unit 141 .
  • the approval path for organization X includes users A and B.
  • The signature frame inserting unit 131 generates a document 820 by setting, in the document 800, an intra-organizational signature frame indicating the approval path of the organization X and an inter-organizational signature frame indicating the next organization Y, and stores the document 820 in the cloud system 600.
  • the cooperation unit 141 notifies the WF management tool 320 that the document 820 has been stored in the cloud system 600 .
  • WF management tool 320 starts WF in organization X for document 820 .
  • the WF management tool 320 sequentially receives the approval of the users A and B of the organization X for the document 820, and notifies the control server 100 of the acceptance of approval by the users A and B.
  • When the signature processing unit 134 is notified via the cooperation unit 141 that the approval by the users A and B has been accepted, it adds the signature image of the corresponding user to the intra-organization signature frame of the document 820 and attaches the digital signature of that user to the document 820.
  • the signature processing unit 134 moves the document 830 to which the digital signatures of users A and B are added to the inter-organizational shared data storage unit 150 . Then, the notification unit 135 notifies the user of the organization Y that the WF has arrived. The user of organization Y operates the client device 400 to specify the approval path in organization Y for the document 830 to the WF management tool 520 .
  • the signature frame updating unit 136 acquires the approval path of the organization Y for the document 830 from the WF management tool 520 via the cooperation unit 142 . Assume that the approval path for organization Y includes users C and D.
  • the signature frame update unit 136 generates a document 850 by updating the inter-organization signature frame in the document 830 to an intra-organization signature frame indicating the approval path of the organization Y, and stores it in the cloud system 700 .
  • the WF management tool 520 starts the WF in organization Y for the document 850.
  • the control server 100 cooperates with the WF management tool 520 to sequentially attach the digital signatures of the users C and D to the document 850 according to the approval of the users C and D of the organization Y.
  • FIG. 23 is a flowchart showing a third modified example of WF control.
  • the cooperation unit 141 detects that the document 800 has been saved in the cloud system 600 by the user A of the organization X, and notifies the signature frame insertion unit 131 of the detection.
  • The signature frame insertion unit 131 acquires the approval path of the organization X from the WF management tool 320 of the organization X via the cooperation unit 141, and inserts it into the document 800. Also, the signature frame inserting unit 131 inserts the inter-organizational signature frame indicating the next organization Y into the document 800. As a result, document 800 is updated to document 820. In step S61, the signature frame inserting unit 131 may insert the template of the signature frame of the organization X into the document 800 to generate the document 810, and the personal name conversion unit 132 may generate the document 820 from the document 810. Then, the WF within the organization X is started by the WF management tool 320 for the document 820.
  • the signature processing unit 134 receives, via the cooperating unit 141, a notification that the user A has been approved for the approval request to the user A by the WF management tool 320 of the organization X. Then, the signature processing unit 134 adds User A's digital signature to the document 820 . As a result, the document 820 is updated to the aforementioned document 820a.
  • the signature processing unit 134 notifies the WF management tool 320 of the organization X via the cooperation unit 141 that the user A's digital signature has been completed.
  • the signature processing unit 134 receives, via the coordinating unit 141, a notification that the user B has been approved for the approval request to the user B by the WF management tool 320 of the organization X. Then, the signature processing unit 134 adds User B's digital signature to the document 820a. As a result, the document 820a is updated to the document 830.
  • the signature processing unit 134 notifies the WF management tool 320 of the organization X via the cooperation unit 141 that the user B's digital signature has been completed. As a result, the WF within the organization X by the WF management tool 320 is terminated.
  • the signature frame updating unit 136 acquires the approval path of the organization Y for the document 830 from the WF management tool 520 of the organization Y via the cooperation unit 142.
  • the signature frame updating unit 136 inserts the approval path of organization Y into the document 830 by converting the inter-organization signature frame of the document 830 into an intra-organization signature frame indicating the approval path of organization Y.
  • FIG. The document 830 is thereby updated to the document 850 .
  • the WF within the organization Y by the WF management tool 520 is started for the document 850 .
  • the approval path for organization Y may be set in document 850 by signature frame update unit 136 and personal name conversion unit 132, as in step S61.
  • the signature processing unit 134 receives, via the cooperation unit 142, a notification that the user of the organization Y has approved the request for approval by the WF management tool 520 of the organization Y to the user. Then, the signature processing unit 134 attaches the digital signature of the user to the document 850 . After that, the control server 100 advances the WF of the organization Y in cooperation with the WF management tool 520 . When the document 850 is given the digital signatures of all the users requested by the organization Y, the WF within the organization Y by the WF management tool 520 ends, and the WF control of the control server 100 also ends.
  • control server 100 can also cooperate with the WF management tools possessed by each organization.
  • control server 100 can flexibly use the WF of cross-organizational documents by each organization.
  • each organization can use existing WF management tools to reduce the burden associated with the introduction of WF for cross-organizational documents.
  • A fourth modification is an example in which the control server 100 converts a plurality of signed signature frames for each user in the document 830 into signed signature frames for each organization. In this case, the control server 100 also converts multiple digital signatures for each user into digital signatures for each organization.
  • FIG. 24 is a diagram showing an example of signature conversion.
  • The control unit 130 may further have a signature conversion unit 143 and a document relationship management unit 144 in addition to the functions illustrated in FIG.
  • The signature conversion unit 143 converts the signed signature frames 831 and 832 of users A and B in the document 830 into a signed signature frame 831b in units of organization X.
  • The signed signature frame 831b is, for example, a signature frame to which an image of the seal of organization X, such as the company seal, is attached.
  • The signed signature frame 831b, like the signed signature frames 831 and 832, is described in the document using, for example, the "o:signatureline" tag.
  • The signature conversion unit 143 converts the digital signatures of users A and B attached to the document 830 into the digital signature of organization X.
  • The signature conversion unit 143 may use an e-seal, for example, as the digital signature in units of an organization.
  • The signature conversion unit 143 updates the document 830 to the document 830b.
  • Organization X's digital signature is also retained in the document 830b by the method illustrated in FIG. 16, like a user's personal digital signature.
  • The signature conversion unit 143 leaves the document 830 before signature conversion on the cloud system 600, and adds pointer information 835b indicating the document 830 to the document 830b. That is, the document 830b has a signed signature frame 831b, an inter-organizational signature frame 833b and pointer information 835b.
  • The inter-organization signature frame 833b is the same as the inter-organization signature frame 833.
  • The pointer information 835b is the ID of the document 830.
  • The document relationship management unit 144 records, in the storage unit 110, the document correspondence information 120 indicating the correspondence between the ID of the document 830 and the storage location of the document 830 in the cloud system 600.
  • The signature conversion unit 143 moves the document 830b after signature conversion to the inter-organizational shared data storage unit 150. Then, the notification unit 135 notifies the user of organization Y that the WF has been sent to organization Y.
  • The signature frame update unit 136 receives the setting of the approval route for organization Y by the user of organization Y, and sets the approval route for organization Y in the document 830b. As a result, the document 830b is updated to the document 850a.
  • The signature frame update unit 136 stores the document 850a in the cloud system 700.
  • The document 850a has a signed signature frame 851a, intra-organization signature frames 853a and 854a, and pointer information 855a.
  • The signed signature frame 851a is the same as the signed signature frame 831b.
  • The intra-organization signature frames 853a and 854a are the same as the intra-organization signature frames 853 and 854, respectively.
  • The pointer information 855a is the same as the pointer information 835b.
  • The control server 100 may convert the digital signature for each user of organization X into a digital signature in units of organization X when organization X completes approval.
  • The verification processing unit 137 can verify the digital signature of organization X based on the document 850a, for example. This makes it possible to verify that the content of document 850a is approved by organization X.
  • The verification processing unit 137 can also identify the document 830 based on the pointer information 855a and the document correspondence information 120 and verify the digital signatures of users A and B attached to the document 830.
  • FIG. 25 is a flowchart showing a fourth modified example of WF control.
  • The signature conversion unit 143 detects that the signature processing of each user of organization X for the document 830 has been completed.
  • The signature conversion unit 143 may detect from the notification from the signature processing unit 134 that the signature processing of each user of organization X for the document 830 has been completed.
  • The signature conversion unit 143 requests the verification processing unit 137 to verify organization X's WF.
  • The verification processing unit 137 performs WF verification of organization X based on the document 830 and returns the WF verification result to the signature conversion unit 143.
  • The verification processing unit 137 performs WF verification on organization X according to the procedure of FIG.
  • The signature conversion unit 143 determines whether or not all users on the approval path of organization X are valid based on the result of organization X's WF verification. If all users on the approval path of organization X are valid, the process proceeds to step S73. If there is an unauthorized user in the approval path of organization X, the process proceeds to step S72.
  • The signature conversion unit 143 stops signature processing. Then, the WF control ends. In this case, the signature conversion unit 143 notifies a predetermined user of organization X that the WF cannot be continued for the document 830 because an unauthorized user is included in the approval path of organization X.
  • The signature conversion unit 143 updates the document 830 to the document 830b by deleting the personal signatures of organization X in the document 830, that is, the digital signatures of users A and B, and inserting the signature of organization X. At this time, the signature conversion unit 143 leaves the document 830 on the cloud system 600. The signature conversion unit 143 also deletes the signed signature frames 831 and 832 for each user and updates them to the signed signature frame 831b for each organization.
  • The signature conversion unit 143 moves the document 830b after signature conversion to the cloud system 600 used by organization X.
  • The signature conversion unit 143 sets the pointer information 835b corresponding to the ID of the document 830 before signature conversion in the document 830b after signature conversion.
  • The document relationship management unit 144 stores in the storage unit 110 the document correspondence information 120 indicating the storage destination information of the document 830 on the cloud system 600 corresponding to the pointer information 835b.
  • The signature conversion unit 143 moves the document 830b to the inter-organizational shared data storage unit 150.
  • The notification unit 135 notifies the user of organization Y that the WF has arrived.
  • The signature frame update unit 136 receives the approval path of organization Y for the document 830b from the user of organization Y, and converts the inter-organization signature frame 833b into organization Y's intra-organization signature frames 853a and 854a. As a result, document 830b is updated to document 850a.
  • The signature frame update unit 136 stores the document 850a in the cloud system 700.
  • The signature frame update unit 136 may generate a document containing a template of the approval route of organization Y based on the document 830b, and the personal name conversion unit 132 may generate the document 850a based on that document. Then, the WF management unit 133 starts the WF in organization Y. When the approval by users C and D of organization Y and the addition of their digital signatures to document 850a are complete, WF control ends.
  • FIG. 26 is a flowchart showing an example of signature verification in the fourth modification.
  • The verification processing unit 137 receives a personal name verification request for the signed document 850a of organization X from the user of organization Y.
  • A user of organization Y can operate the client device 400 to input the personal name verification request to the control server 100.
  • The verification processing unit 137 refers to the document correspondence information 120 based on the ID indicated by the pointer information 855a recorded in the document 850a, and identifies the document 830 before signature conversion. The verification processing unit 137 accesses the document 830 in the cloud system 600.
  • The verification processing unit 137 verifies the digital signatures on the document 830 before signature conversion, that is, the digital signatures of users A and B of organization X, and acquires the approval history in organization X.
  • The verification processing unit 137 responds with the approval history of the entire document, including the approval history of organization X and the approval history of organization Y. For example, the digital signatures of user C and user D of organization Y may also have been added to document 850a. In this case, the verification processing unit 137 also verifies the digital signatures of the users of organization Y, acquires the approval history of organization Y, and responds to the client device 400 with that approval history combined with the approval history of organization X. If, for example, the verification of the digital signature of any user fails, the verification processing unit 137 notifies the user who requested verification that the document 850a has been modified by an unauthorized user. Then the signature verification ends.
  • The control server 100 converts the per-user signed signature frames 831 and 832 of organization X and the per-user digital signatures on the document 830 into the signed signature frame 831b in units of organization X and the digital signature in units of organization X, respectively.
  • The body of the document 830b does not include the personal names of the users who performed the approval in organization X. Therefore, when the user of organization Y views the body of the document 850a generated from the document 830b, the personal names of the users who gave approval in organization X can be kept anonymous.
  • The control server 100 can appropriately verify the digital signatures of the users who gave approval in organization X by making it possible to identify the document 830 before signature conversion based on the pointer information 855a included in the document 850a.
  • The control server 100 executes, for example, the following processes.
  • The control server 100 detects registration of a document to which an electronic signature corresponding to a user belonging to the first organization is attached and to which an electronic signature corresponding to a user belonging to the second organization is not attached.
  • The control server 100 detects the registration of the document.
  • When the control server 100 receives the list including the users in charge belonging to the second organization in response to the notification, the control server 100 stores the list in the storage unit 110.
  • The control server 100 accepts verification requests from users belonging to the first organization.
  • The control server 100 uses the public key associated with the user in charge included in the list to verify at least one of the electronic signature attached to the document at the time of responding to the verification request and the information of the requested user belonging to the second organization, which is attached to the document as the request destination of the electronic signature.
  • The control server 100 transmits, as a response to the verification request, evaluation information regarding at least one of the signature status of the document according to the verification result and the requested user.
  • The control server 100 can perform document verification in response to a verification request from another organization. This enables verification of the authenticity of the document.
  • Organization X is an example of a first organization.
  • Organization Y is an example of a second organization.
  • The mailing list 501 is an example of the above list. As illustrated in the second embodiment, the control server 100 may convert the mailing list 501 into the temporary ID list 117 and hold it.
  • The control server 100 acquires the information of the requested user of the electronic signature on the document in the second organization in response to the notification to the registered user belonging to the second organization, and sets the information of the requested user in the document.
  • The control server 100 can suspend the setting of the approval path in the second organization, for example, at the time of starting the WF in the first organization. Therefore, the control server 100 can flexibly set approval paths for documents in the second organization.
  • The control server 100 sets the information of the requested user in the document as information of a signature frame to which the signature image of the requested user is added upon the requested user's approval of the document, that is, as information of the intra-organization signature frame.
  • The control server 100 can identify the next approval-requested user based on the signature frame information in the document, and can request approval from the next approval-requested user.
  • The signature image may be a handwritten signature image of the relevant requested user, or may be an image of the seal stamp of the relevant requested user.
  • The control server 100 acquires the first public key corresponding to the information on the requested user included in the document. Then, the control server 100 determines whether or not the requested user in the document is valid, depending on whether or not the first public key is included in the public keys associated with the users in charge included in the list.
  • The control server 100 can appropriately verify the legitimacy of the requested user based on the public key, which is open information disclosed to each user.
  • The public key included in the WF verification information 116 is an example of a public key associated with the users in charge included in the list.
  • The user's public key obtained based on the information of the intra-organization signature frame in the document is an example of the first public key.
  • When detecting registration of the document, the control server 100 detects that the document has been registered in the first cloud service used by the first organization. Then, the control server 100 registers the document registered in the first cloud service with the second cloud service based on the access information for the second cloud service used by the second organization.
  • The control server 100 can flexibly deal with users who do not want to entrust their documents to the control server 100.
  • The cloud service provided by the cloud system 600 is an example of a first cloud service.
  • The cloud service provided by the cloud system 700 is an example of a second cloud service.
  • The control server 100 may encrypt the document registered in the first cloud service using the common key corresponding to the second organization or the public key corresponding to the second organization, and register the encrypted document with the second cloud service. Then, the control server 100 may decrypt the encrypted document registered in the second cloud service using the common key or the private key corresponding to the second organization.
  • The control server 100 can prevent unauthorized acquisition of the contents of the document.
  • The encryption may be performed using a common key cryptosystem or a public key cryptosystem.
  • It is conceivable that the information on the TaaS-related service provided to organization X by the control server 100 and the information on the TaaS-related service provided to organization Y are not shared between the two services.
  • The control server 100 uses public key cryptography to encrypt the document.
  • When the control server 100 is notified from the first information processing device of the first organization that the document has been approved by the user of the first organization, the control server 100 may add the electronic signature of the user of the first organization to the document. Further, when the control server 100 is notified from the second information processing device of the second organization that the document has been approved by the user of the second organization, the control server 100 may add the electronic signature of the user of the second organization to the document.
  • The control server 100 can add an electronic signature to a document in cooperation with the first information processing device and the second information processing device.
  • The control server 100 can make effective use of the existing assets of each organization and make it easier for each organization to start using the functions of the control server 100.
  • The organization X server 300 is an example of a first information processing device.
  • The organization Y server 500 is an example of a second information processing device.
  • The control server 100 may generate a document after signature conversion by converting the electronic signature of the user belonging to the first organization, which is attached to the document, into an electronic signature of the first organization.
  • The control server 100 adds identification information indicating the document before signature conversion to the document after signature conversion.
  • When the control server 100 receives a request to verify the electronic signature of a user belonging to the first organization for the document after signature conversion, the control server 100 acquires the document before signature conversion based on the identification information. Then, the control server 100 verifies the electronic signature of the user who belongs to the first organization, which is attached to the document before signature conversion.
  • The control server 100 can, for example, allow the user of the second organization to verify that the document to be approved is the document approved by the first organization. Also, the control server 100 can remove the information of the users of the first organization from the documents referenced in the second organization. Further, the control server 100 can appropriately verify the electronic signature of the user of the first organization attached to the document before signature conversion by tracing the document before signature conversion from the document after signature conversion.
  • Each of the documents 830b and 850a is an example of a document after signature conversion.
  • The document 830 is an example of a document before signature conversion.
  • Each of the pointer information 835b and 855a is an example of identification information indicating the document before signature conversion, which is added to the document after signature conversion.
  • The control server 100 provides the following functions.
  • Of the intra-organizational WF, which indicates the signature order within an organization, and the inter-organizational WF, which indicates the order of data delivery between organizations, the control server 100 predetermines the inter-organizational WF. It is possible to proceed with WF while dynamically deciding when signing with .
  • The control server 100 makes it possible to verify the correctness of the intra-organizational WF determined by each organization based on the WF verification information indicating the users who can be set in the intra-organizational WF.
  • The control server 100 may provide an area accessible by the control server 100 on the cloud service used by each organization.
  • The control server 100 moves data directly between cloud services based on the cloud service access information held by the control server 100, which makes it possible not to save the data on the control server 100.
  • The control server 100 may also manage pairs of encryption and decryption keys corresponding to each organization.
  • The control server 100 can move the data after encrypting it with an encryption key corresponding to the next organization set in the inter-organization WF, so that only the next organization can decrypt the data. As a result, the security of the data to be moved can be enhanced.
  • The information processing of the first embodiment can be realized by causing the processing unit 12 to execute a program.
  • The information processing according to the second embodiment can be realized by causing the CPU 101 to execute a program.
  • The program can be recorded on a computer-readable recording medium 73.
  • The program can be distributed by distributing the recording medium 73 on which the program is recorded.
  • The program may be stored in another computer and distributed via a network.
  • The computer may, for example, store (install) a program recorded on the recording medium 73 or a program received from another computer in a storage device such as the RAM 102 or HDD 103, read the program from the storage device, and execute it.
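
The signature conversion of the fourth modification and the pointer-based verification of FIG. 26, sketched as an added example (not code from the patent). Ed25519 via Node's `crypto` module, the document shape, the storage maps and all function names are assumptions, as are the choices that a per-user signature covers only the document body and that the organization signature covers the body together with the pointer.

```javascript
// Added illustration of the fourth modification; not code from the patent.
// Ed25519, the document shape, the maps and all function names are assumptions.
const crypto = require('node:crypto');

const newKey = () => crypto.generateKeyPairSync('ed25519');
// Constructed sample keys: users A and B of organization X, organization X's
// own key (stand-in for an e-seal), and a user who is not on the approval path.
const keys = { userA: newKey(), userB: newKey(), orgX: newKey(), outsider: newKey() };

// Stand-in for the WF verification information: public keys of the users
// who may appear on organization X's approval path.
const approvalPathKeys = new Map([
  ['userA', keys.userA.publicKey],
  ['userB', keys.userB.publicKey],
]);

const cloudStoreX = new Map();            // storage location -> document
const documentCorrespondence = new Map(); // document ID -> storage location

// Assumption: a per-user signature covers the document body only.
function signBody(doc, signer, privateKey) {
  const value = crypto.sign(null, Buffer.from(doc.body), privateKey);
  doc.signatures.push({ signer, value: value.toString('base64') });
}

// Verify each per-user signature with the key registered for its signer.
function checkUserSignatures(doc) {
  return doc.signatures.map(({ signer, value }) => {
    const publicKey = approvalPathKeys.get(signer);
    const valid = publicKey !== undefined && crypto.verify(
      null, Buffer.from(doc.body), publicKey, Buffer.from(value, 'base64'));
    return { signer, onApprovalPath: publicKey !== undefined, valid };
  });
}

// Assumption: the organization signature binds body and pointer together,
// so a redirected pointer is detected.
const orgPayload = (doc) => Buffer.from(JSON.stringify([doc.body, doc.pointer]));

// Signature conversion: stop if any signer fails; otherwise keep the original
// in organization X's store, record where it is, and emit a copy that carries
// only the organization signature and a pointer (the original's ID).
function convertSignatures(doc, orgName, orgPrivateKey) {
  const results = checkUserSignatures(doc);
  if (results.length === 0 || !results.every((r) => r.valid)) {
    throw new Error(`conversion stopped for ${doc.id}: invalid signer`);
  }
  const location = `cloud-x/${doc.id}`;
  cloudStoreX.set(location, doc);
  documentCorrespondence.set(doc.id, location);
  const converted = { id: `${doc.id}b`, body: doc.body, pointer: doc.id, signatures: [] };
  converted.orgSignature = {
    signer: orgName,
    value: crypto.sign(null, orgPayload(converted), orgPrivateKey).toString('base64'),
  };
  return converted;
}

// Verification: check the organization signature, then follow the pointer to
// the pre-conversion document and verify the per-user signatures kept there.
function verifyConverted(doc, orgPublicKey) {
  const orgSignatureValid = crypto.verify(
    null, orgPayload(doc), orgPublicKey, Buffer.from(doc.orgSignature.value, 'base64'));
  const location = documentCorrespondence.get(doc.pointer);
  const original = location === undefined ? undefined : cloudStoreX.get(location);
  if (original === undefined) {
    return { orgSignatureValid, bodyMatches: false, approvalHistory: [] };
  }
  return {
    orgSignatureValid,
    bodyMatches: original.body === doc.body,
    approvalHistory: checkUserSignatures(original),
  };
}

function demo() {
  const doc830 = { id: 'doc-830', body: 'Contract text (constructed sample)', signatures: [] };
  signBody(doc830, 'userA', keys.userA.privateKey);
  signBody(doc830, 'userB', keys.userB.privateKey);
  const converted = convertSignatures(doc830, 'orgX', keys.orgX.privateKey);
  const report = verifyConverted(converted, keys.orgX.publicKey);
  // Pointer changed after conversion: the organization signature no longer verifies.
  const redirected = verifyConverted({ ...converted, pointer: 'doc-999' }, keys.orgX.publicKey);
  // A signer outside the approval path stops the conversion.
  const rogue = { id: 'doc-900', body: 'Draft (constructed sample)', signatures: [] };
  signBody(rogue, 'userA', keys.userA.privateKey);
  signBody(rogue, 'outsider', keys.outsider.privateKey);
  let stopped = false;
  try {
    convertSignatures(rogue, 'orgX', keys.orgX.privateKey);
  } catch (err) {
    stopped = true;
  }
  return { converted, report, redirected, stopped };
}

console.log(JSON.stringify(demo().report, null, 2));
```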

Abstract

The present invention makes it possible to verify the reliability of a document. When a processing unit (12) detects the registration of a document to which an electronic signature corresponding to a user belonging to a first organization (50) is attached and an electronic signature corresponding to a user belonging to a second organization (60) is not attached, the processing unit (12) transmits a notification pertaining to the document to a registered user belonging to the second organization (60). The processing unit (12), in accordance with the notification, receives a list (30) including a user in charge who belongs to the second organization (60) and stores the list (30) in a storage unit (11). When the processing unit (12) receives a verification request from a user belonging to the first organization (50), the processing unit (12) uses a public key corresponding to the user in charge in the list (30) to verify at least one of the electronic signature, which has been attached to the document at the point in time corresponding to the verification request, and information about a user who is a request receiver for an electronic signature and belongs to the second organization (60). The processing unit (12) responds with evaluation information pertaining to at least one of the status of signatures on the document corresponding to the verification result and a user who is a request receiver therefor.

Description

VERIFICATION METHOD, VERIFICATION PROGRAM AND INFORMATION PROCESSING DEVICE
The present invention relates to a verification method, a verification program, and an information processing device.
A workflow system may be used to support procedures carried out by multiple users. A workflow system supports approval procedures by multiple users in an organization by requesting users to approve computerized documents and the like according to a predetermined approval route and accepting the users' approval.
For example, there is a proposal for a system that identifies and notifies the people within a company whose approval is needed, and obtains their approval, for instance when one employee in the company requests the purchase of a particular item and another employee needs to approve the purchase.
U.S. Patent Application Publication No. 2012/0072445
Here, document approval procedures may be carried out across multiple organizations such as companies. When a document approval procedure spans multiple organizations, ensuring the reliability of the document requires that, in each organization, the document be approved by users included in a proper approval route. The problem is therefore how to provide a mechanism that uses information processing technology to support document approval procedures between organizations while making it possible to verify the reliability of digitized documents.
In one aspect, the present invention aims to enable verification of document reliability.
In one aspect, a verification method is provided. In this verification method, a computer, upon detecting registration of a document to which an electronic signature corresponding to a user belonging to a first organization is attached and to which no electronic signature corresponding to a user belonging to a second organization is attached, transmits a notification regarding the document to a predetermined registered user belonging to the second organization; upon receiving, in response to the notification, a list including users in charge belonging to the second organization, stores the list in a storage unit; upon accepting a verification request from a user belonging to the first organization, uses the public keys associated with the users in charge included in the list to verify at least one of the electronic signature attached to the document at the time of the verification request and the information, attached to the document as the request destination of the electronic signature, of a requested user belonging to the second organization; and transmits, as a response to the verification request, evaluation information regarding at least one of the signature status of the document according to the verification result and the requested user.
Also, in one aspect, a verification program is provided. Also, in one aspect, an information processing apparatus having a storage unit and a processing unit is provided.
In one aspect, verification of document reliability is made possible.
The above and other objects, features and advantages of the present invention will become apparent from the following description taken in conjunction with the accompanying drawings, which represent preferred embodiments as examples of the invention.
FIG. 1 is a diagram illustrating an information processing apparatus according to a first embodiment.
FIG. 2 is a diagram showing an example of an information processing system according to a second embodiment.
FIG. 3 is a diagram showing a hardware example of a control server.
FIG. 4 is a diagram showing an example of functions of the control server.
FIG. 5 is a diagram showing an example of organization X approval route information.
FIG. 6 is a diagram showing an example of organization X information.
FIG. 7 is a diagram showing an example of WF control.
FIG. 8 is a diagram showing a description example of an intra-organizational signature frame in a document.
FIG. 9 is a diagram showing a description example of an inter-organizational signature frame in a document.
FIG. 10 is a flowchart showing an example of WF control.
FIG. 11 is a diagram showing an example of WF verification.
FIG. 12 is a diagram showing an example of acquisition of WF verification information.
FIG. 13 is a diagram showing an example of obtaining a public key based on an intra-organizational signature frame.
FIG. 14 is a diagram showing an example of a WF verification method.
FIG. 15 is a flowchart showing an example of WF verification.
FIG. 16 is a diagram showing an example of signature processing.
FIG. 17 is a flowchart showing an example of signature verification.
FIG. 18 is a diagram showing an example of document movement.
FIG. 19 is a flowchart showing a first modified example of WF control.
FIG. 20 is a diagram showing an example of document encryption.
FIG. 21 is a flowchart showing a second modified example of WF control.
FIG. 22 is a diagram showing an example of cooperation with the WF management tools of each organization.
FIG. 23 is a flowchart showing a third modified example of WF control.
FIG. 24 is a diagram showing an example of signature conversion.
FIG. 25 is a flowchart showing a fourth modified example of WF control.
FIG. 26 is a flowchart showing an example of signature verification in the fourth modified example.
Hereinafter, this embodiment will be described with reference to the drawings.
[First embodiment]
A first embodiment will be described.
FIG. 1 is a diagram illustrating an information processing apparatus according to the first embodiment.
The information processing apparatus 10 supports approval, by users of each organization, of a digitized document 20 that spans a plurality of organizations. For example, the plurality of organizations include a first organization 50 and a second organization 60. The name of the first organization is organization X. The name of the second organization is organization Y. The number of organizations may be three or more.
The first organization 50 has client devices 51, 52, .... The client device 51 is used by user X1. The client device 52 is used by user X2. Users X1 and X2 belong to the first organization 50. Users other than users X1 and X2 also belong to the first organization 50.
The second organization 60 has client devices 61, 62, .... The client device 61 is used by user Y1. The client device 62 is used by user Y2. Users Y1 and Y2 belong to the second organization 60. Users other than users Y1 and Y2 also belong to the second organization 60.
The information processing device 10 and the client devices 51, 52, 61, 62 are connected to the network 40. The network 40 is, for example, the Internet or a WAN (Wide Area Network).
The information processing device 10 has a storage unit 11 and a processing unit 12. The storage unit 11 may be a volatile storage device such as a RAM (Random Access Memory), or a non-volatile storage device such as an HDD (Hard Disk Drive) or flash memory. The processing unit 12 may include a CPU (Central Processing Unit), DSP (Digital Signal Processor), ASIC (Application Specific Integrated Circuit), FPGA (Field Programmable Gate Array), and the like. The processing unit 12 may be a processor that executes programs. A "processor" may include a set of multiple processors (a multiprocessor).
The document 20 is an electronic document. The document 20 is subject to approval by users belonging to the first organization 50 and users belonging to the second organization 60. An example of the document 20 is a contract. The contract indicates, for example, the content of an agreement concluded between the first organization 50 and the second organization 60.
The document 20 is stored in the storage unit 11. The document 20 may be stored in a device different from the information processing device 10. For example, the document 20 may be stored in another information processing device connected to the network 40.
Here, assume that the approval route for the document 20 is the first organization 50 first and then the second organization 60. This approval route is set in the document 20 itself. The processing unit 12 forwards the workflow according to the approval route information attached to the document 20. The processing unit 12 sets, in the document 20, the information on the specific users to whom approval is requested within an organization at the stage when the workflow reaches that organization. For example, while approval by users in the first organization 50 is being accepted according to the approval route within the first organization 50, the document 20 does not yet contain information on the specific users to whom approval will be requested within the second organization 60. Instead, at this stage, information indicating that the next forwarding destination of the workflow is the second organization 60 is set in the document 20. As a result, the approval route for the document 20 within each organization can be decided flexibly when the workflow arrives at that organization.
Note that when the document 20 is data in XML (Extensible Markup Language) format, for example, the approval route information can be set by the order in which the signature frames of the users for the document 20 are written using the "o:signatureline" tag. A signature frame is a frame provided in the document 20 for attaching an image, such as a handwritten signature or seal, of the user who gave the approval.
The processing unit 12 may also acquire approval route information that indicates the users to whom approval is requested and that is predetermined in each organization for the attributes of a document, and set that approval route information in the document 20. Alternatively, the processing unit 12 may accept, from a user of the organization concerned, input of approval route information indicating the users to whom approval is requested in that organization, and set that approval route information in the document 20.
An electronic signature of each user is attached to the document 20 in response to that user's approval. An electronic signature may also be called a digital signature. For example, the document 20 has management information 21. The management information 21 includes information indicating the users to whom approval of the document 20 is requested and the order in which each user is asked. The management information 21 may also include contact information such as the e-mail addresses of the users to whom approval is requested. Furthermore, the management information 21 includes the electronic signatures of the users who have given approval. An electronic signature is, for example, data obtained by encrypting, with the user's private key, a hash value of the difference data between the document 20 before and after processing by that user. Information indicating the state of the document 20 before processing by the user is held in the document 20 in association with that user's electronic signature. Since the electronic signature of a requested user is attached to the document 20 upon that user's approval, the user to whom approval is requested can also be said to be the user to whom an electronic signature is requested.
Here, in the example of the document 20, users X1 and X2 are set in the document 20, in this order, as the users to whom approval is requested within the first organization 50. As described above, while approval within the first organization 50 is in progress, information on the users to whom approval is requested within the second organization 60 is not set in the document 20. Instead, information indicating that the next organization is the second organization 60 is set in the document 20.
The information processing device 10 supports approval of the document 20 by users across organizations, while enabling verification of the reliability of the document 20, as follows.
First, the processing unit 12 notifies user X1 of an approval request for the document 20. For example, the processing unit 12 sends an approval request message for the document 20 to the e-mail address of user X1. Upon accepting an approval input made by user X1 using the client device 51, the processing unit 12 attaches the electronic signature Xa of user X1 to the document 20.
Next, the processing unit 12 notifies user X2 of an approval request for the document 20. For example, the processing unit 12 sends an approval request message for the document 20 to the e-mail address of user X2. Upon accepting an approval input made by user X2 using the client device 52, the processing unit 12 attaches the electronic signature Xb of user X2 to the document 20.
When the approvals by users X1 and X2 are complete, the processing unit 12 detects that approval in the first organization 50 is complete. The processing unit 12 then notifies the users in charge of workflow management in the second organization 60 that the workflow of the document 20 has arrived. For example, the processing unit 12 may send this notification to the e-mail address or mailing list, held in advance in the storage unit 11, of the users in charge of workflow management in the second organization 60. The users in charge of workflow management in the second organization 60 are assumed to include user Y1.
In response to the notification, the processing unit 12 receives from the client device 61 a list 30, entered for example by user Y1, of users who are trusted in the second organization 60 as approval request destinations or who have approval authority, and stores it in the storage unit 11. However, the processing unit 12 may receive the list 30 from the client device 61 in advance and store it in the storage unit 11. For example, assume that the list 30 indicates users Y2 and Y3. User Y3 is a user belonging to the second organization 60.
Furthermore, the processing unit 12 accepts an approval route in the second organization 60, entered for example by another user of organization Y, and sets it in the document 20. In the example of the document 20, users Y2 and Y4 are set in the document 20, in this order, as the users to whom approval is requested within the second organization 60. User Y4 is a user belonging to the second organization 60. For example, the information of user Y4 set in the document 20 as an approval request destination may be information that user Y1 originally set as that of user Y3 and that another user then altered to that of user Y4.
The processing unit 12 then notifies user Y2 of an approval request for the document 20. For example, the processing unit 12 sends an approval request message for the document 20 to the e-mail address of user Y2. Upon accepting an approval input made by user Y2 using the client device 62, the processing unit 12 attaches the electronic signature Ya of user Y2 to the document 20. At this stage, the electronic signature of user Y4 has not been attached to the document 20.
Here, the processing unit 12 provides a function that, in response to a request from a user belonging to the first organization 50, verifies whether the document 20 will be approved, or has been approved, through an appropriate approval route in the second organization 60.
In the first example, the processing unit 12 verifies the validity of the electronic signature attached to the document 20. Specifically, the processing unit 12 accepts a verification request, for example from user X1, from the client device 51. The verification request may include a designation of the organization whose electronic signatures are to be verified. For example, user X1 may designate organization Y as the organization to be verified. The processing unit 12 then uses the public keys associated with users Y2 and Y3 included in the list 30 to verify the electronic signature Ya that is attached to the document 20 at the time of responding to the verification request. The processing unit 12 can obtain the public keys of users Y2 and Y3 from a predetermined server device that stores the public keys of the users belonging to the second organization 60.
In this example, assume that the processing unit 12 succeeds in verifying the electronic signature Ya with the public key of user Y2. That is, the processing unit 12 decrypts the electronic signature Ya with the public key of user Y2 to obtain a hash value, and confirms that this hash value matches the hash value of the difference between the content of the document 20 before processing by user Y2 and the current content of the document 20. In this case, the processing unit 12 transmits to the client device 51, as a response to the verification request, evaluation information indicating that the current document 20 has been signed by the appropriate user Y2. The evaluation information may instead be sent to the e-mail address of user X1.
On the other hand, if verification of the electronic signature Ya fails with the public keys of the users included in the list 30, the processing unit 12 transmits to the client device 51 evaluation information indicating that the document 20 has not been signed by an appropriate user.
In this way, the processing unit 12 can verify the validity of the electronic signature attached to the document 20.
In the second example, the processing unit 12 verifies the validity of the information on a requested user belonging to the second organization 60 that is attached to the document 20 as an electronic signature request destination. Specifically, the processing unit 12 accepts a verification request, for example from user X1, from the client device 51. The verification request may include a designation of the organization whose requested users are to be verified. For example, user X1 may designate organization Y as the organization to be verified. The processing unit 12 then uses the public keys associated with users Y2 and Y3 included in the list 30 to verify the information of the requested user Y4 that is attached to the document 20 at the time of responding to the verification request.
Here, the processing unit 12 obtains the public key of user Y4 from the aforementioned server device, and verifies the information of the requested user Y4 according to whether the public key of user Y4, obtained on the basis of the document 20, is included among the public keys of users Y2 and Y3 in the list 30. In this example, the public key of the requested user Y4 matches neither the public key of user Y2 nor that of user Y3. The processing unit 12 therefore transmits to the client device 51, as a response to the verification request, evaluation information indicating that information on an unauthorized requested user Y4 is set in the document 20.
On the other hand, if the public key of a requested user matches any of the public keys of the users included in the list 30, the processing unit 12 determines that the requested user is legitimate. If no unauthorized requested user is set in the document 20, the processing unit 12 transmits to the client device 51 evaluation information indicating that all requested users set in the document 20 are legitimate.
In this way, the processing unit 12 can verify the validity of the requested user's information attached to the document 20 at a stage before that requested user's electronic signature is attached to the document 20.
Note that, as verification of the reliability of the document, the processing unit 12 may perform either one of the first and second examples above, or both. For example, the processing unit 12 can verify the validity of the electronic signature Ya attached to the document 20 together with the validity of the information on the requested user Y4 attached to the document 20 as an electronic signature request destination.
Thus, when an unauthorized requested user Y4 is set in the document 20, user X1 notifies a user of the second organization 60 (for example, user Y1) to that effect. For example, the processing unit 12 accepts a change request from user Y1 to change the requested user Y4 of the document 20 to a legitimate requested user, and changes the unauthorized requested user Y4 of the document 20 to a legitimate requested user. The processing unit 12 then continues the workflow of the document 20 in the second organization 60. Finally, when electronic signatures have been attached to the document 20 by all legitimate users, the processing unit 12 ends the workflow for the document 20.
As described above, according to the information processing device 10, registration of a document to which an electronic signature corresponding to a user belonging to the first organization has been attached, and to which no electronic signature corresponding to a user belonging to the second organization has been attached, is detected. A notification regarding the document is sent to a predetermined registered user belonging to the second organization. When a list including responsible users belonging to the second organization is received in response to the notification, the list is stored in the storage unit 11. When a verification request from a user belonging to the first organization is accepted, the public keys associated with the responsible users included in the list are used to verify at least one of the electronic signature attached to the document at the time of responding to the verification request and the information on a requested user belonging to the second organization that is attached to the document as an electronic signature request destination. Then, evaluation information regarding at least one of the signature status of the document and the requested user, according to the result of the verification, is transmitted as a response to the verification request.
As a result, the information processing device 10 makes it possible to verify the reliability of the document 20. In addition, while enabling verification of the reliability of the document 20, the information processing device 10 can support approval of the document 20 by the users of each organization across a plurality of organizations.
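The two checks of the first embodiment (signature Ya against the public keys of list 30, and requested user Y4 against list 30) are sketched below as an added Python example that is not code from the patent. The key directory standing in for the server device, the record fields and the diff-based "difference data" are assumptions, and unpadded textbook RSA over fixed primes stands in for a real signature scheme only so that the "hash encrypted with the private key" description can be followed with the standard library.

```python
import difflib
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by the toy keys (assumption)

def make_key(p, q):
    """Toy RSA key pair from two known primes: returns (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def diff_digest(before, after, n):
    """Hash of the difference data between two document states, reduced mod n."""
    delta = "\n".join(difflib.unified_diff(
        before.splitlines(), after.splitlines(), lineterm=""))
    return int.from_bytes(hashlib.sha256(delta.encode()).digest(), "big") % n

def sign(before, after, private):
    """'Encrypt' the hash of the difference data with the private key."""
    n, d = private
    return pow(diff_digest(before, after, n), d, n)

def verify(value, before, after, public):
    """'Decrypt' with the public key and compare with the recomputed hash."""
    n, e = public
    return 0 <= value < n and pow(value, e, n) == diff_digest(before, after, n)

@dataclass
class SignatureRecord:
    label: str   # e.g. "Ya"
    before: str  # document state before the signer's processing
    value: int   # the electronic signature itself

@dataclass
class Document:
    content: str      # current content of the document
    signatures: list  # SignatureRecord objects in signing order
    requested: list   # users set in the document as signature request destinations

def verify_signatures(doc, list30, directory):
    """First example: which list-30 user's public key verifies each signature."""
    result = {}
    for i, sig in enumerate(doc.signatures):
        # Assumption: the state after a signature is the next record's 'before'
        # state, or the current content for the most recent signature.
        last = i + 1 == len(doc.signatures)
        after = doc.content if last else doc.signatures[i + 1].before
        result[sig.label] = next(
            (u for u in list30
             if u in directory and verify(sig.value, sig.before, after, directory[u])),
            None)
    return result

def check_requested_users(doc, list30, directory):
    """Second example: is each requested user's public key among the list-30 keys?"""
    trusted = {directory[u] for u in list30 if u in directory}
    return {u: directory.get(u) in trusted for u in doc.requested}

def evaluate(doc, list30, directory):
    """Evaluation information returned in response to a verification request."""
    sigs = verify_signatures(doc, list30, directory)
    reqs = check_requested_users(doc, list30, directory)
    return {"signatures": sigs, "requested": reqs,
            "ok": all(sigs.values()) and all(reqs.values())}

# Constructed sample data: toy keys built from Mersenne primes, never for real use.
KEYS = {
    "Y2": make_key(2**61 - 1, 2**89 - 1),
    "Y3": make_key(2**107 - 1, 2**127 - 1),
    "Y4": make_key(2**521 - 1, 2**607 - 1),
}
DIRECTORY = {user: public for user, (public, _) in KEYS.items()}
LIST_30 = ["Y2", "Y3"]  # users trusted by organization Y

def sample_document(signer="Y2"):
    """Document after the approval that produced signature Ya; Y4 is still pending."""
    before = "Contract between X and Y\nApproved: X1, X2\n"
    after = before + "Approved: Y2\n"
    ya = SignatureRecord("Ya", before, sign(before, after, KEYS[signer][1]))
    return Document(after, [ya], ["Y2", "Y4"])

if __name__ == "__main__":
    print(evaluate(sample_document(), LIST_30, DIRECTORY))
```

Because the second check compares directory keys with list 30 rather than validating a signature, it flags Y4 before Y4 has signed anything, which is the point of the second example.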
In the following, the functions exemplified by the information processing device 10 are described in more detail using a more specific information processing system as an example.
[Second embodiment]
Next, a second embodiment will be described.
FIG. 2 is a diagram illustrating an example of the information processing system of the second embodiment.
The information processing system of the second embodiment includes a control server 100, client devices 200, 200a, 400, 400a, an organization X server 300, an organization Y server 500, and cloud systems 600, 700. The control server 100 and the cloud systems 600 and 700 are connected to the network 70. The network 70 is, for example, the Internet.
Here, the cloud systems 600 and 700 are information processing systems that provide cloud services via the network 70. The cloud systems 600 and 700 have multiple physical machines and storage devices, and provide the resources of those physical machines and storage devices to client computers via the network 70. For example, the cloud services run by the cloud systems 600 and 700 include cloud-based storage services. The cloud systems 600 and 700 may be operated by different providers.
The client devices 200 and 200a are client computers owned by organization X. Organization X is, for example, a company. The organization X server 300 is a server computer owned by organization X. The client devices 200, 200a and the organization X server 300 are used by users belonging to organization X. The client devices 200, 200a and the organization X server 300 are connected to the network 80. The network 80 is a LAN (Local Area Network) installed within organization X. The network 80 is connected to the network 70. Users belonging to organization X operate the client devices 200 and 200a to use the cloud services provided by the cloud system 600.
The client devices 400 and 400a are client computers owned by organization Y. Organization Y is, for example, a company different from organization X. The organization Y server 500 is a server computer owned by organization Y. The client devices 400, 400a and the organization Y server 500 are used by users belonging to organization Y. The client devices 400, 400a and the organization Y server 500 are connected to the network 90. The network 90 is a LAN installed within organization Y. The network 90 is connected to the network 70. Users belonging to organization Y operate the client devices 400 and 400a to use the cloud services provided by the cloud system 700.
The control server 100 is a server computer that controls workflows (WF: WorkFlow) for approving electronic documents across multiple organizations using the cloud systems 600 and 700. An electronic document is referred to simply as a document. An electronic document may also be called document data. For approval of a document across organizations, it is important that the reliability of the document to be approved is guaranteed. The control server 100 therefore provides a function that supports cross-organizational approval procedures while enabling verification of the reliability of the document. A service that helps ensure the reliability of documents is sometimes called TaaS (Trust as a Service). The control server 100 is an example of the information processing device 10 of the first embodiment.
For example, the control server 100 and the cloud systems 600 and 700 function as web servers, and the client devices 200, 200a, 400, and 400a function as web browsers. For example, users of the client devices 200, 200a, 400, and 400a can operate a web browser to use a GUI (Graphical User Interface) provided by the web servers run by the control server 100 and the cloud systems 600 and 700.
FIG. 3 is a diagram illustrating a hardware example of the control server.
The control server 100 has a CPU 101, a RAM 102, an HDD 103, a GPU (Graphics Processing Unit) 104, an input interface 105, a medium reader 106, and a NIC (Network Interface Card) 107. The CPU 101 is an example of the processing unit 12 of the first embodiment. The RAM 102 or the HDD 103 is an example of the storage unit 11 of the first embodiment.
The CPU 101 is a processor that executes program instructions. The CPU 101 loads at least part of the programs and data stored in the HDD 103 into the RAM 102 and executes the programs. The CPU 101 may include multiple processor cores, and the control server 100 may have multiple processors. The processing described below may be executed in parallel using multiple processors or processor cores. A set of multiple processors is sometimes called a "multiprocessor" or simply a "processor".
The RAM 102 is a volatile semiconductor memory that temporarily stores programs executed by the CPU 101 and data used by the CPU 101 for computation. The control server 100 may have a type of memory other than RAM, and may have multiple memories.
The HDD 103 is a non-volatile storage device that stores data and software programs such as an OS (Operating System), middleware, and application software. The control server 100 may have other types of storage devices such as flash memory or an SSD (Solid State Drive), and may have multiple non-volatile storage devices.
The GPU 104 outputs images to the display 71 connected to the control server 100 in accordance with instructions from the CPU 101. Any type of display can be used as the display 71, such as a CRT (Cathode Ray Tube) display, a liquid crystal display (LCD: Liquid Crystal Display), a plasma display, or an organic EL (OEL: Organic Electro-Luminescence) display.
The input interface 105 acquires an input signal from the input device 72 connected to the control server 100 and outputs it to the CPU 101. As the input device 72, a pointing device such as a mouse, touch panel, touch pad, or trackball, a keyboard, a remote controller, a button switch, or the like can be used. Multiple types of input devices may be connected to the control server 100.
The medium reader 106 is a reading device that reads programs and data recorded on the recording medium 73. As the recording medium 73, for example, a magnetic disk, an optical disc, a magneto-optical disk (MO: Magneto-Optical disk), or a semiconductor memory can be used. Magnetic disks include flexible disks (FD: Flexible Disk) and HDDs. Optical discs include CDs (Compact Discs) and DVDs (Digital Versatile Discs).
The medium reader 106 copies, for example, programs and data read from the recording medium 73 to another recording medium such as the RAM 102 or the HDD 103. The read program is executed, for example, by the CPU 101. The recording medium 73 may be a portable recording medium and may be used to distribute programs and data. The recording medium 73 and the HDD 103 are sometimes referred to as computer-readable recording media.
The NIC 107 is an interface that is connected to the network 70 and communicates with other computers via the network 70. The NIC 107 is connected, for example, by cable to a communication device such as a switch or router. The NIC 107 may be a wireless communication interface.
 なお、クライアント装置200,200a,400,400a、組織Xサーバ300および組織Yサーバ500も制御サーバ100と同様のハードウェアにより実現される。また、クラウドシステム600,700それぞれに含まれる物理マシンも、制御サーバ100と同様のハードウェアにより実現される。 The client devices 200 , 200 a , 400 , 400 a , the organization X server 300 and the organization Y server 500 are also realized by hardware similar to the control server 100 . Physical machines included in each of the cloud systems 600 and 700 are also realized by hardware similar to the control server 100 .
FIG. 4 is a diagram showing an example of the functions of the control server. The control server 100 has a storage unit 110 and a control unit 130. Storage areas of the RAM 102 and the HDD 103 are used for the storage unit 110. The control unit 130 is implemented by the CPU 101 executing a program stored in the RAM 102.
The storage unit 110 stores data used by the control unit 130. The storage unit 110 holds organization X approval route information 111, organization X information 112, organization Y approval route information 113, organization Y information 114, inter-organization approval route information 115, and WF verification information 116.
The organization X approval route information 111 indicates the approval route template to be used within organization X for each document attribute. A document attribute is the type of document content, such as a contract or an application form. An approval route template indicates, for a given document attribute, the positions of the users who should approve the document and the order of those positions. The organization X information 112 indicates the names of the users who hold each position in each department of organization X.
The organization Y approval route information 113 indicates the approval route template to be used within organization Y for each document attribute. The organization Y information 114 indicates the names of the users who hold each position in each department of organization Y.
The inter-organization approval route information 115 indicates, for each document, the order of the organizations whose approval is required. For example, the inter-organization approval route information 115 includes information indicating that a certain document is to be approved by organization X and then organization Y, in this order. The inter-organization approval route information 115 may also include contact information, such as a mailing list, for the users in charge of managing WFs in each organization.
The WF verification information 116 is used by the control unit 130 to verify the WF set in a document. The WF verification information 116 is the set of public keys of the users in the relevant organization who are trusted to approve documents, or who have the authority to approve them.
Although not illustrated, the storage unit 110 also holds cloud service access information for accessing documents stored in the cloud systems 600 and 700. The cloud service access information is the cloud service account information needed to access the relevant document.
The control unit 130 controls WFs that span organizations. The control unit 130 has a signature frame insertion unit 131, a personal name conversion unit 132, a WF management unit 133, a signature processing unit 134, a notification unit 135, a signature frame update unit 136, and a verification processing unit 137.
The signature frame insertion unit 131 inserts signature frames into a document. A signature frame is an area in which a user who approves the document places an image, such as a handwritten signature or a seal impression, to show on the document that the user has approved it. In the following example, a handwritten signature image is placed in each signature frame. Here, the document is, for example, data in XML format. In this case, the signature frame information is written in the document using the "o:signatureline" tag. The order in which the signature frames appear in the document determines the order of the users who are asked for approval.
For example, based on the organization X approval route information 111, the signature frame insertion unit 131 inserts the approval route template for organization X into the document as signature frames, according to the document's attribute. At this stage the signature frames form only a template of the approval route: each frame carries position information only, with no personal name of a user. When the WF is to be passed to organization Y after organization X, the signature frame insertion unit 131 also adds to the document a signature frame indicating the next organization Y, that is, an inter-organization signature frame. The signature frame insertion unit 131 identifies the order of the organizations through which the WF for a given document passes based on, for example, the inter-organization approval route information 115. The inter-organization approval route information 115 is entered into the storage unit 110 in advance by, for example, the user who drafted the document.
Based on, for example, the organization X information 112, the personal name conversion unit 132 adds a user's personal name and contact information, such as the user's e-mail address, to each position in the approval route template that the signature frame insertion unit 131 inserted into the document. Specifically, the personal name conversion unit 132 takes the drafting user who drafted the document as the starting point of the approval route. For each position in the approval route template, the personal name conversion unit 132 obtains from the organization X information 112 the personal name and contact information of the user who holds that position in the department to which the drafting user belongs, and adds that personal name and contact information to the signature frame of the document. A signature frame corresponding to an individual user within an organization is called an intra-organization signature frame.
The signature frame insertion unit 131 may instead accept input of an approval route that includes users' personal names and set intra-organization signature frames indicating that approval route in the document. That is, the signature frame insertion unit 131 may set the intra-organization signature frames in the document without using the personal name conversion unit 132.
The WF management unit 133 manages the WF for a document. Based on the intra-organization signature frame information attached to the document, the WF management unit 133 sends an approval request to the contact address, such as the e-mail address, of the user who is to approve next. When the WF management unit 133 accepts that user's approval of the document, it causes the signature processing unit 134 to place the user's signature image in the user's intra-organization signature frame and to attach a digital signature to the document. Once the signature processing unit 134 has attached the digital signature to the document, the WF management unit 133 sends an approval request to the next user on the route.
For example, when all users of organization X registered in a document have completed their approval, the WF management unit 133 starts the WF of the next organization Y for that document. Immediately before the WF of organization Y is started, the signature frame update unit 136 sets the approval route of organization Y in the document. The WF management unit 133 ends the WF when all users of all organizations have completed their approval.
For a document, the signature processing unit 134 places the signature image of the user who approved it in that user's intra-organization signature frame and attaches that user's digital signature. The user's private key used for the digital signature is held in, for example, the storage unit 110. However, the private key may instead be held in the client device used by the user or on a predetermined recording medium in the user's possession.
When all users of the preceding organization have completed their approval, the notification unit 135 notifies the users who manage the WF in the next organization that the WF has arrived.
The signature frame update unit 136 updates an inter-organization signature frame in the document to intra-organization signature frames. For example, when the WF of organization Y is to be started after that of organization X for a certain document, the signature frame update unit 136 may set the approval route template of organization Y in the document based on the organization Y approval route information 113. In this case, the user at the starting point of the approval route in organization Y is specified to the signature frame update unit 136, and the personal name conversion unit 132 sets a personal name for each position in the approval route template of organization Y. Alternatively, the signature frame update unit 136 may accept input of an approval route that includes the personal names of the users of the next organization Y and set intra-organization signature frames indicating that approval route in the document.
Based on the WF verification information 116, the verification processing unit 137 verifies the legitimacy of each user included in the approval route attached to a document. For example, the verification processing unit 137 receives a WF verification request from the client device 200 for a document whose WF has passed to organization Y after organization X. The verification processing unit 137 then determines whether the public key of each organization Y user included in the document's approval route is among the public keys of organization Y users contained in the WF verification information 116. If the determination is true, the verification processing unit 137 judges that each organization Y user included in the document's approval route is legitimate and responds to the client device 200 to that effect. If the determination is false, the verification processing unit 137 judges that the document's approval route contains an unauthorized user and reports that unauthorized user to the client device 200. The verification processing unit 137 also verifies each user's digital signature attached to the document.
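The route check performed by the verification processing unit 137 can be sketched as follows. This is an added example, not code from the patent: the route entry layout, the PEM-to-fingerprint normalization, the function names, and the sample keys (constructed byte strings, not real keys) are assumptions, and digital signature verification is outside its scope.

```python
import base64
import hashlib


def key_fingerprint(pem):
    """SHA-256 of the DER bytes inside a PEM block; line wrapping does not affect it."""
    body = "".join(ln.strip() for ln in pem.strip().splitlines()
                   if ln.strip() and not ln.strip().startswith("-----"))
    return hashlib.sha256(base64.b64decode(body, validate=True)).hexdigest()


def make_pem(der, width=64):
    """Wrap bytes as a PUBLIC KEY PEM block (only used to build the constructed samples)."""
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(rows) + "\n-----END PUBLIC KEY-----\n"


# Constructed stand-ins for the public keys of users C, D (organization Y) and E (outsider).
KEY_C = make_pem(b"constructed-key-user-C" * 4)
KEY_D = make_pem(b"constructed-key-user-D" * 4)
KEY_E = make_pem(b"constructed-key-user-E" * 4)

# Assumed shape of WF verification information 116: trusted key fingerprints per organization.
WF_VERIFICATION_INFO = {"Y": {key_fingerprint(KEY_C), key_fingerprint(KEY_D)}}


def unauthorized_users(route, org, verification_info):
    """Return the names of `org` users on the route whose public key is not trusted.

    Fails closed: an organization with no verification information raises, and a
    route entry with a missing or undecodable key is reported as unauthorized.
    """
    if org not in verification_info:
        raise KeyError(f"no WF verification information for organization {org!r}")
    trusted = verification_info[org]
    rejected = []
    for entry in route:
        if entry["org"] != org:
            continue
        try:
            ok = key_fingerprint(entry["public_key"]) in trusted
        except (KeyError, AttributeError, ValueError):
            ok = False  # no key, wrong type, or invalid base64
        if not ok:
            rejected.append(entry["name"])
    return rejected


if __name__ == "__main__":
    route = [
        {"org": "Y", "name": "C", "public_key": KEY_C},
        {"org": "Y", "name": "E", "public_key": KEY_E},
    ]
    print(unauthorized_users(route, "Y", WF_VERIFICATION_INFO))
```

An empty result corresponds to the "each user is legitimate" response; a non-empty result is the list of users to report back to the client device.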
FIG. 5 is a diagram showing an example of organization X approval route information.
The organization X approval route information 111 is stored in the storage unit 110 in advance. The organization X approval route information 111 includes the items document attribute, draft, approval, and final decision.
The document attribute item holds the attribute of the document. The draft item holds the department and position, within the company, of the user who drafts the document. The approval item holds the department and position of the user who approves the document. The final decision item holds the department and position of the user who makes the final decision on the document. The department may be omitted in the draft, approval, and final decision items. An omitted department means the same department as the user who asked the control server 100 to start the WF, that is, the user who drafted the document.
Drafting, approval, and final decision are an example of multiple procedures in a WF that involve signatures. This series of procedures is to be carried out in this order. The final decision represents the final approval and can be regarded as the same kind of procedure as approval.
For example, the organization X approval route information 111 contains a record with document attribute "contract", draft "person in charge", approval "department manager", and final decision "-". This record indicates that, for a document with the attribute "contract", a user with the position "person in charge" first drafts and approves the document, and then the "department manager" of the same department as the drafting user approves it, which completes the WF.
Approval route templates are registered in the organization X approval route information 111 for other document attributes in the same way. For a given document attribute, an approval route template indicated by the organization X approval route information 111 can include two or more department and position pairs corresponding to two or more requested users, including the drafter.
The organization Y approval route information 113 is implemented with the same data structure as the organization X approval route information 111.
FIG. 6 is a diagram showing an example of organization X information.
The organization X information 112 is stored in the storage unit 110 in advance. The organization X information 112 includes the items department, position, and name. The department item holds the name of the department. The position item holds the name of the position. The name item holds the name of the user.
For example, in the organization X information 112, the name "Name B" is registered for the department "XX Department" and the position "department manager". The name "Name A" is registered for the department "XX Department" and the position "person in charge".
The organization Y information 114 is implemented with the same data structure as the organization X information 112.
Next, an example of WF control by the control unit 130 will be described.
FIG. 7 is a diagram showing an example of WF control.
In this example, the control server 100 accepts approvals for a document 800 registered by a user of organization X, in order, from users belonging to organization X and then organization Y.
First, the signature frame insertion unit 131 acquires the document 800 from the client device 200. Based on the organization X approval route information 111, the signature frame insertion unit 131 adds intra-organization signature frames 811 and 812 for organization X to the document 800. In this example, two users in organization X are expected to approve the document 800. At this stage, only positions are registered in the intra-organization signature frames 811 and 812. The signature frame insertion unit 131 also adds an inter-organization signature frame 813 to the document 800 based on the inter-organization approval route information 115. Information indicating that the WF for the document 800 is to be routed to organization X and then organization Y is set in the inter-organization approval route information 115 in advance, in association with the identification information of the document 800, by, for example, the user who drafted the document 800.
The signature frame insertion unit 131 stores the document 810, which is the document 800 with the intra-organization signature frames 811 and 812 and the inter-organization signature frame 813 added, in the cloud system 600 used by organization X. For example, the intra-organization signature frame 811 includes information indicating the position "person in charge". The intra-organization signature frame 812 includes information indicating the position "department manager". The intra-organization signature frames 811 and 812 appear in the document 810 in this order. The approval route in organization X is therefore the user corresponding to the intra-organization signature frame 811 followed by the user corresponding to the intra-organization signature frame 812. The inter-organization signature frame 813 includes information indicating organization Y.
When the document 810 subject to the WF is stored in the cloud system 600, the personal name conversion unit 132 acquires the document 810 from the cloud system 600 and, based on the organization X information 112, inserts into the intra-organization signature frames 811 and 812 the personal name of the user corresponding to each position. At this time, the personal name conversion unit 132 may insert the user's contact information, such as an e-mail address, together with the user's personal name. The e-mail address may be registered in the organization X information 112 in advance or may be entered by, for example, the user operating the client device 200.
In this way, the personal name conversion unit 132 generates a document 820 from the document 810 and stores it in the cloud system 600. The document 820 has intra-organization signature frames 821 and 822 and an inter-organization signature frame 823. The intra-organization signature frames 821 and 822 correspond to the intra-organization signature frames 811 and 812, respectively. The intra-organization signature frame 821 contains the personal name of user A, who belongs to organization X. The intra-organization signature frame 822 contains the personal name of user B, who belongs to organization X. The inter-organization signature frame 823 is the same as the inter-organization signature frame 813.
The WF management unit 133 starts the WF within organization X based on the document 820 stored in the cloud system 600. For example, the WF management unit 133 sends an approval request to user A's e-mail address. User A operates, for example, the client device 200, checks the content of the document 820 via the control server 100, and enters approval of the document 820. On accepting user A's approval input, the WF management unit 133 notifies the signature processing unit 134 of user A's approval. In response to user A's approval, the signature processing unit 134 adds user A's signature image to the intra-organization signature frame 821. The signature processing unit 134 also adds user A's digital signature to the document 820 in response to user A's approval. Next, the WF management unit 133 sends an approval request to user B's e-mail address and, in response to user B's approval, user B's signature image is added to the intra-organization signature frame 822. The signature processing unit 134 also adds user B's digital signature to the document 820 in response to user B's approval.
In this way, the signature processing unit 134 generates a document 830 from the document 820. The signature processing unit 134 stores the document 830 in the cloud system 600. The document 830 has signed signature frames 831 and 832 and an inter-organization signature frame 833. The signed signature frames 831 and 832 correspond to the intra-organization signature frames 821 and 822, respectively. The signed signature frame 831 is the intra-organization signature frame 821 with user A's signature image added. The signed signature frame 832 is the intra-organization signature frame 822 with user B's signature image added. The inter-organization signature frame 833 is the same as the inter-organization signature frame 823.
When the WF management unit 133 detects, based on the document 830, that all approvals by users A and B in organization X have been completed, it moves the document 830 to the inter-organization shared data storage unit 150 of the control server 100. The inter-organization shared data storage unit 150 is a storage area in the control server 100 for holding data shared by organizations X and Y. Storage areas of the RAM 102 and the HDD 103, for example, are used for the inter-organization shared data storage unit 150.
When the notification unit 135 detects that the document 830 has been registered in the inter-organization shared data storage unit 150, it notifies the mailing list of the users who manage the WF in organization Y, based on the inter-organization signature frame 833 included in the document 830, that the WF has arrived. In response to the notification, a user corresponding to an e-mail address on the mailing list registers the organization Y approval route information 113 in the control server 100. The signature frame update unit 136 then converts the inter-organization signature frame 833 included in the document 830 into intra-organization signature frames 843 and 844 for organization Y, based on the organization Y approval route information 113. In this example, two users in organization Y are expected to approve the document 840.
In this way, the signature frame update unit 136 generates a document 840 from the document 830 and stores the document 840 in the cloud system 700 used by organization Y. The document 840 has signed signature frames 841 and 842 and intra-organization signature frames 843 and 844. The signed signature frames 841 and 842 are the same as the signed signature frames 831 and 832, respectively. For example, the intra-organization signature frame 843 includes information indicating the position "person in charge". The intra-organization signature frame 844 includes information indicating the position "section manager". The intra-organization signature frames 843 and 844 appear in the document 840 in this order. The approval route in organization X is therefore the user corresponding to the intra-organization signature frame 843 followed by the user corresponding to the intra-organization signature frame 844.
As in the case of organization X, when the document 840 is stored in the cloud system 600, the personal name conversion unit 132 generates a document 850 by inserting into the intra-organization signature frames 843 and 844, based on the organization Y information 114, the personal name of the user corresponding to each position.
The document 850 has signed signature frames 851 and 852 and intra-organization signature frames 853 and 854. The signed signature frames 851 and 852 are the same as the signed signature frames 841 and 842, respectively. The intra-organization signature frame 853 contains the personal name of user C, who belongs to organization Y. The intra-organization signature frame 854 contains the personal name of user D, who belongs to organization Y. The intra-organization signature frames 853 and 854 may contain the e-mail addresses of users C and D, respectively.
As with organization X, the WF management unit 133 can execute the WF for approval of the document 850 in organization Y based on the intra-organization signature frames 853 and 854 of the document 850.
FIG. 8 is a diagram showing a description example of an intra-organization signature frame in a document.
Description C1 is a description example of the intra-organization signature frame 811 in the document 810. Description C2 is a description example of the intra-organization signature frame 821 in the document 820. Descriptions C1 and C2 follow the Signatureline format of Office (registered trademark) Open XML.
For example, a configured signature line (signature frame) is indicated by the "o:signatureline" tag. The name of the signer (approver) is written using the "o:suggestedsigner" tag. The e-mail address is written using the "o:suggestedsigneremail" tag. The position is written using the "o:suggestedsigner2" tag.
In the intra-organization signature frame 811, the user's personal name has not yet been set. In description C1, therefore, "o:suggestedsigner2" is set to "person in charge", while "o:suggestedsigner" and "o:suggestedsigneremail" are left unset.
In the intra-organization signature frame 821, the user's personal name has been set. In description C2, therefore, "o:suggestedsigner" is set to "A", "o:suggestedsigneremail" to "a@x.jp", and "o:suggestedsigner2" to "person in charge", for example.
For example, when users A and B sign in this order in organization X, the intra-organization signature frame corresponding to user A and the intra-organization signature frame corresponding to user B are written in that order in the document 810 and the document 820. The intra-organization signature frames 812 and 822 are likewise described using the "o:signatureline" tag.
FIG. 9 is a diagram showing a description example of an inter-organization signature frame in a document.
Description C3 is a description example of the inter-organization signature frame 813 in the document 810. Like the intra-organization signature frames 811 and 821, the inter-organization signature frame 813 is described using the "o:signatureline" tag.
For example, when a specific prefix is added to the information in the "o:suggestedsigner2" tag, which otherwise indicates the job title, the text immediately after the prefix indicates the organization to which the document is passed rather than the job title of the signing user. Description C3 is an example in which the prefix is "_org:". In description C3, "o:suggestedsigner2" is set to "_org:Y", where the final "Y" is the identification information of the organization. In description C3, "o:suggestedsigner" and "o:suggestedsigneremail" are, for example, not set. If the document is to be passed to a plurality of subsequent organizations, the signature frame insertion unit 131 adds to the document a description corresponding to the inter-organization signature frame of each organization, in the order in which the document is passed.
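A parser for the three frame descriptions C1 to C3, as an added example that is not code from the patent. It assumes the fields appear as namespaced attributes of the `o:signatureline` element; the sample XML, the role "department manager", the organization "Z" and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

O_NS = "urn:schemas-microsoft-com:office:office"  # namespace bound to "o:"
ORG_PREFIX = "_org:"  # routing prefix used in description C3

# Constructed sample: four signature lines in approval order, modelled on
# description C2 (named signer), C1 (job title only) and C3 (next organization).
SAMPLE = """\
<root xmlns:v="urn:schemas-microsoft-com:vml"
      xmlns:o="urn:schemas-microsoft-com:office:office">
  <v:shape><o:signatureline o:suggestedsigner="A"
      o:suggestedsigneremail="a@x.jp"
      o:suggestedsigner2="person in charge"/></v:shape>
  <v:shape><o:signatureline o:suggestedsigner2="department manager"/></v:shape>
  <v:shape><o:signatureline o:suggestedsigner2="_org:Y"/></v:shape>
  <v:shape><o:signatureline o:suggestedsigner2="_org:Z"/></v:shape>
</root>"""


def _attr(element, name):
    """Return a namespaced attribute, or None when it is absent or blank."""
    value = element.get(f"{{{O_NS}}}{name}", "").strip()
    return value or None


def classify_frames(xml_text):
    """Return the signature frames in document order, typed by their fields."""
    frames = []
    root = ET.fromstring(xml_text)
    for element in root.iter(f"{{{O_NS}}}signatureline"):
        role = _attr(element, "suggestedsigner2")
        if role and role.startswith(ORG_PREFIX):
            # The job-title field is overloaded: after the prefix it carries
            # the identifier of the organization that receives the document.
            org = role[len(ORG_PREFIX):].strip()
            if not org:
                raise ValueError("inter-organization frame without an organization id")
            frames.append({"kind": "inter_org", "org": org})
        else:
            frames.append({
                "kind": "intra_org",
                "role": role,
                "name": _attr(element, "suggestedsigner"),
                "email": _attr(element, "suggestedsigneremail"),
            })
    return frames


def unresolved_roles(frames):
    """Job titles that still need conversion to a personal name."""
    return [f["role"] for f in frames
            if f["kind"] == "intra_org" and f["name"] is None]


def next_organizations(frames):
    """Organization identifiers in the order the document is passed on."""
    return [f["org"] for f in frames if f["kind"] == "inter_org"]


if __name__ == "__main__":
    parsed = classify_frames(SAMPLE)
    for frame in parsed:
        print(frame)
    print("needs a name:", unresolved_roles(parsed))
    print("route after this organization:", next_organizations(parsed))
```

Because routing and job titles share one field, a job title that itself begins with "_org:" is read as a routing entry, so the parser rejects an empty identifier rather than guessing.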
Next, the WF control procedure of the control server 100 will be described.
FIG. 10 is a flowchart showing an example of WF control.
(S10) The signature frame insertion unit 131 acquires the document 800 created in the cloud system 600 by user A of organization X.
(S11) Based on the organization X approval path information 111, the signature frame insertion unit 131 inserts the approval path of organization X corresponding to the attributes of the document 800 into the document 800 as the intra-organization signature frames 811 and 812.
(S12) Based on the inter-organization approval path information 115, the signature frame insertion unit 131 identifies the next organization Y for the document 800 and inserts the inter-organization signature frame 813 corresponding to organization Y into the document 800. The signature frame insertion unit 131 thus generates the document 810 from the document 800 and stores the document 810 in the cloud system 600.
(S13) Based on the organization X information 112, the personal name conversion unit 132 converts the job titles in the approval path of the document 810 into personal names. That is, the personal name conversion unit 132 adds the personal name and e-mail address of user A to the intra-organization signature frame 811. Based on the department to which user A belongs, the personal name conversion unit 132 also identifies, from the organization X information 112, the personal name of user B corresponding to the intra-organization signature frame 812, and adds user B's personal name and e-mail address to the intra-organization signature frame 812. The personal name conversion unit 132 thus generates the document 820 from the document 810 and stores the document 820 in the cloud system 600.
(S14) The WF management unit 133 advances the WF within organization X based on the intra-organization signature frames 821 and 822 in the document 820. In response to signature input by users A and B, the signature processing unit 134 adds signature images to the intra-organization signature frames 821 and 822. Also in response to signature input by users A and B, the signature processing unit 134 attaches the digital signatures of users A and B to the document 820. The signature processing unit 134 thus generates the document 830 from the document 820.
(S15) When approval by users A and B in organization X is complete, the WF management unit 133 moves the document 830 to the inter-organization shared data storage unit 150.
(S16) The notification unit 135 notifies a predetermined mailing list of organization Y that the WF has been passed to organization Y.
(S17) The signature frame update unit 136 accepts registration of organization Y's approval path by a user of organization Y and adds the approval path to the organization Y approval path information 113.
(S18) Based on the attributes of the document 840 and the organization Y approval path information 113, the signature frame update unit 136 converts the inter-organization signature frame 833 of organization Y in the document 830 into the intra-organization signature frames 843 and 844 of organization Y, thereby inserting organization Y's approval path into the document 830. The signature frame update unit 136 thus generates the document 840 from the document 830. The signature frame update unit 136 moves the document 840 to the cloud system 700 used by organization Y.
(S19) Based on the organization Y information 114, the personal name conversion unit 132 converts the job titles in the approval path of the document 840 into personal names. For example, the personal name conversion unit 132 accepts, from a user of organization Y, the designation of user C as the starting point of the approval path in organization Y. The personal name conversion unit 132 then adds the personal name and e-mail address of user C to the intra-organization signature frame 843. Based on the department to which user C belongs, the personal name conversion unit 132 also identifies, from the organization Y information 114, the personal name of user D corresponding to the intra-organization signature frame 844, and adds user D's personal name and e-mail address to the intra-organization signature frame 844. The personal name conversion unit 132 thus generates the document 850 from the document 840.
(S20) The WF management unit 133 advances the WF within organization Y based on the intra-organization signature frames 853 and 854 in the document 850. In response to signature input by users C and F, the signature processing unit 134 adds signature images to the intra-organization signature frames 853 and 854. In response to signature input by users C and D, the signature processing unit 134 also attaches the digital signatures of users C and D to the document 850. The WF control then ends.
Here, the signature frame update unit 136 may also accept, from a user of organization Y, input of an approval path that includes users' personal names, and set that approval path in the document 830. The control server 100 therefore provides a function for performing WF verification in the course of the WF control described above. WF verification is a function that verifies the legitimacy of the request-destination users included in the approval path set in a document, for example by a user of organization Y.
FIG. 11 is a diagram showing an example of WF verification.
The signature frame update unit 136 accepts, from the client device 400, an instruction to set the intra-organization signature frames 853 and 854 for the document 830 that has been moved to the inter-organization shared data storage unit 150. For example, a user of organization Y can operate the client device 400 to input to the signature frame update unit 136 an instruction to set the intra-organization signature frames 853 and 854. The signature frame update unit 136 generates the document 850 by converting the inter-organization signature frame 833 of the document 830 into the intra-organization signature frames 853 and 854 of organization Y, and stores it in the cloud system 700.
Upon receiving a WF verification request from the client device 200, the verification processing unit 137 verifies, based on the WF verification information 116, the request-destination users of organization Y that correspond to the intra-organization signature frames 853 and 854 of the document 850. A user of organization X can operate the client device 200 to input a WF verification request to the verification processing unit 137.
Here, the WF verification information 116 is the set of public keys of the users in organization Y who are permitted to be set in an approval path. The verification processing unit 137 acquires, from the organization Y server 500, the public key of the user of each of the intra-organization signature frames 853 and 854, and verifies the request-destination users by determining whether each acquired public key is included in the WF verification information 116. The verification processing unit 137 returns to the client device 200 a WF verification result indicating whether the approval path of the document 850 includes an unauthorized user.
FIG. 12 is a diagram showing an example of acquisition of WF verification information.
The verification processing unit 137 obtains, from the organization Y server 500, a list of the e-mail addresses of the users in organization Y who are permitted to be set in an approval path (step ST10). The e-mail addresses in the list are, for example, those in the mailing list 501 to which the notification unit 135 sends the notice that the WF has been passed to organization Y. The list includes, for example, user C's e-mail address "c@xxx" and user D's e-mail address "d@xxx".
Note that in step ST10, the list of organization Y's e-mail addresses may instead be provided to the verification processing unit 137 by the client device 400. The organization Y server 500 or the client device 400 may provide the list to the control server 100 in response to the control server 100's notification that the WF of the relevant document has been passed to organization Y.
The verification processing unit 137 issues a temporary ID (IDentifier) for each acquired e-mail address (step ST11). A temporary ID is temporary identification information corresponding to an e-mail address. The temporary ID may be, for example, a hash value of the e-mail address. The verification processing unit 137 stores the temporary ID list 117, which is the list of issued temporary IDs, in the storage unit 110. The verification processing unit 137 also transmits the temporary ID corresponding to each acquired e-mail address to the organization Y server 500. The verification processing unit 137 may discard the acquired e-mail addresses. By discarding them, the verification processing unit 137 avoids holding the e-mail addresses of organization Y's users.
The organization Y server 500 has a public key DB (DataBase) 502. The public key DB 502 stores each organization Y user's public key in association with that user's e-mail address. In the public key DB 502, the organization Y server 500 manages each public key in association with its temporary ID.
The verification processing unit 137 transmits a public key acquisition request to the organization Y server 500 based on the temporary ID list 117 (step ST12). For example, the public key acquisition request includes the temporary ID corresponding to the e-mail address "c@xxx" and the temporary ID corresponding to the e-mail address "d@xxx". Based on the temporary IDs in the public key acquisition request, the organization Y server 500 retrieves user C's public key Kc and user D's public key Kd from the public key DB 502 and returns them to the control server 100. The verification processing unit 137 receives the public keys Kc and Kd as the response to the public key acquisition request and registers them in the WF verification information 116 of organization Y (step ST13).
The verification processing unit 137 thus obtains the WF verification information 116. By using temporary IDs, the verification processing unit 137 can obtain the WF verification information 116 without using the user identification information used within organization Y. Next, an example in which the control server 100 acquires public keys based on the intra-organization signature frames in a document will be described.
FIG. 13 is a diagram showing an example of acquiring public keys based on intra-organization signature frames.
For example, the document 850 has signed signature frames 851 and 852 and organization Y's intra-organization signature frames 853 and 854. The intra-organization signature frame 853 includes user C's e-mail address "c@xxx". The intra-organization signature frame 854 includes user D's e-mail address "d@xxx". The verification processing unit 137 specifies the e-mail addresses of users C and D and queries the organization Y server 500 for their public keys (step ST20).
In response to the public key query, the organization Y server 500 refers to the public key DB 502 and returns user C's public key Kc and user D's public key Kd to the control server 100 (step ST21). The verification processing unit 137 thus acquires the public keys Kc and Kd based on the intra-organization signature frames 853 and 854 of the document 850.
Here, a document 860 is shown as a comparative example. The document 860 has signed signature frames 861 and 862 and organization Y's intra-organization signature frames 863 and 864. The signed signature frames 861 and 862 are the same as the signed signature frames 851 and 852. The intra-organization signature frame 863 includes user C's e-mail address "c@xxx". The intra-organization signature frame 864 includes user E's e-mail address "e@xxx". The verification processing unit 137 specifies the e-mail addresses of users C and E and queries the organization Y server 500 for their public keys (step ST20a).
In response to the public key query, the organization Y server 500 refers to the public key DB 502 and returns user C's public key Kc and user E's public key Ke to the control server 100 (step ST21a). The verification processing unit 137 thus acquires the public keys Kc and Ke based on the intra-organization signature frames 863 and 864 of the document 860.
FIG. 14 is a diagram showing an example of the WF verification method.
The first example is WF verification of the document 850 based on the WF verification information 116. The verification processing unit 137 determines whether the public key Kc acquired based on the intra-organization signature frame 853 of the document 850 is included in the set of public keys indicated by the WF verification information 116. The WF verification information 116 includes the public keys Kc and Kd. The verification processing unit 137 therefore determines that user C, who corresponds to the intra-organization signature frame 853, is legitimate.
The verification processing unit 137 also determines whether the public key Kd acquired based on the intra-organization signature frame 854 of the document 850 is included in the set of public keys indicated by the WF verification information 116. The public key Kd is included in the WF verification information 116. The verification processing unit 137 therefore determines that user D, who corresponds to the intra-organization signature frame 854, is legitimate.
Accordingly, the verification processing unit 137 determines that the approval path set in the document 850 is legitimate. In this case, the correct WF is being executed for the document 850 in organization Y.
The second example is WF verification of the document 860 based on the WF verification information 116. The verification processing unit 137 determines whether the public key Kc acquired based on the intra-organization signature frame 863 of the document 860 is included in the set of public keys indicated by the WF verification information 116. The public key Kc is included in the WF verification information 116. The verification processing unit 137 therefore determines that user C, who corresponds to the intra-organization signature frame 853, is legitimate.
The verification processing unit 137 also determines whether the public key Ke acquired based on the intra-organization signature frame 864 of the document 860 is included in the set of public keys indicated by the WF verification information 116. The public key Ke is not included in the WF verification information 116. The verification processing unit 137 therefore determines that user E, who corresponds to the intra-organization signature frame 864, is unauthorized.
Accordingly, the verification processing unit 137 determines that the approval path set in the document 860 is unauthorized. In this case, an unauthorized WF is being executed for the document 860 in organization Y.
Note that the verification processing unit 137 can use, for example, a Bloom filter to determine whether a given public key is included in the set of public keys indicated by the WF verification information 116.
Next, the WF verification procedure of the control server 100 will be described.
FIG. 15 is a flowchart showing an example of WF verification.
(S30) The verification processing unit 137 receives a WF verification request for a document. For example, a user of organization X can operate the client device 200 to input to the control server 100 a WF verification request that specifies the document 850 as the WF verification target.
(S31) Based on the WF verification information 116 of organization Y, the verification processing unit 137 verifies the WF set in the relevant document, that is, the legitimacy of each user included in the approval path. As illustrated in FIG. 14, the verification processing unit 137 verifies the legitimacy of a request-destination user according to whether that user's public key, acquired based on the intra-organization signature frame of the document, is included in the set of public keys indicated by the WF verification information 116.
(S32) The verification processing unit 137 determines whether all users included in the WF of the relevant document were found legitimate in step S31. If all users are legitimate, the process proceeds to step S33. If an unauthorized user is included, the process proceeds to step S34.
(S33) The verification processing unit 137 responds that the WF of the relevant document is legitimate, that is, that all users set in the approval path are legitimate. The WF verification then ends.
(S34) The verification processing unit 137 responds with information on the WF of the relevant document, that is, on the user who was set in the approval path without authorization. The WF verification then ends.
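The acquisition of the WF verification information (ST10 to ST13), the key lookup per signature frame (ST20, ST21) and the check in S31 to S34, as an added example that is not code from the patent. The class and method names, the e-mail normalization, the SHA-256 temporary ID and the key byte strings are assumptions constructed for illustration; an exact set stands in for the membership test.

```python
import hashlib


def temp_id(email):
    """Temporary ID for an e-mail address (ST11); assumed here to be SHA-256."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


class OrgYServer:
    """Stand-in for organization Y server 500 (mailing list 501, key DB 502)."""

    def __init__(self, mailing_list, key_db):
        self.mailing_list = list(mailing_list)
        self.key_db = dict(key_db)          # e-mail address -> public key bytes
        self.key_by_temp_id = {}            # temporary ID -> public key bytes

    def allowed_addresses(self):            # ST10: users allowed on a path
        return list(self.mailing_list)

    def link_temp_ids(self, id_by_email):   # ST11: bind temporary IDs to keys
        for email, tid in id_by_email.items():
            if email in self.key_db:
                self.key_by_temp_id[tid] = self.key_db[email]

    def keys_for_temp_ids(self, temp_ids):  # ST12: answer by temporary ID only
        return [self.key_by_temp_id[t] for t in temp_ids if t in self.key_by_temp_id]

    def key_for_email(self, email):         # ST20/ST21: key for one frame
        return self.key_db.get(email)


class ControlServer:
    """Stand-in for the verification processing unit 137."""

    def __init__(self):
        self.temp_id_list = []              # temporary ID list 117
        self.wf_verification_info = set()   # WF verification information 116

    def build_verification_info(self, org_y):
        id_by_email = {e: temp_id(e) for e in org_y.allowed_addresses()}
        org_y.link_temp_ids(id_by_email)
        self.temp_id_list = sorted(id_by_email.values())
        del id_by_email                     # addresses are discarded, IDs kept
        keys = org_y.keys_for_temp_ids(self.temp_id_list)
        self.wf_verification_info = set(keys)          # ST13

    def verify_route(self, frame_emails, org_y):
        """Return the users set on the path without authorization (S34);
        an empty list means every user is legitimate (S33)."""
        unauthorized = []
        for email in frame_emails:
            key = org_y.key_for_email(email)
            # A user with no published key cannot be matched and is rejected.
            if key is None or key not in self.wf_verification_info:
                unauthorized.append(email)
        return unauthorized


# Constructed sample data following the page's users C, D and E.
PUBLIC_KEY_DB_502 = {
    "c@xxx": b"constructed-public-key-Kc",
    "d@xxx": b"constructed-public-key-Kd",
    "e@xxx": b"constructed-public-key-Ke",
}
MAILING_LIST_501 = ["c@xxx", "d@xxx"]       # only C and D may be on a path
DOC_850_FRAMES = ["c@xxx", "d@xxx"]         # frames 853 and 854
DOC_860_FRAMES = ["c@xxx", "e@xxx"]         # frames 863 and 864

if __name__ == "__main__":
    org_y = OrgYServer(MAILING_LIST_501, PUBLIC_KEY_DB_502)
    control = ControlServer()
    control.build_verification_info(org_y)
    print("document 850:", control.verify_route(DOC_850_FRAMES, org_y))
    print("document 860:", control.verify_route(DOC_860_FRAMES, org_y))
```

If the exact set is replaced by a Bloom filter, a negative answer remains definitive but a positive answer can be a false positive, so a hit should be confirmed against the exact key set before a user is reported as legitimate.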
In this way, the control server 100 can verify the legitimacy of a request-destination user in organization Y even before that user's digital signature has been attached to the document 850, the document 860, or the like. For example, even when the control server 100 does not permit the organization Y approval path information 113 to be used in processing for a user of organization X, it can respond to a verification request from the user of organization X by verifying the legitimacy of the request-destination user in organization Y using the public keys published for signature verification.
The control server 100 can also verify the digital signatures already attached to the document 850, the document 860, and the like. The attachment of digital signatures by the control server 100 is therefore described next.
FIG. 16 is a diagram showing an example of signature processing.
FIG. 16 shows an example in which the digital signatures of users A and B of organization X are attached to the document 820 in order.
The document 820 has a body R1 and document format information R2. The body R1 is the body of the document 820 and includes the intra-organization signature frames 821 and 822. The document format information R2 is information indicating the format of the document 820. In this example, the signature processing unit 134 adds the digital signatures to the extension area of the document format information R2.
First, the WF management unit 133 requests user A to approve the document 820. In response to the user's approval of the document 820, the signature processing unit 134 processes the document 820 to generate the document 820a (step ST30). Specifically, in response to user A's approval of the document 820, the signature processing unit 134 adds user A's signature image to the intra-organization signature frame 821. Also in response to user A's approval, the signature processing unit 134 attaches user A's digital signature to the document 820. The signature processing unit 134 stores the document 820a, to which user A's digital signature has been attached, in the cloud system 600.
Here, the document 820a has a body R1a and document format information R2a. The body R1a has a signed signature frame 821a and an intra-organization signature frame 822a. The signed signature frame 821a is user A's intra-organization signature frame with user A's signature image added. The intra-organization signature frame 822a is the same as the intra-organization signature frame 822. User A's digital signature is added to the extension area of the document format information R2a as follows.
The signature processing unit 134 creates difference information diff1. The difference information diff1 indicates the difference between the content of the body R1 at the time approval was requested from user A and the content of the body R1a immediately after user A's approval. The signature processing unit 134 saves the content of the body R1 at the time of the approval request as the data "previous.audit" in the extension area of the document format information R2a. The signature processing unit 134 then adds to the extension area of the document format information R2a the hash value H(diff1) of the difference information diff1 and the value Sig(H(diff1)) obtained by encrypting the hash value H(diff1) with user A's private key. Sig(H(diff1)) corresponds to user A's digital signature. Here, the data that combines H(diff1) and Sig(H(diff1)) is denoted "1.audit".
Next, the WF management unit 133 requests user B to approve the document 820a. In response to user B's approval of the document 820a, the signature processing unit 134 processes the document 820a and generates the document 830 (step ST31). Specifically, in response to user B's approval of the document 820a, the signature processing unit 134 adds user B's signature image to the intra-organization signature frame 822a. The signature processing unit 134 also attaches user B's digital signature to the document 820a in response to that approval. The signature processing unit 134 stores the document 830, to which user B's digital signature has been attached, in the cloud system 600.
The document 830 has a text R1b and document format information R2b. As described above, the text R1b has a signed signature frame 831 and a signed signature frame 832. The signed signature frame 831 is the same as the signed signature frame 821a. The signed signature frame 832 is user B's intra-organization signature frame 822a with user B's signature image added. User B's digital signature is added to the extension area of the document format information R2b as follows.
The signature processing unit 134 creates difference information diff2. The difference information diff2 indicates the difference between the contents of the text R1a at the time approval was requested from user B and the contents of the text R1b immediately after user B's approval. The signature processing unit 134 also appends the contents of the text R1a at the time of the approval request to the data "previous.audit" in the extension area of the document format information R2b. In this way, "previous.audit" holds the update history of the text R1b. The signature processing unit 134 then adds, to the extension area of the document format information R2b, the hash value H(diff2) of the difference information diff2 and the value Sig(H(diff2)) obtained by encrypting the hash value H(diff2) with user B's private key. Sig(H(diff2)) corresponds to user B's digital signature.
In this way, the document 830 carries the digital signatures of both users A and B. When the WF for a document moves to organization Y, the signature processing unit 134 attaches the digital signatures of organization Y's users to that document in the same way.
When verifying a digital signature, for example, the verification processing unit 137 obtains the hash value H(diff2) by decrypting Sig(H(diff2)) with user B's public key. The verification processing unit 137 can obtain organization X's WF verification information, which includes user B's public key, from the organization X server 300 holding organization X's public key DB, in the same way as it obtains the public keys of organization Y's users as illustrated in FIG. 12.
For example, the verification processing unit 137 obtains the difference between the texts R1a and R1b based on the data "previous.audit" in the document 830 and computes its hash value. If that hash value matches the hash value H(diff2), the verification processing unit 137 determines that verification of user B's digital signature has succeeded. On the other hand, if Sig(H(diff2)) cannot be decrypted with user B's public key, or if it can be decrypted but the hash value of the difference between the texts R1a and R1b does not match the hash value H(diff2), verification of the digital signature fails. The verification processing unit 137 likewise verifies user A's digital signature on the document 830 by checking whether the hash value of the difference between the texts R1 and R1a, based on the data "previous.audit", matches the hash value H(diff1). Here, the verification processing unit 137 obtains the hash value H(diff1) by decrypting Sig(H(diff1)) with user A's public key.
When verifying the digital signature of a user of organization X, the verification processing unit 137 determines whether the digital signature verifies successfully with any of the public keys included in organization X's WF verification information. If verification succeeds with any of those public keys, the verification processing unit 137 determines that the digital signature was made by a legitimate user of organization X and that the document is authentic. If verification fails with every public key included in organization X's WF verification information, the verification processing unit 137 determines that the digital signature was made by an unauthorized user and that the document is not authentic. The verification processing unit 137 verifies organization Y's digital signatures in the same way, using organization Y's WF verification information 116.
Next, the signature verification procedure of the control server 100 will be described.
FIG. 17 is a flowchart showing an example of signature verification.
(S40) The verification processing unit 137 receives a request to verify a user's digital signature attached to a document. For example, a user of organization X can operate the client device 200 to input to the control server 100 a request to verify the digital signature of a user of organization Y on a document to which that user of organization Y has attached a digital signature.
(S41) The verification processing unit 137 verifies each user's digital signature attached to the document, for example by the method described with reference to FIG. 16. For example, the verification processing unit 137 can acquire the public key used to verify the digital signature of a user of organization Y in the same way as it acquires the WF verification information 116.
(S42) The verification processing unit 137 determines whether verification of all digital signatures attached to the document has succeeded. If all digital signatures have been verified successfully, the process proceeds to step S43. If verification of at least one digital signature has failed, the process proceeds to step S44. Here, the digital signatures to be verified may be limited to those of users of an organization specified by the user (for example, organization Y).
(S43) The verification processing unit 137 responds that the document is authentic. The signature verification then ends.
(S44) The verification processing unit 137 responds that the document is not authentic and that it has been tampered with by a third party. The signature verification then ends. Note that if, for example, verification of a digital signature attached in organization Y fails with every public key in the WF verification information 116, the third party may include a user who belongs to organization Y but has not been officially authorized by organization Y as a WF approval request destination.
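The diff-based signing of FIG. 16 and the all-signatures check of steps S41 to S44, as an added example that is not code from this publication. Textbook RSA over toy Mersenne-prime keys stands in for the users' key pairs only to mirror "the hash value encrypted with the private key"; the dictionary layout, function names and sample texts are assumptions, and a real system would use a vetted signature library with padded signatures.

```python
import copy
import difflib
import hashlib

E = 65537  # public exponent shared by the toy keys


def toy_keypair(p_exp, q_exp):
    """Textbook RSA key from two Mersenne primes 2**k - 1 (toy key, not secure)."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}, {"n": n, "e": E}


def diff_hash(old, new):
    """H(diff): SHA-256 over a deterministic line diff of two text versions."""
    diff = "\n".join(difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm=""))
    return int.from_bytes(hashlib.sha256(diff.encode("utf-8")).digest(), "big")


def new_document(text):
    """Document with an empty extension area (assumed layout)."""
    return {"text": text, "ext": {"previous.audit": [], "signatures": []}}


def approve(doc, approved_text, private_key):
    """Record the pre-approval text in previous.audit and append H(diff), Sig(H(diff))."""
    digest = diff_hash(doc["text"], approved_text)
    sig = pow(digest, private_key["d"], private_key["n"])
    doc["ext"]["previous.audit"].append(doc["text"])
    doc["ext"]["signatures"].append({"H": digest, "Sig": sig})
    doc["text"] = approved_text


def verify(doc, wf_verification_info):
    """Check every signature against the organization's public keys.

    Returns (authentic, signers); signers[i] is the key owner that verified
    signature i, or None when no key in wf_verification_info verifies it.
    """
    versions = doc["ext"]["previous.audit"] + [doc["text"]]
    sigs = doc["ext"]["signatures"]
    if not sigs or len(sigs) != len(versions) - 1:
        return False, []  # unsigned, or history and signatures out of step
    signers = []
    for i, entry in enumerate(sigs):
        recomputed = diff_hash(versions[i], versions[i + 1])
        signer = None
        for user, pub in wf_verification_info.items():
            if not (isinstance(entry["Sig"], int) and 0 <= entry["Sig"] < pub["n"]):
                continue
            recovered = pow(entry["Sig"], pub["e"], pub["n"])  # "decrypt" with public key
            if recovered == entry["H"] == recomputed:
                signer = user
                break
        signers.append(signer)
    return all(s is not None for s in signers), signers


# Constructed sample data: three versions of the text and three toy key pairs.
R1 = "Purchase order 42\nAmount: 100\n[frame A: ]\n[frame B: ]"
R1A = R1.replace("[frame A: ]", "[frame A: signed]")
R1B = R1A.replace("[frame B: ]", "[frame B: signed]")
PRIV_A, PUB_A = toy_keypair(127, 521)
PRIV_B, PUB_B = toy_keypair(107, 607)
PRIV_Z, PUB_Z = toy_keypair(89, 1279)  # user not registered for this WF
ORG_X_KEYS = {"userA": PUB_A, "userB": PUB_B}  # stands in for WF verification information


def demo():
    good = new_document(R1)
    approve(good, R1A, PRIV_A)
    approve(good, R1B, PRIV_B)

    tampered = copy.deepcopy(good)  # text altered after both approvals
    tampered["text"] = tampered["text"].replace("Amount: 100", "Amount: 900")

    rehashed = copy.deepcopy(tampered)  # attacker also replaces the stored H(diff)
    rehashed["ext"]["signatures"][1]["H"] = diff_hash(R1A, rehashed["text"])

    outsider = new_document(R1)  # second approval made with an unregistered key
    approve(outsider, R1A, PRIV_A)
    approve(outsider, R1B, PRIV_Z)

    cases = [("good", good), ("tampered", tampered),
             ("rehashed", rehashed), ("outsider", outsider)]
    return {name: verify(d, ORG_X_KEYS) for name, d in cases}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Because each signature is tried against every key in the organization's list, the returned signer names let a caller additionally compare who signed against the approval route recorded in the document.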
In this way, the control server 100 can also verify the reliability of a document by verifying the digital signatures attached to it.
The control server 100 can thus make it possible to verify the reliability of documents subject to a WF that spans organizations. In addition, the information processing device 10 can support the approval work of users in each of the organizations the document passes through while making it possible to verify the reliability of the document.
The control server 100 can also implement a service (TaaS) that allows WFs to be dynamically added to and updated for a document and that guarantees data authenticity with digital signatures. The control server 100 allows the WF for a document to be updated dynamically. Therefore, by making it possible to verify the legitimacy of a WF based on the document at the request of a user other than the one who set the WF, it can help ensure that approval work by users belonging to different organizations is carried out properly.
Furthermore, by controlling the WF so that it proceeds properly across organizations, the control server 100 makes it possible to link the approval work of each user in each organization into a single series of operations spanning multiple organizations. As a result, the control server 100 can extend the scope of TaaS from a single organization to multiple organizations.
Next, modifications of WF control by the control server 100 will be described.
(First modification)
The first modification is an example in which the control server 100 moves the document 830 from the cloud system 600 to the cloud system 700.
FIG. 18 is a diagram showing an example of document movement.
The control unit 130 may further have a data moving unit 138 in addition to the functions illustrated in FIG. 4. The storage unit 110 also stores cloud service access information 118. The cloud service access information 118 holds account information for accessing the cloud service available to organization Y in the cloud system 700. For example, the cloud service access information 118 associates the identification information of the organization to which a document is sent with the URL (Uniform Resource Locator) of the cloud service and the ID and password (PW) for accessing the cloud service. The cloud service access information 118 may also include the address of the mailing list to which the notification unit 135 sends notifications for that organization. Although not illustrated, the cloud service access information 118 may also include organization X's account information for accessing the cloud system 600.
The data moving unit 138 moves the document 830 from the cloud system 600 to the cloud system 700. For example, when the document 830, for which approval by users A and B of organization X is complete, is stored in the cloud system 600, the notification unit 135 notifies a predetermined user of organization Y that the WF has come around to organization Y. At the same time, the data moving unit 138 acquires the document 830 from the cloud system 600 and moves it to the cloud system 700. In doing so, the data moving unit 138 obtains, from the cloud service access information 118, the URL of the cloud service corresponding to organization Y and the ID and password for accessing it. The data moving unit 138 accesses the cloud service and stores the document 830 in the storage on the cloud system 700 provided by that cloud service.
The signature frame updating unit 136 updates the document 830 on the cloud system 700 to the document 850 by adding, for example, the approval route information received from the client device 400 to the document 830. The WF management unit 133 then starts the WF in organization Y based on the document 850.
FIG. 19 is a flowchart showing the first modification of WF control.
(S50) The signature processing unit 134 sequentially attaches the digital signatures of users A and B to the document 820 stored in the cloud system 600, in accordance with organization X's approval route. As a result, the signature processing unit 134 generates the document 830 and stores it in the cloud system 600.
(S51) The notification unit 135 notifies organization Y's mailing list that the WF has come around to organization Y.
(S52) Based on the cloud service access information 118, the data moving unit 138 moves the document 830 from the cloud system 600 used by organization X to the cloud system 700 used by organization Y.
(S53) The signature frame updating unit 136 accepts, for the document 830, registration of organization Y's approval route by a user of organization Y.
(S54) The signature frame updating unit 136 generates the document 850 by converting the inter-organization signature frame 833 for organization Y in the document 830 into intra-organization signature frames 853 and 854, and stores it in the cloud system 700. In step S54, the signature frame updating unit 136 may instead generate a document 840, and the personal name conversion unit 132 may generate the document 850 based on the document 840.
(S55) The WF management unit 133 advances the WF according to the approval route set in the document 850. The signature processing unit 134 sequentially attaches digital signatures to the document 850 in response to the approvals of users C and D of organization Y. The WF control then ends.
In this way, the control server 100 may move the document 830, for which approval in organization X is complete, from the cloud system 600 to the cloud system 700 without storing it in the inter-organizational shared data storage unit 150 of the control server 100. This allows the control server 100 to accommodate users who do not want to entrust the document 830 to the control server 100.
(Second modification)
The second modification is an example in which the control server 100 encrypts the document 830.
FIG. 20 is a diagram showing an example of document encryption.
The control unit 130 may further have a data moving unit 138, an encryption unit 139 and a decryption unit 140 in addition to the functions illustrated in FIG. 4. The storage unit 110 further stores key information 119. Although not illustrated, the storage unit 110 also stores the cloud service access information 118 used by the data moving unit 138.
The encryption unit 139 generates a document 830a by encrypting the document 830, for which approval in organization X is complete, and stores it in the cloud system 600. The key used to encrypt the document 830 is held in the key information 119 in advance. The key used to encrypt the document 830 is, for example, the public key corresponding to organization Y. Because the document 830a is the document 830 in encrypted form, it may also be called encrypted data.
When the document 830a is stored in the cloud system 600, the notification unit 135 notifies the user of organization Y that the WF has come around. The data moving unit 138 moves the document 830a, instead of the document 830, from the cloud system 600 to the cloud system 700.
When accepting registration of the approval route for the document 830 by a user of organization Y using the client device 400, the decryption unit 140 decrypts the encrypted document 830a into the document 830 and stores it in the cloud system 700. The key used for decryption is held in the key information 119 in advance. The key used for decryption is, for example, the private key corresponding to organization Y.
The signature frame updating unit 136 updates the document 830 on the cloud system 700 to the document 850 by adding the approval route information received from the client device 400 to the document 830 obtained by the decryption unit 140. The WF management unit 133 then starts the WF in organization Y based on the document 850.
FIG. 21 is a flowchart showing the second modification of WF control.
In the procedure of the second modification, the control server 100 follows the procedure of the first modification illustrated in FIG. 19, executing step S50a after step S50 and step S53a after step S53. Steps S50a and S53a are therefore mainly described here, and description of the other steps is omitted.
(S50a) The encryption unit 139 generates the encrypted document 830a by encrypting the document 830 with organization Y's public key, and stores it in the cloud system 600. The process then proceeds to step S51.
In step S52, as described above, the data moving unit 138 moves the encrypted document 830a, instead of the document 830, from the cloud system 600 to the cloud system 700.
(S53a) The decryption unit 140 generates the document 830 by decrypting the encrypted document 830a, which has been moved to the cloud system 700, with organization Y's private key, and stores it in the cloud system 700. The process then proceeds to step S54.
In this way, the document that the control server 100 moves from the cloud system 600 to the cloud system 700 is not the document 830 but the document 830a obtained by encrypting it.
Here, for example, if a user sends the document 830 to a system used by an organization other than organizations X and Y, the document 830 could be used by an organization unrelated to the WF. For example, a user of organization X might use the client device 200 to download the document 830 from the cloud system 600 and send it to a system used by an organization other than organizations X and Y.
Therefore, the control server 100 holds an encryption key for each destination organization of a document. When moving data across organizations, the control server 100 encrypts the document with, for example, the public key of the destination organization specified in the WF, and when the destination organization's WF is updated, it decrypts the encrypted document with the destination's private key. Then, for example, because the encrypted document 830a cannot be decrypted except via the control server 100, it cannot be decrypted in a system used by an organization other than organizations X and Y. In this way, the control server 100 can enforce that data is used only by the organizations along the WF and can prevent the contents of the document 830 from being obtained improperly.
(Third modification)
The third modification is an example in which the control server 100 performs WF control in cooperation with the WF management tools of organizations X and Y. Here, a WF management tool is a function that executes the WF within its organization.
FIG. 22 is a diagram showing an example of cooperation with the WF management tool of each organization.
For example, the organization X server 300 may have an organization X approval route storage unit 310 and a WF management tool 320. The organization X approval route storage unit 310 stores information on approval routes in organization X according to document attributes.
The WF management tool 320 refers to the organization X approval route storage unit 310, acquires organization X's approval route for the document subject to the WF, and provides it to the control server 100. The WF management tool 320 also accepts approvals from users of organization X and notifies the control server 100 that the approval has been given.
Similarly, the organization Y server 500 may have an organization Y approval route storage unit 510 and a WF management tool 520. The organization Y approval route storage unit 510 stores information on approval routes in organization Y according to document attributes.
The WF management tool 520 refers to the organization Y approval route storage unit 510, acquires organization Y's approval route for the document subject to the WF, and provides it to the control server 100. The WF management tool 520 also accepts approvals from users of organization Y and notifies the control server 100 that the approval has been given.
Here, the control unit 130 may further have cooperation units 141 and 142 in addition to the functions illustrated in FIG. 4. The cooperation unit 141 cooperates with the WF management tool 320 to support the processing of the signature frame insertion unit 131 and the signature processing unit 134 on documents stored in the cloud system 600. The cooperation unit 142 cooperates with the WF management tool 520 to support the processing of the signature frame updating unit 136. For example, the control server 100 cooperates with the WF management tools 320 and 520 as follows.
First, a user of organization X uses the client device 200 to register the document 800, which is subject to a WF spanning organizations X and Y, in the cloud system 600.
The signature frame insertion unit 131 then acquires organization X's approval route for the document 800 from the WF management tool 320 via the cooperation unit 141. Assume that organization X's approval route includes users A and B. The signature frame insertion unit 131 generates the document 820 by setting, in the document 800, intra-organization signature frames for organization X that indicate organization X's approval route and an inter-organization signature frame that indicates the next organization Y, and stores it in the cloud system 600. The cooperation unit 141 notifies the WF management tool 320 that the document 820 has been stored in the cloud system 600.
The WF management tool 320 starts the WF in organization X for the document 820. The WF management tool 320 sequentially accepts the approvals of users A and B of organization X for the document 820 and notifies the control server 100 that the approvals by users A and B have been accepted. When notified via the cooperation unit 141 that an approval by user A or B has been accepted, the signature processing unit 134 adds that user's signature image to the intra-organization signature frame of the document 820 and attaches that user's digital signature to the document 820.
When the approvals of users A and B of organization X are complete, the signature processing unit 134 moves the document 830, to which the digital signatures of users A and B have been attached, to the inter-organizational shared data storage unit 150. The notification unit 135 then notifies the user of organization Y that the WF has come around. The user of organization Y operates the client device 400 to specify to the WF management tool 520 the approval route in organization Y for the document 830.
The signature frame updating unit 136 then acquires organization Y's approval route for the document 830 from the WF management tool 520 via the cooperation unit 142. Assume that organization Y's approval route includes users C and D. The signature frame updating unit 136 generates the document 850 by updating the inter-organization signature frame in the document 830 to intra-organization signature frames indicating organization Y's approval route, and stores it in the cloud system 700.
The WF management tool 520 then starts the WF in organization Y for the document 850. Thereafter, the control server 100 cooperates with the WF management tool 520 to sequentially attach the digital signatures of users C and D to the document 850 in response to the approvals of users C and D of organization Y.
FIG. 23 is a flowchart showing the third modification of WF control.
(S60) The cooperation unit 141 detects that user A of organization X has saved the document 800 in the cloud system 600 and notifies the signature frame insertion unit 131 of the detection.
(S61) The signature frame insertion unit 131 acquires organization X's approval route from organization X's WF management tool 320 via the cooperation unit 141 and inserts it into the document 800. The signature frame insertion unit 131 also inserts into the document 800 an inter-organization signature frame indicating the next organization Y. The document 800 is thereby updated to the document 820. In step S61, the signature frame insertion unit 131 may instead insert a template of organization X's signature frames into the document 800 to generate the document 810, and the personal name conversion unit 132 may generate the document 820 from the document 810. The WF within organization X is then started for the document 820 by the WF management tool 320.
(S62) The signature processing unit 134 receives, via the cooperation unit 141, notification that user A has given approval in response to the approval request sent to user A by organization X's WF management tool 320. The signature processing unit 134 then attaches user A's digital signature to the document 820. The document 820 is thereby updated to the aforementioned document 820a.
(S63) The signature processing unit 134 notifies organization X's WF management tool 320, via the cooperation unit 141, that user A's digital signature has been completed.
(S64) The signature processing unit 134 receives, via the cooperation unit 141, notification that user B has given approval in response to the approval request sent to user B by organization X's WF management tool 320. The signature processing unit 134 then attaches user B's digital signature to the document 820a. The document 820a is thereby updated to the document 830.
(S65) The signature processing unit 134 notifies organization X's WF management tool 320, via the cooperation unit 141, that user B's digital signature has been completed. The WF within organization X by the WF management tool 320 thereby ends.
(S66) When the signature processing unit 134 detects that the digital signatures of all users A and B who are approval request destinations in organization X have been attached to the document 830, it moves the document 830 to the inter-organization data sharing area. The notification unit 135 then notifies a predetermined mailing list of organization Y that the WF has come around to organization Y.
(S67) The signature frame updating unit 136 acquires organization Y's approval route for the document 830 from organization Y's WF management tool 520 via the cooperation unit 142. The signature frame updating unit 136 inserts organization Y's approval route into the document 830 by converting the inter-organization signature frame of the document 830 into intra-organization signature frames indicating organization Y's approval route. The document 830 is thereby updated to the document 850. The WF within organization Y is then started for the document 850 by the WF management tool 520. As in step S61, organization Y's approval route may be set in the document 850 by the signature frame updating unit 136 and the personal name conversion unit 132.
(S68) The signature processing unit 134 receives, via the cooperation unit 142, notification that a user of organization Y has given approval in response to the approval request sent to that user by organization Y's WF management tool 520. The signature processing unit 134 then attaches that user's digital signature to the document 850. Thereafter, the control server 100 advances organization Y's WF in cooperation with the WF management tool 520. When the digital signatures of all users who are request destinations in organization Y have been attached to the document 850, the WF within organization Y by the WF management tool 520 ends, and the WF control of the control server 100 also ends.
In this way, the control server 100 can also cooperate with the WF management tool that each organization has. This lets the control server 100 make each organization's use of cross-organization document WFs more flexible. For example, by allowing each organization to keep using its existing WF management tool, the burden of introducing WFs for cross-organization documents is reduced.
(Fourth modification)
The fourth modification is an example in which the control server 100 converts the multiple per-user signed signature frames in the document 830 into a per-organization signed signature frame. In this case, the control server 100 also converts the multiple per-user digital signatures into a per-organization digital signature.
FIG. 24 is a diagram showing an example of signature conversion.
The control unit 130 may further have a signature conversion unit 143 and a document relationship management unit 144 in addition to the functions illustrated in FIG. 4.
The signature conversion unit 143 converts the signed signature frames 831 and 832 of users A and B in the document 830 into a signed signature frame 831b for organization X as a unit. Here, the signed signature frame 831b is, for example, a signature frame to which an image of a seal of organization X, such as the company seal, has been attached. Like the signed signature frames 831 and 832, the signed signature frame 831b is described in the document using, for example, the "o:signatureline" tag.
Furthermore, the signature conversion unit 143 converts the digital signatures of users A and B attached to the document 830 into a digital signature of organization X. The signature conversion unit 143 may use, for example, an e-seal as the per-organization digital signature. The signature conversion unit 143 thereby updates the document 830 to the document 830b. The digital signature of organization X is held in the document 830b by the method illustrated in FIG. 16, in the same way as a user's personal digital signature.
At this time, the signature conversion unit 143 leaves the document 830 before signature conversion on the cloud system 600 and adds pointer information 835b indicating the document 830 to the document 830b. That is, the document 830b has the signed signature frame 831b, an inter-organization signature frame 833b and the pointer information 835b. The inter-organization signature frame 833b is the same as the inter-organization signature frame 833.
For example, the pointer information 835b is the ID of the document 830. When the pointer information 835b is added to the document 830b, the document relationship management unit 144 records, in the storage unit 110, document correspondence information 120 indicating the correspondence between the ID of the document 830 and the storage location of the document 830 in the cloud system 600.
The signature conversion unit 143 moves the document 830b after signature conversion to the inter-organization shared data storage unit 150. The notification unit 135 then notifies a user of organization Y that the WF has reached organization Y. The signature frame update unit 136 accepts the setting of organization Y's approval path by a user of organization Y and sets organization Y's approval path in the document 830b. As a result, the document 830b is updated to the document 850a. The signature frame update unit 136 stores the document 850a in the cloud system 700.
The document 850a has a signed signature frame 851a, intra-organization signature frames 853a and 854a, and pointer information 855a. The signed signature frame 851a is the same as the signed signature frame 831b. The intra-organization signature frames 853a and 854a are the same as the intra-organization signature frames 853 and 854. The pointer information 855a is the same as the pointer information 835b.
In this way, when approval in organization X is complete, the control server 100 may convert the per-user digital signatures of organization X into a digital signature for organization X as a unit. In this case, the verification processing unit 137 can verify the digital signature of organization X based on, for example, the document 850a. This makes it possible to verify that the content of the document 850a has been approved by organization X. The verification processing unit 137 can also identify the document 830 based on the pointer information 855a and the document correspondence information 120, and verify the digital signatures of users A and B attached to the document 830.
FIG. 25 is a flowchart showing the fourth modification of WF control.
(S70) When the document 830 is stored in the cloud system 600, the signature conversion unit 143 detects that signature processing by each user of organization X for the document 830 has been completed. The signature conversion unit 143 may detect this completion from a notification sent by the signature processing unit 134.
(S71) The signature conversion unit 143 requests the verification processing unit 137 to perform WF verification for organization X. The verification processing unit 137 performs WF verification for organization X based on the document 830 and returns the result to the signature conversion unit 143. The verification processing unit 137 performs the WF verification for organization X according to the procedure of FIG. 15. Based on the result, the signature conversion unit 143 determines whether all users on organization X's approval path are valid. If all users on organization X's approval path are valid, the process proceeds to step S73. If there is an unauthorized user on organization X's approval path, the process proceeds to step S72.
(S72) The signature conversion unit 143 stops signature processing, and the WF control ends. In this case, the signature conversion unit 143 notifies a predetermined user of organization X that the WF cannot be continued for the document 830 because organization X's approval path includes an unauthorized user.
(S73) The signature conversion unit 143 updates the document 830 to the document 830b by deleting the personal signatures of organization X in the document 830, that is, the digital signatures of users A and B, and inserting the signature of organization X. At this time, the signature conversion unit 143 leaves the document 830 on the cloud system 600. The signature conversion unit 143 also deletes the per-user signed signature frames 831 and 832 and replaces them with the per-organization signed signature frame 831b.
(S74) The signature conversion unit 143 moves the document 830b after signature conversion to the cloud system 600 used by organization X.
(S75) The signature conversion unit 143 sets the pointer information 835b, which corresponds to the ID of the document 830 before signature conversion, in the document 830b after signature conversion. The document relationship management unit 144 also saves, in the storage unit 110, the document correspondence information 120, which indicates the storage location on the cloud system 600 of the document 830 corresponding to the pointer information 835b.
(S76) The signature conversion unit 143 moves the document 830b to the inter-organization shared data storage unit 150.
(S77) The notification unit 135 notifies a user of organization Y that the WF has arrived. The signature frame update unit 136 accepts organization Y's approval path for the document 830b from a user of organization Y and converts the inter-organization signature frame 833b into organization Y's intra-organization signature frames 853a and 854a. As a result, the document 830b is updated to the document 850a. The signature frame update unit 136 stores the document 850a in the cloud system 700. In step S77, the signature frame update unit 136 may instead generate, based on the document 830b, a document containing a template of organization Y's approval path, and the personal name conversion unit 132 may generate the document 850a from that document. The WF management unit 133 then starts the WF in organization Y. When approval by users C and D of organization Y and the attachment of their digital signatures to the document 850a are complete, the WF control ends.
FIG. 26 is a flowchart showing an example of signature verification in the fourth modification.
(S80) The verification processing unit 137 receives, from a user of organization Y, a personal name verification request for the document 850a already signed by organization X. For example, a user of organization Y can operate the client device 400 to input the personal name verification request to the control server 100.
(S81) The verification processing unit 137 refers to the document correspondence information 120 using the ID indicated by the pointer information 855a recorded in the document 850a and identifies the document 830 before signature conversion. The verification processing unit 137 accesses the document 830 in the cloud system 600.
(S82) The verification processing unit 137 verifies the digital signatures on the document 830 before signature conversion, that is, the digital signatures of users A and B of organization X, and acquires the approval history in organization X.
(S83) The verification processing unit 137 responds with the approval history of the entire document, including the approval history of organization X and the approval history of organization Y. For example, the document 850a may also carry the digital signatures of user C and user D of organization Y. In that case, the verification processing unit 137 also verifies the digital signatures of the users of organization Y, acquires the approval history of organization Y, and returns it to the client device 400 together with the approval history of organization X. For example, if verification of any user's digital signature fails, the verification processing unit 137 notifies the user who requested verification that the document 850a has been changed by an unauthorized user. The signature verification then ends.
In this way, the control server 100 may convert the per-user signed signature frames 831 and 832 and the per-user digital signatures of organization X in the document 830 into the signed signature frame 831b and the digital signature for organization X as a unit, respectively. In this case, the body of the document 830b does not contain the personal names of the users who gave approval in organization X. Therefore, when a user of organization Y views the body of the document 850a generated from the document 830b, the personal names of the users who gave approval in organization X are concealed. In addition, because the control server 100 can identify the document 830 before signature conversion from the pointer information 855a included in the document 850a, it can still properly verify the digital signatures of the users who gave approval in organization X.
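The conversion flow of FIG. 25 (S71 to S75) and the personal-name verification of FIG. 26 (S80 to S83), modelled as an added Python example that is not code from the patent. The class, field and function names are hypothetical, the cloud system and correspondence table are in-memory dictionaries, and Lamport one-time signatures stand in for the digital-signature algorithm, which the page does not name.

```python
import hashlib
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Stand-in signature scheme (assumption): Lamport one-time signatures, so the
# block needs only the standard library. Each key must sign a single message.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = tuple((_h(a), _h(b)) for a, b in sk)
    return sk, pk


def _bits(msg: bytes):
    digest = _h(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    bits = _bits(msg)
    return len(sig) == 256 and all(_h(s) == pk[i][bits[i]] for i, s in enumerate(sig))


def make_signed_document(doc_id, body, signers):
    """Constructed sample document; signers is a list of (name, sk, pk)."""
    return {"id": doc_id, "body": body, "pointer": None,
            "signatures": [{"name": n, "pk": pk, "sig": sign(sk, body)}
                           for n, sk, pk in signers]}


class ControlServer:
    """Hypothetical model of the signature conversion, document relationship
    management and verification processing roles described in the text."""

    def __init__(self, org_name, org_sk, org_pk, wf_verification_info):
        self.org_name, self.org_sk, self.org_pk = org_name, org_sk, org_pk
        self.allowed_keys = set(wf_verification_info)  # keys of permitted approvers
        self.cloud = {}           # stands in for the cloud system: location -> document
        self.correspondence = {}  # document correspondence information: ID -> location

    def wf_verify(self, doc):
        """S71/S82: a signer is valid only if the key is on the organization's
        list AND the signature verifies over the document body."""
        return [(s["name"],
                 s["pk"] in self.allowed_keys and verify(s["pk"], doc["body"], s["sig"]))
                for s in doc["signatures"]]

    def convert(self, doc, location):
        """S71-S75: replace per-user signatures with one organization signature."""
        if not doc["signatures"] or not all(ok for _, ok in self.wf_verify(doc)):
            return None                            # S72: stop, invalid user on the path
        self.cloud[location] = doc                 # S73: the original stays in place
        self.correspondence[doc["id"]] = location  # S75: ID -> storage location
        return {"id": doc["id"] + "b", "body": doc["body"],
                "pointer": doc["id"],              # pointer information
                "signatures": [{"name": self.org_name, "pk": self.org_pk,
                                "sig": sign(self.org_sk, doc["body"])}]}

    def verify_personal(self, converted):
        """S80-S83: check the organization signature, then follow the pointer
        to the pre-conversion document and check each user signature."""
        seal = converted["signatures"][0]
        if seal["pk"] != self.org_pk or not verify(seal["pk"], converted["body"], seal["sig"]):
            return {"org_ok": False, "history": []}
        original = self.cloud.get(self.correspondence.get(converted["pointer"]))
        if original is None:                       # pointer does not resolve
            return {"org_ok": True, "history": []}
        return {"org_ok": True, "history": self.wf_verify(original)}
```

The converted document carries no per-user names or keys, yet `verify_personal` still recovers the per-user approval history through the pointer, and any later change to the stored original shows up as failed user signatures.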
Note that, in addition to the functions illustrated in FIG. 4, the control unit 130 may have all of the data movement unit 138, the encryption unit 139, the decryption unit 140, the cooperation units 141 and 142, the signature conversion unit 143 and the document relationship management unit 144 shown in the second to fourth modifications.
As described above, the control server 100 executes, for example, the following processing.
When the control server 100 detects registration of a document to which an electronic signature corresponding to a user belonging to a first organization is attached and to which an electronic signature corresponding to a user belonging to a second organization is not attached, it sends a notification about the document to a predetermined registered user belonging to the second organization. When the control server 100 receives, in response to the notification, a list including users in charge belonging to the second organization, it stores the list in the storage unit 110. The control server 100 accepts a verification request from a user belonging to the first organization. The control server 100 then uses the public key associated with the user in charge included in the list to verify at least one of the electronic signature attached to the document at the time of the verification request and the information of a requested user belonging to the second organization, which is attached to the document as the request destination for an electronic signature. The control server 100 transmits, as a response to the verification request, evaluation information regarding at least one of the signature status of the document according to the verification result and the requested user.
As a result, in a WF spanning multiple organizations, when the WF of a document within an organization is carried out along an approval path set by that organization, the control server 100 enables verification of the document's reliability in response to a verification request from another organization. Organization X is an example of the first organization. Organization Y is an example of the second organization. The mailing list 501 is an example of the above list. As illustrated in the second embodiment, the control server 100 may convert the mailing list 501 into the temporary ID list 117 and hold it.
In addition, in response to the notification to the registered user belonging to the second organization, the control server 100 acquires information on the requested user for the electronic signature on the document in the second organization and sets that information in the document.
As a result, the control server 100 can, for example, defer the setting of the approval path in the second organization at the time the WF starts in the first organization. The control server 100 can therefore make the setting of approval paths for documents in the second organization more flexible.
The control server 100 also sets the information of the requested user in the document as information of a signature frame to which the requested user's signature image is added when the requested user approves the document, that is, as information of an intra-organization signature frame.
As a result, the control server 100 can identify the next user to be asked for approval from the signature frame information in the document and can request approval from that user. The signature image may be an image of the requested user's handwritten signature or an image of the requested user's seal stamp.
When verifying the information of the requested user, the control server 100 acquires a first public key corresponding to the information of the requested user included in the document. The control server 100 then decides whether the requested user in the document is valid according to whether the first public key is included among the public keys associated with the users in charge included in the list.
As a result, the control server 100 can properly verify the validity of the requested user based on public keys, which are open information disclosed to each user. The public key included in the WF verification information 116 is an example of a public key associated with a user in charge included in the list. The user's public key obtained based on the information of the intra-organization signature frame in the document is an example of the first public key.
In detecting registration of the document, the control server 100 detects that the document has been registered in a first cloud service used by the first organization. The control server 100 then registers the document registered in the first cloud service with a second cloud service used by the second organization, based on access information for the second cloud service.
As a result, the control server 100 can also flexibly accommodate users who do not want to entrust their documents to the control server 100. The cloud service provided by the cloud system 600 is an example of the first cloud service. The cloud service provided by the cloud system 700 is an example of the second cloud service.
At this time, the control server 100 may encrypt the document registered in the first cloud service using a common key corresponding to the second organization or a public key corresponding to the second organization, and register the encrypted document in the second cloud service. The control server 100 may then decrypt the encrypted document registered in the second cloud service using the common key or a private key corresponding to the second organization.
As a result, even if the document were leaked to a third party when the control server 100 re-registers the document from the first cloud service in the second cloud service, the encryption prevents the content of the document from being obtained illegitimately. The encryption may be performed using common key cryptography or public key cryptography.
For example, in the second embodiment, it is also conceivable that the information on the TaaS-related service provided to organization X by the control server 100 and the information on the TaaS-related service provided to organization Y are not shared between the two services. In this case, the control server 100 uses public key cryptography to encrypt the document.
When the control server 100 is notified by a first information processing device of the first organization that a user of the first organization has approved the document, it may add the electronic signature of that user to the document. Likewise, when the control server 100 is notified by a second information processing device of the second organization that a user of the second organization has approved the document, it may add the electronic signature of that user to the document.
In this way, the control server 100 can also add electronic signatures to a document in cooperation with the first information processing device and the second information processing device. This lets each organization make effective use of its existing assets and makes it easier for each organization to start using the functions of the control server 100. The organization X server 300 is an example of the first information processing device. The organization Y server 500 is an example of the second information processing device.
Furthermore, before sending the notification to the registered user belonging to the second organization, the control server 100 may generate a document after signature conversion by performing signature conversion, which converts the electronic signature of the user belonging to the first organization attached to the document into an electronic signature corresponding to the first organization. In this case, the control server 100 adds, to the document after signature conversion, identification information indicating the document before signature conversion. When the control server 100 receives a request to verify the electronic signature of a user belonging to the first organization for the document after signature conversion, it acquires the document before signature conversion based on the identification information. The control server 100 then verifies the electronic signature of the user belonging to the first organization that is attached to the document before signature conversion.
As a result, the control server 100 enables, for example, a user of the second organization to verify that the document to be approved is a document approved by the first organization. The control server 100 can also remove information on the users of the first organization from the document referenced in the second organization. Furthermore, by tracing from the document after signature conversion back to the document before signature conversion, the control server 100 can properly verify the electronic signatures of the users of the first organization attached to the document before signature conversion. Each of the documents 830b and 850a is an example of a document after signature conversion. The document 830 is an example of a document before signature conversion. Each of the pointer information 835b and 855a is an example of identification information that is added to the document after signature conversion and indicates the document before signature conversion.
It can also be said that the control server 100 provides the following functions. In a WF consisting of intra-organization WFs, which indicate the signing order within an organization, and an inter-organization WF, which indicates the order in which data is passed between organizations, the control server 100 fixes the inter-organization WF in advance, which makes it possible to advance the WF while each intra-organization WF is decided dynamically when signing is performed in each organization. At this time, the control server 100 makes it possible to verify the correctness of the intra-organization WF decided by each organization, based on WF verification information indicating the users who can be set in the intra-organization WF.
The control server 100 may also provide, on the cloud service used by each organization, an area that the control server 100 can access. When moving data between the organizations' cloud services, the control server 100 may move the data directly between the cloud services based on the cloud service access information it holds, so that the data is not stored on the control server 100.
The control server 100 may also manage a pair of an encryption key and a decryption key corresponding to each organization. When moving data between the organizations' cloud services, the control server 100 may encrypt the data with the encryption key corresponding to the next organization set in the inter-organization WF, so that only the next organization can decrypt it, and then move the data. This improves the security of the data being moved.
The information processing of the first embodiment can be realized by causing the processing unit 12 to execute a program. The information processing of the second embodiment can be realized by causing the CPU 101 to execute a program. The program can be recorded on a computer-readable recording medium 73.
For example, the program can be distributed by distributing the recording medium 73 on which the program is recorded. Alternatively, the program may be stored in another computer and distributed via a network. The computer may, for example, store (install) the program recorded on the recording medium 73 or a program received from another computer in a storage device such as the RAM 102 or the HDD 103, and read the program from that storage device and execute it.
The above merely illustrates the principle of the present invention. Numerous modifications and changes are possible for those skilled in the art, and the present invention is not limited to the exact configurations and applications shown and described above; all corresponding modifications and equivalents are regarded as falling within the scope of the present invention as defined by the appended claims and their equivalents.
 10 Information processing device
 11 Storage unit
 12 Processing unit
 20 Document
 21 Management information
 30 List
 40 Network
 50 First organization
 51, 52, 61, 62 Client device
 60 Second organization

Claims (10)

  1.  A verification method in which a computer:
     upon detecting registration of a document to which an electronic signature corresponding to a user belonging to a first organization is attached and to which an electronic signature corresponding to a user belonging to a second organization is not attached, transmits a notification regarding the document to a predetermined registered user belonging to the second organization;
     upon receiving, in response to the notification, a list including users in charge belonging to the second organization, stores the list in a storage unit;
     upon receiving a verification request from a user belonging to the first organization, verifies, using the public keys associated with the users in charge included in the list, at least one of the electronic signature attached to the document at the time of the verification request and information on a requestee user belonging to the second organization that is attached to the document as the requestee of an electronic signature; and
     transmits, as a response to the verification request, evaluation information regarding at least one of the signature status of the document according to the result of the verification and the requestee user.
  2.  The verification method according to claim 1, wherein, in response to the notification, information on the requestee user in the second organization for the document is acquired, and the information on the requestee user is set in the document.
  3.  The verification method according to claim 2, wherein the information on the requestee user is set in the document as information on a signature frame to which a signature image of the requestee user is attached in response to the requestee user's approval of the document.
  4.  The verification method according to claim 1, wherein, when the information on the requestee user is verified, a first public key corresponding to the information on the requestee user included in the document is acquired, and whether the requestee user is legitimate is determined according to a determination of whether the first public key is included among the public keys associated with the users in charge included in the list.
  5.  The verification method according to claim 1, wherein detecting the registration of the document includes detecting that the document has been registered in a first cloud service used by the first organization, and the document registered in the first cloud service is registered in a second cloud service used by the second organization based on access information for the second cloud service.
  6.  The verification method according to claim 5, wherein:
     the document registered in the first cloud service is encrypted using a common key corresponding to the second organization or a public key corresponding to the second organization, and the encrypted document is registered in the second cloud service; and
     the encrypted document registered in the second cloud service is decrypted using the common key or a private key corresponding to the second organization.
  7.  The verification method according to claim 1, wherein, when an information processing device of the second organization notifies that a user of the second organization has approved the document, an electronic signature of the user of the second organization is added to the document.
  8.  The verification method according to claim 1, wherein:
     before the notification is transmitted, signature conversion is performed to convert the electronic signature of the user belonging to the first organization attached to the document into an electronic signature corresponding to the first organization, thereby generating the document after signature conversion, and identification information indicating the document before signature conversion is attached to the document after signature conversion; and
     upon receiving the verification request for the electronic signature of the user belonging to the first organization with respect to the document after signature conversion, the document before signature conversion is acquired based on the identification information, and the electronic signature of the user belonging to the first organization attached to the document before signature conversion is verified.
  9.  A verification program that causes a computer to execute a process comprising:
     upon detecting registration of a document to which an electronic signature corresponding to a user belonging to a first organization is attached and to which an electronic signature corresponding to a user belonging to a second organization is not attached, transmitting a notification regarding the document to a predetermined registered user belonging to the second organization;
     upon receiving, in response to the notification, a list including users in charge belonging to the second organization, storing the list in a storage unit;
     upon receiving a verification request from a user belonging to the first organization, verifying, using the public keys associated with the users in charge included in the list, at least one of the electronic signature attached to the document at the time of the verification request and information on a requestee user belonging to the second organization that is attached to the document as the requestee of an electronic signature; and
     transmitting, as a response to the verification request, evaluation information regarding at least one of the signature status of the document according to the result of the verification and the requestee user.
  10.  An information processing device comprising:
     a storage unit that stores a list of users permitted as requestees of an electronic signature for a document; and
     a processing unit that: upon detecting registration of the document to which an electronic signature corresponding to a user belonging to a first organization is attached and to which an electronic signature corresponding to a user belonging to a second organization is not attached, transmits a notification regarding the document to a predetermined registered user belonging to the second organization; upon receiving, in response to the notification, the list including users in charge belonging to the second organization, stores the list in the storage unit; upon receiving a verification request from a user belonging to the first organization, verifies, using the public keys associated with the users in charge included in the list, at least one of the electronic signature attached to the document at the time of the verification request and information on a requestee user belonging to the second organization that is attached to the document as the requestee of an electronic signature; and transmits, as a response to the verification request, evaluation information regarding at least one of the signature status of the document according to the result of the verification and the requestee user.
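
The check described in claims 1 and 4, written out as an added example in Node.js (it is not code from the patent or from the applicant). Ed25519, the SHA-256 key fingerprint, the `directory` lookup, the status strings, and the user names and document fields are all assumptions; the claims specify no algorithm or data format.

```javascript
const crypto = require('node:crypto');

// SHA-256 over the DER-encoded key, so keys are compared by value.
function fingerprint(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('hex');
}

// list:      users in charge sent by the second organization, [{ user, publicKey }]
// directory: Map from the requestee info on the document to that user's public key
//            (hypothetical lookup; the claims do not say where the key comes from)
function evaluateDocument(doc, list, directory) {
  const listed = new Set(list.map((entry) => fingerprint(entry.publicKey)));

  // Claim 4: fetch the requestee's key and test it against the listed keys.
  const requesteeKey = directory.get(doc.requestee);
  const requesteeValid =
    requesteeKey !== undefined && listed.has(fingerprint(requesteeKey));

  // Claim 1: check the signature present on the document at request time.
  let signatureStatus = 'unsigned';
  if (doc.signature) {
    const signer = list.find((entry) =>
      crypto.verify(null, doc.body, entry.publicKey, doc.signature));
    signatureStatus = signer ? `signed-by:${signer.user}` : 'invalid-or-unlisted-signer';
  }
  return { requesteeValid, signatureStatus };
}

// Constructed sample data: three second-organization users with fresh Ed25519 keys.
const keys = Object.fromEntries(['bob', 'carol', 'mallory'].map(
  (user) => [user, crypto.generateKeyPairSync('ed25519')]));
const directory = new Map(
  Object.entries(keys).map(([user, pair]) => [user, pair.publicKey]));
// Only bob and carol were named as users in charge; mallory was not.
const list = ['bob', 'carol'].map((user) => ({ user, publicKey: keys[user].publicKey }));

const body = Buffer.from('Contract draft signed by the first organization');
const sign = (user) => crypto.sign(null, body, keys[user].privateKey);

// Requestee is listed, second organization has not signed yet.
const pending = evaluateDocument({ body, requestee: 'bob' }, list, directory);
// Requestee is listed and has signed.
const approved = evaluateDocument(
  { body, requestee: 'bob', signature: sign('bob') }, list, directory);
// Requestee and signer are a real user who is not on the list.
const unlisted = evaluateDocument(
  { body, requestee: 'mallory', signature: sign('mallory') }, list, directory);

console.log({ pending, approved, unlisted });
```

A signature that fails against every listed key is reported the same way whether the body was altered or the signer is simply not on the list; the first organization sees only that no listed user in charge has validly signed.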
PCT/JP2022/004893 2022-02-08 2022-02-08 Verification method, verification program, and information processing device WO2023152797A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2022/004893 WO2023152797A1 (en) 2022-02-08 2022-02-08 Verification method, verification program, and information processing device

Publications (1)

Publication Number Publication Date
WO2023152797A1 true WO2023152797A1 (en) 2023-08-17

Family

ID=87563785

Country Status (1)

Country Link
WO (1) WO2023152797A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2000029963A (en) * 1998-07-09 2000-01-28 Ntt Data Corp Electronic settlement system
JP2002139997A (en) * 2000-11-02 2002-05-17 Dainippon Printing Co Ltd Electronic sealing system
JP2005135072A (en) * 2003-10-29 2005-05-26 Ricoh System Kaihatsu Co Ltd Secure document exchange system, document approval method, document exchange management method and program therefor
JP2005148917A (en) * 2003-11-12 2005-06-09 Ntt Data Itec Corp Document work flow system
JP2013536651A (en) * 2010-08-24 2013-09-19 コーニンクレッカ フィリップス エヌ ヴェ Attribute-based digital signature
WO2022003841A1 (en) * 2020-06-30 2022-01-06 富士通株式会社 Signature control method, signature control program, and information processing device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
YOSUKE NAKAMURA, RIKUDA KOJIMA, TADANOBU TSUNODA, KOICHI YAZAKI, DAI YAMAMOTO, KAZUAKI FUTAMURA: "2C1-1 Trust as a Service (TaaS) that guarantees the authenticity of digital data exchanged between companies", PROCEEDINGS OF 2021 CRYPTOGRAPHY AND INFORMATION SECURITY SYMPOSIUM (SCIS 2021), IEICE, JP, 22 January 2021 (2021-01-22) - 22 January 2021 (2021-01-22), JP, pages 1 - 8, XP009548612 *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 22925819; Country of ref document: EP; Kind code of ref document: A1