How to Verify an E-Certificate Japan Patent Office June 2008

CONTENTS
1. Preface
2. Verifying the Root Certificate
3. Verifying E-certificate Validity
<<Trademark notice>>
• The names of corporations and products described in this document are the trademarks or
registered trademarks of respective corporations.
1. Preface
1.1 Overview
An e-certificate (*1) is attached to an e-signature to authenticate the identity of the person who
appended the e-signature. The e-certificate is issued by a reliable organization (known as a
“certification authority” or CA). The certification authority for official publications via the
Internet is the Government Certification Authority of the Ministry of Internal Affairs and
Communications.
The user of a document with an e-signature appended must perform both e-signature
verification (*2) and e-certificate verification. Note that e-certificate verification verifies the
validity of an e-certificate.
This document describes how to verify the e-certificates of e-signatures appended to official
publications that the Japan Patent Office issues via the Internet.
*1 E-certificate issued by the Government Certification Authority of the Ministry of Internal
Affairs and Communications to authenticate the Commissioner of the Japan Patent Office
(The exclusive use for official publication based on the law)
*2 Refer to "How to Use the Japan Patent Office E-signature Publication File Verification
Program Version 2.0."
1.2 Configuration of E-certificates
The figure below shows the hierarchy of e-certificates. A higher-order certificate is used to
certify a subordinate certificate.
E-certificate hierarchy for official publications via the Internet
[Figure: the Root Certificate (*3) (for the Certification Authority of the Ministry of Internal
Affairs and Communications) sits above the Government Post Certificate (for the Commissioner
of the Japan Patent Office). A certificate one level higher than the subordinate certificate is
used to certify said subordinate certificate.]
*3 The root certificate is the self-signed, highest-level certificate that certifies itself.
1.3 E-certificate Verification
E-certificate verification consists of the two verification processes below.
• Verifying the root certificate
• Verifying e-certificate validity
E-certificate verification uses the files output as the result of E-signature Publication File
Verification by the Japan Patent Office E-signature Publication File Verification program.
Therefore, perform E-signature Publication File Verification using the E-signature Publication
File Verification program prior to e-certificate verification.
[Figure: Samples of files output by E-signature Publication File Verification, with the output
files marked <1>-1, <2>-1, <1>-2 and <2>-2]
For each downloaded file with an e-signature appended, two files used for verification are
output: (1) a file named "finger.txt" and (2) a file named "verifyresult.txt". The number of
each therefore corresponds to the number of downloaded files with e-signature appended. Each
output file should be verified during the verification process.
In the sample of files output, two downloaded files (JPD_2007001_01-02_ZIPP7 and
JPD_2007001_02-02_ZIPP7) with e-signature appended can be found, and two items used for
verification were output for each of the downloaded files.
- For "verifying the root certificate", "JPD_2007001_01-02_finger.txt<1>-1" and
"JPD_2007001_02-02_finger.txt<1>-2" in the sample of files output are used.
- For "verifying e-certificate validity", "JPD_2007001_01-02_verifyresult.txt<2>-1" and
"JPD_2007001_02-02_verifyresult.txt<2>-2" in the sample of files output are used.
The two verification processes are described below.
2. Verifying the Root Certificate
Use a text editor (e.g., Notepad, Wordpad) to open the JPD_2007001_01-02_finger.txt<1>-1.
The text editor window displays the file content as shown below. The top line shows a
fingerprint value (enclosed in red lines in the figure below) after "Fingerprint=".
Sample of JPD_2007001_01-02_finger.txt
Compare the shown fingerprint value with the fingerprint value indicated on "the fingerprint for
self-signature certification of the Government Certification Authority" at the web pages listed
below to check whether the two fingerprint values match.
http://www.gpki.go.jp/selfcert/finger_print.html
http://www.e-gov.go.jp/fingerprint/gpki.html
If the two fingerprint values do not match, the E-signature Publication File downloaded from
"Official Publication via the Internet" may have been damaged during downloading or the
publication file being verified may not be a normal E-signature Publication File distributed from
the Japan Patent Office.
If the two fingerprint values differ, confirm that the verification procedure has been done
correctly, and then download the relevant E-signature Publication File from "Official Publication
via the Internet".
The same verification process is also performed on the JPD_2007001_02-02_finger.txt<1>-2.
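The comparison in this section can be scripted. The following is an added example, not part of the original document or of the Japan Patent Office program: it reads the value after "Fingerprint=" on the top line of each finger.txt and compares it with the published fingerprint after removing colons, spaces and case differences. The sample digest and its colon-separated layout are constructed assumptions, and the function names are hypothetical.

```python
import re

# Constructed sample of a finger.txt top line; the digest value is made up and
# the colon-separated layout is an assumption.
SAMPLE_FINGER_TXT = (
    "Fingerprint=01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67\n"
)

def normalize(value):
    """Reduce a fingerprint to upper-case hex digits so that layout differences
    (colons, spaces, letter case) between the file and the web page do not matter."""
    digits = re.sub(r"[\s:]", "", value).upper()
    if not re.fullmatch(r"(?:[0-9A-F]{2})+", digits):
        raise ValueError("fingerprint is empty or not whole hex bytes")
    return digits

def read_fingerprint(finger_txt):
    """Return the normalized value after "Fingerprint=" on the top line."""
    top = finger_txt.splitlines()[0] if finger_txt.strip() else ""
    _, found, value = top.partition("Fingerprint=")
    if not found:
        raise ValueError('top line has no "Fingerprint=" field')
    return normalize(value)

def mismatched_files(files, published):
    """Names of finger.txt files whose fingerprint differs from the published one.
    Comparison is exact over the whole value, so a truncated value never matches."""
    want = normalize(published)
    return [name for name, text in files.items() if read_fingerprint(text) != want]
```

Any file name returned by `mismatched_files` corresponds to the mismatch case described above: recheck the procedure and download that publication file again.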
3. Verifying E-certificate Validity
The verification of e-certificate validity consists of the three verification processes below.
• Verifying that the e-certificate has not expired
• Verifying that the e-certificate has not been invalidated
• Verifying that the certificate policy (CP) described in the e-certificate matches the
predetermined policy and meets the predetermined restrictions
Use a text editor (e.g., Notepad, Wordpad) to open the
JPD_2007001_01-02_verifyresult.txt<2>-1. The text editor window displays the file content as
shown below.
Sample of JPD_2007001_01-02_verifyresult.txt
Note that each e-certificate for official publications of the Japan Patent Office via the Internet
contains the following three certificates:
• Root certificate
• Government post certificate
The JPD_2007001_01-02_verifyresult.txt<2>-1 contains the root and government post
certificates in this order.
3.1 Verifying That the E-certificate Has Not Expired
(1) Part to be verified
In the sample JPD_2007001_01-02_verifyresult.txt, check the dates described for "Not
Before" and "Not After" below the "Validity" line. [See the sample shown in item (2)
below.]
(2) Verification content
Check that the date and time when you performed E-signature Publication File Verification
is within the period from the "Not Before" date and time to the "Not After" date and time.
(If the date and time of E-signature Publication File Verification is not within said period,
you cannot fetch the archived publication file.)
When multiple certificates exist, check each certificate for its valid period.
Sample of JPD_2007001_01-02_verifyresult.txt
In this sample, the valid period of the certificate begins at 15:00:00 (hour: minute: second) on
September 26, 2007, and ends at 15:00:00 on September 26, 2017 (based on Greenwich
Mean Time).
You must verify the E-signature Publication File within the valid period of the e-certificate(s)
attached to the E-signature Publication File.
The same verification process is also performed on the
JPD_2007001_02-02_verifyresult.txt<2>-2.
3.2 Verifying That the E-certificate Has Not Been Invalidated
(1) Part to be verified
In the sample JPD_2007001_01-02_verifyresult.txt, check the contents of the line
beginning with "Issuer:" and the line beginning with "Subject:" [The parts are enclosed in
red lines in the sample file shown in item (3).]
(2) Verification content
Access the web page listed below, and confirm in the information there that the government
posts described for "Issuer:"<1> and "Subject:"<2> in the sample verifyresult.txt file have not
been withdrawn.
http://www.gpki.go.jp/documents/maintenance.html
When multiple certificates exist, check each certificate for the information above.
* The "Issuer"<1> indicates the person who issued the certificate.
* The "Subject"<2> indicates the person who is certified by the certificate.
* Note that the web page above describes the information in Japanese, but the
verifyresult.txt file describes the information in English.
(3) Samples of certificates
Display samples of the root and government post certificates that are used for official
publications via the Internet are shown below.
(a) Root certificate
Sample of JPD_2007001_01-02_verifyresult.txt
Both "Issuer:"<1> and "Subject:"<2> are "C=JP, O=Japanese Government, OU=
OfficialStatusCA," thus indicating the Government Certification Authority.
(b) Government post certificate
Sample of JPD_2007001_01-02_verifyresult.txt
"Issuer:"<1> is "C=JP, O=Japanese Government, OU= OfficialStatusCA", thus indicating the
Government Certification Authority.
"Subject:"<2> is " C=JP, O=Japanese Government, OU=Ministry of Economy, Trade and
Industry, OU= The Law for, OU= Exclusive use of official publication based on the law, and
CN=Commissioner, Japan Patent Office," thus indicating the Commissioner of the Japan
Patent Office (Exclusive use of official publication based on the law).
As described above, the items of information to be checked are "the Government Certification
Authority" and "the Commissioner of the Japan Patent Office (Exclusive use of official
publication based on the law)". However, because the Government Certification Authority is
actually in a position to decertify other authorities, you need only confirm that the
Commissioner of the Japan Patent Office (Exclusive use of official publication based on the
law) has not been decertified.
The verification process (1) through (3) described above is also performed on
JPD_2007001_02-02_verifyresult.txt.
3.3 Verifying That the Certificate Policy (CP) Described in the E-certificate Matches the Predetermined Policy and Meets the Predetermined Restrictions
(1) Parts to be verified
Check the following parts of the JPD_2007001_01-02_verifyresult.txt:
• Line below "X509v3 Certificate Policies: critical" [See the sample shown in item (3)
below.]
• Line below "X509v3 Basic Constraints: critical" [See the sample shown in item (4)
below.]
[The parts to be checked are enclosed in red lines in the samples in items (3) and (4).]
(2) Verification content
• X509v3 Certificate Policies: critical
The content of the line (below "X509v3 Certificate Policies: critical") beginning with
"Policy:" fully matches the predetermined policy.
• X509v3 Basic Constraints: critical
The line below "X509v3 Basic Constraints: critical" is "CA: TRUE."
* Each part to be checked exists at multiple positions (e.g., two positions in the sample).
Verify the parts to be checked at all positions.
* The certificate policy is a set of instructions or rules concerning the use of certificates
predetermined by the certification authority. Please refer to the web page listed below
for more details concerning the above matters.
http://www.gpki.go.jp/osca/cpcps/index.html
(3) Samples of "X509v3 Certificate Policies: critical" description
The description of "X509v3 Certificate Policies: critical" exists in the government post
certificate.
Sample of JPD_2007001_01-02_verifyresult.txt
In the samples above, the same description of "X509v3 Certificate Policies: critical" below
exists in government post certificates.
Policy: .2.440.100145.8.3.1.1.10
CPS: http://www.gpki.go.jp/osca/cpcps/index.html
(4) Samples of "X509v3 Basic Constraints: critical" description
The description of "X509v3 Basic Constraints: critical" exists in the root CA certificate.
Sample of JPD_2007001_01-02_verifyresult.txt
In the samples above, the description of "X509v3 Basic Constraints: critical" is "CA: TRUE" in
both the root.
The verification process (1) through (4) described above is also performed on
JPD_2007001_02-02_verifyresult.txt.
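The file checks of sections 3.1 and 3.3 can be scripted. The following is an added example, not part of the original document or of the verification program, and it assumes verifyresult.txt uses the OpenSSL-style text layout that the field names above suggest. The sample text, its placeholder policy OID and the function names are constructed; the withdrawal lookup of section 3.2 remains a manual check against the web page, for which the parsed subject names can be used.

```python
import re
from datetime import datetime, timezone

# Constructed sample: OpenSSL-style layout assumed, placeholder policy OID.
SAMPLE = """Certificate:
    Issuer: C=JP, O=Japanese Government, OU=OfficialStatusCA
    Validity
        Not Before: Sep 26 15:00:00 2007 GMT
        Not After : Sep 26 15:00:00 2017 GMT
    Subject: C=JP, O=Japanese Government, OU=OfficialStatusCA
        X509v3 Basic Constraints: critical
            CA:TRUE
Certificate:
    Issuer: C=JP, O=Japanese Government, OU=OfficialStatusCA
    Validity
        Not Before: Oct  1 00:00:00 2007 GMT
        Not After : Oct  1 00:00:00 2010 GMT
    Subject: C=JP, O=Japanese Government, CN=Commissioner, Japan Patent Office
        X509v3 Certificate Policies: critical
            Policy: 1.2.3.4.5
"""
FMT = "%b %d %H:%M:%S %Y GMT"  # certificate times are given in GMT

def _when(value):
    return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)

def parse_certs(text):
    """One dict per certificate, in file order (root first)."""
    return [{
        "subject": re.findall(r"(?m)^\s*Subject:\s*(.+?)\s*$", b),
        "validity": [_when(v) for v in
                     re.findall(r"(?m)Not (?:Before|After)\s*:\s*(.+?)\s*$", b)],
        "policies": re.findall(r"(?m)^\s*Policy:\s*(\S+)", b),
        "ca_true": bool(re.search(r"Basic Constraints: critical\s*\n\s*CA:\s*TRUE", b)),
    } for b in re.split(r"(?m)^Certificate:\s*$", text)[1:]]

def check(text, verified_at, expected_policy):
    """Findings for 3.1 and 3.3 (empty list = pass); verified_at is tz-aware."""
    certs, out = parse_certs(text), []
    for i, c in enumerate(certs):
        v = c["validity"]
        if len(v) != 2 or not (v[0] <= verified_at <= v[1]):
            out.append(f"certificate {i}: verified outside validity period")
    if len(certs) < 2 or not certs[0]["ca_true"]:
        out.append("root certificate missing or not CA:TRUE")
    if not certs or certs[-1]["policies"] != [expected_policy]:
        out.append("government post certificate policy does not match")
    return out
```

Pass the time at which E-signature Publication File Verification was performed as `verified_at`, and the predetermined policy identifier as `expected_policy`; the policy comparison is exact, so a prefix of the identifier does not pass.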