How to Verify an E-Certificate
June 2008
Japan Patent Office

CONTENTS
1. Preface
2. Verifying the Root Certificate
3. Verifying E-certificate Validity

<<Trademark notice>>
• The names of corporations and products described in this document are the trademarks or registered trademarks of the respective corporations.

1. Preface

1.1 Overview

An e-certificate (*1) is attached to an e-signature to authenticate the identity of the person who appended the e-signature. The e-certificate is issued by a reliable organization (known as a "certification authority" or CA). The certification authority for official publications via the Internet is the Government Certification Authority of the Ministry of Internal Affairs and Communications.

The user of a document with an e-signature appended must perform both e-signature verification (*2) and e-certificate verification. Note that e-certificate verification verifies the validity of an e-certificate.

This document describes how to verify the e-certificates of e-signatures appended to official publications that the Japan Patent Office issues via the Internet.

*1 The e-certificate is issued by the Government Certification Authority of the Ministry of Internal Affairs and Communications to authenticate the Commissioner of the Japan Patent Office (exclusive use for official publication based on the law).
*2 Refer to "How to Use the Japan Patent Office E-signature Publication File Verification Program Version 2.0."

1.2 Configuration of E-certificates

The figure below shows the hierarchy of e-certificates. A higher-order certificate is used to certify a subordinate certificate.

[Figure: E-certificate hierarchy for official publications via the Internet]
• Root Certificate (*3) (for the Certification Authority of the Ministry of Internal Affairs and Communications)
• Government Post Certificate (for the Commissioner of the Japan Patent Office)
A certificate one level higher than the subordinate certificate is used to certify that subordinate certificate.

*3 The root certificate is the self-signed, highest-level certificate that certifies itself.

1.3 E-certificate Verification

E-certificate verification consists of the two verification processes below.
• Verifying the root certificate
• Verifying e-certificate validity

E-certificate verification uses the files output as the result of E-signature Publication File Verification by the Japan Patent Office E-signature Publication File Verification program. Therefore, perform E-signature Publication File Verification using the E-signature Publication File Verification program prior to e-certificate verification.

[Figure: Samples of files output by E-signature Publication File Verification, labelled ①-1, ①-2, ②-1 and ②-2]

For each downloaded file with an e-signature appended, the program outputs one file named (1) "finger.txt" and one file named (2) "verifyresult.txt", both of which are used for verification; the number of output files therefore corresponds to the number of downloaded files with e-signatures appended. Each output file should be verified during the verification process.

In the sample of files output, two downloaded files with e-signatures appended (JPD_2007001_01-02_ZIPP7 and JPD_2007001_02-02_ZIPP7) can be found, and two items used for verification were output for each of the downloaded files.
- For "verifying the root certificate", "JPD_2007001_01-02_finger.txt" (①-1) and "JPD_2007001_02-02_finger.txt" (①-2) in the sample of files output are used.
- For "verifying e-certificate validity", "JPD_2007001_01-02_verifyresult.txt" (②-1) and "JPD_2007001_02-02_verifyresult.txt" (②-2) in the sample of files output are used.

The two verification processes are described below.

2. Verifying the Root Certificate

Use a text editor (e.g., Notepad, WordPad) to open JPD_2007001_01-02_finger.txt (①-1). The text editor window displays the file content as shown below. The top line shows a fingerprint value (enclosed in red lines in the figure below) after "Fingerprint=".

[Figure: Sample of JPD_2007001_01-02_finger.txt]

Compare the displayed fingerprint value with the fingerprint value indicated as "the fingerprint for self-signature certification of the Government Certification Authority" on the web pages listed below, to check whether the two fingerprint values match.
http://www.gpki.go.jp/selfcert/finger_print.html
http://www.e-gov.go.jp/fingerprint/gpki.html

If the two fingerprint values do not match, the E-signature Publication File downloaded from "Official Publication via the Internet" may have been damaged during downloading, or the publication file being verified may not be a genuine E-signature Publication File distributed by the Japan Patent Office. In that case, confirm that the verification procedure has been carried out correctly, and then download the relevant E-signature Publication File again from "Official Publication via the Internet".

The same verification process is also carried out on JPD_2007001_02-02_finger.txt (①-2).

3. Verifying E-certificate Validity

The verification of e-certificate validity consists of the three verification processes below.
• Verifying that the e-certificate has not expired
• Verifying that the e-certificate has not been invalidated
• Verifying that the certificate policy (CP) described in the e-certificate matches the predetermined policy and meets the predetermined restrictions

Use a text editor (e.g., Notepad, WordPad) to open JPD_2007001_01-02_verifyresult.txt (②-1). The text editor window displays the file content as shown below.

[Figure: Sample of JPD_2007001_01-02_verifyresult.txt]

Note that each e-certificate for official publications of the Japan Patent Office via the Internet contains the following three certificates:
• Root certificate
• Government post certificate

JPD_2007001_01-02_verifyresult.txt (②-1) contains the root and government post certificates, in this order.

3.1 Verifying That the E-certificate Has Not Expired

(1) Part to be verified
In the sample JPD_2007001_01-02_verifyresult.txt, check the dates given for "Not Before" and "Not After" below the "Validity" line. [See the sample shown in item (2) below.]

(2) Verification content
Check that the date and time at which you performed E-signature Publication File Verification falls within the period from the "Not Before" date and time to the "Not After" date and time. (If the date and time of E-signature Publication File Verification is not within this period, you cannot fetch the archived publication file.) When multiple certificates exist, check the valid period of each certificate.

[Figure: Sample of JPD_2007001_01-02_verifyresult.txt]

In this sample, the valid period of the certificate begins at 15:00:00 (hour:minute:second) on September 26, 2007, and ends at 15:00:00 on September 26, 2017 (Greenwich Mean Time). You must verify the E-signature Publication File within the valid period of the e-certificate(s) attached to it.

The same verification process is also carried out on JPD_2007001_02-02_verifyresult.txt (②-2).

3.2 Verifying That the E-certificate Has Not Been Invalidated

(1) Part to be verified
In the sample JPD_2007001_01-02_verifyresult.txt, check the contents of the line beginning with "Issuer:" and the line beginning with "Subject:". [These parts are enclosed in red lines in the sample file shown in item (3).]

(2) Verification content
Access the web page listed below, and confirm that the government posts given for "Issuer:" (①) and "Subject:" (②) in the sample verifyresult.txt file have not been withdrawn according to the information on that page.
http://www.gpki.go.jp/documents/maintenance.html
When multiple certificates exist, check each certificate against the information above.
* "Issuer" (①) indicates the person who issued the certificate.
* "Subject" (②) indicates the person who is certified by the certificate.
* Note that the web page above gives the information in Japanese, whereas the verifyresult.txt file gives it in English.

(3) Samples of certificates
Samples of the root and government post certificates that are used for official publications via the Internet are shown below.

(a) Root certificate
[Figure: Sample of JPD_2007001_01-02_verifyresult.txt, with callouts ① and ②]
Both "Issuer:" (①) and "Subject:" (②) are "C=JP, O=Japanese Government, OU=OfficialStatusCA", thus indicating the Government Certification Authority.

(b) Government post certificate
[Figure: Sample of JPD_2007001_01-02_verifyresult.txt, with callouts ① and ②]
"Issuer:" (①) is "C=JP, O=Japanese Government, OU=OfficialStatusCA", thus indicating the Government Certification Authority. "Subject:" (②) is "C=JP, O=Japanese Government, OU=Ministry of Economy, Trade and Industry, OU=The Law for, OU=Exclusive use of official publication based on the law, CN=Commissioner, Japan Patent Office", thus indicating the Commissioner of the Japan Patent Office (exclusive use of official publication based on the law).

As described above, the items of information to be checked are "the Government Certification Authority" and "the Commissioner of the Japan Patent Office (exclusive use of official publication based on the law)". However, because the Government Certification Authority is itself in a position to decertify other authorities, you need only confirm that the Commissioner of the Japan Patent Office (exclusive use of official publication based on the law) has not been decertified.

Verification processes (1) through (3) described above are also carried out on JPD_2007001_02-02_verifyresult.txt.

3.3 Verifying That the Certificate Policy (CP) Described in the E-certificate Matches the Predetermined Policy and Meets the Predetermined Restrictions

(1) Parts to be verified
Check the following parts of JPD_2007001_01-02_verifyresult.txt:
• The line below "X509v3 Certificate Policies: critical" [See the sample shown in item (3) below.]
• The line below "X509v3 Basic Constraints: critical" [See the sample shown in item (4) below.]
[The parts to be checked are enclosed in red lines in the samples in items (3) and (4).]

(2) Verification content
• X509v3 Certificate Policies: critical
The content of the line beginning with "Policy:" (below "X509v3 Certificate Policies: critical") fully matches the predetermined policy.
• X509v3 Basic Constraints: critical
The line below "X509v3 Basic Constraints: critical" is "CA:TRUE".
* Each part to be checked exists at multiple positions (e.g., two positions in the sample). Verify the parts to be checked at all positions.
* The certificate policy is a set of instructions or rules concerning the use of certificates, predetermined by the certification authority. Please refer to the web page listed below for more details.
http://www.gpki.go.jp/osca/cpcps/index.html

(3) Samples of the "X509v3 Certificate Policies: critical" description
The "X509v3 Certificate Policies: critical" description exists in the government post certificate.
[Figure: Sample of JPD_2007001_01-02_verifyresult.txt]
In the sample above, the following "X509v3 Certificate Policies: critical" description exists in the government post certificate.
Policy: .2.440.100145.8.3.1.1.10
CPS: http://www.gpki.go.jp/osca/cpcps/index.html

(4) Samples of the "X509v3 Basic Constraints: critical" description
The "X509v3 Basic Constraints: critical" description exists in the root CA certificate.
[Figure: Sample of JPD_2007001_01-02_verifyresult.txt]
In the sample above, the "X509v3 Basic Constraints: critical" description is "CA:TRUE" in the root certificate.

Verification processes (1) through (4) described above are also carried out on JPD_2007001_02-02_verifyresult.txt.
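As an added example (not part of this manual or of the Japan Patent Office verification program), the Python script below applies checks 3.1 through 3.3 to a verifyresult.txt-style dump: validity window, issuer name, policy OID and basic constraints, for every certificate in the file. It assumes the dump follows the OpenSSL "x509 -text" layout; the sample text, the expected issuer string and the policy OID are constructed placeholders, and the revocation lookup of 3.2 against the GPKI web page remains a manual step.

```python
import re
from datetime import datetime, timezone
# Constructed sample in the layout of the verifyresult.txt dump (assumed to follow the
# OpenSSL "x509 -text" layout); the policy OID is an assumed placeholder, not the real one.
SAMPLE = """\
Certificate:
    Issuer: C=JP, O=Japanese Government, OU=OfficialStatusCA
    Validity
        Not Before: Sep 26 15:00:00 2007 GMT
        Not After : Sep 26 15:00:00 2017 GMT
    Subject: C=JP, O=Japanese Government, OU=OfficialStatusCA
    X509v3 Basic Constraints: critical
        CA:TRUE
Certificate:
    Issuer: C=JP, O=Japanese Government, OU=OfficialStatusCA
    Validity
        Not Before: Sep 26 15:00:00 2007 GMT
        Not After : Sep 26 15:00:00 2017 GMT
    Subject: C=JP, O=Japanese Government, OU=Ministry of Economy, Trade and Industry, CN=Commissioner, Japan Patent Office
    X509v3 Certificate Policies: critical
        Policy: 1.2.392.EXAMPLE.1
"""
EXPECTED_CA = "C=JP, O=Japanese Government, OU=OfficialStatusCA"
EXPECTED_POLICY = "1.2.392.EXAMPLE.1"  # placeholder: take the real value from the GPKI CP/CPS page

def field(block, key):
    """Value of a 'Key: value' line in one certificate block, or None when absent."""
    m = re.search(rf"^\s*{key}\s*:\s*(.+?)\s*$", block, re.M)
    return m.group(1) if m else None

def utc(s):
    return datetime.strptime(s, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def check_chain(text, verified_at):
    """Apply checks 3.1-3.3 to every 'Certificate:' block; an empty list means all passed."""
    findings = []
    for i, block in enumerate(re.split(r"^Certificate:\s*$", text, flags=re.M)[1:]):
        nb, na = utc(field(block, "Not Before")), utc(field(block, "Not After"))
        if not nb <= verified_at <= na:                                      # 3.1
            findings.append(f"cert {i}: verified outside {nb:%Y-%m-%d}..{na:%Y-%m-%d}")
        if field(block, "Issuer") != EXPECTED_CA:                            # 3.2 (name only)
            findings.append(f"cert {i}: unexpected issuer")
        policy = re.search(r"Certificate Policies: critical\s*\n\s*Policy:\s*(\S+)", block)
        if policy and policy.group(1) != EXPECTED_POLICY:                    # 3.3
            findings.append(f"cert {i}: policy {policy.group(1)} is not the predetermined one")
        basic = re.search(r"Basic Constraints: critical\s*\n\s*(CA:\w+)", block)
        if basic and basic.group(1) != "CA:TRUE":                            # 3.3
            findings.append(f"cert {i}: basic constraints {basic.group(1)}")
    return findings
```

Extensions that a certificate does not carry (Basic Constraints on the post certificate, Certificate Policies on the root) are skipped rather than reported, matching the manual's statement of where each description exists.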