JP2008040796A - Program, device, and system for document output control - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a technique for restricting output of an electronic document in accordance with an electronic document generator's will and a transmission line security. <P>SOLUTION: An electronic document deliverer generates an electronic document for delivery by adding print restriction information wherein print restrictions are described per transmission security level, to the electronic document by a delivery document generation application 17. In the case that a user who has acquired the electronic document for delivery indicates printing of the electronic document on a computer 10, a printer driver 11 obtains a security level which can be established on a transmission line between the computer 10 and a printer 14 being an output destination, and obtains print restrictions corresponding to the security level in the print restriction information and permits printing in the case of a print condition meeting the print restrictions. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a technique for outputting an electronic document from a computer to an output device via a transmission path.

  In recent years, documents are often distributed in the form of data, that is, electronic documents. In response to this, users are increasingly sending distributed electronic documents to output devices such as printers and facsimile machines to perform output such as printing or facsimile transmission. When an electronic document is sent from a computer to an output device via a network for output, the security of the transmission path from the computer to the output device becomes a problem. In contrast, conventionally, print data sent from a computer to an output device is encrypted. If the electronic document to be printed has been distributed, the distribution side (creator, distributor, etc.) of the electronic document has the right to the electronic document. Consideration is necessary.

  Japanese Patent Application Laid-Open No. 2004-133867 describes a means for acquiring the attributes of a user who prints a document file, a means for acquiring the attributes of the document file, and print permission / rejection and printing requirements based on the acquired attributes of the user and the document file. A document printing apparatus including means for retrieving a printing requirement by searching a security policy that defines the above and a means for forcing the acquired printing requirement at the time of printing is disclosed.

  The security policy in the method of Patent Document 1 prescribes printing requirements in relation to a document file and a user who wants to print it, and the intention of the creator of each document file is accurately reflected. Is not limited. In this method, no consideration is given to the security of the transmission path from the computer to the printer.

JP 2004-152263 A

  One aspect of the present invention provides a technique for restricting output of an electronic document in accordance with the intention of the electronic document creation side and transmission path security.

  (1) In one aspect of the present invention, a program for causing a computer to execute a process for outputting an electronic document to an output device, wherein the process determines an output restriction based on a transmission path security level. A first step of reading out the output restriction information from the electronic document to be output; a second step of obtaining a transmission path security level that can be established between the computer and an output device designated as an output destination of the electronic document to be output; There is provided a program comprising a third step of obtaining an output restriction corresponding to the established transmission path security level from the output restriction information, and controlling the output of the output electronic document from the output device according to the output restriction. .

  (2) In one aspect, when the output condition designated by the user satisfies an output restriction corresponding to the transmission security level that can be established, the third step is a sub-step of permitting output under the output condition. Have.

  (3) In another aspect, when the output condition specified by the user deviates from the output limit corresponding to the transmission security level that can be established, the third step is to output in accordance with the output limit? A sub-step for inquiring the user whether or not, and a sub-step for permitting output in accordance with the output restriction when the user replies to the inquiry.

  (4) In still another aspect, in the third step, output data obtained by qualitatively or quantitatively degrading an electronic document according to an output restriction corresponding to the transmission path security level that can be established is created, and the output device stores the output data. Send.

  (5) In still another aspect, the output restriction defines image quality, and in the third step, output data of the image quality defined by the output restriction is created from the electronic document, and the output Send to device.

  (6) In still another aspect, the output restriction defines a portion of the electronic document that is permitted to be output, and in the third step, the output restriction is defined by the output restriction of the electronic document. Output data representing the image of the portion permitted to be output is created and transmitted to the output device.

  (7) According to another aspect of the present invention, there is provided a document output control apparatus for executing processing for causing an output device to output an electronic document, and output restriction information for determining output restriction based on a transmission path security level. From the electronic document to be output, means for obtaining a transmission line security level that can be established between the computer and an output device designated as the output destination of the electronic document to be output, and the transmission line security level that can be established There is provided a document output control apparatus comprising: a unit that obtains a corresponding output restriction from the output restriction information and controls output of the electronic document to be output from the output device according to the output restriction.

  (8) In still another aspect of the present invention, there is provided a document output control system including an electronic document creation apparatus and a document output control apparatus that executes processing for causing an output device to output an electronic document. The creation device includes means for receiving input of output restriction information for determining output restriction based on a transmission line security level, means for incorporating the input output restriction information into an electronic document, and the document output control apparatus includes: , Means for reading out output restriction information for determining output restriction based on the transmission path security level, from the electronic document to be output, established between the computer and the output device designated as the output destination of the electronic document to be output Means for determining a possible transmission path security level, and output restriction corresponding to the established transmission path security level. Determined from limited information, it means for controlling the output from the output device of the electronic document of the output target in accordance with the output restriction, comprises, providing a document output control system.

  According to the configuration (1), (7), or (8), the distributor of the electronic document incorporates output restriction information into the electronic document, so that the electronic document is output to the user who intends to output the electronic document from the output device. The output restriction can be controlled according to the transmission path security level that can be established in the transmission path between the user's computer and the output device.

  According to the configuration (2), when the output condition specified by the user satisfies the output restriction corresponding to the transmission security level that can be established, the program automatically permits output under the output condition. , The operation burden on the user can be reduced.

  According to the configuration (3), it is possible to reduce waste of outputting an electronic document from the output device under an output condition that is not desired by the user.

  According to the configuration (4), for example, the lower the transmission line security level that can be established between the computer and the output device, the more the output data transmitted from the former to the latter is further deteriorated, thereby leaking the output data. If this happens, damage can be reduced.

  According to the configuration (5), for example, the image quality of the output data is further deteriorated as the output data is more easily leaked, so that damage when the output data is leaked can be reduced.

  According to the configuration (6), for example, by reducing the portion of the electronic document that is allowed to be output as the output data is more likely to leak, damage caused when the output data leaks can be reduced.

  Hereinafter, embodiments of the present invention (hereinafter referred to as “embodiments”) will be described with reference to the drawings.

  FIG. 1 is a diagram illustrating an example of a configuration of a system according to an embodiment. In this system, computers 10 and 16 such as personal computers and a printer 14 are connected to a network 12 for data communication such as a LAN (local area network) and the Internet. The computer 16 is a computer of a user who distributes an electronic document (hereinafter collectively referred to as “distributor”) such as a creator, owner, distributor, or copyright holder of an electronic document to be printed. is there. A computer 10 is a computer of a user who intends to acquire and print the electronic document. Although only one computer 10 and 16 and one printer 14 are shown in FIG. 1, a plurality of computers 10 and 16 may be combined.

  The computer 16 is installed with application software (distributed document creation application 17) for creating electronic documents for distribution. The electronic document here is a document in a file format of application software (hereinafter simply referred to as an application) such as a word processor or spreadsheet software. The electronic document for distribution is obtained by adding print restriction information designated by the distributor to an electronic document created by such an application. The print restriction information is information representing restrictions when printing the electronic document. The print restriction information includes one or more print restrictions having different levels, and each print restriction is associated with a security level of the transmission path. The printing restriction is a restriction on printing conditions at the time of printing. The printing conditions include various conditions for printing electronic documents such as the number of copies to be printed, distinction between double-sided / single-sided printing, distinction between color and monochrome printing, image quality in terms of resolution, printing range (page designation, etc.), etc. Is included. Setting a print restriction on an electronic document means that the distributor allows the electronic document to be printed if the printing conditions satisfy the print restriction. The distributor can set several levels of printing restrictions depending on the security level of the transmission path between the computer 10 of the person who intends to print the electronic document and the printer 14 of the output destination. The distribution document creation application 17 has a function of adding such print restriction information to an electronic document.

  The electronic document for distribution is, for example, a document in a file format suitable for distribution (for example, a PDF (Portable Document Format) document or a DocuWorks (registered trademark) document (xdw format) of Fuji Xerox Co., Ltd.)). In this case, the distribution document creation application 17 is an application different from a word processor that creates the original electronic document. Further, by incorporating a print restriction information addition function into an application such as a word processor, the application itself can be used as the distribution document creation application 17.

  A printer driver 11 for causing the printer 14 to print an electronic document is installed in the computer 10. The printer driver 11 creates print data indicating a print image of the electronic document from the electronic document in the file format of the application, and sends the print data to the printer 14. The print data is described in a page description language (PDL) that can be interpreted by the printer 14, for example. Further, the printer driver 11 creates attribute data describing printing attributes such as the number of copies to be printed, the paper size, the user name of the user who has instructed printing, and the print instruction time in a predetermined language such as PJL (Printer Job Language). And a function of sending the data to the printer 14 in association with the print data. A combination of attribute data and print data becomes print job data.

  The printer driver 11 according to the present embodiment has a function of controlling printing of an electronic document based on printing restriction information included in the electronic document for distribution and a security level that can be established in a transmission path between the computer 10 and the printer 14. Prepare. That is, the printer driver 11 obtains a print restriction corresponding to the security level that can be established in the transmission path from the print restriction information, and controls printing of the electronic document according to the print restriction.

  Some printers have a “direct print” function for receiving and printing an electronic document in a file format of the application for a specific type of application. When the electronic document to be printed is in a file format that can be directly printed by the printer 14, the printer driver 11 does not change the electronic document to PDL print data, but adds attribute data to the electronic document and transmits it to the printer. You can also

  An electronic signature can be attached to the electronic document using the private key information of the distributor of the electronic document. For example, software that can embed digital signatures in created documents, such as Microsoft's word processor software “Word” and Adobe Systems ’“ Acrobat ”(registered trademark), has become widespread. An electronic signature can be added by such software.

  The electronic signature is generated by encrypting the hash value of the electronic document with the signer's private key. As is well known for XML signatures and the like, information for electronic signatures generally incorporated in electronic documents includes verification values for verifying the signature value in addition to the signature value of the electronic signature (that is, the encryption result of the hash value). Information for identifying the key (ie, the signer's public key) is included. This information may be the verification key itself, the signer's public key certificate, or both.

  The distribution document creation application 17 has a function of attaching an electronic signature to an electronic document. With this function, an electronic signature of a distributor can be attached to an electronic document for distribution. When distributing an electronic document, the distributor of the electronic document can attach the electronic signature of the electronic document for the purpose of ensuring that the electronic document is a person who has correctly distributed the electronic document.

  Next, the distribution document creation application 17 and the print restriction information will be described in detail.

  As shown in FIG. 2, the distribution document creation application 17 includes, for example, a target document input unit 172, a print restriction information input unit 174, and a signature addition unit 176. The target document input unit 172 receives an input of an electronic document to be distributed from the user. When the distribution document creation application 17 is a word processor or the like, the target document input unit 172 may not be provided.

  The print restriction information input unit 174 receives input of print restriction information added to the electronic document to be distributed. An example of the print restriction information is shown in FIG. In this example, the print restriction information includes three levels of print restrictions, restriction levels 1, 2, and 3. Each level of print restriction includes “security level range” and “print restriction”. “Security level range” indicates a range of a transmission line security level to which the print restriction should be applied. For example, the security level range of restriction level 1 is that when SSL (Secure Socket Layer) with a key length of xxx bits or more is used for protection of the transmission line, the security level of restriction level 2 is the key length yyy for protection of the transmission line. This corresponds to the case where SSLs of not less than bits and not more than xxx bits are used. The longer the SSL key length, the higher the security level.

  In the illustrated example, the transmission path protection by SSL is assumed. However, when the transmission path between the computer 10 and the printer 14 is protected by means other than SSL, the security level range may be similarly defined. Even when a PKI-based secure communication protocol other than SSL is used, the security level can be determined based on the strength of the encryption method used in the protocol and the key length of the protocol that can be actually established between the computer and the printer. If data protection by encryption using a common key encryption method can be realized between the computer and the printer, the security level of the transmission path can be obtained based on the encryption strength, key length, etc. of the encryption method. The level of security between different protocols may be determined by the system administrator from theoretical or empirical knowledge. In any case, the secure communication protocol (and the key length of the encryption key to be used) corresponding to the security level can be associated with each security level. A plurality of communication protocols can be associated with one security level, such as the 128-bit key length of SSL and the 128-bit key length of the common key cryptosystem. Such correspondence information between the security level and each secure communication protocol (and key length) is provided to the distribution document creation application 17 and the printer driver 11 or from the distribution document creation application 17 and the printer driver 11. Place it in an accessible storage location. Hereinafter, the security level that can be actually established on the transmission path between the computer and the printer is referred to as an establishable security level. When there are a plurality of security levels that can be actually established, the highest level may be set as the security level that can be established.

  As shown in FIG. 3, for example, “printability”, “number of copies”, “color mode”, “print mode”, “print page”, “security print” are included in the “print restriction” corresponding to each restriction level. Etc. are included. Each of these items is selected from items that can be designated as printing conditions. The values of these items are values that are applied when the security level that can be established falls within the “security level range” of the restriction level. The meaning of each item is as follows, for example. “Printability” is information indicating whether or not printing of the electronic document is permitted. “Number of copies” indicates the maximum number of copies when printing is permitted. “Color mode” and “print mode” are modes relating to image quality at the time of printing. “Color mode” indicates whether full color printing is permitted or only monochrome printing is permitted. “Print mode” is an image to be printed. The fineness (for example, resolution) is shown. The “print mode” has several levels such as “high image quality”, “standard”, and “draft” in the fine order. “Print page” is information indicating the range of pages that are allowed to be printed in the electronic document. “Security print” means confidential box print. If this value is “ON”, it means that confidential box print is designated. Items other than “Printability” are valid when the value of “Printability” is “Yes”. If “Printability” is “No”, the value of each item is set. It is not necessary.

  The print restriction information input unit 174 provides, for example, a user interface screen for inputting an upper limit value and / or a lower limit value that define the “security level range”, and values of each item of “print restriction”. Then, the input of a value from the user to this screen is accepted. The value may be input as a numerical value or a character string from a keyboard or the like, or may be selected from the presented options. By inputting each item of “security level range” and “printing restriction”, information about one restriction level can be obtained. When setting a plurality of restriction levels, the user may set a security level range and a print restriction for each restriction level.

  For example, the lower the security level of the transmission path (that is, the weaker the protection), the more severe the print restriction. The tighter the printing restrictions, the worse the range of printing allowed for the electronic document in terms of quality and / or quantity. The print restriction information input unit 174 sets a range of values that can be set for each item in the print restriction input user interface corresponding to a certain security level range to the print restriction of the security level range of each restriction level that has already been set. The relationship may be such that the lower the security level, the more restrictive the relationship is satisfied.

  The signature adding unit 176 adds the print restriction information input to the print restriction information input unit 174 to the electronic document input to the target document input unit 172, and also applies to the electronic document to which the print restriction information is added. The electronic signature of the distributor is attached. For example, the printing restriction information can be added to the electronic document by adding the printing restriction information as attribute information of the electronic document.

  FIG. 4 shows an example of the procedure of processing performed by the distributor's computer 16. In this procedure, first, an application on the computer 16 creates an electronic document in accordance with a user operation (S101). Next, the distribution document creation application 17 creates printing restriction information for the electronic document according to the user's operation (S102), and adds the printing restriction information and the electronic signature of the distributor to the electronic document. An electronic document for distribution is generated (S103). The generated electronic document for distribution is distributed to each user (S104).

Next, the printer driver 11 will be described in more detail. As illustrated in FIG. 5, the printer driver 11 includes a print restriction information reading unit 112, a security level determination unit 114, a job data generation unit 116, and a UI (user interface) processing unit 118. The printing restriction information reading unit 112 reads printing restriction information from an electronic document designated as a printing target. The security level determination unit 114 determines a transmission path security level that can be established with the printer 14 designated as the printing destination. For example, the security level determination unit 114 inquires about the SSL key length that can be supported by the printer 14, and determines the transmission path security level that can be established between the two from the key length and the SSL key length that the computer 10 corresponds to. judge. The job data generation unit 116 generates job data for causing the printer 14 to print the electronic document. The job data includes print data in which the document content of the electronic document is expressed in a language (for example, a page description language) that can be interpreted by the printer 14, and attribute data indicating a print condition. The job data generation unit 116 generates print data from the electronic document and also generates attribute data based on the value of the print condition item input by the user who has instructed printing.
Here, for example, the job data generation unit 116 selects the print restriction indicated in the print restriction information corresponding to the security level that can be established, presents the print restriction to the user, and then prints with the print restriction. A process of inquiring the user as to whether or not the user wants to be performed may be performed. As another example, it is determined whether each item of the attribute data indicating the printing condition specified by the user satisfies the printing restriction information based on the security level that can be established and the printing restriction information. Then, a process for inquiring the user as to whether or not to perform printing according to the satisfied printing restriction may be performed. The UI processing unit 118 generates UI screen information for such an inquiry, displays it on a display connected to the computer 10, and accepts a user's answer to the inquiry. Note that the UI processing unit 118 may generate other UI screen information about the printer driver 11 and accept a user input for the UI screen information.

If the response to the inquiry indicates that the user does not want to print with the satisfied print restriction, the job generation unit 116 discards the created job data and cancels the print instruction to the printer 14. If there is a reply that the user desires to print with the satisfied print restriction, the content of the attribute data is changed according to the print restriction, and then transmitted to the printer 14. Note that the print restriction items that are satisfied include the content to be printed (for example, the range of pages to be printed, color / monochrome distinction, and fineness) compared to the case in which the printing conditions specified by the user are followed. There may be items that change the print quality). If there is such an item, the job data generating unit 116 may regenerate the print data itself according to the value of the item. In addition, when the print restriction according to the security level that can be established indicates that printing is not possible, the job data generation unit 116 discards the job data and cancels the print instruction to the printer.

  Next, processing executed by the printer driver 11 will be described with reference to FIG. When printing of an electronic document is instructed by the user, the printer driver 11 generates print data indicating a print image of the electronic document (S201). The printer driver 11 extracts printing restriction information from the electronic document (S202), and obtains a security level that can be established on the transmission path between the computer 10 and the printer 14 (S203). The execution order of steps S201 to S203 is not limited to the order shown. Next, the printer driver 11 obtains a restriction level having a security level range corresponding to the security level that can be established from the printing restrictions of each restriction level included in the printing restriction information (S204). Then, UI screen information displaying the contents of the print restriction corresponding to the restriction level is generated and displayed on the computer screen (S205). In the UI screen displayed at this time, a message for inquiring whether or not printing is desired with the printing restriction (in other words, printing conditions) displayed on the UI screen, and a GUI for inputting an answer to the inquiry are displayed. Parts (for example, a button for indicating whether or not printing is desired) are included. Using such a screen, the user inquires whether to accept the printing restriction (S206).

  Next, the printer driver 11 determines whether or not the user's answer to this inquiry is to accept printing restrictions (S207). If the answer is that the print restriction is accepted, the printer driver 11 generates attribute data corresponding to the contents of the print restriction, and generates job data by combining this attribute data with the print data generated in step S201. (S208). Then, a transmission path having a security level that can be established is established with the printer 14 (S209), and job data is transmitted to the printer 14 via the transmission path (S210).

  If it is determined in step S207 that the answer from the user does not accept the printing conditions, the printer driver 11 performs processing for canceling the printing of the electronic document (S211), and deletes the job data created so far. (S212).

  In the inquiry in step S206 in the procedure of FIG. 6, it may be simply inquired whether or not the printing condition corresponding to the printing restriction is accepted, but instead, each item of the printing condition is changed within the range satisfying the printing restriction. You may make it receive and the printing condition of the change result.

  Next, another example of the processing procedure executed by the printer driver 11 will be described with reference to FIG. In FIG. 7, steps representing the same processes as in FIG.

  In the procedure of FIG. 7, first, when an instruction to print an electronic document is given, the printer driver 11 receives designation of printing conditions from the user, and based on this, generates job data composed of print data and attribute data of the electronic document ( S201a). The processing in steps S202 to S204 may be the same as in the procedure of FIG. Next, the printer driver 11 determines whether or not the printing conditions designated by the user in step S201a satisfy the printing restriction at the restriction level obtained in step S204 (S220). If satisfied, a transmission path of the security level that can be established is established with the printer 14 (S221), and job data is transmitted to the printer 14 through the transmission path (S222). In this case, job data transmitted on the transmission path is protected by encryption or the like. When performing the processes of steps S221 and S222, the printer driver 11 displays on the UI screen, for example, “The printing conditions specified by the user satisfy the printing restrictions corresponding to the transmission path security level that can be established between the computer and the printer 10”. By displaying a message meaning “printing has been approved”, the security consciousness of the user who instructed printing may be raised.

  If it is determined in step S220 that the printing condition specified by the user does not satisfy the printing restriction of the obtained restriction level (that is, deviates from the restriction), the printer driver 11 has the restriction level. The user is inquired whether to accept the printing conditions corresponding to the printing restriction (S223). At this time, for example, an explanation may be displayed that the printing conditions designated by the user do not satisfy the printing restrictions designated by the distributor of the electronic document. Further, a printing condition that satisfies the printing restriction may be displayed, and a screen including a GUI (graphical user interface) part for inputting whether or not to print under this condition may be displayed. The printer driver 11 determines whether or not the user's answer to this inquiry is to accept printing restrictions (S224). If the answer is to accept printing restrictions, the printer driver 11 determines in step S201a. The attribute data in the job data generated in the above is changed according to the contents of the printing restriction (S225). Then, a transmission path having a security level that can be established is established with the printer 14 (S221), and job data is transmitted to the printer 14 via the transmission path (S222). In step S224, if the answer from the user is that the print condition is not accepted, the printer driver 11 performs a process of canceling the printing of the electronic document (S226), and deletes the job data created so far. (S227).

  The procedure shown in FIG. 6 is a flow of creating job data in S201 and correcting it as necessary. However, the flow of creating job data after the printing conditions are determined by the determination in step S205 or step S209. Good.

  In the foregoing, the flow in which the printer driver 11 generates job data and transmits it to the printer 14 has been described. Next, a processing procedure of the printer 14 that has received job data from the computer 10 will be described with reference to FIG.

  When the printer 14 receives job data from the computer 10 (S301), the printer 14 determines whether the job data is encrypted (S302), and if it is encrypted, decrypts it (S303). This decoding may be performed according to a transmission path protection protocol established with the computer 10. When the printer 14 receives unencrypted job data, the printer 14 simply performs printing based on the received job data.

  The printer 14 verifies the electronic signature attached to the received job data. If the electronic signature is found to be invalid as a result of the verification (for example, the electronic signature and the job data do not match), the printer 14 A corresponding process may be performed. Examples of this process include a process for canceling printing of job data, a process for executing printing after recording in the log that the signature is invalid. Which one is to be adopted may be determined according to the security policy (policy) of the operator of the printer 14. In combination with any of these processes, the administrator of the printer 14 may be notified that job data having an invalid electronic signature has been sent.

  Then, the printer 14 obtains print data and attribute data from the decrypted job data, and prints the print data according to the attribute data (S304). When printing is completed, the decrypted print data is deleted from the storage device in the printer 14 (S305). The attribute data may also be deleted. By this deletion, the contents of the printed electronic document do not remain in the printer 14.

  Next, another example of the processing procedure of the printer driver 11 will be described. In this example, in addition to the printing restriction information, the strength of the electronic signature attached to the electronic document to be output is used for control. In this example, when the security level corresponding to the strength of the electronic signature attached to the electronic document can be established on the transmission path between the computer 10 and the printer 14, the user (the person who instructed printing) specified it. Allow printing under printing conditions. In other words, the distributor of an electronic document defines a transmission path security level as a standard for allowing users who use the electronic document to print without restriction on the printing conditions, and an electronic signature having a strength corresponding to that level. Is attached to the electronic document for distribution.

  Here, the strength of the electronic signature is, for example, the strength of an electronic certificate for verifying the electronic signature (that is, a certificate proving the public key corresponding to the private key used for the electronic signature). The strength of the electronic certificate can be defined by the key length of the public key indicated in the electronic certificate, for example. The longer the key length, the higher the strength.

  The strength of the electronic certificate can also be determined according to the reliability of the CA (certificate authority) that issued the electronic certificate. For example, it can be said that the strength of an electronic certificate issued by a “trusted CA” having a root certificate such as VeriSign is high, whereas an electronic certificate issued by an in-house CA established by a company is “trusted”. It can be said that the strength is lower than that of the “certified CA” certificate. It is conceivable to increase the strength of encryption as the strength of the electronic certificate determined from such a viewpoint is higher. It is also possible to define the strength for a combination of CA reliability and key length. In this case, a strength value may be assigned to a combination of CA and key length.

  A security level is associated with each value or rank of the electronic certificate strength (that is, electronic signature strength) defined in this way. In this example, the higher the signature strength of an electronic document, the higher the level of security required for the transmission path between the computer and the printer. In this way, the security level corresponding to the strength of the electronic signature is referred to as a necessary security level. Information on the correspondence between the strength of the electronic signature and the required security level is given to the printer driver 11 or placed in a storage location accessible from the printer driver 11.

  When the necessary security level corresponding to the strength of the electronic signature attached to the electronic document can be established on the transmission path between the computer 10 and the printer 14, the printer driver 11 prints designated by the user. Allow printing under conditions. On the other hand, if the necessary security level cannot be established on the transmission path, the printer driver 11 refers to the print restriction information included in the electronic document and performs the same processing as in the example of FIG. 6 or FIG.

  In this example, when the required security level is satisfied on the transmission path, the printing condition specified by the user is allowed. From another viewpoint, the printing condition is set to the security range of “required security level or higher”. Is “unlimited”, which can be regarded as a kind of printing restriction. If the angle is changed, the condition of unlimited can be regarded as a printing restriction in which each value of the printing condition has a value that is most advantageous to the user who can provide the printer 14 as a limiting value.

  An example of the processing procedure of the printer driver 11 in accordance with the concept of this example will be described with reference to FIGS.

  For example, the printer driver 11 is activated when a printing instruction is input from a user while an electronic document is opened with an editing or browsing application. The electronic document is to be printed. The printer driver 11 provides a user interface screen for designating various print setting items (print attributes) such as a print destination printer, a page range to be printed, the number of copies, and the like to the user. When the user inputs necessary print setting items on the screen, the printer driver 11 acquires the value of each input print setting item, the name of the user who instructed printing, the current time, and the like from the application or operating system. By describing in PJL, attribute data is created (S401). Further, the printer driver 11 creates print data by describing the print image of the electronic document to be printed in PDL that can be interpreted by the printer at the print destination (S402).

  Then, the printer driver 11 determines whether or not an electronic signature is attached to the electronic document to be printed (S403). If not attached, the printer driver 11 encrypts the attribute data (S404), and transmits the print data to the printer 14 without encryption (S413). The attribute data is encrypted by a predetermined encryption method that can be decrypted by the printer 14. The attribute data is encrypted here because the attribute data may include personal information such as a user name. Even when the electronic document does not have an electronic signature, the print data may be protected by encryption or the like on the transmission path between the computer 10 and the printer 14.

  When the electronic signature is attached to the electronic document to be printed, the printer driver 11 checks the strength of the electronic certificate corresponding to the electronic signature (S405). As is well known in the XML signature or the like, the digital signature data includes a public key certificate for verifying the digital signature or identification information uniquely indicating the certificate. If the certificate is included, the printer driver can determine the strength of the certificate (ie, the strength of the signature) based on the key length of the public key in the certificate and / or information on the issuer of the certificate. ). If the certificate is not included, the printer driver 11 may obtain a certificate corresponding to the identification information in the data of the electronic signature from the CA or the directory server, and obtain the strength of the certificate.

  When the strength of the certificate can be confirmed, the printer driver 11 obtains the necessary security level of the transmission path between the computer and the printer according to the strength (S406).

  Next, the printer driver 11 obtains a security level that can be established on the transmission path to the printer 14 (S408). The security level of the transmission line can be distinguished by the presence or absence of protection by SSL (Secure Socket Layer), for example. Even when protected by the same SSL, the strength is higher when the key length is 128 bits than when the key length is 40 bits. Based on the presence / absence of SSL and the SSL key length, the value of the security strength of the transmission path is defined. In step S408, the printer driver 11 inquires of the printer 14 whether or not communication is possible using various secure communication protocols (and / or usable key lengths) that can be used by the computer 10, and the printer 14 determines that communication is possible. The security level corresponding to (and / or key length) is set as the security level that can be established. When a plurality of such security levels are required, the highest level may be set as the security level that can be established. Then, it is determined whether or not the security level that can be established is equal to or higher than the necessary security level corresponding to the electronic signature of the electronic document (S409). If the security level that can be established is equal to or higher than the necessary security level, the printer driver 11 reflects the encryption strength and confidential print attribute values automatically set in step S407 on the user interface screen for setting print attributes. It is displayed (S411). Note that this step S411 is also unnecessary when adopting a procedure that does not automatically set confidential print attributes. Then, by establishing a communication session with the printer 14 using a communication protocol corresponding to the security level that can be established, a protected transmission path that satisfies the required security level is formed (S412). Then, the attribute data and the print data are transmitted (S413).

  On the other hand, if it is determined in step S409 that the security level that can be established does not satisfy the required security level, the process proceeds to step S420 in FIG. In step S420, the printer driver 11 may not be able to establish the required security level requested by the distributor of the electronic document between the computer and the printer on the display of the computer 10, and may not be able to print under the specified printing conditions. A driver UI (user interface) screen indicating that there is, etc. is displayed. On this UI screen, a GUI component (for example, a button) for instructing whether to stop printing or continue is displayed, and the user who has instructed printing uses the GUI component to instruct to stop or continue printing. can do. In step S421, an instruction from the user is determined.

  When receiving an instruction to cancel printing, the printer driver 11 performs processing for canceling printing of the electronic document (S422), and deletes the print job data (eg, attribute data and print data) created so far (S423). ).

  Conversely, when receiving an instruction to continue printing, the printer driver 11 executes the same processing as in FIG. That is, the printing restriction information is extracted from the electronic document to be printed (S424), and the restriction level corresponding to the security level that can be established in step S408 is obtained from the restriction levels indicated therein (S425). Then, UI screen information displaying the contents of the printing restriction corresponding to the restriction level is generated and displayed on the computer screen (S426), and the user is inquired whether to accept the printing restriction (S427). The printer driver 11 determines whether or not the user's answer to this inquiry is to accept printing restrictions (S428). If the answer is to accept, the printer driver 11 prints the attribute data generated in step S401. It changes according to the content of restriction (S429). Then, a transmission path having a security level that can be established is established with the printer 14 (S430), and job data is transmitted to the printer 14 via the transmission path (S431). Note that when the user accepts a printing condition that satisfies the printing restriction, the print data may be regenerated according to the printing condition. In other words, in this case, when the printing conditions according to the printing restrictions are lower than the printing conditions specified by the user, the image quality such as color and fineness is reduced, or the number of pages allowed to be printed is reduced. If the answer from the user does not accept the print restriction in step S428 for creating the print data indicating the image quality or the page image according to the print condition, the printer driver 11 stops printing the electronic document. (S422), and the job data created so far is deleted (S423).

  Next, a modified example of the procedure of FIG. 10 will be described with reference to FIG. In this procedure, steps S401 to S425 are the same as those shown in FIG. In this procedure, after step S425, the printer driver 11 determines whether or not the printing conditions specified by the user satisfy the printing restriction of the restriction level (S440), and if satisfied, transmission at the security level that can be established. A path is established (S444), and print data and attribute data are transmitted to the printer 14 via the transmission path (S445). If the designated printing conditions do not satisfy the printing restrictions, the user is inquired whether printing under the printing conditions satisfying the printing restrictions is acceptable (S441), and the answer to the inquiry is examined (S442). When the user accepts a printing condition that satisfies the printing restriction, the attribute data is changed according to the printing condition (S443), a transmission path is established (S444), and the attribute data and the printing data are transmitted to the printer 14. (S445). At this time, the print data may be regenerated according to the print restriction and transmitted to the printer 14. . If the print restriction is not accepted, processing for canceling printing is executed (S422), and the print job is deleted (S423).

  In each of the examples shown above, the security level that can be established on the transmission path between the computer 10 and the printer 14 of the user's computer 10 by the distributor of the electronic document that allows the user who wants to print the electronic document. Can be limited according to

  When the printing conditions specified by the user do not satisfy the printing restrictions according to the security level that can be established, printing may be performed after the printing conditions are forcibly changed according to the printing restrictions. However, since the user may determine that printing is not required under the degraded printing condition according to the printing restriction, in the above example, the user is inquired whether to accept the printing condition according to the printing restriction, and the inquiry result is included in the inquiry result. Accordingly, it was determined whether or not to perform printing.

  Also, when the user accepts printing under printing conditions that meet the printing restrictions according to the security level that can be established, print data is created that restricts the image quality of the image to be printed and the page range to be printed according to the printing conditions. By doing so, it is possible to control the quality and quantity of print data flowing through the transmission line according to the security level of the transmission line. Accordingly, for example, in the case of a transmission line with a low security level, only a relatively low level of qualitatively or quantitatively print data can flow through the transmission line. For example, in an environment where the security of the transmission path is relatively low, such as when a user uses a printer installed in a convenience store or home, the print data sent to the printer may be deteriorated qualitatively or quantitatively. The damage to the electronic document distributor when the print data is leaked can be reduced.

  In the above, the printer driver 11 has been taken as an example. However, there are programs that can send print data to the printer for printing other than the printer driver. This method is applicable.

  In the above, a printer is taken as an example, but there are various output devices for outputting an electronic document transmitted from a computer, such as a digital copying machine, a facsimile machine, and a digital multifunction machine, in addition to the printer. The methods of the above examples can be applied to general programs for creating job data necessary for outputting an electronic document to such an output device on a computer.

  As shown in FIG. 12, a computer 10 that executes a program such as a printer driver and a computer 16 that executes a distribution document creation application 17 include, as hardware, a CPU (central processing unit) 20, A memory (primary storage) 22, various I / O (input / output) interfaces 24, etc. are connected via a bus 26. Also, a drive 30 for reading portable non-volatile recording media of various standards such as an HDD (Hard Disk Drive) 28, a CD, a DVD, a flash memory, etc. is connected to the bus 26 via, for example, the I / O interface 24. Is done. Such a drive 28 or 30 functions as an external storage device for the memory 22. A program describing the processing contents of the above-described embodiment is stored in such an external storage device and installed in a computer. The program may be held in a ROM (read only memory) accessible from the CPU 20. The program stored in the external storage device is read into the memory 22 and executed by the CPU 20, or the program on the ROM is executed from the CPU 20, whereby the computer 10 or 16 process of the above-described embodiment is realized. The

It is a figure which shows the example of a structure of the system of embodiment. It is a figure which shows the function structure of a distribution document preparation application. It is a figure which shows the example of printing restriction information. It is a flowchart which shows an example of the process sequence of a distribution document preparation application. 2 is a diagram illustrating a functional configuration of a printer driver. FIG. 3 is a flowchart illustrating an example of a processing procedure of a printer driver. 6 is a flowchart illustrating another example of the processing procedure of the printer driver. 3 is a flowchart illustrating a processing procedure of a printer. 10 is a flowchart illustrating a part of another example of the processing procedure of the printer driver. 10 is a flowchart showing a continuation of the procedure of FIG. 9. 10 is a flowchart showing another example of a continuation of the procedure in FIG. 9. It is a figure which shows an example of the hardware constitutions of a computer.

Explanation of symbols

  10, 16 Computer, 11 Printer driver, 12 Network, 14 Printer, 17 Distribution document creation application.

Claims (8)

A program for causing a computer to execute a process for outputting an electronic document to an output device, wherein the process includes:
A first step of reading out output restriction information for determining output restriction based on a transmission path security level from an electronic document to be output;
A second step of obtaining a transmission path security level that can be established between a computer and an output device designated as an output destination of the electronic document to be output;
A third step of obtaining an output restriction corresponding to the established transmission path security level from the output restriction information, and controlling the output of the electronic document to be output from the output device according to the output restriction;
Having a program. The program according to claim 1,
The third step includes
If the output condition specified by the user satisfies the output restriction corresponding to the transmission security level that can be established, a sub-step for permitting output under the output condition;
The program characterized by having. The program according to claim 1,
The third step includes
If the output condition specified by the user deviates from the output limit corresponding to the transmission security level that can be established, a sub-step for inquiring the user whether or not an output according to the output limit is desired;
A sub-step that allows output according to the output restriction when the user replies to the inquiry,
The program characterized by having. The program according to claim 1,
In the third step, output data obtained by qualitatively or quantitatively degrading an electronic document according to an output limit corresponding to the transmission path security level that can be established is generated and transmitted to the output device.
A program characterized by that. The program according to claim 4,
The output limit defines the image quality,
In the third step, output data of image quality specified by the output restriction is created from the electronic document and transmitted to the output device.
A program characterized by that. The program according to claim 4,
The output restriction defines a portion of the electronic document that is permitted to be output,
In the third step, output data representing an image of a portion of the electronic document that is permitted to be output specified by the output restriction is created and transmitted to the output device.
A program characterized by that. A document output control apparatus that executes processing for causing an output device to output an electronic document,
Means for reading out output restriction information for determining output restriction based on a transmission line security level from an electronic document to be output;
Means for determining a transmission path security level that can be established between a computer and an output device designated as an output destination of the electronic document to be output;
Means for obtaining an output restriction corresponding to the transmission path security level that can be established from the output restriction information, and controlling the output of the output electronic document from the output device according to the output restriction;
A document output control device comprising: A document output control system comprising an electronic document creation device and a document output control device that executes processing for causing an output device to output an electronic document,
The electronic document creation device includes:
Means for receiving input of output restriction information for determining output restriction based on a transmission line security level;
Means for incorporating the input output restriction information into the electronic document;
With
The document output control device includes:
Means for reading out output restriction information for determining output restriction based on a transmission line security level from an electronic document to be output;
Means for determining a transmission path security level that can be established between a computer and an output device designated as an output destination of the electronic document to be output;
Means for obtaining an output restriction corresponding to the transmission path security level that can be established from the output restriction information, and controlling the output of the output electronic document from the output device according to the output restriction;
A document output control system.

Images