Apparatus and method for managing digital certificates

US 10,630,489 B2
Filed: 01/15/2016
Issued: 04/21/2020
Est. Priority Date: 03/25/2015
Status: Active Grant

First Claim

Patent Images

1. A method for managing user identity, the method comprising:

establishing a connection secured with Transport Layer Security (TLS) from a client device to an Identity Registration Protocol (IRP) server;

authenticating, at the IRP server, user login via the client device, with Strong Client Authentication (SCA) or Username/Password Authentication (UPA);

upon request from the client device via the secured connection, registering or retrieving at the IRP server user identity information comprising user information, and an Internet Protocol (IP) address of the client device;

upon request from the client device via the secure connection, registering or retrieving at the IRP server one or more digital certificate;

sending as part of a request from the client device to the IRP server a Certificate Signing Request (CSR) via the secured connection;

upon request from the client device via the secured connection, returning a signed digital certificate from the IRP server to the client device via the secured connection;

sending a PKCS #12 package as part of a request from the client device to the IRP server via the secured connection;

upon request from the client device via the secured connection, returning the PKCS #12 package from the IRP server to the client device via the secured connection;

upon a request for certificate validity status or revocation status of the digital certificate from the client device via the secured connection, determining at the IRP server a user identifier from a user'"'"'s digital certificate;

determining at the IRP server a domain name of a second IRP server from the user identifier;

performing at the IRP server a Domain Name Server (DNS) SRV look up based on the domain name of the second IRP server;

obtaining from the DNS SRV look up a hostname of the second IRP server at the IRP server;

establishing a connection secured with TLS from the IRP server to the second IRP server;

authenticating at the second IRP server user login via the IRP server;

forwarding from the IRP server the request for certificate validity status or revocation status of the digital certificate to the second IRP server;

sending the certificate validity status or revocation status of the digital certificate from the second IRP server to the IRP server; and

sending the certificate validity status or revocation status of the digital certificate from IRP server to the client device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and a method for managing user identity, the method comprising: establishing a connection secured with Transport Layer Security (TLS) from a client device to an IRP server; authenticating, at the IRP server, user login via the client device, with Strong Client Authentication (SCA) or Username/Password Authentication (UPA); upon request from the client device, registering or retrieving at the IRP server user identity information comprising user information, and an Internet Protocol (IP) address of the client device; upon request from the client device, registering or retrieving at the IRP server one or more digital certificate; sending from the client device to the IRP server a Certificate Signing Request (CSR) via the secured connection; upon request from the client device, returning a signed digital certificate from the IRP server to the client device; sending a PKCS #12 package from the client device to the IRP server; and upon request from the client device, returning a PKCS #12 package from the IRP server to the client device.

Citations

13 Claims

1. A method for managing user identity, the method comprising:
- establishing a connection secured with Transport Layer Security (TLS) from a client device to an Identity Registration Protocol (IRP) server;
  
  authenticating, at the IRP server, user login via the client device, with Strong Client Authentication (SCA) or Username/Password Authentication (UPA);
  
  upon request from the client device via the secured connection, registering or retrieving at the IRP server user identity information comprising user information, and an Internet Protocol (IP) address of the client device;
  
  upon request from the client device via the secure connection, registering or retrieving at the IRP server one or more digital certificate;
  
  sending as part of a request from the client device to the IRP server a Certificate Signing Request (CSR) via the secured connection;
  
  upon request from the client device via the secured connection, returning a signed digital certificate from the IRP server to the client device via the secured connection;
  
  sending a PKCS #12 package as part of a request from the client device to the IRP server via the secured connection;
  
  upon request from the client device via the secured connection, returning the PKCS #12 package from the IRP server to the client device via the secured connection;
  
  upon a request for certificate validity status or revocation status of the digital certificate from the client device via the secured connection, determining at the IRP server a user identifier from a user'"'"'s digital certificate;
  
  determining at the IRP server a domain name of a second IRP server from the user identifier;
  
  performing at the IRP server a Domain Name Server (DNS) SRV look up based on the domain name of the second IRP server;
  
  obtaining from the DNS SRV look up a hostname of the second IRP server at the IRP server;
  
  establishing a connection secured with TLS from the IRP server to the second IRP server;
  
  authenticating at the second IRP server user login via the IRP server;
  
  forwarding from the IRP server the request for certificate validity status or revocation status of the digital certificate to the second IRP server;
  
  sending the certificate validity status or revocation status of the digital certificate from the second IRP server to the IRP server; and
  
  sending the certificate validity status or revocation status of the digital certificate from IRP server to the client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 10, 11)
- - 2. The method as claimed in claim 1, wherein messages exchanged between the IRP server and the client device via the secured connection are semantically defined in Extensible Markup Language (XML) format.
  - 3. The method as claimed in claim 1, wherein the method comprises:
    - sending as part of a request from the client device to the IRP server a request to revoke a digital certificate.
  - 4. The method as claimed in claim 1, wherein the method comprises:
    - upon request from the client device via the secured connection, sending validity status or revocation status of a digital certificate from the IRP server to the client device via the secured connection.
  - 5. The method as claimed in claim 1, wherein the method comprises:
    - if the SCA is unsuccessful, enabling UPA at the IRP server upon request to allow authentication of the user login via UPA.
  - 6. The method as claimed in claim 1, wherein the method comprises:
    - disabling UPA at the IRP server for user authentication when a digital certificate for SCA is obtained by the client device from the IRP server.
  - 7. The method as claimed in claim 1, wherein the method comprises:
    - enabling UPA at the IRP server for a predetermined time period; and
      
      disabling the UPA at the IRP server after the predetermined time period.
  - 10. The method as claimed in claim 1, wherein the method comprises:
    - upon a request for user identity information from the client device via the secured connection, determining at the IRP server a user identifier from the requested user identity information;
      
      determining at the IRP server a domain name of a third IRP server from the user identifier;
      
      performing at the IRP server a Domain Name Server (DNS) SRV look up based on the domain name of the third IRP server;
      
      obtaining from the DNS SRV look up a hostname of the third IRP server at the IRP server;
      
      establishing a connection secured with TLS from the IRP server to the third IRP server;
      
      authenticating at the third IRP server user login via the IRP server;
      
      forwarding from the IRP server the request for user identity information to the third IRP server;
      
      sending the user identity information from the third IRP server to the IRP server; and
      
      sending the user identity information from IRP server to the client device.
  - 11. The method as claimed in claim 1, wherein the method comprises:
    - upon request from the client device via the secured connection, returning from the IRP server to the client device a list of Certificate hierarchies on a Certification Authority via the secured connection; and
      
      upon request from the client device via the secured connection, returning from the IRP server to the client device Certification Authority certificates via the secured connection.

8. The method as claimed in 6, wherein the method comprises:
- encrypting a password used for the UPA when the UPA is disabled; and
  
  decrypting the password used for the UPA when the UPA is enabled.

9. The method as claimed in 7, wherein the method comprises:
- encrypting a password used for the UPA when the UPA is disabled; and
  
  decrypting the password used for the UPA when the UPA is enabled.

12. An apparatus for managing user identity, the apparatus comprising:
- one or more hardware processors configured to execute program codes to control the apparatus to;
  
  establish a connection secured with Transport Layer Security (TLS) from a client device to the apparatus;
  
  authenticate user login via the client device, with Strong Client Authentication (SCA) or Username/Password Authentication (UPA);
  
  upon request from the client device via the secured connection, register or retrieve user identity information comprising user information, and an Internet Protocol (IP) address of the client device;
  
  upon request from the client device via the secure connection, register or retrieve one or more digital certificate;
  
  receive as part of a request from the client device a Certificate Signing Request (CSR) via the secured connection;
  
  upon request from the client device via the secured connection, return a signed digital certificate to the client device via the secured connection;
  
  receive a PKCS #12 package as part of a request from the client device via the secured connection; and
  
  upon request from the client device via the secured connection, return the PKCS #12 package to the client device via the secured connections;
  
  upon a request for certificate validity status or revocation status of the digital certificate from the client device via the secured connection, determining at the IRP server a user identifier from a user'"'"'s digital certificate;
  
  determining at the IRP server a domain name of a second IRP server from the user identifier;
  
  performing at the IRP server a Domain Name Server (DNS) SRV look up based on the domain name of the second IRP server;
  
  obtaining from the DNS SRV look up a hostname of the second IRP server at the IRP server;
  
  establishing a connection secured with TLS from the IRP server to the second IRP server;
  
  authenticating at the second IRP server user login via the IRP server;
  
  forwarding from the IRP server the request for certificate validity status or revocation status of the digital certificate to the second IRP server;
  
  sending the certificate validity status or revocation status of the digital certificate from the second IRP server to the IRP server; and
  
  sending the certificate validity status or revocation status of the digital certificate from IRP server to the client device.

13. A non-transitory computer-readable medium storing a program causing a computer to execute a method for managing user identity, the method comprising:
- establishing a connection secured with Transport Layer Security (TLS) from a client device to an Identity Registration Protocol (IRP) server;
  
  authenticating, at the IRP server, user login via the client device, with Strong Client Authentication (SCA) or Username/Password Authentication (UPA);
  
  upon request from the client device via the secured connection, registering or retrieving at the IRP server user identity information comprising user information, and an Internet Protocol (IP) address of the client device;
  
  upon request from the client device via the secure connection, registering or retrieving at the IRP server one or more digital certificate;
  
  sending as part of a request from the client device to the IRP server a Certificate Signing Request (CSR) via the secured connection;
  
  upon request from the client device via the secured connection, returning a signed digital certificate from the IRP server to the client device via the secured connection;
  
  sending a PKCS #12 package as part of a request from the client device to the IRP server via the secured connection; and
  
  upon request from the client device via the secured connection, returning the PKCS #12 package from the IRP server to the client device via the secured connection;
  
  upon a request for certificate validity status or revocation status of the digital certificate from the client device via the secured connection, determining at the IRP server a user identifier from a user'"'"'s digital certificate;
  
  determining at the IRP server a domain name of a second IRP server from the user identifier;
  
  performing at the IRP server a Domain Name Server (DNS) SRV look up based on the domain name of the second IRP server;
  
  obtaining from the DNS SRV look up a hostname of the second IRP server at the IRP server;
  
  establishing a connection secured with TLS from the IRP server to the second IRP server;
  
  authenticating at the second IRP server user login via the IRP server;
  
  forwarding from the IRP server the request for certificate validity status or revocation status of the digital certificate to the second IRP server;
  
  sending the certificate validity status or revocation status of the digital certificate from the second IRP server to the IRP server; and
  
  sending the certificate validity status or revocation status of the digital certificate from IRP server to the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sixscape Communications Pte Ltd.
Original Assignee
Sixscape Communications Pte Ltd.
Inventors
Hughes, Lawrence
Primary Examiner(s)
Nipa, Wasika

Application Number

US15/767,112
Publication Number

US 20190074982A1
Time in Patent Office

1,558 Days
Field of Search
US Class Current
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 9/0863   involving passwords or one-...

H04L 9/3242   involving keyed hash functi...

H04L 9/3249   using RSA or related signat...

H04L 9/3268   using certificate validatio...

Apparatus and method for managing digital certificates

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for managing digital certificates

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links