System and method for shortening certificate chains
Abstract
A system and method for shortening a certificate chain to form a collapsed certificate. The certificate chain comprises a plurality of linked certificates issued by a corresponding plurality of entities. The certificate chain extends from a first entity, through at least one intermediate entity, to a target entity associated with certain predetermined information. The plurality of linked certificates in the certificate chain is converted by the first entity into a collapsed certificate that is signed by the first entity and includes the predetermined information and an identification of the at least one intermediate entity. By utilizing the collapsed certificate in place of the plurality of linked certificates in the certificate chain, bandwidth utilization within a network and certificate processing overhead are reduced.
23 Claims
1. A certification method, comprising the steps of:
acquiring a chain of linked certificates extending from a first entity, through at least one intermediate entity, to a second entity, the chain of linked certificates including a certificate signed by the intermediate entity vouching for predetermined information associated with the second entity; and
generating, from the chain of linked certificates, a collapsed certificate signed by the first entity vouching for the predetermined information associated with the second entity and including an identification of the at least one intermediate entity. (Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19.)
12. A method of determining whether access to a resource at a first node in a computer network should be granted to a client at a second node in the network in response to a request for access to the resource by the client, the method comprising the steps of:
receiving the request for access to the resource at the first node from the client at the second node, the request including a collapsed certificate signed by a first certification authority vouching for predetermined information of the client and including an identification of an intermediate certification authority that vouches for the client's predetermined information;
determining whether the identification of the intermediate certification authority matches an identifier contained in a certificate revocation list; and
in the event the identification of the intermediate certification authority matches an identifier contained in the certificate revocation list, receiving an indication at the first node that a certificate for the intermediate certification authority has been revoked and denying the client access to the resource.
14. A system for generating a collapsed certificate, the system comprising:
a memory including a computer program for acquiring a chain of linked certificates and for generating a collapsed certificate based on the respective linked certificates in the chain; and
a processor operative to execute the computer program, the computer program including program code for:
acquiring the chain of linked certificates extending from a first entity, through at least one intermediate entity, to a second entity, the chain of linked certificates including a certificate signed by the intermediate entity vouching for predetermined information of the second entity; and
generating, from the chain of linked certificates, the collapsed certificate signed by the first entity vouching for the predetermined information of the second entity and including an identification of the at least one intermediate entity.
16. A system for determining whether access to a resource at a first node in a computer network should be granted to a client at a second node in the network in response to a request for access to the resource by the client, the system comprising:
a server operative to:
receive the request for access to the resource at the first node from the client at the second node, the request including a collapsed certificate signed by a first certification authority vouching for predetermined information of the client and including an identification of an intermediate certification authority that vouches for the client's predetermined information;
determine whether the identification of the intermediate certification authority matches an identifier contained in a certificate revocation list; and
in the event the identification of the intermediate certification authority matches an identifier contained in the certificate revocation list, receive an indication at the first node that a certificate for the intermediate certification authority has been revoked and deny the client access to the resource.
18. A computer program product including a computer readable medium, the computer readable medium having a computer program stored thereon for generating a collapsed certificate, the computer program being executable by a processor and comprising:
program code operative to:
acquire a chain of linked certificates extending from a first entity, through at least one intermediate entity, to a second entity, the chain of linked certificates including a certificate signed by the intermediate entity vouching for predetermined information of the second entity; and
generate, from the chain of linked certificates, a collapsed certificate signed by the first entity vouching for the predetermined information of the second entity and including an identification of the at least one intermediate entity.
20. A computer data signal, the computer data signal including a computer program for use in generating a collapsed certificate, the computer program comprising:
program code operative to:
acquire a chain of linked certificates extending from a first entity, through at least one intermediate entity, to a second entity, the chain of linked certificates including a certificate signed by the intermediate entity vouching for predetermined information of the second entity; and
generate, from the chain of linked certificates, a collapsed certificate signed by the first entity vouching for the predetermined information of the second entity and including an identification of the at least one intermediate entity. (Dependent claim: 21.)
22. An apparatus for generating a collapsed certificate, comprising:
means for acquiring a chain of linked certificates extending from a first entity, through at least one intermediate entity, to a second entity, the chain of linked certificates including a certificate signed by the intermediate entity vouching for predetermined information of the second entity; and
means for generating, from the chain of linked certificates, a collapsed certificate signed by the first entity vouching for the predetermined information of the second entity and including an identification of the at least one intermediate entity. (Dependent claim: 23.)
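How the collapse of claim 1 and the revocation check of claim 12 fit together, as an added Python example that is not part of the patent or any product it describes. Signatures are stood in for by HMAC-SHA256 keyed by each issuer's secret so the script is self-contained (an assumption; a real deployment would use public-key signatures), and the entity names, keys and chain are constructed.

```python
import hashlib
import hmac
import json

# Toy stand-in for a digital signature: HMAC-SHA256 over the canonical body,
# keyed by the issuer's secret (assumption made for a self-contained example).
def _sign(key: bytes, body: dict) -> str:
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def make_cert(issuer: str, subject: str, info: dict, key: bytes) -> dict:
    body = {"issuer": issuer, "subject": subject, "info": info}
    return {"body": body, "sig": _sign(key, body)}

def verify_chain(chain: list, keys: dict) -> bool:
    """Each link must be signed by its issuer, and its subject must issue the next link."""
    for i, cert in enumerate(chain):
        body = cert["body"]
        if body["issuer"] not in keys:
            return False
        if not hmac.compare_digest(cert["sig"], _sign(keys[body["issuer"]], body)):
            return False
        if i + 1 < len(chain) and chain[i + 1]["body"]["issuer"] != body["subject"]:
            return False
    return bool(chain)

def collapse_chain(chain: list, keys: dict) -> dict:
    """Claim 1: the first entity re-signs the target's info and names every intermediate."""
    if not verify_chain(chain, keys):
        raise ValueError("chain does not verify; refusing to collapse")
    first = chain[0]["body"]["issuer"]
    leaf = chain[-1]["body"]
    body = {"issuer": first, "subject": leaf["subject"], "info": leaf["info"],
            "intermediates": [c["body"]["issuer"] for c in chain[1:]]}
    return {"body": body, "sig": _sign(keys[first], body)}

def grant_access(collapsed: dict, keys: dict, crl: set) -> bool:
    """Claim 12: check only the first entity's signature, then deny if a named intermediate is revoked."""
    body = collapsed["body"]
    key = keys.get(body["issuer"])
    if key is None or not hmac.compare_digest(collapsed["sig"], _sign(key, body)):
        return False
    return not any(ca in crl for ca in body.get("intermediates", []))

# Constructed sample chain RootCA -> SubCA -> client42 (names and keys are made up).
KEYS = {"RootCA": b"root-secret", "SubCA": b"sub-secret"}
SAMPLE_CHAIN = [
    make_cert("RootCA", "SubCA", {"role": "intermediate CA"}, KEYS["RootCA"]),
    make_cert("SubCA", "client42", {"role": "reader"}, KEYS["SubCA"]),
]
```

The resource node in `grant_access` needs only the first entity's key, which is the bandwidth and processing saving the abstract describes, while the embedded intermediate identifiers keep the CRL check for the dropped links intact.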