Root certificate management system and method

US 20030014629A1
Filed: 07/16/2001
Published: 01/16/2003
Est. Priority Date: 07/16/2001
Status: Abandoned Application

First Claim

Patent Images

1. A method for validating a certificate comprising:

maintaining a multi-subscriber root certificate store containing subscriber identification data for a plurality of subscribers and data representing a plurality of root certificates associated with each of the plurality of subscribers;

receiving data representing a first certificate to be validated;

receiving first user identification data in connection with a request to validate the first certificate for a first user; and

obtaining, based on the received first user identification data, those root certificates trusted by the first user from the multi-root certificate store.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for validating a certificate maintains a multi-subscriber root certificate store, containing subscriber identification data for a plurality of subscribers along with data representing a plurality of root certificates, such as an index to root certificates or the root certificates themselves, associated with each of the plurality of subscribers. In one example, a table is stored containing specified root CA certificates for a plurality of subscribers in a network such as stored by a network element in a wireless radiotelephone network, or any other suitable wireless network. Subscriber units do not have a root CA store that contains pre-stored root CA certificates. Accordingly, memory is saved in the subscriber units. In addition, a separate server that stores the multi-subscribers root certificate store preferably carries out certificate path validation on behalf of the mobile units so that the wireless mobile unit need not carry out certificate path construction. Instead, a wireless mobile unit simply sends a certificate to be validated along with its subscriber ID data identifying the mobile unit or application to the multi-subscriber root certificate store server and waits for a “yes” or “no” answer from the server to determine whether the certificate is valid.

Citations

26 Claims

1. A method for validating a certificate comprising:
- maintaining a multi-subscriber root certificate store containing subscriber identification data for a plurality of subscribers and data representing a plurality of root certificates associated with each of the plurality of subscribers;
  
  receiving data representing a first certificate to be validated;
  
  receiving first user identification data in connection with a request to validate the first certificate for a first user; and
  
  obtaining, based on the received first user identification data, those root certificates trusted by the first user from the multi-root certificate store.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 15, 16, 17, 18, 19)
- - 2. The method of claim 1 including the step of providing data representing whether validation of the first certificate was successful based on a root certificate from those trusted by the first user as obtained from the multi-user root certificate store.
  - 3. The method of claim 1 including the step of validating, by a party other than the first user, the first certificate using a first root certificate from those obtained from the multi-root certificate store.
  - 4. The method of claim 3 wherein validating the first certificate includes constructing a certificate chain between the first certificate and the first root certificate and validating the integrity and correctness of each certificate in the chain.
  - 5. The method of claim 1 including providing a trusted first certificate validation response indicating whether the first certificate is valid.
  - 6. The method of claim 1 including the step of sending, by a client unit, user identification data for use in obtaining those root certificates trusted by the first user from the multi-root certificate store and sending the data representing a first certificate to be validated.
  - 7. The method of claim 1 including the step of sending, by a client unit, user identification data for use in obtaining those root certificates trusted by the first user from the multi-root certificate store and sending data representing an address associated with the multi-user root certificate store.
  - 8. The method of claim 1 wherein the step of maintaining the multi-user root certificate store containing user identification data for the plurality of subscribers and data representing the plurality of root certificates associated with each of the plurality of subscribers includes the step of storing a table containing user identification data for the plurality of subscribers and data representing the plurality of different classes of root certificates associated with each of the plurality of subscribers.
  - 9. The method of claim 5 including the step of verifying, by the first user, the trusted first certificate validation response indicating whether the first certificate is valid, without accessing a local root certificate store.
  - 10. The method of claim 5 wherein the trusted first certificate validation response is digitally signed by a server containing the multi-user root certificate store.
  - 11. The method of claim 1 including the step of sending a root certification authority certificate selection form containing a list of a plurality of root certification authority certificates, to the first user to allow the first user to select which root certificates in the list should be associated with the identification data of the first user.
  - 12. The method of claim 1 wherein the step of maintaining the multi-user root certificate store containing user identification data for the plurality of subscribers and data representing the plurality of root certificates associated with each of the plurality of subscribers includes the step of removing common root certificates for a plurality of listed users in response to a compromise of the root certificate.
  - 15. The method of claim 14 including the step of validating, by a party other than the first user, the first certificate using a first root certificate from those obtained from the multi-root certificate store.
  - 16. The method of claim 15 wherein validating the first certificate includes constructing a certificate chain between the first certificate and the first root certificate and validating the integrity and correctness of each certificate in the chain.
  - 17. The method of claim 14 wherein the step of maintaining the a multi-user root certificate store containing user identification data for the plurality of subscribers and data representing the plurality of root certificates associated with each of the plurality of subscribers includes the step of storing a table containing user identification data for the plurality of subscribers and data representing the plurality of different classes of root certificates associated with each of the plurality of subscribers.
  - 18. The method of claim 14 wherein the trusted first certificate validation response is digitally signed by a server containing the multi-user root certificate store.
  - 19. The method of claim 17 including the step of sending a root certification authority certificate selection form containing a list of a plurality of root certification authority certificates, to the first user to allow the first user to select which root certificates in the list should be associated with the identification data of the first user.

13. A method for validating a certificate comprising:
- sending, by a first wireless mobile unit, data representing a first certificate to be validated and unit identification data representing the first wireless mobile unit;
  
  receiving, by the first wireless mobile unit, a trusted first certificate validation response indicating whether the first certificate is valid based on a multi-user root certificate store containing user identification data for a plurality of wireless mobile units and data representing a plurality of root certificates associated with each of the wireless mobile units; and
  
  verifying, by the first wireless mobile unit, the trusted first certificate validation response indicating whether the first certificate is valid, without accessing a local root certificate store.

14. A method for validating a certificate comprising:
- maintaining a multi-user root certificate store containing user identification data for a plurality of subscribers and data representing a plurality of root certificates associated with each of the plurality of subscribers;
  
  sending, by a first user, a request to validate a first certificate that includes data representing the first certificate to be validated and user identification data for the fist user;
  
  receiving the request to validate the first certificate containing the data representing the first certificate to be validated and the user identification data;
  
  obtaining, based on the received first user identification data, those root certificates trusted by the first user from the multi-root certificate store; and
  
  receiving, by the first user, a trusted first certificate validation response indicating whether the first certificate is valid based on the multi-user root certificate store containing user identification data for a plurality of subscriber and data representing a plurality of root certificates associated with each of the users; and
  
  verifying, by the first user, the trusted first certificate validation response to determine whether the first certificate is valid, without accessing a local root certificate store.

20. A server comprising:
- a central root certificate managing module; and
  
  memory containing a multi-user root certificate store containing user identification data for a plurality of subscribers and data representing a plurality of root certificates associated with each of the plurality of subscribers;
  
  wherein the central root certificate managing module maintains the multi-user root certificate store by at least responding to subscriber requests to change root CA entries.
- View Dependent Claims (21, 22, 23, 25, 26)
- - 21. The server of claim 20 wherein the central root certificate managing module maintains the multi-user root certificate store by removing unacceptable root certificates that are common for a plurality of subscribers.
  - 22. The server of claim 20 including an interface operative to communicate with a wireless access protocol based gateway.
  - 23. The server of claim 20 including an interface operative to communicate with a third party root certificate validation provider.
  - 25. The wireless mobile unit of claim 24 wherein the cryptographic engine includes a digital signature verifier and wherein the memory contains a public key certificate associated with the central root certificate managing unit.
  - 26. The wireless mobile unit of claim 25 wherein the cryptographic engine sends data representing the certificate to be validated and unit identification data representing a user for the central root certificate managing unit;
    - receives a trusted first certificate validation response indicating whether the first certificate is valid based on a multi-user root certificate store containing user identification data for a plurality of wireless mobile units and data representing a plurality of root certificates associated with each of the wireless mobile units; and
      
      verifies the trusted first certificate validation response using the stored verification key associated with the central root certificate managing unit indicating whether the first certificate is valid, without accessing a local root certificate store.

24. A wireless mobile unit comprising:
- a cryptographic engine operative to determine whether a received certificate is valid without referencing a local root certificate store; and
  
  memory, operatively coupled to the cryptographic engine, containing at least data representing a verification key associated with a central root certificate managing unit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Entrust Technologies Limited
Original Assignee
Entrust Technologies Limited
Inventors
Zuccherato, Robert J.

Application Number

US09/906,504
Publication Number

US 20030014629A1
Time in Patent Office

Days
Field of Search
US Class Current

713/156
CPC Class Codes

H04L 2209/80 Wireless

H04L 9/3268 using certificate validatio...

Root certificate management system and method

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Root certificate management system and method

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links