Method and system for computing digital certificate trust paths using transitive closures
First Claim
1. A method for processing digital certificates within a data processing system, the method comprising:
- determining a set of trust relations between a set of certificate authorities (CAs) in a trust web;
representing the set of trust relations in an adjacency matrix, wherein a cell in the adjacency matrix corresponds to a pair of certificate authorities;
performing a transitive closure computation on the adjacency matrix to generate a set of inter-CA trust path indicators that represent whether a trust path exists between a pair of certificate authorities; and
performing an all-pairs-shortest-paths computation on the adjacency matrix to generate multiple sets of shortest trust paths between the certificate authorities.
1 Assignment
0 Petitions
Accused Products
Abstract
A method, system, apparatus, and computer program product are presented for managing digital certificates. When entities need to engage in a secure transaction or open a secure communication link, they may exchange digital certificates in order to provide a public key or reference information to a public key for the opposing entity, thereby requiring validation of a received certificate. Rather than construct a trust path for each validation event, hierarchical certifications and peer-to-peer cross-certifications among a set of certificate authorities are represented by a set of trust relations, and trust path information is generated using a transitive closure computation and an “all pairs shortest paths” computation over the set of trust relations and then incrementally updated as the set of trust relations changes. Computations related to trust paths can be delegated to a central agent in a trust web.
-
Citations
36 Claims
-
1. A method for processing digital certificates within a data processing system, the method comprising:
-
determining a set of trust relations between a set of certificate authorities (CAs) in a trust web;
representing the set of trust relations in an adjacency matrix, wherein a cell in the adjacency matrix corresponds to a pair of certificate authorities;
performing a transitive closure computation on the adjacency matrix to generate a set of inter-CA trust path indicators that represent whether a trust path exists between a pair of certificate authorities; and
performing an all-pairs-shortest-paths computation on the adjacency matrix to generate multiple sets of shortest trust paths between the certificate authorities. - View Dependent Claims (2, 3)
-
-
4. An apparatus for processing digital certificates within a data processing system, the apparatus comprising:
-
means for determining a set of trust relations between a set of certificate authorities (CAs) in a trust web;
means for representing the set of trust relations in an adjacency matrix, wherein a cell in the adjacency matrix corresponds to a pair of certificate authorities;
means for performing a transitive closure computation on the adjacency matrix to generate a set of inter-CA trust path indicators that represent whether a trust path exists between a pair of certificate authorities; and
means for performing an all-pairs-shortest-paths computation on the adjacency matrix to generate multiple sets of shortest trust paths between the certificate authorities. - View Dependent Claims (5, 6)
-
-
7. A computer program product in a computer-readable medium for use in a data processing system for processing digital certificates, the computer program product comprising:
-
instructions for determining a set of trust relations between a set of certificate authorities (CAs) in a trust web;
instructions for representing the set of trust relations in an adjacency matrix, wherein a cell in the adjacency matrix corresponds to a pair of certificate authorities;
instructions for performing a transitive closure computation on the adjacency matrix to generate a set of inter-CA trust path indicators that represent whether a trust path exists between a pair of certificate authorities; and
instructions for performing an all-pairs-shortest-paths computation on the adjacency matrix to generate multiple sets of shortest trust paths between the certificate authorities. - View Dependent Claims (8, 9)
-
-
10. A method for operating certificate authorities within a data processing system, the method comprising:
-
establishing at a first certificate authority (CA) a trust relation with a second certificate authority; and
sending a trust relation update message to a central trust web agent, wherein the central trust web agent processes trust relation information for a set of certificate authorities within a trust web. - View Dependent Claims (11, 12, 13)
-
-
14. An apparatus for processing information related to operations of certificate authorities within a data processing system, the apparatus comprising:
-
means for establishing at a first certificate authority (CA) a trust relation with a second certificate authority; and
means for sending a trust relation update message to a central trust web agent, wherein the central trust web agent processes trust relation information for a set of certificate authorities within a trust web. - View Dependent Claims (15, 16, 17)
-
-
18. A computer program product in a computer-readable medium for use in a data processing system for processing information related to operations of certificate authorities within a data processing system, the computer program product comprising:
-
instructions for establishing at a first certificate authority (CA) a trust relation with a second certificate authority; and
instructions for sending a trust relation update message to a central trust web agent, wherein the central trust web agent processes trust relation information for a set of certificate authorities within a trust web. - View Dependent Claims (19, 20, 21)
-
-
22. A method for operating certificate authorities within a data processing system, the method comprising:
-
receiving at a central trust web agent from a certificate authority (CA) a trust relation update message, wherein the central trust web agent processes trust relation information for a set of certificate authorities within a trust web, and wherein the trust relation update message indicates a change in a set of trust relations for the certificate authority; and
modifying a set of trust relations for the set of certificate authorities within the trust web based on an indicated request in the trust relation update message. - View Dependent Claims (23, 24)
-
-
25. An apparatus for processing information related to operations of certificate authorities within a data processing system, the apparatus comprising:
-
means for receiving at a central trust web agent from a certificate authority (CA) a trust relation update message, wherein the central trust web agent processes trust relation information for a set of certificate authorities within a trust web, and wherein the trust relation update message indicates a change in a set of trust relations for the certificate authority; and
means for modifying a set of trust relations for the set of certificate authorities within the trust web based on an indicated request in the trust relation update message. - View Dependent Claims (26, 27)
-
-
28. A computer program product in a computer-readable medium for use in a data processing system for processing information related to operations of certificate authorities within a data processing system, the computer program product comprising:
-
instructions for receiving at a central trust web agent from a certificate authority (CA) a trust relation update message, wherein the central trust web agent processes trust relation information for a set of certificate authorities within a trust web, and wherein the trust relation update message indicates a change in a set of trust relations for the certificate authority; and
instructions for modifying a set of trust relations for the set of certificate authorities within the trust web based on an indicated request in the trust relation update message. - View Dependent Claims (29, 30)
-
-
31. A method for operating certificate authorities within a data processing system, the method comprising:
-
generating trust paths at a central trust web agent for certificate authorities in a trust web using a greed algorithm; and
disseminating the generated trust paths by the central trust web agent to the certificate authorities. - View Dependent Claims (32)
-
-
33. An apparatus for operating certificate authorities within a data processing system, the apparatus comprising:
-
means for generating trust paths at a central trust web agent for certificate authorities in a trust web using a greed algorithm; and
means for disseminating the generated trust paths by the central trust web agent to the certificate authorities. - View Dependent Claims (34)
-
-
35. A computer program product in a computer-readable medium for use in a data processing system for processing information related to operations of certificate authorities within a data processing system, the computer program product comprising:
-
instructions for generating trust paths at a central trust web agent for certificate authorities in a trust web using a greed algorithm; and
instructions for disseminating the generated trust paths by the central trust web agent to the certificate authorities. - View Dependent Claims (36)
-
Specification