Credentials and digitally signed objects

US 20040162985A1
Filed: 02/19/2003
Published: 08/19/2004
Est. Priority Date: 02/19/2003
Status: Active Grant

First Claim

Patent Images

1. A method for managing objects through credentials, the method comprising actions of:

signing an object with a credential to produce a signed object;

storing at least one entry in a database, the at least one entry linking an object identifier representing the signed object to at least one aspect of the credential;

accessing the database at the at least one entry using the object identifier to retrieve the at least one aspect of the credential; and

causing the credential to be revoked using the at least one aspect of the credential.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Object management is facilitated by signing objects with credentials and through noting and/or using an association between the signed objects and the signing credentials. In an exemplary method implementation, actions include: signing an object with a credential to produce a signed object and noting an association between an object identifier that represents the signed object and the credential. In another exemplary method implementation, actions include: receiving a revocation request for a signed object; accessing a database at an entry for the signed object to retrieve an associated credential, the associated credential having been used to sign an object to produce the signed object; and causing the associated credential to be revoked. In an exemplary electronically-accessible media implementation, a data structure thereof includes: at least one entry that associates a credential with an object identifier, the object identifier representing a signed object that was signed by the credential.

55 Citations

View as Search Results

87 Claims

1. A method for managing objects through credentials, the method comprising actions of:
- signing an object with a credential to produce a signed object;
  
  storing at least one entry in a database, the at least one entry linking an object identifier representing the signed object to at least one aspect of the credential;
  
  accessing the database at the at least one entry using the object identifier to retrieve the at least one aspect of the credential; and
  
  causing the credential to be revoked using the at least one aspect of the credential.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as recited in claim 1, further comprising the actions of:
    - receiving a sign object request from a submitter; and
      
      providing the signed object to the submitter.
  - 3. The method as recited in claim 1, wherein the at least one aspect of the credential comprises a credential identifier of the credential.
  - 4. The method as recited in claim 3, wherein the credential identifier of the credential comprises a serial number that comports with an X.509-compliant standard.
  - 5. The method as recited in claim 1, wherein the action of causing comprises the action of:
    - sending a credential revocation request that includes the at least one aspect of the credential to a credential authority.
  - 6. The method as recited in claim 1, further comprising the actions of:
    - receiving a signed object cancellation request from a submitter; and
      
      providing a signed object cancellation confirmation to the submitter.
  - 7. One or more electronically-accessible media comprising electronically-executable instructions that, when executed, direct an electronic apparatus to perform the method as recited in claim 1.

8. One or more electronically-accessible media comprising a data structure, the data structure comprising:
- a plurality of fields that are directed to multiple credentials; and
  
  a plurality of fields that are directed to multiple object identifiers, each object identifier of the multiple object identifiers corresponding to a signed object that has been signed by a credential of the multiple credentials;
  
  wherein each field of the plurality of fields that are directed to the multiple object identifiers is associated with a field of the plurality of fields that are directed to the multiple credentials.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The one or more electronically-accessible media comprising the data structure as recited in claim 8, wherein each field of the plurality of fields that are directed to the multiple credentials is associated with at least one field of the plurality of fields that are directed to the multiple object identifiers.
  - 10. The one or more electronically-accessible media comprising the data structure as recited in claim 8, wherein the data structure comprises a database;
    - and wherein (i) a field of the plurality of fields that are directed to the multiple credentials and (ii) an associated field of the plurality of fields that are directed to the multiple object identifiers together comprise an entry of the database.
  - 11. The one or more electronically-accessible media comprising the data structure as recited in claim 8, wherein there is a one-to-one correspondence between each field of the plurality of fields that are directed to the multiple object identifiers and each associated field of the plurality of fields that are directed to the multiple credentials.
  - 12. The one or more electronically-accessible media comprising the data structure as recited in claim 8, wherein there is a one-to-one correspondence between each object identifier of the multiple object identifiers and each credential of the multiple credentials.
  - 13. The one or more electronically-accessible media comprising the data structure as recited in claim 8, wherein at least one field of the plurality of fields that are directed to the multiple credentials includes a credential identifier.
  - 14. The one or more electronically-accessible media comprising the data structure as recited in claim 8, wherein at least one field of the plurality of fields that are directed to the multiple credentials includes at least one of a time span, an entity name, and a public key.
  - 15. The one or more electronically-accessible media comprising the data structure as recited in claim 8, wherein at least one field of the plurality of fields that are directed to the multiple object identifiers includes a hash value of a signed object that the object identifier of the at least one field represents.
  - 16. The one or more electronically-accessible media comprising the data structure as recited in claim 8, wherein at least one field of the plurality of fields that are directed to the multiple object identifiers includes at least one of a title of a signed object that the object identifier of the at least one field represents, the entirety of the signed object, a textual abstract of the signed object, and a reference to the signed object.

17. One or more electronically-accessible media comprising a data structure, the data structure comprising:
- at least one entry that associates a credential with an object identifier, the object identifier representing a signed object that was signed by the credential.
- View Dependent Claims (18)
- - 18. The one or more electronically-accessible media comprising the data structure as recited in claim 17, wherein the credential comprises a certificate that comports with an X.509-compliant standard.

19. A method for enabling object management, the method comprising actions of:
- signing an object with a credential to produce a signed object; and
  
  noting an association between an object identifier that represents the signed object and the credential.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The method as recited in claim 19, wherein the method is effectuated using a computing system.
  - 21. The method as recited in claim 19, wherein the object comprises at least one of software code, a program, a routine, a document, a transaction, a contract, a driver, an active web control, a file, and any executable component.
  - 22. The method as recited in claim 19, wherein the action of signing comprises the action of:
    - digitally signing the object with a private key that corresponds to a public key of the credential.
  - 23. The method as recited in claim 19, wherein the action of noting comprises the action of:
    - noting the association between the object identifier and at least a credential identifier of the credential.
  - 24. The method as recited in claim 19, wherein the action of noting comprises the action of:
    - recording the association between the object identifier and the credential in at least one data structure.
  - 25. The method as recited in claim 19, wherein the action of noting comprises the action of:
    - sending the association between the object identifier and the credential over at least one transmission media.
  - 26. One or more electronically-accessible media comprising electronically-executable instructions that, when executed, direct an electronic apparatus to perform the method as recited in claim 19.

27. A method for enabling object management, the method comprising actions of:
- receiving a sign object request from a submitter;
  
  signing an object with a credential to produce a signed object responsive to the sign object request;
  
  storing at least one entry in a database, the at least one entry linking the signed object to the credential; and
  
  providing the signed object to the submitter.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 28. The method as recited in claim 27, wherein the method is performed by a security unit that is part of an entity.
  - 29. The method as recited in claim 28, wherein the submitter is also part of the entity.
  - 30. The method as recited in claim 27, wherein the action of receiving involves at least one security protocol.
  - 31. The method as recited in claim 27, wherein the action of receiving comprises the action of:
    - receiving the object from the submitter along with or as part of the sign object request.
  - 32. The method as recited in claim 27, further comprising the action of:
    - requisitioning the credential from a pool of unused credentials.
  - 33. The method as recited in claim 27, further comprising the action of:
    - requesting the credential from a credential authority responsive to the action of receiving.
  - 34. The method as recited in claim 27, wherein the action of signing comprises the action of:
    - signing the object with a private key that corresponds to a public key of the credential to produce the signed object.
  - 35. The method as recited in claim 27, wherein the action of signing comprises the action of:
    - signing the object with at least a credential identifier of the credential to produce the signed object.
  - 36. The method as recited in claim 27, further comprising the action of:
    - determining a hash value by applying a hashing function to at least one of the object and the signed object;
      
      wherein the action of storing comprises the action of;
      
      storing the hash value in the at least one entry in the database.
  - 37. The method as recited in claim 27, wherein the action of storing comprises the action of:
    - storing in the at least one entry an object identifier that represents the signed object and a credential identifier of the credential.
  - 38. The method as recited in claim 27, wherein the action of storing comprises the action of:
    - storing in the at least one entry (i) an object identifier that represents the signed object and (ii) a credential identifier, a time span, and at least one key of the credential.
  - 39. One or more electronically-accessible media comprising electronically-executable instructions that, when executed, direct an electronic apparatus to perform the method as recited in claim 27.

40. A method for enabling object management, the method comprising actions of:
- receiving a revocation request for a signed object;
  
  accessing a database at an entry for the signed object to retrieve an associated credential, the associated credential having been used to sign an object to produce the signed object; and
  
  causing the associated credential to be revoked.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48, 49, 50)
- - 41. The method as recited in claim 40, wherein the method is performed by a security unit that is part of an entity.
  - 42. The method as recited in claim 40, wherein the action of receiving comprises the action of:
    - receiving the revocation request electronically from a submitter.
  - 43. The method as recited in claim 42, wherein the method is performed by a security unit that is part of an entity;
    - and wherein the submitter is also part of the entity.
  - 44. The method as recited in claim 40, wherein the revocation request comprises a request to cancel the viability of the signed object.
  - 45. The method as recited in claim 40, further comprising the actions of:
    - discovering that the viability of the signed object should be terminated; and
      
      sending the revocation request for the signed object responsive to the discovering.
  - 46. The method as recited in claim 40, wherein the revocation request includes an object identifier that represents the signed object;
    - and wherein the action of accessing comprises the action of;
      
      locating the entry for the signed object in the database using the object identifier.
  - 47. The method as recited in claim 46, wherein the object identifier comprises at least one of (i) a title of the object or the signed object, (ii) a description/abstract/summary/table of contents/index of the object or the signed object, (iii) the entirety of the object or the signed object, and (iv) a hash value resulting from application of a hashing function to the object or the signed object.
  - 48. The method as recited in claim 40, wherein the action of causing comprises the action of:
    - sending a revocation request for the associated credential to a credential authority, the revocation request including at least a credential identifier of the associated credential.
  - 49. The method as recited in claim 48, wherein the credential identifier of the associated credential comprises a serial number that comports with an X.509-compliant standard.
  - 50. One or more electronically-accessible media comprising electronically-executable instructions that, when executed, direct an electronic apparatus to perform the method as recited in claim 40.

51. An arrangement for creating a signed object, the arrangement comprising:
- signing means for signing an object with a credential to produce a signed object; and
  
  storing means for storing an object identifier that represents the signed object in association with the credential.
- View Dependent Claims (52, 53, 54, 55, 56, 57, 58, 59, 60, 61)
- - 52. The arrangement as recited in claim 51, wherein the arrangement comprises at least one computer.
  - 53. The arrangement as recited in claim 51, wherein the arrangement comprises at least one electronically-accessible media.
  - 54. The arrangement as recited in claim 51, wherein the signing means comprises one or more processors that are programmed to implement at least one public-key infrastructure (PKI) mechanism.
  - 55. The arrangement as recited in claim 51, wherein the signing means utilizes at least one private key of a public-private key pair.
  - 56. The arrangement as recited in claim 51, wherein the storing means comprises one or more storage media.
  - 57. The arrangement as recited in claim 51, wherein the storing means comprises at least one database.
  - 58. The arrangement as recited in claim 51, wherein the storing means comprises at least one database that includes a plurality of entries, at least one entry of the plurality of entries linking the object identifier that represents the signed object to the credential.
  - 59. The arrangement as recited in claim 51, further comprising:
    - acquiring means for acquiring the credential.
  - 60. The arrangement as recited in claim 59, wherein the acquiring means comprises:
    - requesting means for requesting the credential from a credential authority.
  - 61. The arrangement as recited in claim 59, wherein the acquiring means comprises:
    - requisitioning means for requisitioning the credential from a pool of unused credentials.

62. An arrangement for managing objects, the arrangement comprising:
- ascertaining means for ascertaining a credential that is associated with a signed object, the credential associated with the signed object because the credential was used to sign an object to produce the signed object; and
  
  revoking means for causing the credential to be revoked.
- View Dependent Claims (63, 64, 65, 66, 67, 68, 69, 70, 71)
- - 63. The arrangement as recited in claim 62, further comprising:
    - signing means for signing the object with the credential to produce the signed object; and
      
      storing means for storing an object identifier that represents the signed object in association with the credential.
  - 64. The arrangement as recited in claim 62, wherein the ascertaining means comprises database means for storing associations between credentials and signed objects.
  - 65. The arrangement as recited in claim 62, wherein the object and the signed object comprise at least one of software code, a program, a routine, a document, a transaction, a contract, a driver, an active web control, a file, and any executable component.
  - 66. The arrangement as recited in claim 62, wherein the ascertaining means comprises database means for retrieving the credential that is associated with the signed object.
  - 67. The arrangement as recited in claim 62, wherein the ascertaining means comprises database means for retrieving the credential that is associated with the signed object using an object identifier that represents the signed object.
  - 68. The arrangement as recited in claim 67, wherein the object identifier comprises at least one of (i) a title of the object or the signed object, (ii) a description/abstract/summary/table of contents/index of the object or the signed object, (iii) the entirety of the object or the signed object, and (iv) a hash value resulting from application of a hashing function to the object or the signed object.
  - 69. The arrangement as recited in claim 62, wherein the arrangement comprises at least one server computer.
  - 70. The arrangement as recited in claim 62, wherein the arrangement comprises at least one electronically-accessible media.
  - 71. The arrangement as recited in claim 62, further comprising:
    - transmission media interface means for interfacing with at least one of (i) a central authority and (ii) a submitter of a revocation request, the revocation request identifying the signed object.

72. A system for managing object viability through credentials, the system comprising:
- one or more media, the one or more media including signed-object-canceller electronically-executable instructions and a database linking credentials to signed objects; and
  
  one or more processors, the one or more processors capable of executing the electronically-executable instructions to perform actions comprising;
  
  accessing the database using an object identifier that represents a signed object to retrieve a credential that is linked thereto; and
  
  causing the credential to be revoked.
- View Dependent Claims (73, 74, 75, 76, 77, 78)
- - 73. The system as recited in claim 72, wherein the credential comprises a credential identifier.
  - 74. The system as recited in claim 72, wherein the credential comprises a credential identifier and an entity name.
  - 75. The system as recited in claim 72, wherein the credential comprises a credential identifier, an entity name, and an indication of a credential authority that issued the credential.
  - 76. The system as recited in claim 72, wherein the one or more media comprise at least one of (i) one or more storage media and (ii) one or more transmission media and/or transmission media adapters.
  - 77. The system as recited in claim 72, wherein the one or more media further include object-signer electronically-executable instructions;
    - and wherein the one or more processors are further capable of executing the electronically-executable instructions to perform an action comprising;
      
      signing an object using the credential to produce the signed object.
  - 78. The system as recited in claim 72, wherein the one or more media further include signed-object-creator electronically-executable instructions;
    - and wherein the one or more processors are further capable of executing the electronically-executable instructions to perform an action comprising;
      
      storing the object identifier as linked to the credential in at least one entry of the database.

79. A method for individual signed object management, the method comprising actions of:
- removing a sign object request from a request queue, the sign object request including or referencing an object;
  
  minting a new credential, the new credential including a credential identifier;
  
  signing the object with the new credential to produce a signed object; and
  
  recording the signed object in association with the new credential in a data structure.
- View Dependent Claims (80, 81, 82, 83, 84, 85, 86, 87)
- - 80. The method as recited in claim 79, wherein the new credential comprises a certificate that comports with an X.509-compliant standard.
  - 81. The method as recited in claim 79, wherein the action of recording comprises the action of:
    - linking an object identifier for the signed object to at least the credential identifier of the new credential in a database.
  - 82. The method as recited in claim 79, wherein the action of minting comprises the actions of:
    - requesting the new credential from a credential authority; and
      
      receiving the new credential from the credential authority.
  - 83. One or more electronically-accessible media comprising electronically-executable instructions that, when executed, direct an electronic apparatus to perform the method as recited in claim 79.
  - 84. The method as recited in claim 79, wherein the action of minting comprises the action of:
    - issuing, by a credential authority, the new credential.
  - 85. The method as recited in claim 79, wherein the action of minting comprises the action of:
    - selecting the new credential.
  - 86. The method as recited in claim 79, further comprising the action of:
    - receiving a sign object request.
  - 87. The method as recited in claim 86, further comprising the actions of:
    - determining whether the received sign object request can be validated;
      
      if so, adding the received sign object request to the request queue; and
      
      if not, rejecting the received sign object request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Freeman, Trevor W., Lambert, John J.

Granted Patent

US 7,290,138 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/176
CPC Class Codes

H04L 2209/80 Wireless network architectu...

H04L 9/3247 involving digital signatures

Credentials and digitally signed objects

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

55 Citations

87 Claims

Specification

Solutions

Use Cases

Quick Links

Credentials and digitally signed objects

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

55 Citations

87 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links