Delegating certificate validation

US 20050021969A1
Filed: 07/01/2003
Published: 01/27/2005
Est. Priority Date: 07/01/2003
Status: Active Grant

First Claim

Patent Images

1. In a receiving computer system that is network connectable to a server computer system over a trusted link, the receiving computer system being configured to receive electronic messages, a method for checking the validity of a digital certificate in manner that conserves the resources of the receiving computer system, the method comprising:

an act of receiving an electronic message, the electronic message including electronic message data that was sent from an sending entity to a recipient entity, the electronic message being transferred to the receiving computer system at the request of the recipient entity;

an act of receiving a digital signature corresponding to the electronic message, the digital signature having been generated from at least one private key;

an act of sending a certificate validation request to the server computer system over the trusted link, the certificate validation request including certificate information representative of a digital certificate that binds the sending entity to the private key, the certificate information being at least enough information for a certificate authority to identify the represented digital certificate that binds the sending entity to the private key; and

an act of receiving a certificate status indication from the server computer system over the trusted link, the certificate status indication indicating the status of the represented digital certificate that binds the sending entity to the private key.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The principles of the present invention provide for delegating certificate validation. A client computer system sends a certificate validation request to a server computer system over a trusted link. The certificate validation request includes at least enough certificate information for a certificate authority to identify a digital certificate that binds a sending entity to a private key. The server computer system checks a validation path to determine if the digital certificate is valid and at least one certificate revocation list to determine if the certificate has been compromised. The server computer system sends a certificate status indication to the client computer system over the trusted link. Accordingly, the resources of the server computer system, instead of the client computer system, are utilized to validate a digital certificate. Further, digital certificate validation can be delegated to a server computer system that attempts to pre-validate a digital certificate.

Citations

45 Claims

1. In a receiving computer system that is network connectable to a server computer system over a trusted link, the receiving computer system being configured to receive electronic messages, a method for checking the validity of a digital certificate in manner that conserves the resources of the receiving computer system, the method comprising:
- an act of receiving an electronic message, the electronic message including electronic message data that was sent from an sending entity to a recipient entity, the electronic message being transferred to the receiving computer system at the request of the recipient entity;
  
  an act of receiving a digital signature corresponding to the electronic message, the digital signature having been generated from at least one private key;
  
  an act of sending a certificate validation request to the server computer system over the trusted link, the certificate validation request including certificate information representative of a digital certificate that binds the sending entity to the private key, the certificate information being at least enough information for a certificate authority to identify the represented digital certificate that binds the sending entity to the private key; and
  
  an act of receiving a certificate status indication from the server computer system over the trusted link, the certificate status indication indicating the status of the represented digital certificate that binds the sending entity to the private key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method as recited in claim 1, wherein the act of receiving an electronic message comprises an act of receiving an electronic mail message.
  - 3. The method as recited in claim 1, wherein the act of receiving a digital signature corresponding to the electronic message comprises an act of receiving an electronic message that contains the corresponding digital signature.
  - 4. The method as recited in claim 1, further comprising:
    - an act of comparing a sending side message data hash value to a receiving side message data hash value to determine if the message data was altered.
  - 5. The method as recited in claim 1, wherein the act of sending a certificate validation request to the server computer system over the trusted link comprises an act of sending a certificate validation request that contains a certificate hash value created from a certificate that binds the sending entity to the private key.
  - 6. The method as recited in claim 1, wherein the act of sending a certificate validation request to the server computer system over the trusted link comprises an act of sending a certificate validation request that contains a certificate that binds the sending entity to the private key.
  - 7. The method as recited in claim 1, wherein the act of sending a certificate validation request to the server computer system over the trusted link comprises an act of sending a certificate validation request that contains identifiers for one or more certificate C authorities included in the validation path for a certificate that binds the sending entity to the private key.
  - 8. The method as recited in claim 1, wherein the act of sending a certificate validation request to the server computer system over the trusted link comprises an act of sending a certificate validation request that contains certificate information from the digital signature.
  - 9. The method as recited in claim 1, wherein the act of sending a certificate validation request to the server computer system over the trusted link comprises an act of sending a certificate validation request over a mutually authenticated connection between the server computer system and the receiving compute system.
  - 10. The method as recited in claim 1, wherein the act of receiving a certificate status indication from the server computer system over the trusted link comprises an act of receiving a certificate status indication indicating the status of the represented digital certificate wherein the status of the represented digital certificate is valid and non-compromised, non-valid and non-compromised, valid and compromised, non-valid and non-compromised, unknown and non-compromised, or unknown and compromised.

11. The method as recited in claim 11, further comprising:
- an act of presenting the status of the represented digital certificate to the recipient entity.

12. In a receiving computer system that is network connectable to a server computer system over a trusted link, the receiving computer system being configured to receive electronic messages, a method for checking the validity of a digital certificate in manner that conserves the resources of the receiving computer system, the method comprising:
- an act of receiving an electronic message, the electronic message including electronic message data that was sent from an sending entity to a recipient entity, the electronic message being transferred to the receiving computer system at the request of the recipient entity;
  
  an act of receiving a digital signature corresponding to the electronic message, the digital signature having been generated from at least one private key; and
  
  a step for offloading validation of a digital certificate that binds the sending entity to the private key to the server computer system such that resources of the server computer system are consumed during certificate validation.

13. In a server computer system that is network connectable over a trusted link to a receiving computer system, a method for checking the validity of a digital certificate in a manner that conserves the resources of the receiving computer system, the method comprising:
- an act of receiving a certificate validation request from the receiving computer system over the trusted link, the certificate validation request including certificate information representative of a digital certificate, the certificate information being at least enough information for a certificate authority to identify the represented digital certificate;
  
  an act of checking a validation path to determine if the represented digital certificate is valid;
  
  an act of checking at least one certificate revocation list to determine if the represented digital certificate has been compromised; and
  
  an act of sending a certificate status indication to the receiving computer system over the trusted link, the certificate status indication indicating the status of the represented digital certificate.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The method as recited in claim 13, wherein the act of receiving a certificate validation request from the receiving computer system over the trusted link comprises an act of receiving a certificate validation request over a mutually authenticated connection between the server computer system and the receiving compute system.
  - 15. The method as recited in claim 13, wherein the act of receiving a certificate validation request from the receiving computer system over the trusted link comprises an act of receiving a certificate validation request that includes a certificate hash value for the represented digital certificate
  - 16. The method as recited in claim 13, wherein the act of receiving a certificate validation request from the receiving computer system over the trusted link comprises an act of receiving a certificate validation request that includes the represented digital certificate.
  - 17. The method as recited in claim 13, wherein the act of receiving a certificate validation request from the receiving computer system over the trusted link comprises an act of receiving a certificate validation request that includes identifiers for one or more certificate authorities in the validation path for the represented digital certificate.
  - 18. The method as recited in claim 13, wherein the act of sending a certificate status indication to the receiving computer system over the trusted link comprises an act of sending the certificate status indication over a mutually authenticated connection between the server computer system and the receiving compute system.
  - 19. The method as recited in claim 13, wherein the act of an act of sending a certificate status indication to the receiving computer system over the trusted link comprises an act of sending a certificate status indication indicating the status of the represented digital certificate wherein the status of the represented digital certificate is valid and non-compromised, non-valid and non-compromised, valid and compromised, non-valid and non-compromised, unknown and non-compromised, or unknown and compromised.

20. In a server computer system that is network connectable over a trusted link to a receiving computer system, a method for checking the validity of a digital certificate in a manner that conserves the resources of the receiving computer system, the method comprising:
- an act of receiving a certificate validation request from the receiving computer system over the trusted link, the certificate validation request including certificate information representative of a digital certificate, the certificate information being at least enough information for a certificate authority to identify the represented digital certificate;
  
  a step for validating the status of the represented digital certificate for the receiving computer system so as to reduce the consumption of receiving computer system resources and reduce the workload associated with configuring the receiving computer system; and
  
  an act of sending a certificate status indication to the receiving client computer system over the trusted link, the certificate status indication indicating the status of the represented digital certificate.

21. In a sending computer system that is network connectable over a trusted link to a server computer system, the sending computer system being configured to send electronic messages, a method for checking the validity of a digital certificate before using the digital certificate to generate a digital signature based on the digital certificate, the method comprising:
- an act of receiving an indication that a private key is to be used to digitally sign an electronic message, the electronic message including electronic message data that a sending entity intends to be delivered to a recipient entity;
  
  an act of identifying a digital certificate that binds the sending entity to the private key;
  
  an act of sending a certificate validation request to the server computer system over the trusted link, the certificate validation request including certificate information representative of the identified digital certificate, the certificate information being at least enough information for a certificate authority to identify the identified digital certificate; and
  
  an act of receiving a certificate status indication from the server computer system over the trusted link, the certificate status indication indicating the status of the identified digital certificate.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The method as recited in claim 21, wherein the act of receiving an indication that a private key is to be used to digitally sign an electronic message comprises an act of receiving input at an input device coupled to the sending computer system.
  - 23. The method as recited claim 21, wherein the act of identifying a digital certificate that binds the sending entity to the private key comprises an act of identifying a certificate stored at the sending computer system.
  - 24. The method as recited in claim 21, wherein the act of sending a certificate validation request to the server computer system over the trusted link comprises an act of sending a certificate validation request that contains a certificate hash value created from the identified digital certificate.
  - 25. The method as recited in claim 21, wherein the act of sending a certificate validation request to the server computer system over the trusted link comprises an act of sending a certificate validation request that contains the identified digital certificate.
  - 26. The method as recited in claim 21, wherein the act of sending a certificate validation request to the server computer system over the trusted link comprises an act of sending a certificate validation request that contains identifiers for one or more certificate authorities included in the validation path for the identified digital certificate.
  - 27. The method as recited in claim 21, wherein the act of sending a certificate validation request to the server computer system over the trusted link comprises an act of sending a certificate validation request over a mutually authenticated connection between the sending computer system and the server computer system.
  - 28. The method as recited in claim 21, wherein the act of receiving a certificate status indication from the server computer system over the trusted link comprises an act of receiving a certificate status indication indicating the status of the represented digital certificate wherein the status of the represented digital certificate is valid and non-compromised, non-valid and non-compromised, valid and compromised, non-valid and non-compromised, unknown and non-compromised, or unknown and compromised.
  - 29. The method as recited in claim 21, further comprising:
    - an act of preventing a digital signature from being generated with the private key.
  - 30. The method as recited in claim 21, further comprising:
    - an act of including a validation token in a digital signature generated with the private key.

31. In a sending computer system that is network connectable over a trusted link to a server computer system, the sending computer system being configured to send electronic messages, a method for checking the validity of a digital certificate before using the digital certificate to generate a digital signature based on the digital certificate, the method comprising:
- an act of receiving an indication that a private key is to be used to digitally sign an electronic message, the electronic message including electronic message data that a sending entity intends to be delivered to a recipient entity;
  
  an act of identifying a digital certificate that binds the sending entity to the private key; and
  
  a step for delegating validation of the identified digital certificate to a trusted computer system such that the status of the identified digital certificate can be pre-validated.

32. In a server computer system that is network connectable over a trusted link to a sending computer system, the sending computer system being configured to send electronic messages, a method for checking the validity of a digital certificate before using the digital certificate to generate a digital signature based on the digital certificate, the method comprising:
- an act of receiving a certificate validation request from the sending computer system over the trusted link, the certificate validation request including certificate information representative of an identified digital certificate, the certificate information being at least enough information for a certificate authority to identify the identified digital certificate;
  
  an act of checking a validation path to determine if the identified digital certificate is valid;
  
  an act of checking at least one certificate revocation list to determine if the identified digital certificate has been compromised; and
  
  an act of sending a certificate status indication to the sending computer system over the trusted link, the certificate status indication indicating the status of the identified digital certificate.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40)
- - 33. The method as recited in claim 32, wherein the act of receiving a certificate validation request from the sending computer system over the trusted link comprises an act of receiving a certificate validation request over a mutually authenticated connection between the server computer system and the sending computer system.
  - 34. The method as recited in claim 32, wherein the act of receiving a certificate validation request from the sending computer system over the trusted link comprises an act of receiving a certificate validation request that includes a certificate hash value for the identified digital certificate
  - 35. The method as recited in claim 32, wherein the act of receiving a certificate validation request from the sending computer system over the trusted link comprises an act of receiving a certificate validation request that includes the identified digital certificate.
  - 36. The method as recited in claim 32, wherein the act of receiving a certificate validation request from the sending computer system over the trusted link comprises an act of receiving a certificate validation request that includes identifiers for one or more certificate authorities in the validation path for the identified digital certificate.
  - 37. The method as recited in claim 32, wherein the act of sending a certificate status indication to the sending computer system over the trusted link comprises an act of sending the certificate status indication over a mutually authenticated connection between the server computer system and the sending computer system.
  - 38. The method as recited in claim 32, wherein the act of an act of sending a certificate status indication to the sending computer system over the trusted link comprises an act of sending a certificate status indication indicating the status of the identified digital certificate wherein the status of the represented digital certificate is valid and non-compromised, non-valid and non-compromised, valid and compromised, non-valid and non-compromised, unknown and non-compromised, or unknown and compromised.
  - 39. The method as recited in claim 32, further comprising:
    - an act of preventing a digital signature from being generated with a private key that corresponds to the identified digital certificate.
  - 40. The method as recited in claim 32, further comprising:
    - an act of including a validation token in a digital signature generated with a private key that corresponds to the digital certificate.

41. In a server computer system that is network connectable over a trusted link to a sending computer system, the sending computer system being configured to send electronic messages, a method for checking the validity of a digital certificate before using the digital certificate to generate a digital signature based on the digital certificate, the method comprising:
- an act of receiving a certificate validation request from the sending computer system over the trusted link, the certificate validation request including certificate information representative of an identified digital certificate, the certificate information being at least enough information for a certificate authority to identify the identified digital certificate;
  
  a step for pre-validating the status of the identified digital certificate for the sending computer system such that receiving side validation is more efficient; and
  
  an act of sending a certificate status indication to the sending computer system over the trusted link, the certificate status indication indicating the status of the identified digital certificate.

42. A computer program product for use in a receiving computer system that is network connectable to a server computer system over a trusted link, the receiving computer system being configured to receive electronic messages, the computer program product for implementing a method for checking the validity of a digital certificate in manner that conserves the resources of the receiving computer system, the computer program product comprising one or more computer-readable media having stored thereon computer executable instructions that, when executed by a processor, cause the receiving computer system to perform the following:
- receive an electronic message, the electronic message including electronic message data that was sent from an sending entity to a recipient entity, the electronic message being transferred to the receiving computer system at the request of the recipient entity;
  
  receive a digital signature corresponding to the electronic message, the digital signature having been generated from at least one private key;
  
  send a certificate validation request to the server computer system over the trusted link, the certificate validation request including certificate information representative of a digital certificate that binds the sending entity to the private key, the certificate information being at least enough information for a certificate authority to identify the represented digital certificate that binds the sending entity to the private key;
  
  receive a certificate status indication from the server computer system over the trusted link, the certificate status indication indicating the status of the represented digital certificate that binds the sending entity to the private key.

43. A computer program product for use in a server computer system that is network connectable over a trusted link to a receiving computer system, the computer program product for implementing a method for checking the validity of a digital certificate in a manner that conserves the resources of the receiving computer system, the computer program product comprising one or more computer-readable media having stored thereon computer executable instructions that, when executed by a processor, cause the server computer system to perform the following:
- receive a certificate validation request from the receiving computer system over the trusted link, the certificate validation request including certificate information representative of a digital certificate, the certificate information being at least enough information for a certificate authority to identify the represented digital certificate;
  
  check a validation path to determine if the represented digital certificate is valid;
  
  check at least one certificate revocation list to determine if the represented digital certificate has been compromised; and
  
  send a certificate status indication to the receiving computer system over the trusted link, the certificate status indication indicating the status of the represented digital certificate.

44. A computer program product for use in a sending computer system that is network connectable over a trusted link to a server computer system, the sending computer system being configured to send electronic messages, the computer program product for implanting a method for checking the validity of a digital certificate before using the digital certificate to generate a digital signature based on the digital certificate, the computer program product comprising one or more computer-readable media having stored thereon computer executable instructions that, when executed by a processor, cause the sending computer system to perform the following:
- receive an indication that a private key is to be used to digitally sign an electronic message, the electronic message including electronic message data that a sending entity intends to be delivered to a recipient entity;
  
  identify a digital certificate that binds the sending entity to the private key;
  
  send a certificate validation request to the server over the trusted link, the certificate validation request including certificate information representative of the identified digital certificate, the certificate information being at least enough information for a certificate authority to identify the identified digital certificate; and
  
  receive a certificate status indication from the server computer system over the trusted link, the certificate status indication indicating the status of the identified digital certificate.

45. A computer program product for use in a server computer system that is network connectable over a trusted link to a sending computer system, the sending computer system being configured to send electronic messages, the computer program product for implementing a method for checking the validity of a digital certificate before using the digital certificate to generate a digital signature based on the digital certificate, the computer program product comprising one or more computer-readable media having stored thereon computer executable instructions that, when executed by a processor, cause the server computer system to perform the following:
- receive a certificate validation request from the sending computer system over the trusted link, the certificate validation request including certificate information representative of an identified digital certificate, the certificate information being at least enough information for a certificate authority to identify the identified digital certificate;
  
  check a validation path to determine if the identified digital certificate is valid;
  
  check at least one certificate revocation list to determine if the identified digital certificate has been compromised; and
  
  send a certificate status indication to the sending computer system over the trusted link, the certificate status indication indicating the status of the identified digital certificate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Williams, Roy, Pereira, Jorge, Batthish, Karim Michel

Granted Patent

US 7,395,428 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/176
CPC Class Codes

H04L 2209/805 Lightweight hardware, e.g. ...

H04L 9/3268 using certificate validatio...

Delegating certificate validation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

Delegating certificate validation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links