Distributed delegated path discovery and validation

US 20050154918A1
Filed: 11/19/2004
Published: 07/14/2005
Est. Priority Date: 11/19/2003
Status: Active Grant

First Claim

Patent Images

1. A method of providing path validation information for a system, comprising:

determining paths between a subset of certificates of the system and at least one trust root;

storing each of the paths in a table prior to a request for path validation information; and

fetching the validation information stored in the table in response to a request for path validation information.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Providing path validation information for a system includes determining paths between a subset of certificate of the system and at least one trust root, storing each of the paths in a table prior to a request for path validation information, and fetching the validation information stored in the table in response to a request for path validation information. Providing path validation information may also include digitally signing the validation information. Providing path validation information may also include applying constraints to the validation information and only providing validation information that is consistent with the constraints. Determining paths may include constructing a directed graph of trusted roots and the subset of certificates and performing a depth-first acyclic search of the graph.

136 Citations

View as Search Results

54 Claims

1. A method of providing path validation information for a system, comprising:
- determining paths between a subset of certificates of the system and at least one trust root;
  
  storing each of the paths in a table prior to a request for path validation information; and
  
  fetching the validation information stored in the table in response to a request for path validation information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. A method, according to claim 1, further comprising:
    - digitally signing the validation information.
  - 3. A method, according to claim 1, further comprising:
    - applying constraints to the validation information and only providing validation information that is consistent with the constraints.
  - 4. A method, according to claim 1, wherein determining paths includes constructing a directed graph of trusted roots and the subset of certificates and performing a depth-first acyclic search of the graph.
  - 5. A method, according to claim 1, wherein the table is indexed using the trusted roots.
  - 6. A method, according to claim 1, wherein the table is indexed using the certificates.
  - 7. A method, according to claim 1, further comprising:
    - receiving proofs of revocation status for the subset of certificates;
      
      storing the proofs prior to a request for path validation information; and
      
      fetching the proofs along with the validation information in response to a request for path validation information.
  - 8. A method, according to claim 7, further comprising:
    - digitally signing the validation information and the proofs.
  - 9. A method, according to claim 7, further comprising:
    - applying constraints to the validation information and only providing validation information that is consistent with the constraints.
  - 10. A method, according to claim 7, wherein determining paths includes constructing a directed graph of trusted roots and the subset of certificates and performing a depth-first acyclic search of the graph.
  - 11. A method, according to claim 7, wherein the proofs are stored in the table that contains the validation information.
  - 12. A method, according to claim 11, wherein the table is indexed using the trusted roots.
  - 13. A method, according to claim 11, wherein the table is indexed using the certificates.
  - 14. A method, according to claim 7, wherein the proofs are stored in an other table that is separate from the table that contains the validation information.
  - 15. A method, according to claim 14, wherein the other table is indexed using the trusted roots.
  - 16. A method, according to claim 14, wherein the other table is indexed using the certificates.
  - 17. A method, according to claim 1, wherein the subset of certificates includes trusted roots, authorities that issue end user certificates, and authorities that vouch for other authorities.
  - 18. A method, according to claim 17, wherein the subset of certificates further includes end user certificates.

19. A computer program product that provides path validation information for a system, comprising:
- a storage medium that contains executable code for the computer program product;
  
  executable code that determines paths between a subset of certificates of the system and at least one trust root;
  
  executable code that stores each of the paths in a table prior to a request for path validation information; and
  
  executable code that fetches the validation information stored in the table in response to a request for path validation information.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 20. A computer program product, according to claim 19, further comprising:
    - executable code that digitally signs the validation information.
  - 21. A computer program product, according to claim 19, further comprising:
    - executable code that applies constraints to the validation information and that only provides validation information that is consistent with the constraints.
  - 22. A computer program product, according to claim 19, wherein executable code that determines paths constructs a directed graph of trusted roots and the subset of certificates and performs a depth-first acyclic search of the graph.
  - 23. A computer program product, according to claim 19, wherein the table is indexed using the trusted roots.
  - 24. A computer program product, according to claim 19, wherein the table is indexed using the certificates.
  - 25. A computer program product, according to claim 19, further comprising:
    - executable code that receives proofs of revocation status for the subset of certificates;
      
      executable code that stores the proofs prior to a request for path validation information; and
      
      executable code that fetches the proofs along with the validation information in response to a request for path validation information.
  - 26. A computer program product, according to claim 25, further comprising:
    - executable code that digitally signs the validation information and the proofs.
  - 27. A computer program product, according to claim 25, further comprising:
    - executable code that applies constraints to the validation information and only provides validation information that is consistent with the constraints.
  - 28. A computer program product, according to claim 25, wherein executable code that determines paths constructs a directed graph of trusted roots and certificates in the system and performs a depth-first acyclic search of the graph.
  - 29. A computer program product, according to claim 25, wherein the proofs are stored in the table that contains the validation information.
  - 30. A computer program product, according to claim 29, wherein the table is indexed using the trusted roots.
  - 31. A computer program product, according to claim 29, wherein the table is indexed using the certificates.
  - 32. A computer program product, according to claim 25, wherein the proofs are stored in an other table that is separate from the table that contains the validation information.
  - 33. A computer program product, according to claim 32, wherein the other table is indexed using the trusted roots.
  - 34. A computer program product, according to claim 32, wherein the other table is indexed using the certificates.
  - 35. A computer program product, according to claim 19, wherein the subset of certificates includes trusted roots, authorities that issue end user certificates, and authorities that vouch for other authorities.
  - 36. A computer program product, according to claim 35, wherein the subset of certificates further includes end user certificates.

37. A server, comprising:
- a processor;
  
  internal storage coupled to the processor;
  
  executable code, provided on the internal storage, that determines paths between a subset of certificates of the system and at least one trust root;
  
  executable code, provided on the internal storage, that stores each of the paths in a table prior to a request for path validation information; and
  
  executable code, provided on the internal storage, that fetches the validation information stored in the table in response to a request for path validation information.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54)
- - 38. A server, according to claim 37, further comprising:
    - executable code, provided on the internal storage, that digitally signs the validation information.
  - 39. A server, according to claim 37, further comprising:
    - executable code, provided on the internal storage that applies constraints to the validation information and that only provides validation information that is consistent with the constraints.
  - 40. A server, according to claim 37, wherein executable code that determines paths constructs a directed graph of trusted roots and the subset of certificates and performs a depth-first acyclic search of the graph.
  - 41. A server, according to claim 37, wherein the table is indexed using the trusted roots.
  - 42. A server, according to claim 37, wherein the table is indexed using the certificates.
  - 43. A server, according to claim 37, further comprising:
    - executable code, provided on the internal storage, that receives proofs of revocation status for the subset of certificates;
      
      executable code, provided on the internal storage, that stores the proofs prior to a request for path validation information; and
      
      executable code, provided on the internal storage, that fetches the proofs along with the validation information in response to a request for path validation information.
  - 44. A server, according to claim 43, further comprising:
    - executable code, provided on the internal storage, that digitally signs the validation information and the proofs.
  - 45. A server, according to claim 43, further comprising:
    - executable code, provided on the internal storage, that applies constraints to the validation information and only provides validation information that is consistent with the constraints.
  - 46. A server, according to claim 43, wherein executable code that determines paths constructs a directed graph of trusted roots and the subset of certificates and performs a depth-first acyclic search of the graph.
  - 47. A server, according to claim 43, wherein the proofs are stored in the table that contains the validation information.
  - 48. A server, according to claim 47, wherein the table is indexed using the trusted roots.
  - 49. A server, according to claim 47, wherein the table is indexed using the certificates.
  - 50. A server, according to claim 43, wherein the proofs are stored in an other table that is separate from the table that contains the validation information.
  - 51. A server, according to claim 50, wherein the other table is indexed using the trusted roots.
  - 52. A server, according to claim 50, wherein the other table is indexed using the certificates.
  - 53. A server, according to claim 37, wherein the subset of certificates includes trusted roots, authorities that issue end user certificates, and authorities that vouch for other authorities.
  - 54. A server, according to claim 53, wherein the subset of certificates further includes end user certificates.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Assa Abloy AB
Original Assignee
Assa Abloy AB
Inventors
Engberg, David

Granted Patent

US 8,707,030 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H04L 9/3265 using certificate chains, t...

H04L 9/3268 using certificate validatio...

Distributed delegated path discovery and validation

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

136 Citations

54 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed delegated path discovery and validation

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

136 Citations

54 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links