Public key infrastructure scalability certificate revocation status validation
Abstract
A system and method for retrieving certificate of trust information for a certificate validation process. Fetching servers periodically retrieve certificate revocation lists (CRLs) from servers maintained by various certificate issuers. The revoked certificate data included in the retrieved CRLs is stored in a central database. An authentication server receives a request from a client for access to a secure service and initiates a validation process. The authentication server retrieves revoked certificate data from the central database and compares it to the certificate of trust information received from the client along with the request. The authentication server denies access to the secure information if the certificate of trust information matches revoked certificate data from the central database, and allows access if it does not.
22 Claims
1. A method for authenticating a user certificate received from a user requesting access to a secure web service, said user certificate including user certificate data, said method comprising:
retrieving revoked certificate data from a plurality of certificate issuers, wherein the revoked certificate data identifies one or more revoked certificates;
storing the revoked certificate data in a central location;
receiving a request from a user for access to the web service, said request including the user certificate;
comparing the user certificate data included in the user certificate to the revoked certificate data stored in the central location;
selectively authenticating the user as a function of the comparing; and
providing the user access to the requested web service when the user is authenticated.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8)
9. A method for adding additional revoked certificate data from a plurality of certificate issuers to revoked certificate data stored in a central location, said stored revoked certificate data identifying one or more certificate issuers publishing revoked certificate data for a plurality of revoked certificates, comprising:
retrieving the stored revoked certificate data from the central location;
determining an update time for each of the one or more certificate issuers from the retrieved revoked certificate data, said update times each specifying a time at which updated revoked certificate data is published by each of the one or more certificate issuers;
organizing the retrieved revoked certificate data in a sequence according to the determined update time for each of the one or more certificate issuers;
identifying an address of each of the one or more certificate issuers from the retrieved revoked certificate data; and
retrieving additional revoked certificate data from the identified addresses according to update times in the organized sequence.
(Dependent claims: 10)
11. A system for retrieving revoked certificate data in response to a client request, said client request requesting access to a secure web service and including user certificate data, comprising:
a central database;
a fetching server for retrieving revoked certificate data from a plurality of certificate authority servers for storage in said central database, wherein the revoked certificate data identifies one or more revoked certificates; and
an authentication server responsive to the client request for executing a certificate revocation provider component, said certificate revocation provider component loading the revoked certificate data in the central database into a memory associated with the authentication server, and wherein the certificate revocation provider component is responsive to the client request and loaded revoked certificate data to determine if the client request is authentic.
(Dependent claims: 12, 13, 14, 15, 16)
17. A system for managing certificate revocation status data, comprising:
a fetching server for identifying a list of addresses corresponding to a plurality of certificate issuers, said fetching server retrieving revoked certificate status data from a content server corresponding to the list of addresses; and
a central database responsive to the retrieved revoked certificate status data for storing a list of revoked certificates.
18. A computer-readable medium comprising computer-executable instructions for authenticating a user requesting access to a web service, comprising:
retrieving instructions for retrieving revoked certificate data from a plurality of certificate issuers, wherein the revoked certificate data identifies one or more revoked certificates;
storing instructions for storing the revoked certificate data for each of the identified one or more revoked certificates in a central location;
receiving instructions for receiving a request from a user for access to the web service, said request including a user certificate including user certificate data;
comparing instructions for comparing the user certificate data to the revoked certificate data stored in the central location;
authenticating instructions for selectively authenticating the user as a function of the comparison; and
providing instructions for providing the user access to the requested web service when the user is authenticated.
(Dependent claims: 19, 20, 21)
22. A computer readable medium for adding additional revoked certificate data to revoked certificate data stored in a central location, said stored revoked certificate data identifying one or more certificate issuers publishing revoked certificate data for a plurality of revoked certificates, comprising:
retrieving instructions for retrieving the stored revoked certificate data from the central location;
determining instructions for determining an update time for each of the one or more certificate issuers from the retrieved revoked certificate data, said update times each specifying a time at which updated revoked certificate data is published by each of the one or more certificate issuers;
organizing instructions for organizing the retrieved revoked certificate data in a sequence according to the determined update time for each of the plurality of certificate issuers;
identifying instructions for identifying an address of each of the one or more certificate issuers from the organized revoked certificate data; and
retrieving instructions for retrieving additional revoked certificate data from the identified addresses according to update times in the organized sequence.
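The aggregation, scheduling and checking steps claimed above (retrieve CRLs from several issuers, store them centrally, order refreshes by each issuer's update time, deny access on a match) as an added worked example. This is illustrative code written for this page, not code from the patent or its assignee; the issuer names, CRL addresses, serial numbers and timestamps are constructed, and the handling of stale CRLs and of same-serial collisions across issuers is the editor's addition rather than anything the claims require.

```python
# Added illustration, not code from the patent: a toy "central database" of
# revoked certificates fed by several issuers' CRLs, with the update-time
# ordering of claim 9 and the accept/deny check of claim 1.  All issuer names,
# addresses, serial numbers and timestamps below are constructed for the demo.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

DEMO_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock


@dataclass
class CrlRecord:
    """What the fetching server keeps from one CRL: who issued it, where it was
    fetched from, its thisUpdate/nextUpdate fields and the revoked serials."""
    issuer: str
    address: str
    this_update: datetime
    next_update: datetime
    revoked_serials: Set[int]


# Constructed stand-in for three issuers' CRL distribution points.  Issuer A
# and issuer B both list serial 0x1001: serials are only unique per issuer, so
# the store must be keyed on (issuer, serial), never on the serial alone.
CONSTRUCTED_CRL_SERVERS: Dict[str, CrlRecord] = {
    "http://crl.issuer-a.example/ca.crl": CrlRecord(
        "CN=Issuer A", "http://crl.issuer-a.example/ca.crl",
        DEMO_NOW - timedelta(hours=1), DEMO_NOW + timedelta(hours=1),
        {0x1001, 0x1002}),
    "http://crl.issuer-b.example/ca.crl": CrlRecord(
        "CN=Issuer B", "http://crl.issuer-b.example/ca.crl",
        DEMO_NOW - timedelta(hours=1), DEMO_NOW + timedelta(minutes=30),
        {0x1001}),
    # Issuer C's CRL is already past nextUpdate at DEMO_NOW: stale data.
    "http://crl.issuer-c.example/ca.crl": CrlRecord(
        "CN=Issuer C", "http://crl.issuer-c.example/ca.crl",
        DEMO_NOW - timedelta(days=8), DEMO_NOW - timedelta(minutes=5),
        {0x2000}),
}


def fetch_crl(address: str) -> CrlRecord:
    """Stands in for the fetching server's HTTP retrieval and CRL parsing."""
    return CONSTRUCTED_CRL_SERVERS[address]


class CentralRevocationStore:
    """The central location of claims 1 and 9, keyed by issuer."""

    def __init__(self) -> None:
        self._crls: Dict[str, CrlRecord] = {}

    def store(self, crl: CrlRecord) -> None:
        # Keep only the newest CRL per issuer so a replayed older CRL cannot
        # "un-revoke" a certificate.
        current = self._crls.get(crl.issuer)
        if current is None or crl.this_update >= current.this_update:
            self._crls[crl.issuer] = crl

    def refresh_schedule(self) -> List[Tuple[datetime, str, str]]:
        """Claim 9: issuers ordered by when their next CRL is due, each with the
        address to fetch it from.  Overdue issuers sort first."""
        return sorted((c.next_update, c.issuer, c.address) for c in self._crls.values())

    def status(self, issuer: str, serial: int, now: datetime) -> str:
        """'revoked', 'good', or 'unknown' (no CRL, or CRL past nextUpdate)."""
        crl = self._crls.get(issuer)
        if crl is None or now > crl.next_update:
            return "unknown"
        return "revoked" if serial in crl.revoked_serials else "good"


def authorize(store: CentralRevocationStore, issuer: str, serial: int,
              now: datetime, fail_closed: bool = True) -> bool:
    """Authentication-server decision: deny on a match (claim 1); on missing or
    stale data, deny unless the operator explicitly chose fail-open."""
    status = store.status(issuer, serial, now)
    if status == "unknown":
        return not fail_closed
    return status == "good"


def build_demo_store() -> CentralRevocationStore:
    """Run the fetching step over the constructed issuers and load the store."""
    store = CentralRevocationStore()
    for address in CONSTRUCTED_CRL_SERVERS:
        store.store(fetch_crl(address))
    return store


if __name__ == "__main__":
    s = build_demo_store()
    for due, issuer, address in s.refresh_schedule():
        print(f"{due.isoformat()}  {issuer:<12} <- {address}")
    for issuer, serial in [("CN=Issuer A", 0x1001), ("CN=Issuer B", 0x1002),
                           ("CN=Issuer C", 0x3000)]:
        print(issuer, hex(serial), s.status(issuer, serial, DEMO_NOW),
              "allow" if authorize(s, issuer, serial, DEMO_NOW) else "deny")
```

Three points in this sketch matter in practice and are not settled by the abstract's two-way allow/deny: the lookup is scoped to the issuer, because two CAs can legitimately issue certificates with the same serial number; an older CRL never replaces a newer one, so a replayed list cannot reinstate a revoked certificate; and a CRL that is past its nextUpdate (or absent) yields "unknown", which the authentication server treats as a denial unless fail-open is deliberately configured. The refresh schedule sorts overdue issuers to the front, which is the natural way to drive the fetching servers of claim 9.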
Specification