Chain of Trust Processing

US 20070234039A1
Filed: 05/24/2007
Published: 10/04/2007
Est. Priority Date: 09/01/2000
Status: Active Grant

First Claim

Patent Images

1. A method of automatically obtaining a second certificate for a user in a Public Key Infrastructure (PKI) enterprise using a first certificate, the method comprising:

accessing a server platform using a user'"'"'s server and the first certificate of the user to create a connection that authenticates both the user'"'"'s server identity via a server certificate of the user server and the user'"'"'s identity via the user'"'"'s first certificate;

tracking a pedigree of the user'"'"'s first certificate;

accessing a registration web page having a level of security that is commensurate with the pedigree of the user'"'"'s first certificate;

creating a secure data channel between the server platform and the user server;

forwarding a request for the second certificate from the user server to the server platform;

and generating at the server platform the second certificate.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for automatically obtaining a second certificate for a user using a first certificate includes accessing a server platform using a user'"'"'s server and the first certificate of the user to create a connection that authenticates both the user'"'"'s server identity via a server certificate of the user server and the user'"'"'s identity via the user'"'"'s first certificate. A secure data channel is then created between the server platform and the user platform. A request for the second certificate is forwarded by the user from the user server to the server platform and the sever platform then generates the second certificate. The first certificate may be a signature certificate and the second certificate may be an encryption certificate.

Citations

25 Claims

1. A method of automatically obtaining a second certificate for a user in a Public Key Infrastructure (PKI) enterprise using a first certificate, the method comprising:
- accessing a server platform using a user'"'"'s server and the first certificate of the user to create a connection that authenticates both the user'"'"'s server identity via a server certificate of the user server and the user'"'"'s identity via the user'"'"'s first certificate;
  
  tracking a pedigree of the user'"'"'s first certificate;
  
  accessing a registration web page having a level of security that is commensurate with the pedigree of the user'"'"'s first certificate;
  
  creating a secure data channel between the server platform and the user server;
  
  forwarding a request for the second certificate from the user server to the server platform;
  
  and generating at the server platform the second certificate.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the first certificate comprises a signature certificate.
  - 3. The method of claim 1, wherein the second certificate comprises an encryption certificate.
  - 4. The method of claim 1, wherein the first certificate comprises an expiring signature certificate and the second certificate comprises a replacement signature certificate.
  - 5. The method of claim 1, wherein the first certificate comprises a signature certificate and the second certificate comprises a replacement encryption certificate.
  - 6. The method of claim 1, wherein the first certificate comprises a signature certificate and the second certificate comprises one of either the user'"'"'s current encryption certificate or an expired encryption certificate of the user.
  - 7. The method of claim 1, wherein the server platform is a key recovery authority, and wherein the second certificate is one of a current encryption certificate and an expired encryption certificate.
  - 8. The method of claim 1, further comprising determining in the server platform that the user is entitled to the second certificate by ensuring that the user is still a member of the PKI enterprise and ensuring that the user does not already have the second certificate.
  - 9. The method of claim 8, further comprising revoking the first certificate upon determining that the user if entitled to the second certificate.
  - 10. The method of claim 9, further comprising signaling both a directory and a certificate authority that the first certificate has been revoked.
  - 11. The method of claim 1, wherein the second certificate is an encryption certificate, and wherein creating a secure data channel comprises encrypting a transmission between registration server and the user server using the signature certificate.

12. An apparatus for automatically obtaining a replacement certificate for a user in a Public Key Infrastructure (PKI) enterprise using a signature certificate the apparatus comprising:
- a user server and a registration server, the user server accessing the registration server using the signature certificate of the user to create a connection that authenticates both the user'"'"'s server identity via a server certificate of the user server and the user'"'"'s identity via the user'"'"'s signature certificate;
  
  a secure data channel, the secure data channel being disposed between the registration server and the user server, the user server forwarding a request for the replacement certificate to the registration server through the secure data channel;
  
  a first authority, the registration server determining that the user is entitled to the replacement certificate and, upon said determination, revoking a certificate which the replacement certificate is replacing and forwarding a request to the first authority sending the private/public key pair associated with the replacement certificate, the first authority sending the private key to the user via the secure data channel;
  
  a second authority, the first authority sending the public key to the second authority to be signed; and
  
  a directory, the second authority forwarding the replacement certificate to the directory.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The apparatus of claim 12, wherein the first certificate comprises an expiring signature certificate and the second certificate comprises a replacement signature certificate.
  - 14. The apparatus of claim 12, wherein the second certificate comprises a replacement encryption certificate.
  - 15. The apparatus of claim 12, wherein the registration server comprises a plurality of registration web pages, each of the plurality of registration web pages having a level of security, a given one of the plurality of registration web pages being accessible to a given user in the PKI enterprise upon a pedigree of the given user'"'"'s signature certificate being commensurate with the respective level of security.
  - 16. The apparatus of claim 12, wherein the secure data channel is encrypted using the signature certificate.

17. An apparatus for automatically obtaining a second certificate for a user in a Public Key Infrastructure (PKI) enterprise using a signature certificate, the apparatus comprising:
- a user server and a server platform, the user server accessing the server platform using the signature certificate of the user to create a connection that authenticates both the user'"'"'s server identity via a server certificate of the user server and the user'"'"'s identity via the user'"'"'s signature certificate;
  
  a secure data channel, the secure data channel being disposed between the server platform and the user server and being encrypted using the signature certificate;
  
  the user server forwarding a request for the second certificate to the server platform; and
  
  the server platform generating the second certificate.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
- - 18. The apparatus of claim 17, wherein the second certificate comprises an encryption certificate.
  - 19. The apparatus of claim 17, wherein the signature certificate comprises an expiring signature certificate and the second certificate comprises a replacement signature certificate.
  - 20. The apparatus of claim 17, wherein the second certificate comprises a replacement encryption certificate.
  - 21. The apparatus of claim 17, wherein the second certificate comprises one of either the user'"'"'s current encryption certificate or an expired encryption certificate of the user.
  - 22. The apparatus of claim 17, wherein the server platform comprises a plurality of registration web pages, each of the plurality of registration web pages having a level of security, a given one of the plurality of registration web pages being accessible to a given user in the PKI enterprise upon a pedigree of the given user'"'"'s signature certificate being commensurate with the respective level of security.
  - 23. The apparatus of claim 17, wherein the server platform determines whether the user is entitled to the second certificate by ensuring that the user is still a member of the PKI enterprise and by ensuring that the user does not already have the second certificate upon the user server forwarding the request for the second certificate.
  - 24. The apparatus of claim 17, wherein the server platform revokes the signature certificate upon the server platform generating the second certificate.
  - 25. The apparatus of claim 17, wherein the server platform is a key recovery authority, and wherein the second certificate is one of a current encryption certificate and an expired encryption certificate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Northrop Grumman Systems Corporation (Northrop Grumman Corporation)
Original Assignee
Northrop Grumman Systems Corporation (Northrop Grumman Corporation)
Inventors
Aull, Kenneth

Granted Patent

US 7,747,852 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/155
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/60   Digital content management,...

H04L 63/0823   using certificates cryptogr...

H04L 9/00   Cryptographic mechanisms or...

H04L 9/006   involving public key infras...

H04L 9/321   involving a third party or ...

H04L 9/3263   involving certificates, e.g...

H04L 9/3265   using certificate chains, t...

H04L 9/3268   using certificate validatio...

Chain of Trust Processing

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Chain of Trust Processing

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links