Policy-based security certificate filtering
Abstract
Policy filtering services are built into security processing of an execution environment for resolving how to handle a digital security certificate of a communicating entity without requiring a local copy of a root certificate that is associated with the entity through a certificate authority (“CA”) chain. Policy may be specified using a set of rules (or other policy format) indicating conditions for certificate filtering. This filtering is preferably invoked during handshaking, upon determining that a needed root CA certificate is not available. In one approach, the policy uses rules specifying conditions under which a certificate is permitted (i.e., treated as if it is validated) and other rules specifying conditions under which a certificate is blocked (i.e., treated as if it is invalid). Preferably, policy rules are evaluated and enforced in order of most-specific to least-specific.
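The rule evaluation the abstract describes, as an added illustration that is not the patent's own code: permit/block rules with conditions, consulted only when no locally stored root CA validates the chain, evaluated most-specific first, failing closed when nothing matches. The CertInfo/Rule shapes, the suffix-wildcard syntax and the partner CA names are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CertInfo:
    """Certificate attributes the policy can condition on (constructed, hypothetical)."""
    subject: str
    issuer: str
    chain_root_trusted: bool  # True when a locally stored root CA certificate validates the chain


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" (treat as validated) or "block" (treat as invalid)
    conditions: tuple  # ((field, pattern), ...); a pattern starting with "*" is a suffix match


def condition_matches(pattern: str, value: str) -> bool:
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return value == pattern


def rule_matches(rule: Rule, cert: CertInfo) -> bool:
    return all(condition_matches(p, getattr(cert, f)) for f, p in rule.conditions)


def specificity(rule: Rule) -> tuple:
    # More conditions is more specific; among equals, exact matches beat suffix wildcards.
    exact = sum(1 for _, p in rule.conditions if not p.startswith("*"))
    return (len(rule.conditions), exact)


def filter_certificate(cert: CertInfo, policy: list) -> str:
    """Return "validated", "permit" or "block" for the received certificate."""
    if cert.chain_root_trusted:
        return "validated"      # ordinary chain validation succeeded; filtering is not invoked
    for rule in sorted(policy, key=specificity, reverse=True):
        if rule_matches(rule, cert):
            return rule.action  # first match in most-specific-first order concludes
    return "block"              # no applicable rule: fail closed


# Constructed sample policy; the CA and host names are placeholders.
PARTNER_CA = "CN=Partner Private CA,O=Partner Inc"
SAMPLE_POLICY = [
    Rule("block", (("issuer", "*"),)),                                       # catch-all, least specific
    Rule("permit", (("issuer", PARTNER_CA), ("subject", "*.partner.test"))),  # partner-issued hosts
    Rule("block", (("issuer", PARTNER_CA), ("subject", "CN=legacy.partner.test"))),  # one exception
]
```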
26 Claims
1. A computer-implemented policy-based security certificate filtering method, comprising steps of:
receiving, by a first entity in a communications network, a security certificate of a second entity; and
determining whether the first entity will treat the security certificate as though it has been authenticated, comprising steps of:
locating at least one policy specification that is applicable to resolving the determination; and
evaluating each of the at least one located policy specifications until reaching a conclusion about how to treat the security certificate.
Dependent claims: 2 through 21.
22. A system for policy-based security certificate filtering, comprising:
a first entity communicably coupled to a second entity in a communications network;
a policy repository that stores, at least temporarily, at least one policy specification pertaining to secure communications between the first entity and the second entity;
a security certificate of the second entity, received by the first entity from the second entity by communications over the communications network;
means for locating in the policy repository, responsive to determining that at least one security certificate needed for cryptographically authenticating the received security certificate is not locally stored by the first entity, at least one of the stored policy specifications that is applicable for resolving how to treat the received security certificate;
means for evaluating each of the at least one located policy specifications until reaching a conclusion about whether the received security certificate is to be treated as though it has been authenticated; and
means for enforcing the conclusion.
Dependent claims: 23 and 24.
25. A computer program product for policy-based security certificate filtering, the computer program product embodied on one or more computer-usable media and comprising computer-readable program code that, when executed on a computer, causes the computer to:
determine whether the first entity will treat a security certificate received by the first entity from the second entity as though it has been authenticated, comprising steps of:
locating at least one policy specification that is applicable to resolving the determination; and
evaluating each of the at least one located policy specifications until reaching a conclusion about how the first entity will treat the security certificate; and
enforce the conclusion.
Dependent claim: 26.
Specification