Policy-based security certificate filtering

US 20070245401A1
Filed: 04/17/2006
Published: 10/18/2007
Est. Priority Date: 04/17/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented policy-based security certificate filtering method, comprising steps of:

receiving, by a first entity in a communications network, a security certificate of a second entity; and

determining whether the first entity will treat the security certificate as though it has been authenticated, comprising steps of;

locating at least one policy specification that is applicable to resolving the determination; and

evaluating each of the at least one located policy specifications until reaching a conclusion about how to treat the security certificate.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Policy filtering services are built into security processing of an execution environment for resolving how to handle a digital security certificate of a communicating entity without requiring a local copy of a root certificate that is associated with the entity through a certificate authority (“CA”) chain. Policy may be specified using a set of rules (or other policy format) indicating conditions for certificate filtering. This filtering is preferably invoked during handshaking, upon determining that a needed root CA certificate is not available. In one approach, the policy uses rules specifying conditions under which a certificate is permitted (i.e., treated as if it is validated) and other rules specifying conditions under which a certificate is blocked (i.e., treated as if it is invalid). Preferably, policy rules are evaluated and enforced in order of most-specific to least-specific.

Citations

26 Claims

1. A computer-implemented policy-based security certificate filtering method, comprising steps of:
- receiving, by a first entity in a communications network, a security certificate of a second entity; and
  
  determining whether the first entity will treat the security certificate as though it has been authenticated, comprising steps of;
  
  locating at least one policy specification that is applicable to resolving the determination; and
  
  evaluating each of the at least one located policy specifications until reaching a conclusion about how to treat the security certificate.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method according to claim 1, wherein the conclusion indicates that the first entity will treat the security certificate as though it has been authenticated.
  - 3. The method according to claim 1, wherein the conclusion indicates that the first entity will treat the security certificate as though it has not been authenticated.
  - 4. The method according to claim 1, wherein the conclusion indicates that input from a user is required to determine how the first entity will treat the security certificate, and further comprising the steps of:
    - requesting the input from the user; and
      
      treating the security certificate as though it has been validated or as though it has not been validated, according to the user input
  - 5. The method according to claim 1, wherein the first entity is a client device and the second entity is a server device.
  - 6. The method according to claim 1, wherein the first entity is a server device and the second entity is a client device.
  - 7. The method according to claim 1, wherein the receiving and determining steps occur during a protocol handshaking flow between the first entity and the second entity.
  - 8. The method according to claim 1, wherein the determining step occurs responsive to determining that a certificate authority certificate needed for authenticating the security certificate is not available at the first entity.
  - 9. The method according to claim 1, wherein the evaluating step reaches the conclusion after evaluating a first matching one of the located policy specifications.
  - 10. The method according to claim 1, wherein the evaluating step reaches the conclusion after evaluating at least two matching ones of the located policy specifications.
  - 11. The method according to claim 1, wherein the policy specifications are evaluated in order of most-specific to least-specific.
  - 12. The method according to claim 1, wherein the policy specifications comprise policy rules, each policy rule comprising at least one condition to be used in the evaluation and an action to be used in reaching the conclusion.
  - 13. The method according to claim 2, wherein the conclusion that first entity will treat the security certificate as though it has been authenticated is reached upon evaluating at least one matching one of the located policy specifications that specifies conditions under which the security certificate is permitted.
  - 14. The method according to claim 3, wherein the conclusion that first entity will treat the security certificate as though it has not been authenticated is reached upon evaluating at least one matching one of the located policy specifications that specifies conditions under which the security certificate is blocked.
  - 15. The method according to claim 1, wherein the evaluating step further comprises comparing each of at least one condition specified in the evaluated policy specifications to information pertaining to the security certificate.
  - 16. The method according to claim 15, where the information pertaining to the security certificate comprises an issuer thereof.
  - 17. The method according to claim 15, where the information pertaining to the security certificate comprises a validity period thereof.
  - 18. The method according to claim 1, wherein locating step further comprises the step of locating at least one policy specification that pertains to at least one value specified in the security certificate.
  - 19. The method according to claim 1, wherein locating step further comprises the step of locating at least one policy specification that pertains to the first entity.
  - 20. The method according to claim 1, wherein locating step further comprises the step of locating at least one policy specification that pertains to the second entity.
  - 21. The method according to claim 1, further comprising the step of enforcing the conclusion about how the first entity will treat the security certificate.

22. A system for policy-based security certificate filtering, comprising:
- a first entity communicably coupled to a second entity in a communications network;
  
  a policy repository that stores, at least temporarily, at least one policy specification pertaining to secure communications between the first entity and the second entity;
  
  a security certificate of the second entity, received by the first entity from the second entity by communications over the communications network;
  
  means for locating in the policy repository, responsive to determining that at least one security certificate needed for cryptographically authenticating the received security certificate is not locally stored by the first entity, at least one of the stored policy specifications that is applicable for resolving how to treat the received security certificate;
  
  means for evaluating each of the at least one located policy specifications until reaching a conclusion about whether the received security certificate is to be treated as though it has been authenticated; and
  
  means for enforcing the conclusion.
- View Dependent Claims (23, 24)
- - 23. The system according to claim 22, wherein the means for enforcing further comprises means for permitting secure communications between the first entity and the second entity to continue, as though the received security certificate has been authenticated, if the conclusion reached by the means for evaluating so indicates.
  - 24. The system according to claim 22, wherein the means for enforcing further comprises means for blocking further secure communications between the first entity and the second entity, as though the received security certificate has not been authenticated, if the conclusion reached by the means for evaluating so indicates.

25. A computer program product for policy-based security certificate filtering, the computer program product embodied on one or more computer-usable media and comprising computer-readable program code that, when executed on a computer, causes the computer to:
- determine whether the first entity will treat a security certificate received by the first entity from the second entity as though it has been authenticated, comprising steps of;
  
  locating at least one policy specification that is applicable to resolving the determination; and
  
  evaluating each of the at least one located policy specifications until reaching a conclusion about how the first entity will treat the security certificate; and
  
  enforce the conclusion.
- View Dependent Claims (26)
- - 26. The computer program product according to claim 25, wherein the computer-readable program code that causes the computer to determine whether the first entity will treat the security certificate as though it has been authenticated is executed responsive to determining that a certificate authority certificate needed for authenticating the security certificate is not available at the first entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Mosakowski, Barry, Overby, Linwood, Brabson, Roy

Granted Patent

US 7,984,479 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/33   using certificates

H04L 2209/80   Wireless

H04L 63/0227   Filtering policies mail mes...

H04L 63/0823   using certificates cryptogr...

H04L 63/12   Applying verification of th...

H04L 63/166   at the transport layer

H04L 9/3265   using certificate chains, t...

Policy-based security certificate filtering

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Policy-based security certificate filtering

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links