IDENTITY-BASED CERTIFICATE MANAGEMENT

US 20100257358A1
Filed: 04/07/2009
Published: 10/07/2010
Est. Priority Date: 04/07/2009
Status: Active Grant

First Claim

Patent Images

1. A method for validating a digital certificate issued to a client system and associated with a specific client identity, the method comprising:

receiving the digital certificate from the client system, the digital certificate including a user identifier and a certificate validity period identifier, the user identifier corresponding to the specific client identity;

generating a first query to a directory service having a plurality of entries each associated with different client identities, the first query including a request for a first entry associated with the specific client identity, the first entry including a directory validity time value for the specific client identity;

receiving the directory validity time value returned by the first query; and

validating the digital certificate in response to a first evaluation of the certificate validity period identifier against the received directory validity time value.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods for managing digital certificates, including issuance, validation, and revocation are disclosed. Various embodiments involve querying a directory service with entries that correspond to a particular client identity and have attributes including certificate issuance limits and certificate validity time values. The validity time values are adjustable to revoke selectively the certificates based upon time intervals set forth in validity identifiers included therein.

Citations

23 Claims

1. A method for validating a digital certificate issued to a client system and associated with a specific client identity, the method comprising:
- receiving the digital certificate from the client system, the digital certificate including a user identifier and a certificate validity period identifier, the user identifier corresponding to the specific client identity;
  
  generating a first query to a directory service having a plurality of entries each associated with different client identities, the first query including a request for a first entry associated with the specific client identity, the first entry including a directory validity time value for the specific client identity;
  
  receiving the directory validity time value returned by the first query; and
  
  validating the digital certificate in response to a first evaluation of the certificate validity period identifier against the received directory validity time value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the certificate validity period is defined by a validity start time and a validity end time.
  - 3. The method of claim 2, wherein the validity start time is subsequent to the validity time value in the first evaluation.
  - 4. The method of claim 2, wherein the digital certificate is rejected in response to a second evaluation in which the validity start time in the digital certificate is prior to the received directory validity time value for the specific client identity.
  - 5. The method of claim 2, wherein the digital certificate is rejected in response to a third evaluation in which the validity end time in the digital certificate is prior to a current time.
  - 6. The method of claim 1, further comprising:
    - removing access restrictions to a network application resource upon validating the digital certificate.
  - 7. The method of claim 6, wherein the user identifier corresponds to an account on the network application resource.
  - 8. The method of claim 1, wherein the directory service is a lightweight directory access protocol (LDAP) compliant system.
  - 9. The method of claim 1, wherein the directory service is a Standard Query Language (SQL) database.

10. A method for issuing a digital certificate to a client system, the digital certificate being associated with a client identity, the method comprising:
- receiving a certificate issuance request from the client system;
  
  generating a first query to a directory service for a first entry associated with the client identity in response to the certificate issuance request, the first entry having an attribute including an issuance count value;
  
  generating the digital certificate in response to a comparison of the issuance count value being less than a predefined issuance limit value; and
  
  issuing the digital certificate to the client system.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, wherein prior to issuing the digital certificate to the client system, the method further includes:
    - transmitting a challenge to a user of the client system;
      
      receiving from the user a response to the challenge; and
      
      validating the client system based upon the challenge-response sequence, the digital certificate being issued to the validated client system.
  - 12. The method of claim 11, wherein the challenge is transmitted to the user via a predetermined telephone device associated with the client identity.
  - 13. The method of claim 11 wherein the challenge is transmitted to an e-mail address associated with the client identity.
  - 14. The method of claim 10, further comprising:
    - generating a second query to the directory service including an increment of the issuance count value of the entry associated with the client identity.
  - 15. The method of claim 10, wherein the generated digital certificate includes a certificate validity period identifier with a validity start time and a validity end time.
  - 16. The method of claim 15, wherein the validity start time and the validity end time are subsequent to a generation time of the digital certificate.
  - 17. The method of claim 10, wherein the directory service is a lightweight directory access protocol (LDAP) compliant system.
  - 18. The method of claim 10, wherein the directory service is a Standard Query Language (SQL) database.

19. A method for revoking digital certificates associated with a client identity, the method comprising:
- receiving a revocation request for a one of the digital certificates associated with the client identity, the revocation request including a validity time stamp;
  
  setting a directory validity time value in a first entry of a directory service to the validity time stamp; and
  
  incrementing an issuance count value in the first entry, the issuance count value being representative of a number of digital certificates issued to the client identity;
  
  wherein the digital certificates include a user identifier corresponding to the client identity and a certificate validity period identifier, the directory validity time value being subsequent to the certificate validity period identifier of the one of the digital certificates.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The method of claim 19, wherein the validity time stamp has a value corresponding to the time of the revocation request, all of the digital certificates associated with the client identity being revoked as having a validity time value prior to the validity time stamp.
  - 21. The method of claim 20, further comprising:
    - resetting the issuance count value to zero.
  - 22. The method of claim 19, wherein the directory service is a lightweight directory access protocol (LDAP) compliant system.
  - 23. The method of claim 19, wherein the directory service is a Standard Query Language (SQL) database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecureAuth Incorporated
Original Assignee
SecureAuth Incorporated
Inventors
Lo, Jeff, GRAJEK, GARRET

Granted Patent

US 8,707,031 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/158
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/06   for supporting key manageme...

H04L 63/0823   using certificates cryptogr...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3252   using DSA or related signat...

H04L 9/3263   involving certificates, e.g...

H04L 9/3268   using certificate validatio...

H04L 9/3271   using challenge-response

H04L 9/3297   involving time stamps, e.g....

IDENTITY-BASED CERTIFICATE MANAGEMENT

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

IDENTITY-BASED CERTIFICATE MANAGEMENT

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links