CERTIFICATE VALIDATION METHOD AND CERTIFICATE VALIDATION SERVER AND STORAGE MEDIUM

US 20110004763A1
Filed: 06/29/2010
Published: 01/06/2011
Est. Priority Date: 07/01/2009
Status: Active Grant

First Claim

Patent Images

1. A certificate validation method for use with a certificate validation server connected to a network together with a plurality of terminal devices and a plurality of certificate authority entities, for causing the certificate validation server to receive a certificate validation request from a given terminal device via the network, for building a certification path of from a first certificate authority up to a second certificate authority, for performing validation of the certification path, and for sending a validation result via said network to the terminal device which is a source of the certificate validation request, wherein said certificate validation server performs a processing operation comprising the steps of:

detecting a key update of a given certificate authority or a compromise of the given certificate authority;

acquiring a certificate of a relevant certificate authority, first certificate status information and second certificate status information;

storing the acquired information in a storage unit or updating the information being presently stored in the storage unit based on the acquired information; and

performing building of the certification path and validation of the certification path by use of the information of said storage unit.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A certificate validation method for causing a certificate validation server to receive a certificate validation request from a given terminal device, build a certification path of from a first certificate authority (CA) to a second CA, perform validation of the certification path, and send a validation result to the terminal which issued the certificate validation request is disclosed. The validation server detects either a key update of any given CA or a compromise of the given CA, acquires a certificate of relevant CA and first certificate status information and second certificate status information, stores the acquired information in a storage unit or, alternatively, updates the information stored in the storage based on the acquired information, and performs the building of a certification path and validation of the certification path by use of the information of the storage unit.

Citations

18 Claims

1. A certificate validation method for use with a certificate validation server connected to a network together with a plurality of terminal devices and a plurality of certificate authority entities, for causing the certificate validation server to receive a certificate validation request from a given terminal device via the network, for building a certification path of from a first certificate authority up to a second certificate authority, for performing validation of the certification path, and for sending a validation result via said network to the terminal device which is a source of the certificate validation request, wherein said certificate validation server performs a processing operation comprising the steps of:
- detecting a key update of a given certificate authority or a compromise of the given certificate authority;
  
  acquiring a certificate of a relevant certificate authority, first certificate status information and second certificate status information;
  
  storing the acquired information in a storage unit or updating the information being presently stored in the storage unit based on the acquired information; and
  
  performing building of the certification path and validation of the certification path by use of the information of said storage unit.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The certificate validation method according to claim 1, wherein the processing of said certificate validation server further comprises:
    - periodically updating a certificate of the certificate authority or the first certificate status information or the second certificate status information being stored in said storage unit.
  - 3. The certificate validation method according to claim 2, wherein said first certificate status information is certificate revocation list information whereas said second certificate status information is online certificate status protocol (“
    - OCSP”
      
      ) response information.
  - 4. The certificate validation method according to claim 3, wherein the processing of said certificate validation server further comprises:
    - detecting a key update of the given certificate authority during the building of the certification path; and
      
      during the validation of the certification path, detecting compromise of said given certificate authority.
  - 5. The certificate validation method according to claim 4, wherein said storage unit stores therein information indicating a registration time point of the OCSP response information, a next update time point and cache usage criteria, and wherein the processing of said certificate validation server further comprises the steps of:
    - calculating the next update time point of said OCSP response information based on the cache usage criteria of said OCSP response information and the registration time point of said OCSP response information; and
      
      updating a corresponding next update time point of corresponding response information being stored in said storage unit.
  - 6. The certificate validation method according to claim 5, wherein the cache usage criteria of said OCSP response information is under management per certificate authority and per certificate relating thereto.

7. A certificate validation server connected to a network together with a plurality of terminal devices and a plurality of certificate authority entities, for causing the certificate validation server to receive a certificate validation request from a given terminal device via the network, for building a certification path of from a first certificate authority up to a second certificate authority, for performing validation of the certification path, and for sending a validation result via said network to the terminal device which is a source of the certificate validation request, wherein said certificate validation server comprises:
- an information processing unit operative to detect a key update of a given certificate authority or a compromise of the given certificate authority, acquire a certificate of a relevant certificate authority, first certificate status information and second certificate status information, store the acquired information in a storage unit or update the information being presently stored in the storage unit based on the acquired information, and perform building of the certification path and validation of the certification path by use of the information of said storage unit.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The certificate validation server according to claim 7, wherein said information processing unit is further operative to periodically update a certificate of the certificate authority or the first certificate status information or the second certificate status information being stored in said storage unit.
  - 9. The certificate validation server according to claim 8, wherein said first certificate status information is certificate revocation list information whereas said second certificate status information is online certificate status protocol (“
    - OCSP”
      
      ) response information.
  - 10. The certificate validation server according to claim 9, wherein said information processing unit detects a key update of the given certificate authority during the building of the certification path, and detects compromise of said given certificate authority during the validation of the certification path.
  - 11. The certificate validation server according to claim 10, wherein said storage unit stores therein information indicating a registration time point of the OCSP response information, a next update time point and cache usage criteria, and wherein said information processing unit calculates the next update time point of said OCSP response information based on the cache usage criteria of said OCSP response information and the registration time point of said OCSP response information, and updates a corresponding next update time point of corresponding response information being stored in said storage unit.
  - 12. The certificate validation server according to claim 11, wherein the cache usage criteria of said OCSP response information is under management per certificate authority and per certificate relating thereto.

13. A computer-readable storage medium having stored thereon computer-executable program to be used in a computer connected to a network together with a plurality of terminal devices and a plurality of certificate authority entities, for causing the computer to execute certificate validation processing which includes receiving a certificate validation request from a given terminal device via the network, building a certification path of from a first certificate authority to a second certificate authority, performing validation of the certification path, and sending a validation result via said network to the terminal device which is a source of the certificate validation request, wherein said program causes said computer to perform, in the certificate validation processing, an operation comprising the steps of:
- detecting a key update of a given certificate authority or a compromise of the given certificate authority;
  
  acquiring a certificate of a relevant certificate authority, first certificate status information and second certificate status information;
  
  storing the acquired information in a storage unit or updating the information being presently stored in the storage unit based on the acquired information; and
  
  performing building of the certification path and validation of the certification path by use of the information of said storage unit.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer-readable storage medium having stored thereon computer-executable program according to claim 13, wherein said program causes said computer to periodically update a certificate of the certificate authority or the first certificate status information or the second certificate status information being stored in said storage unit.
  - 15. The computer-readable storage medium having stored thereon computer-executable program according to claim 14, wherein said first certificate status information is certificate revocation list information whereas said second certificate status information is online certificate status protocol (OCSP) response information.
  - 16. The computer-readable storage medium having stored thereon computer-executable program according to claim 15, wherein said program causes said computer to detect a key update of the given certificate authority during the building of the certification path, and detect compromise of said given certificate authority during the validation of the certification path.
  - 17. The computer-readable storage medium having stored thereon computer-executable program according to claim 16, wherein said storage unit stores therein information indicating a registration time point of the OCSP response information, a next update time point and cache usage criteria, and wherein said program causes said computer to calculate the next update time point of said OCSP response information based on the cache usage criteria of said OCSP response information and the registration time point of said OCSP response information, and update a corresponding next update time point of corresponding response information being stored in said storage unit.
  - 18. The computer-readable storage medium having stored thereon computer-executable program according to claim 17, wherein the cache usage criteria of said OCSP response information is under management per certificate authority and per certificate relating thereto.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Hashimoto, Yoko, Ogawa, Masami, Furuya, Masahiko, Fujishiro, Takahiro, Hane, Shingo, SATO, Akane

Granted Patent

US 8,380,985 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/175
CPC Class Codes

H04L 63/06   for supporting key manageme...

H04L 63/0823   using certificates cryptogr...

H04L 9/006   involving public key infras...

H04L 9/0891   Revocation or update of sec...

H04L 9/321   involving a third party or ...

H04L 9/3263   involving certificates, e.g...

H04L 9/3265   using certificate chains, t...

H04L 9/3268   using certificate validatio...

CERTIFICATE VALIDATION METHOD AND CERTIFICATE VALIDATION SERVER AND STORAGE MEDIUM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

CERTIFICATE VALIDATION METHOD AND CERTIFICATE VALIDATION SERVER AND STORAGE MEDIUM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links