Policy-Based Security Certificate Filtering
First Claim
1. A computer-implemented policy-based security certificate filtering method, comprising:
- receiving, by a first entity in a communications network during a handshaking protocol exchange for establishing a secure connection with a second entity, a security certificate of the second entity; and
- responsive to detecting that a certificate authority certificate in a certificate authority chain of the security certificate is not available at the first entity and the security certificate therefore cannot be authenticated, using policy-based security certificate filtering as a substitute for the authentication, comprising:
  - searching a storage repository to locate at least one policy specification that is applicable to the security certificate;
  - evaluating each of the located at least one policy specification until reaching a decision on whether to permit the handshaking protocol exchange to continue; and
  - continuing the handshaking protocol exchange if the decision is to permit the handshaking protocol exchange to continue, and causing the handshaking protocol exchange to fail otherwise.
0 Assignments
0 Petitions
Abstract
Policy filtering services are built into security processing of an execution environment for resolving how to handle a digital security certificate of a communicating entity without requiring a local copy of a root certificate that is associated with the entity through a certificate authority (“CA”) chain. Policy may be specified using a set of rules (or other policy format) indicating conditions for certificate filtering. This filtering is preferably invoked during handshaking, upon determining that a needed root CA certificate is not available. In one approach, the policy uses rules specifying conditions under which a certificate is permitted (i.e., treated as if it is validated) and other rules specifying conditions under which a certificate is blocked (i.e., treated as if it is invalid). Preferably, policy rules are evaluated and enforced in order of most-specific to least-specific.
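The decision flow the abstract describes (normal chain validation first; policy filtering only when a needed CA certificate is missing; rules evaluated most-specific first; permit meaning "treat as validated", block meaning "treat as invalid") can be sketched as a small policy engine. The code below is an added illustration, not the patent's own implementation or any vendor's product. It assumes a simplified certificate model rather than a real X.509 parser, glob patterns on certificate fields as the rule condition format, rule specificity measured as the number of conditions, block winning over permit at equal specificity, and a fail outcome when no rule applies; all sample certificates, CA names and rules are constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

PERMIT, BLOCK = "permit", "block"


@dataclass(frozen=True)
class Certificate:
    """Simplified view of a peer certificate (hypothetical model, not an X.509 parser)."""
    subject_cn: str
    issuer_cn: str
    organization: str
    chain_issuers: tuple  # CA names in the presented chain, leaf issuer first, root last


@dataclass
class PolicyRule:
    """One policy specification: glob conditions on certificate fields plus an action."""
    action: str       # PERMIT (treat as validated) or BLOCK (treat as invalid)
    conditions: dict  # certificate field name -> glob pattern

    @property
    def specificity(self) -> int:
        # Assumed measure of specificity: the number of conditions the rule imposes.
        return len(self.conditions)

    def applies_to(self, cert: Certificate) -> bool:
        return all(fnmatchcase(getattr(cert, name), pattern)
                   for name, pattern in self.conditions.items())


def chain_is_locally_available(cert: Certificate, local_ca_store: set) -> bool:
    """Normal authentication path, modelled as 'every CA in the chain is in the local store'."""
    return all(ca in local_ca_store for ca in cert.chain_issuers)


def locate_policies(cert: Certificate, repository: list) -> list:
    """Search the repository for every policy specification applicable to this certificate."""
    return [rule for rule in repository if rule.applies_to(cert)]


def evaluate_policies(rules: list) -> tuple:
    """Evaluate most-specific first; ties go to BLOCK (assumed fail-safe tie-break).

    Returns (action, rule) for the first rule that reaches a decision, or
    (BLOCK, None) when no rule applies, so an unmatched certificate never passes.
    """
    ordered = sorted(rules, key=lambda r: (-r.specificity, r.action != BLOCK))
    for rule in ordered:
        if rule.action in (PERMIT, BLOCK):   # rules with any other action do not decide
            return rule.action, rule
    return BLOCK, None


def decide_handshake(cert: Certificate, local_ca_store: set, repository: list) -> tuple:
    """Return ('continue' | 'fail', reason) for the handshake carrying this certificate."""
    if chain_is_locally_available(cert, local_ca_store):
        return "continue", "chain authenticated against local CA store"
    action, rule = evaluate_policies(locate_policies(cert, repository))
    if action == PERMIT:
        return "continue", f"policy permit: {rule.conditions}"
    if rule is None:
        return "fail", "no applicable policy; chain not authenticated"
    return "fail", f"policy block: {rule.conditions}"


# --- constructed sample data (not taken from the patent) ---
LOCAL_CA_STORE = {"Example Root CA"}

POLICY_REPOSITORY = [
    # Less specific: permit certificates the partner's issuing CA issued to the partner.
    PolicyRule(PERMIT, {"organization": "Example Partner Inc",
                        "issuer_cn": "Partner Issuing CA"}),
    # More specific: block the partner's test hosts even though the rule above also matches.
    PolicyRule(BLOCK, {"subject_cn": "*.test.partner.example",
                       "organization": "Example Partner Inc",
                       "issuer_cn": "Partner Issuing CA"}),
]

SAMPLE_CERTS = {
    "trusted": Certificate("www.example", "Example Root CA", "Example Corp",
                           ("Example Root CA",)),
    "partner_prod": Certificate("api.partner.example", "Partner Issuing CA",
                                "Example Partner Inc",
                                ("Partner Issuing CA", "Partner Root CA")),
    "partner_test": Certificate("dev1.test.partner.example", "Partner Issuing CA",
                                "Example Partner Inc",
                                ("Partner Issuing CA", "Partner Root CA")),
    "unknown": Certificate("host.unknown.example", "Unknown CA", "Unknown Corp",
                           ("Unknown CA",)),
}


def run_demo() -> dict:
    """Outcome per sample certificate, e.g. {'trusted': 'continue', ...}."""
    return {name: decide_handshake(cert, LOCAL_CA_STORE, POLICY_REPOSITORY)[0]
            for name, cert in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        print(name, *decide_handshake(cert, LOCAL_CA_STORE, POLICY_REPOSITORY))
```

Running the script shows the four cases: the certificate whose chain is in the local store continues without consulting policy; the partner's production certificate is permitted by the two-condition rule; the partner's test host is blocked because the three-condition rule is evaluated first regardless of its position in the repository; and the certificate from an unknown organization fails because no policy applies. Keeping the no-match outcome at "fail" is what makes the filter a substitute for authentication only where an administrator has explicitly said so.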
20 Claims
1. See the first claim above (independent claim; dependent claims 2 through 13 rely on it).
14. A system for policy-based security certificate filtering, comprising:
- a first entity communicably coupled to a second entity in a communications network;
- a policy repository that stores, at least temporarily, at least two policy specifications pertaining to secure communications between the first entity and the second entity;
- a security certificate of the second entity, received by the first entity from the second entity by communications over the communications network during a handshaking protocol exchange for establishing a secure connection between the first entity and the second entity;
- a computer comprising a processor; and
- instructions which are executable, using the processor, to implement functions comprising:
  - searching the policy repository, responsive to detecting that at least one certificate authority certificate in a certificate authority chain of the received security certificate is not locally stored by the first entity and the received security certificate therefore cannot be authenticated, to locate at least one of the stored policy specifications that is applicable to the received security certificate;
  - evaluating each of the located at least one policy specification, as a substitute for the authentication, until reaching a decision on whether to permit the handshaking protocol exchange to continue; and
  - continuing the handshaking protocol exchange if the decision is to permit the handshaking protocol exchange to continue, and causing the handshaking protocol exchange to fail otherwise.
Dependent claims: 15, 16, 17.
18. A computer program product for policy-based security certificate filtering, the computer program product embodied on one or more non-transitory computer-usable storage media and comprising computer-readable program code that, when executed on a computer, causes the computer to:
- determine whether a first entity that receives a security certificate from a second entity during a handshaking protocol exchange will continue the handshaking protocol exchange for establishing a secure connection with the second entity, responsive to detecting that a certificate authority certificate in a certificate authority chain of the security certificate is not available at the first entity and the security certificate therefore cannot be authenticated, comprising:
  - searching a storage repository to locate at least one policy specification that is applicable to the security certificate;
  - evaluating each of the located at least one policy specification, as a substitute for the authentication, until reaching a decision on whether to permit the handshaking protocol exchange to continue; and
  - continuing the handshaking protocol exchange if the decision is to permit the handshaking protocol exchange to continue, and causing the handshaking protocol exchange to fail otherwise.
Dependent claims: 19, 20.