Software Signing Certificate Reputation Model

US 20120096516A1
Filed: 10/19/2010
Published: 04/19/2012
Est. Priority Date: 10/19/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for using a computer system of a certificate authority to digitally sign software, the method comprising:

receiving a request from a software developer to digitally sign software included in the request;

accessing a security policy associated with the software developer, the security policy describing criteria for valid requests by the software developer;

determining whether the request is valid based at least in part on the security policy;

digitally signing the software responsive to the determination indicating that the request is valid; and

providing the digitally-signed software to the software developer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A request from a software developer is received to digitally sign software included in the request. A security policy associated with the software developer is accessed where the security policy describes criteria for valid request by the software developer. A determination is made whether the request is valid based at least in part on the security policy. The software is digitally signed responsive to the determination indicating that the request is valid. The digitally signed software is provided to the software developer.

40 Citations

View as Search Results

20 Claims

1. A computer-implemented method for using a computer system of a certificate authority to digitally sign software, the method comprising:
- receiving a request from a software developer to digitally sign software included in the request;
  
  accessing a security policy associated with the software developer, the security policy describing criteria for valid requests by the software developer;
  
  determining whether the request is valid based at least in part on the security policy;
  
  digitally signing the software responsive to the determination indicating that the request is valid; and
  
  providing the digitally-signed software to the software developer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, wherein receiving the request from the software developer comprises:
    - receiving a request to digitally co-sign software that is already digitally signed by the software developer.
  - 3. The computer-implemented method of claim 1, wherein determining whether the request is valid based at least in part on the security policy comprises:
    - identifying conditions in which the request is received from the software developer;
      
      comparing the identified conditions to the criteria for valid requests described by the security policy of the software developer;
      
      determining whether the identified conditions of the request match the criteria for valid requests described by the security policy based on the comparison;
      
      responsive to the identified conditions of the request matching the criteria for the valid requests, determining that the request is valid and digitally signing the software; and
      
      responsive to the identified conditions of the request not matching the criteria for the valid requests, determining that the request is anomalous.
  - 4. The computer-implemented method of claim 3, further comprising:
    - embedding reputation information in a digital certificate, the reputation information indicative of the identified conditions of the request that match the criteria for the valid requests; and
      
      providing the digital certificate to the software developer.
  - 5. The computer-implemented method of claim 3, further comprising:
    - performing a security action responsive to determining that the request is anomalous, wherein the security action comprises denying the request.
  - 6. The computer-implemented method of claim 3, further comprising:
    - performing a security action responsive to determining that the request is anomalous, wherein the security action comprises contacting the software developer to confirm that the request is valid; and
      
      wherein the confirmation comprises receiving a security credential from the software developer.
  - 7. The computer-implemented method of claim 1, further comprising:
    - responsive to receiving the request, contacting a stakeholder associated with the software developer to verify that the request is valid; and
      
      refraining from processing the request until a security credential from the stakeholder is received verifying that the request is valid.
  - 8. The computer-implemented method of claim 2, further comprising:
    - responsive to receiving the request to digitally co-sign the software, contacting a certificate authority to verify whether usage of a signing key by the software developer to digitally sign the software is expected, the signing key provided by the certificate authority; and
      
      responsive to determining that the usage of the signing key is unexpected, determining that the signing key is stolen.
  - 9. The computer-implemented method of claim 1, wherein the criteria for valid requests by the software developer comprises at least one of a specific machine identifier that submits valid requests, geo-locations from which valid requests are issued by the software developer, identifiers of personnel associated with the software developer that issue valid requests, and a time period in which the software developer may issue valid requests.

10. A computer program product comprising a non-transitory computer-readable storage medium storing computer-executable code, the code when executed by a computer processor performs steps comprising:
- receiving a request from a software developer to digitally sign software included in the request;
  
  accessing a security policy associated with the software developer, the security policy describing criteria for valid requests by the software developer;
  
  determining whether the request is valid based at least in part on the security policy;
  
  digitally signing the software responsive to the determination indicating that the request is valid; and
  
  providing the digitally-signed software to the software developer.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The computer program product of claim 10, wherein the code when executed by the processor further performs steps comprising:
    - identifying conditions in which the request is received from the software developer;
      
      comparing the identified conditions to the criteria for valid requests described by the security policy of the software developer;
      
      determining whether the identified conditions of the request match the criteria for valid requests described by the security policy based on the comparison;
      
      responsive to the identified conditions of the request matching the criteria for the valid requests, determining that the request is valid and digitally signing the software; and
      
      responsive to the identified conditions of the request not matching the criteria for the valid requests, determining that the request is anomalous.
  - 12. The computer program product of claim 11, wherein the code when executed by the processor further performs steps comprising:
    - embedding reputation information in a digital certificate, the reputation information indicative of the identified conditions of the request that match the criteria for the valid requests; and
      
      providing the digital certificate to the software developer.
  - 13. The computer program product of claim 11, wherein the code when executed by the processor further performs steps comprising:
    - performing a security action responsive to determining that the request is anomalous, wherein the security action comprises denying the request.
  - 14. The computer program product of claim 11, wherein the code when executed by the processor further performs steps comprising:
    - performing a security action responsive to determining that the request is anomalous, wherein the security action comprises contacting the software developer to confirm that the request is valid; and
      
      wherein the confirmation comprises receiving a security credential from the software developer.
  - 15. The computer program product of claim 10, wherein the code when executed by the processor further performs steps comprising:
    - responsive to receiving the request, contacting a stakeholder associated with the software developer to verify that the request is valid; and
      
      refraining from processing the request until a security credential from the stakeholder is received verifying that the request is valid.

16. A computer system of a certificate authority to digitally sign software, the system comprising:
- a computer processor; and
  
  a non-transitory computer readable storage medium storing computer program modules configured to execute on the computer processor, the computer program modules comprising;
  
  a signing request module configured to receive a request from a software developer to digitally sign software included in the request;
  
  a request verification module configured to;
  
  access a security policy associated with the software developer, the security policy describing criteria for valid requests by the software developer;
  
  determine whether the request is valid based at least in part on the security policy; and
  
  a software signing module configured to;
  
  digitally sign the software responsive to the determination indicating that the request is valid; and
  
  provide the digitally-signed software to the software developer.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer-system of claim 16, wherein the request verification module is further configured to:
    - identify conditions in which the request is received from the software developer;
      
      compare the identified conditions to the criteria for valid requests described by the security policy of the software developer;
      
      determine whether the identified conditions of the request match the criteria for valid requests described by the security policy based on the comparison;
      
      responsive to the identified conditions of the request matching the criteria for the valid requests, determine that the request is valid and digitally signing the software; and
      
      responsive to the identified conditions of the request not matching the criteria for the valid requests, determine that the request is anomalous.
  - 18. The computer system of claim 17, wherein the software signing module is further configured to:
    - embed reputation information in a digital certificate, the reputation information indicative of the identified conditions of the request that match the criteria for the valid requests; and
      
      provide the digital certificate to the software developer.
  - 19. The computer system of claim 17, wherein the request verification module is further configured to:
    - perform a security action responsive to determining that the request is anomalous, wherein the security action comprises contacting the software developer to confirm that the request is valid; and
      
      wherein the confirmation comprises receiving a security credential from the software developer.
  - 20. The computer system of claim 17, wherein the request verification module is further configured to:
    - responsive to receiving the request, contact a stakeholder associated with the software developer to verify that the request is valid; and
      
      refrain from processing the request until a security credential from the stakeholder is received verifying that the request is valid.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Sobel, William E., McCorkendale, Bruce E.

Granted Patent

US 8,621,591 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/2
CPC Class Codes

G06F 21/645 using a third party

Software Signing Certificate Reputation Model

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

40 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Software Signing Certificate Reputation Model

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links