Handling of Digital Certificates

US 20150381374A1
Filed: 03/05/2013
Published: 12/31/2015
Est. Priority Date: 03/05/2013
Status: Active Grant

First Claim

Patent Images

1-22. -22. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for handling digital certificates in a communication network is described. The communication network comprises a first certificate authority (110-116) having issued at least one digital certificate. The method comprises determining (216) whether a revocation condition for revoking the at least one digital certificate is fulfilled. The at least one digital certificate has been issued by the first certificate authority, wherein the at least one digital certificate is valid and is not revoked. The method further comprises, based on a result of the step of determining (216), revoking (404), by the first certificate authority (110-116), the at least one digital certificate, and based on the result of the step of determining (216), issuing, by a second certificate authority (110-116), at least one further digital certificate for the revoked at least one digital certificate. An associated system, methods in involved network entities, the involved network entities, and computer programs are also described. Therefore security handling in the communication network which may be fluctuating with respect to its number of network nodes and/or which may comprise numerous network nodes may be performed in an easy and efficient way.

19 Citations

View as Search Results

46 Claims

1-22. -22. (canceled)

23. A method for handling digital certificates in a communication network, the communication network comprising a first certificate authority having issued at least one digital certificate, the method comprising:
- determining whether a revocation condition for revoking the at least one digital certificate is fulfilled, wherein the at least one digital certificate was issued by the first certificate authority, wherein the at least one digital certificate is valid and not presently revoked;
  
  based on a result of the determining, revoking, by the first certificate authority, the at least one digital certificate; and
  
  based on the result of the determining, issuing, by a second certificate authority, at least one further digital certificate for the revoked at least one digital certificate.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 24. The method of claim 23, further comprising:
    - prior to the determining, determining whether a trust relation addition condition for adding a trust relation in at least one network node of the communication network to the second certificate authority is fulfilled; and
      
      based on a result of determining whether the trust relation addition condition is fulfilled, establishing a trust relation in the at least one network node of the communication network to the second certificate authority.
  - 25. The method of claim 24, wherein the establishing comprises sending, to a network managing node, information for the network managing node to send information to the at least one network node to add a trust relation in the at least one network node to the second certificate authority.
  - 26. The method of claim 24, further comprising stopping, based on the result of the determining whether the trust relation addition condition is fulfilled, by the first certificate authority, to issue a further digital certificate and enabling the second certificate authority to issue the at least one further digital certificate.
  - 27. The method of claim 24, further comprising, based on the result of the step of determining whether the trust relation addition condition is fulfilled, creating the second certificate authority.
  - 28. The method of claim 26, wherein the following are performed in parallel:
    - the stopping, by the first certificate authority, to issue a further digital certificate;
      
      the enabling the second certificate authority, to issue the at least one further digital certificate.
  - 29. The method of claim 24, further comprising:
    - stopping, based on the result of the determining whether the trust relation addition condition is fulfilled, by the first certificate authority, to issue a further digital certificate and enabling the second certificate authority to issue the at least one further digital certificate;
      
      subsequent to determining whether the trust relation addition condition is fulfilled, determining whether the first certificate authority is enabled to issue a further digital certificate;
      
      wherein, if the first certificate authority is enabled to issue a further digital certificate, the stopping, by the first certificate authority, to issue a further digital certificate and the enabling the second certificate authority to issue the at least one further digital certificate are performed;
      
      wherein, if the first certificate authority is not enabled to issue a further digital certificate;
      
      the determining whether the revoking condition is fulfilled is performed.
  - 30. The method of claim 24:
    - wherein the at least one network node comprises a trust relation to the first certificate authority,further comprising, subsequent to the revoking, by the first certificate authority, the at least one digital certificate, removing the trust relation to the first certificate authority in the at least one network node.
  - 31. The method of claim 25, wherein the establishing and/or the removing is performed by operation and maintenance means.
  - 32. The method of claim 23, further comprising revoking the first certificate authority subsequent to the removing the trust relation in the at least one network node to the first certificate authority.
  - 33. The method of claim 23, further comprising receiving, by the first certificate authority, a request for revoking the at least one digital certificate.
  - 34. The method of claim 23:
    - wherein at least one condition of the revocation condition is associated with at least one threshold;
      
      wherein the determining whether the at least one revocation condition is fulfilled comprises;
      
      comparing a corresponding characteristic with the at least one threshold; and
      
      determining that the at least one revocation condition is fulfilled if the corresponding characteristic is equal to or above the at least one threshold.
  - 35. The method of claim 23, wherein at least one condition of the revocation condition is related to at least one of:
    - a length of a certificate revocation record in the first certificate authority for digital certificates having been revoked by the first certificate authority;
      
      a number of entries in the certificate revocation record in the first certificate authority;
      
      an elapsed life time of the first certificate authority since a creation of the first certificate authority;
      
      a remaining life time of the first certificate authority;
      
      a number of digital certificates in the first certificate authority, the digital certificates being valid and being not revoked;
      
      a ratio between digital certificates revoked by the first certificate authority and digital certificates issued by the first certificate authority;
      
      the first certificate authority being compromised; and
      
      an administrative reason affecting the first certificate authority selected from the group consisting of;
      
      a change of a name of the first certificate authority, a shutdown of the first certificate authority, a change of a platform of the first certificate authority, and maintenance work for the first certificate authority.
  - 36. The method of claim 24:
    - wherein at least one condition of the trust relation addition condition;
      
      wherein the determining whether the at least one trust relation addition condition is fulfilled comprises;
      
      comparing a corresponding characteristic with the at least one threshold; and
      
      determining that the at least one trust relation addition condition is fulfilled if the corresponding characteristic is equal to or above the at least one threshold.
  - 37. The method of claim 24, wherein at least one condition of the trust relation addition condition is related to at least one of:
    - a length of a certificate revocation record in the first certificate authority for digital certificates having been revoked by the first certificate authority;
      
      a number of entries in the certificate revocation record in the first certificate authority;
      
      an elapsed life time of the first certificate authority since a creation of the first certificate authority;
      
      a remaining life time of the first certificate authority;
      
      a number of digital certificates in the first certificate authority, the digital certificates being valid and being not revoked;
      
      a ratio between digital certificates revoked by the first certificate authority and digital certificates issued by the first certificate authority;
      
      the first certificate authority being compromised; and
      
      an administrative reason affecting the first certificate authority selected from the group consisting of;
      
      a change of a name of the first certificate authority, a shutdown of the first certificate authority, a change of a platform of the first certificate authority, and maintenance work for the first certificate authority.

38. A method, in a controlling certificate authority, for handling digital certificates in a communication network, the controlling certificate authority comprising first and second certificate authorities, wherein the first certificate authority has issued at least one digital certificate, the method comprising:
- determining whether a revocation condition for revoking the at least one certificate is fulfilled, the at least one digital certificate having been issued by the first certificate authority, the at least one digital certificate being valid and not presently revoked;
  
  based on a result of the determining, trigger the first certificate authority to revoke the at least one digital certificate; and
  
  based on the result of the determining, trigger the second certificate authority to issue at least one further digital certificate for the revoked at least one certificate.
- View Dependent Claims (39)
- - 39. The method of claim 38, further comprising:
    - receiving, from a network node of the communication network, a request for issuing the at least one further digital certificate, wherein the initiating the second certificate authority to issue the at least one further digital certificate is performed in response to the received request;
      
      sending the issued at least one further digital certificate to the at least one network node.

40. A method, in a network node, for handling digital certificates in a communication network, the network node maintaining a digital certificate issued by a first certificate authority of the communication network, the method comprising:
- sending a request for issuing, by a second certificate authority of the communication network, a further digital certificate; and
  
  receiving the further digital certificate, the further digital certificate having been issued by the second certificate authority.

41. A method, in a network managing node, for handling digital certificates in a communication network, the communication network comprising a first certificate authority having issued at least one digital certificate, the method comprising:
- sending information, to a network node of the communication network for the network node, requesting a further digital certificate to be issued by a second certificate authority for a digital certificate.

42. A controlling certificate authority for handling digital certificates in a communication network, the controlling certificate authority comprising:
- one or more processing circuits configured to function as first and second certificate authorities, wherein the first certificate authority has issued at least one digital certificate;
  
  wherein the controlling certificate authority is configured to;
  
  determine whether a revocation condition for revoking the at least one first digital certificate is fulfilled, the at least one digital certificate having been issued by the first certificate authority, the at least one digital certificate being valid and not presently revoked;
  
  based on a result of the determining, trigger the first certificate authority to revoke the at least one digital certificate; and
  
  based on the result of the determining, trigger the second certificate authority to issue at least one further digital certificate for the revoked at least one digital certificate.

43. A network node for handling digital certificates in a communication network, the network node maintaining a digital certificate issued by a first certificate authority of the communication network, the network node comprising:
- one or more processing circuits configured to cause the network node to;
  
  send a request for issuing, by a second certificate authority of the communication network, a further digital certificate; and
  
  receive the further digital certificate, the further digital certificate having been issued by the second certificate authority.

44. A network managing node for handling digital certificates in a communication network, the communication network comprising a first certificate authority having issued at least one digital certificate,one or more processing circuits configured to cause the network managing node to send information, to a network node of the communication network for the network node, requesting a further digital certificate to be issued by a second certificate authority for a digital certificate.

45. A computer program product stored in a non-transitory computer readable medium for controlling the handling of digital certificates in a communication network, the communication network comprising a first certificate authority having issued at least one digital certificate, the computer program product comprising software instructions which, when run on one or more processors of the communication network, causes the communication network to:
- determine whether a revocation condition for revoking the at least one digital certificate is fulfilled, wherein the at least one digital certificate was issued by the first certificate authority, wherein the at least one digital certificate is valid and not presently revoked;
  
  based on a result of the determining, revoke, by the first certificate authority, the at least one digital certificate; and
  
  based on the result of the determining, issue, by a second certificate authority, at least one further digital certificate for the revoked at least one digital certificate.
- View Dependent Claims (46)
- - 46. The computer program product of claim 45, wherein a controlling certificate authority comprises the or more processors and functions as the first and second certificate authorities.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Zmbik, Lszlo

Granted Patent

US 9,960,923 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 9/3268 using certificate validatio...

Handling of Digital Certificates

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

19 Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

Handling of Digital Certificates

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links