METHOD AND APPARATUS FOR AUTOMATING SELECTION OF CERTIFICATE MANAGEMENT POLICIES DURING ISSUANCE OF A CERTIFICATE

US 20160142216A1
Filed: 11/18/2015
Published: 05/19/2016
Est. Priority Date: 11/19/2014
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising;

receiving, by a Public Key Infrastructure (PKI) device, a certificate signing request from an end entity;

obtaining, by the PKI device, at least one of;

a controlling attribute of at least one PKI device associated with processing of the certificate signing request; and

a controlling attribute associated with the certificate signing request;

obtaining, by the PKI device, an end entity policy object (EEPO) to be associated with the end entity based on at least one obtained controlling attribute;

determining, by the PKI device and based on an obtained EEPO, at least one attribute and at least one value associated with the at least one attribute that is to be included in a certificate; and

issuing, by the PKI device to the end entity, the certificate including the at least one attribute.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A Public Key Infrastructure (PM) device receives a certificate signing request (CSR) from an end entity. The PKI device obtains at least one of: a controlling attribute of at least one PKI device associated with processing of the certificate signing request and a controlling attribute associated with the CSR. The PKI device obtains an end entity policy object (EEPO) to be associated with the end entity based on at least one obtained controlling attribute. Based on the obtained EEPO, the PKI device determines at least one attribute and at least one value associated with the attribute this is to be included in a certificate and issues, to the end entity, the certificate including the at least one attribute.

6 Citations

View as Search Results

20 Claims

1. A method comprising;
- receiving, by a Public Key Infrastructure (PKI) device, a certificate signing request from an end entity;
  
  obtaining, by the PKI device, at least one of;
  
  a controlling attribute of at least one PKI device associated with processing of the certificate signing request; and
  
  a controlling attribute associated with the certificate signing request;
  
  obtaining, by the PKI device, an end entity policy object (EEPO) to be associated with the end entity based on at least one obtained controlling attribute;
  
  determining, by the PKI device and based on an obtained EEPO, at least one attribute and at least one value associated with the at least one attribute that is to be included in a certificate; and
  
  issuing, by the PKI device to the end entity, the certificate including the at least one attribute.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the at least one attribute includes at least one of the at least one obtained controlling attribute and a second attribute.
  - 3. The method of claim 1, wherein obtaining at least one controlling attribute comprises obtaining at least one controlling attribute in at least one certificate issued to at least one PKI device associated with processing of the certificate signing request, wherein the at least one PKI device associated with processing of the certificate signing request includes at least one of a current PKI device associated with current processing of the certificate signing request, a predecessor PM device associated with a previous processing of the certificate signing request, and a future PKI device associated with subsequent processing of the certificate signing request.
  - 4. The method of claim 1, wherein the EEPO includes parameters for indicating to a subject of the certificate at least one of:
    - how and when the certificate is to be at least one of used, renewed, rekeyed, revoked, and destroyed; and
      
      at least one certificate that may be accepted from another end entity.
  - 5. The method of claim 1, wherein the EEPO is forwarded to the end entity and is used by the end entity in managing the certificate throughout a lifecycle of the certificate.
  - 6. The method of claim 1, wherein obtaining the EEPO comprises accessing at least one data structure, wherein the accessing is performed using at least one of the at least one obtained controlling attribute and another attribute.
  - 7. The method of claim 1, wherein the at least one obtained controlling attribute associated with the certificate signing request identifies at least one of a certificate policy object identifier and a private certificate extension, wherein the private certificate extension identifies at least one of an end entity type, a service type, and a provisioning device type.
  - 8. The method of claim 1, wherein obtaining the EEPO comprises assigning the EEPO to the end entity based on at least one of:
    - an assurance level of the end entity; and
      
      an assurance level of the PKI device.
  - 9. The method of claim 1, wherein the PKI device comprises one or more of a certificate authority device, a registration authority device, and a provisioning device.
  - 10. The method of claim 1, wherein obtaining the EEPO comprises determining which of the at least one controlling attribute associated with the certificate signing request to consider along with at least one of:
    - a controlling attribute in a certificate for which the PKI device is a subject; and
      
      an EEPO issued to the PKI device.

11. A Public Key Infrastructure (PKI) apparatus comprising:
- an end entity configured to generate and transmit a certificate signing request;
  
  at least one PKI device configured to receive the certificate signing request, the at least one PKI device comprising a certificate policy engine that is configured to;
  
  obtain at least one of;
  
  a controlling attribute of the at least one PKI device associated with processing of the certificate signing request; and
  
  a controlling attribute associated with the certificate signing request;
  
  obtain an end entity policy object (EEPO) to be associated with the end entity based on at least one obtained controlling attribute;
  
  determine, based on an obtained EEPO, at least one attribute and at least one value associated with the at least attribute that is to be included in a certificate; and
  
  issue to the end entity, the certificate including the at least one attribute.
- View Dependent Claims (12, 13, 14, 16, 17, 18, 19, 20)
- - 12. The PKI apparatus of claim 11, wherein the at least one PKI device comprises at least one of a provisioning device and a registration device and wherein the at least one of the provisioning device and the registration device is configured to establish a trust relationship with the end entity and with another PKI device.
  - 13. The PKI apparatus of claim 12, wherein the at least one PKI device comprises the provisioning device and wherein the provisioning device is configured to:
    - receive the certificate signing request from the end entity;
      
      sign the certificate signing request;
      
      return the signed certificate signing request to the end entity; and
      
      wherein the end entity is configured to send the signed certificate signing request to the registration device.
  - 14. The PKI apparatus of claim 12, wherein the at least one PKI device comprises at least one of a current PKI device, a predecessor PKI device, and a future PKI device.
  - 16. The PKI device of claim 14, wherein the certificate policy engine is configured to perform functions including:
    - determining contents of the certificate in response to receiving the certificate signing request and wherein, in determining the contents of the certificate, the certificate policy engine selects the EEPO.
  - 17. The PKI device of claim 14, wherein the EEPO comprises parameters for indicating to a subject of the certificate at least one of:
    - how and when the certificate is to be at least one of used, renewed, rekeyed, revoked, and destroyed; and
      
      at least one certificate that may be accepted from another end entity.
  - 18. The PKI device of claim 14, wherein the certificate policy engine is configured to obtain the EEPO by accessing at least one data structure, wherein the accessing is performed using at least one of the at least one obtained controlling attribute and another attribute.
  - 19. The PKI device of claim 14, wherein the certificate policy engine is configured to perform assigning the EEPO based on one or more of:
    - an assurance level of the end entity; and
      
      an assurance level of the PKI device.
  - 20. The PKI device of claim 14, wherein the certificate policy engine is configured to perform functions including:
    - determining, based on the EEPO, population of certificate attributes and corresponding certificate attribute values in the certificate;
      
      determining, based on contents of the certificate, one or more of certificate use, cryptographic characteristics, duration, and constraints.

15. A Public Key Infrastructure (PKI) device comprising:
- a memory;
  
  a transceiver configured to receive a certificate signing request from an end entity;
  
  a processor configured to implement a certificate policy engine that performs a set of functions including;
  
  obtaining at least one of;
  
  a controlling attribute of at least one PKI device associated with processing of the certificate signing request; and
  
  a controlling attribute associated with the certificate signing request;
  
  obtaining an end entity policy object (EEPO) to be associated with the end entity based on at least one obtained controlling attribute;
  
  determining, based on an obtained EEPO, at least one attribute and at least one value associated with the at least one attribute that is to be included in a certificate; and
  
  issuing, to the end entity, the certificate including the at least one attribute.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Motorola Solutions, Inc.
Original Assignee
Motorola Solutions, Inc.
Inventors
TURNER, STEVEN K., GRZESIK, ANDRZEJ, BOERGER, MARK A., HIMAWAN, ERWIN, KRUEGEL, CHRIS A., METKE, ANTHONY R., THOMAS, SHANTHI E.

Application Number

US14/945,411
Publication Number

US 20160142216A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 9/006   involving public key infras...

H04L 9/321   involving a third party or ...

H04L 9/3268   using certificate validatio...

METHOD AND APPARATUS FOR AUTOMATING SELECTION OF CERTIFICATE MANAGEMENT POLICIES DURING ISSUANCE OF A CERTIFICATE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

6 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR AUTOMATING SELECTION OF CERTIFICATE MANAGEMENT POLICIES DURING ISSUANCE OF A CERTIFICATE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links