Method of issuance and revocation of certificates of authenticity used in public key networks and other systems

US 5,261,002 A
Filed: 03/13/1992
Issued: 11/09/1993
Est. Priority Date: 03/13/1992
Status: Expired due to Term

First Claim

Patent Images

1. A method for authenticating users of an information system, comprising the steps of:

issuing a signed certificate for each user of an information system, wherein the signed certificate contains an issue date, a unique public key associated with the user, and other public information pertaining to the user, and wherein a valid certificate is one that authenticates an association between the user and the public key contained in the certificate, and an invalid certificate is one for which the association between the user and the public key is no longer valid;

issuing a signed list of invalid certificates, referred to as a blacklist, containing a blacklist start date, a blacklist expiration date, and an entry for each user whose certificate was issued after the blacklist start date and is invalid; and

determining whether a user'"'"'s certificate is valid by first obtaining a copy of the certificate and a copy of the signed blacklist, then determining whether the blacklist has expired, and then, if the blacklist has not expired, determining whether the certificate issued after the blacklist start date and is not on the blacklist, and is therefore valid.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for issuing and revoking user certificates of authenticity in a public key cryptography system, wherein certificates do not need expiration dates, and the inconvenience and overhead associated with routine certificate renewals are minimized or avoided entirely. A Certification Authority issues certificates as required, and issues a blacklist having a start date, an expiration date, and an entry for every invalid certificate issued after the start date. Users assume that every certificate issued prior to the blacklist start date is invalid, and that invalid certificates issued after the start date will be included in the current blacklist. A new blacklist is issued prior to expiration of the current one, and the blacklist start date is changed only when the blacklist becomes unmanageably long.

217 Citations

18 Claims

1. A method for authenticating users of an information system, comprising the steps of:
- issuing a signed certificate for each user of an information system, wherein the signed certificate contains an issue date, a unique public key associated with the user, and other public information pertaining to the user, and wherein a valid certificate is one that authenticates an association between the user and the public key contained in the certificate, and an invalid certificate is one for which the association between the user and the public key is no longer valid;
  
  issuing a signed list of invalid certificates, referred to as a blacklist, containing a blacklist start date, a blacklist expiration date, and an entry for each user whose certificate was issued after the blacklist start date and is invalid; and
  
  determining whether a user'"'"'s certificate is valid by first obtaining a copy of the certificate and a copy of the signed blacklist, then determining whether the blacklist has expired, and then, if the blacklist has not expired, determining whether the certificate issued after the blacklist start date and is not on the blacklist, and is therefore valid.
- View Dependent Claims (2, 3, 4)
- - 2. A method as defined in claim 1, and further comprising:
    - if the blacklist has expired, concluding that the certificate is invalid.
  - 3. A method as defined in claim 1, and further comprising:
    - if the blacklist has expired, determining whether the blacklist has a default expiration date that has passed;
      
      if the blacklist has a default expiration date that has not passed, concluding that the certificate is invalid; and
      
      if the blacklist has a default expiration date has not passed, continuing with the step of determining whether the certificate issued after the blacklist start date and is not on the blacklist.
  - 4. A method as defined in claim 1, and further comprising:
    - if the blacklist has expired, determining whether the blacklist expired more than a selected time earlier;
      
      if the certificate expired more than a selected time earlier, concluding that the certificate is invalid; and
      
      if the certificate expired less than a selected time earlier, continuing with the step of determining whether the certificate issued after the blacklist start date and is not on the blacklist.

5. A method as defined in claim and further comprising:
- issuing a new blacklist prior to the blacklist expiration date.
- View Dependent Claims (6)
- - 6. A method as defined in claim 5, wherein the step of issuing a new blacklist includes:
    - determining whether the current blacklist is longer than a selected length; and
      
      , if so,selecting a new start date for the new blacklist, to provide for a shorter blacklist, and advising holders of valid certificates issued prior to the new blacklist start date that these certificates must be renewed to remain valid.

7. A method for authenticating users of a public key cryptographic system, comprising the steps of:
- issuing a signed certificate for each user of a public key cryptographic system, wherein the signed certificate contains an issue date, a unique public key associated with the user, and other public information pertaining to the user, and wherein a valid certification is one that authenticates an association between the user and the public key contained in the certificate, and an invalid certificate is one for which the association between the user and the public key is no longer valid;
  
  issuing a signed list of invalid certificates, referred to as a blacklist, containing a blacklist start date, a blacklist expiration date, and an entry for each user whose certificate was issued after the blacklist start date and is invalid; and
  
  determining whether a user'"'"'s certificate is valid by first obtaining a copy of the certificate and a copy of the signed blacklist, then determining whether the blacklist has expired, and then, if the blacklist has not expired, determining whether the certificate issued after the blacklist start date and is not on the blacklist, and is therefore valid.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. A method as defined in claim 7, and further comprising:
    - if the blacklist has expired, concluding that the certificate is invalid.
  - 9. A method as defined in claim 7, and further comprising:
    - if the blacklist has expired, determining whether the blacklist has a default expiration date that has passed;
      
      if the blacklist has a default expiration date that has passed, concluding that the certificate is invalid; and
      
      if the blacklist has a default expiration date that has not passed, continuing with the step of determining whether the certificate issued after the blacklist start date and is not on the blacklist.
  - 10. A method as defined in claim 7, and further comprising:
    - if the blacklist has expired, determining whether the blacklist expired more than a selected time earlier;
      
      if the certificate expired more than a selected time earlier, concluding that the certificate is invalid; and
      
      if the certificate expired less than a selected time earlier, continuing with the step of determining whether the certificate issued after the blacklist start date and is not on the blacklist.
  - 11. A method as defined in claim 7, and further comprising:
    - issuing a new blacklist prior to the blacklist expiration date.
  - 12. A method as defined in claim 11, wherein the step of issuing a new blacklist includes:
    - determining whether the current blacklist is longer than a selected length; and
      
      , if so,selecting a new start date for the new blacklist, to provide for a shorter blacklist, and advising holders of valid certificates issued prior to the new blacklist start date that these certificates must be renewed to remain valid.

13. A method for authenticating users of a public key cryotpgraphic system, comprising the steps of:
- issuing a signed certificate for each user of a public key cryptographic system, wherein the signed certificate contains an issue sequence number, a unique public key associated with the user, and other public information pertaining to the user, and wherein a valid certificate is one that authenticates an association between the user and the public key contained in the certificate, and an invalid certificate is one for which the association between the user and the public key is no longer valid;
  
  issuing a signed list of invalid certificates, referred to as a blacklist, containing a blacklist start sequence number, a blacklist expiration date, and an entry for each user whose certificate has a sequence number greater than the blacklist start sequence number and is to be considered invalid; and
  
  determining whether a user'"'"'s certificate is valid by first obtaining a copy of the certificate and a copy of the signed blacklist, then determining whether the blacklist has expired, and then, if the blacklist has not expired, determining whether the certificate has a sequence number greater than the blacklist start sequence number and is not on the blacklist, and is therefore valid.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. A method as defined in claim 13, and further comprising:
    - if the blacklist has expired, concluding that the certificate is invalid.
  - 15. A method as defined in claim 13, and further comprising:
    - if the blacklist has expired, determining whether the blacklist has a default expiration date that has passed;
      
      if the blacklist has a default expiration date that has passed, concluding that the certificate is invalid; and
      
      if the blacklist has a default expiration date that has not passed, continuing with the step of determining whether the certificate has a sequence number greater than the blacklist starting sequence number and is not on the blacklist.
  - 16. A method as defined in claim 13, and further comprising:
    - if the blacklist has expired, determining whether the blacklist expired more than a selected time earlier;
      
      if the certificate expired more than a selected time earlier, concluding that the certificate is invalid; and
      
      if the certificate expired less than a selected time earlier, continuing with the step of determining whether the certificate has a sequence number greater than the blacklist staring sequence number and is not on the blacklist.
  - 17. A method as defined in claim 13, and further comprising:
    - issuing a new blacklist prior to expiration of the blacklist.
  - 18. A method as defined in claim 17, wherein the step of issuing a new blacklist includes:
    - determining whether the current blacklist is longer than a selected length; and
      
      , if so,selecting a new start sequence number for the new blacklist, to provide for a shorter blacklist, and advising holders of valid certificates issued with sequence numbers smaller than the new blacklist start sequence number that these certificates must be renewed to remain valid.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Digital Equipment Corporation (HP Inc.)
Inventors
Perlman, Radia J., Kaufman, Charles W.
Primary Examiner(s)
Gregory, Bernarr E.

Application Number

US07/850,593
Time in Patent Office

606 Days
Field of Search

380/23-25, 380/30, 380/49, 380/50, 340/825.31, 340/825.34
US Class Current

380/30
CPC Class Codes

G07F 7/1016 Devices or methods for secu...

H04L 9/3263 involving certificates, e.g...

Method of issuance and revocation of certificates of authenticity used in public key networks and other systems

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

217 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Method of issuance and revocation of certificates of authenticity used in public key networks and other systems

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

217 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others