Certificate revocation system

US 5,666,416 A
Filed: 11/16/1995
Issued: 09/09/1997
Est. Priority Date: 10/24/1995
Status: Expired due to Term

First Claim

Patent Images

1. A method of managing certificates in a communication system having a certifying authority, comprising the steps of:

having the certifying authority generate a certificate that includes a public key pk of a digital signature scheme; and

at a later point time, having the certifying authority produce a digital signature relative to pk that authenticates that the certificate is currently valid.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of managing certificates in a communication system having a certifying authority and a directory. Preferably, the method begins by having the certifying authority generate certificates by digitally signing a given piece of data. At a later point time, the certifying authority may produce a string that proves whether a particular certificate is currently valid without also proving the validity of at least some other certificates. The technique obviates use of certification revocation lists communicated between the certifying authority and the directory.

Citations

34 Claims

1. A method of managing certificates in a communication system having a certifying authority, comprising the steps of:
- having the certifying authority generate a certificate that includes a public key pk of a digital signature scheme; and
  
  at a later point time, having the certifying authority produce a digital signature relative to pk that authenticates that the certificate is currently valid.
- View Dependent Claims (2, 3, 4, 5, 7, 8)
- - 2. The method as described in claim 1 further including the step of having the certifying authority provide the digital signature to a third party, and having the third party authenticate to a requesting party that the particular certificate is valid.
  - 3. The method as described in claim 2 wherein the third party is a directory that stores the digital signatures communicated from the certifying authority.
  - 4. The method as described in claim 1 wherein the digital signature relative to pk is one-time.
  - 5. The method as described in claim 4 further including the step of having the certifying authority provide the digital signature to a third party, and having the third party authenticate to a requesting party that the particular certificate is valid.
  - 7. In the certificate revocation system as described in claim 1 wherein the digital signature relative to the public key includes an nth functional inverse of a one-way function evaluated on at least a portion of pk, wherein n is a given number.
  - 8. In the certificate revocation system as described in claim 7 where the given number n encodes a date in which the certificate is valid.

6. A method of managing certificates in a communication system having a certifying authority, comprising steps of:
- having the certifying authority generate certificates that include a public key pk of a digital signature scheme;
  
  having a corresponding secret key sk that is known to a second entity; and
  
  having the second entity authenticate that the certificate is valid by producing a digital signature relative to pk.

9. A method of certifying information about a plurality of certificates, each of which corresponds to a serial number, comprising the steps of:
- obtaining a bit string wherein at least some bits of the bit string correspond to serial numbers of given certificates, each bit having a value depending on a given property of a corresponding one of the certificates; and
  
  having an entity certify information about the certificate by digitally signing the bit string.
- View Dependent Claims (10, 11)
- - 10. The method as described in claim 9 wherein the given property is that the serial number is associated to a certificate that has been issued by the entity.
  - 11. The method as described in claim 9 wherein the given property is that the serial number is associated to a certificate that has been issued for a given interval of time.

12. A method of certifying information about issued certificates, comprising the steps of:
- encoding in a bit string information indicating all certificates that have been issued; and
  
  having an entity certify information about the issued certificate by digitally signing the bit string.

13. A method of providing certified information about certificates, comprising the steps of:
- having a first party query a second party about a certificate that has not been issued; and
  
  in response to the query, having the second party provide certified information about the certificate by authenticating that the certificate has not been issued.
- View Dependent Claims (14, 15)
- - 14. The method as described in claim 13 wherein the information includes a digital signature.
  - 15. The method as described in claim 13 wherein the second party is selected from the group consisting of a database, a directory, a certifying authority, a given party that generates and revokes certificates, a given party that generates certificates, and an other party.

16. A method of managing a plurality of certificates, comprising the steps of:
- having a certifying authority provide a second party with authenticated information about certificates;
  
  having a third party request information from the second party about an unissued certificate; and
  
  having the second party use the authenticated information to provide the third party with information authenticating that the given certificate was not issued.

17. A method of extending the validity of authenticated data, comprising the steps of:
- (a) digitally signing the data together with a public key, pk, of a digital signature scheme to obtain authenticated data; and
  
  (b) extending the validity of the authenticated data by producing a second digital signature, relative to pk.
- View Dependent Claims (18, 19, 20)
- - 18. A method according to claim 17, wherein pk is a public key of a one-time digital signature scheme.
  - 19. A method according to claim 17, wherein use of the second digital signature is constrained to authenticate extended validity up to a given date.
  - 20. A method according to claim 17, wherein a first entity digitally signs the data and a different second entity produces the second digital signature.

21. A method of proving that previously certified information is valid at each date in a sequence of dates, comprising the steps of:
- (a) at each date of the sequence of dates, determining whether the previously certified information is valid; and
  
  (b) if the certified information is valid at one of the dates d of the sequence of dates, producing an off-line digital signature authenticating that the previously certified information is valid at date d.

22. A method of authenticating that each member of a subset of certificate information that binds given keys to given users is valid at a given date, comprising the steps of:
- (a) determining each of the members of the subset that are valid at a given date specific to the member; and
  
  (b) for each member of the subset that is determined valid, authenticating that the member is valid at the given date by producing an off line digital signature, unique to the member.
- View Dependent Claims (23, 24, 25)
- - 23. A method according to claim 22, wherein at the least two members of the subset have the same given date.
  - 24. A method according to claim 22, wherein an off-line step for at least one off-line digital signature is performed by a Certifying Authority and a corresponding on-line step is performed by a different entity.
  - 25. A method according to claim 22, wherein the given date of all of the members is the current date.

26. A method of extending validity through a given date of previously certified information that binds given keys to given users, comprising the steps of:
- (a) selecting a subset of the previously certified information; and
  
  (b) for each member of the subset, authenticating that the validity of the member is extended through the given date by producing an off-line digital signature, unique to the member.
- View Dependent Claims (27, 28, 29)
- - 27. A method according to claim 26, wherein the given date is different for at least two of the members.
  - 28. A method according to claim 26, wherein an off-line step of at least one off-line digital signature is performed by a Certification Authority and a corresponding on-line step is performed by a different entity.
  - 29. A method according to claim 26, wherein the given date for all the members is the current date.

30. A method of extending the validity of a subset of certificates in a set of previously issued certificates that bind given keys to given users, comprising the steps of:
- (a) determining which certificates belong to the subset; and
  
  (b) for each certificate in the subset, producing an off-line digital signature unique to the certificate indicating that the certificate is valid through a given date.
- View Dependent Claims (31, 32, 33, 34)
- - 31. A method according to claim 30, wherein a first entity issues at least one certificate and the validity of the at least one certificate is extended by a different entity.
  - 32. A method according to claim 31, wherein the different entity is constrained to extend the validity within a predetermined date.
  - 33. A method according to claim 32, wherein the predetermined date is determined by the first entity.
  - 34. A method according to claim 30, wherein the given date is the current date.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Assa Abloy AB
Original Assignee
Silvio Micali
Inventors
Micali, Silvio
Primary Examiner(s)
Gregory, Bernarr E.

Application Number

US08/559,533
Time in Patent Office

663 Days
Field of Search

380/9, 380/21, 380/23, 380/25, 380/29, 380/30, 380/49, 380/50
US Class Current

713/158
CPC Class Codes

G06Q 20/02 involving a neutral party, ...

H04L 9/3268 using certificate validatio...

Certificate revocation system

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Certificate revocation system

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links