Certificate revocation performance optimization

US 5,687,235 A
Filed: 10/26/1995
Issued: 11/11/1997
Est. Priority Date: 10/26/1995
Status: Expired due to Term

First Claim

Patent Images

1. In a public key distributed network, a system for improving the efficiency of an authentication exchange among a plurality of principals interconnected by a communications medium, the system comprising:

a verifying principal configured to request revocation information pertaining to a certificate;

a certificate authority (CA), coupled to said verifying principal, for generating said certificate; and

a revocation service, responsive to said verifying principal, including,a database configured to store a current certificate revocation list (CRL) including serial numbers of all revoked certificates in the network, andmeans for generating a reply to said request, said reply providing an optimal CRL based upon said current CRL and optimized to contain serial numbers of a predetermined number of revoked certificates in response to one or more optimization factors and an issue time for said optimal CRL,such that said optimal CRL includes one or more of said revoked certificate serial numbers to improve the efficiency of the authentication exchange.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is an improved certificate revocation process that improves the efficiency of an authentication exchange in a public key distributed network system. Specifically, the present invention includes a novel revocation service (RS) that, in response to a unique request from a server node, selects certain revoked certificates from a current CRL to include in its reply so as to consume minimal system bandwidth. The unique request includes a number of parameters for consideration by the RS in generating its reply, including a maximum CRL size and/or a timestamp. The maximum CRL size indicates the largest number of revoked certificate serial numbers that the server node can process and thus receive in the revocation service reply, whereas the timestamp indicates the latest certificate revocation date of the certificates included in the CRL presently retained by the server node. Significantly, the RS generates an optimal CRL for its reply that contains all, part, or none of the current CRL revoked certificate serial numbers. Determination of the optimal CRL entails consideration of any number and combination of optimization factors, including the number of revoked certificates stored in the CRL storage facility and the time remaining before the current CRL is to be updated by a certificate authority (CA), the expiration date of the certificates, as well as the maximum CRL size and/or timestamp parameters provided to the RS in the server node request. The server node may control whether it will receive an optimal CRL and if so, what portion of the current CRL it will include by manipulating the parameters it provides to the RS. This enables each server node to request the CRL based upon its own specific security needs while optimizing the certificate revocation process. Further, the RS and/or server node may discard certificate serial numbers as their expiration dates come to pass.

161 Citations

32 Claims

1. In a public key distributed network, a system for improving the efficiency of an authentication exchange among a plurality of principals interconnected by a communications medium, the system comprising:
- a verifying principal configured to request revocation information pertaining to a certificate;
  
  a certificate authority (CA), coupled to said verifying principal, for generating said certificate; and
  
  a revocation service, responsive to said verifying principal, including,a database configured to store a current certificate revocation list (CRL) including serial numbers of all revoked certificates in the network, andmeans for generating a reply to said request, said reply providing an optimal CRL based upon said current CRL and optimized to contain serial numbers of a predetermined number of revoked certificates in response to one or more optimization factors and an issue time for said optimal CRL,such that said optimal CRL includes one or more of said revoked certificate serial numbers to improve the efficiency of the authentication exchange.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 26, 27, 28)
- - 2. The system of claim 1, wherein said one or more optimization factors comprises:
    - a quantity of said revoked certificate serial numbers stored in said database; and
      
      an anticipated update time of said current CRL by said CA.
  - 3. The system of claim 2, wherein said optimal CRL includes said revoked certificate serial numbers stored in said database when said quantity of said revoked certificate serial numbers is small relative to said anticipated update time of said current CRL, and further wherein said revocation service does not include said revoked certificate serial numbers in said reply when said quantity of revoked certificate serial numbers is large relative to said anticipated update time.
  - 4. The system of claim 2, wherein said one or more optimization factors include one or more parameters provided to said revocation service by said verifying principal in said request, said one or more parameters comprising:
    - a maximum CRL size indicating a maximum number of certificate serial numbers said optimal CRL may include.
  - 5. The system of claim 4, wherein said optimal CRL includes all said revoked certificates stored in said database only if said quantity of said revoked certificates is equal to or less than said maximum CRL size provided by said verifying principal.
  - 6. The system of claim 4, wherein said one or more parameters further comprises:
    - a timestamp indicating an earliest acceptable revocation date for certificate serial numbers included in said optimal CRL.
  - 7. The system of claim 6, wherein said optimal CRL is an incremental CRL including serial numbers of revoked certificates having revocation dates after said timestamp date and wherein said quantity of said serial numbers in said optimal CRL is less than or equal to said maximum CRL size, andwherein said issue time for said optimal CRL indicates a latest revocation date of said revoked certificates having a serial number included in said incremental CRL.
  - 8. The system of claim 6, wherein said one or more optimization factors further comprises:
    - communications activity over the network,wherein said revocation service transmits said reply at a time when said communications activity is less likely to be impacted by said reply.
  - 9. The system of claim 5, wherein said reply includes a value representing the quantity of said revoked certificate serial numbers when said quantity of said revoked certificate serial numbers is larger than said maximum CRL size.
  - 10. The system of claim 1, wherein said revocation service provides a signature of said reply in said reply.
  - 11. The system of claim 1, wherein said verifying principal appends said optimal CRL to a presently retained CRL when said optimal CRL is an incremental CRL comprising a portion of said current CRL stored in said database and further wherein said verifying principal replaces said presently retained CRL with said optimal CRL when said optimal CRL contains all of said revoked certificate serial numbers stored in said database, such that said verifying principal may thereafter refer to said retained CRL to determine if a certificate has been revoked.
  - 12. The system of claim 2, wherein said one or more optimization factors further comprises:
    - communications activity over the network,wherein said revocation service transmits said reply at a time when said communications activity is less likely to be impacted by said reply.
  - 26. The system of claim 1, whereinsaid database is further configured to store a certificate expiration date with each said serial number of said revoked certificates, and whereinsaid generating means includes said expiration date with each of said revoked certificate serial numbers in said reply, and whereinsaid verifying principal discards said serial numbers of said revoked certificates alter said expiration date has passed.
  - 27. The system of claim 1, whereinsaid database is further configured to store a scheduled expiration date with each said serial number of said revoked certificates, and whereinsaid generating means excludes from said optimal CRL one or more certificate serial numbers having an associated expiration date that has passed.
  - 28. The system of claim 10, whereinsaid verifying principal stores said signature of said reply.

13. A revocation service for use in a public key network system, the revocation service improving the efficiency of an authentication exchange among a plurality of principals interconnected by a communications medium, the revocation service comprising:
- means for receiving a certificate revocation request from a verifying principal logically coupled with the revocation service by said communications medium;
  
  means for storing a current certificate revocation list (CRL), said current CRL including a list of serial numbers of unexpired certificates that have been revoked; and
  
  reply means, coupled to said storing means, for generating a reply to said request, said reply including,a revocation status for it particular certificate,an optimal CRL based upon said current CRL and optimized to contain a predetermined number of revoked certificates in response to one or more optimization factors, andan issue time for said optimal CRL if said optimal CRL includes one or more revoked certificates.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 29, 30, 31)
- - 14. The service of claim 13, wherein said means for storing comprises a revocation service database and wherein said one or more optimization factors comprises:
    - a quantity of revoked certificate serial numbers stored in said database; and
      
      an anticipated certificate authority (CA) update time of said current CRL stored in said database.
  - 15. The service of claim 14, wherein said optimal CRL includes said revoked certificate serial numbers stored in said database when said quantity of said revoked certificate serial numbers is small relative to the anticipated occurrence of said current CRL update by said CA, and further wherein said revocation service does not include said revoked certificate serial numbers in said reply when said quantity of revoked certificate serial numbers is large relative to said anticipated update of said current CRL.
  - 16. The service of claim 14, wherein said one or more optimization factors include one or more parameters provided by said verifying principal in said request, said parameters comprising:
    - a maximum CRL size indicating a maximum number of certificate serial numbers said optimal CRL may include,wherein said optimal CRL includes all said revoked certificates stored in said database only if said quantity of said revoked certificates is equal to or less than said maximum CRL size provided by said verifying principal.
  - 17. The service of claim 16, wherein said reply includes a value representing quantity of said revoked certificate serial numbers when said quantity of said revoked certificate serial numbers is larger than said maximum CRL size.
  - 18. The service of claim 16, wherein said one or more parameters further comprises:
    - a timestamp indicating an earliest acceptable revocation date for certificate serial numbers included in said optimal CRL,wherein said optimal CRL is an incremental CRL including serial numbers of revoked certificates having revocation dates after said timestamp date and wherein said quantity of said serial numbers in said optimal CRL is less than or equal to said maximum CRL size, andwherein said issue time for said optimal CRL indicates a latest revocation date of said revoked certificates having a serial number included in said incremental CRL.
  - 19. The service of claim 13, wherein said verifying principal appends said optimal CRL to a presently retained CRL when said optimal CRL is an incremental CRL comprising a portion of said current CRL stored in a database and further wherein said verifying principal replaces said presently retained CRL with said optimal CRL when said optimal CRL contains all of said revoked certificate serial numbers stored in said database, such that said verifying principal may thereafter refer to said retained CRL to determine if a certificate has been revoked.
  - 20. The service of claim 13, wherein said one or more optimization factors further comprises:
    - communications activity over the network,wherein said revocation service transmits said reply at a time when said communications activity is less likely to be impacted by said reply.
  - 21. The service of claim 13, wherein said certificate revocation request further comprises a status request identifying a particular certificate, and wherein said reply means further comprises a revocation status for said particular certificate.
  - 29. The service of claim 13, whereinsaid optimal CRL further includes an expiration date with each said revoked serial numbers, and whereinsaid reply means further includes said expiration date in said reply.
  - 30. The service of claim 29, wherein the verifying principal discards said serial numbers of said revoked certificates after said expiration date has passed.
  - 31. The service of claim 29, wherein the reply means discards said serial numbers of said revoked certificates after said expiration date has passed.

22. A revocation service for use in a public key network system, the revocation service improving the efficiency of an authentication exchange among a plurality of principals interconnected by a communications medium, the revocation service comprising:
- means for receiving a certificate revocation request from a verifying principal logically coupled with the revocation service by said communications medium;
  
  means for storing a current certificate revocation list (CRL) of serial numbers of unexpired certificates that have been revoked; and
  
  means for constructing and signing a reply to said request, said reply including,an optimal based upon said current CRL and optimized to contain a predetermined number of revoked certificates in response to one or more optimization factors including one or more parameters, andan issue time for said optimal CRL if said optimal CRL includes one or more revoked certificates.
- View Dependent Claims (23, 24, 25, 32)
- - 23. The service of claim 22, wherein said certificate revocation request comprises said one or more parameters, including a maximum CRL size indicating a maximum number of certificate serial numbers said verifying principal can process, and a timestamp indicating a latest revocation date of certificate serial numbers retained by said verifying principal.
  - 24. The service of claim 23, wherein said verifying principal appends said optimal CRL to said retained certificate serial numbers when said optimal CRL is an incremental CRL comprising a portion of said current CRL stored in said database and further wherein said verifying principal replaces said retained certificate serial numbers with said optimal CRL when said optimal CRL contains all of said revoked certificate serial numbers stored in said database, such that said verifying principal may thereafter refer to said optimal CRL to determine if a certificate has been revoked.
  - 25. The service of claim 23, wherein said optimal CRL is an incremental CRL including serial numbers of revoked certificates having revocation dates after said timestamp date and wherein a quantity of said serial numbers in said optimal CRL is less than or equal to said maximum CRL size, andwherein said issue time for said optimal CRL indicates a latest revocation date of said revoked certificates having a serial number included in said incremental CRL.
  - 32. The service of claim 22, whereinsaid optimal CRL further includes an expiration date of said serial number with each said serial number, and whereinsaid verifying principal discards said serial numbers of said revoked certificates after said expiration date has passed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Carter, Tammy G., Perlman, Radia J., Reed, Edwards E.
Primary Examiner(s)
CANGIALOSI, SALVATORE A

Application Number

US08/548,461
Time in Patent Office

747 Days
Field of Search

380/25, 380/30
US Class Current

713/158
CPC Class Codes

H04L 9/3268 using certificate validatio...

Certificate revocation performance optimization

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

161 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Certificate revocation performance optimization

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

161 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links