Certificate revocation performance optimization
Abstract
The present invention is an improved certificate revocation process that improves the efficiency of an authentication exchange in a public key distributed network system. Specifically, the present invention includes a novel revocation service (RS) that, in response to a unique request from a server node, selects certain revoked certificates from a current CRL to include in its reply so as to consume minimal system bandwidth. The unique request includes a number of parameters for consideration by the RS in generating its reply, including a maximum CRL size and/or a timestamp. The maximum CRL size indicates the largest number of revoked certificate serial numbers that the server node can process and thus receive in the revocation service reply, whereas the timestamp indicates the latest certificate revocation date of the certificates included in the CRL presently retained by the server node. Significantly, the RS generates an optimal CRL for its reply that contains all, part, or none of the current CRL revoked certificate serial numbers. Determination of the optimal CRL entails consideration of any number and combination of optimization factors, including the number of revoked certificates stored in the CRL storage facility and the time remaining before the current CRL is to be updated by a certificate authority (CA), the expiration date of the certificates, as well as the maximum CRL size and/or timestamp parameters provided to the RS in the server node request. The server node may control whether it will receive an optimal CRL and if so, what portion of the current CRL it will include by manipulating the parameters it provides to the RS. This enables each server node to request the CRL based upon its own specific security needs while optimizing the certificate revocation process. Further, the RS and/or server node may discard certificate serial numbers as their expiration dates come to pass.
32 Claims
1. In a public key distributed network, a system for improving the efficiency of an authentication exchange among a plurality of principals interconnected by a communications medium, the system comprising:
- a verifying principal configured to request revocation information pertaining to a certificate;
- a certificate authority (CA), coupled to said verifying principal, for generating said certificate; and
- a revocation service, responsive to said verifying principal, including a database configured to store a current certificate revocation list (CRL) including serial numbers of all revoked certificates in the network, and means for generating a reply to said request, said reply providing an optimal CRL based upon said current CRL and optimized to contain serial numbers of a predetermined number of revoked certificates in response to one or more optimization factors and an issue time for said optimal CRL, such that said optimal CRL includes one or more of said revoked certificate serial numbers to improve the efficiency of the authentication exchange.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 26, 27, 28.
13. A revocation service for use in a public key network system, the revocation service improving the efficiency of an authentication exchange among a plurality of principals interconnected by a communications medium, the revocation service comprising:
- means for receiving a certificate revocation request from a verifying principal logically coupled with the revocation service by said communications medium;
- means for storing a current certificate revocation list (CRL), said current CRL including a list of serial numbers of unexpired certificates that have been revoked; and
- reply means, coupled to said storing means, for generating a reply to said request, said reply including a revocation status for a particular certificate, an optimal CRL based upon said current CRL and optimized to contain a predetermined number of revoked certificates in response to one or more optimization factors, and an issue time for said optimal CRL if said optimal CRL includes one or more revoked certificates.

Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21, 29, 30, 31.
22. A revocation service for use in a public key network system, the revocation service improving the efficiency of an authentication exchange among a plurality of principals interconnected by a communications medium, the revocation service comprising:
- means for receiving a certificate revocation request from a verifying principal logically coupled with the revocation service by said communications medium;
- means for storing a current certificate revocation list (CRL) of serial numbers of unexpired certificates that have been revoked; and
- means for constructing and signing a reply to said request, said reply including an optimal CRL based upon said current CRL and optimized to contain a predetermined number of revoked certificates in response to one or more optimization factors including one or more parameters, and an issue time for said optimal CRL if said optimal CRL includes one or more revoked certificates.

Dependent claims: 23, 24, 25, 32.
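As an added illustration of the mechanism the abstract and the independent claims describe (this is not code from the patent), the following Python sketch builds the optimal CRL from three of the listed optimization factors: the verifier's maximum CRL size, its timestamp, and certificate expiry, and answers the revocation status of the queried certificate separately, as claim 13 requires. The class names, sample CRL and dates are constructed for this example; the oldest-first ordering of the delta is an assumption, not something the patent specifies.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional
UTC = timezone.utc

@dataclass(frozen=True)
class RevokedCert:
    serial: int
    revoked_at: datetime   # revocation date recorded by the CA
    expires_at: datetime   # notAfter of the certificate itself

@dataclass
class Reply:
    status: str                     # "revoked" or "good" for the queried serial
    optimal_crl: List[int]          # serials selected from the current CRL
    issue_time: Optional[datetime]  # present only when a serial is included

class RevocationService:
    """Hypothetical RS holding the CA's current CRL (constructed for this example)."""
    def __init__(self, current_crl: List[RevokedCert]) -> None:
        self.current_crl = list(current_crl)

    def prune_expired(self, now: datetime) -> None:
        # Serials of already-expired certificates need not be distributed.
        self.current_crl = [r for r in self.current_crl if r.expires_at > now]

    def handle(self, serial: int, max_size: int, since: datetime, now: datetime) -> Reply:
        self.prune_expired(now)
        # The status of the queried certificate is answered from the full CRL,
        # so a truncated optimal CRL never hides a revocation from the verifier.
        status = "revoked" if any(r.serial == serial for r in self.current_crl) else "good"
        # Optimization factors: timestamp (skip what the verifier already holds),
        # then the size cap. Oldest first so a capped reply stays a contiguous
        # delta the verifier can resume from (an assumption of this example).
        newer = sorted((r for r in self.current_crl if r.revoked_at > since),
                       key=lambda r: r.revoked_at)
        chosen = [r.serial for r in newer[:max_size]]
        return Reply(status, chosen, now if chosen else None)

# Constructed sample CRL: (serial, revocation date, certificate expiry).
SAMPLE_CRL = [
    RevokedCert(0x1001, datetime(2024, 1, 5, tzinfo=UTC), datetime(2025, 1, 1, tzinfo=UTC)),
    RevokedCert(0x1002, datetime(2024, 2, 10, tzinfo=UTC), datetime(2024, 3, 1, tzinfo=UTC)),
    RevokedCert(0x1003, datetime(2024, 3, 15, tzinfo=UTC), datetime(2025, 6, 1, tzinfo=UTC)),
    RevokedCert(0x1004, datetime(2024, 4, 20, tzinfo=UTC), datetime(2025, 6, 1, tzinfo=UTC)),
]

def query(serial: int, max_size: int, since: datetime) -> Reply:
    # "now" is fixed so the sample is reproducible; 0x1002 has expired by then.
    return RevocationService(SAMPLE_CRL).handle(serial, max_size, since, datetime(2024, 5, 1, tzinfo=UTC))
```

Setting max_size to 0 shows the "none of the current CRL" case from the abstract: the verifier still gets the status of the particular certificate but no list and no issue time.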