Method for efficient management of certificate revocation lists and update information

US 5,699,431 A
Filed: 11/13/1995
Issued: 12/16/1997
Est. Priority Date: 11/13/1995
Status: Expired due to Term

First Claim

Patent Images

1. In a secure telecommunication system which includes an authorization agent such as a certification authority and other entities authorized by said certification authority for digitally issuing a certificate, a method of conveying additional information which alters actions taken by a system processing said certificate, comprising steps of:

i) storing additional information at a plurality of data storage locations;

ii) extracting from said certificate accessing information which specifies how said additional information is to be obtained;

iii) verifying the authenticity of said additional information through digital verifying techniques such as digital signature verification;

iv) processing said verified additional information obtained from any of the plurality of data storage locations; and

v) performing on said certificate the action altered by the additional information.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method which allows implementation of the revocation of public-key certificates facilitates engineering of certificate revocation lists (CRLs). It solves the practical problem of CRLs potentially growing to unmanageable lengths by allowing CRLs to be segmented, based on size considerations or priority considerations related to revocation reasons. The method is used to distribute CRL information to users of certificate-based public-key systems. It is also applied more generally to update any field in a certificate by reference to a secondary source of authenticated information.

203 Citations

20 Claims

1. In a secure telecommunication system which includes an authorization agent such as a certification authority and other entities authorized by said certification authority for digitally issuing a certificate, a method of conveying additional information which alters actions taken by a system processing said certificate, comprising steps of:
- i) storing additional information at a plurality of data storage locations;
  
  ii) extracting from said certificate accessing information which specifies how said additional information is to be obtained;
  
  iii) verifying the authenticity of said additional information through digital verifying techniques such as digital signature verification;
  
  iv) processing said verified additional information obtained from any of the plurality of data storage locations; and
  
  v) performing on said certificate the action altered by the additional information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method according to claim 1, wherein the additional information is related to the validity of a certificate, conditions for the validity including any of certificate revocation, a validity period specified by a starting and ending date and other relevant information, and any alteration of such conditions.
  - 3. The method according to claim 2 wherein the validity conditions are verified by the use of CRLs.
  - 4. The method according to claim 3, wherein a CRL is segmented and a list of revoked certificates corresponding to a particular authorization agent is separated into at least one CRL segment whose content is stored in one of the plurality of data storage locations, and each certificate contains at least one location indicator which indicates associated CRL segment.
  - 5. The method according to claim 4, wherein at least one CRL segment corresponds to at least one revocation reason.
  - 6. The method according to claim 5, wherein the location indicator specifies a field in an entry in a database.
  - 7. The method according to claim 5, wherein the certificate is of the format as specified in X.509 and the location indicator is an additional field in the certificate.
  - 8. The method according to claim 5, wherein the format of CRLs and CRL segments is that specified in X.509 with an added field within the CRL itself specifying any of the location indicator of the CRL segment and the reason codes associated with this particular CRL segment.
  - 10. The method according to claim 5, wherein the certificate is for an attribute other than a public key.
  - 11. The method according to claim 5, wherein CRL segments at at least one distribution point are signed by any of a common certification authority key and segment keys authorized by the certification authority which issued the certificate.
  - 12. The method according to claim 5, wherein a particular certificate appears on a plurality of different CRL segments associated with any of the same revocation reasons and an overlapping set of revocation reasons.
  - 13. The method according to claim 5 wherein a CRL segment is indicated indirectly from information embedded in the certificate and the certificate includes a compressed representation such as hash of a more complete specification of information, linkable thereto.
  - 14. The method according to claim 5 wherein a CRL segment is indicated by an explicit address.
  - 15. The method according to claim 5 wherein the method of indicating a CRL segment can be determined indirectly from information embedded in the certificate, the embedded information being represented by a compressed representation, such as the result of one-way hash.
  - 16. The method according to claim 5, wherein at least one revocation reason is specified in the CRL segment.
  - 17. The method according to claim 6, wherein the database is a directory and the entry includes a CRL attribute of an entry in an X.509directory.
  - 18. The method according to claim 5, wherein the certificate is of the format similar to that specified in X.509 and the location indicator is an additional field in the certificate.
  - 19. The method according to claim 5, wherein the format of CRLs and CRL segments is similar to that specified in X.509, with an added field within the CRL itself specifying any of the location of the CRL segment and the reason codes associated with this particular CRL segment.
  - 20. The method according to claim 14 wherein an explicit address is any of a network address, filename address, and database directory entry address.

9. The method according to claim, wherein the certificate is a public-key certificate for any type of public key, including Diffie-Hellman public keys.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Entrust Incorporated (Entrust Corp.)
Original Assignee
Northern Telecom Limited (Nortel Networks Corporation)
Inventors
Van Oorschot, Paul C., Ford, Warwick S., Hillier, Stephen W., Otway, Josanne
Primary Examiner(s)
CANGIALOSI, SALVATORE A

Application Number

US08/556,360
Time in Patent Office

764 Days
Field of Search

380/30, 235/492
US Class Current

380/30
CPC Class Codes

H04L 9/3268 using certificate validatio...

Method for efficient management of certificate revocation lists and update information

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

203 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method for efficient management of certificate revocation lists and update information

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

203 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links