Apparatus and method for demonstrating and confirming the status of a digital certificates and other data
Abstract
Methods and apparatuses for providing cryptographic assurance, based on ranges, as to whether a particular data item is on a list. According to one computer-implemented method, the items on the list are sorted and ranges are derived from adjacent pairs of data items on the list. Next, cryptographically manipulated data is generated from the plurality of ranges. At least part of the cryptographically manipulated data is transmitted onto a network for use in cryptographically demonstrating whether any given data item is on the list. According to another computer-implemented method, a request message is received asking whether a given data item is on a list of data items. In response, a range is selected that is derived from the pair of data items on the list that define the smallest range including the given data item. A response message is transmitted that cryptographically demonstrates whether the given data item is on the list, using cryptographically manipulated data derived from the range. According to another computer-implemented method, a request message is transmitted requesting an indication as to whether a first data item is on a list of data items. In response, a message is received that cryptographically demonstrates whether the first data item is on the list, where the response message identifies a range that is derived from the pair of data items on the list that define the smallest range including the first data item.
11 Claims
1. A method comprising the computer implemented steps of:
where each digital certificate in a superset of issued digital certificates is associated with a unique data item, sorting those data items associated with a plurality of revoked digital certificates belonging to said superset of issued digital certificates;
deriving a plurality of ranges using adjacent pairs of data items in said sorted data items as endpoints such that all data items associated with said plurality of revoked digital certificates are at endpoints of said plurality of ranges and such that all data items associated with unrevoked digital certificates fall in-between the endpoints of said plurality of ranges, wherein each adjacent pair of data items in said sorted data items is used to derive a different one of said plurality of ranges;
digitally signing each of the plurality of ranges individually, wherein the plurality of ranges and said digital signatures cryptographically demonstrate whether any given digital certificate is one of said plurality of revoked digital certificates; and
electronically transmitting said plurality of ranges and said digital signatures onto a network and using them in cryptographically demonstrating whether any given digital certificate is one of said plurality of revoked digital certificates, wherein a given one of said plurality of ranges together with the digital signature of that range cryptographically demonstrates whether a given digital certificate within that range is one of the plurality of revoked digital certificates.
Dependent claims: 2
3. A method comprising the computer implemented steps of:
receiving a request message requesting whether a first digital certificate is one of a plurality of revoked digital certificates belonging to a superset of issued digital certificates, where each digital certificate in said superset of issued digital certificates is associated with a unique data item;
selecting a range having as endpoints the unique data items associated with the pair of revoked digital certificates in said plurality of revoked digital certificates that defines the smallest range of the unique data items that includes said first digital certificate, wherein the first digital certificate is not one of the plurality of revoked digital certificates if the unique data item associated with the first digital certificate is in-between the endpoints of the range, and wherein the first digital certificate is revoked if the unique data item associated with the first digital certificate is one of the endpoints of the range;
forming a response message including the unique data items that are the endpoints of the range and including a digital signature on the range, said response message cryptographically demonstrating whether said first digital certificate is one of said plurality of revoked digital certificates; and
electronically transmitting the response message onto a network.
Dependent claims: 4, 5, 6, 7
8. A method comprising the computer implemented steps of:
electronically transmitting a request message as to whether a first digital certificate is one of a plurality of revoked digital certificates belonging to a superset of issued digital certificates, where each digital certificate in said superset of issued digital certificates is associated with a unique data item;
receiving a response message that cryptographically demonstrates whether said first digital certificate is one of said plurality of revoked digital certificates, said response message identifying a range having as endpoints the data items associated with the pair of revoked digital certificates in said plurality of revoked digital certificates that defines the smallest range of the data items that includes said first digital certificate, said response message also including a digital signature on said range, wherein the first digital certificate is not one of the plurality of revoked digital certificates if the unique data item associated with the first digital certificate is in-between the endpoints of the range, and wherein the first digital certificate is revoked if the unique data item associated with the first digital certificate is one of the endpoints of the range; and
determining if said first digital certificate is one of said plurality of revoked digital certificates based on said range by determining whether the unique data item associated with said first digital certificate is either in-between the endpoints of said range, one of the endpoints of said range, or outside said range, and validating said digital signature.
Dependent claims: 9, 10, 11