Computer security system and method with on demand publishing of certificate revocation lists

US 6,128,740 A
Filed: 12/08/1997
Issued: 10/03/2000
Est. Priority Date: 12/08/1997
Status: Expired due to Term

First Claim

Patent Images

1. A computer network security system comprising:

means for on demand publishing of data identifying revoked certificates in response to receipt of revocation request data including means, responsive to the revocation request data, for determining whether to publish the data identifying revoked certificates on demand and for generating an updated certificate revocation list for on demand publishing to at least one network node if on demand publishing is specified wherein the means for determining whether to publish the data generates on demand update request data and receives response data representing whether on demand publishing of the data is specified and wherein the means for on demand publishing determines whether to publish on demand in response to data representing a reason for certificate revocation; and

means for storing the on demand published data for use to determine whether a certificate is valid including certificate revocation list memory having a segmented certificate revocation list with associated distribution pointers.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer network security system provides generation of a certificate revocation list (CRL) upon each revocation. The entire certificate revocation list may be published on demand, or only the portion that has changed. The computer network security system provides on-demand publishing of data identifying revoked certificates, such as revocation and expiration data, in response to receipt of revocation request data. The computer network security system stores the on-demand published data for analysis by one or more network nodes, such as a client, to determine whether a certificate is valid. The network nodes include certificate revocation list cache memory that may be selectively activated/deactivated, to effect storage/non-storage of the data identifying the revoked certificates.

195 Citations

27 Claims

1. A computer network security system comprising:
- means for on demand publishing of data identifying revoked certificates in response to receipt of revocation request data including means, responsive to the revocation request data, for determining whether to publish the data identifying revoked certificates on demand and for generating an updated certificate revocation list for on demand publishing to at least one network node if on demand publishing is specified wherein the means for determining whether to publish the data generates on demand update request data and receives response data representing whether on demand publishing of the data is specified and wherein the means for on demand publishing determines whether to publish on demand in response to data representing a reason for certificate revocation; and
  
  means for storing the on demand published data for use to determine whether a certificate is valid including certificate revocation list memory having a segmented certificate revocation list with associated distribution pointers.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1 including a network node that determines whether the certificate is valid and including means for selectively controlling certificate revocation list cache memory to facilitate evaluation of latest on demand published data identifying revoked certificates.
  - 3. The system of claim 1 wherein the means for on demand publishing of the data identifying revoked certificates outputs a certificate revocation list on a per revocation request basis.
  - 4. The system of claim 1 wherein the means for on demand publishing of the data identifying revoked certificates specifies the data that has changed from a previous publication.
  - 5. The system of claim 2 wherein the means for selectively controlling certificate revocation list cache memory includes means for determining whether the certificate revocation list cache memory is activated.

6. A computer network security system comprising:
- means for on demand publishing of data identifying revoked certificates in response to receipt of revocation request data on a per revocation request basis including means, responsive to the revocation request data, for determining whether to publish the data identifying revoked certificates on demand and for generating an updated certificate revocation list for on demand publishing to a network node if on demand publishing is specified;
  
  means for storing the on demand published data for use by the network node to determine whether a certificate is valid including certificate revocation list memory having a segmented certificate revocation list with associated distribution pointers; and
  
  wherein the network node includes means for selectively controlling certificate revocation list cache memory to facilitate evaluation of latest on demand published data identifying revoked certificates.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6 wherein the means for determining whether to publish the data generates on demand update request data and receives response data representing whether on demand publishing of the data is specified.
  - 8. The system of claim 6 wherein the means for on demand publishing determines whether to publish on demand in response to data representing a reason for certificate revocation.
  - 9. The system of claim 6 wherein the means for on demand publishing of the data identifying revoked certificates specifies the data that has changed from a previous publication.
  - 10. The system of claim 7 wherein the means for selectively controlling certificate revocation list cache memory includes means for determining whether the certificate revocation list cache memory is activated.

11. A computer network security method comprising the steps of:
- providing on demand publishing of data identifying revoked certificates in response to receipt of revocation request data;
  
  enabling a network node to selectively control certificate revocation list cache memory to effect non-storage of the data identifying revoked certificates; and
  
  storing the on demand published data for use in determining whether a certificate is valid, using certificate revocation list memory having a segmented certificate revocation list with associated distribution pointers.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method of claim 11 wherein the step of providing on demand publishing of the data identifying revoked certificates includes outputting a certificate revocation list on a per revocation request basis.
  - 13. The method of claim 11 wherein providing on demand publishing of the data identifying revoked certificates includes determining whether to publish the data identifying revoked certificates on demand and for generating an updated certificate revocation list for on demand publishing to network nodes if on demand publishing is specified.
  - 14. The method of claim 13 wherein determining whether to publish the data includes generating on demand update request data and receiving response data representing whether on demand publishing of the data is specified.
  - 15. The method of claim 11 wherein providing on demand publishing includes determining whether to publish on demand in response to data representing a reason for certificate revocation.
  - 16. The method of claim 11 wherein providing on demand publishing of the data identifying revoked certificates includes publishing the data that has changed from a previous publication.
  - 17. The method of claim 11 wherein selectively controlling certificate revocation list cache memory includes determining whether the certificate revocation list cache memory is activated.

18. A storage medium for storing programming instructions that, when read by a processing unit, causes the processing unit to provide on demand publishing of data representing revoked certificates, the storage medium comprising:
- means for storing programming instructions that provide on demand publishing of data identifying revoked certificates in response to receipt of revocation request data and enabling a network node to selectively control certificate revocation list cache memory to effect non-storage of the data identifying revoked certificates; and
  
  means for storing programming instructions that facilitate storage of the on demand published data for use to determine whether a certificate is valid, using certificate revocation list memory having a segmented certificate revocation list with associated distribution pointers.
- View Dependent Claims (19)
- - 19. The storage medium of claim 18 wherein the means for storing programming instructions that, when read by a processing unit, causes the processing unit to provide on demand publishing includes programming instructions that facilitate determining whether to publish the data identifying revoked certificates on demand and for generating an updated certificate revocation list for on demand publishing to network nodes if on demand publishing is specified.

20. A computer network security method comprising the steps of:
- selectively controlling certificate revocation list cache memory to facilitate evaluation of latest on demand published data identifying revoked certificates; and
  
  evaluating whether a certificate is revoked based on at least one of a status and content of the certificate revocation list cache memory.

21. A computer network security system comprising:
- means for on demand publishing of data identifying revoked certificates in response to receipt of revocation request data and in response to on demand update request data;
  
  means for storing the on demand published data for use to determine whether a certificate is valid; and
  
  means for selectively controlling certificate revocation list cache memory to facilitate evaluation of latest on demand published data identifying revoked certificates and includes means for determining whether the certificate revocation list cache memory is activated.
- View Dependent Claims (22, 23, 24, 25, 26, 27)
- - 22. The system of claim 21 wherein the means for on demand publishing of the data identifying revoked certificates outputs a certificate revocation list on a per revocation request basis.
  - 23. The system of claim 21 wherein the means for on demand publishing of the data identifying revoked certificates includes means, responsive to the revocation request data, for determining whether to publish the data identifying revoked certificates on demand and for generating an updated certificate revocation list for on demand publishing for at least one network node if on demand publishing is specified.
  - 24. The system of claim 23 wherein the means for determining whether to publish the data generates on demand update request data and receives response data representing whether on demand publishing of the data is specified.
  - 25. The system of claim 21 wherein the means for storing on demand published certificate revocation data includes certificate revocation list memory having a segmented certificate revocation list with associated distribution pointers.
  - 26. The system of claim 21 wherein the means for on demand publishing determines whether to publish on demand in response to data representing a reason for certificate revocation.
  - 27. The system of claim 21 wherein the means for on demand publishing of the data identifying revoked certificates specifies the data that has changed from a previous publication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Entrust Incorporated (Entrust Corp.), Entrust Technologies Limited
Original Assignee
Entrust Technologies Limited
Inventors
Curry, Ian, Van Oorschot, Paul C.
Primary Examiner(s)
Swann, Tod R.
Assistant Examiner(s)
Callahan, Paul E.

Application Number

US08/986,435
Time in Patent Office

1,030 Days
Field of Search

380/25, 380/51, 380/59, 707/10, 705/51, 705/57, 705/76, 713/152, 713/156, 713/175, 713/179, 713/200
US Class Current

713/158
CPC Class Codes

G06Q 20/3821   Electronic credentials

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 9/3268   using certificate validatio...

Computer security system and method with on demand publishing of certificate revocation lists

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

195 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Computer security system and method with on demand publishing of certificate revocation lists

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

195 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links