Computer security system and method with on demand publishing of certificate revocation lists
Assignments: 5; Petitions: 0
Abstract
A computer network security system provides generation of a certificate revocation list (CRL) upon each revocation. The entire certificate revocation list may be published on demand, or only the portion that has changed. The computer network security system provides on-demand publishing of data identifying revoked certificates, such as revocation and expiration data, in response to receipt of revocation request data. The computer network security system stores the on-demand published data for analysis by one or more network nodes, such as a client, to determine whether a certificate is valid. The network nodes include certificate revocation list cache memory that may be selectively activated/deactivated, to effect storage/non-storage of the data identifying the revoked certificates.
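The following Python model is an added illustration of the mechanism the abstract and claims describe; it is not code from the patent or from any product. It assumes its own names (CertificateAuthority, CRLSegment, ClientNode, RevocationRequest), a constructed serial-number-to-segment rule for the distribution pointers, and an assumed policy (ON_DEMAND_REASONS) under which only key or CA compromise triggers on-demand publishing; every other revocation waits for the scheduled publication of the full segmented list. The client side shows why selective cache control matters: a node whose cache is active can keep evaluating a stale segment until it flushes that one segment in response to the on-demand publication.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class RevocationReason(Enum):
    """Reason codes, named after the RFC 5280 CRLReason values."""
    UNSPECIFIED = 0
    KEY_COMPROMISE = 1
    CA_COMPROMISE = 2
    SUPERSEDED = 4


# Assumed policy (not from the patent): reasons urgent enough to publish on
# demand instead of waiting for the scheduled full publication.
ON_DEMAND_REASONS = {RevocationReason.KEY_COMPROMISE, RevocationReason.CA_COMPROMISE}


@dataclass
class CRLSegment:
    """One partition of the segmented CRL, addressed by its distribution pointer."""
    pointer: str
    version: int = 0
    revoked: Set[int] = field(default_factory=set)  # revoked certificate serials


@dataclass
class RevocationRequest:
    serial: int
    reason: RevocationReason


class CertificateAuthority:
    """Keeps the working CRL segments and decides per request whether to publish."""

    def __init__(self, segments: int, base_pointer: str) -> None:
        self.segments = [CRLSegment(f"{base_pointer}/{i}") for i in range(segments)]
        self.published: Dict[str, CRLSegment] = {}  # snapshots that nodes can fetch
        self.pending: Set[str] = set()  # changed segments awaiting scheduled publish

    def segment_for(self, serial: int) -> CRLSegment:
        # Constructed distribution-pointer rule: serial number -> segment index
        return self.segments[serial % len(self.segments)]

    def should_publish_on_demand(self, req: RevocationRequest) -> bool:
        # The on-demand decision is driven by the revocation reason (as in claim 1)
        return req.reason in ON_DEMAND_REASONS

    def revoke(self, req: RevocationRequest) -> Optional[str]:
        """Record the revocation; return the pointer published on demand, if any."""
        seg = self.segment_for(req.serial)
        seg.revoked.add(req.serial)
        seg.version += 1
        self.pending.add(seg.pointer)
        if self.should_publish_on_demand(req):
            self.publish(seg.pointer)
            return seg.pointer
        return None

    def publish(self, pointer: str) -> None:
        """Publish only the changed segment as a frozen snapshot."""
        seg = next(s for s in self.segments if s.pointer == pointer)
        self.published[pointer] = CRLSegment(seg.pointer, seg.version, set(seg.revoked))
        self.pending.discard(pointer)

    def publish_all(self) -> None:
        """Scheduled publication of the entire segmented CRL."""
        for seg in self.segments:
            self.publish(seg.pointer)


class ClientNode:
    """Network node whose CRL cache memory can be activated or deactivated."""

    def __init__(self, ca: CertificateAuthority, cache_enabled: bool = True) -> None:
        self.ca = ca
        self.cache_enabled = cache_enabled
        self.cache: Dict[str, CRLSegment] = {}

    def on_publish_notice(self, pointer: str) -> None:
        """Selective cache control: drop only the segment the CA republished."""
        self.cache.pop(pointer, None)

    def fetch(self, pointer: str) -> CRLSegment:
        if self.cache_enabled and pointer in self.cache:
            return self.cache[pointer]
        seg = self.ca.published[pointer]  # simulated network fetch by pointer
        if self.cache_enabled:
            self.cache[pointer] = seg
        return seg

    def is_revoked(self, serial: int) -> bool:
        # Outcome depends on both cache status and cache content (as in claim 20)
        return serial in self.fetch(self.ca.segment_for(serial).pointer).revoked


def demo() -> Dict[str, object]:
    """Constructed scenario: one urgent and one routine revocation."""
    ca = CertificateAuthority(segments=4, base_pointer="crl://ca.example/seg")
    ca.publish_all()
    caching, fresh = ClientNode(ca, True), ClientNode(ca, False)
    caching.is_revoked(1001)  # warms the cache with the pre-revocation segment
    ptr = ca.revoke(RevocationRequest(1001, RevocationReason.KEY_COMPROMISE))
    ca.revoke(RevocationRequest(1002, RevocationReason.SUPERSEDED))
    stale = caching.is_revoked(1001)  # active but stale cache hides the compromise
    caching.on_publish_notice(ptr)
    return {
        "fresh_sees_on_demand": fresh.is_revoked(1001),
        "stale_cache_hides_it": stale,
        "after_cache_flush": caching.is_revoked(1001),
        "deferred_not_visible": fresh.is_revoked(1002),
        "pending_segments": sorted(ca.pending),
    }
```

Calling `demo()` shows the trade-off the claims are built around: a node with its cache deactivated sees the key-compromise revocation immediately at the cost of a fetch per check, a node with an active cache keeps answering from the old segment until it discards exactly that segment, and the routine revocation stays in `pending` until the next scheduled `publish_all()`.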
Citations: 195
Claims (27)
1. A computer network security system comprising:
- means for on demand publishing of data identifying revoked certificates in response to receipt of revocation request data including means, responsive to the revocation request data, for determining whether to publish the data identifying revoked certificates on demand and for generating an updated certificate revocation list for on demand publishing to at least one network node if on demand publishing is specified wherein the means for determining whether to publish the data generates on demand update request data and receives response data representing whether on demand publishing of the data is specified and wherein the means for on demand publishing determines whether to publish on demand in response to data representing a reason for certificate revocation; and
- means for storing the on demand published data for use to determine whether a certificate is valid including certificate revocation list memory having a segmented certificate revocation list with associated distribution pointers.
(Dependent claims 2, 3, 4, 5)

6. A computer network security system comprising:
- means for on demand publishing of data identifying revoked certificates in response to receipt of revocation request data on a per revocation request basis including means, responsive to the revocation request data, for determining whether to publish the data identifying revoked certificates on demand and for generating an updated certificate revocation list for on demand publishing to a network node if on demand publishing is specified;
- means for storing the on demand published data for use by the network node to determine whether a certificate is valid including certificate revocation list memory having a segmented certificate revocation list with associated distribution pointers; and
- wherein the network node includes means for selectively controlling certificate revocation list cache memory to facilitate evaluation of latest on demand published data identifying revoked certificates.
(Dependent claims 7, 8, 9, 10)

11. A computer network security method comprising the steps of:
- providing on demand publishing of data identifying revoked certificates in response to receipt of revocation request data;
- enabling a network node to selectively control certificate revocation list cache memory to effect non-storage of the data identifying revoked certificates; and
- storing the on demand published data for use in determining whether a certificate is valid, using certificate revocation list memory having a segmented certificate revocation list with associated distribution pointers.
(Dependent claims 12, 13, 14, 15, 16, 17)

18. A storage medium for storing programming instructions that, when read by a processing unit, causes the processing unit to provide on demand publishing of data representing revoked certificates, the storage medium comprising:
- means for storing programming instructions that provide on demand publishing of data identifying revoked certificates in response to receipt of revocation request data and enabling a network node to selectively control certificate revocation list cache memory to effect non-storage of the data identifying revoked certificates; and
- means for storing programming instructions that facilitate storage of the on demand published data for use to determine whether a certificate is valid, using certificate revocation list memory having a segmented certificate revocation list with associated distribution pointers.
(Dependent claim 19)

20. A computer network security method comprising the steps of:
- selectively controlling certificate revocation list cache memory to facilitate evaluation of latest on demand published data identifying revoked certificates; and
- evaluating whether a certificate is revoked based on at least one of a status and content of the certificate revocation list cache memory.

21. A computer network security system comprising:
- means for on demand publishing of data identifying revoked certificates in response to receipt of revocation request data and in response to on demand update request data;
- means for storing the on demand published data for use to determine whether a certificate is valid; and
- means for selectively controlling certificate revocation list cache memory to facilitate evaluation of latest on demand published data identifying revoked certificates and includes means for determining whether the certificate revocation list cache memory is activated.
(Dependent claims 22, 23, 24, 25, 26, 27)
Specification