Method of caching digital certificate revocation lists

US 6,134,551 A
Filed: 01/08/1996
Issued: 10/17/2000
Est. Priority Date: 09/15/1995
Status: Expired due to Term

First Claim

Patent Images

1. In a method for updating a locally cached revocation list in a client computer with a database of revoked certificates stored in a host computer, the method comprising:

establishing a communication link by the client computer with the host computer based upon circumstances defined at the client computer; and

requesting by the client computer of an updated revocation list of digital certificates from the host computer, the updated revocation list being generated by a bloom filter having parameters selectable by the client computer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of updating a locally cached revocation list of digital certificates in a client computer with a current data base of revoked certificates stored in a host computer. Upon receipt of a digital certificate submitted to the client computer for verification, the client computer checks the submitted digital certificate against the locally cached revocation list. If the submitted digital certificate is not on the locally cached revocation list, the client computer confirms the validity of the submitted digital certificate and the transaction is consummated. If however, the submitted digital certificate is on the revocation list, the client computer establishes a communication link with the host computer and determines if the submitted digital certificate is in the data base of revoked certificates on the host computer. Without breaking the communication link, the client may request that an updated revocation list to be downloaded.

251 Citations

28 Claims

1. In a method for updating a locally cached revocation list in a client computer with a database of revoked certificates stored in a host computer, the method comprising:
- establishing a communication link by the client computer with the host computer based upon circumstances defined at the client computer; and
  
  requesting by the client computer of an updated revocation list of digital certificates from the host computer, the updated revocation list being generated by a bloom filter having parameters selectable by the client computer.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the circumstances at the client computer comprising:
    - upon receipt of a digital certificate submitted to the client computer for verification, checking by the client computer of the submitted certificate against the locally cached revocation list;
      
      if the submitted digital certificate is not on the locally cached revocation list, confirming the validity of the submitted digital certificate;
      
      if the submitted digital certificate is on the revocation list, making a communication link with the host computer and determining if the submitted digital certificate is in the database of revoked certificates; and
      
      requesting by the client computer that an updated revocation list be sent to the client computer.
  - 3. The method of claim 1 further comprising receiving the parameterized bloom filter by the client computer.
  - 4. The method of claim 1 further comprising updating memory of the client computer with the bloom filter.

5. A method comprising:
- (a) initiating a communication link by a client computer with a host computer, the host computer contains a database of revoked digital certificates;
  
  (b) establishing the communication link; and
  
  (c) requesting by the client computer of an updated revocation list of digital certificates, from the host computer, said updated revocation list being generated by a bloom filter having parameters selected by said client computer.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The method of claim 5 wherein the client computer contains a revocation list.
  - 7. The method of claim 6 wherein the revocation list is locally cached in the client computer.
  - 8. The method of claim 5, wherein prior to initiating the communication link, the method further comprisesreceiving a digital certificate by the client computer;
    - andchecking whether the digital certificate is listed in a current revocation list contained in the client computer.
  - 9. The method of claim 8, wherein prior to initiating the communication link, the method comprises determining whether the digital certificate is contained in the database of revoked digital certificates.
  - 10. The method of claim 8, wherein prior to initiating the communication link, the method further comprises confirming the validity of the digital certificate if the digital certificate is not listed on the current revocation list.
  - 11. The method of claim 10, wherein prior to initiating the communication link, the method further comprisesdetermining whether a bloom vector string associated with the parameterized bloom filter is being updated within the time interval set by the client computer,halting the establishment of communication link if revocation lists has recently been updated.
  - 12. The method of claim 5 further comprising loading the updated revocation list into the client computer.

13. A method comprising:
- (a) checking a digital certificate submitted to a client computer against a revocation list stored in the client computer, the revocation list being generated by a bloom filter having parameters selectable by the client computer;
  
  (b) if the submitted digital certificate is on the revocation list, initiating a communication link by the client computer with a host computer, the host computer contains a database of revoked digital certificates and the client computer contains a current revocation list;
  
  (c) establishing the communication link;
  
  (d) requesting by the client computer of the current revocation list from the host computer; and
  
  (e) loading the current revocation list into the client computer.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13, wherein the revocation list is locally cached in the client computer.
  - 15. The method of claim 13, wherein prior to checking the digital certificate, the method further comprises receiving the digital certificate by the client computer.
  - 16. The method of claim 15, wherein prior to initiating the communication link, the method further comprises confirming validity of the submitted digital certificate if the submitted digital certificate is not listed on the revocation list.
  - 17. The method of claim 15, wherein prior to requesting of the current revocation list, the method comprises determining whether the digital certificate is contained in the database of revoked digital certificates.

18. In a method for updating a locally cached revocation list of digital certificates in a client computer with a database of revoked certificates stored in a host computer, the method comprising:
- receiving a digital certificate submitted to the client computer for verification;
  
  checking the submitted digital certificate against the locally cached revocation list by the client computer;
  
  if the submitted digital certificate is not on the locally cached revocation list, confirming validity of the submitted digital certificate;
  
  if the submitted digital certificate is on the revocation list, initiating a communication link by the client computer with the host computer; and
  
  requesting by the client computer that an updated revocation list be sent to the client computer.

19. An apparatus comprising:
- a memory containing a condensed revocation list being a value formed by applying at least one hash function to a plurality of keys; and
  
  circuitry for retrieving an updated version of the condensed revocation list, the updated version is generated by parameters selected by a source remotely located from the apparatus, the parameters are associated with a bloom filter.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The apparatus of claim 19, wherein the remotely located source is a client computer.
  - 21. The apparatus of claim 19, wherein the circuitry includesa module for requesting a remote server to transmit an updated version of the condensed revocation list;
    - anda control circuit to control activation of the module.
  - 22. The apparatus of claim 19, wherein the plurality of keys used to form the condensed revocation list include at least one key deemed to be invalid.
  - 23. The apparatus of claim 22, wherein the memory is a local invalidity cache containing the bloom filter associated with the invalid key.
  - 24. The apparatus of claim 22, wherein the key is a unique value including a digital certificate.
  - 25. The apparatus of claim 22 further comprising:
    - a client computer that includes the memory and the circuitry, the client computer to communicate with a host computer storing a database including a non-condensed list of invalid keys.
  - 26. The method of claim 22, wherein the key is a unique value including one of a credit card, a debit card number, an identification badge and a digitized biometric characteristic.

27. A computer comprising:
- a memory containing a database including a list of revoked keys;
  
  a lookup module in communication with the memory, the lookup module accessing the database in response to a lookup request inquiring whether a selected key has been revoked;
  
  a control module in communication with the lookup module, the control module controlling the access of the database and responding to the lookup request by providing information whether the selected key has been revoked; and
  
  circuitry for generating a condensed revocation list being a value formed by applying at least one hash function to a plurality of keys, the circuitry comprisesa bloom filter matrix, which contained bloom filters that were generated from parameters selectable by the client computer, coupled to the control module, anda bloom vector calculator coupled to the bloom filter matrix and the memory.
- View Dependent Claims (28)
- - 28. The computer of claim 27, wherein the control module further includes circuitry for controlling the bloom filter matrix to respond to an update request for an updated condensed revocation list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Aucsmith, David W.
Primary Examiner(s)
Choules, Jack M.

Application Number

US08/584,261
Time in Patent Office

1,744 Days
Field of Search

235/379, 235/380, 395/235, 395/239, 395/242, 395/243, 395/244, 395/610, 380/23, 707/2, 707/10
US Class Current

1/1
CPC Class Codes

G06F 21/34   involving the use of extern...

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0823   using certificates cryptogr...

H04L 63/101   Access control lists [ACL]

H04L 9/14   using a plurality of keys o...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3268   using certificate validatio...

H04L 9/40   Network security protocols

Y10S 707/99932   Access augmentation or opti...

Method of caching digital certificate revocation lists

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

251 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Method of caching digital certificate revocation lists

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

251 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links