Authentication system and process
First Claim
Patent Images
1. A computerized authentication system, comprising:
- a first revocation server (RS) for issuing certificate revocation information;
a first certificate authority (CA) for issuing, if the first RS is compromised, a delegation certificate indicating that certificates issued by a second CA prior to issuance of said delegation certificate should be considered valid unless indicated by a second RS to be revoked and also indicating that only information provided by the second RS concerning revocation status of the certificates issued by the second CA should be considered valid, the second CA also being for issuing, if the first RS is compromised, a renunciation certificate indicating renouncement of certification authority of said second CA in favor of said first CA; and
a third CA for certifying respective keys of said first and second certificate authorities and being configured to issue an acknowledgement message in response to receipt of said renunciation certificate.
2 Assignments
0 Petitions
Accused Products
Abstract
An authentication method and process are provided. One aspect of the process of the present invention includes authorizing a first on-line revocation server (OLRS) to provide information concerning certificates issued by a certificate authority (CA) that have been revoked. If the first OLRS is compromised, a second OLRS is authorized to provide certificate revocation information, but certificates issued by the CA remain valid unless indicated by the second OLRS to be revoked.
150 Citations
87 Claims
-
1. A computerized authentication system, comprising:
-
a first revocation server (RS) for issuing certificate revocation information;
a first certificate authority (CA) for issuing, if the first RS is compromised, a delegation certificate indicating that certificates issued by a second CA prior to issuance of said delegation certificate should be considered valid unless indicated by a second RS to be revoked and also indicating that only information provided by the second RS concerning revocation status of the certificates issued by the second CA should be considered valid, the second CA also being for issuing, if the first RS is compromised, a renunciation certificate indicating renouncement of certification authority of said second CA in favor of said first CA; and
a third CA for certifying respective keys of said first and second certificate authorities and being configured to issue an acknowledgement message in response to receipt of said renunciation certificate. - View Dependent Claims (70)
-
-
2. A computerized authentication system, comprising:
a first revocation server (RS) for providing information related to certificates issued by a first certificate authority (CA) that have been revoked, said CA being for issuing, if the first RS is compromised, a delegation certificate indicating that said first RS is no longer authorized to provide said information and that certificates previously issued by said CA remain valid unless indicated by a second RS to be revoked, the delegation certificate also indicating that only information provided by the second RS concerning revocation status of the certificates issued by the CA should be considered valid since the first RS is compromised, and a second CA for certifying a key of the first CA and being configured to issue an acknowledgement message in response to receipt of a renunciation certificate from the first CA, the renunciation certificate indicating renouncement of certification authority of the first CA in favor of a third CA. - View Dependent Claims (3, 4, 5, 6, 11, 12, 71)
-
7. A computerized authentication process, comprising:
-
authorizing a first revocation server (RS) to provide information concerning revoked certificates issued by a first certificate authority (CA);
if the first RS is compromised, authorizing a second RS to provide said information while permitting certificates issued by said CA to remain valid unless indicated by said second RS to be revoked, and permitting only said information provided by the second RS to be considered valid; and
a second CA for certifying a key of the first CA and being configured to issue an acknowledgement message in response to receipt of a renunciation certificate from the first CA, the renunciation certificate indicating renouncement of certification authority of the first CA in favor of a third CA. - View Dependent Claims (8, 72)
-
-
9. A computerized authentication process, comprising:
-
authorizing a plurality of revocation servers to provide information concerning certificates issued by a first certificate authority (CA) that have been revoked;
comparing the information provided by at least two of said servers whereby to determine whether difference exists therebetween;
determining, based at least upon whether said difference exists, whether revocation server compromise has occurred;
if said revocation server compromise is determined to have occurred, permitting only certificate revocation information provided by at least one uncompromised revocation server to be considered valid; and
providing a second CA for certifying a key of the first CA and configuring the second CA to issue an acknowledgement message in response to receipt of a renunciation certificate from the first CA, the renunciation certificate indicating renouncement of certification authority of the first CA in favor of a third CA. - View Dependent Claims (10, 73)
-
-
13. Computer readable memory storing executable program instructions comprising instructions which when executed cause:
-
a first revocation server (RS) to issue certificate revocation information;
a first certificate authority (CA) to issue, if the first RS is compromised, a delegation certificate indicating that certificates issued by a second CA prior to issuance of said delegation certificate should be considered valid unless indicated by a second RS to be revoked and also indicating that only information provided by the second RS concerning revocation status of the certificates issued by the second CA should be considered valid, the second CA also being for issuing, if the first RS is compromised, a renunciation certificate indicating renouncement of certification authority of said second CA in favor of said first CA; and
a third CA to certify respective keys of said first and second certificate authorities and to issue an acknowledgement message in response to receipt of said renunciation certificate. - View Dependent Claims (74)
-
-
14. Computer readable memory storing executable program instructions comprising instructions which when executed cause:
-
a first revocation server (RS) to provide information related to certificates issued by a first certificate authority (CA) that have been revoked;
said CA to issue, if the first RS is compromised, a delegation certificate indicating that said first RS is no longer authorized to provide said information and that certificates previously issued by said CA remain valid unless indicated by a second RS to be revoked, the delegation certificate also indicating that only information provided by the second RS concerning revocation status of the certificates issued by the CA should be considered valid since the first RS is compromised, and a second CA to certify a key of the first CA and to issue an acknowledgement message in response to receipt of a renunciation certificate from the first CA, the renunciation certificate indicating renouncement of certification authority of the first CA in favor of a third CA. - View Dependent Claims (75)
-
-
15. A computer data signal embodied in a carrier wave and representing executable instructions comprising instructions for:
-
authorizing a first revocation server (RS) to provide information concerning revoked certificates issued by a first certificate authority (CA);
if the first RS is compromised, authorizing a second RS to provide said information while permitting certificates issued by said CA to remain valid unless indicated by said second RS to be revoked, and permitting only said information provided by the second RS to be considered valid; and
causing a second CA to certify a key of the first CA and to issue an acknowledgement message in response to receipt of a renunciation certificate from the first CA, the renunciation certificate indicating renouncement of certification authority of the first CA in favor of a third CA. - View Dependent Claims (76)
-
-
16. A computer data signal embodied in a carrier wave and representing executable instructions comprising instructions for:
-
authorizing a plurality of revocation servers to provide information concerning certificates issued by a first certificate authority (CA) that have been revoked;
comparing the information provided by at least two of said servers whereby to determine whether difference exists therebetween;
determining, based at least upon whether said difference exists, whether revocation server compromise has occurred;
if said revocation server compromise is determined to have occurred, permitting only certificate revocation information provided by at least one uncompromised revocation server to be considered valid; and
providing a second CA for certifying a key of the first CA and configuring the second CA to issue an acknowledgement message in response to receipt of a renunciation certificate from the first CA, the renunciation certificate indicating renouncement of certification authority of the first CA in favor of a third CA. - View Dependent Claims (19, 77)
-
-
17. A computerized authentication system, comprising:
-
means for authorizing a first revocation server (RS) to provide information concerning revoked certificates issued by a first certificate authority (CA);
means for authorizing, if the first RS is compromised, a second RS to provide said information while permitting certificates issued by said CA to remain valid unless indicated by said second RS to be revoked, and means for permitting only said information provided by the second RS to be considered valid; and
means for causing a second CA to certify a key of the first CA and to issue an acknowledgement message in response to receipt of a renunciation certificate from the first CA, the renunciation certificate indicating renouncement of certification authority of the first CA in favor of a third CA. - View Dependent Claims (78)
-
-
18. A computerized authentication system, comprising:
-
means for authorizing a plurality of revocation servers to provide information concerning certificates issued by a first certificate authority (CA) that have been revoked;
means for comparing the information provided by at least two of said servers whereby to determine whether difference exists therebetween;
means for determining, based at least upon whether said difference exists, whether revocation server compromise has occurred;
means for, if said server compromise is determined to have occurred, permitting only certificate revocation information provided by at least one uncompromised revocation server to be considered valid; and
means for causing a second CA to certify a key of the first CA and to issue an acknowledgement message in response to receipt of a renunciation certificate from the first CA, the renunciation certificate indicating renouncement of certification authority of the first CA in favor of a third CA. - View Dependent Claims (79)
-
-
20. A computerized authentication system, comprising:
-
a first revocation server (RS) for being authorized to provide information concerning revoked certificates issued by a first certificate authority (CA);
a second revocation server (RS) for being authorized, if the first RS is compromised, to provide said information while permitting certificates issued by said CA to remain valid unless indicated by said second RS to be revoked, only the information being provided by the second RS being permitted to be considered valid, and a second CA to certify a key of the first CA and to issue an acknowledgement message in response to receipt of a renunciation certificate from the first CA, the renunciation certificate indicating renouncement of certification authority of the first CA in favor of a third CA. - View Dependent Claims (21, 80)
-
-
22. A computerized system, comprising:
-
an auditor for comparing information provided by one or more servers whereby to determine whether possible compromise of said one or more servers exists;
wherein if the auditor determines that the possible compromise exists, only the information provided by at least one uncompromised server is permitted to be considered valid and authorized; and
a first certificate authority (CA) to certify a key of a second CA and to issue an acknowledgement message in response to receipt of a renunciation certificate from the second CA, the renunciation certificate indicating renouncement of certification authority of the second CA in favor of a third CA. - View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 81)
-
-
31. A computerized process, comprising:
-
comparing information provided by one or more servers whereby to audit said one or more servers to determine whether possible compromise of said one or more servers exists;
if the possible compromise is determined to exist, permitting only the information provided by at least one uncompromised server to be considered valid and authorized; and
providing a first certificate authority (CA) to certify a key of a second CA and to issue an acknowledgement message in response to receipt of a renunciation certificate from the second CA, the renunciation certificate indicating renouncement of certification authority of the second CA in favor of a third CA. - View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 82)
-
-
40. A computerized system, comprising:
-
means for comparing information provided by one or more servers whereby to audit said one or more servers to determine whether possible compromise of said one or more servers exists;
means for, if the possible compromise is determined to exist, permitting only the information provided by at least one uncompromised server to be considered valid and authorized; and
means for causing a first certificate authority (CA) to certify a key of a second CA and to issue an acknowledgement message in response to receipt of a renunciation certificate from the second CA, the renunciation certificate indicating renouncement of certification authority of the second CA in favor of a third CA. - View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48, 83)
-
-
49. Computer readable memory storing executable program instructions comprising instructions which when executed cause:
-
comparison of information provided by one or more servers whereby to audit said one or more servers to determine whether possible compromise of said one or more servers exists;
if the possible compromise is determined to exist, permitting only the information provided by at least one uncompromised server to be considered valid and authorized; and
causing a first certificate authority (CA) to certify a key of a second CA and to issue an acknowledgement message in response to receipt of a renunciation certificate from the second CA, the renunciation certificate indicating renouncement of certification authority of the second CA in favor of a third CA. - View Dependent Claims (50, 51, 84)
-
-
52. A computer data signal embodied in a carrier wave and representing executable program instructions comprising instructions for:
-
comparing information provided by one or more servers whereby to audit said one or more servers to determine whether possible compromise of said one or more servers exists;
if the possible compromise is determined to exist, permitting only the information provided by at least one uncompromised server to be considered valid and authorize; and
causing a first certificate authority (CA) to certify a key of a second CA and to issue an acknowledgement message in response to receipt of a renunciation certificate from the second CA, the renunciation certificate indicating renouncement of certification authority of the second CA in favor of a third CA. - View Dependent Claims (53, 54, 85)
-
-
55. A computerized authentication process, comprising:
-
issuing certificate revocation information from a first revocation server (RS);
if the first RS is compromised, issuing from a first certificate authority (CA) a delegation certificate indicating that certificates issued by a second CA prior to issuance of said delegation certificate should be considered valid unless indicated by a second RS to be revoked and also indicating that only information provided by the second RS concerning revocation status of the certificates issued by the second CA should be considered valid;
issuing from the second CA, if the first RS is compromised, a renunciation certificate indicating renouncement of certification authority of said second CA in favor of said first CA; and
providing a third CA to certify respective keys of said first and second certificate authorities and to issue an acknowledgement message in response to receipt of said renunciation certificate. - View Dependent Claims (56, 57, 58, 59, 60, 68, 69)
-
-
61. A computerized authentication process, comprising:
-
providing a first revocation server (RS) for providing information related to certificates issued by a first certificate authority (CA) that have been revoked;
if said first RS is compromised, issuing from said CA a delegation certificate indicating that said first RS is no longer authorized to provide said information and that certificates previously issued by said CA remain valid unless indicated by a second RS to be revoked, the delegation certificate also indicating that only information provided by the second RS concerning revocation status of the certificates issued by the CA should be considered valid since the first RS is compromised; and
providing a second CA for certifying a key of the first CA and for issuing an acknowledgement message in response to receipt of a renunciation certificate from the first CA, the renunciation certificate indicating renouncement of certification authority of the first CA in favor of a third CA. - View Dependent Claims (62, 63, 64, 65, 86)
-
-
66. A computerized authentication system, comprising:
-
a plurality of revocation servers authorized to provide information concerning certificates issued by a first certificate authority (CA) that have been revoked;
a comparison mechanism for comparing the information provided by at least two of said servers whereby to determine whether difference exists therebetween;
a determination mechanism for determining, based at least upon whether said difference exists, whether revocation server compromise has occurred;
if said revocation server compromise is determined to have occurred, permitting only certificate revocation information provided by at least one uncompromised revocation server to considered valid; and
a second CA for certifying a key of the first CA and for issuing an acknowledgement message in response to receipt of a renunciation certificate from the first CA, the renunciation certificate indicating renouncement of certification authority of the first CA in favor of a third CA. - View Dependent Claims (67, 87)
-
Specification