Method and apparatus for managing trusted certificates
First Claim
1. A method for managing trusted certificates for authenticating communications for clients belonging to an enterprise, comprising:
- assembling a list of trusted certificates, trusted certificates in the list containing public keys for authenticating communications signed by associated private keys;
constructing a fingerprint for the list of trusted certificates;
communicating the list of trusted certificates to a client through a first communication mechanism;
communicating the fingerprint to the client through a second communication mechanism;
verifying, at the client, that the fingerprint received through the second communication mechanism was constructed from the list of trusted certificates received through the first communication mechanism;
storing the list of trusted certificates within a directory service; and
using, at the client, a trusted certificate from the list of trusted certificates to authenticate a communication by using a public key within the trusted certificate to verify that the communication was signed by a private key belonging to a sender of the communication.
2 Assignments
0 Petitions
Accused Products
Abstract
The present invention provides a system for managing trusted certificates for authenticating communications for clients belonging to an enterprise. The system assembles a list of trusted certificates containing public keys for authenticating communications signed by associated private keys. This assembly process may include verifying the authenticity of trusted certificates in the list. The system then constructs a fingerprint for the list. The list is then communicated to a client through a first communication mechanism, and the fingerprint is communicated to the client through a second communication mechanism. Next, the client verifies that the fingerprint received through the second communication mechanism was constructed from the list of trusted certificates received through the first communication mechanism. This establishes a high degree of confidence that the list of trusted certificates is authentic. The client can then confidently use trusted certificates from the list to authenticate subsequent communications. Trusted certificates in the list are associated with certificate authorities that issue certificates for entities communicating across the network. Each of these trusted certificates includes a public key and an identity for a certificate authority. The enterprise administrator includes its own certificate along with other trusted certificates in the list. Once the user verifies the fingerprint and installs the list, subsequent updates to the list do not require further out-of-band verification of the fingerprint because the updated list can be verified using the public key of the enterprise administrator taken from the enterprise administrator'"'"'s certificate.
135 Citations
31 Claims
-
1. A method for managing trusted certificates for authenticating communications for clients belonging to an enterprise, comprising:
-
assembling a list of trusted certificates, trusted certificates in the list containing public keys for authenticating communications signed by associated private keys;
constructing a fingerprint for the list of trusted certificates;
communicating the list of trusted certificates to a client through a first communication mechanism;
communicating the fingerprint to the client through a second communication mechanism;
verifying, at the client, that the fingerprint received through the second communication mechanism was constructed from the list of trusted certificates received through the first communication mechanism;
storing the list of trusted certificates within a directory service; and
using, at the client, a trusted certificate from the list of trusted certificates to authenticate a communication by using a public key within the trusted certificate to verify that the communication was signed by a private key belonging to a sender of the communication. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
further comprising using the first public key to authenticate a subsequent updated list of trusted certificates received by the client from the enterprise administrator.
-
-
8. The method of claim 1, wherein the first communication mechanism and the second communication mechanism include separate communication pathways across the network.
-
9. The method of claim 1, wherein the first communication mechanism operates across the network and the second communication mechanism operates by delivering to the client a physical medium encoded with a communication.
-
10. The method of claim 1, wherein the act of communicating the list to the client through the first communication mechanism includes updating a serial number associated with the list so that when the client subsequently reads the updated serial number, the client knows the list has changed and requests an updated list.
-
11. The method of claim 1, wherein the act of communicating the list to the client through the first communication mechanism includes updating a time stamp associated with the list so that when the client subsequently reads the updated time stamp, the client knows the list has changed and requests an updated list.
-
12. The method of claim 1, wherein the act of communicating the list to the client through the first communication mechanism includes sending the list to the client without first receiving a request for the list from the client.
-
13. A method for managing trusted certificates for securely authenticating communications for clients belonging to an enterprise, comprising:
-
assembling a list of trusted certificates, wherein a trusted certificate in the list is associated with a certificate authority that issues certificates for entities communicating across the network, the trusted certificate including a public key and an identity associated with the certificate authority, and wherein the list is assembled by an enterprise administrator that manages the list of trusted certificates for the enterprise;
authenticating certificates in the list of trusted certificates;
constructing a fingerprint for the list of trusted certificates;
communicating the list of trusted certificates to a client through a first communication mechanism;
communicating the fingerprint to the client through a second communication mechanism;
communicating a first public key to the client by including it with the list of trusted certificates, the first public key enabling the client to verify that a message has been signed by a first private key belonging to the enterprise administrator;
verifying, at the client, that the fingerprint received through the second communication mechanism was constructed from the list of trusted certificates received through the first communication mechanism;
storing the list of trusted certificates within a directory service;
using, at the client, a trusted certificate from the list of trusted certificates to authenticate a communication across a network by using a public key within the trusted certificate to verify that the communication was signed by a private key belonging to a sender of the communication; and
using the first public key to authenticate an updated list of trusted certificates subsequently received by the client from the enterprise administrator.
-
-
14. A method for managing trusted certificates for authenticating communications for clients belonging to an enterprise, comprising:
-
assembling a list of trusted certificates, trusted certificates in the list containing public keys for authenticating communications signed by associated private keys belonging to entities that are trusted by the enterprise;
signing the list of trusted certificates with a first private key;
communicating the signed list of trusted certificates to a client;
using a first public key, previously obtained by the client through a reliable communication mechanism, to verify that the signed list of trusted certificates communicated to the client was signed with the first private key;
storing the list of trusted certificates within a directory service; and
using, at the client, a trusted certificate from the list of trusted certificates to authenticate a subsequent communication. - View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
-
-
24. A method for managing trusted certificates for authenticating communications for clients belonging to an enterprise, comprising:
-
receiving a list of trusted certificates through a first communication mechanism, trusted certificates in the list containing public keys for authenticating communications signed by associated private keys;
receiving a fingerprint constructed from the list of trusted certificates through a second communication mechanism;
verifying that the fingerprint received through the second communication mechanism was constructed from the list of trusted certificates received through the first communication mechanism;
storing the list of trusted certificates within a directory service; and
using a trusted certificate from the list of trusted certificates to authenticate a subsequent communication by using a public key within the trusted certificate to verify that the subsequent communication was signed by a private key belonging to a sender of the communication.
-
-
25. A method for managing trusted certificates for authenticating communications for clients belonging to an enterprise, comprising:
-
assembling a list of trusted certificates, trusted certificates in the list containing public keys for authenticating communications signed by associated private keys;
constructing a fingerprint for the list of trusted certificates;
communicating the list of trusted certificates to a client through a first communication mechanism;
communicating the fingerprint to the client through a second communication mechanism, wherein the client is able to verify that the fingerprint received through the second communication mechanism was constructed from the list of trusted certificates received through the first communication mechanism; and
storing the list of trusted certificates within a directory service.
-
-
26. A computer readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for managing trusted certificates for authenticating communications for clients belonging to an enterprise, comprising:
-
assembling a list of trusted certificates, trusted certificates in the list containing public keys for authenticating communications signed by associated private keys;
constructing a fingerprint for the list of trusted certificates;
communicating the list of trusted certificates to a client through a first communication mechanism;
communicating the fingerprint to the client through a second communication mechanism;
allowing the client to verify that the fingerprint received through the second communication mechanism was constructed from the list of trusted certificates received through the first communication mechanism; and
storing the list of trusted certificates within a directory service.
-
-
27. An apparatus that manages trusted certificates for authenticating communications for an enterprise, comprising:
-
a list assembly mechanism that assembles a list of trusted certificates, trusted certificates in the list containing public keys for authenticating communications signed by associated private keys;
a fingerprint generation mechanism that generates a fingerprint for the list of trusted certificates;
a first communication mechanism that communicates the list of trusted certificates to a client;
a second communication mechanism that communicates the fingerprint to the client;
a verification mechanism, at the client, that verifies that the fingerprint received through the second communication mechanism was constructed from the list of trusted certificates received through the first communication mechanism;
a storing mechanism that stores the list of trusted certificates within a directory service; and
an authentication mechanism, at the client, that uses a trusted certificate from the list of trusted certificates to authenticate a subsequent communication by using a public key within the trusted certificate to verify that the subsequent communication was signed by a private key belonging to a sender of the subsequent communication. - View Dependent Claims (28, 29, 30, 31)
wherein the verification mechanism at the client is configured to use the first public key to authenticate a subsequent updated list of trusted certificates received by the client from the enterprise administrator.
-
Specification