Certificate revocation system
Abstract
A method of managing certificates in a communication system having a certifying authority and a directory. Preferably, the method begins by having the certifying authority generate certificates by digitally signing a given piece of data. At a later point in time, the certifying authority may produce a string that proves whether a particular certificate is currently valid without also proving the validity of at least some other certificates. The technique obviates use of certificate revocation lists communicated between the certifying authority and the directory.
39 Claims
1. A method of conveying status information about a certificate that is part of a plurality of certificates, comprising:
at every date j of a sequence of dates, and for every certificate i of the plurality of certificates, if i continues to be valid, having a certifying authority compute individual certificate revocation status information CRSi about i by digitally signing together i's serial number, date j and an indication that i continues to be valid, or, if i ceases to be valid, having the certifying authority compute individual certificate revocation status CRSi by digitally signing together certificate i's serial number, date j, and an indication that the certificate is no longer valid;
providing the digitally signed CRSi to a directory;
for each certificate i in the plurality of certificates, having the directory store the latest received CRSi; and
in response to an inquiry about revocation status of certificate i, having the directory provide the latest received CRSi.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A method of conveying status information about a certificate that is part of a plurality of certificates, comprising:
having a certifying authority digitally sign using a first digital signature scheme the public key pk of a second signature scheme, wherein pk's secret key is known to an other entity;
at every date j of a sequence of dates, and for every certificate i of the plurality of certificates, if i continues to be valid, having the other entity compute individual certificate revocation status information CRSi about i by digitally signing together, with respect to public key pk, i's serial number, date j and an indication that i continues to be valid, or, if i ceases to be valid, having the other entity compute individual certificate revocation status CRSi by digitally signing together, with respect to public key pk, certificate i's serial number, date j and an indication that the certificate is no longer valid;
providing the digitally signed CRSi to the directory;
for each certificate i in the plurality of certificates, having the directory store the latest received CRSi; and
in response to an inquiry about revocation status of certificate i, having the directory provide the latest received CRSi.
Dependent claims: 10, 11, 12, 13, 14.

15. A method of conveying status information about a certificate that is part of a plurality of certificates, comprising:
having a certifying authority digitally sign using a first digital signature scheme the public key pk of a second signature scheme, wherein pk's secret key is known to an other entity;
at every date j of a sequence of dates, and for every certificate i of the plurality of certificates, if i continues to be valid, having the other entity compute individual certificate revocation status information CRSi about i by digitally signing together, with respect to public key pk, i's serial number, date j and an indication that i continues to be valid, or, if i ceases to be valid, having the second entity compute individual certificate revocation status CRSi by digitally signing together, with respect to public key pk, certificate i's serial number, date j and an indication that the certificate is no longer valid;
providing the digitally signed CRSi to the directory;
for each certificate i in the plurality of certificates, having the directory store the latest received CRSi; and
in response to an inquiry about revocation status of certificate i, having the directory provide the latest received CRSi.
Dependent claims: 16, 17, 18, 19, 20.

21. A method of preparing certificate revocation status information about a plurality of certificates issued by a first entity, comprising:
at every date j of a sequence of dates, and for every certificate i of the plurality of certificates, if i continues to be valid, having a second entity compute individual certificate revocation status information CRSi about i by digitally signing together, with respect to public key pk of the second entity, i's serial number, date j and an indication that i continues to be valid, or, if i ceases to be valid, having the second entity compute individual certificate revocation status CRSi by digitally signing together, with respect to public key pk of the second entity, certificate i's serial number, date j, and an indication that the certificate is no longer valid; and
providing the digitally signed CRSi to a directory for handling queries about the certificate revocation status of certificate i.
Dependent claims: 22, 23, 24, 25, 26.

27. A method of preparing certificate revocation status information about a plurality of certificates, comprising:
at every date j of a sequence of dates, and for every certificate i of the plurality of certificates, if i continues to be valid, having a directory receive individual certificate revocation status information CRSi about i consisting of a digital signature, with respect to public key pk, of at least the following three quantities taken together:
(1) i's serial number, (2) date j and (3) an indication that i continues to be valid, or, if i ceases to be valid, having the directory receive individual certificate revocation status CRSi about i consisting of the digital signature of the following three quantities taken together:
(1) certificate i's serial number, (2) date j, and (3) an indication that the certificate is no longer valid;
having the directory store CRSi; and
having the directory provide the latest received CRSi in response to queries about the certificate revocation status of certificate i.
Dependent claims: 28, 29, 30, 31.

32. A method of conveying status information about a certificate that is part of a plurality of certificates, comprising:
at every date j of a sequence of dates, and for every certificate i of the plurality of certificates that continues to be valid, having a certifying authority compute individual certificate revocation status information CRSi about i by digitally signing together i's serial number, date j and an indication that i continues to be valid;
providing the digitally signed CRSi to a directory;
for each certificate i in the plurality of certificates that continues to be valid, having the directory store the latest received CRSi; and
in response to an inquiry about the revocation status of certificate i, having the directory provide the latest received CRSi, wherein whenever a certificate becomes no longer valid, the certifying authority computes a direct signature that the certificate has been revoked and sends it to the directory, and wherein the directory provides the direct signature in response to an inquiry about the status of the certificate.
Dependent claims: 33.

34. A method of conveying status information about a certificate that is part of a plurality of certificates issued by a certifying authority, comprising:
having the certifying authority digitally sign using a first digital signature scheme the public key pk of a second signature scheme, wherein pk's secret key is known to an other entity;
at every date j of a sequence of dates, and for every certificate i of the plurality of certificates that continues to be valid, having the other entity compute individual certificate revocation status information CRSi about i by digitally signing together, with respect to public key pk, i's serial number, date j and an indication that i continues to be valid;
providing the digitally signed CRSi to a directory;
for each certificate i in the plurality of certificates, having the directory store the latest received CRSi; and
in response to a request about the revocation status of certificate i, having the directory provide the latest received CRSi, wherein whenever a certificate becomes no longer valid, the other entity computes a direct signature indicating that the certificate has been revoked and sends it to the directory, and wherein the directory forwards the direct signature in response to an inquiry about the certificate revocation status of the certificate.
Dependent claims: 35.

36. A method of preparing certificate revocation status information about a plurality of certificates issued by a first entity, comprising:
at every date j of a sequence of dates, and for every certificate i of the plurality of certificates that continues to be valid, having a second entity compute individual certificate revocation status information CRSi about i by digitally signing together, with respect to a public key pk, i's serial number, date j and an indication that i continues to be valid; and
providing the digitally signed CRSi to a directory to handle queries about the certificate revocation status of certificate i, wherein whenever a certificate becomes no longer valid, the certifying authority computes a direct signature that the certificate has been revoked and sends the direct signature to the directory for providing in response to an inquiry about the certificate revocation status of the certificate.
Dependent claims: 37.

38. A method of preparing certificate revocation status information about a plurality of certificates, comprising:
at every date j of a sequence of dates, and for every certificate i of the plurality of certificates that continues to be valid, having a directory receive individual certificate revocation status information CRSi about i consisting of a digital signature, with respect to public key pk, of at least the following three quantities together:
(1) i's serial number, (2) date j and (3) an indication that i continues to be valid, having the directory store CRSi; and
having the directory provide the latest received CRSi in response to queries about the certificate revocation status of certificate i, wherein whenever a certificate becomes no longer valid, the directory receives a direct signature that the certificate has been revoked, stores the direct signature, and provides the direct signature in response to inquiries about the certificate revocation status of the certificate.
Dependent claims: 39.
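The claims above all describe the same three-party exchange: a signer produces, per certificate and per date, a signature over the serial number, the date and a validity flag; the directory keeps the latest such record; a relying party asks the directory and verifies the signature. The Go program below is an added example, not code from the patent or from any product implementing it, that plays that exchange through end to end, including the delegation step of claim 9 (the certifying authority signs the status signer's public key pk) and the revocation case. Ed25519 stands in for the signature schemes the claims leave unspecified; the day indices, the serial numbers 1001 and 1002, the message encoding and the rule that a "valid" record must carry the current date are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// CRS is one status record of the claims: a signature over (serial, date j, flag).
type CRS struct {
	Serial string
	Day    int  // position j in the sequence of dates
	Valid  bool // true = "continues to be valid", false = "no longer valid"
	Sig    []byte
}

// crsMessage length-prefixes the serial so no two (serial, day, flag) triples share an encoding.
func crsMessage(serial string, day int, valid bool) []byte {
	return []byte(fmt.Sprintf("CRS-v1|%d:%s|%d|%t", len(serial), serial, day, valid))
}

// SignCRS is the status signer's daily step for one certificate.
func SignCRS(sk ed25519.PrivateKey, serial string, day int, valid bool) CRS {
	return CRS{serial, day, valid, ed25519.Sign(sk, crsMessage(serial, day, valid))}
}

// Delegate is claim 9's first step (the CA signs the status signer's pk);
// VerifyDelegation is what a relying party checks before trusting pk.
func Delegate(caPriv ed25519.PrivateKey, pk ed25519.PublicKey) []byte {
	return ed25519.Sign(caPriv, append([]byte("CRS-delegate|"), pk...))
}
func VerifyDelegation(caPub, pk ed25519.PublicKey, sig []byte) bool {
	return ed25519.Verify(caPub, append([]byte("CRS-delegate|"), pk...), sig)
}

// Directory maps serial number to the latest received CRS; Store keeps a record
// only if newer, so a re-sent older "valid" record cannot displace a revocation.
type Directory map[string]CRS

func (d Directory) Store(c CRS) {
	if old, ok := d[c.Serial]; !ok || c.Day > old.Day {
		d[c.Serial] = c
	}
}

var ErrBadSig = errors.New("crs: signature does not verify under pk")
var ErrStale = errors.New("crs: 'valid' record is not for the current date")

// CheckStatus verifies the signature, treats a revocation as permanent and accepts
// a "valid" record only for today's date (a freshness rule assumed here, not claimed).
func CheckStatus(pk ed25519.PublicKey, c CRS, today int) (bool, error) {
	if !ed25519.Verify(pk, crsMessage(c.Serial, c.Day, c.Valid), c.Sig) {
		return false, ErrBadSig
	}
	if !c.Valid {
		return false, nil
	}
	if c.Day != today {
		return false, ErrStale
	}
	return true, nil
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// RunScenario plays two days of the protocol with constructed serial numbers
// and reports what a relying party concludes on day 2.
func RunScenario() map[string]bool {
	caPub, caPriv := mustKey()
	pk, sk := mustKey() // the "other entity" of claim 9
	dir, r := Directory{}, map[string]bool{}
	r["delegation_ok"] = VerifyDelegation(caPub, pk, Delegate(caPriv, pk))
	old := SignCRS(sk, "1002", 1, true) // day 1: both certificates valid
	dir.Store(SignCRS(sk, "1001", 1, true))
	dir.Store(old)
	dir.Store(SignCRS(sk, "1001", 2, true)) // day 2: 1002 has been revoked
	dir.Store(SignCRS(sk, "1002", 2, false))
	dir.Store(old) // the day-1 "valid" record for 1002 is re-sent
	v, err := CheckStatus(pk, dir["1001"], 2)
	r["1001_valid"] = err == nil && v
	v, err = CheckStatus(pk, dir["1002"], 2)
	r["1002_revoked"] = err == nil && !v && dir["1002"].Day == 2
	_, err = CheckStatus(pk, old, 2)
	r["stale_detected"] = errors.Is(err, ErrStale)
	forged := dir["1002"]
	forged.Valid = true // un-revoking by flipping the flag must break the signature
	_, err = CheckStatus(pk, forged, 2)
	r["tamper_detected"] = errors.Is(err, ErrBadSig)
	return r
}

func main() { fmt.Println(RunScenario()) }
```

Run it with `go run` and every entry of the printed map is true. Two details carry the security of the scheme and are easy to get wrong: the three quantities must be signed as one unambiguous message (here the serial is length-prefixed, so "1" with date 12 and "11" with date 2 cannot collide), and the directory's "latest received" rule must compare dates rather than arrival order, otherwise an old "valid" record replayed after a revocation would be the one served to relying parties.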