Certificate revocation system

US 6,766,450 B2
Filed: 07/25/2001
Issued: 07/20/2004
Est. Priority Date: 10/24/1995
Status: Expired due to Term

First Claim

Patent Images

1. A method of conveying status information about a certificate that is part of a plurality of certificates, comprising:

at every date j of a sequence of dates, and for every certificate i of the plurality of certificates, if i continues to be valid, having a certifying authority compute individual certificate revocation status information CRSi about i by digitally signing together i'"'"'s serial number, date j and an indication that i continues to be valid, or, if i ceases to be valid, having the certifying authority compute individual certificate revocation status CRSi by digitally signing together certificate i'"'"'s serial number, date j, and an indication that the certificate is no longer valid;

providing the digitally signed CRSi to a directory;

for each certificate i in the plurality of certificates, having the directory store the latest received CRSi; and

in response to an inquiry about revocation status of certificate i, having the directory provide the latest receiver CRSi.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of managing certificates in a communication system having a certifying authority and a directory. Preferably, the method begins by having the certifying authority generate certificates by digitally signing a given piece of data. At a later point time, the certifying authority may produce a string that proves whether a particular certificate is currently valid without also proving the validity of at least some other certificates. The technique obviates use of certification revocation lists communicated between the certifying authority and the directory.

Citations

39 Claims

1. A method of conveying status information about a certificate that is part of a plurality of certificates, comprising:
- at every date j of a sequence of dates, and for every certificate i of the plurality of certificates, if i continues to be valid, having a certifying authority compute individual certificate revocation status information CRSi about i by digitally signing together i'"'"'s serial number, date j and an indication that i continues to be valid, or, if i ceases to be valid, having the certifying authority compute individual certificate revocation status CRSi by digitally signing together certificate i'"'"'s serial number, date j, and an indication that the certificate is no longer valid;
  
  providing the digitally signed CRSi to a directory;
  
  for each certificate i in the plurality of certificates, having the directory store the latest received CRSi; and
  
  in response to an inquiry about revocation status of certificate i, having the directory provide the latest receiver CRSi.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method according to claim 1, wherein digitally signing includes digitally signing with respect to a public verification key pk, which is digitally signed by the certifying authority with respect to another public verification key PK.
  - 3. A method according to claim 2, wherein having pk digitally signed by the certifying authority includes having pk be a quantity within the plurality of certificates and having the certifying authority digitally sign the certificates with respect to PK.
  - 4. A method according to claim 2, wherein digitally signing with respect to the public verification key pk includes digitally signing using an off-line digital signature scheme.
  - 5. A method according to claim 1, wherein the indication that i continues so to be valid includes the string YES.
  - 6. A method according to claim 1, wherein the certificate revocation status information CRSi of a no longer valid certificate i includes a revocation signature indicating that i has been revoked together with i'"'"'s revocation date.
  - 7. A method according to claim 6, wherein the revocation signature of the no longer valid certificate i is not sent to the directory at every subsequent date.
  - 8. A method according to claim 1, wherein the directory is not trusted and can not make a valid certificate revoked and can not make a revoked certificate valid.

9. A method of conveying status information about a certificate that is part of a plurality of certificates, comprising:
- having a certifying authority digitally sign using a first digital signature scheme the public key pk of a second signature scheme, wherein pk'"'"'s secret key is known to an other entity;
  
  at every date j of a sequence of dates, and for every certificate i of the plurality of certificates, if i continues to be valid, having the other entity compute individual certificate revocation status information CRSi about i by digitally signing together, with respect to public key pk, i'"'"'s serial number, date j and an indication that i continues to be valid, or, if i ceases to be valid, having the other entity compute individual certificate revocation status CRSi by digitally signing together, with respect to public key pk, certificate i'"'"'s serial number, date j and an indication that the certificate is no longer valid;
  
  providing the digitally signed CRSi to the directory;
  
  for each certificate i in the plurality of certificates, having the directory store the latest received CRSi; and
  
  in response to an inquiry about revocation status of certificate i, having the directory provide the latest received CRSi.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. A method according to claim 9, wherein having the certifying authority digitally sign pk includes having pk be a quantity within the plurality of certificates and having the certifying authority digitally sign the plurality of certificates using the first signature scheme.
  - 11. A method according to claim 9, wherein the indication that i continues to be valid includes the string YES.
  - 12. A method according to claim 10, wherein the certificate revocation status information CRSi of a no longer valid certificate i includes a revocation signature indicating that i has been revoked together with i'"'"'s revocation date.
  - 13. A method according to claim 12, wherein the revocation signature of the no longer valid certificate i is not sent to the directory at every subsequent date.
  - 14. A method according to claim 9, wherein the directory is not trusted and can not make a revoked certificate valid and can not make a valid certificate revoked.

15. A method of conveying status information about a certificate that is part of a plurality of certificates, comprising:
- having a certifying authority digitally sign using a first digital signature scheme the public key pk of a second signature scheme, wherein pk'"'"'s secret key is known to an other entity;
  
  at every date j of a sequence of dates, and for every certificate i of the plurality of certificates, if i continues to be valid, having the other entity compute individual certificate revocation status information CRSi about i by digitally signing together, with respect to public key pk, i'"'"'s serial number, date j and an indication that i continues to be valid, or, if i ceases to be valid, having the second entity compute individual certificate revocation status CRSi by digitally signing together, with respect to public key pk, certificate i'"'"'s serial number, date j and an indication that the certificate is no longer valid;
  
  providing the digitally signed CRSi to the directory;
  
  for each certificate i in the plurality of certificates, have the directory store the latest received CRSi; and
  
  in response to an inquiry out revocation status of certificate i, having the directory provide the latest received CRSi.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. A method according to claim 15, wherein having the certifying authority digitally sign pk includes having pk be a quantity within the plurality of certificates and having the certifying authority digitally sign the plurality of certificates using the first signature scheme.
  - 17. A method according to claim 15, wherein the indication that i continues to be valid includes the string YES.
  - 18. A method according to claim 15, wherein the certificate revocation status information CRSi of a no longer valid certificate i includes a revocation signature indicating that i has been revoked together with i'"'"'s revocation date.
  - 19. A method according to claim 18, wherein the revocation signature of the no longer valid certificate i is not sent to the directory at every subsequent date.
  - 20. A method according to claim 15, wherein the directory is not trusted and can not make a valid certificate revoked can not make a revoked certificate valid.

21. A method of preparing certificate revocation status information about a plurality of certificates issued by a first entity, comprising:
- at every date j of a sequence of dates, and for every certificate i of the plurality of certificates, if i continues to be valid, having a second entity compute individual certificate revocation status information CRSi about i by digitally signing together, with respect to public key pk of the second entity, i'"'"'s serial number, date j and an indication that i continues to be valid, or, if i ceases to be valid, having the second entity compute individual certificate revocation status CRSi by digitally signing together, with respect to public key pk of the second entity, certificate i'"'"'s serial number, date j, and an indication that the certificate is no longer valid; and
  
  providing the digitally signed CRSi to a directory for handling queries about the certificate revocation status of certificate i.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. A method according to claim 21, wherein the public key pk of the second entity is digitally signed by a first entity with respect to a public key of the first entity.
  - 23. A method according to claim 22, wherein the public key pk of the second entity is digitally signed by the first entity by making pk a quantity within the plurality of certificates and having the first entity digitally sign the plurality of certificates with respect to the public key PK.
  - 24. A method according to claim 21, wherein the certificate revocation status information CRSi of a no longer valid certificate i includes a revocation signature indicating that i has been revoked together with i'"'"'s revocation date.
  - 25. A method according to claim 24, wherein, the revocation signature of the no longer valid certificate i is not sent to the directory at every subsequent date.
  - 26. A method according to claim 21, wherein the directory is not trusted and can not make a valid certificate revoked and can not make a revoked certificate valid.

27. A method of preparing certificate revocation status information about a plurality of certificates, comprising:
- at every date j of a sequence of dates, and for every certificate i of the plurality of certificates, if i continues to be valid, having a directory receive individual certificate revocation status information CRSi about i consisting of a digital signature, with respect to public key pk, of at least the following three quantities taken together;
  
  (1) i'"'"'s serial number, (2) date j and (3) an indication that i continues to be valid, or, if i ceases to be valid, having the directory receive individual certificate revocation status CRSi about i consisting of the digital signature of the following three quantities taken together;
  
  (1) certificate i'"'"'s serial number, (2) date j, and (3) an indication that the certificate is no longer valid;
  
  having the directory store CRSi; and
  
  having the directory provide the latest received CRSi in response to queries about the certificate revocation status of certificate i.
- View Dependent Claims (28, 29, 30, 31)
- - 28. A method according to 27, wherein the public key pk is included in the plurality of certificates.
  - 29. A method according to claim 27, wherein the certificate revocation status information CRSi of a no longer valid certificate i includes a revocation signature indicating that i has been revoked together with i'"'"'s revocation date.
  - 30. A method according to claim 29, wherein, the revocation signature of the no longer valid certificate i is not received by the directory at every subsequent date.
  - 31. A method according to claim 27, wherein the directory is not trusted and can not make a valid certificate revoked and can not make a revoked certificate valid.

32. A method of conveying status information about a certificate that is part a plurality of certificates, comprising:
- at every date j of a sequence of dates, and for every certificate i of the plurality of certificates that continues to valid, having a certifying authority compute individual certificate revocation status information CRSi about i by digitally signing together i'"'"'s serial number, date j and an indication that i continues to be valid;
  
  providing the digitally signed CRSi to a directory;
  
  for each certificate i in the plurality of certificates that continues to be valid, having the directory store the latest received CRSi; and
  
  in response to an inquiry about the revocation status of certificate i, having the directory provide the latest received CRSi, wherein whenever a certificate becomes no longer valid, the certifying authority computes a direct signature that the certificate has been revoked and sends it to the directory, and wherein the directory provides the direct signature in response to an inquiry about the status of the certificate.
- View Dependent Claims (33)
- - 33. A method as in claim 32, wherein digitally signing is digitally signing with respect a public key included in the plurality of certificates.

34. A method of conveying status information about a certificate that is part of a plurality of certificates issued by a certifying authority, comprising:
- having the certifying authority digitally sign using a first digital signature scheme the public key pk of a second signature scheme, wherein pk'"'"'s secret key is known to an other entity;
  
  at every date j of a sequence of dates, and for every certificate i of the plurality of certificates that continue to be valid, having the other entity compute individual certificate revocation status information CRSi about i by digitally signing together, with respect to public key pk, i'"'"'s serial number, date j and an indication that i continues to be valid;
  
  providing the digitally signed CRSi to a directory;
  
  for each certificate i in the plurality of certificates, having the directory store the latest received CRSi; and
  
  in response to a request about the revocation status of certificate i, having the directory provide the latest received CRSi, wherein whenever a certificate becomes no longer valid, the other entity computes a direct signature indicating that the certificate has been revoked and sends it to the directory, and wherein the directory forwards the direct signature in response to an inquiry about the certificate revocation status of the certificate.
- View Dependent Claims (35)
- - 35. A method as in claim 34, wherein having the certifying authority digitally sign pk includes having the public key pk be included in the plurality of certificates and having the certifying authority digitally sign the plurality of certificates using the first digital scheme.

36. A method of preparing certificate revocation status information about a plurality of certificates issued by a first entity, comprising:
- at every date j of a sequence of dates, and for every certificate i of the plurality of certificates that continue to be valid, having a second entity compute individual certificate revocation status information CRSi about i by digitally signing together, with respect to a public key pk, i'"'"'s serial number, date j and an indication that i continues to be valid; and
  
  providing the digitally signed CRSi to a directory to handle queries about the certificate revocation status of certificate i, wherein whenever a certificate becomes no longer valid, the certifying authority computes a direct signature that the certificate has been revoked and sends the direct signature to the directory for providing in response to an inquiry about the certificate evocation status of the certificate.
- View Dependent Claims (37)
- - 37. A method as in claim 36, wherein the public key pk is included in each of the plurality of certificates.

38. A method of preparing certificate revocation status information about a plurality of certificates, comprising:
- at every date j of a sequence of dates, and for every certificate i of the plurality of certificates that continues to be valid, having a directory receive individual certificate revocation status information CRSi about i consisting of a digital signature, with respect to public key pk, of at least the following three quantities together;
  
  (1) i'"'"'s serial number, (2) date j and (3) an indication that i continues to be valid, having the directory store CRSi; and
  
  having the directory provide the latest received CRSi in response to queries about the certificate revocation status of certificate i, wherein whenever a certificate becomes no longer valid, the directory receives a direct signature that the certificate has been revoked, stores the direct signature, and provides the direct signature in response to inquiries about the certificate revocation status of the certificate.
- View Dependent Claims (39)
- - 39. A method as in claim 38, wherein the public key pk is included in each of the plurality of certificates.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Assa Abloy AB
Original Assignee
Corestreet, Ltd. (Assa Abloy AB)
Inventors
Micali, Silvio
Primary Examiner(s)
Morse, Gregory
Assistant Examiner(s)
Lipman, Jacob

Application Number

US09/915,180
Publication Number

US 20020107814A1
Time in Patent Office

1,091 Days
Field of Search

713/158
US Class Current

713/158
CPC Class Codes

G06Q 20/02   involving a neutral party, ...

G06Q 20/3674   involving authentication

H04L 9/321   involving a third party or ...

H04L 9/3247   involving digital signatures

H04L 9/3268   using certificate validatio...

Certificate revocation system

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Certificate revocation system

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links