Method and system for a policy enforcing module
First Claim
1. A method for automated policy enforcement during issuance of a certificate by a PKI component, comprising the steps of:
- receiving one or more interface commands in a policy enforcing module; and
automatically enforcing, with the policy enforcing module, a policy governing issuance of the certificate in response to said one or more interface commands.
2 Assignments
0 Petitions
Accused Products
Abstract
A programmable policy module (PPM) allows a user to configure specific policy elements available from a software application, in order to meet a particular assurance level. The policy will then be enforced by the PPM to meet a target set of policy requirements. In one embodiment, the PPM provides the linkage between the certificate policy identified in an X.509 certificate extension, and the execution of a module that enforces the specific policy elements during the process of digital certificate registration. The PPM can execute at the Registration Authority (RA) in a Public Key Infrastructure (PKI), and can permit enforcement of the policy elements in the Certificate Policy (CP) which governs the operations of the RA.
59 Citations
42 Claims
-
1. A method for automated policy enforcement during issuance of a certificate by a PKI component, comprising the steps of:
-
receiving one or more interface commands in a policy enforcing module; and
automatically enforcing, with the policy enforcing module, a policy governing issuance of the certificate in response to said one or more interface commands. - View Dependent Claims (2, 3, 4)
-
-
5. A method for automatically enforcing policy during issuance of a certificate by a PKI component, comprising the steps of:
-
in said PKI component;
initializing a user policy information table;
determining one or more policy identifiers applicable to said PKI component;
opening an interface to a policy enforcing module corresponding to one of said policy identifiers;
automatically configuring said user policy information table with information from said policy enforcing module governing issuance of the certificate;
automatically negotiating one or more certificate versions between said policy enforcing module and said PKI component in accordance with said information from said policy enforcing module governing issuance of the certificate;
automatically negotiating one or more algorithm domains between said policy enforcing module and said PKI component in accordance with said information from said policy enforcing module governing issuance of the certificate; and
automatically validating responses of said policy enforcing module. - View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
decoding one or more policy identifiers from a certificate; and
identifying one or more policy enforcing modules corresponding to said one or more policy identifiers.
-
-
7. A method as in claim 6, wherein said certificate is formatted in accordance with the X.509 standard.
-
8. A method as in claim 7, wherein one or more of said policy identifiers is an object identifier as defined in X.680.
-
9. A method as in claim 5, wherein said opening step further comprises calling a subroutine for initiating operation of said policy enforcing module.
-
10. A method as in claim 9, wherein said calling step further comprises the steps of:
-
initializing a shared area of memory; and
specifying pointers to said shared area of memory.
-
-
11. A method as in claim 5, wherein said PKI component is a registration authority.
-
12. A method as in claim 5, wherein said PKI component is a certification authority.
-
13. A method as in claim 5, wherein said configuring step further comprises the steps of:
-
binding the user to one or more policies corresponding to said one or more policy enforcing module;
loading the descriptions of one or more policies from said one or more policy enforcing module;
determining one or more request operations permitted under said one or more policies from said one or more policy enforcing modules; and
populating said user policy information table with said policy identifiers, said descriptions, and said request operations of one or more policies from said one or more policy enforcing module.
-
-
14. A method as in claim 5, wherein said configuring step further comprises the steps of:
-
generating one or more data entry windows; and
displaying said data entry windows.
-
-
15. A method as in claim 14, wherein said data entry windows further comprise one or more property pages.
-
16. A method as in claim 15, wherein a plurality of said property pages further comprise a property sheet.
-
17. A method as in claim 14, wherein said generating step further comprises the steps of:
-
initializing a computer application data entry window;
initializing an administration data entry window; and
initializing policy enforcing module data entry windows.
-
-
18. A system for automated policy enforcement during issuance of a certificate by a PKI component, comprising:
-
means for receiving one or more interface commands in a policy enforcing module; and
means for automatically enforcing, with the policy enforcing module, a policy governing issuance of the certificate in response to said one or more interface commands. - View Dependent Claims (19, 20, 21)
-
-
22. A system for automatically enforcing policy during issuance of a certificate by a PKI component, comprising:
-
in said PKI component;
means for initializing a user policy information table;
means for determining one or more policy identifies applicable to said PKI component;
means for opening an interface to a policy enforcing module corresponding to one of said policy identifiers;
means for automatically configuring said user policy information table with information from said policy enforcing module governing issuance of the certificate;
means for automatically negotiating one or more certificate versions between said policy enforcing module and said PKI component in accordance with said information from said policy enforcing module governing issuance of the certificate;
means for automatically negotiating one or more algorithm domains between said policy enforcing module and said PKI component in accordance with said information from said policy enforcing module governing issuance of the certificate; and
means for automatically validating responses of said policy enforcing module. - View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
means for decoding one or more policy identifiers from a certificate; and
means for identifying one or more policy enforcing modules corresponding to said one or more policy identifiers.
-
-
24. A system as in claim 23, wherein said certificate is formatted in accordance with the X.509 standard.
-
25. A system as in claim 24, wherein one or more of said policy identifiers is an object identifier as defined in X.680.
-
26. A system as in claim 22, wherein said means for opening further comprises calling a subroutine for initiating operation of said policy enforcing module.
-
27. A system as in claim 26, wherein said means for calling further comprises:
-
means for initializing a shared area of memory; and
means for specifying pointers to said shared area of memory.
-
-
28. A system as in claim 22, wherein said PKI component is a registration authority.
-
29. A system as in claim 22, wherein said PKI component is a certification authority.
-
30. A system as in claim 22, wherein said means for configuring further comprises:
-
means for binding the user to one or more policies corresponding to said one or more policy enforcing module;
means for loading the descriptions of one or more policies from said one or more policy enforcing module;
means for determining one or more request operations permitted under said one or more policies from said one or more policy enforcing modules; and
means for populating said user policy information table with said policy identifiers, said descriptions, and said request operations of one or more policies from said one or more policy enforcing module.
-
-
31. A system as in claim 22, wherein said means for configuring further comprises:
-
means for generating one or more data entry windows; and
means for displaying said data entry windows.
-
-
32. A system as in claim 31, wherein said data entry windows further comprise one or more property pages.
-
33. A system as in claim 32, wherein a plurality of said property pages further comprise a property sheet.
-
34. A system as in claim 31, wherein said means for generating further comprises:
-
means for initializing a computer application data entry window;
means for initializing an administration data entry window; and
means for initializing policy enforcing module data entry windows.
-
-
35. A method for creating a policy enforcement module for use in automatically enforcing policy during issuance of a certificate by a PKI component, comprising the steps of:
-
creating core communications infrastructure functionality governing issuance of a certificate;
integrating said core communications infrastructure functionality with specific communications infrastructure functionality governing issuance of a certificate that is particular to one or more PKI components; and
testing said integrated combination. - View Dependent Claims (36, 37, 38, 39, 40, 41)
entering a name for a policy issuer;
inputting the definition of one or more policies;
adding functional support for said policies; and
combining said name, said definitions, and said functional support.
-
-
40. A method as in claim 39, wherein said inputting step further comprises:
-
entering a name for the policy;
adding an object identifier for said policy;
adding a description for said policy; and
adding features specific to said policy.
-
-
41. A method as in claim 35, wherein said integrating step further comprises compiling code for said communications infrastructure functionality with code for said specific communications infrastructure functionality.
-
42. A general purpose computer system for use in automatically enforcing policy during issuance of a certificate by a PKI component, comprising:
-
one or more policy enforcing modules adapted to enforce a policy governing issuance of the certificate;
means for determining one or more policy identifiers;
means for opening an interface to said one or more policy enforcing modules in accordance with said one or more policy identifiers;
means for automatically negotiating one or more certificate versions with said one or more policy enforcing modules in accordance with said policy governing issuance of the certificate; and
means for automatically negotiating one or more algorithm domains with said one or more policy enforcing modules in accordance with said policy governing issuance of the certificate.
-
Specification