Method and system for a policy enforcing module

US 6,816,965 B1
Filed: 07/16/1999
Issued: 11/09/2004
Est. Priority Date: 07/16/1999
Status: Expired due to Term

First Claim

Patent Images

1. A method for automated policy enforcement during issuance of a certificate by a PKI component, comprising the steps of:

receiving one or more interface commands in a policy enforcing module; and

automatically enforcing, with the policy enforcing module, a policy governing issuance of the certificate in response to said one or more interface commands.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A programmable policy module (PPM) allows a user to configure specific policy elements available from a software application, in order to meet a particular assurance level. The policy will then be enforced by the PPM to meet a target set of policy requirements. In one embodiment, the PPM provides the linkage between the certificate policy identified in an X.509 certificate extension, and the execution of a module that enforces the specific policy elements during the process of digital certificate registration. The PPM can execute at the Registration Authority (RA) in a Public Key Infrastructure (PKI), and can permit enforcement of the policy elements in the Certificate Policy (CP) which governs the operations of the RA.

59 Citations

View as Search Results

42 Claims

1. A method for automated policy enforcement during issuance of a certificate by a PKI component, comprising the steps of:
- receiving one or more interface commands in a policy enforcing module; and
  
  automatically enforcing, with the policy enforcing module, a policy governing issuance of the certificate in response to said one or more interface commands.
- View Dependent Claims (2, 3, 4)
- - 2. A method as in claim 1, wherein said enforcing step further comprises generating one or more data entry windows.
  - 3. A method as in claim 2, wherein said one or more data entry windows further comprise property pages.
  - 4. A method as in claim 3, wherein a plurality of said property pages comprise a property sheet.

5. A method for automatically enforcing policy during issuance of a certificate by a PKI component, comprising the steps of:
- in said PKI component;
  
  initializing a user policy information table;
  
  determining one or more policy identifiers applicable to said PKI component;
  
  opening an interface to a policy enforcing module corresponding to one of said policy identifiers;
  
  automatically configuring said user policy information table with information from said policy enforcing module governing issuance of the certificate;
  
  automatically negotiating one or more certificate versions between said policy enforcing module and said PKI component in accordance with said information from said policy enforcing module governing issuance of the certificate;
  
  automatically negotiating one or more algorithm domains between said policy enforcing module and said PKI component in accordance with said information from said policy enforcing module governing issuance of the certificate; and
  
  automatically validating responses of said policy enforcing module.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 6. A method as in claim 5, wherein said determining step further comprises the steps of:
7. A method as in claim 6, wherein said certificate is formatted in accordance with the X.509 standard.
8. A method as in claim 7, wherein one or more of said policy identifiers is an object identifier as defined in X.680.
9. A method as in claim 5, wherein said opening step further comprises calling a subroutine for initiating operation of said policy enforcing module.
10. A method as in claim 9, wherein said calling step further comprises the steps of:
- initializing a shared area of memory; and
  
  specifying pointers to said shared area of memory.
11. A method as in claim 5, wherein said PKI component is a registration authority.
12. A method as in claim 5, wherein said PKI component is a certification authority.
13. A method as in claim 5, wherein said configuring step further comprises the steps of:
- binding the user to one or more policies corresponding to said one or more policy enforcing module;
  
  loading the descriptions of one or more policies from said one or more policy enforcing module;
  
  determining one or more request operations permitted under said one or more policies from said one or more policy enforcing modules; and
  
  populating said user policy information table with said policy identifiers, said descriptions, and said request operations of one or more policies from said one or more policy enforcing module.
14. A method as in claim 5, wherein said configuring step further comprises the steps of:
- generating one or more data entry windows; and
  
  displaying said data entry windows.
15. A method as in claim 14, wherein said data entry windows further comprise one or more property pages.
16. A method as in claim 15, wherein a plurality of said property pages further comprise a property sheet.
17. A method as in claim 14, wherein said generating step further comprises the steps of:
- initializing a computer application data entry window;
  
  initializing an administration data entry window; and
  
  initializing policy enforcing module data entry windows.

18. A system for automated policy enforcement during issuance of a certificate by a PKI component, comprising:
- means for receiving one or more interface commands in a policy enforcing module; and
  
  means for automatically enforcing, with the policy enforcing module, a policy governing issuance of the certificate in response to said one or more interface commands.
- View Dependent Claims (19, 20, 21)
- - 19. A system as in claim 18, wherein said means for enforcing further comprises means for generating one or more data entry windows.
  - 20. A system as in claim 19, wherein said one or more data entry windows further comprise property pages.
  - 21. A system as in claim 20, wherein a plurality of said property pages comprise a property sheet.

22. A system for automatically enforcing policy during issuance of a certificate by a PKI component, comprising:
- in said PKI component;
  
  means for initializing a user policy information table;
  
  means for determining one or more policy identifies applicable to said PKI component;
  
  means for opening an interface to a policy enforcing module corresponding to one of said policy identifiers;
  
  means for automatically configuring said user policy information table with information from said policy enforcing module governing issuance of the certificate;
  
  means for automatically negotiating one or more certificate versions between said policy enforcing module and said PKI component in accordance with said information from said policy enforcing module governing issuance of the certificate;
  
  means for automatically negotiating one or more algorithm domains between said policy enforcing module and said PKI component in accordance with said information from said policy enforcing module governing issuance of the certificate; and
  
  means for automatically validating responses of said policy enforcing module.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 23. A system as in claim 22, wherein said means for determining further comprises:
24. A system as in claim 23, wherein said certificate is formatted in accordance with the X.509 standard.
25. A system as in claim 24, wherein one or more of said policy identifiers is an object identifier as defined in X.680.
26. A system as in claim 22, wherein said means for opening further comprises calling a subroutine for initiating operation of said policy enforcing module.
27. A system as in claim 26, wherein said means for calling further comprises:
- means for initializing a shared area of memory; and
  
  means for specifying pointers to said shared area of memory.
28. A system as in claim 22, wherein said PKI component is a registration authority.
29. A system as in claim 22, wherein said PKI component is a certification authority.
30. A system as in claim 22, wherein said means for configuring further comprises:
- means for binding the user to one or more policies corresponding to said one or more policy enforcing module;
  
  means for loading the descriptions of one or more policies from said one or more policy enforcing module;
  
  means for determining one or more request operations permitted under said one or more policies from said one or more policy enforcing modules; and
  
  means for populating said user policy information table with said policy identifiers, said descriptions, and said request operations of one or more policies from said one or more policy enforcing module.
31. A system as in claim 22, wherein said means for configuring further comprises:
- means for generating one or more data entry windows; and
  
  means for displaying said data entry windows.
32. A system as in claim 31, wherein said data entry windows further comprise one or more property pages.
33. A system as in claim 32, wherein a plurality of said property pages further comprise a property sheet.
34. A system as in claim 31, wherein said means for generating further comprises:
- means for initializing a computer application data entry window;
  
  means for initializing an administration data entry window; and
  
  means for initializing policy enforcing module data entry windows.

35. A method for creating a policy enforcement module for use in automatically enforcing policy during issuance of a certificate by a PKI component, comprising the steps of:
- creating core communications infrastructure functionality governing issuance of a certificate;
  
  integrating said core communications infrastructure functionality with specific communications infrastructure functionality governing issuance of a certificate that is particular to one or more PKI components; and
  
  testing said integrated combination.
- View Dependent Claims (36, 37, 38, 39, 40, 41)
- - 36. A method as in claim 35, wherein said communications infrastructure components include PKI components.
  - 37. A method as in claim 36, wherein said PKI component is a registration authority.
  - 38. A method as in claim 37, wherein said PKI component is a certification authority.
  - 39. A method as in claim 35, wherein said creating step further comprises:
40. A method as in claim 39, wherein said inputting step further comprises:
- entering a name for the policy;
  
  adding an object identifier for said policy;
  
  adding a description for said policy; and
  
  adding features specific to said policy.
41. A method as in claim 35, wherein said integrating step further comprises compiling code for said communications infrastructure functionality with code for said specific communications infrastructure functionality.

42. A general purpose computer system for use in automatically enforcing policy during issuance of a certificate by a PKI component, comprising:
- one or more policy enforcing modules adapted to enforce a policy governing issuance of the certificate;
  
  means for determining one or more policy identifiers;
  
  means for opening an interface to said one or more policy enforcing modules in accordance with said one or more policy identifiers;
  
  means for automatically negotiating one or more certificate versions with said one or more policy enforcing modules in accordance with said policy governing issuance of the certificate; and
  
  means for automatically negotiating one or more algorithm domains with said one or more policy enforcing modules in accordance with said policy governing issuance of the certificate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SPEX Technologies, Inc.
Original Assignee
Spyrus, Inc.
Inventors
OʼConnor, Peter V., Moore, Charles R. J.
Primary Examiner(s)
Wright, Norman M.

Application Number

US09/354,234
Time in Patent Office

1,943 Days
Field of Search

713/156, 713/157, 713/200, 713/201, 713/158, 713/155, 713/151
US Class Current

713/158
CPC Class Codes

H04L 63/0442   wherein the sending and rec...

H04L 63/0823   using certificates cryptogr...

H04L 63/20   for managing network securi...

H04L 9/007   involving hierarchical stru...

H04L 9/3263   involving certificates, e.g...

Method and system for a policy enforcing module

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

59 Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for a policy enforcing module

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links