Client controlled data recovery management
Abstract
Methods and systems in accordance with the present invention allow users' private keys corresponding to their digital certificates to be stored and archived outside of the control of a Certificate Authority (“CA”). A CA may have a policy that a user's private key must be archived in order to receive a digital certificate upon a registration request from the user. Typically, the CA knows that the user's private key is archived because it implements the archival of the key, for example, on a data recovery manager and associated internal database that the CA controls. Methods and systems in accordance with the present invention allow for the enforcement of such a policy while allowing the archival of the private keys to be outside of the control of the CA by having a data recovery manager supply a digitally signed proof of archival token with a digital certificate request to a CA. The CA is assured that the key has been archived. Methods and systems allow for the data recovery manager and a database of archived keys to be controlled by other entities, including the user or client, for example.
10 Claims
1. A method in a data processing system for requesting a digital certificate from a certificate authority and archiving an encryption key outside of the certificate authority, comprising:
receiving, at a registration manager, a request from a user for a digital certificate, the request including an encryption key associated with the user;
encrypting the user's encryption key with a first archival key;
providing, by the registration manager, the user's encryption key that is encrypted with the first archival key;
storing, by a recovery manager, the encrypted user's encryption key in a database;
providing, by the recovery manager to the registration manager, an indication of proof of storing the encrypted user's encryption key, wherein the indication of proof is signed with a second archival key;
verifying, by the registration manager, the signed indication of proof based on the first archival key; and
providing, by the registration manager, the request to the certificate authority based on the verification of the signed indication of proof.
(Dependent claims: 2, 3, 4, 5, 6)

7. A method in a data processing system for requesting a digital certificate from a certificate authority and archiving an encryption key outside of the certificate authority, comprising:
receiving a request for a digital certificate from a user to a registration manager, the request including an encryption key associated with the user;
providing, by the registration manager to a recovery manager, the user's encryption key that is encrypted with a first archival key;
digitally signing, at a recovery manager, an indication of proof of archival of the encryption key for the user in a database;
verifying, by the registration manager, the digitally signed indication of proof based on a first archival key;
sending, by the registration manager to the certificate authority, a request for a digital certificate based on the verifying; and
receiving, from the certificate authority, a digital certificate in response to the request.

8. A data processing system for requesting a digital certificate from a certificate authority and archiving an encryption key under control of an entity other than the certificate authority, comprising:
a registration manager configured to receive a digital certificate request including a user's encryption key, send the user's encryption key, and in response receive an indication of proof of archival of the user's encryption key;
a data recovery manager configured to receive the user's encryption key, send the user's encryption key to a database controlled by an entity other than the certificate authority for archiving, create the indication of proof of archival, and send the indication of proof of archival to the registration manager; and
a certificate authority configured to receive, from the registration manager, a request for a digital certificate for the user, the request including the indication of proof of archival, and issue a digital certificate when it is determined that the indication of proof of archival was received.

9. A computer-readable medium containing instructions for controlling a data processing system to perform a method for requesting a digital certificate from a certificate authority and archiving an encryption key outside of the certificate authority, the method comprising the steps of:
receiving, at a recovery manager, a user encryption key from a registration manager that manages certificates for the user, the encryption key being signed by a first archival key;
digitally signing, by the recovery manager, an indication of proof of archival of the user's encryption key in a database under the control of an entity separate from the certificate authority, wherein the indication of proof is signed with a second archival key;
providing, by the recovery manager, the signed indication of proof to the registration manager;
verifying, by the registration manager, the digitally signed indication of proof based on the first archival key;
sending, by the registration manager, a request for a digital certificate based on the verified digitally signed indication of proof; and
receiving, by the registration manager, a digital certificate in response to the request.

10. A data processing system for requesting a digital certificate from a certificate authority and archiving an encryption key outside of the certificate authority, comprising:
a registration manager including:
means for receiving a request from a user for a digital certificate, the request including an encryption key associated with the user that is encrypted using a first archival key;
a recovery manager including:
means for storing the encrypted user's encryption key in a database;
means for providing an indication of proof of storing the encrypted user's encryption key, wherein the indication of proof is signed with a second archival key;
wherein the registration manager further includes means for verifying the signed indication of proof based on the first archival key, and means for providing the request to the certificate authority based on the verification of the signed indication of proof.

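The exchange the abstract and claims 1 and 7 to 10 describe, written out as an added example in Go; this is illustration code, not code from the patent or from any product implementing it. It assumes that the "first archival key" is the public half and the "second archival key" the private half of a single RSA key pair held by the recovery manager, so the registration manager can both encrypt the user's key to it (OAEP) and verify the proof (PSS) with the same key. The contents of the proof token (user id, digest of the stored blob, signature), the in-memory map standing in for the client-controlled database, the certificate string, and the user's sample key are all constructed here. The certificate authority in this example verifies the proof's signature itself rather than only checking that a proof was received, which is the check a CA relying on an externally controlled archive would want.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// ProofOfArchival is the signed token the recovery manager returns once the
// encrypted user key is stored. Its fields are an assumption: the user it
// covers and a digest that binds it to the exact blob that was archived.
type ProofOfArchival struct {
	UserID     string `json:"user_id"`
	BlobDigest []byte `json:"blob_digest"` // SHA-256 of the encrypted key blob
	Signature  []byte `json:"signature"`   // RSA-PSS over the other two fields
}

// signedPayload is the canonical byte string the signature covers
// (json.Marshal of a map sorts keys, so encoding is deterministic).
func (p ProofOfArchival) signedPayload() []byte {
	b, _ := json.Marshal(map[string]any{"user_id": p.UserID, "blob_digest": p.BlobDigest})
	return b
}

// RecoveryManager holds the second archival key (private half) and the
// archive, an in-memory map standing in for the client-controlled database.
type RecoveryManager struct {
	priv    *rsa.PrivateKey
	archive map[string][]byte
}

// Archive stores the already-encrypted key and returns a signed proof of storage.
func (d *RecoveryManager) Archive(userID string, encryptedKey []byte) (ProofOfArchival, error) {
	d.archive[userID] = append([]byte(nil), encryptedKey...)
	digest := sha256.Sum256(encryptedKey)
	proof := ProofOfArchival{UserID: userID, BlobDigest: digest[:]}
	hashed := sha256.Sum256(proof.signedPayload())
	sig, err := rsa.SignPSS(rand.Reader, d.priv, crypto.SHA256, hashed[:], nil)
	if err != nil {
		return ProofOfArchival{}, err
	}
	proof.Signature = sig
	return proof, nil
}

// VerifyProofSignature checks the token against the first archival key
// (public half). Both the registration manager and the CA use it.
func VerifyProofSignature(pub *rsa.PublicKey, proof ProofOfArchival) error {
	hashed := sha256.Sum256(proof.signedPayload())
	return rsa.VerifyPSS(pub, crypto.SHA256, hashed[:], proof.Signature, nil)
}

// CertificateAuthority enforces the archival policy: no valid proof, no certificate.
type CertificateAuthority struct {
	archivalPub *rsa.PublicKey
	serial      int
}

// Issue returns a constructed certificate string for userID if the proof checks out.
func (ca *CertificateAuthority) Issue(userID string, proof ProofOfArchival) (string, error) {
	if proof.UserID != userID {
		return "", errors.New("proof of archival is for a different user")
	}
	if err := VerifyProofSignature(ca.archivalPub, proof); err != nil {
		return "", fmt.Errorf("proof of archival rejected: %w", err)
	}
	ca.serial++
	return fmt.Sprintf("CERT{user=%s,serial=%d}", userID, ca.serial), nil
}

// RegistrationManager fronts the user: it encrypts the key to the first
// archival key, obtains and verifies the proof, and only then asks the CA.
type RegistrationManager struct {
	archivalPub *rsa.PublicKey
	drm         *RecoveryManager
	ca          *CertificateAuthority
}

// RequestCertificate runs the steps of claim 1 for one user key.
func (r *RegistrationManager) RequestCertificate(userID string, userKey []byte) (string, error) {
	encrypted, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, r.archivalPub, userKey, []byte("archival"))
	if err != nil {
		return "", err
	}
	proof, err := r.drm.Archive(userID, encrypted)
	if err != nil {
		return "", err
	}
	// The proof must cover the blob actually sent, and carry a valid signature.
	digest := sha256.Sum256(encrypted)
	if !bytes.Equal(digest[:], proof.BlobDigest) {
		return "", errors.New("proof does not cover the submitted key blob")
	}
	if err := VerifyProofSignature(r.archivalPub, proof); err != nil {
		return "", fmt.Errorf("refusing to forward request: %w", err)
	}
	return r.ca.Issue(userID, proof)
}

// NewDemoSystem wires the three parties to one freshly generated archival key pair.
func NewDemoSystem() (*RegistrationManager, *CertificateAuthority, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	ca := &CertificateAuthority{archivalPub: &priv.PublicKey}
	drm := &RecoveryManager{priv: priv, archive: map[string][]byte{}}
	return &RegistrationManager{archivalPub: &priv.PublicKey, drm: drm, ca: ca}, ca, nil
}

func main() {
	rm, _, err := NewDemoSystem()
	if err != nil {
		panic(err)
	}
	userKey := make([]byte, 32) // constructed sample standing in for the user's private key
	rand.Read(userKey)
	cert, err := rm.RequestCertificate("alice", userKey)
	fmt.Println(cert, err)
}
```

The digest in the token is what keeps a proof from being replayed for a different key blob; without it a recovery manager's signature would only attest "something for this user was stored", not that the key the registration manager just encrypted is the one in the archive.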