Method and apparatus for delegating digital signatures to a signature server

US 7,210,037 B2
Filed: 12/15/2000
Issued: 04/24/2007
Est. Priority Date: 12/15/2000
Status: Active Grant

First Claim

Patent Images

1. A method for facilitating the delegation of operations involved in providing digital signatures to a signature server, the method comprising:

allowing a user to authenticate the signature server prior to sending a message to the signature server;

receiving the message from the user at the signature server, the message including an item to be signed on behalf of the user by the signature server, a user identifier which identifies the user, and an application identifier which identifies the application being used;

authenticating the user at the signature server;

determining whether the user is authorized to request a signature for the item by communicating with an authority server that is separate from the signature server, wherein determining whether the user is authorized to request a signature for the item involves looking up an authorization for the user based upon an identifier for the user as well as an identifier for an application to which the user will send the signed item after it has been signed and returned by the signature server;

looking up a private key for the user at the signature server based on the user identifier and the application identifier, wherein looking up a private key for the user based on the user identifier and application identifier, and wherein using the private key prevents a user who is allowed to access a second application, but who is not allowed to access the application being used, from gaining access to the application being used; and

if the private key is found, signing the item with the private key for the user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a system that facilitates delegating operations involved in providing digital signatures to a signature server. The system operates by receiving a request for a digital signature from a user at the signature server, wherein the request includes an item to be signed on behalf of the user by the signature server. In response to the request, the system looks up a private key for the user at the signature server, and signs the item with the private key. Next, the system returns the signed item to the user, so that the user can send the signed item to the recipient. In one embodiment of the present invention, the system authenticates the user prior to signing the item. In one embodiment of the present invention, the system determines whether the user is authorized to sign the item prior to signing the item.

Citations

18 Claims

1. A method for facilitating the delegation of operations involved in providing digital signatures to a signature server, the method comprising:
- allowing a user to authenticate the signature server prior to sending a message to the signature server;
  
  receiving the message from the user at the signature server, the message including an item to be signed on behalf of the user by the signature server, a user identifier which identifies the user, and an application identifier which identifies the application being used;
  
  authenticating the user at the signature server;
  
  determining whether the user is authorized to request a signature for the item by communicating with an authority server that is separate from the signature server, wherein determining whether the user is authorized to request a signature for the item involves looking up an authorization for the user based upon an identifier for the user as well as an identifier for an application to which the user will send the signed item after it has been signed and returned by the signature server;
  
  looking up a private key for the user at the signature server based on the user identifier and the application identifier, wherein looking up a private key for the user based on the user identifier and application identifier, and wherein using the private key prevents a user who is allowed to access a second application, but who is not allowed to access the application being used, from gaining access to the application being used; and
  
  if the private key is found, signing the item with the private key for the user.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising returning the signed item to the user so that the user can send the signed item to a recipient.
  - 3. The method of claim 1, wherein the method further comprises configuring the signature server to accommodate a new user by:
    - receiving a request from an authorized entity to add the new user;
      
      generating a key pair for the new user, including a new user private key and a new user public key;
      
      communicating with a certification authority to obtain a certificate for the new user based on the key pair; and
      
      storing the certificate and the key pair for the new user in a location that is accessible by the signature server to enable the signature server to sign items on behalf of the new user.
  - 4. The method of claim 1, wherein the method further comprises configuring the signature server to delete an old user by:
    - receiving a request from an authorized entity to delete the old user;
      
      notifying a certification authority to revoke a certificate for the old user; and
      
      removing the private key for the old user from the signature server, so that the signature server can no longer sign items on behalf of the old user.
  - 5. The method of claim 1, wherein the method further comprises archiving the message and the signed item at the signature server.
  - 6. The method of claim 1, wherein the method further comprises forwarding the signed item to an archive server in order to be archived.

7. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for facilitating the delegation of operations involved in providing digital signatures to a signature server, wherein the computer-readable storage medium is selected from a group consisting of magnetic and optical storage devices, disk drives, magnetic tape, CDs (compact discs), and DVDs (digital versatile discs or digital video discs), the method comprising:
- allowing a user to authenticate the signature server prior to sending a message to the signature server;
  
  receiving the message from the user at the signature server, the message including an item to be signed on behalf of the user by the signature server, a user identifier which identifies the user, and an application identifier which identifies the application being used;
  
  authenticating the user at the signature server;
  
  determining whether the user is authorized to request a signature for the item by communicating with an authority server that is separate from the signature server, wherein determining whether the user is authorized to request a signature for the item involves looking up an authorization for the user based upon an identifier for the user as well as an identifier for an application to which the user will send the signed item after it has been signed and returned by the signature server;
  
  looking up a private key for the user at the signature server based on the user identifier and the application identifier, wherein looking up a private key for the user based on the user identifier and application identifier, and wherein using the private key prevents a user who is allowed to access a second application, but who is not allowed to access the application being used, from gaining access to the application being used; and
  
  if the private key is found, signing the item with the private key for the user.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer-readable storage medium of claim 7, wherein the method further comprises returning the signed item to the user so that the user can send the signed item to a recipient.
  - 9. The computer-readable storage medium of claim 7, wherein the method further comprises configuring the signature server to accommodate a new user by:
    - receiving a request from an authorized entity to add the new user;
      
      generating a key pair for the new user, including a new user private key and a new user public key;
      
      communicating with a certification authority to obtain a certificate for the new user based on the key pair; and
      
      storing the certificate and the key pair for the new user in a location that is accessible by the signature server to enable the signature server to sign items on behalf of the new user.
  - 10. The computer-readable storage medium of claim 7, wherein the method further comprises configuring the signature server to delete an old user by:
    - receiving a request from an authorized entity to delete the old user;
      
      notifying a certification authority to revoke a certificate for the old user; and
      
      removing the private key for the old user from the signature server, so that the signature server can no longer sign items on behalf of the old user.
  - 11. The computer-readable storage medium of claim 7, wherein the method further comprises archiving the message and the signed item at the signature server.
  - 12. The computer-readable storage medium of claim 7, wherein the method further comprises forwarding the signed item to an archive server in order to be archived.

13. An apparatus that facilitates delegating operations involved in providing digital signatures, comprising:
- a signature server;
  
  an authentication mechanism that is configured to allow a user to authenticate the signature server prior to sending a message to the signature servera receiving mechanism within the signature server that is configured to receive the message from the user, the message including an item to be signed on behalf of the user by the signature server, a user identifier which identifies the user, and an application identifier which identifies the application being used;
  
  an authenticating mechanism configured to authenticate the user at the signature server;
  
  a determining mechanism configured to determine whether the user is authorized request a signature for the item by communicating with an authority server that is separate from the signature server, wherein determining whether the user is authorized to request a signature for the item involves looking up an authorization for the user based upon an identifier for the user as well as an identifier for an application to which the user will send the signed item after it has been signed and returned by the signature server;
  
  a lookup mechanism within the signature server that is configured to look up a private key for the user based on the user identifier and the application identifier, wherein looking up a private key for the user based on the user identifier and application identifier, and wherein using the private key prevents a user who is allowed to access a second application, but who is not allowed to access the application being used, from gaining access to the application being used; and
  
  a signing mechanism within the signature server that is configured to sign the item with the private key for the user if the private key is found.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The apparatus of claim 13, further comprising a sending mechanism within the signature server that is configured to return the signed item to the user so that the user can send the signed item to a recipient.
  - 15. The apparatus of claim 13, further comprising an initialization mechanism that is configured to:
    - receive a request from an authorized entity to add a new user;
      
      generate a key pair for the new user, including a new user private key and a new user public key;
      
      communicate with a certification authority to obtain a certificate for the new user based on the key pair; and
      
      tostore the certificate and the key pair for the new user in a location that is accessible by the signature server to enable the signature server to sign items on behalf of the new user.
  - 16. The apparatus of claim 13, further comprising a deletion mechanism that is configured to:
    - receive a request from an authorized entity to delete an old user;
      
      notify a certification authority to revoke a certificate for the old user; and
      
      toremove the private key for the old user from the signature server, so that the signature server can no longer sign items on behalf of the old user.
  - 17. The apparatus of claim 13, further comprising an archiving mechanism that is configured to archive the message and the signed item at the signature server.
  - 18. The apparatus of claim 13, further comprising an archiving mechanism that is configured to forward the signed item to an archive server in order to be archived.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Samar, Vipin
Primary Examiner(s)
Vu; Kim
Assistant Examiner(s)
Son; Linh L D

Application Number

US09/741,691
Publication Number

US 20020078355A1
Time in Patent Office

2,321 Days
Field of Search

713/176, 713/156, 713/175, 380/280, 380/279, 380/277, 380/30, 705/75, 705/71, 705/67, 707 9- 10
US Class Current

713/176
CPC Class Codes

G06F 21/6218 to a system of files or obj...

G06F 21/645 using a third party

Method and apparatus for delegating digital signatures to a signature server

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for delegating digital signatures to a signature server

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links