Method, apparatus, and program for automated trust zone partitioning
First Claim

1. A method, in a Certificate Authority, for automated trust zone partitioning, comprising:
defining a Public Key Infrastructure comprising a plurality of trust zones;
associating a first end entity with a first trust zone within the plurality of trust zones;
receiving, by the Certificate Authority, a request from the first end entity for a certificate, wherein the request includes a first trust zone name identifying the first trust zone; and
sending, by the Certificate Authority, a response to the first end entity, wherein the response includes a list of trusted certificates associated with the first trust zone, and wherein the Certificate Authority generates certificates for the first end entity based on a trust graph for the first trust zone.
Abstract
An automated mechanism is provided for generating and distributing appropriate certificates for end entities in a distributed public key infrastructure environment based on trust relationships between the endpoints. Policies between trust zones are specified as an arbitrary graph, referred to as a trust graph. A password is assigned to a trust zone or an individual endpoint by the Certificate Authority. When an endpoint requests a certificate using the appropriate password, the certificate authority uses this graph to generate the appropriate certificates for the endpoint. The distribution of certificates is automated using the Certificate Management Protocol.
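The mechanism described in the abstract, and the message flow of claims 1, 11 and 21, modelled as an added example. This is constructed code written for this page, not the patent's own implementation or the assignee's software. It assumes: one enrollment password per trust zone (the abstract also allows per-endpoint passwords); a trust graph given as direct edges, with no transitive closure applied (the patent only says the policy is "an arbitrary graph"); a zone named bootstrap that anchors the CA's own server certificate, as claim 21 requires; and a toy hash-based signature that stands in for real X.509 signing. Transport (TCP then SSL/CMP) is not modelled; the bootstrap step is reduced to checking the CA's server certificate against the bootstrap anchors before any target-zone request. Zone and entity names are invented sample data.

```python
import hashlib
import hmac
import secrets


class TrustZoneCA:
    """Certificate Authority that partitions a PKI into trust zones.

    trust_graph: zone -> set of zones whose signer it trusts (direct edges;
    whether trust is transitive is a policy choice and is NOT applied here).
    zone_passwords: zone -> enrollment password (assumed per zone).
    """

    def __init__(self, trust_graph, zone_passwords, bootstrap_zone="bootstrap"):
        self.trust_graph = {z: set(t) for z, t in trust_graph.items()}
        self.zone_passwords = dict(zone_passwords)
        self.bootstrap_zone = bootstrap_zone
        if bootstrap_zone not in self.trust_graph:
            raise ValueError(f"bootstrap zone {bootstrap_zone!r} missing from graph")
        # One signer certificate per zone; key_id stands in for a real key pair.
        self.signer_certs = {
            zone: {"subject": f"CN={zone}-signer", "zone": zone,
                   "key_id": secrets.token_hex(8)}
            for zone in self.trust_graph
        }
        # The CA's TLS server certificate lives in the bootstrap zone so that a
        # fresh end entity can verify it using only the bootstrap anchors.
        self.server_cert = self._issue("ca.example.test", bootstrap_zone)

    def _issue(self, name, zone):
        signer = self.signer_certs[zone]
        subject = f"CN={name}"
        # Toy signature: hash of signer key and subject (not a real signature).
        sig = hashlib.sha256((signer["key_id"] + subject).encode()).hexdigest()
        return {"subject": subject, "zone": zone,
                "issuer": signer["subject"], "signature": sig}

    def trusted_certificates(self, zone):
        """Trust list for a zone: its own signer plus the signers it trusts."""
        if zone not in self.trust_graph:
            raise ValueError(f"unknown trust zone {zone!r}")
        zones = {zone} | self.trust_graph[zone]
        return [self.signer_certs[z] for z in sorted(zones)]

    def request_certificate(self, entity_name, zone, password):
        """Claim 1: authenticate the request with the zone password, issue a
        certificate in the named zone, and return it with the zone's trust list."""
        expected = self.zone_passwords.get(zone)
        # Unknown zone and wrong password fail identically (no zone enumeration).
        if expected is None or not hmac.compare_digest(
                expected.encode(), password.encode()):
            raise PermissionError(f"enrollment rejected for zone {zone!r}")
        return self._issue(entity_name, zone), self.trusted_certificates(zone)


def build_key_file(own_cert, trusted_certs):
    """Claim 11: the end entity's key file is its own certificate plus the
    zone's trust anchors, keyed by signer subject."""
    return {"own": own_cert, "anchors": {c["subject"]: c for c in trusted_certs}}


def verify_peer(key_file, peer_cert):
    """Accept a peer only if its issuer is one of our anchors and the toy
    signature checks out under that anchor's key."""
    anchor = key_file["anchors"].get(peer_cert["issuer"])
    if anchor is None:
        return False
    expected = hashlib.sha256(
        (anchor["key_id"] + peer_cert["subject"]).encode()).hexdigest()
    return hmac.compare_digest(expected, peer_cert["signature"])


def initialize_end_entity(ca, entity_name, target_zone, password):
    """Claim 21: fetch the bootstrap zone's anchors first, verify the CA's
    server certificate against them, then enroll in the target zone."""
    bootstrap_file = build_key_file(None, ca.trusted_certificates(ca.bootstrap_zone))
    if not verify_peer(bootstrap_file, ca.server_cert):
        raise ConnectionError("CA server certificate is not anchored in bootstrap zone")
    own_cert, anchors = ca.request_certificate(entity_name, target_zone, password)
    return build_key_file(own_cert, anchors)


# Constructed sample deployment (invented zone names and passwords).
ZONES = {"bootstrap": set(), "payments": {"partner"}, "partner": {"payments"}, "hr": set()}
PASSWORDS = {"payments": "pay-enroll-2024", "partner": "partner-enroll", "hr": "hr-enroll"}


def demo():
    ca = TrustZoneCA(ZONES, PASSWORDS)
    app = initialize_end_entity(ca, "app1", "payments", PASSWORDS["payments"])
    partner_cert, _ = ca.request_certificate("gw1", "partner", PASSWORDS["partner"])
    hr_cert, _ = ca.request_certificate("hris", "hr", PASSWORDS["hr"])
    return {
        "own_zone": app["own"]["zone"],
        "anchor_zones": sorted(a["zone"] for a in app["anchors"].values()),
        "partner_trusted": verify_peer(app, partner_cert),
        "hr_trusted": verify_peer(app, hr_cert),
    }
```

The point of the partition shows up in demo(): an end entity enrolled in payments receives only the payments and partner signers as anchors, so a valid certificate from the hr zone is rejected even though the same CA issued it. Note that the bootstrap zone has no enrollment password, so nobody can obtain an end-entity certificate in it; it exists only to anchor the CA's own server certificate for the first, unauthenticated fetch.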
33 Claims
1. A method, in a Certificate Authority, for automated trust zone partitioning, comprising:
defining a Public Key Infrastructure comprising a plurality of trust zones; associating a first end entity with a first trust zone within the plurality of trust zones; receiving, by the Certificate Authority, a request from the first end entity for a certificate, wherein the request includes a first trust zone name identifying the first trust zone; and sending, by the Certificate Authority, a response to the first end entity, wherein the response includes a list of trusted certificates associated with the first trust zone, and wherein the Certificate Authority generates certificates for the first end entity based on a trust graph for the first trust zone.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 32

11. A method, in an end entity, for automated trust zone partitioning, comprising:
sending a request to a Certificate Authority for a certificate, wherein the request includes a trust zone name identifying a first trust zone; receiving a response from the Certificate Authority, wherein the response includes a list of trusted certificates for the first trust zone; and building a key file using the list of trusted certificates.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20

21. A method, in a Certificate Authority, for initializing an end entity, comprising:
in response to receiving, by a Certificate Authority, a request for a first list of trusted certificates corresponding to a bootstrap zone using Transmission Control Protocol, sending the first list of trusted certificates using Transmission Control Protocol; and in response to receiving, by a Certificate Authority, a request for a second list of trusted certificates for a target zone using Secure Sockets Layer protocol, sending the second list of trusted certificates using Secure Sockets Layer protocol.

22. An apparatus for automated trust zone partitioning in a Certificate Authority, comprising:
definition means for defining a Public Key Infrastructure comprising a plurality of trust zones; association means for associating a first end entity with a first trust zone within the plurality of trust zones; receipt means for receiving, by the Certificate Authority, a request from the first end entity for a certificate, wherein the request includes a first trust zone name identifying the first trust zone; and sending means for sending, by the Certificate Authority, a response to the first end entity, wherein the response includes a list of trusted certificates associated with the first trust zone, and wherein the Certificate Authority generates certificates for the first end entity based on a trust graph for the first trust zone.
Dependent claims: 23, 24, 25, 33

26. An apparatus for automated trust zone partitioning in an end entity, comprising:
sending means for sending a request to a Certificate Authority for a certificate, wherein the request includes a trust zone name identifying a first trust zone; receipt means for receiving a response from the Certificate Authority, wherein the response includes a list of trusted certificates for the first trust zone; and building means for building a key file using the list of trusted certificates.
Dependent claims: 27, 28, 29

30. A computer program product, in a computer readable recordable-type medium, for automated trust zone partitioning in a Certificate Authority, comprising:
instructions for defining a Public Key Infrastructure comprising a plurality of trust zones; instructions for associating a first end entity with a first trust zone within the plurality of trust zones; instructions for receiving, by the Certificate Authority, a request from the first end entity for a certificate, wherein the request includes a first trust zone name identifying the first trust zone; and instructions for sending, by the Certificate Authority, a response to the first end entity, wherein the response includes a list of trusted signer certificates associated with the first trust zone, and wherein the Certificate Authority generates certificates for the first end entity based on a trust graph for the first trust zone.

31. A computer program product, in a computer readable recordable-type medium, for automated trust zone partitioning in an end entity, comprising:
instructions for sending a request to a Certificate Authority for a certificate, wherein the request includes a trust zone name identifying a first trust zone; instructions for receiving a response from the Certificate Authority, wherein the response includes a list of trusted certificates for the first trust zone; and instructions for building a key file using the list of trusted certificates.

Specification