Public key infrastructure scalability certificate revocation status validation
First Claim
1. A method for authenticating a user certificate received from a user requesting access to a secure web service, said user certificate including user certificate data, said method comprising:
receiving a request from a user for access to the web service, said request including partial data supporting the user certificate data;
retrieving revoked certificate data from a plurality of certificate issuers, wherein the revoked certificate data identifies one or more revoked certificates, each of the one or more identified revoked certificates including a next update time for retrieving an update to each of the revoked certificates and an address identifying a location for retrieving the update;
storing the revoked certificate data in a central location;
determining if the user certificate data has expired;
if the determining indicates that the received user certificate data has expired, denying the user access to the secure web service;
if the determining indicates that the received user certificate data has not expired:
comparing the user certificate data included in the received request to the revoked certificate data stored in the central location;
if the comparing indicates that the user certificate data from the requested user certificate matches one of the revoked certificate data stored in the central location, denying the user access to the secure web service;
if the comparing indicates that the user certificate data from the requested user certificate does not match the revoked certificate data stored in the central location, determining if the update to one of the revoked certificates is available based on the next update time;
if the determining indicates that no update is available, authenticating the user to access the secure web service;
if the determining indicates that the update is available, retrieving the update from the address;
in response to the retrieved update, storing the update to one of the revoked certificates in the central location;
if the comparing indicates that the user certificate data matches the updated revoked certificate data in the central location, denying the user access to the secure web service;
if the comparing indicates that the user certificate data does not match one of the updated revoked certificate data in the central location:
authenticating the user;
providing the user access to the requested web service;
detecting an event including a new entry in the central location, the current time being equal to the next update time of one of the revoked certificate data, or the current time being equal to the next update time of one of the updated revoked certificate data;
organizing the user certificate data in the revoked certificate data in a sequence according to the next update time for each of the plurality of certificate issuers; and
in response to the detected event and the next update time, retrieving another update of one of the revoked certificates in the central location according to the organized sequence.
Abstract
A system and method for retrieving certificate of trust information for a certificate validation process. Fetching servers periodically retrieve certificate revocation lists (CRLs) from servers maintained by various certificate issuers. The revoked certificate data included in the retrieved CRLs is stored in a central database. An authentication server receives a request from a client for access to a secure service and initiates a validation process. The authentication server retrieves revoked certificate data from the central database and compares it to the certificate of trust information received from the client along with the request. The authentication server denies access to the secure service if the certificate of trust information matches revoked certificate data from the central database, and allows access if it does not match any revoked certificate data from the central database.
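The validation and refresh flow described in the abstract and in claim 1, modelled in Python as an added example that is not the patent's own code: CRL retrieval is simulated with a constructed in-memory table of CRL publications, times are plain integers, and the issuer names and CRL addresses are assumptions. Beyond the claim, the example fails closed when an issuer's CRL is overdue or no revocation data is held for the issuer.

```python
import heapq
from dataclasses import dataclass, field

# Constructed CRL publications per CRL address: (this_update, next_update, revoked serials).
CRL_PUBLICATIONS = {
    "http://crl.ca-a.example/a.crl": [(0, 100, {"0A01"}), (100, 200, {"0A01", "0A02"})],
    "http://crl.ca-b.example/b.crl": [(0, 150, set()), (150, 300, {"0B07"})],
}

def fetch_crl(address, now):
    """Simulated fetching server: newest publication already issued at `now`."""
    available = [p for p in CRL_PUBLICATIONS[address] if p[0] <= now]
    return max(available, key=lambda p: p[0])

@dataclass
class IssuerCrl:
    issuer: str
    address: str        # address for retrieving the next update
    next_update: int    # time at which the issuer publishes the next CRL
    revoked: set = field(default_factory=set)

class CentralStore:
    def __init__(self):
        self.by_issuer = {}
        self.sequence = []  # heap of (next_update, issuer): the organized sequence

    def store(self, issuer, address, now):
        """Retrieve the update from `address` and store it for `issuer`."""
        _, nxt, revoked = fetch_crl(address, now)
        self.by_issuer[issuer] = IssuerCrl(issuer, address, nxt, set(revoked))
        heapq.heappush(self.sequence, (nxt, issuer))

    def refresh_due(self, now):
        """Event: current time reached a next_update; refresh due issuers in sequence."""
        due = []
        while self.sequence and self.sequence[0][0] <= now:
            nxt, issuer = heapq.heappop(self.sequence)
            if nxt == self.by_issuer[issuer].next_update:  # skip stale heap entries
                due.append(issuer)
        for issuer in due:
            self.store(issuer, self.by_issuer[issuer].address, now)
        return due

def validate(store, cert, now):
    """cert = {"issuer", "serial", "not_after"}; returns (allowed, reason)."""
    if now > cert["not_after"]:
        return False, "expired"
    entry = store.by_issuer.get(cert["issuer"])
    if entry is None:  # not in the claim; failing closed is this example's choice
        return False, "no revocation data for issuer"
    if cert["serial"] in entry.revoked:
        return False, "revoked"
    if now >= entry.next_update:  # update available: retrieve, store, re-compare
        store.store(cert["issuer"], entry.address, now)
        entry = store.by_issuer[cert["issuer"]]
        if cert["serial"] in entry.revoked:
            return False, "revoked (after update)"
        if entry.next_update <= now:  # issuer's CRL is overdue: fail closed
            return False, "stale revocation data"
    return True, "ok"
```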
22 Claims
9. A method for adding additional revoked certificate data from a plurality of certificate issuers to revoked certificate data stored in a central location, said stored revoked certificate data identifying one or more certificate issuers publishing revoked certificate data for a plurality of revoked certificates, comprising:
retrieving the stored revoked certificate data from the central location;
comparing user certificate data included in a user certificate included in a user request to the stored revoked certificate data, said user request being received from a user;
determining if the user certificate data has expired;
if the determining indicates that the received user certificate data has expired, denying the user access to a secure web service;
if the determining indicates that the received user certificate data has not expired:
denying the user if the comparing indicates that the user certificate data matches the revoked certificate data in the central location;
if the comparing indicates that the user certificate data from the requested user certificate does not match the revoked certificate data stored in the central location:
identifying an address of each of the one or more certificate issuers from the retrieved revoked certificate data;
authenticating the user;
providing the user access to the requested web service;
storing the address in the central location for subsequent retrieval;
determining a next update time for each of the one or more certificate issuers from the retrieved revoked certificate data, said next update times each specifying a time at which updated revoked certificate data is published by each of the one or more certificate issuers;
organizing the retrieved revoked certificate data in a sequence according to the determined update time for each of the one or more certificate issuers; and
retrieving additional revoked certificate data from the identified addresses according to the update times in the organized sequence, such that the user certificate included in the user request is compared to the retrieved additional revoked certificate data to determine the access by the user to the secure web service.
11. A system for retrieving revoked certificate data in response to a client request, said client request requesting access to a secure web service and including user certificate data, comprising:
a central database;
a fetching server for retrieving revoked certificate data from a plurality of certificate authority servers for storage in said central database, wherein the revoked certificate data identifies one or more revoked certificates; and
an authentication server responsive to the client request for executing a certificate revocation provider component, said certificate revocation provider component loading the revoked certificate data in the central database into a memory associated with the authentication server, and wherein the certificate revocation provider component is responsive to the client request and the loaded revoked certificate data to determine if the client request is authentic based on a match of the client request and the stored revoked certificate data, wherein:
if the client request is expired, the authentication server denies the user;
if the client request is not expired and a match of the client request and the stored revoked certificate data is not found, determining if the update to one of the revoked certificates is available based on the next update time;
if the determining indicates that no update is available, the authentication server authenticates the user to access the secure web service;
if the determining indicates that the update is available, the fetching server retrieves the update from the address;
in response to the retrieved update, the certificate revocation provider component stores the update to one of the revoked certificates in the central database;
if the comparing indicates that the user certificate data matches the updated revoked certificate data in the central database, the authentication server denies the user access to the secure web service;
if the comparing indicates that the user certificate data does not match one of the updated revoked certificate data in the central database, the authentication server authenticates the user;
the authentication server detects an event including a new entry in the central database, the current time being equal to the next update time of one of the revoked certificate data, or the current time being equal to the next update time of one of the updated revoked certificate data;
wherein the fetching server organizes the retrieved revoked certificate data in a sequence according to the next update time for each of the one or more certificate authority servers; and
in response to the detected event and the next update time, the fetching server retrieves another update of one of the revoked certificates in the central database according to the organized sequence.
17. A system for managing certificate revocation status data, comprising:
a fetching server for identifying a list of addresses corresponding to a plurality of certificate issuers, said fetching server retrieving revoked certificate status data from a content server corresponding to the list of addresses; and
a central database responsive to the retrieved revoked certificate status data for storing a list of revoked certificates, wherein:
if the comparing indicates that the user certificate data from the requested user certificate does not match the revoked certificate data stored in the central location, determining if the update to one of the revoked certificates is available based on the next update time;
if the determining indicates that no update is available, authenticating the user to access the secure web service;
if the determining indicates that the update is available, retrieving the update from the address;
in response to the retrieved update, storing the update to one of the revoked certificates in the central location;
if the comparing indicates that the user certificate data matches the updated revoked certificate data in the central location, denying the user access to the secure web service;
if the comparing indicates that the user certificate data does not match one of the updated revoked certificate data in the central location:
authenticating the user;
providing the user access to the requested web service;
detecting an event including a new entry in the central location, the current time being equal to the next update time of one of the revoked certificate data, or the current time being equal to the next update time of one of the updated revoked certificate data; and
wherein the fetching server organizes the retrieved revoked certificate data in a sequence according to the next update time for each of the one or more certificate issuers;
in response to the detected event, retrieving another update of one of the revoked certificates in the central location; and
wherein the fetching server identifies an address from user certificate data included in a client request for the stored list of revoked certificates if it is determined that there is no match between the user certificate data and the retrieved certificate status data, said address identifying the location of revoked certificate data for a plurality of revoked certificates being maintained by at least one of the plurality of certificate issuers, and wherein the central database stores the address in the central location for subsequent retrieval according to the next update time in the organized sequence.
18. A computer storage medium comprising computer-executable instructions for authenticating a user requesting access to a web service, comprising:
retrieving instructions for retrieving revoked certificate data from a plurality of certificate issuers, wherein the revoked certificate data identifies one or more revoked certificates;
storing instructions for storing the revoked certificate data for each of the identified one or more revoked certificates in a central location;
receiving instructions for receiving a request from a user for access to the web service, said request including a user certificate including user certificate data;
comparing instructions for comparing the user certificate data to the revoked certificate data stored in the central location;
denying instructions for selectively authenticating the user if the comparing indicates that the user certificate data matches the revoked certificate data in the central location;
if the comparing indicates that the user certificate data from the requested user certificate does not match the revoked certificate data stored in the central location:
determining instructions for determining if the update to one of the revoked certificates is available based on the next update time;
if the determining indicates that no update is available, authentication instructions for authenticating the user to access the secure web service;
if the determining indicates that the update is available, retrieving instructions for retrieving the update from the address;
in response to the retrieved update, storing instructions for storing the update to one of the revoked certificates in the central location;
wherein the authentication instructions authenticate the user;
wherein the providing instructions provide the user access to the requested web service;
identifying instructions for identifying an address from the user certificate data included with the request, said address identifying the location of revoked certificate data for a plurality of revoked certificates being maintained by at least one of the plurality of certificate issuers;
organizing instructions for organizing the retrieved revoked certificate data in a sequence according to the next update time for each of the one or more certificate authority servers; and
wherein the storing instructions store the address in the central location for subsequent retrieval according to the next update time in the organized sequence.
22. A computer storage medium for adding additional revoked certificate data to revoked certificate data stored in a central location, said stored revoked certificate data identifying one or more certificate issuers publishing revoked certificate data for a plurality of revoked certificates, comprising:
retrieving instructions for retrieving the stored revoked certificate data from the central location;
comparing instructions for comparing user certificate data included in a user certificate included in a user request to the stored revoked certificate data, said user request being received from a user;
denying instructions for authenticating the user if the comparing indicates that the user certificate data matches the revoked certificate data in the central location;
providing instructions for providing the user access to the requested web service when the user is authenticated;
identifying instructions for identifying an address of each of the one or more certificate issuers from the retrieved revoked certificate data;
if the comparing indicates that the user certificate data from the requested user certificate does not match the revoked certificate data stored in the central location:
determining instructions for determining if the update to one of the revoked certificates is available based on the next update time;
if the determining indicates that no update is available, authentication instructions for authenticating the user to access the secure web service;
if the determining indicates that the update is available, retrieving instructions for retrieving the update from the address;
in response to the retrieved update, storing instructions for storing the update to one of the revoked certificates in the central location;
wherein the authenticating instructions authenticate the user;
wherein the providing instructions provide the user access to the requested web service;
wherein the identifying instructions identify another address from the user certificate data included with the request, said address identifying the location of revoked certificate data for a plurality of revoked certificates being maintained by at least one of the plurality of certificate issuers;
wherein the storing instructions store the other address in the central location for subsequent retrieval;
determining instructions for determining an update time for each of the one or more certificate issuers from the retrieved revoked certificate data, said update times each specifying a time at which updated revoked certificate data is published by each of the one or more certificate issuers;
organizing instructions for organizing the retrieved revoked certificate data in a sequence according to the determined update time for each of the plurality of certificate issuers; and
retrieving instructions for retrieving additional revoked certificate data from the identified addresses according to the update times in the organized sequence.