
Method and system for certification path processing

  • US 7,444,509 B2
  • Filed: 05/27/2004
  • Issued: 10/28/2008
  • Est. Priority Date: 05/27/2004
  • Status: Expired due to Fees
First Claim

1. A method for validating digital certificates by computational entities in a data processing system, the method comprising:

  • receiving from a first entity at a second entity a certificate validation request for a target certificate;
  • in response to a determination at the second entity that the target certificate is valid, sending a certificate validation response with an indicating status value that the target certificate is valid;
  • in response to a determination at the second entity that the target certificate is invalid, sending from the second entity to the first entity a certificate validation response with an indicating status value that the target certificate is invalid;
  • forwarding the certificate validation request to a third entity such that the third entity validates the target certificate;
  • forwarding to the third entity a certificate validation policy to be applied against the certificate validation request by the third entity, wherein the certificate validation policy configures processing of the target certificate;
  • caching information about a certificate and its certificate chain if the certificate is validated;
  • selecting a certificate validation policy to be applied against the certificate validation request based on information associated with the target certificate, wherein the certificate validation policy configures processing of the target certificate;
  • processing the certificate validation request at the second entity, wherein the certificate validation request contains a digital certificate and a Uniform Resource Identifier (URI) that references the digital certificate;
  • fetching the digital certificate that is referenced by the URI in the certificate validation request;
  • receiving information from an online certificate revocation list (CRL) status service at the second entity;
  • deleting cached information at the second entity in accordance with the information that has been received from the online CRL status service;
  • operating the second entity such that the second entity interacts with external entities within a web services architecture in accordance with the XML Key Management Specification (XKMS);
  • relying by the second entity on an online certificate discovery service for retrieval of digital certificates;
  • in response to receiving the certificate validation request for the target certificate, determining whether the second entity has previously cached information for the target certificate in response to a validation of the target certificate for a previously received certificate validation request;
  • in response to a determination that the second entity has previously cached information for the target certificate in response to a validation of the target certificate for a previously received certificate validation request, determining that the target certificate is valid by checking that all certificates in a cached certificate chain for the target certificate have not expired;
  • in response to a determination that the second entity has previously cached information for the target certificate in response to a validation of the target certificate for a previously received certificate validation request, determining that the target certificate is valid by checking that all certificates in a cached certificate chain for the target certificate have not been revoked; and
  • in response to a determination that the second entity has not previously cached information for the target certificate in response to a validation of the target certificate for a previously received certificate validation request, determining that the target certificate is valid by constructing a certificate chain for the target certificate and validating all certificates in the certificate chain for the target certificate.
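The cache-dependent branches of claim 1 (a cached chain is re-checked for expiry and revocation, an uncached target gets a chain constructed and validated, and CRL status input evicts cache entries), as an added Python sketch that is not the patent's own code. The certificates, the issuer directory standing in for the discovery service, and the integer "day" clock are constructed assumptions.

```python
from dataclasses import dataclass, field
@dataclass(frozen=True)
class Cert:
    serial: str
    issuer: str     # serial of the issuing cert; "" marks a self-signed root
    not_after: int  # constructed stand-in for the expiry time (an integer "day")

@dataclass
class Validator:  # the claim's "second entity"
    trust_roots: set   # serials of trusted roots
    directory: dict    # serial -> Cert; stands in for the online certificate discovery service
    revoked: set = field(default_factory=set)
    cache: dict = field(default_factory=dict)  # target serial -> validated chain
    def build_chain(self, cert):  # walk issuer links up to a trusted root, else None
        chain = [cert]
        while chain[-1].issuer:
            parent = self.directory.get(chain[-1].issuer)
            if parent is None or len(chain) > 16:  # unknown issuer or runaway loop
                return None
            chain.append(parent)
        return chain if chain[-1].serial in self.trust_roots else None
    def chain_ok(self, chain, today):  # every cert unexpired and unrevoked
        return all(c.not_after >= today and c.serial not in self.revoked for c in chain)
    def validate(self, cert, today):
        chain = self.cache.get(cert.serial)
        if chain is None:  # not cached: construct and validate the whole chain
            chain = self.build_chain(cert)
            if chain is None or not self.chain_ok(chain, today):
                return "invalid"
            self.cache[cert.serial] = chain  # cache only after successful validation
            return "valid"
        return "valid" if self.chain_ok(chain, today) else "invalid"  # cached: re-check
    def on_crl_update(self, newly_revoked):  # CRL status service input evicts cache entries
        self.revoked |= set(newly_revoked)
        for serial, chain in list(self.cache.items()):
            if any(c.serial in self.revoked for c in chain):
                del self.cache[serial]
# Constructed sample PKI: leaf -> inter -> root, plus a cert with an unknown issuer.
ROOT, INTER, LEAF = Cert("root", "", 1000), Cert("inter", "root", 800), Cert("leaf", "inter", 500)
ORPHAN = Cert("orphan", "unknown", 500)

def demo():
    v = Validator(trust_roots={"root"}, directory={c.serial: c for c in (ROOT, INTER, LEAF)})
    r1 = v.validate(LEAF, today=100)  # cache miss: chain built, validated, cached
    r2 = v.validate(LEAF, today=600)  # cache hit, but the leaf has expired
    v.on_crl_update(["inter"])        # revocation evicts the cached chain through "inter"
    r3 = v.validate(LEAF, today=100)  # rebuilt chain contains a revoked cert; not re-cached
    return r1, r2, r3, v.validate(ORPHAN, today=100), "leaf" in v.cache
```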

  • 1 Assignment