Method and system for certification path processing
First Claim
1. A method for validating digital certificates by computational entities in a data processing system, the method comprising:
- receiving from a first entity at a second entity a certificate validation request for a target certificate;
- in response to a determination at the second entity that the target certificate is valid, sending a certificate validation response with an indicating status value that the target certificate is valid;
- in response to a determination at the second entity that the target certificate is invalid, sending from the second entity to the first entity a certificate validation response with an indicating status value that the target certificate is invalid;
- forwarding the certificate validation request to a third entity such that the third entity validates the target certificate;
- forwarding to the third entity a certificate validation policy to be applied against the certificate validation request by the third entity, wherein the certificate validation policy configures processing of the target certificate;
- caching information about a certificate and its certificate chain if the certificate is validated;
- selecting a certificate validation policy to be applied against the certificate validation request based on information associated with the target certificate, wherein the certificate validation policy configures processing of the target certificate;
- processing the certificate validation request at the second entity, wherein the certificate validation request contains a digital certificate and a Uniform Resource Identifier (URI) that references the digital certificate;
- fetching the digital certificate that is referenced by the URI in the certificate validation request;
- receiving information from an online certificate revocation list (CRL) status service at the second entity;
- deleting cached information at the second entity in accordance with the information that has been received from the online CRL status service;
- operating the second entity such that the second entity interacts with external entities within a web services architecture in accordance with the XML Key Management Specification (XKMS);
- relying by the second entity on an online certificate discovery service for retrieval of digital certificates;
- in response to receiving the certificate validation request for the target certificate, determining whether the second entity has previously cached information for the target certificate in response to a validation of the target certificate for a previously received certificate validation request;
- in response to a determination that the second entity has previously cached information for the target certificate in response to a validation of the target certificate for a previously received certificate validation request, determining that the target certificate is valid by checking that all certificates in a cached certificate chain for the target certificate have not expired;
- in response to a determination that the second entity has previously cached information for the target certificate in response to a validation of the target certificate for a previously received certificate validation request, determining that the target certificate is valid by checking that all certificates in a cached certificate chain for the target certificate have not been revoked; and
- in response to a determination that the second entity has not previously cached information for the target certificate in response to a validation of the target certificate for a previously received certificate validation request, determining that the target certificate is valid by constructing a certificate chain for the target certificate and validating all certificates in the certificate chain for the target certificate.
Abstract
A method, an apparatus, a system, and a computer program product are presented for validating certificates. A certificate validation service receives a certificate validation request for a target certificate from a client, thereby allowing the client to offload certificate validation tasks into an online certificate validation service that is accessible and sharable by multiple components within a data processing system. In response to a determination that the target certificate is valid or invalid, the certificate validation service sends a certificate validation response with an indicating status value that the target certificate is valid or invalid. The certificate validation service is able to cache information about previously validated certificates and the associated certificate chains, thereby enhancing the efficiency of the service. Different certificate validation policies may be applied against target certificates based upon information associated with the target certificates.
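As an added illustration (not code from the patent or its assignee), the following Python model shows the cache-then-validate logic the claim describes: a cache hit is accepted only if every certificate in the cached chain is still unexpired and unrevoked, a miss constructs the chain through a discovery service and validates it, and a CRL status update deletes cache entries whose chain contains a revoked certificate. The `Cert` record, the dict standing in for the discovery service, and the issuer-name linkage used in place of real signature verification are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    not_after: int  # expiry as a Unix timestamp (constructed model, not X.509 parsing)


@dataclass
class ValidationService:
    # Models the claim's "second entity": the online certificate validation service.
    trust_anchors: set  # subjects of trusted root certificates
    directory: dict  # stand-in for the online certificate discovery service: subject -> Cert
    revoked: set = field(default_factory=set)  # serials reported by the CRL status service
    cache: dict = field(default_factory=dict)  # (issuer, serial) -> validated chain

    def _unexpired(self, chain, now):
        return all(c.not_after > now for c in chain)

    def _unrevoked(self, chain):
        return all(c.serial not in self.revoked for c in chain)

    def _build_chain(self, cert):
        # Walk issuer links via the discovery service until a trust anchor is reached.
        chain = [cert]
        while chain[-1].subject not in self.trust_anchors:
            issuer = self.directory.get(chain[-1].issuer)
            if issuer is None or len(chain) > 10:  # unknown issuer or runaway loop
                return None
            chain.append(issuer)
        return chain

    def validate(self, cert, now):
        # Returns "valid" or "invalid", the status value of the validation response.
        key = (cert.issuer, cert.serial)
        chain = self.cache.get(key)
        if chain is None:  # cache miss: construct and validate the full chain
            chain = self._build_chain(cert)
            if chain is None:
                return "invalid"
        # Cache hit or freshly built chain: every certificate must be unexpired and unrevoked.
        if self._unexpired(chain, now) and self._unrevoked(chain):
            self.cache[key] = chain
            return "valid"
        return "invalid"

    def crl_update(self, revoked_serials):
        # Apply a CRL status update and drop cache entries whose chain contains a revoked cert.
        self.revoked |= set(revoked_serials)
        self.cache = {k: ch for k, ch in self.cache.items() if self._unrevoked(ch)}
```

Note that a cached chain is re-checked for expiry and revocation on every hit, so a stale cache entry can never turn an expired or revoked certificate into a "valid" response.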