System and method for a remote access service enabling trust and interoperability when retrieving certificate status from multiple certification authority reporting components
First Claim
1. A method of providing a Certificate Status Service (“CSS”) for checking validities of certificates issued by respective issuing Certification Authorities (“CAs”), comprising the steps of:
receiving status queries for one or more certificates from requesting entities;
if the issuing CAs are not found on a CSS's list of approved CAs or the certificates have expired, returning invalid statuses for those certificates;
if current certificate statuses are found in a CSS cache memory, returning the found certificates' statuses;
if any certificate statuses have not yet been determined, fetching, from a CSS configuration store, all certificate status reporting methods and communications information that are needed for retrieving, from the respective issuing CAs, a certificate status of each certificate whose status has not yet been determined;
configuring connectors based on the identified information for communicating with the issuing CAs;
communicating with the issuing CAs according to the configured connectors;
retrieving the certificate statuses of all queried certificates;
processing the certificate statuses according to certificate status reporting methods implemented by the CSS including, but not limited to, a real-time certificate status retrieval protocol including LDAP, OCSP, and any other certificate status retrieval protocol for retrieving certificate statuses in real-time, and one of Certificate Revocation Lists (CRLs) that are retrieved at specified publication intervals and Delta Certificate Revocation Lists (ΔCRLs) that are retrieved upon notification;
recording retrieved certificate statuses in the CSS cache memory; and
returning the retrieved certificate statuses to the requesting entities;
wherein the issuing CAs and connector parameters, which enable the CSS to interwork with any CAs and CA domains even though the CSS and issuing CAs may operate using dissimilar certificate practices and policies, are designated on a list of approved CAs in the CSS configuration store.
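The decision flow of claim 1 (approved-CA check, expiry check, cache lookup, then per-CA connectors built from the configuration store) as an added Python example; this is not code from the patent, and the configuration-store shape, CA names, serials and the OCSP/CRL stubs are all constructed so it runs offline.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:               # the fields a status query needs (constructed, not a full X.509 parse)
    serial: str
    issuer: str
    not_after: datetime
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
UNEXPIRED, EXPIRED = datetime(2025, 1, 1, tzinfo=timezone.utc), datetime(2023, 1, 1, tzinfo=timezone.utc)
# Configuration store: the approved-CA list with each CA's reporting method and connector parameters.
CONFIG_STORE = {
    "CA-Alpha": {"method": "OCSP", "endpoint": "ocsp.alpha.example"},
    "CA-Beta": {"method": "CRL", "endpoint": "crl.beta.example/beta.crl"},
}
QUERY_LOG = []  # every connector call is recorded so cache hits can be observed

def ocsp_stub(endpoint, serial):  # stand-in for a real-time OCSP responder
    QUERY_LOG.append(("OCSP", endpoint, serial))
    return "revoked" if serial == "1002" else "good"
def crl_stub(endpoint):  # stand-in for a CRL fetched at its publication interval
    QUERY_LOG.append(("CRL", endpoint))
    return {"2001"}

class CertificateStatusService:
    def __init__(self, config_store, ocsp, crl, now):
        self.config, self.ocsp, self.crl, self.now = config_store, ocsp, crl, now
        self.cache = {}  # Cert -> last retrieved status

    def _connector(self, issuer):
        # Build the connector for one approved CA from its configured reporting method.
        cfg = self.config[issuer]
        if cfg["method"] == "OCSP":
            return lambda serial: self.ocsp(cfg["endpoint"], serial)
        if cfg["method"] == "CRL":
            revoked = self.crl(cfg["endpoint"])  # one fetch serves every pending cert from this CA
            return lambda serial: "revoked" if serial in revoked else "good"
        raise ValueError(f"unsupported reporting method: {cfg['method']}")

    def check(self, certs):
        results = {}
        for c in certs:
            if c.issuer not in self.config or c.not_after <= self.now:
                results[c] = "invalid"  # unapproved CA or expired: rejected without querying
            elif c in self.cache:
                results[c] = self.cache[c]
        pending = [c for c in certs if c not in results]
        for issuer in sorted({c.issuer for c in pending}):
            query = self._connector(issuer)
            for c in (p for p in pending if p.issuer == issuer):
                results[c] = self.cache[c] = query(c.serial)
        return results
```

A second `check` call on the same certificates is answered entirely from the cache, which is visible as no new entries in `QUERY_LOG`.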
Abstract
A Certificate Status Service that is configurable, directed, and able to retrieve status from any approved Certification Authority (CA) is disclosed. The CSS may be used by a Trusted Custodial Utility (TCU) and comparable systems or applications whose roles are validating the right of an individual to perform a requisite action, the authenticity of submitted electronic information objects, and the status of authentication certificates used in digital signature verification and user authentication processes. The validity check on authentication certificates is performed by querying an issuing CA. Traditionally, to create a trusted Public Key Infrastructure (PKI) needed to validate certificates, complex relationships are formed by cross-certification among CAs or by use of PKI bridges. The PKI and CA interoperability problem is addressed from a different point of view, with a focus on establishing a trust environment suitable for the creation, execution, maintenance, transfer, retrieval and destruction of electronic original information objects that may also be transferable records (ownership may change hands). A TCU is concerned only with a known set of “approved CAs” although they may support a multitude of business environments, and within that set of CAs, only with those certificates that are associated with TCU user accounts. Building PKI/CA trusted relationships is not required as the CSS achieves a trusted environment by querying only approved CAs and maintaining caches of valid certificates' status.
163 Citations
17 Claims
Specification