System and method for a remote access service enabling trust and interoperability when retrieving certificate status from multiple certification authority reporting components

US 7,743,248 B2
Filed: 07/16/2003
Issued: 06/22/2010
Est. Priority Date: 01/17/1995
Status: Expired due to Fees

First Claim

Patent Images

1. A method of providing a Certificate Status Service (“

CSS”

) for checking validities of certificates issued by respective issuing Certification Authorities (“

CAs”

), comprising the steps of;

receiving status queries for one or more certificates from requesting entities;

if the issuing CAs are not found on a CSS'"'"'s list of approved CAs or the certificates have expired, returning invalid statuses for those certificates;

if current certificate statuses are found in a CSS cache memory, returning the found certificates'"'"' statuses;

if any certificate statuses have not yet been determined, fetching, from a CSS configuration store, all certificate status reporting methods and communications information that are needed for retrieving, from the respective issuing CAs, a certificate status of each certificate whose status has not yet been determined;

configuring connectors based on the identified information for communicating with the issuing CAs;

communicating with the issuing CAs according to the configured connectors;

retrieving the certificate statuses of all queried certificates;

processing the certificate statuses according to certificate status reporting methods implemented by the CSS including, but not limited to, a real-time certificate status retrieval protocol including LDAP, OCSP, and any other certificate status retrieval protocol for retrieving certificate statuses in real-time, and one of Certificate Revocation Lists (CRLs) that are retrieved at specified publication intervals and Delta Certificate Revocation Lists (Δ

CRLs) that are retrieved upon notification;

recording retrieved certificate statuses in the CSS cache memory; and

returning the retrieved certificate statuses to the requesting entities;

wherein the issuing CAs and connector parameters, which enable the CSS to interwork with any CAs and CA domains even though the CSS and issuing CAs may operate using dissimilar certificate practices and policies, are designated on a list of approved CAs in the CSS configuration store.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A Certificate Status Service that is configurable, directed, and able to retrieve status from any approved Certification Authority (CA) is disclosed. The CSS may be used by a Trusted Custodial Utility (TCU) and comparable systems or applications whose roles are validating the right of an individual to perform a requisite action, the authenticity of submitted electronic information objects, and the status of authentication certificates used in digital signature verification and user authentication processes. The validity check on authentication certificates is performed by querying an issuing CA. Traditionally, to create a trusted Public Key Infrastructure (PKI) needed to validate certificates, complex relationships are formed by cross-certification among CAs or by use of PKI bridges. The PKI and CA interoperability problem is addressed from a different point of view, with a focus on establishing a trust environment suitable for the creation, execution, maintenance, transfer, retrieval and destruction of electronic original information objects that may also be transferable records (ownership may change hands). A TCU is concerned only with a known set of “approved CAs” although they may support a multitude of business environments, and within that set of CAs, only with those certificates that are associated with TCU user accounts. Building PKI/CA trusted relationships is not required as the CSS achieves a trusted environment by querying only approved CAs and maintaining caches of valid certificates'"'"' status.

163 Citations

17 Claims

1. A method of providing a Certificate Status Service (“
- CSS”
  
  ) for checking validities of certificates issued by respective issuing Certification Authorities (“
  
  CAs”
  
  ), comprising the steps of;
  
  receiving status queries for one or more certificates from requesting entities;
  
  if the issuing CAs are not found on a CSS'"'"'s list of approved CAs or the certificates have expired, returning invalid statuses for those certificates;
  
  if current certificate statuses are found in a CSS cache memory, returning the found certificates'"'"' statuses;
  
  if any certificate statuses have not yet been determined, fetching, from a CSS configuration store, all certificate status reporting methods and communications information that are needed for retrieving, from the respective issuing CAs, a certificate status of each certificate whose status has not yet been determined;
  
  configuring connectors based on the identified information for communicating with the issuing CAs;
  
  communicating with the issuing CAs according to the configured connectors;
  
  retrieving the certificate statuses of all queried certificates;
  
  processing the certificate statuses according to certificate status reporting methods implemented by the CSS including, but not limited to, a real-time certificate status retrieval protocol including LDAP, OCSP, and any other certificate status retrieval protocol for retrieving certificate statuses in real-time, and one of Certificate Revocation Lists (CRLs) that are retrieved at specified publication intervals and Delta Certificate Revocation Lists (Δ
  
  CRLs) that are retrieved upon notification;
  
  recording retrieved certificate statuses in the CSS cache memory; and
  
  returning the retrieved certificate statuses to the requesting entities;
  
  wherein the issuing CAs and connector parameters, which enable the CSS to interwork with any CAs and CA domains even though the CSS and issuing CAs may operate using dissimilar certificate practices and policies, are designated on a list of approved CAs in the CSS configuration store.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein a certificate indicating a validity period is deemed to have expired if a local date and time fall outside the validity period.
  - 3. The method of claim 2, wherein the issuing CA is added to at least one organization'"'"'s list of approved CAs by vetting and approving the issuing CA according to predetermined business rules, wherein the business rules include at least one rule for reviewing the acceptability of the CA'"'"'s certificate policy and practices for ensuring the identity of the entity requesting the certificate, and if the issuing CA is vetted and not approved or later disapproved, the issuing CA is added to the at least one organization'"'"'s list of not-approved CAs in the CSS configuration store and/or has any prior entry removed from the at least one organization'"'"'s list of approved CAs.
  - 4. The method of claim 3, wherein vetting and approving the issuing CA include registering a representation of a trusted certificate of the CA with the CSS and adding, to the CSS configuration store, at least the certificate status reporting component of the CA, the certificate status reporting component including, but not limited to CRL, OCSP, or LDAP;
    - a time-to-live data element; and
      
      communication information needed to configure a connector.
  - 5. The method of claim 4, further comprising the steps of:
    - checking and updating the CSS cache memory for the queried certificate status, and if the queried certificate status is found in the CSS cache memory, checking that the local date and time are within the certificate'"'"'s validity period and that the time-to-live data element and use-counter values are within a threshold;
      
      if any of the validity period, time-to-live data element, or use-counter values are unacceptable, clearing the CSS cache memory, wherein if the queried certificate status is not found in the CSS cache memory, the CSS establishes a communication session with the certificate status reporting component of the issuing CA, composes a certificate status request using one of the CRL or real-time reporting methods according to the configured connector, retrieves the queried certificate status from the certificate status reporting component, closes the communication session with the certificate status reporting component, and adds at least one of the certificate identification, certificate'"'"'s status, use-counter, and time-to-live data element to the CSS cache memory.
  - 6. The method of claim 1, wherein if the certificate status reporting method is indicated to be a Certificate Revocation List, then, according to a publication schedule of the issuing CA, the CSS retrieves the CRL from a certificate status reporting component listed in the CSS configuration store, the CSS clears the CSS cache memory associated with the issuing CA, and the CSS extracts the certificate statuses of all certificates from the CRL and stores the extracted certificate statuses in the CSS cache memory associated with the issuing CA.
  - 7. The method of claim 1, wherein if the certificate status reporting method is indicated to be a Δ
    - CRL, then upon notification by the issuing CA that the Δ
      
      CRL is available, the CSS retrieves the Δ
      
      CRL from a certificate status reporting component listed in the CSS configuration store and if the Δ
      
      CRL is a full CRL, then the CSS clears the CSS cache memory associated with the issuing CA, extracts all certificate statuses from the CRL, and stores the extracted certificate statuses in the CSS cache memory, and if the Δ
      
      CRL contains changes occurring after publication of a full CRL, the CSS extracts all certificate statuses from the Δ
      
      CRL, and stores the extracted certificate statuses in the CSS cache memory.
  - 8. The method of claim 1, wherein the communicating step includes communicating according to a plurality of connectors to multiple CAs and PKIs.
  - 9. The method of claim 1, wherein the connectors allow more than one certificate status request to be chained together in a single communicating step between the CSS and the issuing CA.
  - 10. The method of claim 1, wherein certificates are held in the CSS configuration store until expiration and information is extracted as needed.
  - 11. The method of claim 1, further comprising retrieving statuses of the certificates issued by the approved CAs in response to queries from a trusted third-party repository of information objects to the CSS to validate the certificate statuses, further comprising the steps of:
    - locating and reporting the requested certificate statuses if the certificate statuses are present and current in the CSS cache memory;
      
      if the certificate statuses are not present in the CSS cache memory, performing the steps of;
      
      obtaining the communications information, certificate status types, and retrieval methods from the CSS configuration store;
      
      if the certificate status type is CRL, and the CRL in the CSS cache memory is current, and the certificate statuses are not found in the CSS cache memory, then reporting the certificate statuses as valid; and
      
      if the certificate status type is CRL, the CRL is not current or found in the CSS cache memory, and local time is greater than a next scheduled publication time for the CRL, or if the certificate status type is not CRL,creating connectors and composing certificate status requests according to the respective certificate status type;
      
      establishing communication sessions with the certificate status reporting components of the issuing CAs;
      
      retrieving the certificate statuses from the certificate status reporting components using the obtained retrieval methods and ending the communication sessions;
      
      interpreting the retrieved certificate statuses;
      
      associating, with the interpreted retrieved certificate statuses, time-to-live values representing periods specified by the respective CSS policy policies for the certificate status types;
      
      adding at least one of the certificate identification, the interpreted retrieved certificate status and time-to-live values to the CSS cache memory; and
      
      reporting the interpreted retrieved certificate statuses to the trusted third-party repository of information objects.
  - 12. The method of claim 1, further comprising:
    - reporting valid certificate statuses when the certificate status type is CRL, the CRL is current, and the certificate statuses are not found in the CSS cache memory;
      
      reporting the certificate statuses when the certificate statuses are found in the CSS cache memory and the time-to-live and use-counter values have not exceeded respective thresholds;
      
      otherwise,if either the time-to-live or use-counter values have exceeded respective thresholds, clearing the certificate statuses from the CSS cache memory;
      
      if the certificate statuses have not been reported in a previous step, then requesting and retrieving the certificate statuses using the certificate status reporting method indicated in the CSS configuration store;
      
      when the status type is CRL, retrieving and parsing the new CRL at a next indicated publication time;
      
      when the certificate status type is at least one of the type LDAP, OSCP, and any other real-time certificate status reporting protocol, retrieving and parsing the certificate status;
      
      adding at least one of the certificate identification, certificate status, time-to-live and use-counter values to the CSS cache memory; and
      
      reporting the retrieved certificate statuses to the requesting entity.
  - 13. The method of claim 12, wherein a certificate status use-counter data element is added to the CSS'"'"'s certificate status cache, wherein the certificate status use-counter data element is incremented or decremented every time the certificate'"'"'s status is checked, and if the certificate status use-counter value exceeds a respective threshold, then the certificate status is reported and the CSS cache memory is cleared with respect to the certificate status.
  - 14. The method of claim 13, wherein a certificate status last-accessed data element is added to the CSS cache memory, and the certificate status last-accessed data element in conjunction with the certificate status use-counter data element enable the CSS to determine an activity level of the certificate'"'"'s status.
  - 15. The method of claim 14, wherein when a request is made to the CSS to retrieve a certificate status of a new certificate and the CSS cache memory has reached an allocated memory size limit, the CSS searches the CSS cache memory for every certificate status entry where the current time exceeds the time-to-live value for every certificate status entry where the value of the use-counter data element exceeds the threshold and the value of the at least one certificate status entry with the oldest last-accessed value, wherein the CSS then clears the respective CSS cache memory entries, retrieves the requested certificate status, places the retrieved certificate status in the CSS cache memory, and reports the retrieved certificate status to the requesting entity.
  - 16. The method of claim 15, wherein a cleanup process removes all stale cache entries as required when new CRLs or Δ
    - CRLs are retrieved, one of the thresholds is exceeded, or freeing up of cache is required.
  - 17. The method of claim 1, wherein the CSS can query a second CSS for the certificate status if the second CSS is designated in the CSS configuration store as an approved certificate status reporting component for the issuing CA.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
eOriginal, Inc.
Original Assignee
eOriginal, Inc.
Inventors
Szebenyi, Joshua, Hilton, Walter J., Bisbee, Stephen F., Becker, Keith F., Moskowitz, Jack J.
Primary Examiner(s)
Davis; Zachary A

Application Number

US10/620,817
Publication Number

US 20040093493A1
Time in Patent Office

2,533 Days
Field of Search

713155-158, 713/176, 713/178, 713/175, 726/5, 726/10
US Class Current

713/158
CPC Class Codes

G06Q 20/00   Payment architectures, sche...

G06Q 20/02   involving a neutral party, ...

G06Q 20/389   Keeping log of transactions...

G07F 7/08   by coded identity card or c...

G07F 7/12   Card verification

H04L 2209/56   Financial cryptography, e.g...

H04L 9/3247   involving digital signatures

H04L 9/3268   using certificate validatio...

System and method for a remote access service enabling trust and interoperability when retrieving certificate status from multiple certification authority reporting components

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

163 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for a remote access service enabling trust and interoperability when retrieving certificate status from multiple certification authority reporting components

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

163 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links