Short-lived certificate authority service

US 7,853,995 B2
Filed: 11/18/2005
Issued: 12/14/2010
Est. Priority Date: 11/18/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

forming, by a processor of a client device configured to communicate with other devices via a network, a bundled request, for communication to an authentication service over a network, the bundled request is configured according to an extended web service trust protocol that comprises a web service trust protocol for token requests that is extended with syntax that permits a request for a certificate, such that the extended web service trust protocol supports bundled requests for a token and a certificate, and the bundled request comprises a request for a token to prove identity at any of a plurality of service providers and a request for a certificate to establish secure communications;

receiving, by the client device, the token and the certificate in response to the bundled request; and

establishing, by the client device, secure communications for secure data sharing between the client device and a different client device using the received certificate with another certificate of the different client device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An integrated authentication service is described which may receive a bundled request from one or more clients. One or more of the described techniques may be utilized to provide, in response to a single bundled request, a token for proof of identity and a certificate for establishing secure communications.

241 Citations

20 Claims

1. A method comprising:
- forming, by a processor of a client device configured to communicate with other devices via a network, a bundled request, for communication to an authentication service over a network, the bundled request is configured according to an extended web service trust protocol that comprises a web service trust protocol for token requests that is extended with syntax that permits a request for a certificate, such that the extended web service trust protocol supports bundled requests for a token and a certificate, and the bundled request comprises a request for a token to prove identity at any of a plurality of service providers and a request for a certificate to establish secure communications;
  
  receiving, by the client device, the token and the certificate in response to the bundled request; and
  
  establishing, by the client device, secure communications for secure data sharing between the client device and a different client device using the received certificate with another certificate of the different client device.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method as recited in claim 1 further comprising providing client credentials for verification by the authentication service, wherein a single verification of the client credentials permits issuance of both the token and the certificate.
  - 3. The method as recited in claim 1 wherein the establishing secure communications includes setting up a secure communications channel between two clients using a respective said certificate of each client.
  - 4. The method as recited in claim 1 wherein the certificate is a short-lived certificate (SLC).
  - 5. The method as recited in claim 4 wherein:
    - the SLC includes an expiration time that defines a validity period; and
      
      the SLC is automatically revoked when the expiration time passes.

6. A method implemented at a computing device, the method comprising:
- receiving, by an authentication service executed at the computing device having a processor and memory and configured to issue tokens and certificates, a single request from a client over a network;
  
  issuing, by the authentication service executed at the computing device, a response to the single request utilizing an extended web service trust protocol, the extended web service trust protocol comprises a web service trust protocol for certificate requests that is extended with syntax which permits inclusion of the certificate in the response to the single request, and the single request includes;
  
  a token configured to be provided as proof of the client'"'"'s identity to at least one service provider; and
  
  a certificate that is separate and distinct from the token, and when the certificate is received by the client, the certificate is used with another certificate received from a different client to establish secure peer-to-peer transactions between the client and the different client.
- View Dependent Claims (7, 8, 9)
- - 7. The method as recited in claim 6 wherein the certificate is based upon a configurable policy which defines one or more of a certificate validity period, certificate type, key type, key length, key usage, extended key usage, policy id, user notice, clock skew, or certificate signing period.
  - 8. The method as recited in claim 6 wherein the certificate includes a public key used to establish a secure communications channel between the client and the different client, and wherein the secure communications channel permits the secure peer-to-peer transactions between the client and the different client.
  - 9. The method as recited in claim 8 wherein the secure peer-to-peer transactions are selected from a group comprising one or more of the following:
    - instant messaging;
      
      file sharing;
      
      application sharing;
      
      data sharing; and
      
      photo sharing.

10. One or more computer readable media comprising computer executable instruction that when executed by a computer direct the computer to perform a method comprising:
- executing a messaging module to communicate with another computer;
  
  in response to executing the messaging module, generating a bundled request for a token and a short-lived certificate (SLC) using an extended web service trust protocol, wherein the extended web service trust protocol comprises a web service trust protocol for token requests that is extended with syntax that permits a request for an SLC, such that the extended web service trust protocol supports bundled requests for a token and an SLC;
  
  communicating the bundled request to an authentication service, wherein the bundled request is authenticated by the authentication service using client credentials;
  
  in response to the bundled request, receiving a particular token and a particular SLC, wherein the particular SLC is configured to establish a secure peer-to-peer communications channel;
  
  presenting the particular token as proof of identity at any of a plurality of service providers without needing additional authentication at said providers;
  
  using the particular SLC and an additional SLC received at the another computer to establish a secure peer-to-peer communications channel between the computer and the another computer without the authentication service validating the particular SLC received at the computer and the additional SLC received at the another computer; and
  
  sharing data with the another computer via the secure peer-to-peer communications channel.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 11. The one or more computer readable media of claim 10, wherein the secure peer-to-peer communications channel is established automatically when an instant messaging session is initiated.
  - 12. The one or more computer readable media of claim 10, wherein the secure peer-to-peer communications channel is established upon selection of a secure sharing option from a user interface.
  - 13. The one or more computer readable media of claim 10, wherein the method further comprises providing a security indicator to indicate whether the secure peer-to-peer communications channel is established.
  - 14. The one or more computer readable media of claim 10, wherein the method further comprises displaying a scale of security textually or graphically.
  - 15. The one or more computer readable media of claim 10, wherein the secure peer-to-peer communications channel supports secure peer-to-peer transactions comprising instant messaging, file sharing, application sharing, data sharing, photo sharing, or combinations thereof.
  - 16. The one or more computer readable media of claim 10, wherein the particular SLC is based upon a configurable policy which defines one or more of a certificate validity period, certificate type, key type, key length, key usage, extended key usage, policy id, user notice, clock skew, or certificate signing period.
  - 17. The one or more computer readable media of claim 10, wherein the SLC includes an expiration time that defines a validity period and the SLC is automatically revoked when the expiration time passes.
  - 18. The one or more computer readable media of claim 10, wherein the method further comprises providing a plurality of sharing options via a user interface.
  - 19. The one or more computer readable media of claim 18, wherein the sharing options include share, secured sharing, select files, share applications, share images, share desktop, or combinations thereof.
  - 20. The one or more computer readable media of claim 18, wherein the sharing options are shown on the user interface in a menu bar, in a side bar, as individual buttons, or combinations thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Rouskov, Yordan, Jiang, Wei, Sayyaparaju, Kalyan, Pai, Dilip, Belur, Avinash, Chan, Kok Wai, Sullivan, Matt, Nagvekar, Sanjeev, Chow, Colin, Chow, Trevin, Wong, Winfred
Primary Examiner(s)
Brown; Christopher J

Application Number

US11/282,174
Publication Number

US 20070118875A1
Time in Patent Office

1,852 Days
Field of Search

713/175, 726/10, 726/18, 726/19
US Class Current

726/10
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 51/04   Real-time or near real-time...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 63/0846   using time-dependent-passwo...

H04L 63/20   for managing network securi...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3263   involving certificates, e.g...

Short-lived certificate authority service

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

241 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Short-lived certificate authority service

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

241 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others