Method and system for the authentication of a public key certificate

US 8,028,333 B2
Filed: 08/23/2007
Issued: 09/27/2011
Est. Priority Date: 04/07/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method for authentication of a public key certificate as a service to a relying party (RP) in response to a request for said authentication by the RP who desires to determine a level of trust in a Certificate Authority (CA) that issued the certificate, said method comprising:

accessing a first quality level of each quality characteristic of a first set of quality characteristics required of the CA by the RP, said CA being a member of a Public Key Infrastructure (PKI) having a Certificate Policy (CP);

ascertaining a second quality level of each quality characteristic of a second set of quality characteristics possessed by the CA, each ascertained quality characteristic of the second set corresponding to an accessed quality characteristic of the first set on a one-to-one basis, at least one quality characteristic of the second set relating to at least one element of the CP;

a digital computer comparing the ascertained second quality level of each quality characteristic of the second set with the accessed quality level of each corresponding quality characteristic of the first set; and

said digital computer communicating a first result of said comparing to the RP, said first result being that the certificate is authenticated if said comparing has determined that each first quality level is not greater than each corresponding second quality level, otherwise said first result being that the certificate is not authenticated, said accessing, ascertaining, comparing, and communicating being performed by a certificate classification service,wherein the at least one element of the CP to which the at least one quality characteristic of the second set is related comprises items selected from the group consisting of;

disaster recovery plans for the CA;

allowed or intended application areas for certificates issued by the CA;

liabilities and responsibilities of the CA and of the customers of the CA;

a legal environment and jurisdiction in which the CA operates;

privacy statements used by the CA;

economical conditions pertaining to the CA;

requirements and procedures for identification and authentication in connection with certificate issuing and naming by the C;

requirements and procedures and rules for certificate revocation by the CA;

operational requirements for certificate issuing, revocation, logging procedures, archival, and key management by the CA;

procedures for termination of the CA'"'"'s service or transfer of the CA'"'"'s service to another CA;

physical, logical, and administrative security related to operation of the CA'"'"'s service; and

technical security measures used by the CA relating to generation, storage, and destruction of private keys and public keys.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system of authenticating a public key certificate for a relying party (RP). A Certificate Authority (CA), who issued the certificate, is a member of a Public Key Infrastructure (PKI) having a Certificate Policy (CP). First quality levels required of the CA by the RP are accessed by a certificate classification service (CCS) and corresponding second quality levels possessed by the CA are ascertained by the CCS. At least one quality characteristic pertaining to the second quality levels relates to at least one element of the CP. The ascertained second quality levels are compared by the CCS with the corresponding accessed first quality levels. A result of the comparing, communicated by the CCS to the RP, is that the certificate is authenticated if the comparing has determined that each first quality level is not less than each corresponding second quality level.

22 Citations

View as Search Results

25 Claims

1. A method for authentication of a public key certificate as a service to a relying party (RP) in response to a request for said authentication by the RP who desires to determine a level of trust in a Certificate Authority (CA) that issued the certificate, said method comprising:
- accessing a first quality level of each quality characteristic of a first set of quality characteristics required of the CA by the RP, said CA being a member of a Public Key Infrastructure (PKI) having a Certificate Policy (CP);
  
  ascertaining a second quality level of each quality characteristic of a second set of quality characteristics possessed by the CA, each ascertained quality characteristic of the second set corresponding to an accessed quality characteristic of the first set on a one-to-one basis, at least one quality characteristic of the second set relating to at least one element of the CP;
  
  a digital computer comparing the ascertained second quality level of each quality characteristic of the second set with the accessed quality level of each corresponding quality characteristic of the first set; and
  
  said digital computer communicating a first result of said comparing to the RP, said first result being that the certificate is authenticated if said comparing has determined that each first quality level is not greater than each corresponding second quality level, otherwise said first result being that the certificate is not authenticated, said accessing, ascertaining, comparing, and communicating being performed by a certificate classification service,wherein the at least one element of the CP to which the at least one quality characteristic of the second set is related comprises items selected from the group consisting of;
  
  disaster recovery plans for the CA;
  
  allowed or intended application areas for certificates issued by the CA;
  
  liabilities and responsibilities of the CA and of the customers of the CA;
  
  a legal environment and jurisdiction in which the CA operates;
  
  privacy statements used by the CA;
  
  economical conditions pertaining to the CA;
  
  requirements and procedures for identification and authentication in connection with certificate issuing and naming by the C;
  
  requirements and procedures and rules for certificate revocation by the CA;
  
  operational requirements for certificate issuing, revocation, logging procedures, archival, and key management by the CA;
  
  procedures for termination of the CA'"'"'s service or transfer of the CA'"'"'s service to another CA;
  
  physical, logical, and administrative security related to operation of the CA'"'"'s service; and
  
  technical security measures used by the CA relating to generation, storage, and destruction of private keys and public keys.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The method of claim 1, wherein the second quality level of the quality characteristics of the second set comprises an assurance level with respect to an authenticity of the certificate, an assurance level with respect to guarding against a fake signature on the certificate, and a credit rating of the CA.
  - 3. The method of claim 1,wherein the second quality level of the quality characteristics of the second set comprises parameters relating to a Certification Practice Statement (CPS) describing how the requirements of the CP are met in practice;
    - andwherein the at least one element of the CP to which the at least one quality characteristic of the second set is related comprises internal control mechanisms or third party audit procedures to verify that the CA'"'"'s operation is in accordance with the CP, the CPS, and internal procedure descriptions.
  - 4. The method of claim 1, wherein the second quality level of the quality characteristics of the second set comprises a trust model defining how the CA relates to other CAs within the PKI that the CA is a member of and to CAs who are members of other PKIs.
  - 5. The method of claim 1, wherein the second quality level of the quality characteristics of the second set comprises formal agreements that regulate relationships between the CA and other actors such that the other actors include customers of the CA for whom the CA issues certificates, Registration Authorities (RA) used by the CA, and at least one other CA.
  - 6. The method of claim 1,wherein the second quality level of the quality characteristics of the second set comprises use of a Certificate Revocation List (CRL);
    - andwherein the at least one element of the CP to which the at least one quality characteristic of the second set is related comprises requirements for publishing for certificates, CRLs, and other information.
  - 7. The method of claim 1, wherein the at least one element of the CP to which the at least one quality characteristic of the second set is related comprises said disaster recovery plans for the CA.
  - 8. The method of claim 1, wherein the at least one element of the CP to which the at least one quality characteristic of the second set is related comprises said allowed or intended application areas for certificates issued by the CA.
  - 9. The method of claim 1, wherein the at least one element of the CP to which the at least one quality characteristic of the second set is related comprises said liabilities and responsibilities of the CA and of the customers of the CA.
  - 10. The method of claim 1, wherein the at least one element of the CP to which the at least one quality characteristic of the second set is related comprises said legal environment and jurisdiction in which the CA operates.
  - 11. The method of claim 1, wherein the at least one element of the CP to which the at least one quality characteristic of the second set is related comprises said privacy statements used by the CA.
  - 12. The method of claim 1, wherein the at least one element of the CP to which the at least one quality characteristic of the second set is related comprises said economical conditions pertaining to the CA.
  - 13. The method of claim 1, wherein the at least one element of the CP to which the at least one quality characteristic of the second set is related comprises said requirements and procedures for identification and authentication in connection with certificate issuing and naming by the CA.
  - 14. The method of claim 1, wherein the at least one element of the CP to which the at least one quality characteristic of the second set is related comprises said requirements and procedures and rules for certificate revocation by the CA.
  - 15. The method of claim 1, wherein the at least one element of the CP to which the at least one quality characteristic of the second set is related comprises said operational requirements for certificate issuing, revocation, logging procedures, archival, and key management by the CA.
  - 16. The method of claim 1, wherein the at least one element of the CP to which the at least one quality characteristic of the second set is related comprises said procedures for termination of the CA'"'"'s service or transfer of the CA'"'"'s service to another CA.
  - 17. The method of claim 1, wherein the at least one element of the CP to which the at least one quality characteristic of the second set is related comprises said physical, logical, and administrative security related to operation of the CA'"'"'s service.
  - 18. The method of claim 1, wherein the at least one element of the CP to which the at least one quality characteristic of the second set is related comprises said technical security measures used by the CA relating to generation, storage, and destruction of private keys and public keys.
  - 19. The method of claim 1, wherein the at least one element of the CP to which the at least one quality characteristic of the second set is related comprises an extent of compliance of the CA with the at least one element of the CP.
  - 20. The method of claim 1, wherein said communicating further comprises communicating a second result of said comparing to the RP, wherein the second result is a list of deviations between the determined second quality level of each quality characteristic of the second and the accessed quality level of each corresponding quality characteristic of the first set.
  - 21. The method of claim 1, wherein said accessing comprises obtaining the first quality level of each quality characteristic of the first set of quality characteristics from a certificate profile register of the certificate classification service.
  - 22. The method of claim 1, wherein said accessing comprises receiving the first quality level of each quality characteristic of the first set of quality characteristics from the RP in conjunction with said request.
  - 23. The method of claim 1, wherein the second set of quality characteristics is stored in a certificate profile register of the certificate classification service prior to said ascertaining.

24. A system, comprising a digital computer, said computer comprising an internal memory storing software code configured to be executed on the computer to perform a method for authentication of a public key certificate as a service to a relying party (RP) in response to a request for said authentication by the RP who desires to determine a level of trust in a Certificate Authority (CA) that issued the certificate, said method comprising:
- accessing a first quality level of each quality characteristic of a first set of quality characteristics required of the CA by the RP, said CA being a member of a Public Key Infrastructure (PKI) having a Certificate Policy (CP);
  
  ascertaining a second quality level of each quality characteristic of a second set of quality characteristics possessed by the CA, each ascertained quality characteristic of the second set corresponding to an accessed quality characteristic of the first set on a one-to-one basis, at least one quality characteristic of the second set relating to at least one element of the CP;
  
  comparing the ascertained second quality level of each quality characteristic of the second set with the accessed quality level of each corresponding quality characteristic of the first set; and
  
  communicating a first result of said comparing to the RP, said first result being that the certificate is authenticated if said comparing has determined that each first quality level is not greater than each corresponding second quality level, otherwise said first result being that the certificate is not authenticated, said accessing, ascertaining, comparing, and communicating being performed by a certificate classification service,wherein the at least one element of the CP to which the at least one quality characteristic of the second set is related comprises items selected from the group consisting of;
  
  disaster recovery plans for the CA;
  
  allowed or intended application areas for certificates issued by the CA;
  
  liabilities and responsibilities of the CA and of the customers of the CA;
  
  a legal environment and jurisdiction in which the CA operates;
  
  privacy statements used by the CA;
  
  economical conditions pertaining to the CA;
  
  requirements and procedures for identification and authentication in connection with certificate issuing and naming by the C;
  
  requirements and procedures and rules for certificate revocation by the CA;
  
  operational requirements for certificate issuing, revocation, logging procedures, archival, and key management by the CA;
  
  procedures for termination of the CA'"'"'s service or transfer of the CA'"'"'s service to another CA;
  
  physical, logical, and administrative security related to operation of the CA'"'"'s service; and
  
  technical security measures used by the CA relating to generation, storage, and destruction of private keys and public keys.

25. A computer program product, comprising software code stored in an internal memory of a digital computer, wherein the software code is configured to be executed on the computer to perform a method for authentication of a public key certificate as a service to a relying party (RP) in response to a request for said authentication by the RP who desires to determine a level of trust in a Certificate Authority (CA) that issued the certificate, said method comprising:
- accessing a first quality level of each quality characteristic of a first set of quality characteristics required of the CA by the RP, said CA being a member of a Public Key Infrastructure (PKI) having a Certificate Policy (CP);
  
  ascertaining a second quality level of each quality characteristic of a second set of quality characteristics possessed by the CA, each ascertained quality characteristic of the second set corresponding to an accessed quality characteristic of the first set on a one-to-one basis, at least one quality characteristic of the second set relating to at least one element of the CP;
  
  comparing the ascertained second quality level of each quality characteristic of the second set with the accessed quality level of each corresponding quality characteristic of the first set; and
  
  communicating a first result of said comparing to the RP, said first result being that the certificate is authenticated if said comparing has determined that each first quality level is not greater than each corresponding second quality level, otherwise said first result being that the certificate is not authenticated, said accessing, ascertaining, comparing, and communicating being performed by a certificate classification service,wherein the at least one element of the CP to which the at least one quality characteristic of the second set is related comprises items selected from the group consisting of;
  
  disaster recovery plans for the CA;
  
  allowed or intended application areas for certificates issued by the CA;
  
  liabilities and responsibilities of the CA and of the customers of the CA;
  
  a legal environment and jurisdiction in which the CA operates;
  
  privacy statements used by the CA;
  
  economical conditions pertaining to the CA;
  
  requirements and procedures for identification and authentication in connection with certificate issuing and naming by the C;
  
  requirements and procedures and rules for certificate revocation by the CA;
  
  operational requirements for certificate issuing, revocation, logging procedures, archival, and key management by the CA;
  
  procedures for termination of the CA'"'"'s service or transfer of the CA'"'"'s service to another CA;
  
  physical, logical, and administrative security related to operation of the CA'"'"'s service; and
  
  technical security measures used by the CA relating to generation, storage, and destruction of private keys and public keys.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Falch, Konrad, Olnes, Jon, Lie, Anund, Lemberg, Trond, Liberg, Hakon, Myrseth, Per
Primary Examiner(s)
Flynn; Nathan
Assistant Examiner(s)
DOAN, TRANG T

Application Number

US11/843,720
Publication Number

US 20080028454A1
Time in Patent Office

1,496 Days
Field of Search

713155-158, 713/175
US Class Current

726/10
CPC Class Codes

G06Q 20/3829   involving key management

H04L 2209/56   Financial cryptography, e.g...

H04L 9/3268   using certificate validatio...

Method and system for the authentication of a public key certificate

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for the authentication of a public key certificate

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links