Method and apparatus for managing digital certificates

US 8,135,950 B2
Filed: 02/27/2007
Issued: 03/13/2012
Est. Priority Date: 02/27/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for managing digital, certificates, the method comprising:

receiving, at a certificate handler, over a network an email from a user, the email including an encryption certificate having a public key associated with the user, the email requesting the encryption certificate to be added into a directory of an email directory server that provides email directory services to one or more email servers, wherein the email directory server is a lightweight directory access protocol (LDAP) server;

extracting, by the certificate handler, the encryption certificate from the email, the encryption certificate being issued from a certificate authority other than the user, wherein the certificate handler and the user are separate entities;

obtaining, by the certificate handler, a root certificate from the certificate authority, the root certificate corresponding to the encryption certificate;

authenticating, by the certificate handler, the encryption certificate using the root certificate, wherein the certificate handler is a separate entity from the certificate authority; and

upon successfully authenticating the encryption certificate, the certificate handler causing the encryption certificate to be stored in an entry of the directory of the email directory server based on an identity (ID) of the user, such that other users can obtain the encryption certificate from the email directory server to send an encrypted email to the user using the public key of the encryption certificate, wherein the encrypted email is to be decrypted by the user using a private key corresponding to the public key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and apparatus for managing digital certificates are described herein. In one embodiment, an encryption certificate is extracted from an email received from an owner of the encryption certificate, where the encryption certificate being issued from a trusted party other than the owner. Then the encryption certificate is associated with an entry of a directory based on an identity (ID) of the owner, where the directory provides directory services to one or more email servers. Other methods and apparatuses are also described.

38 Citations

View as Search Results

22 Claims

1. A computer-implemented method for managing digital, certificates, the method comprising:
- receiving, at a certificate handler, over a network an email from a user, the email including an encryption certificate having a public key associated with the user, the email requesting the encryption certificate to be added into a directory of an email directory server that provides email directory services to one or more email servers, wherein the email directory server is a lightweight directory access protocol (LDAP) server;
  
  extracting, by the certificate handler, the encryption certificate from the email, the encryption certificate being issued from a certificate authority other than the user, wherein the certificate handler and the user are separate entities;
  
  obtaining, by the certificate handler, a root certificate from the certificate authority, the root certificate corresponding to the encryption certificate;
  
  authenticating, by the certificate handler, the encryption certificate using the root certificate, wherein the certificate handler is a separate entity from the certificate authority; and
  
  upon successfully authenticating the encryption certificate, the certificate handler causing the encryption certificate to be stored in an entry of the directory of the email directory server based on an identity (ID) of the user, such that other users can obtain the encryption certificate from the email directory server to send an encrypted email to the user using the public key of the encryption certificate, wherein the encrypted email is to be decrypted by the user using a private key corresponding to the public key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, further comprising:
    - locating an existing entry associated with the user within the directory;
      
      upon successfully locating the existing entry, updating the existing entry with the extracted encryption certificate; and
      
      publishing the updated encryption certificate in a network community.
  - 3. The method of claim 1, further comprising adding a new entry based on the ID of the user, if there is no existing entry associated with the user in the directory.
  - 4. The method of claim 1, wherein the email is signed by the user using a signature certificate that is different than the encryption certificate.
  - 5. The method of claim 4, further comprising verifying the signature certificate to confirm that the email is received from the user prior to storing the encryption certificate in the email directory server.
  - 6. The method of claim 5, further comprising matching a first email address extracted from a first subject alternative name extension field of the signature certificate and a second email address extracted from a second subject alternative name extension field of the encryption certificate.
  - 7. The method of claim 1, wherein the email is directed to a predetermined destination address to request for updating the entry associated with the user, including at least one of adding, deleting, modifying, and querying the entry in the directory.
  - 8. The method of claim 1, wherein the directory is an LDAP (lightweight directory access protocol) compatible directory, and the ID of the owner comprises at least one of a name and email address associated with the user.
  - 12. The non-transitory machine-readable medium of claim 1, wherein the email is signed by the user using a signature certificate that is different than the encryption certificate.
  - 13. The non-transitory machine-readable medium of claim 12, wherein the method further comprises verifying the signature certificate to confirm that the email is received from the user prior to storing the encryption certificate in the email directory server.
  - 14. The non-transitory machine-readable medium of claim 13, wherein the method further comprises matching a first email address extracted from a first subject alternative name extension field of the signature certificate and a second email address extracted from a second subject alternative name extension field of the encryption certificate.
  - 15. The non-transitory machine-readable medium of claim 1, wherein the email is directed to a predetermined destination address to request for updating the entry associated with the user, including at least one of adding, deleting, modifying, and querying the entry in the directory.
  - 16. The non-transitory machine-readable medium of claim 1, wherein the directory is an LDAP (lightweight directory access protocol) compatible directory, and the ID of the owner comprises at least one of a name and email address associated with the user.

9. A non-transitory machine-readable medium having instructions, which when executed, cause a processor to perform a method for managing digital certificates, the method comprising:
- receiving, at a certificate handler, over a network an email from a user, the email including an encryption certificate having a public key associated with the user, the email requesting the encryption certificate to be added into a directory of an email directory server that provides email directory services to one or more email servers, wherein the email directory server is a lightweight directory access protocol (LDAP) server;
  
  extracting, by the certificate handler, the encryption certificate from the email, the encryption certificate being issued from a certificate authority other than the user, wherein the certificate handler and the user are separate entities;
  
  obtaining, by the certificate handler, a root certificate from the certificate authority, the root certificate corresponding to the encryption certificate;
  
  authenticating, by the certificate handler, the encryption certificate using the root certificate, wherein the certificate handler is a separate entity from the certificate authority; and
  
  upon successfully authenticating the encryption certificate, the certificate handler causing the encryption certificate to be stored in an entry of the directory of the email directory server based on an identity (ID) of the user, such that other users can obtain the encryption certificate from the email directory server to send an encrypted email to the user using the public key of the encrypted certificate, wherein the encrypted email is to be decrypted by the user using a private key corresponding to the public key.
- View Dependent Claims (10, 11)
- - 10. The non-transitory machine-readable medium of claim 9, wherein the method further comprises:
    - locating an existing entry associated with the user within the directory;
      
      upon successfully locating the existing entry, updating the existing entry with the extracted encryption certificate; and
      
      publishing the updated encryption certificate in a network community.
  - 11. The non-transitory machine-readable medium of claim 9, wherein the method further comprises adding a new entry based on the ID of the user, if there is no existing entry associated with the user in the directory.

17. An apparatus for managing digital certificates, comprising:
- an extractor to extract an encryption certificate from an email received from a user as an owner of the encryption certificate including a public key associated with the user, the encryption certificate being issued from a certificate authority other than the owner, wherein the email requests the encryption certificate to be added into a directory of an email directory server that provides email directory services to one or more email servers, wherein the email directory server is a lightweight directory access protocol (LDAP) server;
  
  an encryption certificate verifier coupled to the extractor to obtain a root certificate from the certificate authority and to verify the encryption certificate using the root certificate; and
  
  a directory entry processing unit coupled to the extractor and the encryption certificate verifier, upon successfully verifying the encryption certificate, to store the encryption certificate in an entry of the directory of the email directory server based on an identity (ID) of the owner, such that other users can obtain the encryption certificate from the email directory server to send an encrypted email to the user using the public key of the encryption certificate, wherein the encrypted email is to be decrypted by the user using a private key corresponding to the public key.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The apparatus of claim 17, wherein the email is signed by the user using a signature certificate that is different than the encryption certificate.
  - 19. The apparatus of claim 18, further comprising a signature verifier configured to verify the signature certificate to confirm that the email is received from the owner of the encryption certificate prior to storing the encryption certificate in the email directory server.
  - 20. The apparatus of claim 19, wherein the signature verifier is configured to match a first email address extracted from a first subject alternative name extension field of the signature certificate and a second email address a second subject alternative name extension field of the encryption certificate.
  - 21. The apparatus of claim 17, wherein the directory entry processing unit is configured to:
    - locate an existing entry associated with the owner of the encryption certificate within the directory,upon successfully locating the existing entry, update the existing entry with the extracted encryption certificate, andcause the directory to publish the updated encryption certificate in a network community.
  - 22. The apparatus of claim 17, wherein the directory entry processing unit is configured to add a new entry based on the ID of the owner of the encryption certificate, if there is no existing entry associated with the owner of the encryption certificate in the directory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Parkinson, Steven W.
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
LAKHIA, VIRAL S

Application Number

US11/712,278
Publication Number

US 20080209208A1
Time in Patent Office

1,841 Days
Field of Search

726 10- 21, 713/156, 713/176, 713/180
US Class Current

713/156
CPC Class Codes

H04L 63/0428 wherein the data content is...

H04L 63/0823 using certificates cryptogr...

Method and apparatus for managing digital certificates

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

38 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for managing digital certificates

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links