Validating a certificate chain in a dispersed storage network
First Claim
1. A method for authenticating a certificate chain within a dispersed storage network (DSN) by one or more computing devices of the DSN, wherein the method comprises:
- receiving, by the one or more computing devices, the certificate chain from a requesting entity, wherein the certificate chain includes one or more signed certificates;
determining whether at least one of the one or more signed certificates has a valid signature by;
verifying signature of the requesting entity on a certificate of the certificate chain by at least one of;
instructing the requesting entity to decrypt an encrypted message using a private key of the requesting entity to produce a decrypted message;
receiving the decrypted message from the requesting entity; and
verifying the decrypted message; and
instructing the requesting entity to encrypt a message using the private key to produce a second encrypted message;
receiving the second encrypted message from the requesting entity; and
verifying the second encrypted message using a public key;
when the signature of the requesting entity is verified, verifying signature of another certificate of the certificate chain; and
when the signature of the other certificate is verified, indicating that the at least one of the one or more signed certificates has a valid signature; and
when the at least one of the one or more signed certificates has a valid signature;
identifying one or more certificate authorities (CA) from the one or more signed certificates to produce identified CAs;
accessing registry information that includes one or more realm identifiers (IDs) and a plurality of trusted certificate authority (CA) IDs;
determining whether one or more of the identified CAs is a trusted CA based on the registry information;
when the one or more of the identified CAs is a trusted CA, indicating that the certificate chain is valid;
identifying a realm ID of the one or more realm IDs based on a trusted CA ID of the one or more of the identified CAs that is a trusted CA, wherein the realm ID identifies a predetermined grouping of entities associated with the DSN; and
generating certificate chain validation information to include the realm ID, the one or more of the identified CAs that is the trusted CA, and the indication of the validity of the certificate chain.
2 Assignments
0 Petitions
Accused Products
Abstract
A method begins by a processing module receiving a certificate chain and determining whether at least one of one or more signed certificates of the chain has a valid signature. When the at least one of the one or more signed certificates has a valid signature, the method continues with the processing module identifying one or more certificate authorities (CA) to produce identified CAs, accessing registry information that includes one or more realm identifiers (IDs) and a plurality of trusted CA IDs, determining whether one or more of the identified CAs is a trusted CA, and when the one or more of the identified CAs is a trusted CA, indicating that the certificate chain is valid, identifying a realm ID based on a trusted CA ID, and generating certificate chain validation information to include the realm ID, trusted CAs, and the indication of the validity of the certificate chain.
85 Citations
14 Claims
-
1. A method for authenticating a certificate chain within a dispersed storage network (DSN) by one or more computing devices of the DSN, wherein the method comprises:
-
receiving, by the one or more computing devices, the certificate chain from a requesting entity, wherein the certificate chain includes one or more signed certificates; determining whether at least one of the one or more signed certificates has a valid signature by; verifying signature of the requesting entity on a certificate of the certificate chain by at least one of; instructing the requesting entity to decrypt an encrypted message using a private key of the requesting entity to produce a decrypted message;
receiving the decrypted message from the requesting entity; and
verifying the decrypted message; andinstructing the requesting entity to encrypt a message using the private key to produce a second encrypted message;
receiving the second encrypted message from the requesting entity; and
verifying the second encrypted message using a public key;when the signature of the requesting entity is verified, verifying signature of another certificate of the certificate chain; and when the signature of the other certificate is verified, indicating that the at least one of the one or more signed certificates has a valid signature; and when the at least one of the one or more signed certificates has a valid signature; identifying one or more certificate authorities (CA) from the one or more signed certificates to produce identified CAs; accessing registry information that includes one or more realm identifiers (IDs) and a plurality of trusted certificate authority (CA) IDs; determining whether one or more of the identified CAs is a trusted CA based on the registry information; when the one or more of the identified CAs is a trusted CA, indicating that the certificate chain is valid; identifying a realm ID of the one or more realm IDs based on a trusted CA ID of the one or more of the identified CAs that is a trusted CA, wherein the realm ID identifies a predetermined grouping of entities associated with the DSN; and generating certificate chain validation information to include the realm ID, the one or more of the identified CAs that is the trusted CA, and the indication of the validity of the certificate chain. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A computer comprises:
-
an interface; a memory; and a processing module operable to; receive, via the interface, the certificate chain from a requesting entity, wherein the certificate chain includes one or more signed certificates; determine whether at least one of the one or more signed certificates has a valid signature by; verifying signature of the requesting entity on a certificate of the certificate chain by at least one of; instructing the requesting entity to decrypt an encrypted message using a private key of the requesting entity to produce a decrypted message;
receiving the decrypted message from the requesting entity; and
verifying the decrypted message; andinstructing the requesting entity to encrypt a message using the private key to produce a second encrypted message;
receiving the second encrypted message from the requesting entity; and
verifying the second encrypted message using a public key;when the signature of the requesting entity is verified, verifying signature of another certificate of the certificate chain; and when the signature of the other certificate is verified, indicating that the at least one of the one or more signed certificates has a valid signature; and when the at least one of the one or more signed certificates has a valid signature; identify one or more certificate authorities (CA) from the one or more signed certificates to produce identified CAs; access registry information that includes one or more realm identifiers (IDs) and a plurality of trusted certificate authority (CA) IDs; determine whether one or more of the identified CAs is a trusted CA based on the registry information; when the one or more of the identified CAs is a trusted CA, indicate that the certificate chain is valid; identify a realm ID of the one or more realm IDs based on a trusted CA ID of the one or more of the identified CAs that is a trusted CA, wherein the realm ID identifies a predetermined grouping of entities associated with the DSN; and generate certificate chain validation information to include the realm ID, the one or more of the identified CAs is the trusted CA, and the indication of the validity of the certificate chain. - View Dependent Claims (9, 10, 11, 12, 13, 14)
-
Specification