Identity-based certificate management

US 8,707,031 B2
Filed: 04/07/2009
Issued: 04/22/2014
Est. Priority Date: 04/07/2009
Status: Active Grant

First Claim

Patent Images

1. A method for validating a digital certificate issued to a client system and associated with a specific client identity, the method comprising:

receiving the digital certificate from the client system, the digital certificate including a user identifier and a certificate validity period indicator defined by a validity start time and a validity end time, the user identifier corresponding to the specific client identity;

generating a first query to a directory service having a plurality of entries each associated with different client identities, the client identities each associated with a plurality of informational attributes stored in the directory service, the first query including a request for a first entry associated with the specific client identity, the first entry including a directory validity time value attribute for the specific client identity, wherein the plurality of informational attributes comprises at least some attributes unrelated to digital certificates;

receiving the directory validity time value attribute returned by the first query; and

validating the digital certificate in response to evaluations of the validity start time and the validity end time of the certificate validity period indicator against the received directory validity time value attribute and a current time;

wherein the directory validity time value attribute is editable to revoke a plurality of digital certificates associated with the user identifier.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods for managing digital certificates, including issuance, validation, and revocation are disclosed. Various embodiments involve querying a directory service with entries that correspond to a particular client identity and have attributes including certificate issuance limits and certificate validity time values. The validity time values are adjustable to revoke selectively the certificates based upon time intervals set forth in validity identifiers included therein.

Citations

22 Claims

1. A method for validating a digital certificate issued to a client system and associated with a specific client identity, the method comprising:
- receiving the digital certificate from the client system, the digital certificate including a user identifier and a certificate validity period indicator defined by a validity start time and a validity end time, the user identifier corresponding to the specific client identity;
  
  generating a first query to a directory service having a plurality of entries each associated with different client identities, the client identities each associated with a plurality of informational attributes stored in the directory service, the first query including a request for a first entry associated with the specific client identity, the first entry including a directory validity time value attribute for the specific client identity, wherein the plurality of informational attributes comprises at least some attributes unrelated to digital certificates;
  
  receiving the directory validity time value attribute returned by the first query; and
  
  validating the digital certificate in response to evaluations of the validity start time and the validity end time of the certificate validity period indicator against the received directory validity time value attribute and a current time;
  
  wherein the directory validity time value attribute is editable to revoke a plurality of digital certificates associated with the user identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the validity start time is subsequent to the validity time value attribute in a one of the evaluations.
  - 3. The method of claim 1, wherein the digital certificate is rejected in response to a one of the evaluations in which the validity start time of the certificate validity period indicator in the digital certificate is prior to the received directory validity time value attribute for the specific client identity.
  - 4. The method of claim 1, wherein the digital certificate is rejected in response to a one of the evaluations in which the validity end time of the certificate validity period indicator in the digital certificate is prior to the current time.
  - 5. The method of claim 1, further comprising:
    - removing access restrictions to a network application resource upon validating the digital certificate.
  - 6. The method of claim 5, wherein the user identifier corresponds to an account on the network application resource.
  - 7. The method of claim 1, wherein the directory service is a lightweight directory access protocol (LDAP) compliant system.
  - 8. The method of claim 1, wherein the directory service is a Standard Query Language (SQL) database.
  - 9. The method of claim 1, wherein the attributes unrelated to digital certificates comprises at least one of an email address, a mailing address, a telephone number, and an organizational position.
  - 10. The method of claim 1, further comprising revoking the plurality of certificates associated with the user identifier in response to an edit to a single validity time value attribute within the directory service associated with the user identifier.

11. A system for validating a digital certificate issued to a client system and associated with a specific client identity, the system comprising:
- a computing system comprising one or more computing devices, said computing system programmed via executable instructions to at least;
  
  receive the digital certificate from the client system, the digital certificate including a user identifier and a certificate validity period indicator defined by a validity start time and a validity end time, the user identifier corresponding to the specific client identity;
  
  send a first query to a directory service having a plurality of entries each associated with different client identities, the client identities each associated with a plurality of informational attributes stored in the directory service, the first query including a request for a first entry associated with the specific client identity, the first entry including a directory validity time value attribute for the specific client identity, wherein the plurality of informational attributes comprises at least some attributes unrelated to digital certificates;
  
  receive the directory validity time value attribute from the directory service; and
  
  validate the digital certificate in response to evaluations of the validity start time and the validity end time of the certificate validity period indicator against the received directory validity time value attribute and a current time;
  
  wherein the directory validity time value attribute is editable to revoke a plurality of digital certificates associated with the user identifier.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The system of claim 11, wherein the validity start time is subsequent to the validity time value attribute in a one of the evaluations.
  - 13. The system of claim 11, wherein the computing system is further programmed via executable instruction to at least reject the digital certificate in response to a one of the evaluations in which the validity start time of the certificate validity period indicator in the digital certificate is prior to the received directory validity time value attribute for the specific client identity.
  - 14. The system of claim 11, wherein the computing system is further programmed via executable instruction to at least remove access restrictions to a network application resource upon validating the digital certificate.
  - 15. The system of claim 13, wherein the user identifier corresponds to an account on the network application resource.
  - 16. The system of claim 11, wherein the attributes unrelated to digital certificates comprises at least one of an email address, a mailing address, a telephone number, and an organizational position.
  - 17. The system of claim 11, wherein the computing system is further programmed via executable instruction to at least revoke the plurality of certificates associated with the user identifier in response to an edit to a single validity time value attribute within the directory service associated with the user identifier.

18. Non-transitory computer storage medium that comprises executable instructions that when executed by a computing system, directs the computing system to at least:
- receive a digital certificate from the client system, the digital certificate including a user identifier and a certificate validity period indicator defined by a validity start time and a validity end time, the user identifier corresponding to the specific client identity;
  
  generate a first query to a directory service having a plurality of entries each associated with different client identities, the client identities each associated with a plurality of informational attributes stored in the directory service, the first query including a request for an entry associated with the specific client identity, the entry including a directory validity time value attribute for the specific client identity, wherein the plurality of informational attributes comprises at least some attributes unrelated to digital certificates;
  
  receive the directory validity time value attribute returned by the first query; and
  
  validate the digital certificate in response to evaluations of the validity start time and the validity end time of the certificate validity period indicator against the received directory validity time value attribute and a current time;
  
  wherein the directory validity time value attribute is editable to revoke a plurality of digital certificates associated with the user identifier.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The non-transitory computer storage of claim 18, further comprising:
    - executable instructions that direct a computing system to remove access restrictions to a network application resource upon validating the digital certificate.
  - 20. The non-transitory computer storage of claim 19, wherein the user identifier corresponds to an account on the network application resource.
  - 21. The non-transitory computer storage of claim 18, wherein the attributes unrelated to digital certificates comprises at least one of an email address, a mailing address, a telephone number, and an organizational position.
  - 22. The non-transitory computer storage of claim 18, further comprising:
    - executable instructions that revoke the plurality of certificates associated with the user identifier in response to an edit to a single validity time value attribute within the directory service associated with the user identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecureAuth Incorporated
Original Assignee
SecureAuth Incorporated
Inventors
Lambiase, Mark V., Grajek, Garrett F., Lo, Jeff C.
Primary Examiner(s)
Gelagay, Shewaye

Application Number

US12/419,951
Publication Number

US 20100257358A1
Time in Patent Office

1,841 Days
Field of Search

713/158
US Class Current

713/158
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/06   for supporting key manageme...

H04L 63/0823   using certificates cryptogr...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3252   using DSA or related signat...

H04L 9/3263   involving certificates, e.g...

H04L 9/3268   using certificate validatio...

H04L 9/3271   using challenge-response

H04L 9/3297   involving time stamps, e.g....

Identity-based certificate management

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Identity-based certificate management

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links