Identity-based certificate management
First Claim
1. A method for validating a digital certificate issued to a client system and associated with a specific client identity, the method comprising:
receiving the digital certificate from the client system, the digital certificate including a user identifier and a certificate validity period indicator defined by a validity start time and a validity end time, the user identifier corresponding to the specific client identity;
generating a first query to a directory service having a plurality of entries each associated with different client identities, the client identities each associated with a plurality of informational attributes stored in the directory service, the first query including a request for a first entry associated with the specific client identity, the first entry including a directory validity time value attribute for the specific client identity, wherein the plurality of informational attributes comprises at least some attributes unrelated to digital certificates;
receiving the directory validity time value attribute returned by the first query; and
validating the digital certificate in response to evaluations of the validity start time and the validity end time of the certificate validity period indicator against the received directory validity time value attribute and a current time;
wherein the directory validity time value attribute is editable to revoke a plurality of digital certificates associated with the user identifier.
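As an added illustration, not code from the patent or its assignee, the following Python sketch walks through the validation flow of claim 1 against a constructed in-memory directory. The names `Certificate`, `DIRECTORY`, `certValidFrom`, `validate` and `demo` are assumptions, and so is the comparison rule (a certificate whose validity start time precedes the directory validity time value is treated as revoked); the claim only states that both times are evaluated against that value and the current time.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Certificate:
    user_id: str          # user identifier naming the client identity
    not_before: datetime  # validity start time
    not_after: datetime   # validity end time

def utc(*ymd):
    return datetime(*ymd, tzinfo=timezone.utc)

# Constructed stand-in for the directory service: one entry per client identity,
# holding attributes unrelated to certificates (mail, department) alongside the
# directory validity time value ("certValidFrom" is an assumed attribute name).
DIRECTORY = {
    "alice": {"mail": "alice@example.test", "department": "ops",
              "certValidFrom": utc(2024, 1, 1)},
}

def lookup_validity_time(user_id):
    """First query of the claim: the identity's validity time value, or None."""
    entry = DIRECTORY.get(user_id)
    return None if entry is None else entry.get("certValidFrom")

def validate(cert, now):
    """Evaluate start and end times against the directory value and the current
    time. Assumed rule (the claim does not fix one): a certificate whose start
    time precedes the directory value is treated as revoked."""
    cutoff = lookup_validity_time(cert.user_id)
    if cutoff is None:
        return "rejected: unknown identity"
    if not cert.not_before <= now <= cert.not_after:
        return "rejected: outside validity period"
    if cert.not_before < cutoff:
        return "rejected: revoked by directory validity time"
    return "valid"

def demo():
    """Issue, validate, revoke by editing the directory, re-validate."""
    now = utc(2024, 6, 1)
    old = Certificate("alice", utc(2024, 3, 1), utc(2025, 3, 1))
    unknown = Certificate("mallory", utc(2024, 3, 1), utc(2025, 3, 1))
    before = validate(old, now)
    # One attribute edit revokes every certificate issued before May 2024.
    DIRECTORY["alice"]["certValidFrom"] = utc(2024, 5, 1)
    after = validate(old, now)
    fresh = Certificate("alice", utc(2024, 5, 15), utc(2025, 5, 15))
    return before, after, validate(fresh, now), validate(unknown, now)
```

The point of the sketch is the last step: a certificate issued after the edited directory value still validates, while every earlier one for the same identity is refused without any per-certificate revocation list.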
Abstract
Methods for managing digital certificates, including issuance, validation, and revocation are disclosed. Various embodiments involve querying a directory service with entries that correspond to a particular client identity and have attributes including certificate issuance limits and certificate validity time values. The validity time values are adjustable to revoke selectively the certificates based upon time intervals set forth in validity identifiers included therein.
22 Claims
11. A system for validating a digital certificate issued to a client system and associated with a specific client identity, the system comprising:
a computing system comprising one or more computing devices, said computing system programmed via executable instructions to at least:
receive the digital certificate from the client system, the digital certificate including a user identifier and a certificate validity period indicator defined by a validity start time and a validity end time, the user identifier corresponding to the specific client identity;
send a first query to a directory service having a plurality of entries each associated with different client identities, the client identities each associated with a plurality of informational attributes stored in the directory service, the first query including a request for a first entry associated with the specific client identity, the first entry including a directory validity time value attribute for the specific client identity, wherein the plurality of informational attributes comprises at least some attributes unrelated to digital certificates;
receive the directory validity time value attribute from the directory service; and
validate the digital certificate in response to evaluations of the validity start time and the validity end time of the certificate validity period indicator against the received directory validity time value attribute and a current time;
wherein the directory validity time value attribute is editable to revoke a plurality of digital certificates associated with the user identifier.
Dependent claims: 12, 13, 14, 15, 16, 17 (not reproduced here).
18. Non-transitory computer storage medium that comprises executable instructions that when executed by a computing system, directs the computing system to at least:
receive a digital certificate from the client system, the digital certificate including a user identifier and a certificate validity period indicator defined by a validity start time and a validity end time, the user identifier corresponding to the specific client identity;
generate a first query to a directory service having a plurality of entries each associated with different client identities, the client identities each associated with a plurality of informational attributes stored in the directory service, the first query including a request for an entry associated with the specific client identity, the entry including a directory validity time value attribute for the specific client identity, wherein the plurality of informational attributes comprises at least some attributes unrelated to digital certificates;
receive the directory validity time value attribute returned by the first query; and
validate the digital certificate in response to evaluations of the validity start time and the validity end time of the certificate validity period indicator against the received directory validity time value attribute and a current time;
wherein the directory validity time value attribute is editable to revoke a plurality of digital certificates associated with the user identifier.
Dependent claims: 19, 20, 21, 22 (not reproduced here).