Identity-based certificate management

US 9,473,310 B2
Filed: 04/18/2014
Issued: 10/18/2016
Est. Priority Date: 04/07/2009
Status: Active Grant

First Claim

Patent Images

1. A method performed by a computer system for validating a digital certificate issued to a client system and associated with a specific client identity, the method comprising:

receiving the digital certificate from the client system, the digital certificate including a user identifier and a certificate validity period identifier, the user identifier corresponding to the specific client identity;

generating a first query to a directory service having a plurality of entries each associated with different client identities, the first query including a request for a first entry associated with the specific client identity, the first entry including a directory validity time value for the specific client identity;

receiving the directory validity time value returned by the directory service in response to the first query; and

validating the digital certificate in response to determining that a certificate validity period specified by the certificate validity period identifier is later than the received directory validity time value.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods for managing digital certificates, including issuance, validation, and revocation are disclosed. Various embodiments involve querying a directory service with entries that correspond to a particular client identity and have attributes including certificate issuance limits and certificate validity time values. The validity time values are adjustable to revoke selectively the certificates based upon time intervals set forth in validity identifiers included therein.

Citations

20 Claims

1. A method performed by a computer system for validating a digital certificate issued to a client system and associated with a specific client identity, the method comprising:
- receiving the digital certificate from the client system, the digital certificate including a user identifier and a certificate validity period identifier, the user identifier corresponding to the specific client identity;
  
  generating a first query to a directory service having a plurality of entries each associated with different client identities, the first query including a request for a first entry associated with the specific client identity, the first entry including a directory validity time value for the specific client identity;
  
  receiving the directory validity time value returned by the directory service in response to the first query; and
  
  validating the digital certificate in response to determining that a certificate validity period specified by the certificate validity period identifier is later than the received directory validity time value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, wherein the certificate validity period is defined by a validity start time and a validity end time.
  - 3. The method of claim 2, wherein the certificate validity period is later than the directory validity time value only if the validity start time is later than the directory validity time value.
  - 4. The method of claim 2, wherein the method further comprises rejecting the digital certificate if the validity start time is prior to the received directory validity time value for the specific client identity.
  - 5. The method of claim 2, wherein the method further comprises rejecting the digital certificate if the validity end time is prior to the received directory validity time value for the specific client identity.
  - 6. The method of claim 1, further comprising:
    - removing access restrictions to a network application resource upon validating the digital certificate.
  - 7. The method of claim 6, wherein the user identifier corresponds to an account on the network application resource.
  - 8. The method of claim 1, wherein the directory service is a lightweight directory access protocol (LDAP) compliant system.
  - 9. The method of claim 1, wherein the directory service is a Standard Query Language (SQL) database.
  - 10. The method of claim 1, wherein the method further comprises revoking the digital certificate in response to a modification to the directory validity time value.
  - 11. The method of claim 1, wherein the method further comprises revoking the digital certificate in response to a modification of the directory validity time value to be later than the certificate validity period of the digital certificate.
  - 12. The method of claim 1, wherein the method further comprises revoking the digital certificate in response to a modification of the directory validity time value to a value associated with the current date and time.
  - 13. The method of claim 1, wherein all outstanding digital certificates associated with the specific client entity may be revoked by modifying the directory validity time value to a value associated with the current date and time.
  - 14. The method of claim 1, wherein the directory validity time value comprises a dynamic certificate validation date.
  - 15. The method of claim 14, wherein the dynamic certificate validation date of a directory validity time value stored on a directory service may be modified through an administration panel user interface.
  - 16. The method of claim 15, wherein the administration panel user interface comprises multiple fields for specifying the dynamic certificate validation date of the directory validity time value returned by the directory service in response to the first query.
  - 17. The method of claim 15, wherein the administration panel user interface comprises a revoke all certificates control, wherein selecting the revoke all certificates control revokes all outstanding digital certificates associated with the specific client entity by modifying the dynamic certificate validation date to a current date and time.
  - 18. The method of claim 15, wherein the administration panel user interface is generated by an embedded HTTP server.
  - 19. The method of claim 1, wherein determining that a certificate validity period specified by the certificate validity period identifier is later than the received directory validity time value comprises determining that the digital certificate was issued after the directory validity time value and that the digital certificate expires after the received directory validity time value.
  - 20. The method of claim 1, wherein the directory validity time value comprises a set of date values that identify a specific year, month, and day, and a set of time values that identify a specific hour and minute.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecureAuth Incorporated
Original Assignee
SecureAuth Incorporated
Inventors
Grajek, Garret Florian, Lo, Jeffrey Chiwai, Lambiase, Mark V.
Primary Examiner(s)
Abedin, Shanto M

Application Number

US14/256,270
Publication Number

US 20140344567A1
Time in Patent Office

914 Days
Field of Search

713/156, 713/158, 713/168, 713/175, 726/10, 726/18
US Class Current

1/1
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/06   for supporting key manageme...

H04L 63/0823   using certificates cryptogr...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3252   using DSA or related signat...

H04L 9/3263   involving certificates, e.g...

H04L 9/3268   using certificate validatio...

H04L 9/3271   using challenge-response

H04L 9/3297   involving time stamps, e.g....

Identity-based certificate management

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Identity-based certificate management

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links