Identity-based certificate management

US 9,882,728 B2
Filed: 09/28/2016
Issued: 01/30/2018
Est. Priority Date: 04/07/2009
Status: Active Grant

First Claim

Patent Images

1. A method performed by a computer system for validating a digital certificate issued to a client system and associated with a specific client identity, the method comprising:

receiving the digital certificate from the client system, the digital certificate including a user identifier and a certificate validity period identifier, the user identifier corresponding to the specific client identity;

generating a first query to a directory service which includes a request for a first entry associated with the specific client identity, the first entry including a directory validity time value for the specific client identity;

receiving the directory validity time value for the specific client identity returned by the directory service in response to the first query;

validating the digital certificate, wherein validating the digital certificate comprises determining that a certificate validity period specified by the certificate validity period identifier is later than the received directory validity time value; and

revoking the digital certificate in response to a modification of the directory validity time value to a value associated with the current date and time.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods for managing digital certificates, including issuance, validation, and revocation are disclosed. Various embodiments involve querying a directory service with entries that correspond to a particular client identity and have attributes including certificate issuance limits and certificate validity time values. The validity time values are adjustable to revoke selectively the certificates based upon time intervals set forth in validity identifiers included therein.

35 Citations

View as Search Results

17 Claims

1. A method performed by a computer system for validating a digital certificate issued to a client system and associated with a specific client identity, the method comprising:
- receiving the digital certificate from the client system, the digital certificate including a user identifier and a certificate validity period identifier, the user identifier corresponding to the specific client identity;
  
  generating a first query to a directory service which includes a request for a first entry associated with the specific client identity, the first entry including a directory validity time value for the specific client identity;
  
  receiving the directory validity time value for the specific client identity returned by the directory service in response to the first query;
  
  validating the digital certificate, wherein validating the digital certificate comprises determining that a certificate validity period specified by the certificate validity period identifier is later than the received directory validity time value; and
  
  revoking the digital certificate in response to a modification of the directory validity time value to a value associated with the current date and time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the certificate validity period is defined by a validity start time and a validity end time.
  - 3. The method of claim 2, wherein the certificate validity period is later than the directory validity time value only if the validity start time is later than the directory validity time value.
  - 4. The method of claim 2, further comprising rejecting the digital certificate if the validity start time is prior to the received directory validity time value for the specific client identity.
  - 5. The method of claim 2, further comprising rejecting the digital certificate if the validity end time is prior to the received directory validity time value for the specific client identity.
  - 6. The method of claim 1, further comprising removing access restrictions to a network application resource upon validating the digital certificate.
  - 7. The method of claim 1, further comprising revoking the digital certificate in response to a modification to the directory validity time value to be later than the certificate validity period of the digital certificate.
  - 8. The method of claim 1, wherein the directory service is a Standard Query Language (SQL) database.
  - 9. The method of claim 1, wherein the directory validity time value comprises a dynamic certificate validation date.
  - 10. The method of claim 9, wherein the dynamic certificate validation date of a directory validity time value stored on a directory service may be modified through an administration panel user interface.
  - 11. The method of claim 1, wherein the directory validity time value comprises a set of date values that identify a specific year, month, and day, and a set of time values that identify a specific hour and minute.

12. A system for validating a digital certificate issued to a client system and associated with a specific client identity, the system comprising:
- a computing system comprising one or more computing devices, said computing system programmed via executable instructions to at least;
  
  receive the digital certificate from the client system, the digital certificate including a user identifier and a certificate validity period indicator, the user identifier corresponding to the specific client identity;
  
  generate a first query to a directory service which includes a request for a first entry associated with the specific client identity, the first entry including a directory validity time value for the specific client identity;
  
  receive the directory validity time value for the specific client identity returned by the directory service in response to the first query; and
  
  validate the digital certificate, wherein the computing system is programmed via executable instructions to at least validate the digital certificate by determining that a certificate validity period specified by the certificate validity period identifier is later than the received directory validity time value, and wherein the directory validity time value is editable to revoke the digital certificate that includes the user identifier.
- View Dependent Claims (13, 14)
- - 13. The system of claim 12, wherein the certificate validity period is defined by a validity start time and a validity end time.
  - 14. The system of claim 13, wherein the computing system is further programmed via executable instructions to reject the digital certificate if the validity start time or the validity end time is prior to the received directory validity time value for the specific client identity.

15. A non-transitory computer storage medium that comprises executable instructions that when executed by a computing system, directs the computing system to at least:
- receive a digital certificate from the client system, the digital certificate including a user identifier and a certificate validity period indicator, the user identifier corresponding to the specific client identity;
  
  generate a first query to a directory service which includes a request for a first entry associated with the specific client identity, the first entry including a directory validity time value for the specific client identity;
  
  receive the directory validity time value for the specific client identity returned by the directory service in response to the first query; and
  
  validate the digital certificate, wherein validating the digital certificate comprises determining that a certificate validity period specified by the certificate validity period identifier is later than the received directory validity time value, and wherein the directory validity time value is editable to revoke the digital certificates that includes the user identifier.
- View Dependent Claims (16, 17)
- - 16. The non-transitory computer storage medium of claim 15, wherein the certificate validity period is defined by a validity start time and a validity end time.
  - 17. The non-transitory computer storage medium of claim 16, wherein the executable instructions, when executed by a computing system, further directs the computing system to reject the digital certificate if the validity start time or the validity end time is prior to the received directory validity time value for the specific client identity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecureAuth Incorporated
Original Assignee
SecureAuth Incorporated
Inventors
Grajek, Garret Florian, Lo, Jeffrey Chiwai, Lambiase, Mark V.
Primary Examiner(s)
ABEDIN, SHANTO

Application Number

US15/279,191
Publication Number

US 20170019260A1
Time in Patent Office

489 Days
Field of Search

713156, 713158, 713175
US Class Current
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/06   for supporting key manageme...

H04L 63/0823   using certificates cryptogr...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3252   using DSA or related signat...

H04L 9/3263   involving certificates, e.g...

H04L 9/3268   using certificate validatio...

H04L 9/3271   using challenge-response

H04L 9/3297   involving time stamps, e.g....

Identity-based certificate management

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Identity-based certificate management

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links