Efficient revocation of registration authorities

US 20020099668A1
Filed: 01/22/2001
Published: 07/25/2002
Est. Priority Date: 01/22/2001
Status: Abandoned Application

First Claim

Patent Images

1. A method for certificate generation comprising the steps of:

forwarding a request from a first node to a second node to generate a certificate, wherein said request includes a first identifier that identifies the first node; and

in response to receipt of the request at the second node, generating a certificate that includes said first identifier.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for revoking a certificate issued by a certification authority (CA). An identifier associated with a registration authority (RA) that requested issuance of a certificate on behalf of a principal is included within the certificate that is issued by the CA. Additionally, a time stamp indicating when the respective RA requested the certificate may be included in the certificate. In response to a request from a principal to a server for access to a resource, the server verifies the request using a decryption key contained in the certificate. Additionally, in a first embodiment a determination is made whether the RA identifier contained within the certificate is present on a certificate revocation list (CRL) maintained by a revocation server. If the RA identifier is present on the CRL, an indication is provided to the server that the certificate has been revoked and access to the requested resource may be denied. In a second embodiment, a determination is made whether the RA identifier is contained on the CRL and whether the time stamp contained within the certificate corresponds to a time period indicated in the CRL during which the respective RA was deemed untrustworthy. If the RA identifier in the certificate corresponds to an RA identifier on the CRL and the time stamp in the certificate is within a period in which the respective RA was deemed untrustworthy, an indication is provided to the respective server that the certificate has been revoked and access to the requested resource may be denied.

93 Citations

View as Search Results

37 Claims

1. A method for certificate generation comprising the steps of:
- forwarding a request from a first node to a second node to generate a certificate, wherein said request includes a first identifier that identifies the first node; and
  
  in response to receipt of the request at the second node, generating a certificate that includes said first identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 14, 15, 16, 18, 19, 20)
- - 2. The method of claim 1 wherein said request further includes a second identifier that identifies a principal.
  - 3. The method of claim 2 wherein said certificate further includes a public key associated with said principal, and said second identifier.
  - 4. The method of claim 1 further including the step of authenticating said certificate by said second node.
  - 5. The method of claim 4 wherein said step of authenticating said certificate comprises the step of generating a certificate digitally signed by said second node.
  - 6. The method of claim 5 wherein said step of generating said certificate signed by said second node comprises the step of generating a certificate digitally signed by said second node using a private key of a public private key pair associated with said second node.
  - 7. The method of claim 1 wherein said certificate further includes a time stamp that identifies a time associated with the request.
  - 8. The method of claim 1 further including the step of authenticating said request by said first node.
  - 9. The method of claim 8 wherein said step of authenticating said request by said first node comprises the step of digitally signing said request.
  - 10. The method of claim 9 wherein said step of digitally signing said request comprises the step of digitally signing said request using a private key of a public/private key pair associated with said first node.
  - 11. The method of claim 1 wherein said certificate further includes a time stamp that is associated with a time and date when said request was received by said second node.
  - 13. The method of claim 12 wherein said determining step further comprises the step of determining whether a time stamp contained within said certificate that specifies a time of receipt of a request from said registration authority to the certification authority to generate the certificate corresponds to a period identified on said certificate revocation list during which the respective registration authority is indicated to be untrustworthy;
    - and said providing step comprises the step of providing said indication to said server that said certificate has been revoked and denying access of said principal to said resource in response to a determination that said registration authority identifier within said certificate corresponds to said registration authority identifier on said certificate revocation list and said time stamp within said certificate corresponds to a time within said period identified on said certificate revocation list during which said registration authority was indicated to be untrustworthy.
  - 14. The method of claim 13 wherein said period has a beginning point and an assumed ending point, said beginning point being specified by a time value contained within said certificate revocation list and the assumed ending point corresponds to a present time value.
  - 15. The method of claim 13 wherein said period has a beginning point and an ending point, said beginning point being specified by a first time value and the ending point corresponds to a second time value.
  - 16. The method of claim 12 wherein said verifying and determining steps are performed by said server.
  - 18. The certification authority of claim 17 wherein said request to issue said certificate is an authenticated request and said computer program further includes program code for verifying said authenticated request.
  - 19. The certification authority of claim 17 wherein said certificate generated by said computer program further includes a principal identifier associated with a principal and a key associated with said principal.
  - 20. The certification authority of claim 17 wherein said computer program further includes program code for storing within said certificate a time stamp associated with a time when said certification authority received said request from said registration authority.

12. A method for determining whether access to a resource should be provided to a principal in response to a request for access to the resource by the principal comprising the steps of:
- receiving said request for access to said resource from said principal at a server;
  
  verifying the authenticity of said request using a key contained within a certificate associated with said principal;
  
  determining whether a registration authority identifier within said certificate corresponds to a registration identifier contained on a certificate revocation list, wherein said registration authority identifier is associated with a registration authority that requested a certification authority to generate said certificate; and
  
  providing an indication to said server that said certificate has been revoked and denying access of said principal to said resource in response to a determination that said registration authority identifier within said certificate corresponds to a registration authority identifier on said certificate revocation list.

17. A certification authority comprising:
- a memory containing a computer program for generating said certificate; and
  
  a processor operative to execute said computer program, said computer program containing program code for;
  
  receiving a request from a registration authority to issue said certificate; and
  
  in response to receipt of said request, generating said certificate that includes at least a registration authority identifier associated with said registration authority.

21. A system for determining whether access to a resource should be provided to a principal in response to a request for access to the resource by the principal comprising:
- a first server operative to receive a request for access to said resource from said principal, said first server being operative to verify the authenticity of said request using a key contained within a certificate associated with said principal, wherein said certificate includes at least a registration authority identifier associated with a registration authority that issued a request to a certification authority to issue said certificate;
  
  a second server containing a certificate revocation list, wherein said certificate revocation list includes said registration authority identifier in the event the associated registration authority has been determined to be untrustworthy, said second server being operative in response to a certificate revocation inquiry request to ascertain whether said certificate revocation list contains a registration authority identifier that corresponds to said registration authority identifier within said certificate; and
  
  said second server being further operative to provide an indication to said first server that said certificate has been revoked in the event said certificate revocation list contains said registration authority identifier that corresponds to said registration authority identifier within said certificate.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 29)
- - 22. The system of claim 21 wherein said first and second server comprise a single server.
  - 23. The system of claim 21 wherein said first server is further operative in response to receipt of said indication that said certificate has been revoked to deny said principal access to said requested resource.
  - 24. The system of claim 21 wherein said certificate further includes a time stamp associated with a time when said certification authority received from said registration authority said request to issue said certificate on behalf of said principal;
    - and wherein said certificate revocation list includes said registration authority identifier in the event the associated registration authority has been determined to be untrustworthy and at least one value defining a time interval during which said registration authority is deemed to be untrustworthy, said second server being operative in response to a certificate revocation inquiry request to provide a revocation indication if said certificate revocation list contains a registration authority identifier that corresponds to said registration authority identifier within said certificate and a time stamp associated with said registration authority identifier that is within said interval.
  - 25. The system of claim 23 wherein said second server comprises a revocation server.
  - 26. The system of claim 25 wherein said revocation server is further operative in response to said revocation indication to forward a certificate revocation message to said first server that indicates that said certificate has been revoked.
  - 27. The system of claim 26 wherein said first server is operative in response to said certificate revocation message to deny said principal access to said requested resource.
  - 29. The computer program product of claim 28 wherein said program code for generating said certificate is further operative to include within said certificate a time stamp associated with a time or receipt by said certification authority of said request from said registration authority of said request to issue said certificate.

28. A computer program product including a computer readable medium, said computer readable medium having a computer program stored thereon for generating a certificate, said computer program being executable by a processor and comprising:
- program code for receiving a request from a registration authority to issue a certificate on behalf of a principal;
  
  program code operative in response to recognition of said request, for generating by a certification authority a certificate authenticated by said certification authority wherein said certificate includes at least a principal identifier associated with said principal, a key associated with said principal for use in authenticating messages generated by said principal, and a registration identifier associated with said registration authority.

30. A computer data signal, said computer data signal including a computer program for use in generating a certificate, said computer program comprising:
- program code for receiving a request from a registration authority to issue a certificate on behalf of a principal;
  
  program code operative in response to recognition of said request, for generating by a certification authority a certificate authenticated by said certification authority wherein said certificate includes at least a principal identifier associated with said principal, a key associated with said principal for use in authenticating messages generated by said principal, and a registration identifier associated with said registration authority.
- View Dependent Claims (31, 32, 33, 35, 36, 37)
- - 31. The computer data signal of claim 30 wherein said program code for generating said certificate is operative to include within said certificate a time stamp associated with a time of receipt by said certification authority from said registration authority of said request to issue said certificate.
  - 32. The computer data signal of claim 30 wherein said computer program further includes program code for publishing said certificate.
  - 33. The computer data signal of claim 30 wherein said program code for publishing said certificate includes program code for forwarding said certificate to a directory server.
  - 35. The apparatus of claim 34 wherein said request was initiated by a principal and said request includes a principal identifier associated with said principal and said certificate further includes said principal identifier and a public key associated with said principal.
  - 36. The apparatus of claim 34 wherein said certificate is authenticated by said second node.
  - 37. The apparatus of claim 34 further including means for comparing said first node identifier to a node identifier associated with an untrustworthy node on said network that is contained within a certificate revocation list and providing an indication that said certificate is untrustworthy in the event said first node identifier matches said untrustworthy node identifier.

34. An apparatus for generating a certificate in a computer network comprising:
- means operative in response to receipt of a request from a first node coupled to a computer network at a second node coupled to said network for generating at said second node a certificate that includes a first node identifier associated with said first node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Perlman, Radia J.

Application Number

US09/767,128
Publication Number

US 20020099668A1
Time in Patent Office

Days
Field of Search
US Class Current

705/76
CPC Class Codes

G06Q 20/3821   Electronic credentials

H04L 63/0823   using certificates cryptogr...

H04L 9/3268   using certificate validatio...

H04L 9/3297   involving time stamps, e.g....

Efficient revocation of registration authorities

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

93 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Efficient revocation of registration authorities

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

93 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links