Efficient revocation of registration authorities
Abstract
A method and system for revoking a certificate issued by a certification authority (CA). An identifier associated with a registration authority (RA) that requested issuance of a certificate on behalf of a principal is included within the certificate that is issued by the CA. Additionally, a time stamp indicating when the respective RA requested the certificate may be included in the certificate. In response to a request from a principal to a server for access to a resource, the server verifies the request using a decryption key contained in the certificate.

In a first embodiment, a determination is additionally made whether the RA identifier contained within the certificate is present on a certificate revocation list (CRL) maintained by a revocation server. If the RA identifier is present on the CRL, an indication is provided to the server that the certificate has been revoked and access to the requested resource may be denied.

In a second embodiment, a determination is made whether the RA identifier is contained on the CRL and whether the time stamp contained within the certificate corresponds to a time period indicated in the CRL during which the respective RA was deemed untrustworthy. If the RA identifier in the certificate corresponds to an RA identifier on the CRL and the time stamp in the certificate is within a period in which the respective RA was deemed untrustworthy, an indication is provided to the respective server that the certificate has been revoked and access to the requested resource may be denied.
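The following Python model is an added example written for this page; it is not code from the patent or its assignee. It shows the three roles the abstract describes: a CA that binds the requesting RA's identifier and request time stamp into the certificate, a server that authenticates a request with the key carried in the certificate, and a revocation server whose CRL lists RA identifiers with the periods during which each RA was deemed untrustworthy. Both revocation checks are implemented: the first embodiment (any certificate from a listed RA is revoked) and the second (revoked only when the time stamp falls inside an untrusted period). By assumption, HMAC-SHA256 with a shared secret stands in for the CA's signature and for the principal's key so the example runs on the standard library alone; the RA names, time stamps and CRL entries are constructed sample data.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: HMAC-SHA256 with a shared secret stands in for the CA's digital
# signature and for the principal's key so that the example runs offline on the
# standard library. The revocation logic does not depend on that choice.
CA_KEY = b"ca-signing-key-stand-in"


@dataclass(frozen=True)
class Certificate:
    principal_id: str      # who the certificate was issued for
    principal_key: bytes   # key the server uses to authenticate the principal's requests
    ra_id: str             # identifier of the RA that requested issuance
    requested_at: int      # time stamp: when the RA requested the certificate (epoch seconds)
    ca_signature: bytes    # CA's authentication over the four fields above


def _signed_body(principal_id: str, principal_key: bytes, ra_id: str, requested_at: int) -> bytes:
    """Canonical byte encoding of the fields the CA authenticates."""
    return json.dumps(
        {"p": principal_id, "k": principal_key.hex(), "ra": ra_id, "t": requested_at},
        sort_keys=True,
    ).encode()


def issue_certificate(ra_id: str, principal_id: str, principal_key: bytes, requested_at: int) -> Certificate:
    """CA side: the RA identifier and request time are bound into the certificate."""
    body = _signed_body(principal_id, principal_key, ra_id, requested_at)
    return Certificate(principal_id, principal_key, ra_id, requested_at,
                       hmac.new(CA_KEY, body, hashlib.sha256).digest())


def ca_signature_valid(cert: Certificate) -> bool:
    """Reject any certificate whose RA identifier or time stamp was altered after issuance."""
    body = _signed_body(cert.principal_id, cert.principal_key, cert.ra_id, cert.requested_at)
    return hmac.compare_digest(hmac.new(CA_KEY, body, hashlib.sha256).digest(), cert.ca_signature)


def sign_request(principal_key: bytes, request: bytes) -> bytes:
    """Principal side: authenticate a resource request with the key in its certificate."""
    return hmac.new(principal_key, request, hashlib.sha256).digest()


def request_authentic(cert: Certificate, request: bytes, tag: bytes) -> bool:
    """Server side: verify the request using the key contained in the certificate."""
    return hmac.compare_digest(sign_request(cert.principal_key, request), tag)


# Revocation-server state: RA identifier -> [start, end) periods during which that
# RA was deemed untrustworthy; end=None means the RA is still untrusted.
CRL = Dict[str, List[Tuple[int, Optional[int]]]]


def revoked_by_ra(crl: CRL, cert: Certificate) -> bool:
    """First embodiment: every certificate requested by a listed RA is revoked."""
    return cert.ra_id in crl


def revoked_by_ra_and_time(crl: CRL, cert: Certificate) -> bool:
    """Second embodiment: revoked only if the request time stamp lies in an untrusted period."""
    for start, end in crl.get(cert.ra_id, []):
        if start <= cert.requested_at and (end is None or cert.requested_at < end):
            return True
    return False


def authorize(crl: CRL, cert: Certificate, request: bytes, tag: bytes, windowed: bool = True) -> str:
    """Server decision for one access request, in the order the abstract gives."""
    if not ca_signature_valid(cert):
        return "denied: certificate not authenticated by CA"
    if not request_authentic(cert, request, tag):
        return "denied: request not authenticated by principal key"
    check = revoked_by_ra_and_time if windowed else revoked_by_ra
    if check(crl, cert):
        return "denied: certificate revoked"
    return "granted"


# Constructed sample data: "ra-east" was compromised between t=1500 and t=2500.
SAMPLE_CRL: CRL = {"ra-east": [(1500, 2500)]}
ALICE_KEY, BOB_KEY, CAROL_KEY = b"alice-key", b"bob-key", b"carol-key"
CERT_BEFORE = issue_certificate("ra-east", "alice", ALICE_KEY, requested_at=1000)
CERT_DURING = issue_certificate("ra-east", "bob", BOB_KEY, requested_at=2000)
CERT_OTHER_RA = issue_certificate("ra-west", "carol", CAROL_KEY, requested_at=2000)


def demo() -> Dict[str, str]:
    """Run both embodiments over the sample certificates and one tampered certificate."""
    req = b"GET /payroll"
    out: Dict[str, str] = {}
    for name, cert, key in [("before", CERT_BEFORE, ALICE_KEY),
                            ("during", CERT_DURING, BOB_KEY),
                            ("other_ra", CERT_OTHER_RA, CAROL_KEY)]:
        tag = sign_request(key, req)
        out[f"{name}/blanket"] = authorize(SAMPLE_CRL, cert, req, tag, windowed=False)
        out[f"{name}/windowed"] = authorize(SAMPLE_CRL, cert, req, tag, windowed=True)
    # A holder who rewrites the RA identifier to escape the CRL must fail CA verification.
    forged = Certificate(CERT_DURING.principal_id, CERT_DURING.principal_key, "ra-west",
                         CERT_DURING.requested_at, CERT_DURING.ca_signature)
    out["forged_ra_id"] = authorize(SAMPLE_CRL, forged, req, sign_request(BOB_KEY, req))
    return out


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:18} {outcome}")
```

The difference between the two embodiments shows up on the certificate requested at t=1000: the blanket check revokes it along with everything else "ra-east" ever requested, while the windowed check leaves it valid because the RA was still trusted at request time. The forged case is why the CA must authenticate the RA identifier and time stamp together with the principal's key: if either field were left outside the signed body, a certificate holder could move it out of the revoked set.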
93 Citations
37 Claims
1. A method for certificate generation comprising the steps of:
   forwarding a request from a first node to a second node to generate a certificate, wherein said request includes a first identifier that identifies the first node; and
   in response to receipt of the request at the second node, generating a certificate that includes said first identifier.
   (Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 14, 15, 16, 18, 19, 20)

12. A method for determining whether access to a resource should be provided to a principal in response to a request for access to the resource by the principal, comprising the steps of:
   receiving said request for access to said resource from said principal at a server;
   verifying the authenticity of said request using a key contained within a certificate associated with said principal;
   determining whether a registration authority identifier within said certificate corresponds to a registration authority identifier contained on a certificate revocation list, wherein said registration authority identifier is associated with a registration authority that requested a certification authority to generate said certificate; and
   providing an indication to said server that said certificate has been revoked and denying access of said principal to said resource in response to a determination that said registration authority identifier within said certificate corresponds to a registration authority identifier on said certificate revocation list.

17. A certification authority comprising:
   a memory containing a computer program for generating said certificate; and
   a processor operative to execute said computer program, said computer program containing program code for:
   receiving a request from a registration authority to issue said certificate; and
   in response to receipt of said request, generating said certificate that includes at least a registration authority identifier associated with said registration authority.

21. A system for determining whether access to a resource should be provided to a principal in response to a request for access to the resource by the principal, comprising:
   a first server operative to receive a request for access to said resource from said principal, said first server being operative to verify the authenticity of said request using a key contained within a certificate associated with said principal, wherein said certificate includes at least a registration authority identifier associated with a registration authority that issued a request to a certification authority to issue said certificate;
   a second server containing a certificate revocation list, wherein said certificate revocation list includes said registration authority identifier in the event the associated registration authority has been determined to be untrustworthy, said second server being operative in response to a certificate revocation inquiry request to ascertain whether said certificate revocation list contains a registration authority identifier that corresponds to said registration authority identifier within said certificate; and
   said second server being further operative to provide an indication to said first server that said certificate has been revoked in the event said certificate revocation list contains said registration authority identifier that corresponds to said registration authority identifier within said certificate.
   (Dependent claims: 22, 23, 24, 25, 26, 27, 29)

28. A computer program product including a computer readable medium, said computer readable medium having a computer program stored thereon for generating a certificate, said computer program being executable by a processor and comprising:
   program code for receiving a request from a registration authority to issue a certificate on behalf of a principal; and
   program code operative, in response to recognition of said request, for generating by a certification authority a certificate authenticated by said certification authority, wherein said certificate includes at least a principal identifier associated with said principal, a key associated with said principal for use in authenticating messages generated by said principal, and a registration authority identifier associated with said registration authority.

30. A computer data signal, said computer data signal including a computer program for use in generating a certificate, said computer program comprising:
   program code for receiving a request from a registration authority to issue a certificate on behalf of a principal; and
   program code operative, in response to recognition of said request, for generating by a certification authority a certificate authenticated by said certification authority, wherein said certificate includes at least a principal identifier associated with said principal, a key associated with said principal for use in authenticating messages generated by said principal, and a registration authority identifier associated with said registration authority.
   (Dependent claims: 31, 32, 33, 35, 36, 37)

34. An apparatus for generating a certificate in a computer network comprising:
   means, operative in response to receipt at a second node coupled to said network of a request from a first node coupled to said network, for generating at said second node a certificate that includes a first node identifier associated with said first node.
Specification