Method and system for configuring highly available online certificate status protocol responders

US 20040111607A1
Filed: 12/06/2002
Published: 06/10/2004
Est. Priority Date: 12/06/2002
Status: Active Grant

First Claim

Patent Images

1. A method for providing certificate status from a distributed computing environment, wherein the distributed computing environment comprises a set of OCSP responders, the method comprising:

configuring each OCSP responder in the set of OCSP responders so that each OCSP responder can generate a group digital signature;

receiving from an OCSP client an OCSP request message at an OCSP responder in the set of OCSP responders; and

returning to the OCSP client an OCSP response message comprising a group digital signature.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system is presented for configuring a group of OCSP (Online Certificate Status Protocol) responders so that they are highly available. Each of the grouped OCSP responders share a common public key. When responding to an OCSP request, an OCSP responder generates an OCSP response that is signed with a group digital signature; the certificate for the common or group public key can be attached to the OCSP response. An OCSP client uses the group public key to verify the group digital signature on an OCSP response from any of the OCSP responders. For an OCSP client, the availability of this group of responders is greater than the availability of any one member of the group.

128 Citations

27 Claims

1. A method for providing certificate status from a distributed computing environment, wherein the distributed computing environment comprises a set of OCSP responders, the method comprising:
- configuring each OCSP responder in the set of OCSP responders so that each OCSP responder can generate a group digital signature;
  
  receiving from an OCSP client an OCSP request message at an OCSP responder in the set of OCSP responders; and
  
  returning to the OCSP client an OCSP response message comprising a group digital signature.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 further comprising:
    - obtaining one asymmetric cryptographic public key and an associated set of unique asymmetric cryptographic keys, wherein the asymmetric cryptographic public key is able to verify a group digital signature that is generated by using any key in the associated set of unique asymmetric cryptographic keys;
      
      configuring each OCSP responder in the set of OCSP responders with a unique asymmetric cryptographic key; and
      
      generating the OCSP response message comprising the group digital signature that is generated by the OCSP responder using its unique asymmetric cryptographic key.
  - 3. The method of claim 1 further comprising:
    - attaching a copy of the public key certificate to the OCSP response message.
  - 4. The method of claim 1 further comprising:
    - designating one OCSP responder within the set of OCSP responders as a master OCSP responder.
  - 5. The method of claim 4 further comprising:
    - dispersing from the master OCSP responder to each OCSP responder in the set of OCSP responders a copy of a public key certificate, wherein the asymmetric cryptographic public key is stored within the public key certificate.
  - 6. The method of claim 4 further comprising:
    - generating the asymmetric cryptographic public key at the master OCSP responder.
  - 7. The method of claim 4 further comprising:
    - managing a life-cycle of the asymmetric cryptographic public key at the master OCSP responder.
  - 8. The method of claim 1 further comprising:
    - setting an expiration period of a public key certificate for the asymmetric cryptographic public key to be equal to an earliest expiration date among public key certificates associated with OCSP responders in the set of OCSP responders
  - 9. The method of claim 1 further comprising:
    - revoking a public key certificate for the asymmetric cryptographic public key if a public key certificate associated with an OCSP responder in the set of OCSP responders expires or is revoked.

10. A data processing system for providing certificate status, wherein the data processing system comprises a set of OCSP responders, the data processing system comprising:
- means for configuring each OCSP responder in the set of OCSP responders so that each OCSP responder can generate a group digital signature;
  
  means for receiving from an OCSP client an OCSP request message at an OCSP responder in the set of OCSP responders; and
  
  means for returning to the OCSP client an OCSP response message comprising a group digital signature.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The data processing system of claim 10 further comprising:
    - means for obtaining one asymmetric cryptographic public key and an associated set of unique asymmetric cryptographic keys, wherein the asymmetric cryptographic public key is able to verify a group digital signature that is generated by using any key in the associated set of unique asymmetric cryptographic keys;
      
      means for configuring each OCSP responder in the set of OCSP responders with a unique asymmetric cryptographic key; and
      
      means for generating the OCSP response message comprising the group digital signature that is generated by the OCSP responder using its unique asymmetric cryptographic key.
  - 12. The data processing system of claim 10 further comprising:
    - means for attaching a copy of the public key certificate to the OCSP response message.
  - 13. The data processing system of claim 10 further comprising:
    - means for designating one OCSP responder within the set of OCSP responders as a master OCSP responder.
  - 14. The data processing system of claim 13 further comprising:
    - means for dispersing from the master OCSP responder to each OCSP responder in the set of OCSP responders a copy of a public key certificate, wherein the asymmetric cryptographic public key is stored within the public key certificate.
  - 15. The data processing system of claim 13 further comprising:
    - means for generating the asymmetric cryptographic public key at the master OCSP responder.
  - 16. The data processing system of claim 13 further comprising:
    - means for managing a life-cycle of the asymmetric cryptographic public key at the master OCSP responder.
  - 17. The data processing system of claim 10 further comprising:
    - means for setting an expiration period of a public key certificate for the asymmetric cryptographic public key to be equal to an earliest expiration date among public key certificates associated with OCSP responders in the set of OCSP responders
  - 18. The data processing system of claim 10 further comprising:
    - means for revoking a public key certificate for the asymmetric cryptographic public key if a public key certificate associated with an OCSP responder in the set of OCSP responders expires or is revoked.

19. A computer program product in a computer readable medium for use in a data processing system for providing certificate status within a distributed computing environment comprising a set of OCSP responders, the computer program product comprising:
- means for configuring each OCSP responder in the set of OCSP responders so that each OCSP responder can generate a group digital signature;
  
  means for receiving from an OCSP client an OCSP request message at an OCSP responder in the set of OCSP responders; and
  
  means for returning to the OCSP client an OCSP response message comprising a group digital signature.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The computer program product of claim 19 further comprising:
    - means for obtaining one asymmetric cryptographic public key and an associated set of unique asymmetric cryptographic keys, wherein the asymmetric cryptographic public key is able to verify a group digital signature that is generated by using any key in the associated set of unique asymmetric cryptographic keys;
      
      means for configuring each OCSP responder in the set of OCSP responders with a unique asymmetric cryptographic key; and
      
      means for generating the OCSP response message comprising the group digital signature that is generated by the OCSP responder using its unique asymmetric cryptographic key.
  - 21. The computer program product of claim 19 further comprising:
    - means for attaching a copy of the public key certificate to the OCSP response message.
  - 22. The computer program product of claim 19 further comprising:
    - means for designating one OCSP responder within the set of OCSP responders as a master OCSP responder.
  - 23. The computer program product of claim 22 further comprising:
    - means for dispersing from the master OCSP responder to each OCSP responder in the set of OCSP responders a copy of a public key certificate, wherein the asymmetric cryptographic public key is stored within the public key certificate.
  - 24. The computer program product of claim 22 further comprising:
    - means for generating the asymmetric cryptographic public key at the master OCSP responder.
  - 25. The computer program product of claim 22 further comprising:
    - means for managing a life-cycle of the asymmetric cryptographic public key at the master OCSP responder.
  - 26. The computer program product of claim 19 further comprising:
    - means for setting an expiration period of a public key certificate for the asymmetric cryptographic public key to be equal to an earliest expiration date among public key certificates associated with OCSP responders in the set of OCSP responders
  - 27. The computer program product of claim 19 further comprising:
    - means for revoking a public key certificate for the asymmetric cryptographic public key if a public key certificate associated with an OCSP responder in the set of OCSP responders expires or is revoked.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Yellepeddy, Krishna K.

Granted Patent

US 7,318,155 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/155
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/104   Grouping of entities

H04L 9/321   involving a third party or ...

H04L 9/3255   using group based signature...

H04L 9/3268   using certificate validatio...

Method and system for configuring highly available online certificate status protocol responders

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

128 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for configuring highly available online certificate status protocol responders

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

128 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links