Security infrastructure for electronic transactions
Abstract
A plurality of certification authorities connected by an open network are interrelated through an authentication and certification system for providing and managing public key certificates. The certification system, with its multiple certification authorities and its policies, constitutes a public key infrastructure facilitating secure and authentic transactions over an insecure network. Security services for applications and users in the network are facilitated by a set of common certification functions accessible through a well-defined application programming interface, which allows applications to be developed independently of the type of underlying hardware platforms, communication networks and protocols, and security technologies used.
34 Claims
1. A certification system for issuance, distribution and verification of public key certificates which may be used for secure and authentic electronic transactions over open networks, comprising computer processes implementing certification servers, certification clients and certification protocols, in which:
   a. one or more first computer processes are associated with at least one initial (root) registration authority,
   b. one or more second computer processes are associated with policy certification authorities,
   c. one or more third computer processes are associated with certification authorities, and
   d. one or more end-user computer processes or application computer processes are associated with respective end-users or user applications, and
   e. said one or more second computer processes hold a data structure certified by said registration authority, said one or more third computer processes hold a data structure certified either by one of said policy certification authorities or other certification authorities, and end-user or application computer processes hold a data structure certified by one or more of said certification authorities,
   whereby users and applications of said system are logically located at end-points of certification chains in a certification infrastructure.
   Dependent claims: 2 to 17.

18. In a certification system for secure communications containing computer processes arranged in a certification infrastructure, a method of requesting and issuing a public key certificate, comprising:
   a. at a requesting computer process, generating a data structure containing the data items required for a public key certificate, including a public key, self-signing the data structure and sending the signed data structure as a certificate signature request to a computer process authorized as an issuing certification authority, and
   b. at said computer process authorized as an issuing certification authority, verifying the authenticity of said request, and if authentic, certifying and returning the data structure in a certificate signature reply.
   Dependent claims: 19 to 22.

23. In a global network with secure communications containing computer processes arranged in a certification infrastructure, a method of verifying a signed data structure sent from a sender to a receiver, comprising:
   a. obtaining a public key certificate for every computer process in the infrastructure between the sender and a common point of trust in the infrastructure, and
   b. verifying the authenticity of signatures iteratively, beginning with the common point of trust.
   Dependent claims: 24 to 27.

28. In a certification system for secure communications containing computer processes arranged in a certification infrastructure, a method of validating public key certificates comprising:
   using the certificate revocation lists of each computer process between a computer process or user whose certificate is being validated and a point of trust in common with the computer process or user which is validating the certificate, to ensure the certificates being used in the validation process do not appear on any certificate revocation list.
   Dependent claim: 29.
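Claims 23 and 28 together describe collecting a certificate for every process between the sender and a common point of trust, then verifying signatures iteratively from that point of trust downward while checking each certificate against its issuer's revocation list. The Python below is an added illustration of that validation order and is not code from the patent; the keyed-hash "signature", the CA names and the sample hierarchy are constructed stand-ins for a real public-key scheme.

```python
import hashlib
from dataclasses import dataclass

# Stand-in signature (constructed for this example): a keyed hash in which the
# same key signs and verifies. A real PKI would use RSA or ECDSA with a private
# signing key and a public verification key; the chain logic does not depend on it.
def sign(key, *fields):
    return hashlib.sha256("|".join((key,) + fields).encode()).hexdigest()

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str      # subject's verification key, carried in the certificate
    serial: int
    sig: str      # issuer's signature over (subject, issuer, key, serial)

def issue(issuer, issuer_key, subject, subject_key, serial):
    sig = sign(issuer_key, subject, issuer, subject_key, str(serial))
    return Cert(subject, issuer, subject_key, serial, sig)

def verify_chain(sender, certs, crls, trust_point, trust_key):
    """certs: subject -> Cert; crls: issuer -> set of revoked serials.
    Returns the sender's verified key; raises ValueError on any failure."""
    # Claim 23a: collect certificates from the sender up to the common point of trust.
    chain, name, seen = [], sender, set()
    while name != trust_point:
        if name not in certs or name in seen:
            raise ValueError(f"no path from {sender} to {trust_point}")
        seen.add(name)
        chain.append(certs[name])
        name = certs[name].issuer
    # Claim 23b: verify signatures iteratively, beginning at the point of trust.
    key = trust_key
    for cert in reversed(chain):
        expected = sign(key, cert.subject, cert.issuer, cert.key, str(cert.serial))
        if cert.sig != expected:
            raise ValueError(f"bad signature on certificate of {cert.subject}")
        # Claim 28: the certificate must not appear on its issuer's CRL.
        if cert.serial in crls.get(cert.issuer, set()):
            raise ValueError(f"certificate {cert.serial} of {cert.subject} is revoked")
        key = cert.key   # this key verifies the next certificate down the chain
    return key

def sample_infrastructure():
    """Constructed sample: root RA -> policy CA -> CA -> end user 'alice'."""
    keys = {"root": "k-root", "pca": "k-pca", "ca1": "k-ca1", "alice": "k-alice"}
    certs = {"pca": issue("root", keys["root"], "pca", keys["pca"], 1),
             "ca1": issue("pca", keys["pca"], "ca1", keys["ca1"], 2),
             "alice": issue("ca1", keys["ca1"], "alice", keys["alice"], 3)}
    return keys, certs
```

A receiver that trusts only the root passes `"root"` and the root's key; a receiver under the same policy CA can use `"pca"` as the common point of trust and skip the root certificate entirely.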

30. In a computer system for secure communications containing computer processes arranged in a certification infrastructure, a method of updating certificates comprising:
   a. at a first computer process, which possesses a certificate to be updated, updating the current certificate by
      a.1. receiving a new signed certificate from a computer process which is authorized to issue the new signed certificate,
      a.2. revoking the current certificate previously used for verification of certificates of subordinate computer processes,
      a.3. issuing new certificates to all subordinate computer processes for which certificates had been previously signed by the first computer process and copying to all subordinate computer processes the new certificate to be used for verification of new subordinate certificates, and
   b. iteratively performing the distribution of the new certificate to all subsequent subordinate computer processes, until all computer processes subordinate in the infrastructure to said first computer process have the new certificates.

31. In a certification system for secure communications containing computer processes arranged in a certification infrastructure, a method of adding a new computer process to the infrastructure comprising:
   a. adding a new component to a representation of a certification infrastructure at a location indicative of where the said computer process is to be added,
   b. creating entries in a certificate storage database at least at both said new computer process and at the computer process authorized to certify the said new process,
   c. obtaining a signed certificate for the said new computer process from said computer process authorized to certify the new process and storing it at the said new computer process.

32. In a certification system for secure communications containing computer processes arranged in a certification infrastructure, a method of deleting an existing computer process from the infrastructure comprising:
   a. notifying at least all computer processes certified by the existing process being deleted that said existing computer process is being deleted,
   b. revoking all certificates signed by said first computer process at said computer processes certified by the existing process being deleted, if any;
   c. obtaining new certificates for each computer process previously certified by the said existing computer process being deleted from another certification authority authorized to certify these computer processes in the new certification infrastructure.
   Dependent claim: 33.

34. In a certification system for secure communications containing computer processes arranged in a certification infrastructure, a method of restructuring at least part of the certification infrastructure by deleting one or more certification authorities and adding said one or more certification authorities or new certification authorities so as to derive a modified form of the certification infrastructure.