Authorization infrastructure based on public key cryptography

US 7,340,600 B1
Filed: 01/14/2000
Issued: 03/04/2008
Est. Priority Date: 01/14/2000
Status: Expired due to Term

First Claim

Patent Images

1. A public key authorization infrastructure comprising:

a client program accessible by a user;

an application program;

a certificate authority issuing a long-term public key identity certificate (long-term certificate) that binds a public key of the user to long-term identification information related to the user;

a directory for storing short-term authorization information related to the user; and

a credentials server for issuing a short-term public key credential certificate (short-term certificate) to the client, the short-term certificate binds the public key of the user to the long-term identification information related to the user from the long term certificate and to the short-term authorization information related to the user from the directory, wherein the short-term certificate includes meta-data related to the short-term certificate and at least one of an expiration date and an expiration time and is never subject to revocation, wherein as long as the at least one of an expiration date and an expiration time has not expired, the short-term certificate can still be used, wherein the client program presents the short-term certificate to the application program for authorization and demonstrates that the user has knowledge of a private key corresponding to the public key in the short-term certificate.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A public key authorization infrastructure includes a client program accessible by a user and an application program. A certificate authority issues a long-term certificate that binds a public key of the user to long-term identification information related to the user. A directory stores the issued long-term certificate and short-term authorization information related to the user. A credentials server issues a short-term certificate to the client. The short-term certificate binds the public key to the long-term identification information and to the short-term authorization information. The client presents the short-term certificate to the application program for authorization and demonstrates that the user has knowledge of a private key corresponding to the public key in the short-term certificate. The short-term certificate includes an expiration date, and is not subject to revocation.

204 Citations

20 Claims

1. A public key authorization infrastructure comprising:
- a client program accessible by a user;
  
  an application program;
  
  a certificate authority issuing a long-term public key identity certificate (long-term certificate) that binds a public key of the user to long-term identification information related to the user;
  
  a directory for storing short-term authorization information related to the user; and
  
  a credentials server for issuing a short-term public key credential certificate (short-term certificate) to the client, the short-term certificate binds the public key of the user to the long-term identification information related to the user from the long term certificate and to the short-term authorization information related to the user from the directory, wherein the short-term certificate includes meta-data related to the short-term certificate and at least one of an expiration date and an expiration time and is never subject to revocation, wherein as long as the at least one of an expiration date and an expiration time has not expired, the short-term certificate can still be used, wherein the client program presents the short-term certificate to the application program for authorization and demonstrates that the user has knowledge of a private key corresponding to the public key in the short-term certificate.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The public key authorization infrastructure of claim 1 wherein a validity period from when the credentials server issues the short-term certificate to the at least one of expiration date and expiration time is sufficiently short such that the short-term certificate does not need to be subject to revocation.
  - 3. The public key authorization infrastructure of claim 1 further comprising:
    - a certificate revocation list (CRL), wherein the at least one of expiration date and expiration time of the short-term certificate is before the CRL is next scheduled to be updated.
  - 4. The public key authorization infrastructure of claim 1 wherein the short-term certificate is a non-structured short-term certificate.
  - 5. The public key authorization infrastructure of claim 1 further comprising:
    - a second application program; and
      
      wherein the short-term certificate is a structured short-term certificate including;
      
      a first folder corresponding to the first named application program and containing long-term information and short-term information as required by the first named application program;
      
      a second folder corresponding to the second application program and containing long-term information and short-term information as required by the second application; and
      
      wherein the first folder is open and the second folder is closed when the client presents the short-term certificate to the first named application program for authorization, wherein closing the second folder makes its contents not readable by the first named application program.
  - 6. The public key authorization infrastructure of claim 1 wherein the short-term certificate is an X.509v3 certificate.
  - 7. The public key authorization infrastructure of claim 5 wherein the first folder and the second folder are implemented as extension fields of an X.509v3 certificate.
  - 8. The public key authorization infrastructure of claim 1 wherein the directory further stores the issued long-term certificate.
  - 9. The public key authorization infrastructure of claim 1 wherein the private key is stored in a smartcard accessible by the client program.
  - 10. The public key authorization infrastructure of claim 1 wherein the private key is stored in a secure software wallet accessible by the client program.

11. A method of authorizing a user, the method comprising the steps of:
- issuing a long-term public key identity certificate (long-term certificate) that binds a public key of the user to long-term identification information related to the user;
  
  storing short-term authorization information related to the user;
  
  issuing a short-term public key credential certificate (short-term certificate) that binds the public key of the user to the long-term identification information related to the user contained in the long-term certificate and to the short-term authorization information related to the user wherein die short-term certificate includes meta-data related to the short-term certificate and at least one of an expiration date and an expiration time and is never subject to revocation;
  
  wherein as long as the at least one of an expiration date and an expiration time has not expired, the short-term certificate can still be used, and presenting the short-term certificate on behalf of the user to an application program for authorization and demonstrating that the user has knowledge of a private key corresponding to the public key in the short-term certificate.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11 wherein a validity period from when the short-term certificate is issued to the at least one of expiration date and expiration time is sufficiently short such that the short-term certificate does not need to be subject to revocation.
  - 13. The method of claim 11 further comprising the step of:
    - maintaining a certificate revocation list (CRL), wherein the at least one of expiration date and expiration time of the short-term certificate is before the CRL is next scheduled to be updated.
  - 14. The method of claim 11 wherein the short-term certificate is a non-structured short-term certificate.
  - 15. The method of claim 11 wherein the short-term certificate is a structured short-term certificate including a first folder corresponding to the first named application program and containing long-term information and short-term information as required by the first named application program, and including a second folder corresponding to a second application program and containing long-term information and short-term information as required by the second application, wherein the method further comprises:
    - closing the second folder and leaving the first folder open prior to the presenting step if the presenting step presents the short-term certificate to the first named application program for authorization, wherein closing the second folder makes its contents not readable by the first named application program.
  - 16. The method of claim 11 wherein the short-term certificate is an X.509v3 certificate.
  - 17. The method of claim 15 wherein the first folder and the second folder are implemented as extension fields of an X.509v3 certificate.
  - 18. The method of claim 11 wherein the method further comprises the step of:
    - storing the issued long-term certificate in a directory.
  - 19. The method of claim 11 further comprising the step of:
    - storing the private key in a smartcard.
  - 20. The method of claim 11 further comprising the step of:
    - storing the private key in a secure software wallet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Corella, Francisco
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Brown; Christopher J

Application Number

US09/483,185
Time in Patent Office

2,972 Days
Field of Search

713/155, 713/158, 713/156, 726/18, 726/5, 726/10
US Class Current

713/155
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/60   Digital content management,...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 9/3268   using certificate validatio...

Authorization infrastructure based on public key cryptography

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

204 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Authorization infrastructure based on public key cryptography

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

204 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others