Revocation of a certificate and exclusion of other principals in a digital rights management (DRM) system based on a revocation list from a delegated revocation authority

US 7,543,140 B2
Filed: 02/26/2003
Issued: 06/02/2009
Est. Priority Date: 02/26/2003
Status: Active Grant

First Claim

Patent Images

1. A computer-readable storage medium having instructions stored thereon that, when executed by a processor, perform a method of using a single digital certificate for authenticating a corresponding element in a digital rights management (DRM) system, the single certificate issued by an issuer for being verified by a trusted component of a user computing device to authenticate the element prior to access of digital content, the verification including ensuring that the single certificate is not revoked, the single certificate comprising:

an identification of at least two entities as having delegated authority over the single certificate to revoke same as delegated by the issuer, the issuer and the at least two entities being separate entities, the at least two entities being delegated revocation authorities, the delegated revocation authorities revoking the single certificate by identifying same in a separate revocation list for each of the delegated revocation authorities, locations of respective revocation lists internal to the single certificate; and

at least one revocation condition internal to the single certificate relating to possible revocation of the single certificate, each revocation condition having to be satisfied when the single certificate is employed to authenticate the element of the digital rights management system, wherein upon authentication of the corresponding element, access to the digital content is granted to the user computing device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A digital certificate identifies an entity as having authority over the certificate to revoke same as delegated by the issuer. The certificate also has at least one revocation condition relating to possible revocation of the certificate. To authenticate the certificate, the identification of the delegated revocation authority, a location from which a revocation list is to be obtained, and any freshness requirement to be applied to the revocation list are determined from the certificate. It is then ensured that the revocation list from the location is present and that the present revocation list satisfies the freshness requirement, that the revocation list is promulgated by the delegated revocation authority identified in the certificate, and that the certificate is not identified in the revocation list as being revoked.

75 Citations

View as Search Results

20 Claims

1. A computer-readable storage medium having instructions stored thereon that, when executed by a processor, perform a method of using a single digital certificate for authenticating a corresponding element in a digital rights management (DRM) system, the single certificate issued by an issuer for being verified by a trusted component of a user computing device to authenticate the element prior to access of digital content, the verification including ensuring that the single certificate is not revoked, the single certificate comprising:
- an identification of at least two entities as having delegated authority over the single certificate to revoke same as delegated by the issuer, the issuer and the at least two entities being separate entities, the at least two entities being delegated revocation authorities, the delegated revocation authorities revoking the single certificate by identifying same in a separate revocation list for each of the delegated revocation authorities, locations of respective revocation lists internal to the single certificate; and
  
  at least one revocation condition internal to the single certificate relating to possible revocation of the single certificate, each revocation condition having to be satisfied when the single certificate is employed to authenticate the element of the digital rights management system, wherein upon authentication of the corresponding element, access to the digital content is granted to the user computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer-readable storage medium of claim 1 wherein the identification of the delegated revocation authorities comprises a public key thereof, and wherein a revocation list from each of the delegated revocation authorities is digitally signed by a private key of each of the delegated revocation authorities corresponding to the public key thereof and is verifiable by such public key.
  - 3. The computer-readable storage medium of claim 1 wherein the revocation condition specifies a location from which a revocation list must be obtained.
  - 4. The computer-readable storage medium of claim 1 wherein the identification of the at least two entities having delegated revocation authority comprises a public key thereof, and wherein each revocation list from the location specified in the at least one revocation condition is from the respective delegated revocation authority, is digitally signed by a private key of the respective delegated revocation authority corresponding to the public key thereof, and is verifiable by such public key.
  - 5. The computer-readable storage medium of claim 1 wherein the identification of the at least two entities having delegated revocation authority comprises a public key thereof, and wherein each revocation list from the location specified in the at least one revocation condition is not from the respective delegated revocation authority, is not digitally signed by a private key of the respective delegated revocation authority corresponding to the public key thereof, and is not verifiable by such public key.
  - 6. The computer-readable storage medium of claim 1 wherein the at least one revocation condition specifies a freshness requirement regarding a respective revocation list, the freshness requirement stating a maximum age that the respective revocation list can reach before a fresher copy of the respective revocation list must be obtained.
  - 7. The computer-readable storage medium of claim 1 in combination with a respective revocation list from a location specified in the at least one revocation condition, wherein the identification of the at least two entities having delegated revocation authority comprises a public key thereof, and wherein the respective revocation list is from the respective delegated revocation authority, is digitally signed by a private key of the respective delegated revocation authority corresponding to the public key thereof, and is verifiable by such public key.
  - 8. The computer-readable storage medium of claim 7 wherein the respective revocation list specifies a non-trustworthy principal that is to be excluded in connection with using the certificate.
  - 9. The computer-readable storage medium of claim 8 wherein the respective revocation list specifies a plurality of non-trustworthy principals that are to be excluded in connection with using the certificate.
  - 10. The computer-readable storage medium of claim 8 wherein the excluded principal specified in the respective revocation list is another certificate.
  - 11. The computer-readable storage medium of claim 8 wherein the excluded principal specified in the respective revocation list is selected from a group consisting of a public key, a user, an application, an operating system, a piece of hardware, a piece of software, a piece of content, and a digital license.

12. A method for authenticating a single digital certificate in a digital rights management (DRM) system for a corresponding element on a user computing device, the single certificate being issued by an issuer for being authenticated by a trusted component of the user computing device to authenticate the element prior to access to digital content, the method comprising:
- determining from the single certificate an identification of at least two entities as having delegated authority over the single certificate to revoke same as delegated by the issuer, the issuer and the at least two entities being separate entities, the at least two entities being delegated revocation authorities, the delegated revocation authorities revoking the single certificate by identifying same in a separate revocation list for each of the delegated revocation authorities;
  
  determining from the single certificate a location from which the revocation lists are to be obtained, the location of each of the revocation lists internal to the single certificate;
  
  determining from the single certificate a freshness requirement to be applied to the revocation lists, the freshness requirement internal to the single certificate;
  
  ensuring that the revocation lists from each of the locations is present and that the present revocation lists satisfy the freshness requirement;
  
  ensuring that the present revocations lists promulgated by the delegated revocation authorities identified in the single certificate; and
  
  ensuring that the single certificate is not identified in the present revocation lists as being revoked, wherein upon authenticating the single digital certificate in the DRM system, access to the digital content is granted to the user computing device.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The method of claim 12 wherein ensuring that the revocation lists are present and that the present revocation lists satisfy the freshness requirement comprises obtaining a revocation list from each of the locations.
  - 14. The method of claim 12 wherein ensuring that the revocation lists are present and that the present revocation lists satisfy the freshness requirement comprises ensuring that the revocation lists from each of the locations is already present and that such present revocation lists have an issue time that satisfies the freshness requirement.
  - 15. The method of claim 12 wherein the revocation lists are digitally signed by a private key of each of the delegated revocation authorities, the method signature comprising:
    - determining from the certificate as the identification of the delegated revocation authorities a public key thereof corresponding to the private key thereof; and
      
      ensuring that the present revocation lists are promulgated by the delegated revocation authorities identified in the certificate by verifying the signature of the revocation lists with the public key of the delegated revocation authorities.
  - 16. The method of claim 12 wherein the revocation lists specify a non-trustworthy principal, the method further comprising ensuring that the non-trustworthy principal is excluded in connection with using the certificate.
  - 17. The method of claim 16 wherein the revocation lists specify a plurality of non-trustworthy principals, the method further comprising ensuring that each non-trustworthy principal is excluded in connection with using the certificate.
  - 18. The method of claim 16 wherein the revocation lists specify a non-trustworthy principal that is another certificate, the method further comprising ensuring that the non-trustworthy another certificate is excluded in connection with using the certificate.
  - 19. The method of claim 16 wherein the revocation lists specify a non-trustworthy principal that is selected from a group consisting of a public key, a user, an application, an operating system, a piece of hardware, a piece of software, a piece of, content, and a digital license another certificate, the method farther comprising ensuring that the non-trustworthy principal is excluded in connection with using the certificate.
  - 20. The method of claim 12 comprising determining from the certificate an identification of the issuer as being the delegated revocation authority.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Lafornara, Philip, Rose, Charles F. III, LaMacchia, Brian A., Malaviarachchi, Rushmi U., Manferdelli, John L., Dillaway, Blair Brewster
Primary Examiner(s)
COLIN, CARL G

Application Number

US10/374,312
Publication Number

US 20040168056A1
Time in Patent Office

2,288 Days
Field of Search

713/156, 713/157, 713/158, 713/173, 713/175
US Class Current

713/156
CPC Class Codes

G06F 21/10   Protecting distributed prog...

H04L 2209/603   Digital right managament [DRM]

H04L 9/3268   using certificate validatio...

Revocation of a certificate and exclusion of other principals in a digital rights management (DRM) system based on a revocation list from a delegated revocation authority

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

75 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Revocation of a certificate and exclusion of other principals in a digital rights management (DRM) system based on a revocation list from a delegated revocation authority

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

75 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links