
Revocation of cryptographic digital certificates

  • US 8,024,562 B2
  • Filed: 06/26/2009
  • Issued: 09/20/2011
  • Est. Priority Date: 08/31/2004
  • Status: Active Grant

1. A method for generating computer-readable computer data for a plurality of slots of digital certificates, the computer data being for generating validity or invalidity proofs for the digital certificates, wherein each slot is associated with at most one digital certificate, and each digital certificate is associated with a respective one of the slots;

  • wherein each digital certificate certifies that a cryptographic key is associated with an entity, and each digital certificate is associated with an expiration time indicating when the certificate expires, each digital certificate comprising revocation data for enabling revocation of the digital certificate before the certificate's expiration time;

    the method comprising:

    generating, in a data carrier:

    one or more digital certificates, wherein the number of slots is greater than the number of the one or more digital certificates; and

    first computer data for generating proofs of validity or invalidity for any digital certificate associated with a slot;

    wherein the computer data comprises the one or more digital certificates and the first computer data;

    wherein a plurality of sets F is defined, each set F being a set of one or more of the slots, each slot belonging to at least one set F;

    wherein each proof is digital data associated with a set F and with time, and is for proving validity or invalidity, at the associated time, for each digital certificate associated with a slot in the set F, wherein the proof depends on secret data associated with the set F;

    wherein said generating of the one or more digital certificates and the first computer data comprises:

    generating, for at least each set F comprising at least one slot associated with a digital certificate, the secret data associated with the set F, the first computer data comprising the secret data;

    for at least each slot associated with a digital certificate, generating the digital certificate's revocation data from the secret data;

    wherein for each digital certificate, the certificate's validity or invalidity status for a given time is verifiable, even before the certificate's expiration time, by a verification method comprising:

    obtaining the proof associated with the given time and with a set F comprising a slot associated with the digital certificate; and

    performing a predefined verification operation on the proof and the digital certificate's revocation data;

    wherein the time associated with at least one proof is operable to extend beyond the expiration time of each of the one or more digital certificates, to permit subsequent creation of one or more additional digital certificates and association of each additional digital certificate with an empty slot (a slot not previously associated with any digital certificate), and to permit at least one additional digital certificate to be associated with an expiration time which is later than the expiration time of each of said one or more digital certificates.
