Distributed delegated path discovery and validation
Abstract
Providing path validation information for a system includes determining paths between a subset of certificates of the system and at least one trust root, storing each of the paths in a table prior to a request for path validation information, and fetching the validation information stored in the table in response to a request for path validation information. Providing path validation information may also include digitally signing the validation information. Providing path validation information may also include applying constraints to the validation information and only providing validation information that is consistent with the constraints. Determining paths may include constructing a directed graph of trusted roots and the subset of certificates and performing a depth-first acyclic search of the graph.
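The following is an added worked example, not code from the patent or from any product implementing it. It models the abstract and the independent claims in one small program: a directed graph of certificates and trust roots, a depth-first acyclic search that discovers every trust path, a table of pre-generated and signed revocation proofs built before any request arrives, a lookup that answers from the table without a live status check, and a name-constraint filter that suppresses paths inconsistent with the target name. The certificate identifiers, the sample PKI, the revoked set and the server key are all constructed for the example; the HMAC used to "sign" each proof is an assumption standing in for the asymmetric signature a real validation authority would use.

```python
"""Pre-computed path discovery and validation, modelled on the abstract above.

Added example, not code from the patent or any product. Certificates are
plain dicts, and the "digital signature" on each status proof is an HMAC
with a server key: a stand-in (assumption of this example) for the
asymmetric signature a real validation authority would use.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Set

# Constructed sample PKI (ids are illustrative, not real certificates).
# "permitted" models an X.509 permittedSubtrees name constraint on a CA.
CERTS: Dict[str, dict] = {
    "root-a": {"subject": "Root A", "issuer": "Root A"},
    "root-b": {"subject": "Root B", "issuer": "Root B"},
    "int-a": {"subject": "Int A", "issuer": "Root A", "permitted": ".example.com"},
    "int-b": {"subject": "Int B", "issuer": "Root B"},
    # Cross-certificates in both directions put a cycle into the graph.
    "int-a-by-b": {"subject": "Int A", "issuer": "Int B"},
    "int-b-by-a": {"subject": "Int B", "issuer": "Int A"},
    "www": {"subject": "www.example.com", "issuer": "Int A"},
    "mail": {"subject": "mail.other.net", "issuer": "Int A"},
}
TRUST_ROOTS: Set[str] = {"root-a", "root-b"}
REVOKED: Set[str] = {"int-b"}          # constructed: Int B's cert from Root B is revoked
SERVER_KEY = b"constructed-demo-key"   # assumption: stands in for a real signing key


def discover_paths(target: str) -> List[List[str]]:
    """Depth-first, acyclic search from target up to any trust root.

    An edge runs from a certificate to every candidate whose subject matches
    the certificate's issuer name. A subject already on the current path is
    never revisited, which cuts cross-certification loops (Int A <-> Int B).
    """
    found: List[List[str]] = []

    def dfs(cert_id: str, path: List[str], seen: Set[str]) -> None:
        if cert_id in TRUST_ROOTS:
            found.append(path)
            return
        issuer = CERTS[cert_id]["issuer"]
        if issuer in seen:
            return
        for cand, fields in CERTS.items():
            if fields["subject"] == issuer:
                dfs(cand, path + [cand], seen | {issuer})

    dfs(target, [target], {CERTS[target]["subject"]})
    return found


def make_proof(cert_id: str, produced_at: int) -> dict:
    """Pre-generate one signed status proof (OCSP-like) for a certificate."""
    body = {"cert": cert_id, "produced_at": produced_at,
            "status": "revoked" if cert_id in REVOKED else "good"}
    payload = json.dumps(body, sort_keys=True).encode()
    body["sig"] = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return body


def verify_proof(proof: dict) -> bool:
    """Relying-party side: check the proof's signature before trusting its status."""
    body = {k: v for k, v in proof.items() if k != "sig"}
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, proof["sig"])


def build_table(produced_at: int = 1_700_000_000) -> dict:
    """Done ahead of any request: every path for every non-root certificate,
    plus one signed proof per certificate. Nothing here runs per request."""
    proofs = {cid: make_proof(cid, produced_at) for cid in CERTS}
    paths = {cid: discover_paths(cid) for cid in CERTS if cid not in TRUST_ROOTS}
    return {"paths": paths, "proofs": proofs}


def lookup(table: dict, target: str) -> Optional[dict]:
    """Serve a request from the table alone (no live status check): return
    the first stored path whose pre-generated proofs all say 'good' and whose
    CA name constraints admit the target's name; None if no path qualifies."""
    name = CERTS[target]["subject"]
    for path in table["paths"].get(target, []):
        proofs = [table["proofs"][c] for c in path]
        if any(p["status"] != "good" for p in proofs):
            continue  # a revoked certificate anywhere on the chain disqualifies it
        cas = [CERTS[c] for c in path[1:]]
        if any("permitted" in ca and not name.endswith(ca["permitted"]) for ca in cas):
            continue  # a name constraint on an issuing CA excludes this target
        return {"path": path, "proofs": proofs}
    return None


if __name__ == "__main__":
    table = build_table()
    for target in ("www", "mail"):
        answer = lookup(table, target)
        print(target, "->", answer["path"] if answer else "no valid path")
```

Running it prints a path for `www` (via Int A to Root A) and no valid path for `mail`: its direct path is excluded by Int A's name constraint and its cross-certified path by the revoked Int B certificate. Two caveats follow from the design rather than from this toy: because the server never performs real-time status validation, a relying party must verify each proof's signature and judge `produced_at` against its own freshness policy, and the table has to be rebuilt whenever revocation data changes or a stale "good" proof keeps being served.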
Claims (24 claims; 161 citations)
1. A method of providing path validation information for a system, comprising:
determining, using at least one processor, paths between each of a plurality of certificates of the system and at least one trust root;
storing, in a non-transitory computer readable medium, validation information prior to a request for path validation information for a trust path from a target certificate to the at least one trust root, the trust path including a chain of certificates from the target certificate to the at least one trust root, wherein the validation information identifies a particular trust path from a particular one of the plurality of certificates to the at least one trust root, wherein the validation information for each particular trust path includes a proof for each of the plurality of certificates along the particular trust path indicating that each of the plurality of certificates has not been revoked, and wherein the proofs for the plurality of certificates are stored for each of the plurality of certificates of the particular trust path, are digitally signed, and are pre-generated prior to receiving the request for path validation information;
in response to the request for path validation information, determining, using at least one processor, the trust path from the target certificate to the at least one trust root that satisfies the request, fetching the validation information for the trust path, and providing to a relying party the validation information for the trust path in response to the request without performing real-time certificate status validation of the trust path; and
applying name or policy constraints to the validation information and only providing validation information that is consistent with the constraints.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A computer program product, stored on a non-transitory computer-readable storage medium, that provides path validation information for a system, comprising:
a storage medium that contains executable code for the computer program product;
executable code that determines paths between each of a plurality of certificates of the system and at least one trust root;
executable code that stores validation information prior to a request for path validation information for a trust path from a target certificate to the at least one trust root, the trust path including a chain of certificates from the target certificate to the at least one trust root, wherein the validation information identifies a particular trust path from a particular one of the plurality of certificates to the at least one trust root, wherein the validation information for each particular trust path includes a proof for each of the plurality of certificates along the particular trust path indicating that each of the plurality of certificates has not been revoked, and wherein the proofs for the plurality of certificates are stored for each of the plurality of certificates of the particular trust path, are digitally signed, and are pre-generated prior to receiving the request for path validation information;
executable code that, in response to the request for path validation information, determines the trust path from the target certificate to the at least one trust root that satisfies the request, fetches the validation information for the trust path, and provides to a relying party the validation information for the trust path in response to the request without performing real-time certificate status validation of the trust path; and
executable code that applies name or policy constraints to the validation information and that only provides validation information that is consistent with the constraints.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.

17. A server, comprising:
a processor;
internal storage coupled to the processor;
executable code, provided on the internal storage, that determines paths between each of a plurality of certificates of the system and at least one trust root;
executable code, provided on the internal storage, that stores validation information prior to a request for path validation information for a trust path from a target certificate to the at least one trust root, the trust path including a chain of certificates from the target certificate to the at least one trust root, wherein the validation information identifies a particular trust path from a particular one of the plurality of certificates to the at least one trust root, wherein the validation information for each particular trust path includes a proof for each of the plurality of certificates along the particular trust path indicating that each of the plurality of certificates has not been revoked, and wherein the proofs for the plurality of certificates are stored for each of the plurality of certificates of the particular trust path, are digitally signed, and are pre-generated prior to receiving the request for path validation information; and
executable code, provided on the internal storage, that, in response to the request for path validation information, determines the trust path from the target certificate to the at least one trust root that satisfies the request, fetches the validation information for the trust path, and provides to a relying party the validation information for the trust path in response to the request without performing real-time certificate status validation of the trust path; and
executable code, provided on the internal storage, that applies name or policy constraints to the validation information and that only provides validation information that is consistent with the constraints.
Dependent claims: 18, 19, 20, 21, 22, 23, 24.