Certificate generation using virtual attributes

US 8,719,574 B2
Filed: 08/31/2006
Issued: 05/06/2014
Est. Priority Date: 08/31/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

determining, by a processor, that a directory does not include client attributes associated with a client recipient in the directory; and

in response to determining that the directory does not include client attributes for the client recipient, accessing a client virtual attribute, wherein accessing the client virtual attribute causes the processor to perform operations comprising;

receiving a new certificate associated with but not authorized by the client recipient from a certificate authority, wherein the new certificate is signed by the certificate authority and is associated with a public key and a private key;

sending the new certificate and the public key to a client sender;

storing the signed new certificate and associated public key as client attributes for the client recipient in the directory; and

sending the private key to the client recipient.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A server, method and/or computer-readable medium system for secure communication includes a certificate authority for generating certificates signed by the certificate authority and associated public and private keys for a client. The server further includes a directory of client attributes and client virtual attributes. At least one of the client virtual attributes is for, when receiving a query for a client that cannot be located in the directory, requesting the certificate authority to dynamically generate a certificate and associated public and private key for the client, and for storing the dynamically generated certificate and public key as a client attribute in the directory.

23 Citations

View as Search Results

22 Claims

1. A method comprising:
- determining, by a processor, that a directory does not include client attributes associated with a client recipient in the directory; and
  
  in response to determining that the directory does not include client attributes for the client recipient, accessing a client virtual attribute, wherein accessing the client virtual attribute causes the processor to perform operations comprising;
  
  receiving a new certificate associated with but not authorized by the client recipient from a certificate authority, wherein the new certificate is signed by the certificate authority and is associated with a public key and a private key;
  
  sending the new certificate and the public key to a client sender;
  
  storing the signed new certificate and associated public key as client attributes for the client recipient in the directory; and
  
  sending the private key to the client recipient.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, further comprising storing the private key in a secure memory to be accessed by the client recipient after performing an authentication process.
  - 3. The method of claim 1, further comprising storing the private key in a secure key repository associated with a data recovery manager to be accessed by the client recipient after performing an authentication process.
  - 4. The method of claim 1, further comprising:
    - receiving a query from the client sender for the digital certificate, wherein the directory comprises an X.500 based directory and the query comprises a Lightweight Directory Access Protocol (LDAP) query.

5. A non-transitory computer readable storage medium comprising computer executable instructions to cause a processor to perform operations comprising:
- determining, by the processor, that a directory does not include client attributes associated with a client recipient in the directory; and
  
  in response to determining that the directory does not include client attributes for the client recipient, accessing a client virtual attribute, wherein accessing the client virtual attribute causes the processor to perform operations comprising;
  
  receiving a new certificate associated with but not authorized by the client recipient from a certificate authority, wherein the new certificate is signed by the certificate authority and is associated with a public key and a private key;
  
  sending the new certificate and the public key to a client sender;
  
  storing the signed new certificate and associated public key as client attributes for the client recipient in the directory; and
  
  sending the private key to the client recipient.
- View Dependent Claims (6, 7)
- - 6. The non-transitory computer readable storage medium of claim 5, wherein the operations further comprise:
    - storing the private key in a secure memory to be accessed by the client recipient after performing an authentication process.
  - 7. The non-transitory computer readable storage medium of claim 5, wherein the operations further comprise:
    - receiving a query from the client sender for the certificate, wherein the directory is located within a directory server, wherein the directory server comprises an X.500 based directory, and wherein the query comprises a Lightweight Directory Access Protocol (LDAP) query.

8. A method comprising:
- accessing a client virtual attribute in response to a determination that a directory does not include client attributes associated with the client recipient, wherein accessing the client virtual attribute causes a processor to perform operations comprising;
  
  generating a certificate, a public key, and a private key for the client recipient, wherein the public key and the private key are associated with the certificate;
  
  signing the certificate;
  
  providing the certificate and the public key to a client sender;
  
  storing the signed certificate and associated public key as client attributes for the client recipient in the directory; and
  
  sending the private key to the client recipient after performing a client authentication process.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The method of claim 8, wherein the client authentication process comprises a Kerberos authentication process.
  - 10. The method of claim 8, further comprising:
    - publishing the certificate and the public key in a directory server, the directory server comprising an X.500 based directory, the publishing of the certificate and the public key performed according to a Lightweight Directory Access Protocol (LDAP).
  - 11. The method of claim 8, further comprising storing the generated private key in a secure key repository using a data recovery manager.
  - 12. The method of claim 8, wherein the request to generate the certificate is received based on a query for an existing certificate of the client recipient in a directory server, wherein the directory server fails to locate the existing certificate for the client recipient.

13. A server comprising:
- a memory to store a directory; and
  
  a processor coupled to the memory, the processor to;
  
  determine that the directory does not include client attributes associated with a client recipient and, in response to determining that the directory does not include client attributes for the client recipient, accessing a client virtual attribute, wherein accessing the client virtual attribute causes the processor to;
  
  receive a new digital certificate associated with but not authorized by the client recipient from a certificate authority, wherein the new certificate is signed by the certificate authority and is associated with a public key and a private key;
  
  provide a copy of the public key to a client sender;
  
  store the signed new certificate and associated public key as client attributes for the client recipient in the directory; and
  
  provide the private key to the client recipient.
- View Dependent Claims (14, 15)
- - 14. The server of claim 13, the processor to store the private key in a secure portion of the memory to be accessed by the client recipient after performing a client authentication process.
  - 15. The server of claim 13, the processor to store the private key in a secure portion of the memory to be accessed by the client recipient after a client authentication process, the client authentication process comprising a Kerberos authentication process.

16. A system comprising:
- a memory to store a directory; and
  
  a processor coupled to the memory, the processor to;
  
  generate digital certificates and public keys for client recipients, the processor storing the digital certificates and the public keys in the directory as client attributes,determine that the directory does not include client attributes for a client recipient,in response to determining that the directory does not include client attributes for the client recipient, accessing the client virtual attribute, wherein accessing the client virtual attribute causes the processor to perform operations comprising;
  
  generating a digital certificate, an associated public key, and an associated private key for the client recipient;
  
  digitally signing the generated digital certificate;
  
  storing the digitally signed generated digital certificate and the associated public key as client attributes for the client recipient in the directory; and
  
  providing the associated public key to a client sender.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The system of claim 16, wherein the client virtual attribute comprises an executable script for causing the directory to fetch the digitally signed generated digital certificate and the associated public key.
  - 18. The system of claim 16, the processor to store the generated private key in a secure portion of the storage device to be accessed by the client recipient after performing a client authentication process.
  - 19. The system of claim 16, the processor to store the generated private key in a secure portion of the storage device to be accessed by the client recipient after a client authentication process, the client authentication process comprising Kerberos authentication process.
  - 20. The system of claim 16, wherein the directory stores the generated private key in a secure portion of the storage device to be accessed by the client recipient after a client authentication process.
  - 21. The system of claim 16, the processor to store the generated private key in a secure key repository to be accessed by the client recipient after performing a client authentication process.
  - 22. The system of claim 16, wherein the directory comprises an X.500 directory model, the directory to receive directory queries for digital certificates associated with clients according to a Lightweight Directory Access Protocol (LDAP).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Relyea, Robert
Primary Examiner(s)
SIMITOSKI, MICHAEL J

Application Number

US11/469,459
Publication Number

US 20080072039A1
Time in Patent Office

2,805 Days
Field of Search

713/158, 713/175, 709/220, 709/228, 380/282, 380/30, 380/279, 380/286, 726/10
US Class Current

713/175
CPC Class Codes

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 9/007   involving hierarchical stru...

H04L 9/3263   involving certificates, e.g...

Certificate generation using virtual attributes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

23 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

Certificate generation using virtual attributes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others