Techniques for multiple independent verifications for digital certificates

US 9,021,255 B1
Filed: 06/29/2012
Issued: 04/28/2015
Est. Priority Date: 06/29/2012
Status: Active Grant

First Claim

Patent Images

1. A method performed by a computing device, the method comprising:

receiving, at the computing device, a first certificate signing request (1CSR) from a certificate authority (CA), the 1CSR including an embedded second certificate signing request (2CSR), the 2CSR having been received by the CA from an entity seeking a signed certificate from the CA that validates an identity claim made by the entity in the 2CSR, the CA having performed a preliminary verification of the 2CSR prior to embedding it in the 1CSR;

verifying, at the computing device, that the 1CSR came from the CA;

performing a verification procedure on the embedded 2CSR at the computing device independent of the preliminary verification performed by the CA, to validate the identity claim made by the entity in the 2CSR; and

upon successfully validating the identity claim made by the entity in the 2CSR, sending a certificate from the computing device to the CA, the certificate validating the identity claim made by the entity in the 2CSR.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes (a) receiving, at a computing device, a first certificate signing request (1CSR) from a certificate authority (CA), the 1CSR including an embedded second certificate signing request (2CSR), the 2CSR having been received by the CA from an entity seeking a signed certificate from the CA that validates an identity claim made by the entity in the 2CSR, the CA having performed a preliminary verification of the 2CSR prior to embedding it in the 1CSR, (b) verifying that the 1CSR came from the CA, (c) performing a verification procedure on the embedded 2CSR independent of the preliminary verification performed by the CA, to validate the identity claim made by the entity in the 2CSR, and (d) upon successfully validating the identity claim made by the entity in the 2CSR, sending a certificate to the CA, the certificate validating the identity claim made by the entity in the 2CSR.

58 Citations

View as Search Results

15 Claims

1. A method performed by a computing device, the method comprising:
- receiving, at the computing device, a first certificate signing request (1CSR) from a certificate authority (CA), the 1CSR including an embedded second certificate signing request (2CSR), the 2CSR having been received by the CA from an entity seeking a signed certificate from the CA that validates an identity claim made by the entity in the 2CSR, the CA having performed a preliminary verification of the 2CSR prior to embedding it in the 1CSR;
  
  verifying, at the computing device, that the 1CSR came from the CA;
  
  performing a verification procedure on the embedded 2CSR at the computing device independent of the preliminary verification performed by the CA, to validate the identity claim made by the entity in the 2CSR; and
  
  upon successfully validating the identity claim made by the entity in the 2CSR, sending a certificate from the computing device to the CA, the certificate validating the identity claim made by the entity in the 2CSR.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein performing the verification procedure on the embedded 2CSR at the computing device independent of the preliminary verification performed by the CA includes comparing a first entity contact address provided within the 2CSR to a second entity contact address previously used by an entity making the same identity claim, the second entity contact address being stored within a database maintained by the computing device in conjunction with other computing devices configured to perform independent verification procedures on embedded certificate requests.
  - 3. The method of claim 2 wherein performing the verification procedure on the embedded 2CSR at the computing device independent of the preliminary verification performed by the CA further includes, if the first entity contact address and the second entity contact address differ, refraining from sending the certificate from the computing device to the CA.
  - 4. The method of claim 2 wherein performing the verification procedure on the embedded 2CSR at the computing device independent of the preliminary verification performed by the CA further includes:
    - sending a query to the first entity contact address to ensure that the 2CSR was actually issued by the entity; and
      
      if the first entity contact address and the second entity contact address differ, sending a query to the second entity contact address to ensure that contact information for the entity was not fraudulently changed.
  - 5. The method of claim 2 wherein:
    - performing the verification procedure on the embedded 2CSR at the computing device independent of the preliminary verification performed by the CA further includes;
      
      sending a third certificate request (3CSR) to the first entity contact address to ensure that the 2CSR was actually issued by the entity, the 3CSR including the 1CSR embedded therein;
      
      refraining from validating the identity claim made by the entity in the 2CSR unless the computing device receives a response certificate signed by the entity in response to sending the 3CSR; and
      
      if the first entity contact address and the second entity contact address differ;
      
      sending a fourth certificate request (4CSR) to the second entity contact address to ensure that contact information for the entity was not fraudulently changed, the 4CSR including the 1CSR embdedded therein; and
      
      refraining from validating the identity claim made by the entity in the 2CSR unless the computing device receives an identical response certificate signed by the entity in response to sending the 4CSR; and
      
      sending the certificate from the computing device to the CA includes;
      
      digitally signing the 2CSR at the computing device to create a notarization certificate; and
      
      sending the response certificate and the notarization certificate from the computing device to the CA.
  - 6. The method of claim 1 wherein:
    - performing the verification procedure on the embedded 2CSR at the computing device independent of the preliminary verification performed by the CA includes;
      
      sending a third certificate request (3CSR) to the first entity contact address to ensure that the 2CSR was actually issued by the entity, the 3CSR including the 1CSR embedded therein;
      
      refraining from validating the identity claim made by the entity in the 2CSR unless the computing device receives a response certificate signed by the entity in response to sending the 3CSR; and
      
      sending the certificate from the computing device to the CA includes;
      
      digitally signing the 2CSR at the computing device to create a notarization certificate; and
      
      sending the response certificate and the notarization certificate from the computing device to the CA.
  - 7. The method of claim 6 wherein the method further comprises sending the notarization certificate to the first entity contact address.
  - 8. The method of claim 1 wherein:
    - receiving the 1CSR from the CA includes receiving a preliminarily-signed certificate embedded within the 1CSR, the preliminarily-signed certificate validating the identity claim made by the entity in the 2CSR, the preliminarily-signed certificate being signed by the CA; and
      
      sending the certificate from the computing device to the CA includes appending, at the computing device, a second signature to the preliminarily-signed certificate, thereby forming the certificate to be sent to the CA.
  - 9. The method of claim 1 wherein sending the certificate from the computing device to the CA includes signing, at the computing device, the 1CSR, thereby forming the certificate to be sent to the CA, the certificate serving to authorize the CA to sign the 1CSR in order to send the signed 1CSR back to the entity.

10. A computing device comprising:
- a network interface;
  
  memory; and
  
  a processor, the processor being configured to execute instructions stored in memory in order to;
  
  receive, via the network interface, a first certificate signing request (1CSR) from a certificate authority (CA), the 1CSR including an embedded second certificate signing request (2CSR), the 2CSR having been received by the CA from an entity seeking a signed certificate from the CA that validates an identity claim made by the entity in the 2CSR, the CA having performed a preliminary verification of the 2CSR prior to embedding it in the 1CSR;
  
  verify that the 1CSR came from the CA;
  
  perform a verification procedure on the embedded 2CSR at the computing device independent of the preliminary verification performed by the CA, to validate the identity claim made by the entity in the 2CSR; and
  
  upon successfully validating the identity claim made by the entity in the 2CSR, send a certificate from the computing device to the CA, the certificate validating the identity claim made by the entity in the 2CSR.

11. A method performed by a computing device, the method comprising:
- receiving, at the computing device, a first certificate signing request (1CSR) from an entity seeking a signed certificate from the computing device that validates an identity claim made by the entity in the 1CSR;
  
  performing, at the computing device, a preliminary verification of the 1CSR by;
  
  determining whether a signature provided within the 1CSR by the entity was signed by a private key paired with a public key provided within the 1CSR; and
  
  determining whether the identity claim is valid based on a distinguished name included within the 1CSR;
  
  in response to determining that the signature was signed by the private key paired with the public key and that the identity claim is valid based on the distinguished name, sending, from the computing device to a notarization entity, a second certificate signing request (2CSR), the 2CSR having the 1CSR embedded therein;
  
  in response to sending the 2CSR to the notarization entity, receiving, at the computing device, a notarization certificate signed by the notarization entity; and
  
  in response to receiving the notarization certificate signed by the notarization entity, sending a signed certificate from the computing device, to the entity, the signed certificate validating the identity claim made by the entity in the 1CSR.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11 wherein:
    - receiving the notarization certificate includes receiving a version of the 2CSR signed by the notarization entity; and
      
      sending the signed certificate to the entity includes signing, at the computing device, the 1CSR, thereby forming the signed certificate.
  - 13. The method of claim 11 wherein:
    - receiving the notarization certificate includes;
      
      receiving, at the computing device, a version of the 2CSR signed by the notarization entity; and
      
      receiving, at the computing device, from the notarization entity, another certificate, the other certificate having been signed by the entity; and
      
      sending the signed certificate to the entity includes signing the 1CSR, at the computing device, thereby forming the signed certificate.
  - 14. The method of claim 11 wherein:
    - sending the 2CSR to the notarization entity, the 2CSR having the 1CSR embedded therein, includes;
      
      signing the 1CSR at the computing device;
      
      embedding, at the computing device, the signed 1CSR within the 2CSR; and
      
      sending the 2CSR from the computing device to the notarization entity with the embedded signed 1CSR;
      
      receiving the notarization certificate includes receiving, at the computing device, a version of the signed 1CSR also signed by the notarization entity; and
      
      sending the signed certificate to the entity includes sending the notarization certificate from the computing device to the entity.
  - 15. The method of claim 11 wherein sending the 2CSR to the notarization entity includes requesting that a random notarization entity be selected from a pool of notarization entities.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Aharoni, Idan, Hodgman, Roy, Schubert, Ingo
Primary Examiner(s)
Vostal, O. C.

Application Number

US13/537,904
Time in Patent Office

1,033 Days
Field of Search

713/156, 713/155, 713/157, 713/168, 726/10
US Class Current

713/156
CPC Class Codes

G06F 21/33   using certificates

H04L 63/0823   using certificates cryptogr...

H04L 63/126   the source of the received ...

H04L 63/1483   service impersonation, e.g....

H04L 63/168   above the transport layer

H04L 67/02   based on web technology, e....

H04L 9/3268   using certificate validatio...

H04L 9/40   Network security protocols

Techniques for multiple independent verifications for digital certificates

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

58 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for multiple independent verifications for digital certificates

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links