CA2374195A1 - System and method of looking up and validating a digital certificate in one pass - Google Patents
- Publication number
- CA2374195A1
- Authority
- CA
- Canada
- Prior art keywords
- certificate
- digital
- validating
- digital certificate
- verifier
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3268—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
Abstract
A system and method for a certificate verifier to request a copy of another entity's digital certificate from a certificate distribution center and to have the certificate distribution center validate it. The certificate distribution center can request the appropriate certificates, and validation thereof, from a number of certificate authorities, or may alternatively obtain copies from a certificate cache and validate the copies against a revocation list server.
Claims (24)
1. A system for accessing and validating a digital certificate, comprising:
a first set of certificate authorities connected to a communication network and able to receive and respond to requests for certificates;
said first set of certificate authorities having a set of hierarchical trust relationships among them, said set of hierarchical trust relationships being verified by a set of digital certificates;
a certificate holder having a digital certificate issued by one of said first set of certificate authorities;
a certificate verifier connected to said communication network and having a trust relationship with a second set of certificate authorities; and a certificate distribution center connected to said communication network and operable to receive a request from said certificate verifier for a validated copy of said digital certificate, obtain said digital certificate from said one of said first set of certificate authorities, obtain a subset of digital certificates of said set of digital certificates necessary to validate said digital certificate, and return to said certificate verifier a validated copy of said digital certificate, wherein said certificate distribution center determines said subset of digital certificates of said set of digital certificates based on said second set of certificate authorities.
2. The system for accessing and validating a digital certificate of claim 1, wherein said certificate distribution center is operable to indicate to said certificate verifier that said digital certificate has a status chosen from the group consisting of invalid, revoked, expired or non-existent.
3. The system for accessing and validating a digital certificate of claim 1, additionally comprising:
at least one revocation list server having a list of digital certificates that have been revoked; and a certificate cache, wherein said certificate distribution center additionally obtains from said certificate cache a cached copy of one of said digital certificate and said set of digital certificates and verifies with said at least one revocation server the validity thereof prior to contacting said set of certificate authorities.
4. The system for accessing and validating a digital certificate of claim 3, wherein said certificate cache resides at said certificate distribution center.
5. The system for accessing and validating a digital certificate of claim 3, wherein said certificate cache serves a plurality of certificate verifiers.
6. The system for accessing and validating a digital certificate of claim 3, wherein said certificate distribution center deposits a subset of said digital certificate and said subset of digital certificates obtained from said first set of certificate authorities in said certificate cache.
7. The system for accessing and validating a digital certificate of claim 3, wherein said request from said certificate verifier indicates a desired level of confidence for said digital certificate's validity.
8. The system for accessing and validating a digital certificate of claim 3, wherein said request from said certificate verifier directs said certificate distribution center to ignore said certificate cache.
9. The system for accessing and validating a digital certificate of claim 1, wherein said reply to said certificate verifier additionally comprises a formatted first certificate chain summary.
10. The system for accessing and validating a digital certificate of claim 1, wherein said reply to said certificate verifier additionally comprises each of said subset of said set of digital certificates obtained from said first set of certificate authorities.
11. The system for accessing and validating a digital certificate of claim 1, wherein said certificate distribution center additionally constructs and returns a second certificate chain, based on said second set of certificate authorities, to said certificate verifier permitting said certificate verifier to validate said digital certificate of said certificate distribution center.
12. The system for accessing and validating a digital certificate of claim 1, wherein said certificate distribution center has prior knowledge of said second set of certificate authorities trusted by said certificate verifier.
13. The system for accessing and validating a digital certificate of claim 1, wherein said request from said certificate verifier includes a requested certificate identifier from which each of said first set of certificate authorities in parent relationship to said certificate holder can be identified.
14. A method of validating and serving a digital certificate, comprising the steps of:
(a) receiving a first request from a certificate verifier for a digital certificate;
(b) sending a second request to a first certificate authority having issued said digital certificate requested by said certificate verifier;
(c) receiving said digital certificate from said first certificate authority;
(d) if said first certificate authority is not trusted by said certificate verifier:
(i) requesting an additional digital certificate from a subsequent parent certificate authority;
(ii) receiving said additional digital certificate from said subsequent parent certificate authority;
(iii) validating a previous digital certificate with said additional digital certificate; and (iv) in the event that said subsequent parent certificate authority is not trusted by said certificate verifier, repeating steps (i) to (iii) as necessary;
and (e) returning said digital certificate to said certificate verifier.
15. The method of validating and serving a digital certificate of claim 14, wherein steps (c) and (d)(ii) alternatively comprise receiving an indication that said digital certificate or said additional digital certificate is invalid, step (d)(iv) additionally comprises a condition that said previous digital certificate is validated and said additional digital certificate exists and was not revoked, and step (e) alternatively comprises returning a notification that said digital certificate is invalid.
16. The method of validating and serving a digital certificate of claim 14, additionally comprising the step of obtaining said digital certificate or said additional digital certificate from a certificate cache and validating said digital certificate or said additional digital certificate using a revocation list in place of obtaining said digital certificate or said additional digital certificate from said first or subsequent parent certificate authorities, in the event that said digital certificate or said additional digital certificate is available from said certificate cache.
17. The method of validating and serving a digital certificate of claim 16, additionally comprising the step of placing at least one of said digital certificate and said additional digital certificates in said certificate cache once received from said first or subsequent parent certificate authority.
18. The method of validating and serving a digital certificate of claim 16, wherein step (a) additionally comprises receiving a desired level of confidence from said certificate verifier, and the step of validating said digital certificate and said additional digital certificates reflects said desired level of confidence.
19. The method of validating and serving a digital certificate of claim 16, wherein step (a) additionally comprises receiving from said certificate verifier a direction to ignore said certificate cache.
20. The method of validating and serving a digital certificate of claim 14, wherein step (e) additionally comprises constructing a first certificate chain from said digital certificate and said additional digital certificates, if any, and returning said first certificate chain, along with said digital certificate, to said certificate verifier.
21. The method of validating and serving a digital certificate of claim 20, wherein step (e) additionally comprises formatting said first certificate chain and said digital certificate prior to returning said first certificate chain to said certificate verifier.
22. The method of validating and serving a digital certificate of claim 14, additionally comprising the step of:
(f) following step (d), constructing a second certificate chain, based on said second set of certificate authorities, to said certificate verifier permitting said certificate verifier to validate said certificate distribution center, and returning said second certificate chain to said certificate verifier.
23. The method of validating and serving a digital certificate of claim 22, additionally comprising the step of formatting said second certificate chain prior to returning said second certificate chain to said certificate verifier.
24. The method of validating and serving a digital certificate of claim 14, wherein said first request in step (a) identifies said first certificate authority and each of said subsequent parent certificate authorities, and step (d)(i) is performed prior to receiving said digital certificate from said first certificate authority in step (c).
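The method of claim 14 read end to end, as an added example that is not the patent's code: a distribution center fetches the holder's certificate from its issuing CA, walks up the parent CAs until it reaches one the verifier itself trusts (the verifier's "second set"), checks each link's signature and revocation status on the way, and answers with the status codes of claim 2 (expiry is not modelled), using the cache of claims 16, 17 and 19 to skip CA round-trips. The CA, certificate and revocation-list structures, the names and the HMAC stand-in for a real signature are all assumptions made so the example runs offline on the standard library. A real deployment would also need the second chain of claims 11 and 22, since the verifier now trusts the center's answer instead of checking the chain itself.

```python
"""Toy model of the one-pass flow of claim 14 with the status codes of claim 2 (expiry
omitted), the revocation list of claim 3 and the cache of claims 16, 17 and 19.  Added
example, not the patent's code; names, structures and the HMAC stand-in for a real
signature are assumptions made so it runs offline on the standard library."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def toy_sign(key: bytes, subject: str, issuer: str, serial: int, subject_key: bytes) -> bytes:
    """HMAC over the to-be-signed fields.  Stand-in only: here the same key signs and verifies,
    so anyone holding a CA's key could forge; a real CA uses RSA or ECDSA."""
    return hmac.new(key, f"{subject}|{issuer}|{serial}|".encode() + subject_key, hashlib.sha256).digest()


@dataclass(frozen=True)
class Certificate:
    subject: str
    issuer: str
    serial: int
    subject_key: bytes   # stands in for the subject's public key (and, in this toy, its HMAC key)
    signature: bytes


def signed_by(child: Certificate, parent: Certificate) -> bool:
    """Step (d)(iii): validate a certificate with its parent's certificate."""
    expected = toy_sign(parent.subject_key, child.subject, child.issuer, child.serial, child.subject_key)
    return child.issuer == parent.subject and hmac.compare_digest(expected, child.signature)


@dataclass
class CertificateAuthority:
    """A CA of the 'first set': serves its own certificate and those it issued (steps b, c, d.i, d.ii)."""
    name: str
    key: bytes
    issued: Dict[str, Certificate] = field(default_factory=dict)   # includes its own cert under its name
    requests: int = 0                                               # network round-trips made to this CA

    def issue(self, subject: str, subject_key: bytes, serial: int) -> Certificate:
        return Certificate(subject, self.name, serial, subject_key,
                           toy_sign(self.key, subject, self.name, serial, subject_key))

    def lookup(self, subject: str) -> Optional[Certificate]:
        self.requests += 1
        return self.issued.get(subject)


class CertificateDistributionCenter:
    def __init__(self, cas: Dict[str, CertificateAuthority], revoked: Set[Tuple[str, int]]):
        self.cas, self.revocation_list = cas, revoked   # claim 3's list, keyed by (issuer, serial)
        self.cache: Dict[str, Certificate] = {}

    def _obtain(self, subject: str, from_ca: str, ignore_cache: bool) -> Optional[Certificate]:
        """Claim 16: a cached copy replaces the CA round-trip (the caller still checks revocation);
        claim 17: fresh copies are deposited; claim 19: the verifier may bypass the cache."""
        if not ignore_cache and subject in self.cache:
            return self.cache[subject]
        ca = self.cas.get(from_ca)
        cert = ca.lookup(subject) if ca is not None else None
        if cert is not None:
            self.cache[subject] = cert
        return cert

    def lookup_and_validate(self, subject: str, issuer: str, trusted: Set[str],
                            ignore_cache: bool = False) -> Tuple[str, List[Certificate], str]:
        """(a) The request names the holder and its issuing CA (claim 13); `trusted` is the verifier's
        'second set' of CAs.  Returns (status, chain with the holder first and the anchor excluded, detail)."""
        cert = self._obtain(subject, issuer, ignore_cache)                   # (b), (c)
        if cert is None:
            return "non-existent", [], ""
        if (cert.issuer, cert.serial) in self.revocation_list:
            return "revoked", [cert], ""
        chain, child = [cert], cert
        for _ in range(8):                                                     # (d); bound guards against loops
            parent = self._obtain(child.issuer, child.issuer, ignore_cache)    # (d)(i), (d)(ii)
            if parent is None or (parent.issuer, parent.serial) in self.revocation_list:   # claim 15
                return "invalid", chain, f"{child.issuer} missing or revoked"
            if not signed_by(child, parent):                                   # (d)(iii)
                return "invalid", chain, f"signature on {child.subject} fails"
            if parent.subject in trusted:                                      # (e): reached a verifier anchor
                return "valid", chain, ""
            if parent.subject == parent.issuer:
                return "invalid", chain, f"root {parent.subject} not trusted by verifier"
            chain.append(parent)
            child = parent                                                     # (d)(iv)
        return "invalid", chain, "chain too long"


def build_demo() -> Tuple[CertificateDistributionCenter, Dict[str, CertificateAuthority]]:
    """Constructed hierarchy (not from the patent): holders <- CA3 <- CA2 <- RootA."""
    root, ca2, ca3 = (CertificateAuthority(n, k) for n, k in
                      (("RootA", b"root-key"), ("CA2", b"ca2-key"), ("CA3", b"ca3-key")))
    root.issued["RootA"] = root.issue("RootA", root.key, 1)   # self-signed root
    ca2.issued["CA2"] = root.issue("CA2", ca2.key, 2)
    ca3.issued["CA3"] = ca2.issue("CA3", ca3.key, 3)
    for subject, serial in (("alice@example.com", 10), ("bob@example.com", 11)):
        ca3.issued[subject] = ca3.issue(subject, subject.encode(), serial)
    cas = {c.name: c for c in (root, ca2, ca3)}
    return CertificateDistributionCenter(cas, revoked={("CA3", 11)}), cas   # bob's serial is revoked
```

After build_demo(), lookup_and_validate("alice@example.com", "CA3", {"CA2"}) returns a valid two-certificate chain at the cost of two round-trips to CA3 and one to CA2; repeating the call is answered entirely from the cache, a verifier that trusts only RootA receives a chain one certificate longer, and a verifier with no anchor in the hierarchy gets "invalid" once the walk reaches the untrusted root.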
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CA2374195A CA2374195C (en) | 2002-03-01 | 2002-03-01 | System and method of looking up and validating a digital certificate in one pass |
US10/376,249 US7383434B2 (en) | 1998-08-26 | 2003-03-03 | System and method of looking up and validating a digital certificate in one pass |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CA2374195A CA2374195C (en) | 2002-03-01 | 2002-03-01 | System and method of looking up and validating a digital certificate in one pass |
Publications (2)
Publication Number | Publication Date |
---|---|
CA2374195A1 true CA2374195A1 (en) | 2003-09-01 |
CA2374195C CA2374195C (en) | 2010-08-10 |
Family ID: 27792803
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA2374195A Expired - Lifetime CA2374195C (en) | 1998-08-26 | 2002-03-01 | System and method of looking up and validating a digital certificate in one pass |
Country Status (1)
Country | Link |
---|---|
CA (1) | CA2374195C (en) |
Legal status timeline: 2002-03-01, CA application CA2374195A, granted as CA2374195C; status not active (Expired - Lifetime).
Also Published As
Publication number | Publication date |
---|---|
CA2374195C (en) | 2010-08-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9654298B2 (en) | Signature-efficient real time credentials for OCSP and distributed OCSP | |
US7600123B2 (en) | Certificate registration after issuance for secure communication | |
CN101124765B (en) | Distributed delegated path discovery and validation | |
US7178029B2 (en) | Method and apparatus for validating a digital signature | |
US7966487B2 (en) | Communication-efficient real time credentials for OCSP and distributed OCSP | |
US6766450B2 (en) | Certificate revocation system | |
US7383434B2 (en) | System and method of looking up and validating a digital certificate in one pass | |
US7395428B2 (en) | Delegating certificate validation | |
US7392380B2 (en) | Authentication and authorization infrastructure system with CRL issuance notification function | |
EP0862105A3 (en) | Method of and apparatus for providing secure distributed directory services and public key infrastructure | |
US20080162928A1 (en) | Method and Apparatus for Distributing Root Certification | |
Iliadis et al. | Evaluating certificate status information mechanisms | |
WO2005033868A2 (en) | Delegated certificate authority | |
WO2022033350A1 (en) | Service registration method and device | |
CN102857497A (en) | User access system and authentication method based on hybrid type content network of CDN (Content Distribution Network) and P2P (peer to peer) | |
CN109981288B (en) | Fine-grained cloud server side rapid external certification method based on aggregated signature | |
CN114930770A (en) | Certificate identification method and system based on distributed ledger | |
CA2374195A1 (en) | System and method of looking up and validating a digital certificate in one pass | |
US7124295B1 (en) | Delta CRL enhancement | |
US20050120207A1 (en) | Method and system for enabling PKI in a bandwidth restricted environment | |
CN113114463B (en) | Certificate registration method, certificate verification method and equipment | |
CN112769817B (en) | Block chain network based on trusted network, construction method and construction system | |
CN117353930A (en) | Method and system for registering information in licensed blockchain and verifying the integrity of a payload | |
CN113438214B (en) | Domain name management system | |
Popescu et al. | Secure data replication over untrusted hosts |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | EEER | Examination request | |
 | MKEX | Expiry | Effective date: 20220301 |