CN1985460B - Communication-efficient real time credentials for OCSP and distributed OCSP - Google Patents


Publication number: CN1985460B
Authority: CN (China)
Prior art keywords: certificate, response, precomputation, transponder, artificial
Legal status: Expired - Fee Related
Application number: CN200580002180.6A
Other languages: Chinese (zh)
Other versions: CN1985460A
Inventors: David Engberg (戴维·恩贝里), Phil Libin (菲尔·利宾), Silvio Micali (西尔维奥·米卡利)
Current assignee: Buga Technologies GmbH
Original assignee: Corestreet Ltd
Priority claimed from: PCT/US2005/000665 (WO2005070116A2)

Abstract

Facilitating a transaction between a first party and a second party includes, prior to initiating the transaction, one of the parties obtaining an artificially pre-computed OCSP response about a specific digital certificate, where the artificially pre-computed OCSP response is generated by an entity other than the first party and the second party, one of the parties initiating the transaction, in connection with the transaction, the first party providing the specific digital certificate to the second party, and the second party verifying the specific digital certificate using the artificially pre-computed OCSP response. The second party may obtain the artificially pre-computed OCSP response prior to the transaction being initiated. The second party may cache the artificially pre-computed OCSP response for future transactions. The first party may obtain the artificially pre-computed OCSP response prior to the transaction being initiated. The first party may cache the artificially pre-computed OCSP response for future transactions.

Description

Communication-efficient real time credentials for OCSP and distributed OCSP
Cross-reference to related applications
This application claims priority to U.S. Provisional Application 60/535,666, filed January 9, 2004, and U.S. Provisional Application 60/536,817, filed January 15, 2004, both of which are incorporated herein by reference.
Background of the invention
1. Technical field
This application relates to the field of digital certificates, and more particularly to the field of verifying and validating digital certificates and other information.
2. Description of related art
Digital signatures provide an effective form of Internet authentication. Unlike traditional passwords and PINs, digital signatures authenticate transactions in a universally verifiable way. Repudiating a digitally signed transaction is therefore difficult, though not impossible. A digital signature is produced with a signing key SK and verified with the matching verification key PK. A user U keeps his own SK secret, so that only U can sign on U's behalf. Fortunately, the key PK does not "betray" the matching key SK; that is, knowledge of PK gives no practical advantage in computing SK. User U can therefore make his own PK as public as possible, so that anyone can verify U's signatures. For this reason, PK is called the public key.
A digital certificate is an alphanumeric string that enables digital signatures by guaranteeing that a given key PK really is the public key of user U. A certificate authority (CA) generates and issues certificates to users, but usually only after confirming the user's identity. A certificate thus proves that the CA has verified the holder's identity and other attributes. Certificates expire after a specified time, typically one year in the case of public CAs.
In essence, a digital certificate C consists of a CA's digital signature securely binding together several quantities: a serial number SN unique to the certificate, the user's public key PK, the user's name U, an issue date $D_1$, an expiry date $D_2$, and other data. In symbols:
$C = SIG_{CA}(SN, PK, U, D_1, D_2, \ldots)$
It is useful to be able to determine the status of a digital certificate, including whether a particular certificate was validly issued and/or whether it has been revoked before it expires. Many techniques exist for determining the status of an individual digital certificate. For example, U.S. Patents 5,666,416 and 5,717,758 describe techniques for providing individual certificate status. Other techniques for disseminating and ascertaining certificate status are also well known, including Certificate Revocation Lists (CRLs), which are digitally signed lists of revoked certificates, and the Online Certificate Status Protocol (OCSP), which specifies a mechanism for querying the status of a particular certificate.
CRLs work by having each CA periodically issue a properly dated and digitally signed list (the CRL) containing the serial numbers of revoked certificates. In some implementations, a CRL contains all the revoked certificates of a given set of certificates. A digital certificate presented with an electronic transaction can thus be compared against the most recent CRL. If the given certificate has not expired but is on the list of revoked certificates, then it is known from the CRL that the certificate is invalid and that its holder is no longer authorized to conduct the transactions enabled by the digital certificate. If, on the other hand, the certificate does not appear in the CRL, the certificate is deemed valid. The CRL may also be archived with the other records of each transaction, so that the validity of the transaction can be proven in the future or, in the case of a revoked certificate, so that the denial of service can be shown to have been justified.
Assuming a revocation rate of 10%, on average one in every 10 digital certificates is revoked before it expires. At that rate, a system with 10 million certificates will produce a CRL containing 1 million serial numbers, which may make the CRL unwieldy. Although this problem can be mitigated by recently introduced CRL partitioning techniques, the basic strategy of bundling together the revocation information of many certificates may still cause inconvenience and cost. If serial numbers are 24 bits long (to handle millions of certificates), a sub-CRL of 1,000 certificates will be 24,000 bits (3,000 bytes) long. In some deployments, because of overhead, the CRL entry for each certificate is 22 bytes long, so a sub-CRL of 1,000 certificates is 22,000 bytes long. This is unacceptable in some situations; in wireless transactions, for example, having to transmit that many bits (as protection against future disputes and possible legal claims) is impractical.
CRLs grow large because they provide revocation proofs (and thereby, indirectly, validity proofs) about many certificates bundled together. By contrast, OCSP can provide validity proofs for individual certificates. A traditional OCSP service uses an OCSP responder that receives queries from clients (i.e., relying parties) about the validity of a given certificate issued by a given CA; in response, the OCSP responder provides a digitally signed answer indicating the status of the certificate and time information about the answer.
To provide OCSP service, a traditional OCSP responder is supplied with information about the status of all of the CA's certificates. Because a CA can usually determine the status of its own certificates, if the OCSP responder is the CA itself, the OCSP responder/CA already has the information about certificate revocation status. If, on the other hand, the OCSP responder is not the CA, the OCSP responder can be kept up to date on the status of the CA's certificates. See, for example, U.S. Patent 5,717,758: Witness-based certificate revocation system.
The CA can update the OCSP responder by sending it the most recent CRL. The OCSP responder can consult this CRL to deduce whether a particular certificate of interest is currently valid or revoked, and can then provide the relying party with a signed response indicating the time of the current CRL, the time of the next update, and the time of actual processing.
Of course, a malicious or compromised OCSP responder could provide arbitrary signed answers about the certificates of a given CA, with or without consulting any CRL. Therefore, for a relying party to rely safely on an OCSP responder's digitally signed answers about the certificates of a given CA, OCSP includes a mechanism by which the CA provides the OCSP responder with a responder certificate: a special digital certificate, signed by the CA, that in effect vouches to other parties that the CA trusts this OCSP responder to provide accurate proofs about the CA's certificates. Note that for this process to work properly, each OCSP responder (and each CA) must have a secret signing key, and this key must be protected (for example, by placing the server that implements the responder in a secure vault).
Referring to Figure 1, diagram 40 shows the information flow in a traditional OCSP environment. Diagram 40 includes a CA 42, a traditional OCSP responder 44, and a relying party 46. The thick lines used for CA 42 and OCSP responder 44 indicate the presence of keys that must be protected for the system to operate reliably. CA 42 provides validity information 48 (such as a CRL) to OCSP responder 44. Relying party 46 sends OCSP requests 52 to OCSP responder 44. OCSP responder 44 examines the validity information (e.g., in CRL form) provided by CA 42 and determines the validity status of the certificate in question. OCSP responder 44 then prepares a corresponding response, digitally signs it, and provides the result to relying party 46 as OCSP response 54. In some cases, OCSP responder 44 may also provide relying party 46 with a responder certificate 56 indicating that OCSP responder 44 is authorized and trusted by CA 42.
OCSP, however, has significant drawbacks. First, digital signatures are computationally intensive operations. The digital signature on each OCSP response is created by a traditional OCSP responder at the time of the request, and may be the most computationally intensive part of the validation operation. For example, producing a digital signature can add 50 milliseconds to 1 second to the transaction time. Even if a traditional OCSP responder caches its digital signature about a digital certificate C after being asked about it for the first time, and sends the cached signature when asked about C afterwards, the answer to the first user asking about C is still significantly delayed by the generation of the initial digital signature.
In addition, if there is only one OCSP responder, then effectively all certificate-validity queries are sent to that single OCSP responder, which then becomes a major network bottleneck and causes considerable congestion and delay. If a large number of honest users suddenly query this OCSP responder, a disruptive denial of service will ensue.
On the other hand, to prevent the problems of a centralized OCSP implementation, an organization may consider distributing the request load (about the validity of its certificates) across several properly certified traditional OCSP responders. In general, distributing the load of a single server across several (e.g., 100) servers strategically located around the world (to avoid transmission bottlenecks) can alleviate network congestion. For OCSP, however, load distribution can cause other problems, because to provide signed responses to certificate-validity queries, each of the 100 distributed traditional OCSP responders has its own secret signing key. Compromising any one of the 100 servers therefore effectively compromises the whole system. Indeed, if a traditional OCSP responder is compromised, an attacker can use the discovered secret signing key to sign false responses indicating that (1) valid certificates are revoked, or (2) revoked certificates are still valid. This latter type of false positive response could allow a terminated employee to regain access to a system.
One way to prevent a responder from being compromised is to run it from a secure vault with around-the-clock surveillance. Unfortunately, this is a very costly option. A truly secure vault, such as one meeting all the requirements of a financial CA, costs more than $1 million just to build, and about $1 million a year to operate. Moreover, even if an organization were willing to pay such expenses, vaults cannot be built overnight. Thus, if a CA needs several vaults to lessen the load on its current traditional OCSP responders, there will be a delay of some months before the new, properly protected OCSP responders are built.
Furthermore, incurring the cost of several vaults does not solve the OCSP security problem. This is because the OCSP mechanism requires a traditional OCSP responder to receive requests from untrusted sources (relying parties) and to service them using the responder's secret signing key. A malicious relying party (or a malicious agent posing as a relying party) might therefore prefer to expose the OCSP responder's signing key by finding possible weaknesses in the underlying operating system.
There are also several difficulties associated with OCSP when servicing certificate-validity requests that originate from different security domains. For example, a traditional OCSP responder run by organization A can easily provide responses about the status of certificates of organization A's CA, but an OCSP responder run by another organization may not have enough information to provide responses about "foreign" certificates.
This problem, which stems from a lack of specific knowledge, may be handled in one of two ways. First, relying parties from organization B can obtain the status of certificates of organization A's CA from organization A's responders. This limits performance, however, because organization A's OCSP responders may be geographically far from organization B's relying parties, so network time may greatly slow down overall validation processing. The second way is to allow responders from organization B to make responses about organization A's certificates, by having organization A's CA forward organization A's CRLs to the foreign responders. Indeed, CRLs are digitally signed and thus need not be kept secret, and organization A's CA presumably wishes to inform the widest possible audience of the validity status of organization A's certificates. This second way provides organization B's OCSP responder with enough information to answer requests from relying parties about organization A's certificates. For a relying party to take seriously the digitally signed answer of organization B's OCSP responder, however, organization A's CA should also certify the foreign responder as reliable for answering validity queries about organization A's certificates.
Referring to Figure 2, diagram 60 shows the CA 42, the traditional OCSP responder 44, and the relying party 46 shown in diagram 40 of Figure 1. In the case shown in diagram 60, however, relying party 46 provides an OCSP request 62 about a certificate that is not managed by CA 42 but is issued and managed by a different CA 64. In this case, OCSP responder 44 cannot provide an OCSP response based solely on the information in the CRL 48 that CA 42 provides to OCSP responder 44. Instead, CA 64 provides a different CRL 66 and a different responder certificate to OCSP responder 44. OCSP responder 44 then uses the different CRL 66 to formulate an OCSP response 72 about the foreign certificate. In some cases, OCSP responder 44 may also provide responder certificate 68 to relying party 46.
This second way can provide better scalability and performance, but it muddles the security and trust flow between the two organizations. In diagram 60, OCSP responder 44 is making an authoritative response to the relying party that a certificate of CA 64 is still valid. If OCSP responder 44 provides an incorrect response for any reason (misconfiguration, hostile attack, or outright dishonesty), OCSP responder 44 may adversely affect the organization of CA 64. By allowing OCSP responder 44 to make authoritative statements about the certificates of the organization of CA 64, the organization of CA 64 relinquishes some of the trust that it previously held.
As an example, suppose the organizations are credit card issuers. A bank from organization A revokes a user's certificate, and the bank ensures that organization A's traditional OCSP responders are secure and reliable. Suppose organization B's OCSP responder is misconfigured, so that when a merchant relying party of organization B asks about the user's validity, organization B's responder incorrectly answers that the user is valid. The merchant accepts this answer and allows the revoked user's transaction to proceed. This kind of delegation of trust between organizations may be acceptable in some cases, but it is of little use for heterogeneous deployments of traditional OCSP on any large scale.
It is therefore desirable to provide a system that addresses the difficulties described above.
Summary of the invention
According to the present invention, providing information about digital certificate validity includes determining a digital certificate validity status for each of a plurality of digital certificates in a set of digital certificates, generating a plurality of artificially pre-computed messages about the validity status of at least a subset of the set of digital certificates, where at least one of the messages indicates the validity status of more than one digital certificate, and digitally signing the artificially pre-computed messages to provide OCSP format responses that respond to OCSP queries about specific digital certificates in the set of digital certificates, where at least one digital signature is used in connection with an OCSP format response for more than one digital certificate. Generating and digitally signing may occur before any OCSP query is answered by any of the OCSP format responses. Determining the digital certificate validity status includes obtaining authenticated information about the digital certificates. The authenticated information about the digital certificates may be generated by the entity that revokes certificates. The authenticated information about the digital certificates may be a CRL. Generating a plurality of artificially pre-computed responses may include generating responses for at least all non-revoked digital certificates in the set of digital certificates. Providing information about digital certificate validity may also include, after digitally signing the artificially pre-computed messages, forwarding the results to a plurality of responders that service requests by relying parties inquiring about the validity status of digital certificates in the set of digital certificates. Providing information about digital certificate validity may also include making available to the responders a special digital certificate containing a public verification key used to verify the digital signatures provided in connection with digitally signing the artificially pre-computed responses. The entity that issues the special digital certificate may also issue the certificates of the set of digital certificates. Generating the plurality of artificially pre-computed responses and digitally signing the artificially pre-computed responses may be performed periodically. The artificially pre-computed responses may include time information corresponding to when the artificially pre-computed responses were generated.
According to the present invention, computer software, stored on a computer-readable medium, that provides information about digital certificate validity includes executable code that determines a digital certificate validity status for each of a plurality of digital certificates in a set of digital certificates, executable code that generates a plurality of artificially pre-computed messages about the validity status of at least a subset of the set of digital certificates, where at least one of the messages indicates the validity status of more than one digital certificate, and executable code that digitally signs the artificially pre-computed messages to provide OCSP format responses that respond to OCSP queries about specific digital certificates in the set of digital certificates, where at least one digital signature is used in connection with an OCSP format response for more than one digital certificate. The executable code that determines the digital certificate validity status includes obtaining authenticated information about the digital certificates. The authenticated information about the digital certificates may be generated by the entity that revokes certificates. The authenticated information about the digital certificates may be a CRL. The executable code that generates the plurality of artificially pre-computed responses may include generating responses for at least all non-revoked digital certificates in the set of digital certificates. The computer software may also include executable code that forwards the digitally signed artificially pre-computed messages to a plurality of responders that service requests by relying parties inquiring about the validity status of digital certificates in the set of digital certificates. The computer software may also include executable code that makes available to the responders a special digital certificate containing a public verification key used to verify the digital signatures provided in connection with digitally signing the artificially pre-computed responses. The entity that issues the special digital certificate may also issue the certificates of the set of digital certificates. The executable code that generates the plurality of artificially pre-computed responses and digitally signs the artificially pre-computed responses may generate and sign the responses periodically.
According to the present invention, providing information about digital certificate validity includes obtaining a plurality of signing key/verification key pairs, where each signing key provides a digital signature and the corresponding verification key verifies that digital signature, and where digitally signing a plurality of data elements together using the signing keys is computationally more efficient than digitally signing each of the data elements individually, determining a digital certificate validity status for each certificate in a set of digital certificates, generating a plurality of artificially pre-computed messages about the validity status of at least a subset of the set of digital certificates, and digitally signing the artificially pre-computed messages together using signing keys from the key pairs. Determining the digital certificate validity status may include obtaining authenticated information about the digital certificates. The authenticated information about the digital certificates may be generated by the entity that revokes certificates. The authenticated information about the digital certificates may be a CRL. The artificially pre-computed responses may be OCSP format responses. Generating a plurality of artificially pre-computed responses includes generating responses for at least all non-revoked digital certificates in the set of digital certificates. Providing information about digital certificate validity may also include, after digitally signing the artificially pre-computed messages, forwarding the results to a plurality of responders that service requests by relying parties inquiring about the validity status of digital certificates in the set of digital certificates. Generating the plurality of artificially pre-computed responses and digitally signing the artificially pre-computed responses may be performed periodically. The artificially pre-computed responses may include time information corresponding to when the artificially pre-computed responses were generated. Providing information about digital certificate validity may include authenticating the verification keys. Authenticating the verification keys includes providing the verification keys in a single digital certificate. Authenticating the verification keys may include providing each verification key in a separate digital certificate.
According to the present invention, computer software, stored on a computer-readable medium, that provides information about digital certificate validity includes executable code that obtains a plurality of signing key/verification key pairs, where each signing key provides a digital signature and the corresponding verification key verifies that digital signature, and where digitally signing a plurality of data elements together using the signing keys is computationally more efficient than digitally signing each of the data elements individually, executable code that determines a digital certificate validity status for each certificate in a set of digital certificates, executable code that generates a plurality of artificially pre-computed messages about the validity status of at least a subset of the set of digital certificates, and executable code that digitally signs the artificially pre-computed messages together using signing keys from the key pairs. The executable code that determines the digital certificate validity status may include executable code that obtains authenticated information about the digital certificates. The authenticated information about the digital certificates may be generated by the entity that revokes certificates. The authenticated information about the digital certificates may be a CRL. The artificially pre-computed responses may be OCSP format responses. The executable code that generates the plurality of artificially pre-computed responses includes executable code that generates responses for at least all non-revoked digital certificates in the set of digital certificates. The computer software may include executable code that authenticates the verification keys. The executable code that authenticates the verification keys may provide the verification keys in a single digital certificate or provide each verification key in a separate digital certificate.
According to the present invention, facilitating a transaction between a first party and a second party includes, prior to initiating the transaction, one of the parties obtaining an artificially pre-computed OCSP response about a specific digital certificate, where the artificially pre-computed OCSP response is generated by an entity other than the first party and the second party, one of the parties initiating the transaction, in connection with the transaction, the first party providing the specific digital certificate to the second party, and the second party verifying the specific digital certificate using the artificially pre-computed OCSP response. The second party may obtain the artificially pre-computed OCSP response before the transaction is initiated. The second party may cache the artificially pre-computed OCSP response for future transactions. The first party may obtain the artificially pre-computed OCSP response before the transaction is initiated. The first party may cache the artificially pre-computed OCSP response for future transactions. Facilitating a transaction between a first party and a second party may also include, after the transaction is initiated, the first party providing the artificially pre-computed OCSP response to the second party.
According to the present invention, determining the validity of a digital certificate includes examining a digitally signed message about the validity of the digital certificate, where the message is digitally signed by a particular entity other than the entity that issued the digital certificate, and verifying the digitally signed message using information from at least one of: the digital certificate and a certificate authenticating the entity that issued the digital certificate. The information may be a public key corresponding to the secret key used to digitally sign the message. The information may correspond to a special digital certificate authenticating the particular entity that digitally signed the message.
According to the present invention, determining a digital certificate validity status for each certificate in a set of digital certificates includes periodically generating a plurality of digitally signed artificially pre-computed messages about the validity status of at least a subset of the set of digital certificates, and periodically forwarding the digitally signed artificially pre-computed messages to a plurality of responders that service requests by relying parties inquiring about the validity status of digital certificates in the set of digital certificates, where messages about some certificates are forwarded at a different frequency than messages about other certificates. Messages about revoked certificates may be forwarded less frequently than messages about valid certificates.
According to the present invention, computer software, stored in a computer-readable medium, that determines the validity of a digital certificate includes executable code that examines a digitally signed message about the validity of the digital certificate, where the message is digitally signed by a particular entity other than the entity that issued the digital certificate, and executable code that verifies the digitally signed message using information from at least one of: the digital certificate and a certificate authenticating the entity that issued the digital certificate. The information may be a public key corresponding to the secret key used to digitally sign the message. The information may correspond to a special digital certificate authenticating the particular entity that digitally signed the message.
According to the present invention, computer software, stored in a computer-readable medium, that provides information about digital certificate validity includes executable code that determines the validity status of each certificate in a set of digital certificates, executable code that periodically generates a plurality of digitally signed, artificially pre-computed messages about the validity status of at least a subset of the set of digital certificates, and executable code that periodically forwards the digitally signed, artificially pre-computed messages to a plurality of responders that serve requests from relying parties inquiring about the validity status of digital certificates in the set, where messages about some certificates are forwarded at a different frequency than messages about other certificates. Messages about revoked certificates may be forwarded less frequently than messages about valid certificates.
The system described here is a cost-effective, secure, scalable, and overall efficient validation system that greatly improves on traditional approaches. Even while remaining compatible with the OCSP standard, the system described here has clear advantages over traditional OCSP, providing qualitatively superior security and scalability.
The system described here is a general, stand-alone system that works independently of traditional OCSP. In some embodiments, however, the system can be OCSP compliant: each proof of validity according to the system described here is constructed as a syntactically correct, digitally signed OCSP response, so that a relying party can request and then verify certificate validity information according to the OCSP format. Digital signatures are computationally intensive operations, but the system described here concentrates this difficulty on a single dedicated server or, in other embodiments, on a small number of dedicated servers. It is therefore easy and relatively inexpensive to equip the single dedicated server (or small number of servers) with enough computing power to handle all the digital signatures needed at each update. The responders used in the system described here only need to perform ordinary fetch-and-forward operations, and can therefore serve incoming relying-party queries faster than traditional OCSP responders, which must perform complex digital signatures.
Because the responders used in the system described here can run on ordinary hardware and need not be protected, they are relatively inexpensive to buy and operate. A relatively large number of responders can therefore be deployed at relatively low cost. Even if a large number of certificate validity status requests arrive in a short period, the load can be spread across many responders, eliminating the risk of congestion and benign denial of service without incurring much cost. Note that the number of digital signatures used by the system described here depends on the number of certificates and is relatively independent of the number of validity status requests. Thus, even if a considerable number of validity requests is expected, a single server can be used to provide the digitally signed responses.
In the system described here, only the single dedicated server (or small number of dedicated servers) and the CA (if different from the single dedicated server) need to be protected/placed in a vault. In fact, the responders of the system described here do not store any secret keys: they store only the digital signatures of the pre-computed responses provided to them, which, once computed, cannot be maliciously modified and therefore need not be kept secret. By contrast, all traditional OCSP responders need protection, because each traditional OCSP responder holds a secret signing key, and the compromise of any one of them compromises the entire system. The system described here is therefore more secure than OCSP, because protecting one site (or a small number of sites) is preferable to, and easier than, protecting many equally important sites.
In addition, unlike in the OCSP case, a relying party cannot easily mount a software attack in the system described here. Even if a relying party successfully embeds some type of Trojan horse in its query, it cannot expose any secret, because the responders of the system described here do not hold any secrets: a responder only stores and returns the pre-computed digital signatures provided to it. Thus, all a malicious relying party can hope to expose is the full, accurate, and digitally signed account of which certificates are valid and which are revoked in a given time interval. This is not only not secret information; it is in fact information that the CA wants to be widely known, to prevent relying parties from incorrectly relying on revoked certificates issued by the CA.
In addition, note that a software attack cannot easily be mounted against the single dedicated server (or small number of dedicated servers) that digitally signs the pre-computed responses. In some embodiments, the single dedicated server (or small number of dedicated servers) does not process requests from untrusted sources, but only receives information from the CA and provides digitally signed information to the responders. Therefore, it is not possible to inject a Trojan horse into the system described here.
In addition to these advantages, the system described here also allows great flexibility in heterogeneous deployments involving multiple organizations. Artificially pre-computed responses of one organization can be forwarded to a responder of another organization without delegating any trust to the other organization. A first organization can have the responders of another organization provide convincing proofs of validity for the first organization without giving up any amount of control over the validity status of the first organization's certificates. That is, in the system described here, trust can flow from one organization to another without any loss of security or control. In some embodiments, responders can be treated as transparent network infrastructure rather than as hardened points of trust. This is similar to the service cloud provided by the Internet's DNS infrastructure, in that it allows a heterogeneous collection of name servers that transparently interoperate to discover and cache valid responses to queries.
Secure heterogeneity is a major advantage of the system described here over traditional OCSP. Secure heterogeneity allows various organizations to interoperate, so that relying parties from different organizations can cross-validate certificates from other organizations in a secure, reliable, and efficient manner.
The system described here concentrates all validation trust in a single authority (or a small number of authorities), while distributing the query load across any number of unprotected responders. The system described here does not reduce security, even in distributed implementations that rely on a considerable number of unprotected responders. The system described here improves query response time. The system described here does not delegate trust to foreign responders in heterogeneous environments.
Description of the drawings
Fig. 1 shows a prior art system that provides OCSP responses to relying parties.
Fig. 2 shows a prior art system that provides OCSP responses in a heterogeneous environment.
Fig. 3 shows an RTC system according to an embodiment of the system described here.
Fig. 4 is a flow chart of initializing an RTCA according to an embodiment of the system described here.
Fig. 5 is a flow chart of communication between a CA and an RTCA according to an embodiment of the system described here.
Fig. 6 is a flow chart of pushing data from an RTCA to RTC responders according to an embodiment of the system described here.
Fig. 7 is a flow chart of an RTC responder obtaining data from an RTCA according to an embodiment of the system described here.
Fig. 8 is a flow chart of an RTC responder providing information to a relying party according to an embodiment of the system described here.
Fig. 9 is a flow chart of an RTC responder obtaining validity information according to an embodiment of the system described here.
Fig. 10 is a flow chart of an RTC responder obtaining validity information according to another embodiment of the system described here.
Fig. 11 is a flow chart of the steps performed in facilitating a transaction between two parties according to an embodiment of the system described here.
Fig. 12 is a schematic diagram of a digital certificate according to an embodiment of the system described here.
Fig. 13 is a schematic diagram of the data flow between a CA, an RTCA, an RTC responder, and a relying party according to an embodiment of the system described here.
Fig. 14 is a schematic diagram of the data flow between the CA, RTCA, RTC responder, and relying party of a first system and the CA, RTCA, RTC responder, and relying party of a second system, according to an embodiment of the system described here.
Fig. 15 is a schematic diagram of a heterogeneous cloud of RTC responders according to an embodiment of the system described here.
Fig. 16 is a flow chart of an optimization according to an embodiment of the system described here.
Fig. 17 is a schematic diagram of an authorization authority according to an embodiment of the system described here.
Fig. 18 is a schematic diagram of the data flow between a CA, an SERTCA, an RTC responder, and a relying party according to an embodiment of the system described here.
Fig. 19 is a flow chart of providing information to an RTCA/SERTCA/OCSP responder for batch OCSP processing according to an embodiment of the system described here.
Fig. 20 is a flow chart of providing information to an RTC responder for batch OCSP processing according to an embodiment of the system described here.
Detailed description
The system described here uses real time credentials (RTC), also called distributed OCSP (DOCSP), and uses an entity called an RTC authority (RTCA). The RTCA may or may not coincide with the CA of a given enterprise. In some embodiments, each CA provides its own RTCA with a special certificate, the RTCA certificate. The CA may digitally sign the RTCA certificate to indicate that the CA trusts and authorizes the RTCA to provide validity information about certificates issued by the CA. The RTCA certificate may convey RTCA status to a given entity (e.g., an entity identified by a given identifier, OID number, etc.) and may bind a particular verification key PK to that entity (which holds the corresponding secret signing key).
Where the CA and the RTCA coincide, it is advantageous for the RTCA to have a signing key different from the CA's. Thus, if the CA and the RTCA are the same entity, the CA part of the entity in effect only issues certificates, and the RTCA part of the entity only manages certificates by proving that a particular certificate is valid or revoked. Therefore, an RTCA certificate can still be used even when the CA and the RTCA coincide.
In some embodiments, each CA is associated with a single RTCA. In other embodiments, each CA may be associated with more than one RTCA, where each RTCA has a different signing key or some or all of the RTCAs share a signing key. Associating multiple RTCAs with a CA is advantageous for redundancy purposes. In other embodiments, one or more RTCAs are associated with multiple CAs.
Just as a CA protects its signing key, the RTCA protects its signing key, for example by means of a vault, a secure facility, or secure hardware. In some embodiments, the RTCA may be housed in a protected facility that includes more than one server holding the secret signing key. The facility may securely store copies of the secret signing key. The RTCA may include more than one server, each having a secret signing key properly certified by the CA.
The CA may keep the RTCA informed of the validity status of the CA's certificates, for example by using CRLs or any other mechanism. The CA may (1) notify the RTCA online of any change in certificate validity as soon as the change occurs; and/or (2) send CRLs to the RTCA at fixed time intervals and/or whenever the CA produces a new CRL. The CA may use any one or more (alone or in combination) of a number of techniques for providing individual certificate status information. See, for example, U.S. Patents 5,420,927; 5,604,804; 5,610,982; 6,097,811; 6,301,659; 5,793,868; 5,717,758; 5,717,757; 6,487,658; and 5,717,759, all of which are incorporated herein by reference. The system described here may use one or more of the techniques disclosed in these patents, possibly in combination with one or more other appropriate techniques. Techniques that may be used, alone or in combination, include full CRLs, partitioned CRLs, delta CRLs, OCSP responses (individually or in groups), mini CRLs (bit-wise compressed CRLs), VTokens (one-way hash chains), and various Merkle tree or other tree forms.
On any date Di of a sequence of dates D1, D2, ..., the RTCA, based on its current knowledge of validity status (e.g., based on the CA's latest CRL) and independently of any relying-party request, may perform an update by processing each outstanding certificate of the CA and digitally signing a statement declaring the status of each certificate. For example, the status of each certificate may be deemed valid, revoked, or suspended (and possibly "unknown"). The signed statement may specify a time interval T. In some embodiments, every signed statement at each update specifies the same time interval T, and in some embodiments all the time intervals are contiguous. For example, at each update date Di, the time interval may be T = Di+1 - Di, where possibly only one of Di and Di+1 is part of T, while the other date is part of an adjacent time interval. In some embodiments, if the RTCA's current knowledge of certificate status is based on CRLs, each Di may coincide with the date of one CRL and Di+1 with the date of the next CRL, and so on. It will be appreciated that such strict time dependency is not required. For example, the dates on which the RTCA processes, or starts processing, its statements may be D1, D2, etc., while the time intervals specified in the statements may be D1', D2', etc., where Di and Di' may be different and/or independent. For example, Di may be earlier than Di', in which case the RTCA may start processing a statement before the statement's time interval begins, for example because the RTCA wants to finish its processing before interval T begins.
In some embodiments, if CRLs are used to update the RTCA from the CA, the statement times may also differ from the CRL times. The possible lack of synchronization among processing times, CRL times, and statement times is not crucial to the system described here. In practice, "real time" is an abstraction, because some additional time is needed to notice an event and react to it appropriately. First, note that although CRLs drive the RTCA process, the CRLs may not be produced in real time. In addition, the process of revoking a certificate may not be real-time either. For example, a user may realize that its secret key has been compromised, and thus request revocation of its own certificate, only one day after the compromise actually occurred. The revocation of the user's certificate then carries a one-day delay, compared with which the deviation from real time caused by the RTCA computation is negligible.
The RTCA pre-computes a digital signature indicating the status of each certificate for a given time interval T. Such pre-computation may be performed independently of any request from any party about certificate validity. In some embodiments, the RTCA pre-computes a signed statement of the status of a certificate C in a given time interval before any status query about C is made, and possibly even before the time interval begins.
In some embodiments, the RTCA-signed certificate status statements may be in standard OCSP format. This is useful where OCSP software is already in place, so that the RTC system can be used conveniently without modifying any existing relying-party OCSP software. In some embodiments, OCSP compliance may be achieved by specially choosing the relevant quantities, digital signature algorithms, OIDs, etc.
In many cases, the RTCA needs to produce a response for every issued certificate, rather than only for revoked certificates. To determine the existence of each issued certificate serial number, the RTCA may be given a copy of each certificate by the CA or another entity for internal tracking, or the RTCA may be given the issued serial numbers through another mechanism that does not involve transmitting each certificate. In some embodiments, issued-certificate information need not be provided explicitly to the RTCA in the special case where certificate serial numbers are issued in sequential order. When sequential serial numbers are used, the RTCA may choose to infer the existence of each certificate serial number using only the current CRL. This can be done by determining the lowest and highest serial numbers in the CRL. Any intermediate number in the range between the lowest and highest serial numbers has been issued by the CA. If a number in the range appears in the CRL, its status is known to be revoked. If an intermediate number in the range does not appear, it can be determined that the corresponding certificate has not been revoked, which is defined as "valid" in the OCSP standard.
The above technique handles most issued certificates, although a small number of issued certificates may still have serial numbers lower than the lowest CRL entry or higher than the highest CRL entry. The RTCA can include these additional serial numbers through configurable parameters that assume a fixed number of valid serial numbers before the first entry and after the last entry in the CRL. For example, the RTCA may specify that 100 serial numbers before the lowest CRL entry and 500 serial numbers after the highest CRL entry represent valid certificates. This optimization allows the RTCA to retrieve one data element (the CRL) rather than a large number of data elements (every certificate). Where certificates are issued with sequential serial numbers from low to high, the larger number used at the high end can accommodate newly issued certificates. In other embodiments, the lowest and highest serial numbers of issued certificates may be provided explicitly to the RTCA, and in some embodiments this information may be digitally signed.
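The range inference described in the two paragraphs above, as an added Go example that is not part of the patent text: it derives a status for every serial number from the lowest and highest CRL entries plus the configurable padding. The function name, the status strings and the sample CRL entries are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// InferStatuses lists every serial number the CA is assumed to have issued
// and its status, using only the revoked serials in the current CRL.
// padBelow and padAbove are the configurable counts of serials assumed valid
// before the lowest and after the highest CRL entry (100 and 500 in the text).
func InferStatuses(crlRevoked []uint64, padBelow, padAbove uint64) (map[uint64]string, error) {
	if len(crlRevoked) == 0 {
		return nil, errors.New("empty CRL: no lowest or highest serial to infer a range from")
	}
	lo, hi := crlRevoked[0], crlRevoked[0]
	revoked := make(map[uint64]bool, len(crlRevoked))
	for _, s := range crlRevoked {
		revoked[s] = true
		if s < lo {
			lo = s
		}
		if s > hi {
			hi = s
		}
	}
	// Clamp the lower bound at serial 1 instead of wrapping below zero.
	start := lo
	if padBelow < lo {
		start = lo - padBelow
	} else if lo > 0 {
		start = 1
	}
	// Refuse padding that would wrap past the largest representable serial.
	if hi >= math.MaxUint64-padAbove {
		return nil, errors.New("padAbove overflows the serial number range")
	}
	end := hi + padAbove
	statuses := make(map[uint64]string, end-start+1)
	for s := start; s <= end; s++ {
		if revoked[s] {
			statuses[s] = "revoked" // listed in the CRL
		} else {
			statuses[s] = "valid" // in range (or padding) and not listed
		}
	}
	return statuses, nil
}

func main() {
	crl := []uint64{1003, 1010, 1007} // constructed sample CRL entries
	statuses, err := InferStatuses(crl, 2, 3)
	if err != nil {
		panic(err)
	}
	for s := uint64(1001); s <= 1013; s++ {
		fmt.Println(s, statuses[s])
	}
}
```

Serial numbers in the padding that the CA has not issued yet still receive a "valid" entry, so padAbove bounds how many not-yet-issued serial numbers the RTCA would sign statements for.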
Note that syntactically correct, pre-computed OCSP responses may technically be regarded as not being OCSP responses, because they are not computed in response to any original/initial request. In effect, the RTCA pre-computes OCSP-compliant responses to OCSP requests that have not yet been generated and may never be generated. The RTCA responses can therefore be regarded as artificially pre-computed responses. The term artificially pre-computed response may also be used to denote any digitally signed RTCA statement, even in cases that are not OCSP compliant.
After generating the artificially pre-computed responses, the RTCA may make the responses available to other parties. In particular, the RTCA may return a response to a relying party in response to a validity status query. In other embodiments, however, the RTCA may make the artificially pre-computed responses available to RTC responders. RTC responders need not be protected, because in practice RTCA-signed messages (artificially pre-computed responses) cannot be fraudulently modified or tampered with in an undetectable way. The RTCA can therefore send artificially pre-computed responses to foreign responders (responders belonging to other organizations) without jeopardizing security.
In some embodiments, the RTCA may facilitate the processing performed by the RTC responders by presenting the artificially pre-computed responses to them in a suitably organized manner. For example, the RTCA may present the artificially pre-computed responses ordered by certificate serial number, by length, etc. To ensure that all relevant artificially pre-computed responses have been received, at each update the RTCA may provide the RTC responders with an additional signature, obtained by signing and dating the totality of the artificially pre-computed responses. In some embodiments, a count of the number of artificially pre-computed responses, or a similar mechanism, may be used, with or without a digital signature.
In addition, the RTCA may send the RTC responders the RTCA certificate produced by the CA, which proves that the CA trusts and authorizes the RTCA to provide validity information about certificates issued by the CA. In some embodiments, this transmission need not be performed at every update. In some cases, the RTCA sends the RTCA certificate to the RTC responders only at the start, at some fixed period, or on request.
An RTC responder may store the received RTCA artificially pre-computed responses for a sufficiently long time. In some embodiments, if the RTCA's signature relates to a given time interval T, the RTC responder may store the artificially pre-computed responses at least until the end of T. In some embodiments, at least some RTC responders, such as those belonging to the same organization as the RTCA, may periodically take steps to ensure that the information is correct and up to date. For example, an RTC responder may verify that the artificially pre-computed responses about time interval T were received before the start of T or at another appropriate time relative to T; verify all received RTCA signatures (and possibly the appropriate RTCA certificate); verify whether the RTC responder has received all signatures (e.g., no fewer than the expected number of signatures, or no fewer signatures than at the last transmission for certificates already issued); verify whether the RTC responder has received information indicating validity for a certificate previously declared revoked; verify whether the RTCA certificate itself has been revoked (e.g., because of a security compromise); and so on. If any problem is detected, the RTC responder may notify the RTCA or another appropriate entity.
A relying party may ask an RTC responder for the validity status of a certificate. In some embodiments, the request is in OCSP format. When queried about the validity of a particular certificate, the RTC responder may fetch from memory the artificially pre-computed response that the RTCA generated for that certificate and return it to the relying party. In some embodiments, the RTC responder may also forward the RTCA certificate of the RTCA that signed the artificially pre-computed response. In some embodiments, the relying party may signal that it is not interested in receiving the RTCA certificate (for example, because the relying party already has a copy), or the RTC responder may know or assume that the relying party already has a copy of the certificate. The relying party may process the received response to determine the validity status of the certificate of interest. In some embodiments, if the artificially pre-computed response is in OCSP format, the relying party may use OCSP software for such processing. In some embodiments, the relying party may verify the appropriate RTCA certificate. In the OCSP-compliant case, the relying party may verify the RTCA certificate as an OCSP responder certificate. In some embodiments, the RTCA certificate may be syntactically constructed as an OCSP responder certificate.
Various optimizations can be performed. For example, suppose that U is a party with a certificate Cu. As part of a transaction with a party V, U may send Cu to V (unless V already has Cu) and possibly perform other tasks (such as exhibiting a digital signature relative to the public verification key certified in Cu as belonging to U, or being identified by V by decrypting a random challenge encrypted with the public encryption key certified in Cu as belonging to U). To secure the transaction, V may ascertain the current validity of Cu by making a validity query to an RTC responder. The responder may answer the query by fetching and returning the most recent RTCA-signed statement (artificially pre-computed response) about Cu. However, querying an RTC responder adds a third party to what is otherwise a two-party transaction, which increases the time and complexity of the transaction.
One solution is for party U to receive, at the start of each time interval T or at least during each T, an RTCA-signed statement Du (an artificially pre-computed response) showing that Cu is valid throughout T. U may receive Du in response to a request to an RTC responder (for example, by making an ordinary relying-party request). Alternatively, Du may be pushed to U, and possibly to other parties, for example at each update and/or on an automatic basis by an RTC responder or the RTCA. In any case, when transacting with V during interval T, U may forward Du to V in addition to all the other steps or tasks the transaction requires. The U-V transaction can thus be sped up considerably, because V does not need to contact any third party (such as an RTC responder) to ascertain the current validity of U's certificate.
Note that the U-V transaction is sped up even though the overall time, which includes U obtaining Du, is not. Note also, however, that speeding up only the U-V transaction without saving overall time is still useful and efficient. For example, if RTCA statements (artificially pre-computed responses) are computed at midnight and specify a whole day as the time interval, U can obtain Du early in the morning (when transactions are relatively few) and then forward Du to V during a time-sensitive U-V transaction, at a time when transactions are numerous and saving time is therefore beneficial. Note also that, after obtaining and caching Du, further efficiency can be gained by having U forward Du when transacting with other parties throughout the day. In this way, for example, a single relying-party query (U's own query, possibly made at a relatively quiet time) can successfully replace a large number of relying-party requests (possibly at busier times).
The above optimization can also be performed by party V. After obtaining Du from an RTC responder in answer to a query about the validity of party U's certificate Cu, V may give Du to U, or make Du available to other parties.
Note that the optimizations discussed here apply to OCSP-compliant embodiments of the system described here. Note also that similar optimizations may be applied to traditional OCSP implementations. In such an implementation, a user requests and obtains an OCSP response about its own certificate and then forwards this OCSP response, within the appropriate time interval, to the other parties of its transactions as part of those transactions. Alternatively, when a relying party first asks about the validity of party U's certificate Cu, the OCSP responder may compute a response Ru, return Ru to the querying relying party, and also forward Ru to U, so that U can cache Ru, at least temporarily (until the next update), and forward Ru as part of transactions based on Cu.
In some embodiments, the system described here may be implemented using data found in each certificate, thereby saving additional certificates and/or response length. As described above, the CA may issue an RTCA certificate that authorizes a particular RTCA to provide authoritative answers about the validity of certificates issued by the CA. Such an RTCA certificate may specify the public key to be used for verifying RTCA-signed responses (artificially pre-computed responses). In some embodiments, however, the CA may embed the RTCA public key in the certificates the CA issues, or this information may be embedded in the CA certificate itself. That is, the CA may include in a certificate Cu (with appropriate format, OID, etc.) a public key PK that can be used to verify digitally signed responses about the validity of Cu. For these embodiments, a relying party need not receive a separate RTCA certificate. When asking an RTC responder for the latest proof of the validity of Cu, the relying party may obtain only (e.g., because that is all it asks for) the RTCA-signed response (artificially pre-computed response). In effect, Cu may specify the public verification key that a relying party can use to verify a proof of the validity of Cu. In other embodiments, the entire RTCA certificate (or a pointer to it) may be embedded in the user certificate and/or the CA certificate. These embodiments can yield significant savings in transmission (because RTC responders need not send separate RTCA certificates, which may be much longer than RTCA responses) and in storage (because relying parties need not store RTCA certificates along with RTCA responses).
Similarly, a certificate Cu may specify its own time intervals. For these embodiments, an RTCA response need not specify both the beginning and the end of interval T. In some embodiments, the beginning of T alone (or another simpler convention) may suffice to specify T. For example, if Cu specifies daily updates, then any time within a given day suffices to specify the whole day to which a response refers. Alternatively, if it is understood (e.g., from the CA's general policy) that certificates have validity intervals consisting of whole days, then such information need not be indicated in the certificate, and the savings in RTCA responses still apply.
Note that while an RTCA proof of validity or suspension for a particular certificate C may specify the time interval to which the proof refers, a proof of revocation need not specify any time interval. Rather, for such a proof it is usually enough to specify a single point in time (such as the revocation time), because, unlike validity and suspension, revocation is normally an irrevocable process. Thus, the revocation time rt alone may suffice for proving that a certificate is revoked. Note that rt need not be the beginning of any time interval T, but may refer to any time. Therefore, where a certificate C is permanently revoked, the RTCA need not send a proof of C's revocation at every update date (D1, D2, etc.). Instead, the proof of revocation may be sent only once (or a few times for redundancy), cached by the RTC responders, and returned to a relying party whenever the relying party makes a query about C.
It shall yet further be noted that RTCA can be notified immediately: certificate C is abolished.For example, the information that C has been abolished can be transmitted in the middle of time interval T, and the RTCA validity that produced and transmitted C proves the transponder to RTC at that time.In this case, before next renewal, will, C not prove for calculating validity.Yet, (promptly finishing) till that time up to T, incorrect but surperficial validity proof effective, C is preserved by the RTC transponder.Possible countermeasure comprises that making the proof of cancelling have precedence over validity proves.In this case, not only seen that C proved in the validity proof of interval T sometime but also the calcellation of seeing C that the honesty dependence side of (t at any time) should regard C as and abolishes (after time t).
Under some situation, some dependence side sees the proof of cancelling never, even thereby C abolished, C can be regarded as still effective by these sides of dependenceing, till the T end.As long as RTCA is known C and is abolished (as directly knowing from CA; Need not wait for that CRL upgrades next time), such problem can be able to alleviate (being independent of predetermined date D1, D2 etc. or D1 ', D2 ' etc.) through making RTCA calculate the abolishment proof of C and send to all RTC transponders.Afterwards, all suitable RTC transponders that move can be deleted any validity proof of C and prove alternative with the new abolishment that receives from memory.In this case, the RTC transponder more possibly provide the accurate proof about the validity of C to dependence side.
Referring to Fig. 3, a diagram 80 shows an architecture for implementing the system described herein. A CA 82 is coupled to an RTCA 84 and provides validation information (e.g., CRLs) to it. The RTCA 84 is coupled to a plurality of RTC responders 86-88, which receive artificially pre-computed responses from the RTCA. As discussed elsewhere herein, each of the CA 82 and the RTCA 84 uses a secret signing key. In certain embodiments, the CA 82 and the RTCA 84 can be the same entity, as illustrated by a box 85.
The RTCA 84 provides the artificially pre-computed responses to the RTC responders 86-88. As discussed elsewhere herein, the RTC responders do not need secret signing keys of their own and do not need to be protected, because any information provided to a relying party by one of the RTC responders 86-88 is digitally signed by the RTCA 84 and is public information.
In other embodiments, more than one RTCA can be used, as illustrated by an RTCA 92 and an RTCA 94, which represent a plurality of additional RTCAs. Each additional RTCA 92, 94 can be coupled to the responders 86-88 served by the RTCA 84. Alternatively, one or more of the additional RTCAs 92, 94 can be coupled to a different plurality of responders 96-98.
Referring to Fig. 4, a flow chart 100 shows steps performed by the CA when initializing an RTCA. The steps of the flow chart 100 can be performed when a new RTCA is added to the system, or when an existing RTCA is issued a new certificate, either because the old RTCA certificate has expired or because the RTCA's key has been compromised.
Processing begins at a first step 102, where the CA verifies the RTCA. Verifying the RTCA at step 102 depends on the topology and security requirements of the system, and may require an administrator to physically inspect the RTCA and verify that it is in place and secure. Of course, other suitable processing can be performed at step 102 to verify that the RTCA is secure. Following step 102 is a step 104, where the CA generates keys for the RTCA. At step 104, the CA generates both a secret key and a public key for the RTCA.
Following step 104 is a step 106, where the CA generates a certificate for the RTCA based on the keys generated at step 104. The certificate generated at step 106 is the RTCA certificate. Following step 106 is a step 108, where the secret key is provided to the RTCA. In certain embodiments, for security purposes, it is useful to provide the secret key to the RTCA in an offline manner (e.g., a user writes the secret key on a piece of paper and later enters it at the RTCA).
Following step 108 is a step 112, where the certificate generated at step 106 is provided to the RTCA. At step 112, the certificate may be provided to the RTCA in an online (even insecure) manner, because the RTCA certificate will be made public and cannot be tampered with without knowledge of the CA's secret key (which is usually different from the secret key generated at step 104). Following step 112 is a step 114, where initial certificate data about the certificates managed by the CA is provided from the CA to the RTCA. The initial data provided at step 114 can include an initial CRL. In addition, as discussed elsewhere herein, the initial data provided at step 114 can also include information about valid, unexpired certificates, so that the RTCA can provide appropriate responses for valid, unexpired certificates. After step 114, processing is complete.
In certain embodiments, step 104 is performed by the RTCA, so that the RTCA is the only entity with knowledge of the secret key. In this case, the RTCA presents the corresponding public key to the CA (in an online or offline manner) so that the CA can generate the certificate at step 106. Of course, in such a case, step 108, described above, need not be performed. This is illustrated by an alternative flow path 116 from step 106 to step 112 in the flow chart 100.
It should be noted that the steps of the flow chart 100 can be performed even where the CA and the RTCA are the same entity. Of course, in such a case, verifying the RTCA at step 102 is trivial. In addition, for embodiments where the RTCA/CA uses the same public and secret key pair for both CA operations and RTCA operations, steps 104, 106, 108 and 112 need not be performed, because the RTCA certificate will simply be the certificate of the CA. However, where it is useful for the RTCA certificate to have a format different from the CA certificate format (e.g., an OCSP responder certificate format), step 106 can be performed to generate a certificate in the different format for the RTCA certificate.
Referring to Fig. 5, a flow chart 120 shows steps performed when certificate validity data is periodically transferred from the CA to the RTCA. The steps of the flow chart 120 can be performed periodically, or can be performed in response to a specific request from the RTCA. Processing begins at a first test step 122, which determines whether any certificates have been revoked recently (i.e., since the last iteration). If so, control passes from the test step 122 to a step 124, where the revocation information is sent to the responder. As discussed elsewhere herein, in certain embodiments, revocation information is sent from the CA to the RTCA immediately (as close to immediately as possible). In certain embodiments, the revocation information sent from the CA to the RTCA at step 124 is digitally signed or otherwise authenticated.
Following step 124, or following the test step 122 if no certificates have been revoked recently, is a test step 126, which determines whether the current time corresponds to a new time interval for updating the certificate information. As discussed elsewhere herein, in certain embodiments, the CA pushes new validation information to the RTCA at periodic intervals. Thus, if it is determined at the test step 126 that the current time does not correspond to a new interval, control passes from the test step 126 back to step 122, described above. Otherwise, if the current time corresponds to a new interval, control passes from the test step 126 to a step 128, where new validation information is generated by the CA, which, in certain embodiments, includes digitally signing or otherwise authenticating the information. As discussed elsewhere herein, the new validation information can take any of a variety of forms, including a CRL.
Following step 128 is a step 132, where the new validation information generated at step 128 is provided to the RTCA. Following step 132 is a test step 134, which determines whether the RTCA has acknowledged receipt of the information sent at step 132. If not, control passes from step 134 to a step 136, where error processing is performed. The error processing performed at step 136 can include notifying a system administrator. It should be noted that determining at step 134 whether the RTCA has received the new information is useful because a malicious attacker could disable the RTCA as a means of preventing information about recently revoked certificates from being propagated. After step 136, processing is complete.
If it is determined at the test step 134 that the RTCA has acknowledged receipt of the information sent at step 132, control passes from step 134 back to step 122 to process the next iteration. In certain embodiments, data is provided periodically from the CA to the RTCA regardless of whether the RTCA acknowledges receipt of the data. This is illustrated by an alternative path 137.
In certain embodiments, the steps of the flow chart 120 are not performed periodically, but are performed only in response to a specific request for data from the RTCA. This is illustrated by an alternative path 138, which passes control directly to step 128 from step 122 or step 124. It should also be noted that an alternative path 142 corresponds to receipt of the acknowledgement at step 134. Thus, in embodiments where the steps of the flow chart 120 are not performed periodically, when it is determined at the test step 134 that the RTCA has acknowledged receipt of the information sent at step 132, the path 142 indicates that processing is complete. Of course, there are also embodiments where the RTCA does not acknowledge receipt of information from the CA. This is illustrated by an alternative path 144.
Referring to Fig. 6, a flow chart 150 shows processing performed by the RTCA in embodiments where data is periodically pushed from the RTCA to the RTC responders. Processing begins at a first step 152, where the RTCA determines whether new data has been received since the previous push. If not, control passes back to step 152 to continue looping and polling until new data is received. Once it is determined at the test step 152 that new data has been received, control passes from step 152 to a step 154, where the data is passed from the RTCA to the RTC responders. After step 154, control passes back to step 152 to continue polling for new data.
Referring to Fig. 7, a flow chart 160 shows steps performed by the RTCA in embodiments where data is provided from the RTCA to an RTC responder in response to a request from the RTC responder. As discussed elsewhere herein, the RTC responder itself can periodically request data from the RTCA, rather than relying on data being periodically and automatically pushed from the RTCA to the RTC responder.
Processing begins at a first step 162, where the RTCA receives a query (a request for data) from an RTC responder. Following step 162 is a test step 164, which determines whether the RTC responder has requested the RTCA certificate. As discussed elsewhere herein, the RTCA certificate is used to show that the CA trusts and authorizes the RTCA to provide validation information. In certain embodiments, each RTC responder can cache the RTCA certificate (to be provided to relying parties on request and/or as needed), in which case the RTCA certificate need only be requested once. In other embodiments, the RTC responder can request the RTCA certificate periodically or, in some cases, always request the RTCA certificate.
If it is determined at the test step 164 that the RTC responder has requested the RTCA certificate, control passes from the test step 164 to a step 166, where the RTCA provides the RTCA certificate to the RTC responder. Following step 166, or following the test step 164 if the RTC responder has not requested the RTCA certificate, is a test step 168, which determines whether other information (i.e., artificially pre-computed responses) has been requested. If not, processing is complete. Otherwise, control passes from the test step 168 to a test step 172, which determines whether the other information is available at the RTCA. In some cases, the other information requested by the RTC responder is not available at the RTCA. For example, if the RTC responder requests information about a foreign certificate, an artificially pre-computed response may not be available at the RTCA.
If it is determined at the test step 172 that the requested information is not available, control passes from the test step 172 to a step 174, where the RTCA provides the RTC responder with data indicating that the requested information is not available. After step 174, processing is complete. If it is determined at the test step 172 that the other requested information is available, control passes from the test step 172 to a step 176, where the requested information is provided to the RTC responder by the RTCA. After step 176, processing is complete.
Referring to Fig. 8, a flow chart 190 shows steps performed by an RTC responder upon receiving from a relying party a request for an artificially pre-computed response (OCSP response). Processing begins at a first step 192, where the request is received. Following step 192 is a step 194, where the RTC responder obtains the RTCA data appropriate for the request. Obtaining the RTCA data at step 194 is described in more detail elsewhere herein. Following step 194 is a test step 196, which determines whether the requested data was obtained. If not, control passes from the test step 196 to a step 198, where the RTC responder provides the relying party with a response indicating that the status of the particular certificate is unknown. After step 198, processing is complete.
If it is determined at the test step 196 that up-to-date validity data is available for the certificate of interest, control passes from the test step 196 to a step 202, where checks are performed on the data. As discussed elsewhere herein, the checks performed at step 202 can include any one or more of the following: determining that the data is current, determining that the RTCA certificate has not been tampered with and is still valid, and any one or more other checks that can be performed on the data obtained at step 194.
Following step 202 is a test step 204, which determines whether the results of the checks performed at step 202 indicate that everything is in order. If not, control passes from step 204 to a step 206, where an indication that the validity data is not acceptable is provided to the relying party. Other suitable processing can be performed at step 206, including, for example, providing an error notification to a system administrator. After step 206, processing is complete.
If it is determined at the test step 204 that the validity data is acceptable, control passes from the test step 204 to a test step 208, which determines whether the relying party has requested the RTCA certificate. If not, control passes from the test step 208 to a step 212, where the validity data (the artificially pre-computed response) is provided to the relying party. After step 212, processing is complete. Otherwise, if it is determined at the test step 208 that the RTCA certificate has been requested together with the validity data, control passes from the test step 208 to a step 214, where the validity data (the artificially pre-computed response) and the RTCA certificate are provided to the relying party. After step 214, processing is complete.
For some embodiments, the relying party can perform its own checks of the validity data, in which case the checks of step 202 and the corresponding test of step 204 need not be performed. This is illustrated by an alternative flow path 216 from step 196 to step 208.
Referring to Fig. 9, a flow chart 230 illustrates in more detail the steps performed by the RTC responder when obtaining the RTCA data at step 194 of the flow chart 190 of Fig. 8. The flow chart 230 corresponds to embodiments where the RTCA data is automatically pushed to the RTC responder by the RTCA, so that the RTC responder need not explicitly request the data. For these embodiments, the responder always automatically has the most recent (or nearly the most recent) RTCA data.
Processing begins at a first test step 232, where the RTC responder determines whether the requested data is available at the RTC responder. If so, control passes from the test step 232 to a test step 234, which determines whether the requested data at the RTC responder is up to date. As discussed elsewhere herein, an artificially pre-computed response can include a time interval during which the artificially pre-computed response is valid, after which a new artificially pre-computed response needs to be obtained. Whatever particular mechanism is used to determine the time interval of an artificially pre-computed response, the test step 234 determines whether the particular artificially pre-computed response requested by the relying party is up to date by comparing the current time with the time interval associated with the artificially pre-computed response.
If the data is up to date, control passes from the test step 234 to a test step 236, which determines whether the RTCA certificate is valid. In some cases, it is possible that the RTCA certificate has been revoked (or has expired), so that the data provided by the RTCA may be unreliable. For example, if the RTCA's secret key is compromised, the RTCA certificate can be revoked. Determining the validity of the RTCA certificate at step 236 can be performed using any of a variety of known techniques, including the techniques described herein. If it is determined at the test step 236 that the RTCA certificate is valid, control passes from the test step 236 to a step 238, where the requested artificially pre-computed response is provided for further processing, as described in connection with the flow chart 190 of Fig. 8. After step 238, processing is complete.
If it is determined at the test step 232 that the data is not available, or at the test step 234 that the requested data is not up to date, or at the test step 236 that the RTCA certificate is not valid, control passes to a step 242, which indicates to the subsequent processing of the flow chart 190 of Fig. 8 that the data could not be obtained. In certain embodiments, the information provided at step 242 can include the reason that the requested information could not be obtained. After step 242, processing is complete.
In certain embodiments, it may not be desirable to check the validity of the RTCA certificate at each iteration. For these embodiments, step 236 can be omitted, which is illustrated by an alternative path 244.
It should also be noted that the processing shown in the flow chart 230 can also be used in embodiments where the RTC responder periodically requests new data from the RTCA. In such cases, the data may be unavailable or not up to date because it has not yet been requested from the RTCA by the RTC responder.
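The cache behaviour described above (the tests 232, 234 and 236 of Fig. 9, together with the earlier rule that a proof of revocation takes precedence over a proof of validity) can be sketched as follows. This is an added example, not code from the patent; the class and field names, the integer timestamps and the opaque `signature` bytes are assumptions, and signature verification is left to the relying party.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


@dataclass(frozen=True)
class PrecomputedResponse:
    """One RTCA-signed statement about one certificate (field names are assumptions)."""
    serial: int
    status: str           # GOOD or REVOKED
    start: int            # start of interval T, or the revocation time rt
    end: Optional[int]    # end of T; None for a proof of revocation (no interval needed)
    signature: bytes      # RTCA signature; opaque here, the responder holds no key


class RTCResponder:
    """Unprotected cache of RTCA-signed responses; it never signs anything itself."""

    def __init__(self, rtca_cert_not_after: int) -> None:
        self.rtca_cert_not_after = rtca_cert_not_after
        self.rtca_cert_revoked = False
        self._cache: Dict[int, PrecomputedResponse] = {}

    def store(self, resp: PrecomputedResponse) -> bool:
        """Accept a response received from the RTCA; return True if it was cached."""
        held = self._cache.get(resp.serial)
        # Revocation is irrevocable: a validity proof that arrives late, or is
        # replayed, must never displace a cached proof of revocation.
        if held is not None and held.status == REVOKED:
            return False
        # Ignore validity proofs older than the one already held.
        if resp.status == GOOD and held is not None and resp.start < held.start:
            return False
        # A proof of revocation replaces any validity proof, even in mid-interval.
        self._cache[resp.serial] = resp
        return True

    def lookup(self, serial: int, now: int) -> Tuple[str, Optional[PrecomputedResponse], str]:
        """Tests 232, 234 and 236, in that order; the third value is the reason."""
        resp = self._cache.get(serial)
        if resp is None:                                    # test 232
            return UNKNOWN, None, "no response cached"
        if resp.status == GOOD and not (resp.start <= now < resp.end):   # test 234
            return UNKNOWN, None, "cached response is not current"
        if self.rtca_cert_revoked or now >= self.rtca_cert_not_after:    # test 236
            return UNKNOWN, None, "RTCA certificate is not valid"
        return resp.status, resp, "ok"                      # step 238


def demo() -> List[str]:
    """Constructed timeline; times are plain integers (for example, minutes)."""
    r = RTCResponder(rtca_cert_not_after=10_000)
    validity = PrecomputedResponse(7, GOOD, 1000, 2000, b"constructed-sig-1")
    r.store(validity)
    seen = [r.lookup(7, 1500)[0]]              # inside T, no revocation yet
    r.store(PrecomputedResponse(7, REVOKED, 1600, None, b"constructed-sig-2"))
    seen.append(r.lookup(7, 1700)[0])          # revoked in the middle of T
    r.store(validity)                          # stale validity proof arrives again
    seen.append(r.lookup(7, 1800)[0])          # revocation still wins
    seen.append(r.lookup(8, 1800)[0])          # certificate never seen
    return seen


if __name__ == "__main__":
    print(demo())
```
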
Referring to Fig. 10, a flow chart 260 illustrates in more detail steps performed when obtaining the RTCA data at step 194 of the flow chart 190 of Fig. 8, for embodiments where the RTC responder requests data from the RTCA. Processing begins at a first step 262, which determines whether the relying party has requested the RTCA certificate. If so, control passes from step 262 to a step 264, which determines whether the RTCA certificate is cached by the RTC responder. If not, control passes from the test step 264 to a step 266, where the RTC responder requests the RTCA certificate from the RTCA.
Following step 266, or following step 262 if the RTCA certificate has not been requested, or following step 264 if the requested certificate is already cached, is a test step 268, which determines whether an artificially pre-computed response has been requested. If so, control passes from the test step 268 to a test step 272, which determines whether the requested artificially pre-computed response is cached at the RTC responder (and, of course, is up to date). If not, control passes from the test step 272 to a step 274, where the RTC responder requests the artificially pre-computed response from the RTCA. Following step 274, or following step 268 if no artificially pre-computed response has been requested, or following step 272 if the requested artificially pre-computed response is cached, is a step 276, where the result of obtaining the requested information is provided so that processing can continue with the steps of the flow chart 190 of Fig. 8. After step 276, processing is complete.
Referring to Fig. 11, a flow chart 300 shows steps performed by a user, or by a relying party with which the user transacts, in embodiments where a two-party transaction is established so as to avoid the additional steps and processing of a three-party transaction. Processing begins at a first test step 302, which determines whether the information (artificially pre-computed responses) cached by the user and/or the relying party is up to date (or is present locally at all). If so, control passes back to the test step 302 to continue polling until the information is no longer up to date. Once it is determined at the test step 302 that the cached information is not up to date, control passes from the test step 302 to a step 304, where the entity (the user and/or the relying party) obtains up-to-date information, as discussed elsewhere herein. Following step 304 is a step 306, where the information obtained at step 304 is stored locally (cached). After step 306, control passes back to step 302 to continue polling until the cached information is no longer up to date.
Referring to Fig. 12, a certificate 320 is shown as including conventional certificate information 322 and RTCA certificate information 324. The certificate 320 can be a user certificate or a CA certificate. As discussed above, in certain embodiments, the public key certified by the RTCA certificate 324 may be embedded in the certificate. When the certificate 320 (whether a user certificate or a CA certificate) is examined by a relying party, the RTCA certificate need not be obtained separately. In other embodiments, the RTCA certificate information 324 includes the entire RTCA certificate or a pointer to it.
Referring to Fig. 13, a diagram 400 shows the flow of information among a CA 402, an RTCA 404, an RTC responder 406 and a relying party 408. As discussed elsewhere herein, the CA 402 provides validation information (e.g., a CRL) 412 to the RTCA 404. The RTCA 404 generates a plurality of artificially pre-computed responses 416, which are provided to the RTC responder 406. In some cases, the RTCA 404 can also provide an RTCA certificate 414 to the RTC responder 406. However, as discussed elsewhere herein, the RTCA certificate 414 can be provided only once, or can be provided periodically and independently of the RTCA 404 providing the artificially pre-computed responses 416 to the RTC responder 406.
The relying party 408 generates an OCSP request 418 (or some other type of request for validity information), which the relying party 408 provides to the RTC responder 406. The RTC responder 406 serves the OCSP request 418 by providing an artificially pre-computed OCSP response 422, which is one of the artificially pre-computed OCSP responses 422 previously provided to the RTC responder 406 from the RTCA 404. The relying party can then use the artificially pre-computed response 422 to take appropriate further action based on the validity status of the certificate in question. As discussed elsewhere herein, in some cases, the RTC responder 406 can provide the RTCA certificate 414 to the relying party 408.
Referring to Fig. 14, a diagram 430 shows validation information being communicated between two otherwise independent digital certificate systems. The diagram 430 shows the CA 402, the RTCA 404, the RTC responder 406 and the relying party 408 of the diagram 400 of Fig. 13. The diagram 430 also shows the validation information 412 provided to the RTCA 404 by the CA 402, as well as the RTCA certificate 414 and the artificially pre-computed responses 416 passed from the RTCA 404 to the RTC responder 406.
The diagram 430 also shows a second CA 432, a second RTCA 434, a second RTC responder 436 and a second relying party 438. The second CA 432 provides validation information 442 to the second RTCA 434. The second RTCA 434 provides artificially pre-computed responses 446 to the second RTC responder 436. However, assuming that the CA 402 and the second CA 432 manage independent sets of digital certificates, the CRL 412 contains information about different certificates than the CRL 442, and the artificially pre-computed responses 416 contain information about different certificates than the artificially pre-computed responses 446. Thus, when the second relying party 438 provides to the second responder 436 an OCSP request 448 about a certificate managed by the CA 402, none of the artificially pre-computed responses 446 provided by the second RTCA 434 is suitable for satisfying the OCSP request 448.
The above difficulty can be resolved if the RTCA 404 has previously provided the artificially pre-computed responses 416 and the RTCA certificate 414 to the second RTC responder 436, so that the second RTC responder 436 can satisfy the OCSP request by providing the second relying party 438 with the RTCA certificate 414 and the artificially pre-computed response 422 generated by the RTCA 404. It should be noted that, as discussed elsewhere herein, the transmission from the RTCA 404 to the second RTC responder 436 need not be secure, because the RTCA certificate 414 and the artificially pre-computed responses 436 are digitally signed before being transmitted to the second responder 436.
Referring to Fig. 15, a diagram 460 shows a generalization of the system shown in the diagram 430 of Fig. 14. In the diagram 460, the RTCA 404 provides the artificially pre-computed responses 416 to a heterogeneous cloud 462 of RTC responders. Similarly, the second RTCA 434 provides the artificially pre-computed responses 446 to the heterogeneous cloud 462 of RTC responders. The RTCAs 404, 434 can also provide their respective RTCA certificates (not shown) to the heterogeneous cloud 462 of RTC responders. It should be noted that any number of RTCAs can provide artificially pre-computed responses and/or RTCA certificates to the heterogeneous cloud 462 of RTC responders. Thus, the relying party 408, the second relying party 438, or some other relying party can receive an appropriate one of the artificially pre-computed responses and, optionally, the RTCA certificate in response to an OCSP request (or some other type of request) concerning a particular certificate for which an artificially pre-computed response has been provided to the heterogeneous cloud 462.
While the techniques described herein address many of the drawbacks of traditional OCSP, such as costly computation, high traffic and expensive replication of secure servers, additional optimizations can reduce computation and communication costs even further. In particular, the traffic between the RTCA and the RTC responders can be reduced by suitable compression, as described below. The savings obtained by combining the following techniques are significant, particularly when the standard OCSP syntax is used.
As discussed above, the RTCA sends artificially pre-computed responses to each RTC responder. Each artificially pre-computed response can consist of multiple data elements, such as the response type, the time at which the response was computed, the digital signature algorithm identifier, the id of the RTCA, the certificate number, whether the certificate is valid or invalid, and the digital signature itself. Many of these items are identical or similar across multiple responses. For example, the time at which the response was computed and the id of the RTCA are the same for all responses. When all responses are sent together from the RTCA to the RTC responder, the common data elements need only be transmitted once. When answering a relying party's request, the RTC responder can then reconstruct the appropriate response. In addition, when data items are similar but not identical, a suitable compression algorithm can be used to exploit the similarity and transmit only the differences.
In addition, to further reduce the cost of computing responses and sending them to the responders, it is advantageous to update the responders with the validity status of some, rather than all, of the certificates. For example, the validity status of all certificates might be updated hourly, while some high-priority (e.g., high-security) certificates might have their status updated every minute. Alternatively (or in addition), recently revoked certificates can have their validity status updated at the responders immediately to reduce the risk of improper use. Alternatively, the RTCA can provide the responders with minute-by-minute updates for certificates whose status has changed, while also providing signed validity status information for all certificates daily (or hourly).
Standard general-purpose compression techniques (e.g., Lempel-Ziv) can be used to further reduce communication costs. The compression techniques can be applied after the above optimizations have reduced the traffic.
The above optimizations reduce the computational load on the RTCA and the communication costs between the RTCA and the responders because, in many cases, only a smaller number of signatures needs to be computed. Indeed, by reducing the latency caused by computation and communication, this approach increases security: the responders have more current information than they would if the RTCA always had to process and send the validity status of all digital certificates.
Referring to Fig. 16, a flow chart 470 shows steps for compressing the data communicated between the RTCA and the RTC responders. Processing begins at a first step 472, where unscheduled items are removed so that they are not transmitted. As discussed above, one possible optimization is to update the information about certificates at different frequencies, with more important certificates updated more frequently. Thus, at each update cycle, information about less important certificates that are not scheduled for update is removed from the information to be sent from the RTCA to the RTC responders.
Following step 472 is a step 474, where redundant items are removed from the remaining data. As discussed above, redundant items include items that are the same for all of the information being transmitted. For example, the identity of the RTCA and the update time are the same for all of the information passed from the RTCA to the RTC responders. Following step 474 is a step 476, where a compression algorithm is applied to the remaining information. Various possible compression algorithms are discussed above. After step 476, processing is complete.
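The three steps of Fig. 16 can be sketched as below. This is an added example, not code from the patent: the JSON layout, the field names, the hourly/per-minute schedule and the SHA-256 stand-in for the RTCA signature are assumptions, and zlib's DEFLATE (an LZ77-based scheme) stands in for the Lempel-Ziv step.

```python
import hashlib
import json
import zlib
from typing import Dict, List, Set

# Fields the text lists as identical across one batch of responses.
COMMON_FIELDS = ("response_type", "produced_at", "sig_alg", "rtca_id")


def sample_batch(n: int, produced_at: int) -> List[dict]:
    """Constructed sample data. 'signature' is a SHA-256 stand-in, not a real signature."""
    batch = []
    for serial in range(1, n + 1):
        status = "revoked" if serial % 10 == 0 else "good"
        stand_in = hashlib.sha256(f"{serial}|{status}|{produced_at}".encode()).hexdigest()
        batch.append({
            "response_type": "basic",
            "produced_at": produced_at,
            "sig_alg": "sha256WithRSAEncryption",
            "rtca_id": "RTCA-example",
            "serial": serial,
            "status": status,
            "signature": stand_in,
        })
    return batch


def select_due(responses: List[dict], high_priority: Set[int], minute: int) -> List[dict]:
    """Step 472: everything on the hour, only high-priority serials in between."""
    if minute % 60 == 0:
        return list(responses)
    return [r for r in responses if r["serial"] in high_priority]


def factor_common(responses: List[dict]) -> Dict[str, object]:
    """Step 474: send fields that are identical across the batch only once."""
    if not responses:
        return {"common": {}, "items": []}
    first = responses[0]
    common = {k: first[k] for k in COMMON_FIELDS
              if all(r[k] == first[k] for r in responses)}
    items = [{k: v for k, v in r.items() if k not in common} for r in responses]
    return {"common": common, "items": items}


def pack(responses: List[dict], high_priority: Set[int], minute: int) -> bytes:
    """RTCA side: steps 472, 474 and 476 in order."""
    factored = factor_common(select_due(responses, high_priority, minute))
    encoded = json.dumps(factored, sort_keys=True, separators=(",", ":")).encode()
    return zlib.compress(encoded, 9)                      # step 476


def unpack(blob: bytes) -> List[dict]:
    """Responder side: rebuild each full response from the shared and per-item parts.

    The signed fields are restored exactly, so the RTCA signature carried in
    each item still covers the reconstructed response.
    """
    batch = json.loads(zlib.decompress(blob))
    return [{**batch["common"], **item} for item in batch["items"]]


def naive_bytes(responses: List[dict]) -> bytes:
    """Baseline: every response sent in full, uncompressed."""
    return json.dumps(responses).encode()


if __name__ == "__main__":
    batch = sample_batch(200, produced_at=1_700_000_000)
    hourly = pack(batch, high_priority={3, 5}, minute=0)
    minutely = pack(batch, high_priority={3, 5}, minute=7)
    print(len(naive_bytes(batch)), len(hourly), len(minutely))
```
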
The validity of certification is valuable when identity of claiming of proof.Yet, in some cases, prove that an identity of claiming is associated with the privilege of visit specific physical locations, logic entity or service usually.Identity can be implicit with the related of privilege, and can incompatiblely control the needs of a plurality of independent privileges of same user.Diverse ways will adopt the privileged mode that separates of each independent privilege.RTCA can be expanded so that the privileged mode of a plurality of privileges also to be provided except that certificate status is provided.
Privilege can be authorized by one or more authorized organizations.This can be the process that implies, and wherein authorized organization and CA are same entity.Under such situation, prove that the user of its identity can set up the user right of visit ad-hoc location, logic entity or service.Yet the defective of this method is that privileged mode possibly be the same with certificate or identity the state of validity, thereby all causes simple being/denying to be answered to all privileges of inferring.Be described below, this can think that each user provides other, independently privileged mode is able to solve through expansion RTCA.
Initially, the CA certifies the RTCA as a privilege management authority. For example, this can be performed as part of the general CA certification procedure described elsewhere in this specification. The CA can digitally sign a certificate indicating that the CA trusts and authorizes the RTCA to provide multiple independent privilege statuses in addition to the certificate validity status. The authorization can be implicit, or stated explicitly in the RTCA certificate.
After certification, the authorized organization can notify the RTCA of the current state of each privilege status. The authorized organization can keep the RTCA informed of the validity status of each privilege that the authorized organization is empowered to grant to each user under its control. For example, the authorized organization can (1) notify the RTCA online of any change in privilege status as soon as the change occurs, or (2) send the RTCA a digitally signed message indicating the change.
Confirming that an entity is an authorized organization with the proper authority can be performed using a digitally signed certificate issued by a properly trusted and authorized CA. The privileges controlled by each authorized organization can be bound to that organization in the certificate itself (i.e., by the CA), in a database located at the RTCA, or through some other suitable means.
When the RTCA produces individually signed certificate validity status messages, the RTCA can include the status of each privilege associated with the particular certificate. As part of the process of providing the validity status of a certificate, the RTCA can include the identifier and current status of each privilege associated with that certificate. The time interval associated with a privilege status can be the same as the one applied to the certificate validity status. In this respect, each privilege status can be precomputed in the same way as, and at the same time as, the certificate status validation described above. The privilege status can be included in the same digitally signed message as the certificate status validation.
The RTCA can send the precomputed privilege validity status to unprotected RTC transponders. The process of distributing each privilege status can be the same as, and occur at the same time as, the certificate status validation described above. The transponder can then store the privilege status precomputed by the RTCA. When the privilege status validation is included as part of the certificate status validation, the privilege status information can be stored as a single response and/or stored together with the certificate validation information by the transponder, as described above.
As stated above, when a dependence side asks a transponder for the validity status information of a certificate, the RTC transponder can provide the response precomputed by the RTCA, which includes the certificate validity status and all relevant privilege statuses. The dependence side can then verify the precomputed response (and, if appropriate, the RTCA certificate). The dependence side's processing of the received response is similar to that described above, except that any relevant privilege status is now also available. The privilege status can be read and used to determine whether to grant the requested access. An RTC system extended to provide multiple explicit privilege statuses can be similar to the system for providing certificate status described elsewhere in this specification, except that the precomputed OCSP response now includes privilege validity status as well as certificate validity status information.
With reference to Figure 17, diagram 480 shows an implementation of an authorized organization. Diagram 480 shows a CA 482 linked to an RTCA 484. As described elsewhere in this specification, the CA 482 provides information to the RTCA 484. The RTCA 484 is linked to a plurality of RTC transponders 486-488 to provide information to them, as described elsewhere in this specification.
Diagram 480 also shows an authorized organization 492 that provides authorization information to the RTCA 484. Optionally, the CA 482 can be linked directly to the authorized organization 492 to provide initial authorization information, an authority certificate, and any other suitable messages. As described elsewhere in this specification, the CA 482 and the authorized organization 492 can be the same entity, which is illustrated by the frame 496 around the CA 482 and the authorized organization 492. Although not shown in diagram 480, the system described here with the authorized organization 492 can include additional RTCAs, transponders, etc., as described elsewhere in this specification (for example, see Fig. 3 and the corresponding description).
It should be noted that in some embodiments the CA 482 can provide the authority certificate directly to the RTCA 484, without the CA 482 providing a certificate to the authorized organization 492. It should also be noted that the authority certificate (or other evidence of authorization) can be provided in a certificate issued by the CA 482 (similar to that shown in Figure 12 above) or in other information that the CA 482 provides to the RTCA 484.
While the RTC system addresses many OCSP drawbacks, further optimization is also possible. In particular, the computational cost of the RTCA can be minimized by processing multiple digital signatures at once. In the system described above, the RTCA signs the status of each digital certificate. Even though this is done ahead of time, possibly even before any status query is made, it may still be desirable to reduce the computational cost of this process, particularly because generating a digital signature is a computationally intensive operation.
As detailed below, an improvement is provided by a signature-efficient RTCA (SERTCA), which combines the status of a plurality of certificates into a single statement and then signs and dates the statement, so that a single signature authenticates the status of a plurality of certificates at a particular point in time. The number of certificates whose status is authenticated in this way can be fixed (each statement always contains the status information of the same number of certificates) or can vary. A certificate identified in one statement can also be identified in other statements. For example, one statement can represent the validity status of all certificates belonging to a particular individual, and another statement can represent the validity of all certificates with serial numbers within a certain integer interval. The same certificate may belong to both sets, and thus to two separately authenticated statements.
After authenticating all the statements for a specified time interval, the SERTCA can send the statements to one or more RTC transponders, which store the statements in order to serve dependence side queries. On receiving a query about a certificate X, the RTC transponder retrieves the SERTCA-signed statement that includes the validity status of X and returns this statement to the dependence side. The dependence side can verify the SERTCA signature and search the statement for the information about X, thereby learning the status of X in an authenticated manner.
Of course, a SERTCA can also issue a statement about the status of a single certificate; if a SERTCA issues only statements about single certificates, the SERTCA provides the same information as an RTCA. A particular SERTCA can act as an RTCA at some times and not at others (for example, according to the computational constraints and needs at a particular time). A system can combine RTCAs and SERTCAs.
Initially, the CA certifies the SERTCA in a manner similar to that described above for certifying an RTCA. Like an RTCA, a SERTCA may or may not be the same entity as the CA of a particular organization. Each CA provides its own one or more SERTCAs, where each SERTCA has a special certificate, the SERTCA certificate. The CA can digitally sign the SERTCA certificate to indicate that the CA trusts and authorizes the SERTCA to provide validity information about the CA's certificates. Such a certificate confers SERTCA status on a particular entity (e.g., an entity identified by a unique identifier, an OID number, etc.) and can bind a particular verification key PK to that entity (the entity holds the corresponding secret signing key).
As with an RTCA, even if the CA and the SERTCA are the same entity, it is advantageous for the CA and the SERTCA to have different signing keys. Thus, whether or not the CA and the SERTCA represent the same entity, the CA issues certificates and the SERTCA manages them (e.g., attests that a certificate is valid, revoked or suspended). In this way, even if the CA and the SERTCA coincide, a separate SERTCA certificate may still be used. In some embodiments each CA has only one SERTCA, although for redundancy or other purposes it may be advantageous to have more than one, whether or not the same signing key is used. If there are multiple SERTCAs, some of them can be used simply as RTCAs.
It should be noted that, like an RTCA, a SERTCA protects its signing key, for example by means of a vault, a secure facility, or secure hardware. The CA keeps the SERTCA informed of the validity status of its certificates. For example, the CA can (1) notify the SERTCA online of any change in certificate validity as soon as the change occurs, or (2) send its CRLs to the SERTCA when they are produced. On any date Di in a series of dates D1, D2, ..., the SERTCA performs an update based on its current knowledge of validation status (e.g., based on the CA's latest CRL) and independently of any dependence side request. It does so by processing each outstanding (preferably unexpired) certificate of the CA, combining the information about the validity status of the certificates into sets, and, for each set, digitally signing a statement (an artificial precomputation response) that indicates the status of each certificate in the set. For example, such a status can be valid, revoked, or suspended (or possibly "unknown", "not issued", or another status indication). The signed statement can specify a time interval T. In some embodiments, at each update every signed statement specifies the same time interval T, and the totality of these time intervals covers the entire "timeline". For example, at each update date Di, the time interval can be T = Di+1 - Di, where possibly only one of Di and Di+1 is part of T, and the other date is part of the adjacent time interval.
As an example, a statement can have the form SIG-SERTCA("X: valid; Y: revoked; Z: suspended; date: Di; next date: Di+1"), where X, Y and Z represent information identifying particular certificates (e.g., serial numbers), and "valid", "revoked" and "suspended" are indicators of the respective certificate status. If the SERTCA's current knowledge of certificate status is based on the CA's CRLs, then each Di can coincide with the date of one CRL, and Di+1 with the date of the next CRL. It will be appreciated that such strict time dependence is not required. For example, the dates on which the SERTCA processes, or begins to process, its statements can be D1, D2, etc., while the time intervals specified in the statements can be D1', D2', etc., where Di can differ from Di'. For example, Di can be earlier than Di', in which case the RTCA can begin processing a statement before the time interval of the statement begins, for example because the SERTCA wants to complete its processing before interval T begins. Similarly, if CRLs are used for SERTCA updates, the statement times can differ from the CRL times.
Thus, in effect, the SERTCA precomputes digital signatures indicating the status of all certificates for a specified time interval T. Such precomputation can be performed independently of any dependence side request about certificate validity. The SERTCA can precompute the signed statements for a specified time interval before any status query is made in that interval, or even before the interval begins. The SERTCA-signed statements of certificate status (artificial precomputation responses) can be in standard OCSP format, or in a format compatible with existing dependence side software. Where OCSP software is already in place, this is useful for minimizing or eliminating modifications to existing dependence side software. For example, to ensure OCSP compliance, all relevant quantities, such as the digital signature algorithm, OIDs, etc., can be suitably chosen.
It should be noted, however, that a syntactically correct OCSP response of the SERTCA need not be a traditional OCSP response, because the SERTCA response is not computed in response to any request. In effect, the SERTCA precomputes OCSP-compliant responses to OCSP requests that have not yet been made and may never be made. Whether or not the SERTCA responses are in OCSP format, they are all artificial precomputation responses.
After precomputing the responses, the SERTCA can make the responses available to other parties. Although the SERTCA can return a response to a dependence side in response to a validity status query, in other embodiments the SERTCA can provide the precomputed responses to RTC transponders, which are similar to the RTC transponders used with the RTCA described above.
The SERTCA can help the RTC transponders process the signatures by presenting the signatures to the RTC transponders in a suitably organized manner. To ensure that all relevant precomputed responses have been received, at each update the SERTCA can provide the RTC transponder with an additional signature, obtained by signing and dating the totality of the artificial precomputation responses received by the RTC transponder. In addition, the SERTCA can send the SERTCA certificate to the RTC transponders. This transmission need not occur at every update; it can be performed only at the start or periodically.
The RTC transponder can store the received artificial precomputation responses of the SERTCA for a sufficiently long time. In some embodiments, if a signature relates to a specified time interval T, the RTC transponder can store the artificial precomputation response at least until the end of T. In some embodiments, RTC transponders (particularly those belonging to the same organization as the SERTCA) can check that they have correct information. For example, an RTC transponder can verify that the artificial precomputation responses about time interval T were received before T begins (or at another suitable time related to T); verify all received SERTCA signatures (and possibly the appropriate SERTCA certificate); verify whether the RTC transponder has received information about all certificates (e.g., no fewer certificates than expected, no fewer than the certificates that were sent); verify whether the RTC transponder has received a SERTCA-signed statement of validity for a certificate that was previously declared revoked; and so on. If any problem is detected, the RTC transponder notifies the SERTCA or another suitable entity.
A dependence side can ask an RTC transponder for the validity status of a certificate. In some embodiments, the dependence side uses the OCSP format for the request. If information about the status of the same certificate appears in more than one statement, the dependence side can indicate to the RTC transponder which statement it prefers. For example, suppose the SERTCA provides statements representing the validity status of all certificates belonging to a particular individual, and also statements representing the validity status of all certificates with serial numbers within a certain integer interval, and the dependence side is mainly interested in the validity status of the certificate with serial number X belonging to individual I. The dependence side can then provide an indicator of its preference to receive (a) a SERTCA-signed statement that includes information about certificates with serial numbers close to X, (b) a SERTCA-signed statement that includes information about other certificates of I, (c) a very short SERTCA-signed statement, or (d) any SERTCA-signed statement that includes information about the status of X (i.e., no preference). Depending on the circumstances, each of these choices can be advantageous.
When asked about the validity of a particular certificate, the RTC transponder can retrieve from memory the artificial precomputation response of the SERTCA that includes information about that certificate. The RTC transponder can return the artificial precomputation response. The RTC transponder can also forward the appropriate certificate of the SERTCA that signed the artificial precomputation response. It should be noted that the dependence side can provide an indication regarding receipt of the SERTCA certificate, or the RTC transponder may know or assume that the dependence side already has a copy of the SERTCA certificate. If several precomputed answers include information about the same certificate, the RTC transponder can choose which answer to return according to the dependence side's preference, some assignment algorithm, or some other rule.
The dependence side processes the received response to determine the validity of the certificate of interest. In some embodiments, if the response is in OCSP format, the RTC transponder uses OCSP software for such processing. The RTC transponder can verify the appropriate SERTCA certificate. In OCSP-compliant embodiments, the RTC transponder can verify the SERTCA certificate as an OCSP transponder certificate. In some embodiments, the SERTCA certificate can be syntactically constructed as an OCSP transponder certificate.
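The SERTCA flow described above (one signature over a multi-certificate statement, an unprotected transponder that only stores and selects statements, and a dependence side that verifies the signature and then searches the statement) is sketched below as an added example; it is not code from the patent. The toy RSA key, the integer dates, the half-open interval [Di, Di+1), and all function and class names are assumptions made for illustration.

```python
import hashlib

# Constructed toy SERTCA key, NOT secure: Mersenne primes stand in for the secret factors.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def _digest(text: str) -> int:
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % N


def sertca_sign(states: dict, date: int, next_date: int):
    """Build one statement "X: valid; Y: revoked; ...; date: Di; next date: Di+1" and sign it."""
    body = "; ".join(f"{serial}: {status}" for serial, status in sorted(states.items()))
    statement = f"{body}; date: {date}; next date: {next_date}"
    return statement, pow(_digest(statement), D, N)


def parse(statement: str) -> dict:
    """Split a statement into its fields (serial numbers, "date", "next date")."""
    return dict(part.split(": ", 1) for part in statement.split("; "))


class Transponder:
    """Unprotected store: it holds signed statements and never a signing key."""

    def __init__(self):
        self.by_serial = {}

    def store(self, statement: str, signature: int) -> None:
        for key in parse(statement):
            if key.isdigit():  # index the statement under every serial it covers
                self.by_serial.setdefault(int(key), []).append((statement, signature))

    def lookup(self, serial: int, prefer: str = "any"):
        """Return one stored statement covering serial, honouring the stated preference."""
        candidates = self.by_serial.get(serial, [])
        if not candidates:
            return None
        if prefer == "shortest":
            return min(candidates, key=lambda c: len(c[0]))
        return candidates[0]


def dependence_side_check(serial: int, statement: str, signature: int, now: int) -> str:
    """Verify the SERTCA signature and the interval, then read the status of serial."""
    if pow(signature, E, N) != _digest(statement):
        raise ValueError("bad SERTCA signature")
    fields = parse(statement)
    # Assumption: Di belongs to the interval and Di+1 to the next one.
    if not int(fields["date"]) <= now < int(fields["next date"]):
        raise ValueError("statement does not cover the current time")
    if str(serial) not in fields:
        raise ValueError("statement does not cover this certificate")
    return fields[str(serial)]
```

Because the status is only read after the signature over the whole statement verifies, a transponder that alters or truncates a statement produces a verification failure rather than a false status.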
With reference to Figure 18, diagram 500 shows the data flow between a CA 502, a SERTCA 504, an RTC transponder 506 and a dependence side 508. The CA 502 provides validation information (such as CRLs) to the SERTCA 504. The SERTCA 504 uses the validation information to produce a plurality of multi-certificate artificial precomputation responses 516. The SERTCA 504 also has its own certificate 514, which can be provided to the SERTCA 504 by the CA 502.
The dependence side 508 produces an OCSP request 518, which the dependence side 508 provides to the RTC transponder 506. In response, the RTC transponder 506 provides a multi-certificate artificial precomputation response 522, which is one of the multi-certificate artificial precomputation responses 516 originally provided to the transponder 506 by the SERTCA 504. In addition, as described elsewhere in this specification, in some cases the transponder 506 provides the SERTCA certificate 514 to the dependence side 508.
It should be noted that the processing described above for the RTCA system can equally be adapted for use with a SERTCA system and/or a hybrid system, including the use of an authorized organization, as described above, and the compression optimization described above in connection with Figure 16. Similarly, the processing described above for the SERTCA system is equally suited for use with an RTCA system and/or a hybrid system.
Another technique, batch processing OCSP, can be used to reduce the computational cost of an RTCA or SERTCA. Batch processing OCSP can be used alone, or in combination with one or more of the other mechanisms described here.
Batch processing OCSP can be employed when the particular digital signature used in the responses is an RSA digital signature. Whereas the SERTCA improves signing efficiency by authenticating the status of a plurality of certificates in a single signature, batch processing OCSP improves efficiency by producing a plurality of single-certificate OCSP responses by means of a single computation, making the cost per response significantly lower than the cost of a single OCSP response. For example, if 10 single-certificate OCSP responses are produced individually, the cost to the RTCA (or a traditional OCSP transponder) is roughly that of 10 RSA signatures. As stated above, the SERTCA mechanism can reduce the cost to that of one RSA signature by combining the information on the 10 certificates in a single statement. However, the drawback of using a SERTCA is that the corresponding statement becomes longer. Batch processing OCSP can produce 10 different, individually signed single-certificate OCSP responses at a total cost lower than that of 10 RSA signatures (in some cases, roughly the cost of 2 RSA signatures).
As described below, batch processing OCSP is based on Fiat's batch processing RSA computation. An RSA public key PK consists of two integers (N, e), the public modulus and the verification exponent respectively. The modulus is the product of two large secret primes p and q, and the security of RSA depends on the difficulty of finding the constituent primes from the modulus N. The corresponding secret key SK consists of (N, d), where d has the following property: for all positive integers b less than N, if s equals b raised to the power d modulo N, then b equals s raised to the power e modulo N. In other words, raising an integer to the power e modulo N and raising an integer to the power d modulo N are exactly inverse operations.
Computing an RSA digital signature involves hashing and (possibly randomly) formatting the message m to obtain b, and then computing the signature s by raising b to the power d and reducing the result modulo N. The corresponding verification procedure computes b from s, by raising s to the power e modulo N, and checks that b was in fact correctly produced from m. Fiat's observation on batch processing RSA signatures is as follows. Suppose there are a plurality of values b1, ..., bi, a plurality of verification exponents e1, ..., ei, and corresponding signing exponents d1, ..., di. Then, using a number-theoretic algorithm (not described here, but known in the art), computing s1 as b1 raised to the power d1 modulo N, s2 as b2 raised to the power d2 modulo N, ..., si as bi raised to the power di modulo N can be carried out more efficiently than i separate individual computations (provided that e1, ..., ei are distinct and satisfy certain other conditions).
As stated above, a SERTCA (and an RTCA) has a digital certificate issued by the CA, which certifies the public key that the SERTCA uses to sign precomputed OCSP responses indicating the validity information of digital certificates. Also as stated above, the SERTCA digital certificate consists of the digital signature of the CA securely binding together several quantities, such as SN (the unique serial number of the certificate), PK (the public key of the SERTCA), ID (an identifier), $D_1$ (the issue date), $D_2$ (the expiry date), and other data. In symbols: $C = SIG_{CA}(SERTCA, SN, PK, ID, D_1, D_2, \ldots)$. Where RSA digital signatures are used by the SERTCA, the public key PK of the SERTCA takes the form (n, e), where n is the modulus and e is the verification exponent, and the certificate takes the form:
$C = SIG_{CA}(SERTCA, SN, (n, e), ID, D_1, D_2, \ldots)$
The RTC transponder and the dependence side can learn the SERTCA public key from the SERTCA certificate in an authenticated manner. However, because a traditional certificate contains only a single exponent e, traditional certificates are not suited for use with batch processing RSA, which uses a plurality of different exponents. Unless the verifier (RTC transponder and/or dependence side) knows the verification exponent used in the particular signature authenticating the validity information of a digital certificate, the verifier cannot verify the signature. The following ways of using batch processing RSA within batch processing OCSP overcome this problem.
In one method, the SERTCA first produces a modulus n as in traditional RSA signatures, and presents n to the CA to be certified as the SERTCA's public key. The SERTCA protects its secret key, which consists of the primes p and q. The CA then issues the SERTCA a digital certificate for a public key consisting of n alone. For example, the SERTCA certificate can take the form $C = SIG_{CA}(SN, n, ID, D_1, D_2, \ldots)$. The CA then notifies the SERTCA of the status of its user certificates. The SERTCA then produces i signing exponents d1, ..., di and the corresponding verification exponents e1, ..., ei. Independently of any dependence side request, the SERTCA produces statements about the validity status of one or more certificates for a specified time interval, combines these statements into batches of size i, and in each batch uses batch processing RSA with the exponents d1, ..., di to produce a digital signature for each statement. The SERTCA then sends the precomputed signatures of validity status to unprotected transponders, additionally including information that allows the transponder and/or dependence side to determine the exponent ej used to verify each statement. The transponder then stores the artificial precomputation responses of the SERTCA.
When a dependence side asks a transponder for validity status information, the RTC transponder answers the query with an artificial precomputation response. Each response includes the verification exponent ej needed to verify the response, and the SERTCA certificate (if needed). The dependence side can then verify the artificial precomputation response using RSA with the modulus n obtained from the SERTCA certificate and the verification exponent ej obtained from the RTC transponder.
Variations of this method are also possible. For example, if the exponents are arbitrary (and no special message format is applied before issuing the RSA signature), an adversary who knows the SERTCA modulus n from the SERTCA certificate could look for an exponent e that enables the adversary to produce an RSA signature of a false statement with respect to n and e. To improve security, the SERTCA exponents e1, ..., ei can be fixed in advance (and need not be made available by the transponder each time). In particular, the exponents can be specified as part of the SERTCA certificate signed by the CA. The SERTCA certificate can then take the form:
$C = SIG_{CA}(SERTCA, SN, (n, e_1, \ldots, e_i), ID, D_1, D_2, \ldots)$
The dependence side can also obtain the verification exponent from the SERTCA certificate or another source, rather than from the transponder.
It is advantageous for the transponder and/or dependence side to be able to infer which exponent ej was used for a particular statement, rather than having this information stated explicitly. For example, such an inference can be made if the j-th certificate authenticated in each batch always has a serial number congruent to j modulo i. The transponder and/or dependence side can then simply infer the index j of the exponent from the serial number of the certificate whose validity is being verified.
It should be noted that in this method the dependence side's verification does not follow the standard RSA signature verification paradigm, because the public key of the SERTCA may not be presented to the dependence side in the form (n, e). The cost of modifying existing dependence side RSA implementations is prohibitive in some applications. This can be addressed by the following alternative method.
In the second method, the SERTCA begins by producing a modulus n as in traditional RSA signatures, together with i verification exponents e1, ..., ei, which the SERTCA presents to the CA for certification. It is advantageous for the SERTCA to protect the prime factorization of n. The CA can then issue i digital certificates for the public keys PK1 = (n, e1), PK2 = (n, e2), ..., PKi = (n, ei). For example, the i SERTCA certificates can take the form $C_1 = SIG_{CA}(SERTCA, SN, (n, e_1), ID, D_1, D_2, \ldots)$, ..., $C_i = SIG_{CA}(SERTCA, SN, (n, e_i), ID, D_1, D_2, \ldots)$. The CA can then notify the SERTCA of the status of its user certificates. After that, and independently of any dependence side request, the SERTCA produces statements about the validity status of one or more certificates for a specified time interval, combines these statements into batches of size i, and in each batch uses batch processing RSA with the exponents d1, ..., di to produce a digital signature for each statement. The SERTCA then sends the precomputed signatures of validity status to unprotected transponders, additionally including information that allows the transponder and/or dependence side to determine the exponent ej used to verify the signature on each statement. The transponder stores the responses precomputed by the SERTCA.
When a dependence side asks a transponder for validity status information, the RTC transponder answers the query with a precomputed response. Each response signed with respect to exponent ej includes the j-th SERTCA certificate Cj (if needed or requested). The dependence side verifies the precomputed answer using RSA with the public key (n, ej) obtained from the SERTCA certificate. It should be noted that the dependence side's verification is syntactically the same as standard RSA verification, because an RSA public key in canonical form is obtained from the SERTCA certificate. Therefore, the dependence side does not need to modify its standard RSA implementation. In fact, the dependence side may be entirely unaware that the SERTCA is using batch processing OCSP.
Variations of the above method are also possible. For example, rather than the SERTCA selecting the exponents e1, ..., ej and presenting them to the CA, such exponents can be inferred or known in advance by the CA, for example because the exponents are fixed parameters of the system. It is also advantageous for the transponder and/or dependence side to be able to infer which exponent ej was used for a particular statement, rather than having this information stated explicitly. For example, such an inference can be made if the j-th certificate authenticated in each batch always has a serial number congruent to j modulo i. The transponder and/or dependence side can then simply infer the index j of the exponent from the serial number of the certificate whose validity is being verified.
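The following added example (not code from the patent) sketches the batch processing RSA idea behind the second method: one full-size secret exponentiation yields a separate signature for each statement in a batch, and each signature passes an ordinary RSA check under (n, ej). The splitting step follows the published batch RSA technique that the text refers to but does not spell out; the toy primes, the exponent list, the bare SHA-256 digest, the sample statements and all names are assumptions, and the exponent is inferred as serial number mod i as in the variation above.

```python
import hashlib
from math import gcd, prod

# Constructed toy key, NOT secure: two Mersenne primes stand in for the secret p and q.
P, Q = 2**127 - 1, 2**107 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)
# Fixed verification exponents e1..ei (assumed values): pairwise coprime, coprime to PHI.
EXPONENTS = [5, 11, 13, 17]


def digest(statement: bytes) -> int:
    """b = H(m) reduced mod n. Deployed signatures use a padded encoding, not a bare hash."""
    return int.from_bytes(hashlib.sha256(statement).digest(), "big") % N


def exponent_for(serial: int) -> int:
    """Exponent inferred from the serial number: index j = serial mod i."""
    return EXPONENTS[serial % len(EXPONENTS)]


def _split(r: int, items: list) -> list:
    """Break r, the product of the wanted roots, into the individual roots.

    items is a list of (b, e) pairs; only small public exponents are used here.
    """
    if len(items) == 1:
        return [r]
    half = len(items) // 2
    left, right = items[:half], items[half:]
    e_left = prod(e for _, e in left)
    e_right = prod(e for _, e in right)
    # CRT exponent x with x = 0 (mod e_left) and x = 1 (mod e_right).
    x = e_left * pow(e_left, -1, e_right)
    known = 1
    for b, e in left:
        known = known * pow(b, x // e, N) % N
    for b, e in right:
        known = known * pow(b, (x - 1) // e, N) % N
    # r^x equals known times the product of the right-hand roots.
    r_right = pow(r, x, N) * pow(known, -1, N) % N
    r_left = r * pow(r_right, -1, N) % N
    return _split(r_left, left) + _split(r_right, right)


def batch_sign(statements: dict) -> dict:
    """Sign one statement per exponent using a single private-key exponentiation."""
    serials = sorted(statements)
    items = [(digest(statements[s]), exponent_for(s)) for s in serials]
    exps = [e for _, e in items]
    if len(set(exps)) != len(exps):
        raise ValueError("each exponent may be used only once per batch")
    e_all = prod(exps)
    if gcd(e_all, PHI) != 1:
        raise ValueError("exponents must be coprime to phi(n)")
    combined = 1
    for b, e in items:
        combined = combined * pow(b, e_all // e, N) % N
    # The only full-size (secret) exponentiation in the whole batch.
    root = pow(combined, pow(e_all, -1, PHI), N)
    return dict(zip(serials, _split(root, items)))


def verify(serial: int, statement: bytes, signature: int) -> bool:
    """Standard RSA verification with the public key (n, ej)."""
    return pow(signature, exponent_for(serial), N) == digest(statement)


# Constructed sample batch: four single-certificate status statements.
BATCH = {
    100: b"100: valid; date: D1; next date: D2",
    101: b"101: revoked; date: D1; next date: D2",
    102: b"102: suspended; date: D1; next date: D2",
    103: b"103: valid; date: D1; next date: D2",
}
```

Each signature returned by `batch_sign` is identical to the one an individual signing with dj would give, which is why the dependence side needs no change to its RSA verification.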
With reference to Figure 19, flow chart 600 shows the steps performed when initializing a SERTCA (or a suitable RTCA or OCSP transponder) to perform batch processing OCSP. Processing starts at a first step 602, where the CA certifies the modulus n. Step 602 is followed by step 604, where i exponent pairs (verification exponent and signing exponent) are produced. In this embodiment, the exponents are produced by the SERTCA using a pair of secret primes whose product equals n. In other embodiments, however, it is also possible to have another entity produce the exponent pairs of step 604 and to use other algorithms to produce the pairs.
For some embodiments, processing can end after step 604. However, other embodiments can include additional certification by the CA, as described above, including having the CA certify the verification exponents e1, e2, ..., ei. In one embodiment, shown at step 606, the CA certifies the i verification exponents in a single certificate, as described above. In another embodiment, shown at step 608, the CA issues i separate certificates, each certifying an RSA-style public key (n, ek), where ek is one of the i verification exponents.
With reference to Figure 20, flow chart 620 shows the steps performed by a SERTCA (or a suitable RTCA or OCSP transponder) when producing artificial precomputation responses. Processing starts at a first step 622, where the CA provides validation information to the SERTCA, as described elsewhere in this specification. Step 622 is followed by step 624, where the SERTCA uses the signing exponents d1, d2, ..., di to produce artificial precomputation responses. Step 624 is followed by step 626, where the SERTCA provides the artificial precomputation responses to the RTC transponders in a manner similar to that described elsewhere in this specification.
In certain embodiments, SERTCA can provide other index information to the RTC transponder.This is illustrated by the optional step shown in the flow chart 620 of Figure 20.Other index information can be made up of one or more proofs of the certain index of just using and/or the information of indicating which certain index to be used for which artificial precomputation response.Certainly, of this specification other places, also can there be other mechanism to confirm which artificial precomputation response which index is used for, thereby, such information needn't be provided separately for SERTCA.Similarly, can be useful on index information is communicated by letter to the mechanism of RTC transponder (dependence side is given in final communication), thereby needn't any other proof be provided separately for index.
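The flow of Figures 19 and 20, combined with the serial-number inference rule described above, can be sketched as follows. This is an added example, not code from the patent: it assumes a toy modulus built from two Mersenne primes, unpadded SHA-256 digests, and a simple recursive form of batch RSA (this passage does not say which batch algorithm is used); the function names and the sample batch are hypothetical.

```python
import hashlib
from math import gcd, prod

# Constructed toy key (assumption): two Mersenne primes. Real moduli are 2048+ bits.
P, Q = 2**61 - 1, 2**89 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)

def gen_exponents(i):
    """Step 604: i pairwise-coprime verification exponents, each coprime to phi(n)."""
    es, c = [], 3
    while len(es) < i:
        if gcd(c, PHI) == 1 and all(gcd(c, e) == 1 for e in es):
            es.append(c)
        c += 2
    return es

def digest(status):
    """Unpadded hash-to-integer (simplification: real RSA signatures use padding)."""
    return int.from_bytes(hashlib.sha256(status).digest(), "big") % N

def split(ms, es, root):
    """From root = prod m_j^(1/e_j), recover every m_j^(1/e_j) with public values only."""
    if len(ms) == 1:
        return [root]
    h = len(ms) // 2
    el, er = prod(es[:h]), prod(es[h:])
    t = el * pow(el, -1, er)                  # t = 0 (mod el) and t = 1 (mod er)
    exps = [t // e for e in es[:h]] + [(t - 1) // e for e in es[h:]]
    known = prod(pow(m, x, N) for m, x in zip(ms, exps)) % N
    right = pow(root, t, N) * pow(known, -1, N) % N
    left = root * pow(right, -1, N) % N
    return split(ms[:h], es[:h], left) + split(ms[h:], es[h:], right)

def batch_sign(ms, es):
    """Sign all digests with one private-key exponentiation (exponent E^-1 mod phi)."""
    E = prod(es)
    M = prod(pow(m, E // e, N) for m, e in zip(ms, es)) % N
    return split(ms, es, pow(M, pow(E, -1, PHI), N))

def issue_batch(batch, es):
    """batch maps serial -> status bytes; slot j = serial mod i selects exponent e_j."""
    slots = {sn % len(es): sn for sn in batch}
    if len(slots) != len(es) or len(batch) != len(es):
        raise ValueError("need exactly one certificate per residue class mod i")
    order = [slots[j] for j in range(len(es))]
    sigs = batch_sign([digest(batch[sn]) for sn in order], es)
    return dict(zip(order, sigs))

def verify(serial, status, sig, es):
    """Relying party infers e_j from the serial number; no exponent is transmitted."""
    return pow(sig, es[serial % len(es)], N) == digest(status)

# Constructed sample batch: serial numbers and status strings are illustrative.
ES = gen_exponents(3)
BATCH = {1001: b"SN=1001;status=good;thisUpdate=2005-01-10",
         1002: b"SN=1002;status=revoked;thisUpdate=2005-01-10",
         1003: b"SN=1003;status=good;thisUpdate=2005-01-10"}
RESPONSES = issue_batch(BATCH, ES)
```

Each batched signature equals the one that ordinary RSA signing with the matching d_j would produce, so a relying party verifies it like any single RSA signature once it has inferred e_j.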
It should be noted that the batch OCSP technique described above can be used with an RTCA instead of a SERTCA, and can also be used with a conventional OCSP architecture, in which the OCSP responder computes digitally signed certificate status information upon receiving queries from relying parties. In particular, if the OCSP responder receives an isolated query, the OCSP responder can produce a single RSA-signed response, but if the OCSP responder receives many queries within a very short time, the OCSP responder can answer all or some of the queries in the batch manner described above. This is set forth below.
First, the CA informs the OCSP responder of the status of its user certificates in an OCSP-compatible manner. Upon receiving multiple certificate status queries, the responder can use batch RSA to compute i independent conventional OCSP responses to the i queries, each relative to an exponent ej. The OCSP responder may also specify the corresponding exponent and/or include a CA-signed responder certificate attesting that ej (and the appropriate RSA modulus n) can be used to verify the responder's signature. The CA can provide the OCSP responder with a single OCSP responder certificate that indicates only the RSA modulus n used by the responder for its batch RSA signatures. For example, in symbols:
$C = SIG_{CA}(\text{responder}, SN, n, ID, D_1, D_2, \ldots)$
It should be noted that this is particularly accurate and secure if the exponents used by the OCSP responder are fixed. Alternatively, the CA can provide the OCSP responder with a responder certificate that specifies the multiple exponents the responder may use for batch RSA signatures. For example, in symbols:
$C = SIG_{CA}(\text{responder}, SN, (n, e_1, \ldots, e_k), ID, D_1, D_2, \ldots)$
Alternatively, for a particular OCSP responder, the CA can issue k different responder certificates, one for each exponent that the responder may use for batch RSA signatures. For example, in symbols:
$C_1 = SIG_{CA}(\text{responder}, SN, (n, e_1), ID, D_1, D_2, \ldots), \ldots, C_k = SIG_{CA}(\text{responder}, SN, (n, e_k), ID, D_1, D_2, \ldots)$
Throughout this description, the CA, RTCA, responder, party, and user may be any entity (such as a person, organization, server, device, computer program, or computer file) or collection of entities. Certificates should be understood to include all kinds of certificates and, in particular, hierarchical certificates and flat certificates. See, for example, U.S. Patent 5,420,927, which is incorporated herein by reference. Validity status and proofs of validity status may include the validity status and proofs of validity status of hierarchical certificates (such as the validity status and proofs of validity status of all certificates in a chain of certificates). Verifying the validity of a certificate C may include verifying the validity of the CA certificate of the CA that issued C and the validity of the RTCA/SERTCA certificate of the RTCA/SERTCA that provided the signed response about the validity status of C.
Where appropriate, digital signing and digital signatures may be understood here to include any suitable authentication of a message.
Although certificates describe digitally signed documents that bind a particular key to a particular user, following U.S. Patent 5,666,416 (incorporated herein by reference), certificates should also be understood to include all types of digitally signed documents. For example, a vendor acting as a CA may certify that a price list is under its control by digitally signing the price list (possibly together with date information). It is useful to know the validity status of such a certificate. For example, the vendor may want to prove the current validity of the price list (and refuse to honor a given price in the price list unless proof of its current validity is shown). A customer may therefore wish to ascertain the current validity of the price list document. The system described here can be used for this. The system described here can also be used to prove the current validity of web pages. In some embodiments, the proof of current validity generated by the RTCA/SERTCA may be stored with (or in association with) the web page itself. In such cases, a party may be regarded as a computer file.
Sending a piece of data D (to a party X) should be understood to include making D available (or causing X to receive D).
It should be noted that the system described here can be implemented using hardware, software, or some combination thereof, including but not limited to a programmed general-purpose computer, possibly in combination with special-purpose hardware such as digital signal processing hardware, to provide the functions described here.
While the invention has been disclosed in connection with a number of embodiments, modifications thereof will be readily apparent to those skilled in the art. Accordingly, the spirit and scope of the invention are set forth in the following claims.

Claims (11)

1. A method of facilitating a transaction between a first party and a second party, comprising:
prior to initiating the transaction, one of the parties obtaining and storing an artificially pre-computed Online Certificate Status Protocol (OCSP) response about a specific digital certificate, wherein the artificially pre-computed OCSP response is generated by an entity other than the first party and the second party, and wherein the artificially pre-computed OCSP response is generated independently of any request by either party concerning the validity of the specific digital certificate;
one of the parties initiating the transaction;
in connection with the transaction, the first party providing the specific digital certificate to the second party; and
the second party verifying the specific digital certificate using the artificially pre-computed OCSP response, the artificially pre-computed OCSP response having been stored prior to initiating the transaction, and verifying the validity of the specific digital certificate using the artificially pre-computed OCSP response.
2. The method of claim 1, wherein the second party obtains the artificially pre-computed OCSP response prior to the transaction being initiated.
3. The method of claim 2, wherein the second party caches the artificially pre-computed OCSP response for future transactions.
4. The method of claim 1, wherein the first party obtains the artificially pre-computed OCSP response prior to the transaction being initiated.
5. The method of claim 4, wherein the first party caches the artificially pre-computed OCSP response for future transactions.
6. The method of claim 4, further comprising:
the first party providing the artificially pre-computed OCSP response to the second party after the transaction is initiated.
7. A method of determining the validity of a digital certificate, comprising:
generating a digitally signed artificially pre-computed response about the validity status of the digital certificate;
examining the digitally signed artificially pre-computed response about the validity status of the digital certificate, wherein the artificially pre-computed response is digitally signed by a particular entity other than the entity that issued the digital certificate, wherein the digitally signed artificially pre-computed response about the validity status of the digital certificate is generated independently of a request inquiring about the validity of the digital certificate, and wherein the digitally signed artificially pre-computed response about the validity status of the digital certificate is obtained and stored independently of a request inquiring about the validity of the digital certificate; and
verifying the digitally signed artificially pre-computed response using information from at least one of: the digital certificate and a certificate authenticating the entity that issued the digital certificate.
8. The method of claim 7, wherein the information is a public key corresponding to the secret key used to digitally sign the artificially pre-computed response.
9. The method of claim 7, wherein the information corresponds to a particular digital certificate authenticating the particular entity that digitally signed the artificially pre-computed response.
10. A method of providing information about digital certificate validity, comprising:
determining a digital certificate validity status for each certificate in a set of digital certificates;
periodically generating a plurality of digitally signed artificially pre-computed messages about the validity status of at least a subset of the set of digital certificates; and
periodically forwarding the digitally signed artificially pre-computed messages to a plurality of responders that service requests by relying parties inquiring about the validity status of digital certificates in the set of digital certificates, wherein messages about some certificates are forwarded at a frequency different from that of messages about other certificates.
11. The method of claim 10, wherein messages about revoked certificates are forwarded less frequently than messages about valid certificates.
CN200580002180.6A 2004-01-09 2005-01-10 Communication-efficient real time credentials for OCSP and distributed OCSP Expired - Fee Related CN1985460B (en)

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
US53566604P 2004-01-09 2004-01-09
US60/535,666 2004-01-09
US53681704P 2004-01-15 2004-01-15
US60/536,817 2004-01-15
PCT/US2005/000665 WO2005070116A2 (en) 2004-01-09 2005-01-10 Communication-efficient real time credentials for ocsp and distributed ocsp

Publications (2)

Publication Number Publication Date
CN1985460A CN1985460A (en) 2007-06-20
CN1985460B true CN1985460B (en) 2012-12-12

Family

ID=37779378

Family Applications (3)

Application Number Title Priority Date Filing Date
CN2005800021524A Expired - Fee Related CN1998181B (en) 2004-01-09 2005-01-10 Batch OCSP and batch distributed OCSP
CN200580002180.6A Expired - Fee Related CN1985460B (en) 2004-01-09 2005-01-10 Communication-efficient real time credentials for OCSP and distributed OCSP
CN2005800021539A Expired - Fee Related CN1922815B (en) 2004-01-09 2005-01-10 Sign-efficient real time credentials for ocsp and distributed ocsp

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN2005800021524A Expired - Fee Related CN1998181B (en) 2004-01-09 2005-01-10 Batch OCSP and batch distributed OCSP

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN2005800021539A Expired - Fee Related CN1922815B (en) 2004-01-09 2005-01-10 Sign-efficient real time credentials for ocsp and distributed ocsp

Country Status (1)

Country Link
CN (3) CN1998181B (en)


Also Published As

Publication number Publication date
CN1985460A (en) 2007-06-20
CN1998181B (en) 2012-01-04
CN1922815B (en) 2011-03-23
CN1922815A (en) 2007-02-28
CN1998181A (en) 2007-07-11


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: ASSA ABLOY CO., LTD.

Free format text: FORMER OWNER: CORESTREET LTD.

Effective date: 20150105

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20150105

Address after: Stockholm

Patentee after: BUGA Technologies GmbH

Address before: Massachusetts, USA

Patentee before: Corestreet Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20121212

Termination date: 20180110
