US20030014629A1 - Root certificate management system and method - Google Patents
Root certificate management system and method Download PDFInfo
- Publication number
- US20030014629A1 US20030014629A1 US09/906,504 US90650401A US2003014629A1 US 20030014629 A1 US20030014629 A1 US 20030014629A1 US 90650401 A US90650401 A US 90650401A US 2003014629 A1 US2003014629 A1 US 2003014629A1
- Authority
- US
- United States
- Prior art keywords
- certificate
- root
- user
- certificates
- store
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3268—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/80—Wireless
Definitions
- the invention relates generally to information security systems employing cryptographic techniques, and more particularly to wireless information security systems that employ certificates.
- digital signature key pairs having a private key and public key, are often used to authenticate a digital signature of a client using a software application in order to confirm the identity of the sender of the message.
- the software application executes on a processor, sometimes referred to as a cryptographic engine.
- a subscriber may generally be, for example, a network computer mode, an Internet appliance, wireless radiotelephone, a software application or a subscriber in the information security system.
- encryption key pairs are also generally used to encrypt data being sent from one subscriber to another subscriber within the computer network or within a wireless network. Certificates are typically generated by a trusted certification authority for the public keys of the private/public key pair to certify that the keys are genuinely owned by a named subscriber. Standards, such as ISO 9594-8, available from the International Organization Standardization, define typical certificate content.
- Certification authorities (CA), sometimes referred to as certificate issuing units, issue certificates for subscribers.
- Root certificates are those certificates issued by a root certification authority to itself. Thus, a root certificate is verified using the public key contained within it. Since any entity with access to any private/public key pair can produce such a root certificate, a legitimate root certificate must be protected for integrity and authenticity by another external mechanism.
- Convention desktop devices such as desktop computers and laptop computers, Web browsers have a long pre-stored list of trusted root certificates that have been issued by differing certification authorities. Accordingly, a local root certification authority certificate store is maintained by such conventional devices.
- the root CA certificates are typically used by the desktop device or other unit to validate certificates that accompany encrypted information or digitally signed information, such as with electronic transactions via the Internet.
- the stored long list of trusted root certificates allows a device to potentially trust a number of certificates from differing certification authorities allowing the Web browser to potentially transact business with subscribers in different trust domains.
- the limited amount of memory makes it difficult to store a long list of trusted root certificates, and a limited battery life and processing capabilities can reduce the processing capabilities to make it difficult for a wireless device to carry out conventional certificate validation operations.
- a certificate verification module within a device attempts to find a sequence of certificates corresponding to a certification path starting with the trusted certification authority whose public key the subscriber trusts a priori (i.e., root CA), and ending at a target certification authority which has signed the certificate of the public key to be verified.
- search for trusted paths is carried out using conventional search techniques, such as a breadth first or depth first techniques as known in the art, then a problem by way of reduced system or device performance occurs when large numbers of certification authorities are in the community of interest, and many different combinations of links among certification authorities and various networks (or the same network) exist.
- a verification unit may spend valuable processing time obtaining and verifying all combinations of links to determine whether a trusted path has been maintained with the certification authority of the verifying verification unit and the certificate issuing unit that issued the target certificate.
- Wireless application protocol (WAP) servers typically check a list of certificates that it trusts and compares that list to see if a root certificate that is identified by the subscriber is also on the list. If so, it will complete the transport layer security session. Otherwise, it will abandon the protocol.
- WAP Wireless application protocol
- FIG. 1 illustrates a conventional wireless communication system with a mobile wireless device 10 that is in operative communication through a wireless network 12 with a wireless application protocol server 14 and, if desired, another public key infrastructure server 16 .
- the mobile wireless device 10 includes a root CA certificate store 18 that contains, in this example, root certificates from Certification Authority 1 (CA 1 ), CA 5 and CA 20 and accordingly and will trust communications from subscribers or servers that also trust these root CAs.
- CA 1 Certification Authority 1
- CA 5 Certification Authority 1
- the wireless mobile unit 10 communicates with the WAP server and notifies the WAP server that it trusts certificates from CA 1 , CA 5 and CA 20 as indicated in the root CA store 18 . Since the digitally signed message uses a certificate from CA 7 , the WAP server may redirect the wireless mobile unit 10 to contact the server 16 which would provide a root certificate for CA 7 . However, since there is only enough memory to store, for example, three root certificates, the subscriber must now determine which of the root certificates gets deleted in favor of the new root certificate from CA 7 . In addition, many mobile wireless devices may have slow or low bandwidth communication links such as slow modems which limit the amount of information that can be communicated. Moreover, persons owning the devices may typically have to pay for air time and thus minimizing the bandwidth requirements in wireless communications for purposes of information security is high desirable.
- OCSP On-line Certificate Status Protocol
- a subscriber sends a target certificate (certificate to be validated) and the trusted root certificate to a third party OCSP server which constructs and validates the appropriate certificate path.
- the OCSP server indicates whether or not the target certificate is valid.
- a methodology still requires a subscriber to trust and have available the same number of root certificates.
- the client sends the target certificate and a root certificate to the OCSP server. If a valid certificate chain exists for the target certificate and the associated root certificate, the OCSP server responds that the certificate is “valid”. If a valid certificate chain does not exist, the server responds that the certificate is “invalid”.
- a root certificate is sent by the wireless mobile unit in the request to the OCSP server. It would be desirable to avoid having to waste wireless resource bandwidth on sending root certificates. In addition, it would be desirable to avoid having to access or maintain a local root CA store.
- the compromise of a certification authority in any network and particularly a wireless network, such as if a virus is present, can allow an unscrupulous party to be allowed to digitally sign information.
- pre-stored root CA certificates stored, for example, in memory of mobile devices, it is often difficult to determine which subscribers have which root certificates since different browsers may have different pre-stored sets and depending upon the browser version, differing root CAs may be present in any given mobile wireless device.
- FIG. 1 is block diagram illustrating one example of a wireless communication system employing the use of certificates in a conventional manner
- FIG. 2 is a block diagram of a wireless communication system employing certificate validation in accordance with one embodiment of the invention
- FIG. 3 is a flow chart illustrating one method for validating a certificate in accordance with one embodiment of the invention
- FIG. 4 is a block diagram illustrating another embodiment of a wireless communication system employing the validation of a certificate in accordance with one embodiment of the invention
- FIG. 5 is a flow chart illustrating one method for validating a certificate as carried out by the system of FIG. 4;
- FIG. 6 is a block diagram illustrating one example of the content of a multi-subscriber root certificate store in accordance with one embodiment of the invention.
- FIG. 7 is a flow chart illustrating one example of maintenance of a multi-subscriber root certificate store in accordance with one embodiment of the invention.
- a method and system for validating a certificate maintains a multi-subscriber root certificate store, containing subscriber identification data for a plurality of subscribers along with data representing a plurality of root certificates, such as an index to root certificates or the root certificates themselves, associated with each of the plurality of subscribers.
- a table is stored containing specified root CA certificates for a plurality of subscribers in a network such as stored by a network element in a wireless radiotelephone network, or any other suitable wireless network.
- Subscriber units do not have a root CA store that contains pre-stored root CA certificates. Accordingly, memory is saved in the subscriber units.
- a separate server that stores the multi-subscribers root certificate store preferably carries out certificate path validation on behalf of the mobile units so that the wireless mobile unit need not carry out certificate path construction. Instead, a wireless mobile unit simply sends a certificate to be validated along with its subscriber ID data identifying the mobile unit or application to the multi-subscriber root certificate store server and waits for a “yes” or “no” answer from the server to determine whether the certificate is valid.
- the multi-subscriber root certificate management server obtains, based on received subscriber identification data, those root certificates trusted by the subscriber from the multi-root certificate store. The server then performs certificate path validation to validate the received certificate using the root certificates from the multi-root certificate store. Accordingly, a party other than the wireless mobile unit performs certificate validation. Hence, the cryptographic engine resident in the wireless mobile unit may be less sophisticated and need not require a certificate validation engine.
- the multi-subscriber root certificate store may store the list of root certificates trusted by each subscriber or each group of subscribers. Accordingly, the root certificates trusted by each client or subscriber need not reside locally on the client device and hence need not take up valuable memory resources on the device. In addition, the multi-subscriber root certificate store allows each subscriber or group of subscribers to trust as many root certificates as required.
- the central multi-subscriber root certificate management server allows for central and effective control of root certificate revocation. The central root certificate management server is able to immediately remove any untrusted root certificate from any and all subscriber lists of trusted root certificates. This may be desirable where network operators wish to maintain control of their subscribers' trust relationships.
- a subscriber When a subscriber receives a certificate that it wishes to validate, it sends a request to the central root certificate management server with an indication of the subscriber's identity.
- the subscriber identification data may be a signature on the subscriber's identity.
- the subscriber identification data may be a signature on the request, the subscriber's ID number or subscriber's name or any other method of identifying the subscriber.
- the request does not include an indication of the roots trusted by the subscriber since the central root certificate management server already has this information (and the client does not).
- the central root certificate management server then validates the certificate with respect to the list of trusted roots stored for that particular subscriber. A response is then returned, indicating the validity (pass/fail) of the target certificate.
- the response is protected for integrity and authenticity either using a digital signature, a secure session, a MAC or any other method for providing integrity and authenticity.
- the subscriber device In order to verify the response, the subscriber device need only store a verification key required to verify the response. This can result in a substantial savings over having to store a list of trusted root CA certificates and requiring certification path verification.
- the central root certificate management server may also store any policy information required to validate certificates within any particular certification authority domain.
- a subscriber when it wishes to validate, it could send a request to the central root certificate management server with the certificate and an indication of the subscriber's identity, as above, but also including the digital signature to be validated.
- the central root certificate management server then validates the certificate, as above, and also validates the digital signature.
- the digital signature can only be valid if the corresponding certificate is valid.
- the response from the central root certificate management server to the subscriber indicates the validity (pass/fail) of the signature.
- FIG. 2 illustrates one example of a system 200 for validating a certificate 252 in accordance with one embodiment of the invention.
- the system 200 includes a wireless mobile unit 202 and a server referred to as a central root certificate management server (CRCMS) 204 , that includes a central root certificate managing module, such as a software application that contains instructions that, when executed by a processing device resident in the server, causes the server to perform the operations described herein.
- CCMS central root certificate management server
- a central root certificate managing module such as a software application that contains instructions that, when executed by a processing device resident in the server, causes the server to perform the operations described herein.
- any suitable combination of hardware, software and firmware may be used.
- the central root certificate management server 204 includes memory 206 , such as a database or other suitable storage medium or structure that serves as a multi-subscriber root certificate store 208 which contains subscriber identification data 210 for a plurality of subscribers and data representing a plurality of root certificates 212 associated with each of the plurality of subscribers.
- the central root certificate managing module maintains the multi-subscriber root certificate store 208 by at least removing unacceptable root certificates determined to be, for example, invalid or otherwise untrustworthy, that are common for a plurality of subscribers.
- subscribers having subscriber ID 1 and subscriber ID 2 both have root certificate 3 (RC 3 ) as trusted root certificates.
- the central root certificate management server 204 will indicate that these root certificates are untrustworthy and remove them from the multi-subscriber root certificate store and, if desired, notify the subscriber the next time the subscriber requests validation of a certificate using the root certificate RC 3 .
- the central root certificate management server 204 is operably coupled to wireless network through, for example, a wireless application protocol (WAP) gateway 214 .
- WAP wireless application protocol
- the central root certificate management server 204 is a server element within the Internet. However, the server may be in any suitable system.
- the mobile wireless unit 202 is in operative communication with the wireless application protocol gateway 214 through a suitable wireless communication link or network illustrated generally as 215 .
- the system 200 also includes an application server 216 , such as a Web server or other unit with which the wireless mobile device 202 wishes to communicate and which provides the target certificate 252 .
- a certificate repository 205 which includes suitable certificate revocation lists, certificates, and any other suitable information as known in the art to facilitate the construction of trusted paths.
- the repository 205 may be, for example, an X.500 type repository, or any other suitable repository.
- the central root certificate management server 204 may also provide certificate validation as known in the art, by constructing the requisite paths to determine whether a certificate is valid.
- an OCSP server 220 instead of the central root certificate management server 204 performing certificate validation, an OCSP server 220 performs certificate validation.
- the central root certificate management server 204 sends a target certificate 252 to be validated and the root certificate 226 from the multi-subscriber root certificate store to the OCSP server.
- the OCSP server 220 then performs path construction if desired or any other suitable processing necessary to determine whether the target certificate 252 is valid.
- the OCSP server then sends the validation status 222 back to the central root certificate management server 204 which can then communicate whether the certificate is valid back to the wireless mobile unit 202 .
- the wireless mobile unit 202 may be any suitable Internet appliance, a laptop computer with a wireless transceiver, a radiotelephone, or any other suitable device.
- the wireless mobile device 202 includes a cryptographic engine 240 which may be implemented, for example, by suitable programming of a processing device such as a microprocessor, DSP, or any other suitable device to perform cryptographic functions.
- the cryptographic engine 240 is configured to be a digital signature verifier.
- the wireless mobile device 202 also includes memory 242 operably coupled to the cryptographic engine 240 via a suitable bus 244 .
- Subscriber identification data 246 is stored in the wireless mobile device 202 as well as, for example, a verification key 248 such as a public key certificate issued for the central root certificate management server.
- a verification key 248 such as a public key certificate issued for the central root certificate management server.
- a MAC key of the central root certificate management server may also be used, or any other suitable verification key.
- the cryptographic engine 240 determines whether the target certificate 252 or a received certificate received from, for example, the server 216 is valid, without referencing a local root certificate store.
- no root certificates are stored in the wireless mobile unit 202 and instead are maintained by the central root certificate management server 204 .
- the central root certificate management server 204 includes an interface 250 that is operative to communicate with the wireless access protocol-based gateway 214 . Also, if desired, the same interface, or other interface, can be used to communicate with the third party root certificate validation provider, namely the OCSP server 220 .
- the verification key 248 is prestored in the wireless mobile device.
- This may be, for example, the public key associated with the central root certificate management server 204 as issued by itself serving as a certification authority.
- the information may be downloaded wirelessly when the wireless mobile device 202 is activated, as part of an initialization procedure.
- the central root certificate management server 204 sends a root CA certificate selection form containing a list of a plurality of root certification authority certificates to allow the client to identify which root CA certificates to associate with its subscriber identification data. This is shown in block 302 . This may be carried out as part of a set up procedure.
- the root certification authority certificate selection form may be an HTML form, or any data structure, applet or any other mechanism to allow choosing of desired root CA certificates by or through a client device.
- the method also includes the wireless mobile device 202 forwarding any root certificates that it receives from other sources, that are categorized in a different class from those placed in the selection form. For example, if the subscriber is a member of a plurality of different communities of trust, and associated root CA certificates are added periodically, the wireless mobile unit 202 forwards the new root certificates to the central root certificate management server for association with the particular subscriber ID for that device so that the device need not maintain the new root CA certificates.
- the method includes maintaining, such as by the central root certificate management server 204 , the multi-subscriber root certificate store 208 by populating the multi-subscriber root certificate store 208 with selected root CA certificates for the given subscriber ID as indicated in the form. This population is done for all subscribers in the network community as identified, for example, by a system operator or upon initialization with the system 200 .
- the method includes the wireless mobile device 202 attempting to set up, for example, a transport layer security session with the application server 216 . This is shown as TLS handshaking 250 .
- the application server 216 sends the target certificate 252 to be validated, back to the wireless mobile unit 202 as indicated by communication 252 .
- the wireless mobile device 202 in this embodiment, merely forwards the received certificate along with the subscriber identification data 246 to the central root certificate management server 204 as shown by communication 256 .
- the wireless mobile unit 202 avoids a need for a local root certificate store, accessing of such a store, and avoids certificate validation processing, by merely forwarding the received certificate 252 and the subscriber ID 246 to the central root certificate management server 204 . This is shown in block 312 .
- the communication is considered a request 256 to validate the target certificate 252 which includes data representing the certificate to be validated. In this instance, it is the certificate itself. Alternatively, it can be the public key within the certificate, the subject name from the certificate, or an index to a repository indicating where to obtain the target certificate.
- the central root certificate management server 204 receives the request 256 to validate a certificate as shown in block 314 accesses the multi-subscriber root certificate store 208 using the user ID 246 to obtain those root certificates trusted by that particular client. Accordingly, the method includes obtaining, based on the received user identification data 246 , those root certificates trusted by the client as obtained from the multi-user root certificate store 208 . Assuming by way of example that the subscriber ID data corresponds to subscriber ID 1 , the root certificates that are trusted in this example are those from root certificate CA 1 and root certificate CA 3 .
- the central root certificate management server 204 performs validation of the target certificate 252 by constructing a certificate chain between the target certificate and a root certificate stored in the multi-subscriber root certificate store for that client. As known in the art this involves, for example, contacting the requisite certification authorities, directories, and/or if desired, a OCSP server.
- the method includes receiving back, by the wireless mobile unit 202 , a trusted certificate validation response 260 indicating whether the target certificate 252 is valid based on the root certificates from the multi-subscriber root certificate store containing the subscriber identification data for the plurality of subscribers. This is shown in block 318 .
- This validation response 260 is then passed to the WAP gateway, and the WAP gateway 214 then wirelessly passes the validation response 260 to the wireless mobile unit 202 .
- the wireless mobile device 202 uses the cryptographic engine 240 to verify the trusted validation response 260 to validate the digital signature on the response to determine whether the certificate is valid. This is done without accessing a local root certificate store. If the certificate is valid, the wireless mobile apparatus 202 continues set up of the TLS session with the application server 216 as shown in block 320 .
- maintaining the multi subscriber root certificate store 208 may include storing a table containing user identification data 210 for a plurality of subscribers, and data representing the plurality of different classes of root certificates associated with each of the plurality of subscribers. This may be done, for example, on a group of subscriber basis as well.
- the cryptographic engine 240 sends the data representing the certificate 252 to be validated (such as the certificate itself, the public key therefrom, the subject name from the certificate, or an index) as well as subscriber identification data 246 , representing a subscriber for the central root certificate managing server 204 .
- the cryptographic engine 240 receives the trusted validation response 260 indicating whether the target certificate 252 is valid based on the contents of multi-subscriber root certificate store.
- the cryptographic engine 240 then verifies the trusted certificate validation response 260 using the stored verification key 248 that is associated with the central root certificate management unit 204 indicating whether the target certificate is valid. This is done without accessing a local root certificate store.
- FIGS. 4 and 5 an alternative embodiment is shown wherein wireless resource bandwidth is reduced. This is done, for example, by having the application server 216 be in communication with the central root certificate management server 204 .
- the wireless mobile device 202 namely the cryptographic engine 240 , instead of sending the target certificate 252 , sends data representing an address associated with the multi-subscriber root certificate store 208 , namely, an address such as an IP address or DN of the central root certificate management server 204 indicated as data 400 to the WAP gateway 214 which then forwards it to the application server 216 .
- the application server 216 includes a software routing module, such as a software application, which retrieves the target certificate 252 and sends the target certificate 252 along with the subscriber ID 246 as message 256 to the central root certificate management server 204 .
- a software routing module such as a software application
- the application server 216 Upon receipt of the response 260 from the central root certificate management server 204 , the application server 216 forwards the response to the wireless mobile device 202 .
- the target certificate 252 from the application server 216 namely the target certificate to be validated, need not be communicated to the wireless mobile device 202 and hence reduces bandwidth.
- WAP gateway 214 need not be coupled to the central root certificate management server 204 .
- an alternate method includes sending the subscriber ID 246 to the application server 216 along with a central root certificate management server address 400 to avoid the need for local root certificate store and local certificate validation processing.
- the method includes the application server 216 sending the subscriber ID 246 and the target certificate 252 to the central root certificate management server 204 using the address information 400 .
- the same steps 314 and 316 apply.
- the wireless mobile device 202 instead of receiving the response 260 from the central root certificate management server 204 for the WAP gateway, receives and verifies the response 260 as sent by the application server 216 . This is shown in block 504 .
- FIG. 6 illustrates the multi-root certificate store 208 showing a table 600 having root certificate classification divisions 602 and 604 .
- each root certificate is classified as to widely used root certificates and less widely used root certificates.
- the widely used certificates are considered a Class 1 602 and may be prestored in the central root certificate management server.
- the table 600 is preferably digitally signed by the central root certificate management server 204 to protect the integrity of the information.
- the class 2 root certificates 604 are those that are likely obtained and provided to the central root certificate management server 204 by each wireless mobile device as they are transmitted to such devices on a periodic basis.
- each subscriber can also send a request to the central root certificate management server 204 to remove a root CA association, if desired.
- the central root certificate management server 204 can revoke root CAs for all subscribers at the same time to avoid the spreading of a virus, for example.
- FIG. 7 is a flow chart illustrating one example of multi-subscriber root certificate store maintenance.
- the method includes sending the root certificates from all clients to be stored and then populating the store 208 on a per-subscriber ID basis (or per group basis), as shown in block 702 .
- each subscriber may select which certificates they desire in their list.
- the central root certificate management server 204 receives the root certificate revocation information out of band at a later point in time to determine which root certificate should be revoked.
- the central root certificate management server 204 removes the root CA from the multi-subscriber certificate store to avoid virus propagation.
- the method includes determining whether a request has been received from wireless mobile device to change any root CA entries. If so, as shown in block 710 , the method includes updating the root CA certificates for the requesting subscriber based on the update request. If no such request has been received, the method includes waiting, as shown in block 712 , to receive such a request at a later date.
- wireless mobile devices need not store any trusted root certificates and need only, for example, store a single verification key associated with the central root certificate management server 204 , to effect validation of all certificates.
- the wireless mobile units need not download trusted root certificates and do not need to implement certificate path validation.
- the above operations allow for more effective central ‘control of a subscriber’s trusted root certificate list.
- Implementations of the above apparatus and methods may include, for example, the use of software serving as executable instructions that when executed by one or more processing devices in the central root certificate management server and/or application server and/or WAP gateway and/or wireless mobile device, that causes the requisite devices to perform the operations described herein.
- an implementation may have one or more storage mediums, such as CD ROMs, distributed storage to effect downloading of the software from remove servers, or any other suitable storage medium containing executable instructions that when executed by one or more processing devices, causes the one or more processing devices to act as described herein.
- the processors may be a single processing entity or a plurality of processing entities.
- a processing entity may be a microprocessor, microcomputer, microcontroller, central processing units, digital signal processor, state machine, logic circuitry, and/or any device that manipulates information based on operational instructions.
- the memory may be a single memory device or a plurality of memory devices.
- Such a memory device may be a read-only memory, random access memory, floppy disk memory, hard disk memory, system memory, reprogrammable memory, magnetic tape memory, DVD memory, and/or any device that stores digital information. Note that if the processors implement one or more of their functions using a state machine or logic circuitry, the memory containing the corresponding operational instructions is embedded within the circuitry that comprises the state machine and/or logic circuitry.
Abstract
Description
- The invention relates generally to information security systems employing cryptographic techniques, and more particularly to wireless information security systems that employ certificates.
- In typical public key cryptography systems, digital signature key pairs, having a private key and public key, are often used to authenticate a digital signature of a client using a software application in order to confirm the identity of the sender of the message. The software application executes on a processor, sometimes referred to as a cryptographic engine. A subscriber may generally be, for example, a network computer mode, an Internet appliance, wireless radiotelephone, a software application or a subscriber in the information security system. In addition to digital signature key pairs, encryption key pairs are also generally used to encrypt data being sent from one subscriber to another subscriber within the computer network or within a wireless network. Certificates are typically generated by a trusted certification authority for the public keys of the private/public key pair to certify that the keys are genuinely owned by a named subscriber. Standards, such as ISO 9594-8, available from the International Organization Standardization, define typical certificate content.
- Certification authorities (CA), sometimes referred to as certificate issuing units, issue certificates for subscribers. Root certificates are those certificates issued by a root certification authority to itself. Thus, a root certificate is verified using the public key contained within it. Since any entity with access to any private/public key pair can produce such a root certificate, a legitimate root certificate must be protected for integrity and authenticity by another external mechanism. In conventional desktop devices, such as desktop computers and laptop computers, Web browsers have a long pre-stored list of trusted root certificates that have been issued by differing certification authorities. Accordingly, a local root certification authority certificate store is maintained by such conventional devices. The root CA certificates are typically used by the desktop device or other unit to validate certificates that accompany encrypted information or digitally signed information, such as with electronic transactions via the Internet. The stored long list of trusted root certificates allows a device to potentially trust a number of certificates from differing certification authorities allowing the Web browser to potentially transact business with subscribers in different trust domains. However, a problem arises with wireless mobile devices that have a limited amount of memory, battery life and limited processing capabilities. The limited amount of memory makes it difficult to store a long list of trusted root certificates, and a limited battery life and processing capabilities can reduce the processing capabilities to make it difficult for a wireless device to carry out conventional certificate validation operations.
- For example, typically, a certificate verification module within a device attempts to find a sequence of certificates corresponding to a certification path starting with the trusted certification authority whose public key the subscriber trusts a priori (i.e., root CA), and ending at a target certification authority which has signed the certificate of the public key to be verified. If the search for trusted paths is carried out using conventional search techniques, such as a breadth first or depth first techniques as known in the art, then a problem by way of reduced system or device performance occurs when large numbers of certification authorities are in the community of interest, and many different combinations of links among certification authorities and various networks (or the same network) exist. In such systems, a verification unit may spend valuable processing time obtaining and verifying all combinations of links to determine whether a trusted path has been maintained with the certification authority of the verifying verification unit and the certificate issuing unit that issued the target certificate.
- Due to the limited amount of memory in an Internet appliance, mobile wireless units, and other mobile devices, only a small number of trusted root certificates are typically stored on each device. Accordingly, the local root CA certificate store is made smaller. Extensions are then added to most protocols which use certificates allowing the subscriber device to specify which root certificates it trusts. By allowing a subscriber device to specify which roots it trusts, a Web server, or other suitable server, which also has the root certificates stored thereon, can choose the correct certificate (one trusted by the subscriber device) to send to the subscriber or to abandon the protocol if the server does not trust any of the root certificates specified by the subscriber. However, this arrangement requires the Web server, or other server, to possibly have numerous certificates for many different roots which may be trusted by subscribers. It also means that there will be potentially many failed attempts at establishing a transport layer security session when a match does not occur. Wireless application protocol (WAP) servers, for example, typically check a list of certificates that it trusts and compares that list to see if a root certificate that is identified by the subscriber is also on the list. If so, it will complete the transport layer security session. Otherwise, it will abandon the protocol.
- FIG. 1 illustrates a conventional wireless communication system with a mobile
wireless device 10 that is in operative communication through awireless network 12 with a wirelessapplication protocol server 14 and, if desired, another publickey infrastructure server 16. The mobilewireless device 10 includes a rootCA certificate store 18 that contains, in this example, root certificates from Certification Authority 1 (CA1), CA 5 andCA 20 and accordingly and will trust communications from subscribers or servers that also trust these root CAs. As shown, theWAP server 14 has been issued a certificate 7 from CA7, certificate 2 from CA 2, and certificate 3 from CA3. In this example, the mobilewireless device 10 has received a communication in which a certificate from CA7 is used to digitally sign information. Through wireless transport security handshaking 20, the wirelessmobile unit 10 communicates with the WAP server and notifies the WAP server that it trusts certificates from CA1, CA5 and CA20 as indicated in theroot CA store 18. Since the digitally signed message uses a certificate from CA7, the WAP server may redirect thewireless mobile unit 10 to contact theserver 16 which would provide a root certificate for CA7. However, since there is only enough memory to store, for example, three root certificates, the subscriber must now determine which of the root certificates gets deleted in favor of the new root certificate from CA7. In addition, many mobile wireless devices may have slow or low bandwidth communication links such as slow modems which limit the amount of information that can be communicated. Moreover, persons owning the devices may typically have to pay for air time and thus minimizing the bandwidth requirements in wireless communications for purposes of information security is high desirable. - Alternative methods are known that allow devices to securely download lists of trusted root certificates from a server when the current list is insufficient for certain purposes. This allows a subscriber to manage the trusted roots available on the device according to applications commonly used. However, with a limited amount of memory, it may become difficult for subscribers to manage all of the root certificates required. Since air interface resource bandwidth may be limited for mobile wireless devices, typically it is not desirable to always be downloading new root certificates when the current list is insufficient.
- In addition, many mobile devices as noted above, have limited processing capabilities and limited battery life. Thus, computationally intensive operations such as performing full certificate path validation may not be possible or may take prohibitively long periods of time. In order to deal with such a problem, extensions to the On-line Certificate Status Protocol (OCSP) are used. With this solution, a subscriber sends a target certificate (certificate to be validated) and the trusted root certificate to a third party OCSP server which constructs and validates the appropriate certificate path. The OCSP server indicates whether or not the target certificate is valid. However, such a methodology still requires a subscriber to trust and have available the same number of root certificates. For example, if a subscriber requires validation of a certificate, the client sends the target certificate and a root certificate to the OCSP server. If a valid certificate chain exists for the target certificate and the associated root certificate, the OCSP server responds that the certificate is “valid”. If a valid certificate chain does not exist, the server responds that the certificate is “invalid”. In this conventional method, a root certificate is sent by the wireless mobile unit in the request to the OCSP server. It would be desirable to avoid having to waste wireless resource bandwidth on sending root certificates. In addition, it would be desirable to avoid having to access or maintain a local root CA store.
- If a root certification authority needs to be revoked because its security has been compromised, such that it is no longer trusted (or for any other reason), it is difficult often to relay this information to all subscribers and to get all subscribers to manually remove the appropriate certificates from a list of trusted root certificates. One solution has been to post the revocation information in widely available media along with instructions on how to delete the untrusted root certificate from the device or Web browser. An alternative solution has been for a trusted server to create a signed list of root certificates that are no longer trusted and to send this list to all subscribers or subscribers. However, with such approaches, not all subscribers may receive or act on the message. The compromise of a certification authority in any network and particularly a wireless network, such as if a virus is present, can allow an unscrupulous party to be allowed to digitally sign information. Moreover, with pre-stored root CA certificates, stored, for example, in memory of mobile devices, it is often difficult to determine which subscribers have which root certificates since different browsers may have different pre-stored sets and depending upon the browser version, differing root CAs may be present in any given mobile wireless device.
- Consequently, a need exists for a method and apparatus that suitably reduces storage requirements of wireless mobile devices, improves use of wireless bandwidth resources, and also allows for a more efficient control of revoked root certification authority certificates.
- FIG. 1 is block diagram illustrating one example of a wireless communication system employing the use of certificates in a conventional manner;
- FIG. 2 is a block diagram of a wireless communication system employing certificate validation in accordance with one embodiment of the invention;
- FIG. 3 is a flow chart illustrating one method for validating a certificate in accordance with one embodiment of the invention;
- FIG. 4 is a block diagram illustrating another embodiment of a wireless communication system employing the validation of a certificate in accordance with one embodiment of the invention;
- FIG. 5 is a flow chart illustrating one method for validating a certificate as carried out by the system of FIG. 4;
- FIG. 6 is a block diagram illustrating one example of the content of a multi-subscriber root certificate store in accordance with one embodiment of the invention; and
- FIG. 7 is a flow chart illustrating one example of maintenance of a multi-subscriber root certificate store in accordance with one embodiment of the invention.
- A method and system for validating a certificate maintains a multi-subscriber root certificate store, containing subscriber identification data for a plurality of subscribers along with data representing a plurality of root certificates, such as an index to root certificates or the root certificates themselves, associated with each of the plurality of subscribers. In one example, a table is stored containing specified root CA certificates for a plurality of subscribers in a network such as stored by a network element in a wireless radiotelephone network, or any other suitable wireless network. Subscriber units do not have a root CA store that contains pre-stored root CA certificates. Accordingly, memory is saved in the subscriber units. In addition, a separate server that stores the multi-subscribers root certificate store preferably carries out certificate path validation on behalf of the mobile units so that the wireless mobile unit need not carry out certificate path construction. Instead, a wireless mobile unit simply sends a certificate to be validated along with its subscriber ID data identifying the mobile unit or application to the multi-subscriber root certificate store server and waits for a “yes” or “no” answer from the server to determine whether the certificate is valid.
- In one embodiment, the multi-subscriber root certificate management server obtains, based on received subscriber identification data, those root certificates trusted by the subscriber from the multi-root certificate store. The server then performs certificate path validation to validate the received certificate using the root certificates from the multi-root certificate store. Accordingly, a party other than the wireless mobile unit performs certificate validation. Hence, the cryptographic engine resident in the wireless mobile unit may be less sophisticated and need not require a certificate validation engine.
- The multi-subscriber root certificate store may store the list of root certificates trusted by each subscriber or each group of subscribers. Accordingly, the root certificates trusted by each client or subscriber need not reside locally on the client device and hence need not take up valuable memory resources on the device. In addition, the multi-subscriber root certificate store allows each subscriber or group of subscribers to trust as many root certificates as required. The central multi-subscriber root certificate management server allows for central and effective control of root certificate revocation. The central root certificate management server is able to immediately remove any untrusted root certificate from any and all subscriber lists of trusted root certificates. This may be desirable where network operators wish to maintain control of their subscribers' trust relationships.
- When a subscriber receives a certificate that it wishes to validate, it sends a request to the central root certificate management server with an indication of the subscriber's identity. The subscriber identification data may be a signature on the subscriber's identity. The subscriber identification data may be a signature on the request, the subscriber's ID number or subscriber's name or any other method of identifying the subscriber. The request does not include an indication of the roots trusted by the subscriber since the central root certificate management server already has this information (and the client does not). The central root certificate management server then validates the certificate with respect to the list of trusted roots stored for that particular subscriber. A response is then returned, indicating the validity (pass/fail) of the target certificate. The response is protected for integrity and authenticity either using a digital signature, a secure session, a MAC or any other method for providing integrity and authenticity. In order to verify the response, the subscriber device need only store a verification key required to verify the response. This can result in a substantial savings over having to store a list of trusted root CA certificates and requiring certification path verification. In addition to root certificates, the central root certificate management server may also store any policy information required to validate certificates within any particular certification authority domain.
- As an alternative, when a subscriber receives digitally signed information that it wishes to validate, it could send a request to the central root certificate management server with the certificate and an indication of the subscriber's identity, as above, but also including the digital signature to be validated. The central root certificate management server then validates the certificate, as above, and also validates the digital signature. The digital signature can only be valid if the corresponding certificate is valid. The response from the central root certificate management server to the subscriber indicates the validity (pass/fail) of the signature.
- FIG. 2 illustrates one example of a system200 for validating a
certificate 252 in accordance with one embodiment of the invention. The system 200 includes a wirelessmobile unit 202 and a server referred to as a central root certificate management server (CRCMS) 204, that includes a central root certificate managing module, such as a software application that contains instructions that, when executed by a processing device resident in the server, causes the server to perform the operations described herein. However, it will be recognized that any suitable combination of hardware, software and firmware may be used. The central rootcertificate management server 204 includesmemory 206, such as a database or other suitable storage medium or structure that serves as a multi-subscriberroot certificate store 208 which containssubscriber identification data 210 for a plurality of subscribers and data representing a plurality ofroot certificates 212 associated with each of the plurality of subscribers. The central root certificate managing module maintains the multi-subscriberroot certificate store 208 by at least removing unacceptable root certificates determined to be, for example, invalid or otherwise untrustworthy, that are common for a plurality of subscribers. In this example, subscribers having subscriber ID 1 and subscriber ID2 both have root certificate 3 (RC3) as trusted root certificates. Accordingly, if root certificate 3 is determined to be compromised, the central rootcertificate management server 204 will indicate that these root certificates are untrustworthy and remove them from the multi-subscriber root certificate store and, if desired, notify the subscriber the next time the subscriber requests validation of a certificate using the root certificate RC3. - The central root
certificate management server 204 is operably coupled to wireless network through, for example, a wireless application protocol (WAP)gateway 214. As shown, the central rootcertificate management server 204 is a server element within the Internet. However, the server may be in any suitable system. Themobile wireless unit 202 is in operative communication with the wirelessapplication protocol gateway 214 through a suitable wireless communication link or network illustrated generally as 215. The system 200 also includes anapplication server 216, such as a Web server or other unit with which the wirelessmobile device 202 wishes to communicate and which provides thetarget certificate 252. - Also shown is a
certificate repository 205, which includes suitable certificate revocation lists, certificates, and any other suitable information as known in the art to facilitate the construction of trusted paths. Therepository 205 may be, for example, an X.500 type repository, or any other suitable repository. Accordingly, the central rootcertificate management server 204 may also provide certificate validation as known in the art, by constructing the requisite paths to determine whether a certificate is valid. In an alternative embodiment, instead of the central rootcertificate management server 204 performing certificate validation, anOCSP server 220 performs certificate validation. In this embodiment, the central rootcertificate management server 204 sends atarget certificate 252 to be validated and theroot certificate 226 from the multi-subscriber root certificate store to the OCSP server. TheOCSP server 220 then performs path construction if desired or any other suitable processing necessary to determine whether thetarget certificate 252 is valid. The OCSP server then sends thevalidation status 222 back to the central rootcertificate management server 204 which can then communicate whether the certificate is valid back to the wirelessmobile unit 202. As shown, the wirelessmobile unit 202 may be any suitable Internet appliance, a laptop computer with a wireless transceiver, a radiotelephone, or any other suitable device. The wirelessmobile device 202 includes acryptographic engine 240 which may be implemented, for example, by suitable programming of a processing device such as a microprocessor, DSP, or any other suitable device to perform cryptographic functions. In this example, thecryptographic engine 240 is configured to be a digital signature verifier. - The wireless
mobile device 202 also includesmemory 242 operably coupled to thecryptographic engine 240 via asuitable bus 244.Subscriber identification data 246 is stored in the wirelessmobile device 202 as well as, for example, averification key 248 such as a public key certificate issued for the central root certificate management server. In an alternative embodiment, a MAC key of the central root certificate management server may also be used, or any other suitable verification key. - The
cryptographic engine 240 determines whether thetarget certificate 252 or a received certificate received from, for example, theserver 216 is valid, without referencing a local root certificate store. Preferably, no root certificates are stored in the wirelessmobile unit 202 and instead are maintained by the central rootcertificate management server 204. - The central root
certificate management server 204 includes aninterface 250 that is operative to communicate with the wireless access protocol-basedgateway 214. Also, if desired, the same interface, or other interface, can be used to communicate with the third party root certificate validation provider, namely theOCSP server 220. - Referring to FIGS. 2 and 3, the operation of the system200 will be described. As shown in
block 300, theverification key 248 is prestored in the wireless mobile device. This may be, for example, the public key associated with the central rootcertificate management server 204 as issued by itself serving as a certification authority. Alternatively, the information may be downloaded wirelessly when the wirelessmobile device 202 is activated, as part of an initialization procedure. In order for the central rootcertificate management server 204 to populate the multi-subscriberroot certificate store 208, the central rootcertificate management server 204 sends a root CA certificate selection form containing a list of a plurality of root certification authority certificates to allow the client to identify which root CA certificates to associate with its subscriber identification data. This is shown inblock 302. This may be carried out as part of a set up procedure. The root certification authority certificate selection form may be an HTML form, or any data structure, applet or any other mechanism to allow choosing of desired root CA certificates by or through a client device. - As shown in
block 304, the method also includes the wirelessmobile device 202 forwarding any root certificates that it receives from other sources, that are categorized in a different class from those placed in the selection form. For example, if the subscriber is a member of a plurality of different communities of trust, and associated root CA certificates are added periodically, the wirelessmobile unit 202 forwards the new root certificates to the central root certificate management server for association with the particular subscriber ID for that device so that the device need not maintain the new root CA certificates. - As shown in
block 306, the method includes maintaining, such as by the central rootcertificate management server 204 , the multi-subscriberroot certificate store 208 by populating the multi-subscriberroot certificate store 208 with selected root CA certificates for the given subscriber ID as indicated in the form. This population is done for all subscribers in the network community as identified, for example, by a system operator or upon initialization with the system 200. As shown inblock 308, the method includes the wirelessmobile device 202 attempting to set up, for example, a transport layer security session with theapplication server 216. This is shown asTLS handshaking 250. - As shown in
block 310, theapplication server 216 sends thetarget certificate 252 to be validated, back to the wirelessmobile unit 202 as indicated bycommunication 252. In response to receiving thetarget certificate 252, the wirelessmobile device 202, in this embodiment, merely forwards the received certificate along with thesubscriber identification data 246 to the central rootcertificate management server 204 as shown bycommunication 256. Accordingly, the wirelessmobile unit 202 avoids a need for a local root certificate store, accessing of such a store, and avoids certificate validation processing, by merely forwarding the receivedcertificate 252 and thesubscriber ID 246 to the central rootcertificate management server 204. This is shown inblock 312. The communication is considered arequest 256 to validate thetarget certificate 252 which includes data representing the certificate to be validated. In this instance, it is the certificate itself. Alternatively, it can be the public key within the certificate, the subject name from the certificate, or an index to a repository indicating where to obtain the target certificate. The central rootcertificate management server 204 receives therequest 256 to validate a certificate as shown inblock 314 accesses the multi-subscriberroot certificate store 208 using theuser ID 246 to obtain those root certificates trusted by that particular client. Accordingly, the method includes obtaining, based on the receiveduser identification data 246, those root certificates trusted by the client as obtained from the multi-userroot certificate store 208. Assuming by way of example that the subscriber ID data corresponds to subscriber ID1, the root certificates that are trusted in this example are those from root certificate CA1 and root certificate CA3. - As shown in
block 316, the central rootcertificate management server 204 performs validation of thetarget certificate 252 by constructing a certificate chain between the target certificate and a root certificate stored in the multi-subscriber root certificate store for that client. As known in the art this involves, for example, contacting the requisite certification authorities, directories, and/or if desired, a OCSP server. As shown inblock 318, the method includes receiving back, by the wirelessmobile unit 202, a trustedcertificate validation response 260 indicating whether thetarget certificate 252 is valid based on the root certificates from the multi-subscriber root certificate store containing the subscriber identification data for the plurality of subscribers. This is shown inblock 318. This includes, for example, the central rootcertificate management server 204 digitally signing the validation data that forms the trustedvalidation response 260 indicating, for example, whether the certificate is valid or not. This may be digitally signed, for example, by the private key of the central rootcertificate management server 204. Thisvalidation response 260 is then passed to the WAP gateway, and theWAP gateway 214 then wirelessly passes thevalidation response 260 to the wirelessmobile unit 202. Upon receiving thevalidation response 260, the wirelessmobile device 202 uses thecryptographic engine 240 to verify the trustedvalidation response 260 to validate the digital signature on the response to determine whether the certificate is valid. This is done without accessing a local root certificate store. If the certificate is valid, the wirelessmobile apparatus 202 continues set up of the TLS session with theapplication server 216 as shown inblock 320. - As shown in FIG. 2, maintaining the multi subscriber
root certificate store 208 may include storing a table containinguser identification data 210 for a plurality of subscribers, and data representing the plurality of different classes of root certificates associated with each of the plurality of subscribers. This may be done, for example, on a group of subscriber basis as well. - From the perspective of the wireless
mobile unit 202, thecryptographic engine 240 sends the data representing thecertificate 252 to be validated (such as the certificate itself, the public key therefrom, the subject name from the certificate, or an index) as well assubscriber identification data 246, representing a subscriber for the central rootcertificate managing server 204. Thecryptographic engine 240 receives the trustedvalidation response 260 indicating whether thetarget certificate 252 is valid based on the contents of multi-subscriber root certificate store. Thecryptographic engine 240 then verifies the trustedcertificate validation response 260 using the storedverification key 248 that is associated with the central rootcertificate management unit 204 indicating whether the target certificate is valid. This is done without accessing a local root certificate store. - Referring to FIGS. 4 and 5, an alternative embodiment is shown wherein wireless resource bandwidth is reduced. This is done, for example, by having the
application server 216 be in communication with the central rootcertificate management server 204. In contrast with the system and operation described in FIGS. 2 and 3, in this embodiment, the wirelessmobile device 202, namely thecryptographic engine 240, instead of sending thetarget certificate 252, sends data representing an address associated with the multi-subscriberroot certificate store 208, namely, an address such as an IP address or DN of the central rootcertificate management server 204 indicated asdata 400 to theWAP gateway 214 which then forwards it to theapplication server 216. Theapplication server 216 includes a software routing module, such as a software application, which retrieves thetarget certificate 252 and sends thetarget certificate 252 along with thesubscriber ID 246 asmessage 256 to the central rootcertificate management server 204. Upon receipt of theresponse 260 from the central rootcertificate management server 204, theapplication server 216 forwards the response to the wirelessmobile device 202. In this way, thetarget certificate 252 from theapplication server 216, namely the target certificate to be validated, need not be communicated to the wirelessmobile device 202 and hence reduces bandwidth. In addition,WAP gateway 214 need not be coupled to the central rootcertificate management server 204. - Accordingly, as shown in FIG. 5, an alternate method includes sending the
subscriber ID 246 to theapplication server 216 along with a central root certificatemanagement server address 400 to avoid the need for local root certificate store and local certificate validation processing. As shown inblock 502, the method includes theapplication server 216 sending thesubscriber ID 246 and thetarget certificate 252 to the central rootcertificate management server 204 using theaddress information 400. As described above, thesame steps response 260 from the central rootcertificate management server 204 for the WAP gateway, the wirelessmobile device 202 receives and verifies theresponse 260 as sent by theapplication server 216. This is shown inblock 504. - FIG. 6 illustrates the
multi-root certificate store 208 showing a table 600 having rootcertificate classification divisions certificate management server 204 to protect the integrity of the information. The class 2root certificates 604 are those that are likely obtained and provided to the central rootcertificate management server 204 by each wireless mobile device as they are transmitted to such devices on a periodic basis. - With the central storing of root certificates for multiple subscribers, each subscriber can also send a request to the central root
certificate management server 204 to remove a root CA association, if desired. In addition, the central rootcertificate management server 204 can revoke root CAs for all subscribers at the same time to avoid the spreading of a virus, for example. - FIG. 7 is a flow chart illustrating one example of multi-subscriber root certificate store maintenance. As shown in
block 700, the method includes sending the root certificates from all clients to be stored and then populating thestore 208 on a per-subscriber ID basis (or per group basis), as shown inblock 702. As noted above, each subscriber may select which certificates they desire in their list. As shown inblock 704, the central rootcertificate management server 204 receives the root certificate revocation information out of band at a later point in time to determine which root certificate should be revoked. As shown inblock 706, the central rootcertificate management server 204 removes the root CA from the multi-subscriber certificate store to avoid virus propagation. This is done for all subscribers in the system, namely those identified by the subscriber IDs in the table 600. As shown inblock 708, the method includes determining whether a request has been received from wireless mobile device to change any root CA entries. If so, as shown inblock 710, the method includes updating the root CA certificates for the requesting subscriber based on the update request. If no such request has been received, the method includes waiting, as shown inblock 712, to receive such a request at a later date. - In the above-described apparatus and methods, wireless mobile devices need not store any trusted root certificates and need only, for example, store a single verification key associated with the central root
certificate management server 204, to effect validation of all certificates. The wireless mobile units need not download trusted root certificates and do not need to implement certificate path validation. In addition, the above operations allow for more effective central ‘control of a subscriber’s trusted root certificate list. Other advantages will be recognized by those of ordinary skill in the art. - Implementations of the above apparatus and methods may include, for example, the use of software serving as executable instructions that when executed by one or more processing devices in the central root certificate management server and/or application server and/or WAP gateway and/or wireless mobile device, that causes the requisite devices to perform the operations described herein. As such, an implementation may have one or more storage mediums, such as CD ROMs, distributed storage to effect downloading of the software from remove servers, or any other suitable storage medium containing executable instructions that when executed by one or more processing devices, causes the one or more processing devices to act as described herein.
- The processors may be a single processing entity or a plurality of processing entities. Such a processing entity may be a microprocessor, microcomputer, microcontroller, central processing units, digital signal processor, state machine, logic circuitry, and/or any device that manipulates information based on operational instructions. The memory may be a single memory device or a plurality of memory devices. Such a memory device may be a read-only memory, random access memory, floppy disk memory, hard disk memory, system memory, reprogrammable memory, magnetic tape memory, DVD memory, and/or any device that stores digital information. Note that if the processors implement one or more of their functions using a state machine or logic circuitry, the memory containing the corresponding operational instructions is embedded within the circuitry that comprises the state machine and/or logic circuitry.
- It should be understood that the implementation of other variations and modifications of the invention in its various aspects will be apparent to those of ordinary skill in the art, and that the invention is not limited by the specific embodiments described. For example, although the examples above have been described with reference to a wireless environment, the disclosed methods and apparatus can be employed in a non-wireless environment such as conventional Web browsers. It is therefore contemplated to cover by the present invention, any and all modifications, variations, or equivalents that fall within the spirit and scope of the basic underlying principles disclosed and claimed herein.
Claims (26)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/906,504 US20030014629A1 (en) | 2001-07-16 | 2001-07-16 | Root certificate management system and method |
US10/107,538 US6777383B1 (en) | 1995-05-17 | 2002-03-27 | Solid detergents with active enzymes and bleach |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/906,504 US20030014629A1 (en) | 2001-07-16 | 2001-07-16 | Root certificate management system and method |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/727,599 Continuation US6395703B2 (en) | 1995-05-17 | 2000-12-01 | Solid detergents with active enzymes and bleach |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/107,538 Continuation US6777383B1 (en) | 1995-05-17 | 2002-03-27 | Solid detergents with active enzymes and bleach |
Publications (1)
Publication Number | Publication Date |
---|---|
US20030014629A1 true US20030014629A1 (en) | 2003-01-16 |
Family
ID=25422554
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/906,504 Abandoned US20030014629A1 (en) | 1995-05-17 | 2001-07-16 | Root certificate management system and method |
US10/107,538 Expired - Lifetime US6777383B1 (en) | 1995-05-17 | 2002-03-27 | Solid detergents with active enzymes and bleach |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/107,538 Expired - Lifetime US6777383B1 (en) | 1995-05-17 | 2002-03-27 | Solid detergents with active enzymes and bleach |
Country Status (1)
Country | Link |
---|---|
US (2) | US20030014629A1 (en) |
Cited By (61)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030030680A1 (en) * | 2001-08-07 | 2003-02-13 | Piotr Cofta | Method and system for visualizing a level of trust of network communication operations and connection of servers |
US20030084311A1 (en) * | 2001-10-03 | 2003-05-01 | Lionel Merrien | System and method for creating a trusted network capable of facilitating secure open network transactions using batch credentials |
US20030163700A1 (en) * | 2002-02-28 | 2003-08-28 | Nokia Corporation | Method and system for user generated keys and certificates |
US20030228866A1 (en) * | 2002-05-24 | 2003-12-11 | Farhad Pezeshki | Mobile terminal system |
US20040203598A1 (en) * | 2002-10-09 | 2004-10-14 | Naveen Aerrabotu | Contact validation and trusted contact updating in mobile wireless communications devices |
US20050154918A1 (en) * | 2003-11-19 | 2005-07-14 | David Engberg | Distributed delegated path discovery and validation |
EP1587238A1 (en) * | 2004-04-16 | 2005-10-19 | Sagem S.A. | Method for verifying in a radio terminal the authenticity of digital certificates and authentification system |
US20060174124A1 (en) * | 2005-01-25 | 2006-08-03 | Cisco Technology, Inc. | System and method for installing trust anchors in an endpoint |
US20060242410A1 (en) * | 2005-04-26 | 2006-10-26 | Microsoft Corporation | Mobile device authentication with a data source using self-signed certificates |
EP1796310A1 (en) * | 2005-12-09 | 2007-06-13 | Samsung Electronics Co., Ltd. | Apparatus and method for managing certificates |
US20070283154A1 (en) * | 2006-05-31 | 2007-12-06 | Microsoft Corporation | Establishing secure, mutually authenticated communication credentials |
US20080086634A1 (en) * | 2006-10-10 | 2008-04-10 | Cisco Technology, Inc. | Techniques for using AAA services for certificate validation and authorization |
WO2008042524A2 (en) * | 2006-09-29 | 2008-04-10 | Motorola, Inc. | Method and system for displaying trust level on a wireless communication device |
US20090113206A1 (en) * | 2006-03-29 | 2009-04-30 | Nds Limited | Revocation List Improvement |
US20090158414A1 (en) * | 2007-12-18 | 2009-06-18 | Kapil Chaudhry | Method and apparatus for mutually authenticating a user device of a primary service provider |
US20090276841A1 (en) * | 2008-04-30 | 2009-11-05 | Motorola, Inc. | Method and device for dynamic deployment of trust bridges in an ad hoc wireless network |
US20100031027A1 (en) * | 2008-07-29 | 2010-02-04 | Motorola, Inc. | Method and device for distributing public key infrastructure (pki) certificate path data |
US20100026576A1 (en) * | 2008-07-29 | 2010-02-04 | Motorola, Inc. | Method for measuring the time of arrival of radio signals |
US20100070754A1 (en) * | 2008-06-10 | 2010-03-18 | Paymetric, Inc. | Payment encryption accelerator |
US20100153713A1 (en) * | 2008-12-15 | 2010-06-17 | Sap Ag | Systems and methods for detecting exposure of private keys |
US20100185849A1 (en) * | 2007-06-11 | 2010-07-22 | Telefonaktiebolaget L M Ericsson (Publ) | Method and arrangement for certificate handling |
US8019082B1 (en) * | 2003-06-05 | 2011-09-13 | Mcafee, Inc. | Methods and systems for automated configuration of 802.1x clients |
US20120216042A1 (en) * | 2006-07-20 | 2012-08-23 | Research In Motion Limited | System and Method for Provisioning Device Certificates |
US20120303951A1 (en) * | 2011-05-27 | 2012-11-29 | General Instrument Corporation | Method and system for registering a drm client |
US20130145158A1 (en) * | 2011-09-02 | 2013-06-06 | Stephen Pao | System and Web Security Agent Method for Certificate Authority Reputation Enforcement |
US8489894B2 (en) | 2010-05-26 | 2013-07-16 | Paymetric, Inc. | Reference token service |
US20130238897A1 (en) * | 2010-11-05 | 2013-09-12 | Atefeh Mashatan | Method and apparatus for providing efficient management of certificate revocation |
US20130346743A1 (en) * | 2012-06-25 | 2013-12-26 | International Business Machines Corporation | Digital certificate issuer-correlated digital signature verification |
US20140215206A1 (en) * | 2013-01-29 | 2014-07-31 | Certicom Corp. | System and method for providing a trust framework using a secondary network |
US8799648B1 (en) * | 2007-08-15 | 2014-08-05 | Meru Networks | Wireless network controller certification authority |
US20150046707A1 (en) * | 2012-03-15 | 2015-02-12 | Mikoh Corporation | Biometric authentication system |
CN104573554A (en) * | 2014-12-30 | 2015-04-29 | 北京奇虎科技有限公司 | Method for loading safety key storage hardware and browser client device |
CN104618108A (en) * | 2014-12-30 | 2015-05-13 | 北京奇虎科技有限公司 | Safety communication system |
US9077546B1 (en) * | 2012-11-27 | 2015-07-07 | Symnatec Corporation | Two factor validation and security response of SSL certificates |
US9112704B2 (en) | 2012-06-22 | 2015-08-18 | Ologn Technologies Ag | Systems, methods and apparatuses for securing root certificates |
US9281948B2 (en) | 2012-02-09 | 2016-03-08 | Microsoft Technology Licensing, Llc | Revocation information for revocable items |
DE102014222433A1 (en) * | 2014-11-04 | 2016-05-04 | Siemens Aktiengesellschaft | Method and computing device for the adaptive provision of root certificates |
US20160352521A1 (en) * | 2015-05-27 | 2016-12-01 | International Business Machines Corporation | Automatic root key rollover during digital signature verification |
CN107332858A (en) * | 2017-08-07 | 2017-11-07 | 成都汇智远景科技有限公司 | Cloud date storage method |
US9887975B1 (en) * | 2016-08-03 | 2018-02-06 | KryptCo, Inc. | Systems and methods for delegated cryptography |
US20180054434A1 (en) * | 2016-08-18 | 2018-02-22 | Centrify Corporation | Zero sign-on using a web browser |
US20180262347A1 (en) * | 2017-03-08 | 2018-09-13 | Amazon Technologies, Inc. | Digital certificate usage monitoring systems |
US20180262346A1 (en) * | 2017-03-08 | 2018-09-13 | Amazon Technologies, Inc. | Digital certificate issuance and monitoring |
US20180262504A1 (en) * | 2017-03-08 | 2018-09-13 | Bank Of America Corporation | Certificate system for verifying authorized and unauthorized secure sessions |
US10110596B2 (en) * | 2015-05-28 | 2018-10-23 | Ricoh Company, Ltd. | Information processing system, information processing apparatus, method for managing electronic certificate |
US10218692B2 (en) | 2014-08-21 | 2019-02-26 | International Business Machines Corporation | Management of digital certificates |
US10223534B2 (en) | 2015-10-15 | 2019-03-05 | Twistlock, Ltd. | Static detection of vulnerabilities in base images of software containers |
US10361852B2 (en) | 2017-03-08 | 2019-07-23 | Bank Of America Corporation | Secure verification system |
US10374808B2 (en) | 2017-03-08 | 2019-08-06 | Bank Of America Corporation | Verification system for creating a secure link |
US10432595B2 (en) | 2017-03-08 | 2019-10-01 | Bank Of America Corporation | Secure session creation system utililizing multiple keys |
US10484355B1 (en) | 2017-03-08 | 2019-11-19 | Amazon Technologies, Inc. | Detecting digital certificate expiration through request processing |
US10567411B2 (en) | 2015-10-01 | 2020-02-18 | Twistlock, Ltd. | Dynamically adapted traffic inspection and filtering in containerized environments |
US10586042B2 (en) | 2015-10-01 | 2020-03-10 | Twistlock, Ltd. | Profiling of container images and enforcing security policies respective thereof |
US10599833B2 (en) | 2015-10-01 | 2020-03-24 | Twistlock, Ltd. | Networking-based profiling of containers and security enforcement |
US10664590B2 (en) | 2015-10-01 | 2020-05-26 | Twistlock, Ltd. | Filesystem action profiling of containers and security enforcement |
US10706145B2 (en) | 2015-10-01 | 2020-07-07 | Twistlock, Ltd. | Runtime detection of vulnerabilities in software containers |
US10771261B1 (en) * | 2016-09-29 | 2020-09-08 | EMC IP Holding Company LLC | Extensible unified multi-service certificate and certificate revocation list management |
US10778446B2 (en) * | 2015-10-15 | 2020-09-15 | Twistlock, Ltd. | Detection of vulnerable root certificates in software containers |
US10922418B2 (en) | 2015-10-01 | 2021-02-16 | Twistlock, Ltd. | Runtime detection and mitigation of vulnerabilities in application software containers |
US10943014B2 (en) | 2015-10-01 | 2021-03-09 | Twistlock, Ltd | Profiling of spawned processes in container images and enforcing security policies respective thereof |
US20230198782A1 (en) * | 2013-03-15 | 2023-06-22 | Poltorak Technologies Llc | System and method for secure relayed communications from an implantable medical device |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8951956B2 (en) * | 2008-01-04 | 2015-02-10 | Ecolab USA, Inc. | Solid tablet unit dose oven cleaner |
Citations (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5371794A (en) * | 1993-11-02 | 1994-12-06 | Sun Microsystems, Inc. | Method and apparatus for privacy and authentication in wireless networks |
US6134550A (en) * | 1998-03-18 | 2000-10-17 | Entrust Technologies Limited | Method and apparatus for use in determining validity of a certificate in a communication system employing trusted paths |
US6233577B1 (en) * | 1998-02-17 | 2001-05-15 | Phone.Com, Inc. | Centralized certificate management system for two-way interactive communication devices in data networks |
US20010011250A1 (en) * | 1997-11-12 | 2001-08-02 | Cris T. Paltenghe | Distributed network based electronic wallet |
US6310966B1 (en) * | 1997-05-09 | 2001-10-30 | Gte Service Corporation | Biometric certificates |
US20010049786A1 (en) * | 2000-05-31 | 2001-12-06 | Hewlett-Packard Company | Information storage |
US6330677B1 (en) * | 1998-10-27 | 2001-12-11 | Sprint Communications Company, L. P. | Object-based security system |
US20020124007A1 (en) * | 2001-03-02 | 2002-09-05 | Wuhan P&S Electronics Company Ltd. | Network server and database therein |
US6463457B1 (en) * | 1999-08-26 | 2002-10-08 | Parabon Computation, Inc. | System and method for the establishment and the utilization of networked idle computational processing power |
US20020184182A1 (en) * | 2001-05-31 | 2002-12-05 | Nang Kon Kwan | Method and system for answering online certificate status protocol (OCSP) requests without certificate revocation lists (CRL) |
US20030046091A1 (en) * | 2000-05-12 | 2003-03-06 | Kenneth Arneson | System and method for providing wireless services |
US6816900B1 (en) * | 2000-01-04 | 2004-11-09 | Microsoft Corporation | Updating trusted root certificates on a client computer |
US6898707B1 (en) * | 1999-11-30 | 2005-05-24 | Accela, Inc. | Integrating a digital signature service into a database |
Family Cites Families (46)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DK127072A (en) | 1967-02-17 | |||
US3595438A (en) | 1969-01-06 | 1971-07-27 | Economics Lab | Automatic detergent dispenser system |
US4033894A (en) | 1975-06-05 | 1977-07-05 | Desoto, Inc. | Powder detergent compositions |
US4020865A (en) | 1975-10-03 | 1977-05-03 | Economics Laboratory, Inc. | Remote powder detergent dispenser |
US4292191A (en) | 1975-11-05 | 1981-09-29 | Colgate-Palmolive Company | Activated peroxy compound bleaching compositions and bleaching detergent compositions |
US4063663A (en) | 1975-12-15 | 1977-12-20 | Economics Laboratory, Inc. | Powdered detergent dispenser |
USRE32763E (en) | 1978-02-07 | 1988-10-11 | Ecolab Inc. | Cast detergent-containing article and method of making and using |
USRE32818E (en) | 1978-02-07 | 1989-01-03 | Ecolab Inc. | Cast detergent-containing article and method of using |
US4318818A (en) | 1979-11-09 | 1982-03-09 | The Procter & Gamble Company | Stabilized aqueous enzyme composition |
US4333844A (en) | 1979-11-12 | 1982-06-08 | Lever Brothers Company | Detergent compositions |
US4430236A (en) | 1981-06-22 | 1984-02-07 | Texize, Division Of Mortonthiokol | Liquid detergent composition containing bleach |
US4412934A (en) | 1982-06-30 | 1983-11-01 | The Procter & Gamble Company | Bleaching compositions |
US4507219A (en) | 1983-08-12 | 1985-03-26 | The Proctor & Gamble Company | Stable liquid detergent compositions |
US4515705A (en) | 1983-11-14 | 1985-05-07 | The Procter & Gamble Company | Compositions containing odor purified proteolytic enzymes and perfumes |
US4537706A (en) | 1984-05-14 | 1985-08-27 | The Procter & Gamble Company | Liquid detergents containing boric acid to stabilize enzymes |
US4537707A (en) | 1984-05-14 | 1985-08-27 | The Procter & Gamble Company | Liquid detergents containing boric acid and formate to stabilize enzymes |
US4595520A (en) | 1984-10-18 | 1986-06-17 | Economics Laboratory, Inc. | Method for forming solid detergent compositions |
US4680134A (en) | 1984-10-18 | 1987-07-14 | Ecolab Inc. | Method for forming solid detergent compositions |
US5213705A (en) | 1985-04-30 | 1993-05-25 | Ecolab Inc. | Encapsulated halogen bleaches and methods of preparation and use |
NZ214260A (en) | 1985-04-30 | 1988-06-30 | Ecolab Inc | Encapsulated halogen bleach compositions |
EP0212976B2 (en) | 1985-08-21 | 1995-03-15 | The Clorox Company | Stable peracid bleaching composition |
EP0245759A3 (en) * | 1986-05-14 | 1990-05-02 | Henkel Kommanditgesellschaft auf Aktien | Stock supply of a solid cleaning block, and process for its preparation |
GB8626080D0 (en) | 1986-10-31 | 1986-12-03 | Unilever Plc | Detergent composition |
US4938893A (en) * | 1986-11-14 | 1990-07-03 | Ecolab Inc. | Detersive systems and low foaming aqueous surfactant solutions containing a mono (C1-4 alkyl)-di(C6-20 alkyl)-amine oxide compound |
US4921627A (en) * | 1986-11-14 | 1990-05-01 | Ecolab Inc. | Detersive system and low foaming aqueous surfactant solutions containing a mono(C1-4 alkyl)-di(C6-20) alkylamine oxide compound |
US4846989A (en) | 1988-02-12 | 1989-07-11 | Ecolab Inc. | Solid cast warewashing composition and process for preparing the same |
US5080819A (en) | 1988-05-27 | 1992-01-14 | Ecolab Inc. | Low temperature cast detergent-containing article and method of making and using |
US4861518A (en) | 1988-08-01 | 1989-08-29 | Ecolab Inc. | Non-filming high performance solid floor cleaner |
DE69014549T2 (en) | 1989-04-24 | 1995-04-13 | Novo Nordisk As | ENZYME FROM BACILLUS PABULI TO DEGRAD THE CELL WALL. |
DK246290D0 (en) | 1990-10-12 | 1990-10-12 | Novo Nordisk As | NEW ENZYM |
US5133892A (en) | 1990-10-17 | 1992-07-28 | Lever Brothers Company, Division Of Conopco, Inc. | Machine dishwashing detergent tablets |
US5340501A (en) | 1990-11-01 | 1994-08-23 | Ecolab Inc. | Solid highly chelated warewashing detergent composition containing alkaline detersives and Aminocarboxylic acid sequestrants |
NZ239112A (en) * | 1991-01-29 | 1994-12-22 | Ecolab Inc | Solid alkaline compositions containing the reaction product in water of alkali metal hydroxide and alkali metal silicate; process of manufacture |
US5310430A (en) * | 1991-05-31 | 1994-05-10 | Ecolab Inc. | Process of dispensing a solid cast block of water soluble detergent |
US5384060A (en) | 1992-07-13 | 1995-01-24 | Fluid Packaging Company Inc. | Solid laundry pre-spotter composition containing encapsulated sodium bicarbonate and method of use |
US5288421A (en) | 1992-07-13 | 1994-02-22 | Fluid Packaging Company, Inc. | Solid laundry pre-spotter composition containing sodium bicarbonate and method of use |
AU668634B2 (en) | 1992-11-24 | 1996-05-09 | Abbott Laboratories | Bacillus thuringiensis isolates active against lepidopteran pests |
US5336424A (en) | 1992-12-23 | 1994-08-09 | Eftichios Van Vlahakis | Improved urinal block composition |
JP2808393B2 (en) | 1992-12-25 | 1998-10-08 | 小野田エー・エル・シー株式会社 | Wall panel mounting method and mounting structure |
US5407598A (en) | 1993-02-26 | 1995-04-18 | Ecolab Inc. | Shaped solid bleach with encapsulate source of bleach |
EP0694059B1 (en) | 1993-04-27 | 1999-01-13 | The Procter & Gamble Company | Liquid or granular automatic dishwashing detergent compositions |
US5397506A (en) | 1993-08-20 | 1995-03-14 | Ecolab Inc. | Solid cleaner |
GB2285052A (en) | 1993-12-23 | 1995-06-28 | Procter & Gamble | Detergent composition |
US5474698A (en) | 1993-12-30 | 1995-12-12 | Ecolab Inc. | Urea-based solid alkaline cleaning composition |
US5861366A (en) | 1994-08-31 | 1999-01-19 | Ecolab Inc. | Proteolytic enzyme cleaner |
US5830839A (en) | 1995-05-17 | 1998-11-03 | Sunburst Chemicals, Inc. | Solid detergents with active enzymes and bleach |
-
2001
- 2001-07-16 US US09/906,504 patent/US20030014629A1/en not_active Abandoned
-
2002
- 2002-03-27 US US10/107,538 patent/US6777383B1/en not_active Expired - Lifetime
Patent Citations (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5371794A (en) * | 1993-11-02 | 1994-12-06 | Sun Microsystems, Inc. | Method and apparatus for privacy and authentication in wireless networks |
US6310966B1 (en) * | 1997-05-09 | 2001-10-30 | Gte Service Corporation | Biometric certificates |
US20010011250A1 (en) * | 1997-11-12 | 2001-08-02 | Cris T. Paltenghe | Distributed network based electronic wallet |
US6233577B1 (en) * | 1998-02-17 | 2001-05-15 | Phone.Com, Inc. | Centralized certificate management system for two-way interactive communication devices in data networks |
US6516316B1 (en) * | 1998-02-17 | 2003-02-04 | Openwave Systems Inc. | Centralized certificate management system for two-way interactive communication devices in data networks |
US6134550A (en) * | 1998-03-18 | 2000-10-17 | Entrust Technologies Limited | Method and apparatus for use in determining validity of a certificate in a communication system employing trusted paths |
US6330677B1 (en) * | 1998-10-27 | 2001-12-11 | Sprint Communications Company, L. P. | Object-based security system |
US6463457B1 (en) * | 1999-08-26 | 2002-10-08 | Parabon Computation, Inc. | System and method for the establishment and the utilization of networked idle computational processing power |
US6898707B1 (en) * | 1999-11-30 | 2005-05-24 | Accela, Inc. | Integrating a digital signature service into a database |
US6816900B1 (en) * | 2000-01-04 | 2004-11-09 | Microsoft Corporation | Updating trusted root certificates on a client computer |
US20030046091A1 (en) * | 2000-05-12 | 2003-03-06 | Kenneth Arneson | System and method for providing wireless services |
US20010049786A1 (en) * | 2000-05-31 | 2001-12-06 | Hewlett-Packard Company | Information storage |
US20020124007A1 (en) * | 2001-03-02 | 2002-09-05 | Wuhan P&S Electronics Company Ltd. | Network server and database therein |
US20020184182A1 (en) * | 2001-05-31 | 2002-12-05 | Nang Kon Kwan | Method and system for answering online certificate status protocol (OCSP) requests without certificate revocation lists (CRL) |
Cited By (112)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7162525B2 (en) * | 2001-08-07 | 2007-01-09 | Nokia Corporation | Method and system for visualizing a level of trust of network communication operations and connection of servers |
US20030030680A1 (en) * | 2001-08-07 | 2003-02-13 | Piotr Cofta | Method and system for visualizing a level of trust of network communication operations and connection of servers |
US20030084311A1 (en) * | 2001-10-03 | 2003-05-01 | Lionel Merrien | System and method for creating a trusted network capable of facilitating secure open network transactions using batch credentials |
US7925878B2 (en) * | 2001-10-03 | 2011-04-12 | Gemalto Sa | System and method for creating a trusted network capable of facilitating secure open network transactions using batch credentials |
US20030163700A1 (en) * | 2002-02-28 | 2003-08-28 | Nokia Corporation | Method and system for user generated keys and certificates |
US7366905B2 (en) * | 2002-02-28 | 2008-04-29 | Nokia Corporation | Method and system for user generated keys and certificates |
US9167420B2 (en) * | 2002-05-24 | 2015-10-20 | Ims Health Inc. | Mobile terminal system |
US20030228866A1 (en) * | 2002-05-24 | 2003-12-11 | Farhad Pezeshki | Mobile terminal system |
US20100205436A1 (en) * | 2002-05-24 | 2010-08-12 | Diversinet Corp. | Mobile Terminal System |
US20040203598A1 (en) * | 2002-10-09 | 2004-10-14 | Naveen Aerrabotu | Contact validation and trusted contact updating in mobile wireless communications devices |
US7426382B2 (en) * | 2002-10-09 | 2008-09-16 | Motorola, Inc. | Contact validation and trusted contact updating in mobile wireless communications devices |
US8019082B1 (en) * | 2003-06-05 | 2011-09-13 | Mcafee, Inc. | Methods and systems for automated configuration of 802.1x clients |
US20050154918A1 (en) * | 2003-11-19 | 2005-07-14 | David Engberg | Distributed delegated path discovery and validation |
US8707030B2 (en) * | 2003-11-19 | 2014-04-22 | Corestreet, Ltd. | Distributed delegated path discovery and validation |
FR2869176A1 (en) * | 2004-04-16 | 2005-10-21 | Sagem | METHOD OF VERIFYING IN A RADIO TERMINAL THE AUTHENTICITY OF DIGITAL CERTIFICATES AND AUTHENTICATION SYSTEM |
EP1587238A1 (en) * | 2004-04-16 | 2005-10-19 | Sagem S.A. | Method for verifying in a radio terminal the authenticity of digital certificates and authentification system |
US20060174124A1 (en) * | 2005-01-25 | 2006-08-03 | Cisco Technology, Inc. | System and method for installing trust anchors in an endpoint |
US8312263B2 (en) * | 2005-01-25 | 2012-11-13 | Cisco Technology, Inc. | System and method for installing trust anchors in an endpoint |
US20060242410A1 (en) * | 2005-04-26 | 2006-10-26 | Microsoft Corporation | Mobile device authentication with a data source using self-signed certificates |
US20070136574A1 (en) * | 2005-12-09 | 2007-06-14 | Samsung Electronics Co., Ltd. | Apparatus and method for managing plurality of certificates |
EP1796310A1 (en) * | 2005-12-09 | 2007-06-13 | Samsung Electronics Co., Ltd. | Apparatus and method for managing certificates |
US8006084B2 (en) | 2005-12-09 | 2011-08-23 | Samsung Electronics Co., Ltd. | Apparatus and method for managing plurality of certificates |
US8041943B2 (en) | 2006-03-29 | 2011-10-18 | Nds Limited | Revocation list improvement |
WO2007110852A3 (en) * | 2006-03-29 | 2009-04-30 | Nds Ltd | Revocation list improvement |
US20090113206A1 (en) * | 2006-03-29 | 2009-04-30 | Nds Limited | Revocation List Improvement |
US8549295B2 (en) * | 2006-05-31 | 2013-10-01 | Microsoft Corporation | Establishing secure, mutually authenticated communication credentials |
US9160740B2 (en) | 2006-05-31 | 2015-10-13 | Microsoft Technology Licensing, Llc | Establishing secure, mutually authenticated communication credentials |
US20070283154A1 (en) * | 2006-05-31 | 2007-12-06 | Microsoft Corporation | Establishing secure, mutually authenticated communication credentials |
US8943323B2 (en) * | 2006-07-20 | 2015-01-27 | Blackberry Limited | System and method for provisioning device certificates |
US20120216042A1 (en) * | 2006-07-20 | 2012-08-23 | Research In Motion Limited | System and Method for Provisioning Device Certificates |
WO2008042524A2 (en) * | 2006-09-29 | 2008-04-10 | Motorola, Inc. | Method and system for displaying trust level on a wireless communication device |
WO2008042524A3 (en) * | 2006-09-29 | 2008-10-02 | Motorola Inc | Method and system for displaying trust level on a wireless communication device |
US8407464B2 (en) * | 2006-10-10 | 2013-03-26 | Cisco Technology, Inc. | Techniques for using AAA services for certificate validation and authorization |
US20080086634A1 (en) * | 2006-10-10 | 2008-04-10 | Cisco Technology, Inc. | Techniques for using AAA services for certificate validation and authorization |
US20100185849A1 (en) * | 2007-06-11 | 2010-07-22 | Telefonaktiebolaget L M Ericsson (Publ) | Method and arrangement for certificate handling |
US8799648B1 (en) * | 2007-08-15 | 2014-08-05 | Meru Networks | Wireless network controller certification authority |
US9692602B2 (en) * | 2007-12-18 | 2017-06-27 | The Directv Group, Inc. | Method and apparatus for mutually authenticating a user device of a primary service provider |
US20090158414A1 (en) * | 2007-12-18 | 2009-06-18 | Kapil Chaudhry | Method and apparatus for mutually authenticating a user device of a primary service provider |
US8539225B2 (en) * | 2008-04-30 | 2013-09-17 | Motorola Solutions, Inc. | Method and device for dynamic deployment of trust bridges in an ad hoc wireless network |
US20090276841A1 (en) * | 2008-04-30 | 2009-11-05 | Motorola, Inc. | Method and device for dynamic deployment of trust bridges in an ad hoc wireless network |
US8751788B2 (en) * | 2008-06-10 | 2014-06-10 | Paymetric, Inc. | Payment encryption accelerator |
US20100070754A1 (en) * | 2008-06-10 | 2010-03-18 | Paymetric, Inc. | Payment encryption accelerator |
US8130146B2 (en) | 2008-07-29 | 2012-03-06 | Motorola Solutions, Inc. | Method for measuring the time of arrival of radio signals |
US8595484B2 (en) | 2008-07-29 | 2013-11-26 | Motorola Solutions, Inc. | Method and device for distributing public key infrastructure (PKI) certificate path data |
US20100026576A1 (en) * | 2008-07-29 | 2010-02-04 | Motorola, Inc. | Method for measuring the time of arrival of radio signals |
US20100031027A1 (en) * | 2008-07-29 | 2010-02-04 | Motorola, Inc. | Method and device for distributing public key infrastructure (pki) certificate path data |
US8285985B2 (en) * | 2008-12-15 | 2012-10-09 | Sap Ag | Systems and methods for detecting exposure of private keys |
US20100153713A1 (en) * | 2008-12-15 | 2010-06-17 | Sap Ag | Systems and methods for detecting exposure of private keys |
US8489894B2 (en) | 2010-05-26 | 2013-07-16 | Paymetric, Inc. | Reference token service |
US9083535B2 (en) * | 2010-11-05 | 2015-07-14 | Nokia Corporation | Method and apparatus for providing efficient management of certificate revocation |
US20130238897A1 (en) * | 2010-11-05 | 2013-09-12 | Atefeh Mashatan | Method and apparatus for providing efficient management of certificate revocation |
US20120303951A1 (en) * | 2011-05-27 | 2012-11-29 | General Instrument Corporation | Method and system for registering a drm client |
US9184917B2 (en) * | 2011-05-27 | 2015-11-10 | Google Technology Holdings LLC | Method and system for registering a DRM client |
US20130145158A1 (en) * | 2011-09-02 | 2013-06-06 | Stephen Pao | System and Web Security Agent Method for Certificate Authority Reputation Enforcement |
US20140101442A1 (en) * | 2011-09-02 | 2014-04-10 | Barracuda Networks, Inc. | System and web security agent method for certificate authority reputation enforcement |
US9281948B2 (en) | 2012-02-09 | 2016-03-08 | Microsoft Technology Licensing, Llc | Revocation information for revocable items |
US10038555B2 (en) * | 2012-03-15 | 2018-07-31 | Mikoh Corporation | Biometric authentication system |
US20150046707A1 (en) * | 2012-03-15 | 2015-02-12 | Mikoh Corporation | Biometric authentication system |
US9112704B2 (en) | 2012-06-22 | 2015-08-18 | Ologn Technologies Ag | Systems, methods and apparatuses for securing root certificates |
US9426146B2 (en) | 2012-06-25 | 2016-08-23 | International Business Machines Corporation | Digital certificate issuer-correlated digital signature verification |
US9749139B2 (en) | 2012-06-25 | 2017-08-29 | International Business Machines Corporation | Digital certificate issuer-correlated digital signature verification |
US9755838B2 (en) | 2012-06-25 | 2017-09-05 | International Business Machines Corporation | Digital certificate issuer-correlated digital signature verification |
US9197631B2 (en) | 2012-06-25 | 2015-11-24 | International Business Machines Corporation | Digital certificate issuer-correlated digital signature verification |
US8959337B2 (en) * | 2012-06-25 | 2015-02-17 | International Business Machines Corporation | Digital certificate issuer-correlated digital signature verification |
US20130346743A1 (en) * | 2012-06-25 | 2013-12-26 | International Business Machines Corporation | Digital certificate issuer-correlated digital signature verification |
US9077546B1 (en) * | 2012-11-27 | 2015-07-07 | Symnatec Corporation | Two factor validation and security response of SSL certificates |
US20140215206A1 (en) * | 2013-01-29 | 2014-07-31 | Certicom Corp. | System and method for providing a trust framework using a secondary network |
US9473309B2 (en) * | 2013-01-29 | 2016-10-18 | Blackberry Limited | System and method for providing a trust framework using a secondary network |
US20230198782A1 (en) * | 2013-03-15 | 2023-06-22 | Poltorak Technologies Llc | System and method for secure relayed communications from an implantable medical device |
US11930126B2 (en) * | 2013-03-15 | 2024-03-12 | Piltorak Technologies LLC | System and method for secure relayed communications from an implantable medical device |
US10218693B2 (en) | 2014-08-21 | 2019-02-26 | International Business Machines Corporation | Management of digital certificates |
US10218692B2 (en) | 2014-08-21 | 2019-02-26 | International Business Machines Corporation | Management of digital certificates |
DE102014222433A1 (en) * | 2014-11-04 | 2016-05-04 | Siemens Aktiengesellschaft | Method and computing device for the adaptive provision of root certificates |
CN104618108A (en) * | 2014-12-30 | 2015-05-13 | 北京奇虎科技有限公司 | Safety communication system |
CN104573554A (en) * | 2014-12-30 | 2015-04-29 | 北京奇虎科技有限公司 | Method for loading safety key storage hardware and browser client device |
US20160352521A1 (en) * | 2015-05-27 | 2016-12-01 | International Business Machines Corporation | Automatic root key rollover during digital signature verification |
US10057067B2 (en) * | 2015-05-27 | 2018-08-21 | International Business Machines Corporation | Automatic root key rollover during digital signature verification |
US10110596B2 (en) * | 2015-05-28 | 2018-10-23 | Ricoh Company, Ltd. | Information processing system, information processing apparatus, method for managing electronic certificate |
US10922418B2 (en) | 2015-10-01 | 2021-02-16 | Twistlock, Ltd. | Runtime detection and mitigation of vulnerabilities in application software containers |
US10567411B2 (en) | 2015-10-01 | 2020-02-18 | Twistlock, Ltd. | Dynamically adapted traffic inspection and filtering in containerized environments |
US10706145B2 (en) | 2015-10-01 | 2020-07-07 | Twistlock, Ltd. | Runtime detection of vulnerabilities in software containers |
US10664590B2 (en) | 2015-10-01 | 2020-05-26 | Twistlock, Ltd. | Filesystem action profiling of containers and security enforcement |
US10599833B2 (en) | 2015-10-01 | 2020-03-24 | Twistlock, Ltd. | Networking-based profiling of containers and security enforcement |
US11640472B2 (en) | 2015-10-01 | 2023-05-02 | Twistlock, Ltd. | Profiling of spawned processes in container images and enforcing security policies respective thereof |
US11625489B2 (en) | 2015-10-01 | 2023-04-11 | Twistlock, Ltd. | Techniques for securing execution environments by quarantining software containers |
US11068585B2 (en) | 2015-10-01 | 2021-07-20 | Twistlock, Ltd. | Filesystem action profiling of containers and security enforcement |
US10943014B2 (en) | 2015-10-01 | 2021-03-09 | Twistlock, Ltd | Profiling of spawned processes in container images and enforcing security policies respective thereof |
US10586042B2 (en) | 2015-10-01 | 2020-03-10 | Twistlock, Ltd. | Profiling of container images and enforcing security policies respective thereof |
US10915628B2 (en) | 2015-10-01 | 2021-02-09 | Twistlock, Ltd. | Runtime detection of vulnerabilities in an application layer of software containers |
US10223534B2 (en) | 2015-10-15 | 2019-03-05 | Twistlock, Ltd. | Static detection of vulnerabilities in base images of software containers |
US10778446B2 (en) * | 2015-10-15 | 2020-09-15 | Twistlock, Ltd. | Detection of vulnerable root certificates in software containers |
US10719612B2 (en) | 2015-10-15 | 2020-07-21 | Twistlock, Ltd. | Static detection of vulnerabilities in base images of software containers |
US9887975B1 (en) * | 2016-08-03 | 2018-02-06 | KryptCo, Inc. | Systems and methods for delegated cryptography |
US20180041484A1 (en) * | 2016-08-03 | 2018-02-08 | KryptCo, Inc. | Systems and methods for delegated cryptography |
US10587603B2 (en) * | 2016-08-18 | 2020-03-10 | Idaptive, Llc | Zero sign-on using a web browser |
US20180054434A1 (en) * | 2016-08-18 | 2018-02-22 | Centrify Corporation | Zero sign-on using a web browser |
US10771261B1 (en) * | 2016-09-29 | 2020-09-08 | EMC IP Holding Company LLC | Extensible unified multi-service certificate and certificate revocation list management |
US20180262347A1 (en) * | 2017-03-08 | 2018-09-13 | Amazon Technologies, Inc. | Digital certificate usage monitoring systems |
US10615987B2 (en) * | 2017-03-08 | 2020-04-07 | Amazon Technologies, Inc. | Digital certificate usage monitoring systems |
US10516542B2 (en) * | 2017-03-08 | 2019-12-24 | Amazon Technologies, Inc. | Digital certificate issuance and monitoring |
US10812487B2 (en) | 2017-03-08 | 2020-10-20 | Bank Of America Corporation | Certificate system for verifying authorized and unauthorized secure sessions |
US10848492B2 (en) | 2017-03-08 | 2020-11-24 | Bank Of America Corporation | Certificate system for verifying authorized and unauthorized secure sessions |
US10862892B2 (en) | 2017-03-08 | 2020-12-08 | Bank Of America Corporation | Certificate system for verifying authorized and unauthorized secure sessions |
US10484355B1 (en) | 2017-03-08 | 2019-11-19 | Amazon Technologies, Inc. | Detecting digital certificate expiration through request processing |
US10432595B2 (en) | 2017-03-08 | 2019-10-01 | Bank Of America Corporation | Secure session creation system utililizing multiple keys |
US10425417B2 (en) * | 2017-03-08 | 2019-09-24 | Bank Of America Corporation | Certificate system for verifying authorized and unauthorized secure sessions |
US10374808B2 (en) | 2017-03-08 | 2019-08-06 | Bank Of America Corporation | Verification system for creating a secure link |
US11621948B2 (en) | 2017-03-08 | 2023-04-04 | Amazon Technologies, Inc. | Detecting digital certificate expiration through request processing |
US10361852B2 (en) | 2017-03-08 | 2019-07-23 | Bank Of America Corporation | Secure verification system |
US20180262504A1 (en) * | 2017-03-08 | 2018-09-13 | Bank Of America Corporation | Certificate system for verifying authorized and unauthorized secure sessions |
US20180262346A1 (en) * | 2017-03-08 | 2018-09-13 | Amazon Technologies, Inc. | Digital certificate issuance and monitoring |
CN107332858A (en) * | 2017-08-07 | 2017-11-07 | 成都汇智远景科技有限公司 | Cloud date storage method |
Also Published As
Publication number | Publication date |
---|---|
US6777383B1 (en) | 2004-08-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20030014629A1 (en) | Root certificate management system and method | |
US8195935B2 (en) | Systems, methods and computer-accessible media for acquiring and authenticating public key certificate status | |
US7383434B2 (en) | System and method of looking up and validating a digital certificate in one pass | |
US8621206B2 (en) | Authority-neutral certification for multiple-authority PKI environments | |
AU2003212723B2 (en) | Single sign-on secure service access | |
US6993652B2 (en) | Method and system for providing client privacy when requesting content from a public server | |
US7290133B1 (en) | Method and apparatus improving efficiency of end-user certificate validation | |
US20020035685A1 (en) | Client-server system with security function intermediary | |
US20040073801A1 (en) | Methods and systems for flexible delegation | |
US9787478B2 (en) | Service provider certificate management | |
JP2005517348A (en) | A secure electronic messaging system that requires a key search to derive a decryption key | |
AU2009225492A1 (en) | System and method for storing client-side certificate credentials | |
Pritikin et al. | Bootstrapping remote secure key infrastructures (BRSKI) | |
US11368450B2 (en) | Method for bidirectional authorization of blockchain-based resource public key infrastructure | |
EP1836798A2 (en) | Method and apparatus providing policy-based revocation of network security credentials | |
US20100306820A1 (en) | Control of message to be transmitted from an emitter domain to a recipient domain | |
Schuba et al. | Countering abuse of name-based authentication | |
US8112535B2 (en) | Securing a server in a dynamic addressing environment | |
KR100501172B1 (en) | System and Method for Status Management of Wireless Certificate for Wireless Internet and Method for Status Verification of Wireless Certificate Using The Same | |
US20050066057A1 (en) | Method and arrangement in a communications network | |
Ahmed et al. | Transparency of SIM profiles for the consumer remote SIM provisioning protocol | |
Berbecaru et al. | On the complexity of public-key certificate validation | |
CN117061251B (en) | PKI certificate suspension revocation method and system for authentication platform | |
Matsumoto | Effective and Practical Improvements to the Web Public-Key Infrastructure | |
CA2374195C (en) | System and method of looking up and validating a digital certificate in one pass |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: ENTRUST TECHNOLOGIES LTS., CANADA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ZUCCHERATO, ROBERT J.;REEL/FRAME:012008/0611 Effective date: 20010716 |
|
AS | Assignment |
Owner name: ENTRUST TECHNOLOGIES LIMITED, CANADA Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE SPELLING OF THE ADDRESS PREVIOUSLY RECORDED ON REEL 012008 FRAME 0611;ASSIGNOR:ZUCCHERATO, ROBERT J.;REEL/FRAME:012275/0585 Effective date: 20010716 |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |