Root certificate management system and method
Abstract
A method and system for validating a certificate maintains a multi-subscriber root certificate store, containing subscriber identification data for a plurality of subscribers along with data representing a plurality of root certificates, such as an index to root certificates or the root certificates themselves, associated with each of the plurality of subscribers. In one example, a table is stored containing specified root CA certificates for a plurality of subscribers in a network such as stored by a network element in a wireless radiotelephone network, or any other suitable wireless network. Subscriber units do not have a root CA store that contains pre-stored root CA certificates. Accordingly, memory is saved in the subscriber units. In addition, a separate server that stores the multi-subscribers root certificate store preferably carries out certificate path validation on behalf of the mobile units so that the wireless mobile unit need not carry out certificate path construction. Instead, a wireless mobile unit simply sends a certificate to be validated along with its subscriber ID data identifying the mobile unit or application to the multi-subscriber root certificate store server and waits for a “yes” or “no” answer from the server to determine whether the certificate is valid.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method for validating a certificate comprising:
maintaining a multi-subscriber root certificate store containing subscriber identification data for a plurality of subscribers and data representing a plurality of root certificates associated with each of the plurality of subscribers; receiving data representing a first certificate to be validated; receiving first user identification data in connection with a request to validate the first certificate for a first user; and obtaining, based on the received first user identification data, those root certificates trusted by the first user from the multi-root certificate store.
2 . The method of claim 1 including the step of providing data representing whether validation of the first certificate was successful based on a root certificate from those trusted by the first user as obtained from the multi-user root certificate store.
3 . The method of claim 1 including the step of validating, by a party other than the first user, the first certificate using a first root certificate from those obtained from the multi-root certificate store.
4 . The method of claim 3 wherein validating the first certificate includes constructing a certificate chain between the first certificate and the first root certificate and validating the integrity and correctness of each certificate in the chain.
5 . The method of claim 1 including providing a trusted first certificate validation response indicating whether the first certificate is valid.
6 . The method of claim 1 including the step of sending, by a client unit, user identification data for use in obtaining those root certificates trusted by the first user from the multi-root certificate store and sending the data representing a first certificate to be validated.
7 . The method of claim 1 including the step of sending, by a client unit, user identification data for use in obtaining those root certificates trusted by the first user from the multi-root certificate store and sending data representing an address associated with the multi-user root certificate store.
8 . The method of claim 1 wherein the step of maintaining the multi-user root certificate store containing user identification data for the plurality of subscribers and data representing the plurality of root certificates associated with each of the plurality of subscribers includes the step of storing a table containing user identification data for the plurality of subscribers and data representing the plurality of different classes of root certificates associated with each of the plurality of subscribers.
9 . The method of claim 5 including the step of verifying, by the first user, the trusted first certificate validation response indicating whether the first certificate is valid, without accessing a local root certificate store.
10 . The method of claim 5 wherein the trusted first certificate validation response is digitally signed by a server containing the multi-user root certificate store.
11 . The method of claim 1 including the step of sending a root certification authority certificate selection form containing a list of a plurality of root certification authority certificates, to the first user to allow the first user to select which root certificates in the list should be associated with the identification data of the first user.
12 . The method of claim 1 wherein the step of maintaining the multi-user root certificate store containing user identification data for the plurality of subscribers and data representing the plurality of root certificates associated with each of the plurality of subscribers includes the step of removing common root certificates for a plurality of listed users in response to a compromise of the root certificate.
13 . A method for validating a certificate comprising:
sending, by a first wireless mobile unit, data representing a first certificate to be validated and unit identification data representing the first wireless mobile unit; receiving, by the first wireless mobile unit, a trusted first certificate validation response indicating whether the first certificate is valid based on a multi-user root certificate store containing user identification data for a plurality of wireless mobile units and data representing a plurality of root certificates associated with each of the wireless mobile units; and verifying, by the first wireless mobile unit, the trusted first certificate validation response indicating whether the first certificate is valid, without accessing a local root certificate store.
14 . A method for validating a certificate comprising:
maintaining a multi-user root certificate store containing user identification data for a plurality of subscribers and data representing a plurality of root certificates associated with each of the plurality of subscribers; sending, by a first user, a request to validate a first certificate that includes data representing the first certificate to be validated and user identification data for the fist user; receiving the request to validate the first certificate containing the data representing the first certificate to be validated and the user identification data; obtaining, based on the received first user identification data, those root certificates trusted by the first user from the multi-root certificate store; and receiving, by the first user, a trusted first certificate validation response indicating whether the first certificate is valid based on the multi-user root certificate store containing user identification data for a plurality of subscriber and data representing a plurality of root certificates associated with each of the users; and verifying, by the first user, the trusted first certificate validation response to determine whether the first certificate is valid, without accessing a local root certificate store.
15 . The method of claim 14 including the step of validating, by a party other than the first user, the first certificate using a first root certificate from those obtained from the multi-root certificate store.
16 . The method of claim 15 wherein validating the first certificate includes constructing a certificate chain between the first certificate and the first root certificate and validating the integrity and correctness of each certificate in the chain.
17 . The method of claim 14 wherein the step of maintaining the a multi-user root certificate store containing user identification data for the plurality of subscribers and data representing the plurality of root certificates associated with each of the plurality of subscribers includes the step of storing a table containing user identification data for the plurality of subscribers and data representing the plurality of different classes of root certificates associated with each of the plurality of subscribers.
18 . The method of claim 14 wherein the trusted first certificate validation response is digitally signed by a server containing the multi-user root certificate store.
19 . The method of claim 17 including the step of sending a root certification authority certificate selection form containing a list of a plurality of root certification authority certificates, to the first user to allow the first user to select which root certificates in the list should be associated with the identification data of the first user.
20 . A server comprising:
a central root certificate managing module; and memory containing a multi-user root certificate store containing user identification data for a plurality of subscribers and data representing a plurality of root certificates associated with each of the plurality of subscribers; wherein the central root certificate managing module maintains the multi-user root certificate store by at least responding to subscriber requests to change root CA entries.
21 . The server of claim 20 wherein the central root certificate managing module maintains the multi-user root certificate store by removing unacceptable root certificates that are common for a plurality of subscribers.
22 . The server of claim 20 including an interface operative to communicate with a wireless access protocol based gateway.
23 . The server of claim 20 including an interface operative to communicate with a third party root certificate validation provider.
24 . A wireless mobile unit comprising:
a cryptographic engine operative to determine whether a received certificate is valid without referencing a local root certificate store; and memory, operatively coupled to the cryptographic engine, containing at least data representing a verification key associated with a central root certificate managing unit.
25 . The wireless mobile unit of claim 24 wherein the cryptographic engine includes a digital signature verifier and wherein the memory contains a public key certificate associated with the central root certificate managing unit.
26 . The wireless mobile unit of claim 25 wherein the cryptographic engine sends data representing the certificate to be validated and unit identification data representing a user for the central root certificate managing unit; receives a trusted first certificate validation response indicating whether the first certificate is valid based on a multi-user root certificate store containing user identification data for a plurality of wireless mobile units and data representing a plurality of root certificates associated with each of the wireless mobile units; and verifies the trusted first certificate validation response using the stored verification key associated with the central root certificate managing unit indicating whether the first certificate is valid, without accessing a local root certificate store.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.