US2006236098A1PendingUtilityA1

Multisigning - a protocol for robust multiple party digital signatures

46
Assignee: GANTMAN ALEXANDERPriority: Mar 31, 2005Filed: Jul 15, 2005Published: Oct 19, 2006
Est. expiryMar 31, 2025(expired)· nominal 20-yr term from priority
H04L 63/0823H04L 9/3265H04L 9/3255H04L 2209/80H04L 9/3297H04L 63/0478H04L 63/126
46
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Embodiments describe a system and/or method for multiple party digital signatures. According to a first aspect a method comprises establishing a first validity range for a first key, establishing a first validity range for at least a second key, and determining if the validity range of the first key overlaps the first validity range of the at least a second key. A certificate is signed with the first validity range of the first key and the first validity range of the at least a second key if the validity ranges overlap. According to another embodiment, signage of the certificate is refused if the first validity range of the first key does not overlap with the first validity range of the at least a second key.

Claims

exact text as granted — not AI-modified
1 . A method for multiple party digital signatures, comprising: 
 establishing an initial validity range for a first key;    establishing a first validity range for at least a second key; and    determining if the initial validity range of the first key overlaps with the first validity range of the at least a second key.    
   
   
       2 . The method of  claim 1 , further comprising: 
 signing a certificate within the initial validity range of the first key and the first validity range of the at least a second key if the validity ranges overlap.    
   
   
       3 . The method of  claim 1 , further comprising: 
 refusing signage of a certificate if the initial validity range of the first key does not overlap with the first validity range of the at least a second key.    
   
   
       4 . The method of  claim 1 , further comprising: 
 establishing a secondary validity range for the first key that is disjoint from the initial validity range; and    establishing a second validity range for the second key that is disjoint from the first validity range.    
   
   
       5 . The method of  claim 4 , further comprising: 
 revoking the initial validity range of the first key and the first validity range of the at least second key; and    determining if the secondary validity range of the first key and the second validity range for the second key overlap.    
   
   
       6 . The method of  claim 5 , further comprising: 
 signing a certificate with the secondary validity range of the first key and the second validity range of the at least a second key if the validity ranges overlap.    
   
   
       7 . The method of  claim 5 , further comprising: 
 refusing certificate signage if the secondary validity range of the first key does not overlap with the second validity range of the at least a second key.    
   
   
       8 . The method of  claim 1 , further comprising 
 providing the initial validity range of the first key a start timestamp and an end timestamp that determines the range of the initial validity range; and    providing the first validity range of the second key a start timestamp and an end timestamp that determines the range of the first validity range.    
   
   
       9 . The method of  claim 8 , further comprising: 
 establishing a secondary validity range for the first key that has a start timestamp and an end timestamp that is separate from the initial validity range of the first key; and    establishing a second validity range for the second key that has a start timestamp and an end timestamp that is separate from the first validity range of the second key.    
   
   
       10 . The method of  claim 9 , further comprising: 
 establishing a third validity range of the first and second keys before an expiration of the secondary validity range of the first key and the second validity range of the second key.    
   
   
       11 . A method of verifying multiple party digital signatures, comprising: 
 signing a block of data by multiple parties;    verifying the block of data with a correct number of verified signatures; and    determining if the number of verified signatures satisfies a verification policy.    
   
   
       12 . The method of  claim 11 , further comprising: 
 trusting the block of data if the number of verified signatures satisfies the verification policy.    
   
   
       13 . The method of  claim 11 , further comprising: 
 denying trust to the block of data if the number of verified signatures does not satisfy the verification policy.    
   
   
       14 . The method of  claim 11 , the number of verified signatures that satisfies the verification policy is a predefined number of signatures less than the number of signers.  
   
   
       15 . The method of  claim 14 , the number of verified signatures is less than the number of multiple parties that signed the certificate.  
   
   
       16 . The method of  claim 11 , revocation of at least one key associated with at least one of the multiple parties that signed the block of data prevents further signing until all multiple parties have regenerated new keys.  
   
   
       17 . An apparatus for creating a digital signature, comprising: 
 a processor that creates a public key and a corresponding private key;    a publisher component that publishes a certificate containing the public key; and    an annotation component that annotates the published certificate with an enforcement range.    
   
   
       18 . The apparatus of  claim 17 , the annotation component establishes a start event and an end event.  
   
   
       19 . The apparatus of  claim 18 , the start event and the end event define the enforcement range.  
   
   
       20 . The apparatus of  claim 17 , the processor creates subsequent public and private key pairs and the publisher component publishes subsequent certificates containing a respective public key.  
   
   
       21 . The apparatus of  claim 20 , the annotation component annotates the subsequent certificates with respective start events and end events.  
   
   
       22 . The apparatus of  claim 21 , the respective start events and end events represent respective enforcement ranges.  
   
   
       23 . The apparatus of  claim 22 , the respective enforcement ranges are not related.  
   
   
       24 . The apparatus of  claim 17 , the processor creates subsequent public and private key pairs before an expiration of the previous enforcement range.  
   
   
       25 . A system for digital signatures comprising: 
 means for creating an initial validity range for a first key;    means for creating a first validity range for at least a second key; and    means for determining if the initial range of the first key overlaps with the first validity range of the at least a second key.    
   
   
       26 . The system of  claim 25 , further comprising: 
 means for signing a certificate with the initial validity range of the first key and the first validity range of the at least a second key if the validity ranges overlap.    
   
   
       27 . The system of  claim 25 , further comprising: 
 means for refusing to sign a certificate if the initial validity range of the first key does not overlap with the first validity range of the at least a second key.    
   
   
       28 . The system of  claim 25 , further comprising: 
 means for creating a subsequent validity range for the first key that is disjoint from the initial validity range; and    means for creating a second validity range for the second key that is disjoint from the first validity range.    
   
   
       29 . The system of  claim 28 , further comprising: 
 means for determining if the subsequent validity range of the first key and the second validity range of the second key overlap.    
   
   
       30 . The system of  claim 29 , further comprising: 
 means for signing a certificate with the subsequent validity range of the first key and the second validity range of the at least a second key if the validity ranges overlap.    
   
   
       31 . The system of  claim 29 , further comprising: 
 means for refusing to sign a certificate if the subsequent validity range of the first key does not overlap with the second validity range of the at least a second key.    
   
   
       32 . The system of  claim 31 , further comprising 
 means for providing the initial validity range of the first key a start timestamp and an end timestamp that determines the range of the first validity range; and    means for providing the first validity range of the second key a start timestamp and an end timestamp that determines the range of the first validity range.    
   
   
       33 . The system of  claim 32 , further comprising: 
 means for establishing a subsequent validity range for the first key that has a start timestamp and an end timestamp that is separate from the first validity range of the first signature; and    means for establishing a second validity range for the second key that has a start timestamp and an end timestamp that is separate from the first validity range of the second signature.    
   
   
       34 . The system of  claim 33 , further comprising: 
 establishing a third validity range of the first and second keys before an expiration of the subsequent validity range and the second validity range.    
   
   
       35 . A computer readable medium having computer-executable instructions for: 
 signing a certificate with a first key that has a predetermined usage range;    signing the certificate with a second key that has a predetermined usage range that overlaps the predetermined usage range of the first key; and    signing the certificate with a third key that has a predetermined usage range that overlaps the predetermined usage ranges of the first and second keys.    
   
   
       36 . The computer readable medium of  claim 35 , further comprising computer-executable instructions for: 
 certifying the certificate during a validity range of the predetermined usage ranges of the first key, second key and third key.    
   
   
       37 . The computer readable medium of  claim 35 , further comprising computer-executable instructions for: 
 creating a fourth key with a predetermined usage range that does not contain the usage range of the first key;    creating a fifth key with a predetermined usage range that does not contain the usage range of the second key; and    creating a sixth key with a predetermined usage range that does not contain the usage range of the third key.    
   
   
       38 . The computer readable medium of  claim 37 , the first, second, third, fourth, fifth and sixth keys are duration keys.  
   
   
       39 . The computer readable medium of  claim 38 , further comprising: 
 an intermediate key with a predetermined usage range that is longer than the predetermined usage ranges of the duration keys and wherein the duration keys are included in a hierarchy of the intermediate key.    
   
   
       40 . The computer readable medium of  claim 39 , further comprising: 
 a root key with a predetermined usage range that is longer than the predetermined usage range of the intermediate key and wherein the intermediate key is included in a hierarchy of the root key.    
   
   
       41 . The computer readable medium of  claim 40 , further comprising computer-executable instructions for: 
 denying certification of the certificate if the intermediate key is not included in the hierarchy of the root key; and    denying certification of the certificate if the duration keys are not included in the hierarchy of the intermediate key.    
   
   
       42 . The computer readable medium of  claim 37 , further comprising computer-executable instructions for: 
 determining if the predetermined usage ranges of the fourth, fifth and sixth keys overlap.    
   
   
       43 . The computer readable medium of  claim 38 , further comprising computer-executable instructions for: 
 validating a second certificate if the predetermined usage ranges of the fourth, fifth and sixth keys overlap.    
   
   
       44 . The computer readable medium of  claim 38 , further comprising computer-executable instructions for: 
 invalidating a second certificate if the predetermined usage ranges of the fourth, fifth and sixth keys do not overlap.    
   
   
       45 . A portable communication device comprising the computer readable medium of  claim 35 .  
   
   
       46 . A method for establishing a certification hierarchy, comprising: 
 creating at least a first root key that has a validity range;    creating at least a first intermediate key that has a validity range; and    determining if the range of the at least a first intermediate key is contained within the validity range of the at least a first root key.    
   
   
       47 . The method of  claim 46 , further comprising: 
 associating a trust level to a certificate signed by the at least a first intermediate key if the range of the at least a first intermediate key is contained within the validity range of at least a first root key.    
   
   
       48 . The method of  claim 46 , further comprising: 
 associating an untrustworthy level to a certificate signed by the at least a first intermediate key if the validity range of the at least a first intermediate key is not contained within the validity range of the at least a first root key.    
   
   
       49 . The method of  claim 46 , further comprising: 
 creating at least a first duration key that has a validity range; and    determining if the validity range of the at least a first root key includes the validity range of the at least a first intermediate key; and    determining if the validity range of the at least a first intermediate key includes the validity range of the at least a first duration key.    
   
   
       50 . The method of  claim 49 , further comprising: 
 associating a trust level to a certificate signed by the at least a first duration key if the validity range of the at least a first root key includes the validity range of the at least a first intermediate key and the validity range of the at least a first duration key is included within the validity range of the at least a first intermediate key.    
   
   
       51 . The method of  claim 49 , further comprising: 
 denying a level of trust to a certificate signed by the at least a first duration key if the validity range of the at least a first intermediate key does not include the validity range of the at least a first duration key or if the validity range of the at least a first root key does not include the validity range of the at least a first intermediate key.    
   
   
       52 . A processor that executes instructions for multiple party signatures, the instructions comprising: 
 establishing a range in which a certificate is valid based upon a plurality of signatures that have predetermined ranges; and    monitoring the predetermined ranges and invalidating the certificate upon expiration of at least one of the plurality of predetermined ranges of the plurality of signatures.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.