Class / Patent application number | Description | Number of patent applications / Date published |
713157000 | Chain or hierarchical certificates | 37 |
20080209209 | METHOD AND SYSTEM FOR AUTHENTICATION WHEN CERTIFICATION AUTHORITY PUBLIC AND PRIVATE KEYS EXPIRE - A system for enabling the use of valid authentication certificates when the public key and private keys of any of the certifying authority have expired. The enabling by the system includes obtaining a server certifying authority chain (SCAC) certificate by the server from the certifying authority, presenting the original valid authentication certificate along with the said server certifying authority chain certificate by the server to the browser during the SSL handshake, accepting the transaction by the browser after verification of the original authentication certificate using the expired public key of the certifying authority, and verifying the said SCAC certificate using the new public key of the said certifying authority. | 08-28-2008 |
20080288775 | EMBEDDED HISTORIANS WITH DATA AGGREGATOR - Systems and methods that aggregate history data collected via embedded historians with additional data that is supplied by third parties. Triggering events can be defined for initiating aggregation of such history data with additional data, which enable a process/application to retrieve the operational metric data of the industrial unit/entity from any of a plurality of systems operatively coupled to such industrial unit/entity. | 11-20-2008 |
20090187762 | TERMINAL DEVICE, SERVER DEVICE, AND CONTENT DISTRIBUTION SYSTEM - To provide a content distribution system which can prevent use of content which has been temporarily stored after the valid period. | 07-23-2009 |
20090210703 | Binding a digital certificate to multiple trust domains - A public key infrastructure comprising a participant that issues digital certificates. Each digital certificate can be relied upon in at least two different trust domains. The public key infrastructure does not employ policy mapping between or among the trust domains. Furthermore, the public key infrastructure does not link any pair of trust domains via cross-certificates. Just one trust domain is bound to the digital certificate at any given moment. The current trust domain that is to be bound to the digital certificate is elected by a relying party at the time of reliance, based upon a specific certificate validation methodology selected by the relying party. | 08-20-2009 |
20090235070 | Creation of User Digital Certificate For Portable Consumer Payment Device - A method for creating a digital certificate for a user issued by a reliant party, where the reliant party relies on an established cryptographic infrastructure by a registration or certificate authority is described. The registration authority, typically a large financial or credit institution, has already performed the initial overhead steps necessary for a digital authentication system using a chip card. These steps include minting and distributing the chip card, establishing that the key pair and card are given to the right person, and creating the certificate library. The reliant party leverages this cryptographic infrastructure to issue its own digital certificate and certificate chain to a user already having a chip card from the registration authority. Consequently, a user can have additional digital certificates issued to him without having his chip card modified in any way. All additional digital certificates created for a user are stored at a user-specific memory are in a remote certificate library. | 09-17-2009 |
20090282242 | METHOD FOR ASSEMBLING AUTHORIZATION CERTIFICATE CHAINS FOR SIGNED XML - A method for assembling authorization certificate chains among an authorizer, a client, and a third party allows the client to retain control over third party access. The client stores a first certificate from the authorizer providing access to a protected resource and delegates some or all of the privileges in the first certificate to the third party in a second certificate. The client stores a universal resource identifier (URI) associated with both the first certificate and the third party and provides the second certificate and the URI to the third party. The third party requests access to the protected resource by providing the second certificate and the URI, without knowledge or possession of the first certificate. When the authorizer accesses the URI, the client provides the first certificate to the authorizer, so that the client retains control over the third party's access. | 11-12-2009 |
20090327707 | Process for creating and managing at least one cryptographic key, and system for its implementation - A process for creating and managing pairs of asymmetrical cryptographic keys and/or certificates associated with the pairs of keys, each pair of keys and associated certificates being intended for an object managed by a computer system. The process includes creating an individual request for creating and/or certifying at least one pair of keys for an object of the system that lacks a pair of keys or a certificate for its pair of keys. | 12-31-2009 |
20100082975 | METHOD AND APPARATUS FOR EXTERNAL ORGANIZATION PATH LENGTH VALIDATION WITHIN A PUBLIC KEY INFRASTRUCTURE (PKI) - A method and apparatus for external organization (EO) path length (EOPL) validation are provided. A relying party node (RPN) stores a current EO path length constraint (EOPLC) value, and an EOPL counter that maintains a count of an actual external organization path length. The RPN obtains a chain of certificates that link a subject node (SN) to its trust anchor, and processes the certificates in the chain. When a certificate has a lower EOPLC than the current EOPLC value, the RPN replaces the current EOPLC value with the lower EOPLC. When the certificate currently being evaluated includes an enabled EO flag, the RPN increments the EOPL counter by one. The EOPL validation fails when the EOPL counter is greater than the current EOPLC value, and is successful when the last remaining certificate in the chain is processed without having the EOPL counter exceed the current EOPLC value. | 04-01-2010 |
20100082976 | SYSTEM AND METHOD FOR RETRIEVING RELATED CERTIFICATES - A system and method for searching and retrieving certificates, which may be used in the processing of encoded messages. In one embodiment, a certificate synchronization application is programmed to perform certificate searches by querying one or more certificate servers for all certificate authority (CA) certificates and cross-certificates on the certificate servers. In another embodiment, all certificates related to an identified certificate are retrieved from the certificate servers automatically by the certificate synchronization application, where the related certificates comprise at least one of one or more CA certificates and one or more cross-certificates. Embodiments of the invention facilitate at least partial automation of the downloading and establishment of certificate chains, thereby minimizing the need for users to manually search for individual certificates. | 04-01-2010 |
20100100731 | PUSHING CERTIFICATE CHAINS TO REMOTE DEVICES - Rather than managing a certificate chain related to a newly issued identity certificate at a terminal to which a wireless device occasionally connects, a certificate server can act to determine the identity certificates in a certificate chain related to the newly issued identity certificate. The certificate server can also act to obtain the identity certificates and transmit the identity certificates towards the device that requested the newly issued identity certificate. A mail server may receive the newly issued identity certificate and the identity certificates in the certificate chain and manage the timing of the transmittal of the identity certificates. By transmitting the identity certificates in the certificate chain before transmitting the newly issued identity certificate, the mail server allows the user device to verify the authenticity of the newly issued identity certificate. | 04-22-2010 |
20100115269 | Revoking Malware in a Computing Device - A computing device is operated in a manner which provides improved checking to determine whether or not an authentication certificate for a software application being loaded onto the device has been revoked. In the case of trusted certificate chains that contain no revocation information, the device checks using an AuthorityInfoAccess extension (AIA) as selected by the device. In the case of untrusted certificate chains, notably including self-signed certificates, the device is controlled so that it ignores any authentication revocation information provided with the software application and always uses information stored on the device. | 05-06-2010 |
20100217975 | METHOD AND SYSTEM FOR SECURE ONLINE TRANSACTIONS WITH MESSAGE-LEVEL VALIDATION - A method and system for authenticating a client and a server is disclosed. In one contemplated embodiment, the client has a client certificate and the server have a server certificate. The client is validated to an authentication module based upon a certificate request identifier generated thereby, a secure data link certificate, and an authentication module Uniform Resource Locator. The authentication module is validated to the client based upon the client certificate and the certificate request identifier. A password associated with a user identifier that is encrypted with a private client key and signed with a public server key is transmitted to the authentication module. The password is then validated. | 08-26-2010 |
20100223460 | SYSTEM AND METHOD FOR REQUESTING AND ISSUING AN AUTHORIZATION DOCUMENT - A device and method for supporting the issuing of an authorization document ( | 09-02-2010 |
20100268944 | INFORMATION PROCESSING DEVICE, DISC, INFORMATION PROCESSING METHOD, AND PROGRAM - A configuration is provided wherein usage restrictions of an application are determined in accordance with timestamps. A certificate revocation list (CRL) in which the revocation information of a content owner who is a providing entity of an application program recorded in a disc is recorded is referred to verify whether or not a content owner identifier recorded in an application certificate is included in the CRL, and in the case that the content owner identifier is included in the CRL, comparison between a timestamp stored in a content certificate and a CRL timestamp is executed, and in the case that the content certificate timestamp has date data equal to or later than the CRL timestamp, utilization processing of the application program is prohibited or restricted. According to the present configuration, a configuration is realized wherein an unrevoked application is not subjected to utilization restriction, and only a revoked application is subjected to utilization restriction. | 10-21-2010 |
20100275014 | METHOD AND APPARATUS TO CREATE A SECURE WEB-BROWSING ENVIRONMENT WITH PRIVILEGE SIGNING - Devices and methods use digital certificates and digital signatures to enable computing devices, such as mobile devices, to trust a server attempting to access a resource on the computing device. The server may present the computing device with a digital certificate issued by a trusted third party which includes information so that the computing device can determine which resources the server should be trusted to access. The computing device can determine that the digital certificate was issued by a trusted third party by examining the chain of digital certificates that may link the server with an inherently trusted authority. | 10-28-2010 |
20110296173 | METHOD AND APPARATUS FOR ACHIEVING NONCONFORMANT PUBLIC KEY INFRASTRUCTURES - Method and apparatus are described wherein, in one example embodiment, a public key certificate issued by a certificate authority includes at least one characteristic that conforms to at least one rule established for the operation of a public key infrastructure. An attribute certificate is issued to be used to modify the public key certificate in accordance with information contained in the attribute certificate to create a modified public key certificate wherein the at least one characteristic is modified so as to be non-conformant with the at least one rule. According to one example embodiment, the attribute certificates may be distributed by a certificate authority, or embedded in an application that includes an engine that is used to modify the conforming public key certificate. | 12-01-2011 |
20120173874 | Method And Apparatus For Protecting Against A Rogue Certificate - Disclosed is a method for protecting against a rogue certificate. In the method, a web client receives a first certificate from a server during an initial session. The first certificate has a first certificate chain to an authority certificate signed by a certificate authority. The web client receives a second certificate during a subsequent session. The second certificate has a second certificate chain to a signed authority certificate. The web client assigns a signature security rating to each chain certificate in the first and second certificate chains. The web client compares the signature security rating of each corresponding chain certificate in the first and second certificate chains. The web client treats the second certificate as insecure if the signature security rating of a chain certificate in the second certificate chain is lowered from that of a corresponding chain certificate in the first certificate chain. | 07-05-2012 |
20120216035 | VALIDATING A CERTIFICATE CHAIN IN A DISPERSED STORAGE NETWORK - A method begins by a processing module receiving a certificate chain and determining whether at least one of one or more signed certificates of the chain has a valid signature. When the at least one of the one or more signed certificates has a valid signature, the method continues with the processing module identifying one or more certificate authorities (CA) to produce identified CAs, accessing registry information that includes one or more realm identifiers (IDs) and a plurality of trusted CA IDs, determining whether one or more of the identified CAs is a trusted CA, and when the one or more of the identified CAs is a trusted CA, indicating that the certificate chain is valid, identifying a realm ID based on a trusted CA ID, and generating certificate chain validation information to include the realm ID, trusted CAs, and the indication of the validity of the certificate chain. | 08-23-2012 |
20120265985 | APPLICATION EXECUTING DEVICE, MANAGING METHOD, AND PROGRAM - A playback device reads an application and a digital stream from a recording medium to execute the application with playback of the digital stream. The playback device includes a management unit operable to verify authenticity of the application by judging whether a disc root certificate is identical to a first root certificate, and an execution unit operable to execute the application if authenticity of the application is verified by the management unit. The playback device also includes a storage unit having a storage area that is specified by a file path that uses the provider ID and a hash value of a second root certificate, and a playback unit operable to play back the digital stream in accordance with the playlist information. | 10-18-2012 |
20120303951 | METHOD AND SYSTEM FOR REGISTERING A DRM CLIENT - A client, method and system for registering a DRM client is disclosed. The method ( | 11-29-2012 |
20130007448 | SYSTEM AND METHOD FOR UPDATING MESSAGE TRUST STATUS - Systems and methods for processing encoded messages within a wireless communications system are disclosed. A server within the wireless communications system performs signature verification of an encoded message and provides, together with the message, an indication to the mobile device that the message has been verified. In addition, the server provides supplemental information, such as, for example, a hash of the certificate or certificate chain used to verify the message, to the device, to enable the device to perform additional checks on the certificate, such as, for example, validity checks, trust checks, strength checks, or the like. | 01-03-2013 |
20130042105 | SYSTEMS AND METHODS FOR SECURING DATA IN MOTION - Two approaches are provided for distributing trust among a set of certificate authorities. Each approach may be used to secure data in motion. One approach provides methods and systems in which the secure data parser is used to distribute trust in a set of certificate authorities during initial negotiation (e.g., the key establishment phase) of a connection between two devices. Another approach provides methods and systems in which the secure data parser is used to disperse packets of data into shares. A set of tunnels is established within a communication channel using a set of certificate authorities, keys developed during the establishment of the tunnels are used to encrypt shares of data for each of the tunnels, and the shares of data are transmitted through each of the tunnels. Accordingly, trust is distributed among a set of certificate authorities in the structure of the communication channel itself. | 02-14-2013 |
20130073846 | PUSHING CERTIFICATE CHAINS TO REMOTE DEVICES - Rather than managing a certificate chain related to a newly issued identity certificate at a terminal to which a wireless device occasionally connects, a certificate server can act to determine the identity certificates in a certificate chain related to the newly issued identity certificate. The certificate server can also act to obtain the identity certificates and transmit the identity certificates towards the device that requested the newly issued identity certificate. A mail server may receive the newly issued identity certificate and the identity certificates in the certificate chain and manage the timing of the transmittal of the identity certificates. By transmitting the identity certificates in the certificate chain before transmitting the newly issued identity certificate, the mail server allows the user device to verify the authenticity of the newly issued identity certificate. | 03-21-2013 |
20130117560 | PROCESSING A DISPERSED STORAGE NETWORK ACCESS REQUEST UTILIZING CERTIFICATE CHAIN VALIDATION INFORMATION - A method begins by a processing module receiving a dispersed storage network (DSN) access request that includes a requester identifier (ID), wherein the requester ID is associated with a certificate chain. When the certificate chain is valid, the method continues with the processing module accessing registry information for the DSN. The method continues with the processing module identifying one of a plurality of access control lists based on at least one of information associated with the requester ID and information associated with the certificate chain, identifying one or more entries of the one of the plurality of access control lists based on the information associated with the certificate chain to produce one or more identified entries, and generating, for the DSN access request, permissions from one or more sets of permissions associated with the one or more identified entries. | 05-09-2013 |
20130198512 | INTERCEPTING ENCRYPTED NETWORK TRAFFIC FOR INTERNET USAGE MONITORING - An example method disclosed herein to monitor Internet usage comprises intercepting, using a kernel extension executing in an operating system kernel of a device, a first request to be sent to a content source by a monitored client executing on the device, providing a first certificate to the client in response to intercepting the first request sent by the client to the content source, the first certificate associated with a meter that is to monitor Internet usage, sending a second request to the content source, receiving a second certificate that is associated with the content source in response to sending the second request to the content source, and obtaining a session key to decrypt encrypted traffic exchanged between the content source and the client, the session key being obtained from the client based on the first certificate and being sent to the content source based on the second certificate. | 08-01-2013 |
20130219173 | DESIGNATION OF CLASSES FOR CERTIFICATES AND KEYS - Plural modes of operation may be established on a mobile device. Specific modes of operation of the mobile device may be associated with specific spaces in memory. By using a “class” designation within the existing certificate store structure and key store structure, certificates and keys can be assigned to one space among plural spaces. Accordingly, a personal certificate store and a personal key store may exist in a personal space. Similarly, a corporate certificate store and a corporate key store may exist in a corporate space. APIs designed to work within such a system may be arranged to employ a “class” attribute when managing certificates and cryptographic keys. | 08-22-2013 |
20130318343 | SYSTEM AND METHOD FOR ENABLING UNCONFIGURED DEVICES TO JOIN AN AUTONOMIC NETWORK IN A SECURE MANNER - A method in an example embodiment includes creating an initial information package for a device in a domain of a network environment when the device is unconfigured. The method further includes communicating the initial information package to a signing authority, receiving an authorization token from the signing authority, and sending the authorization token to the unconfigured device, where the unconfigured device validates the authorization token based on a credential in the unconfigured device. In more specific embodiments, the initial information package includes a unique device identifier of the unconfigured device and a domain identifier of the domain. In further embodiments, the signing authority creates the authorization token by applying an authorization signature to the unique device identifier and the domain identifier. In other embodiments, the method includes receiving an audit history report of the unconfigured device and applying a policy to the device based on the audit history report. | 11-28-2013 |
20140040611 | Distributed Validation of Digitally Signed Electronic Documents - Systems and methods are presented for distributed validation of a digitally signed electronic document. A computing device accesses both a representation of the electronic document and a digital signature for the electronic document that includes a digest generated by the digital signature's creator by applying a one-way function to the electronic document. The computing device applies the same one-way function to the accessed representation of the electronic document to generate a new digest, and includes both the digital signature and the new digest in a request sent to a separate validation server. The request does not include the electronic document. The validation server generates validation results that depend on comparing the digest from the digital signature with the new digest, and that do not depend on having the electronic document available to the validation server. The computing device receives the validation results from the separate validation server. | 02-06-2014 |
20140082352 | LAYERED CERTIFICATION - A certification provenance tree (CPT) structure may provide information concerning a layered certification of a device that comprises a hierarchy of components. The CPT structure may include a hierarchy of secure certification provenance document (SCPD) structures. Each SCPD structure in the hierarchy may represent a given component at a given level of the hierarchy of components of the device. Each SCPD structure may include a field that stores a certification proof indicating that security properties of the given component have been certified by a certification authority. An SCPD structure may further include accreditation information fields that store a pointer to an SCPD structure of a component at a next layer of the hierarchy of components of the device. The pointer may provide an indication of assurance that the component at that next layer will perform securely within this component at said given layer. | 03-20-2014 |
20140250298 | METHOD AND DEVICE FOR ENSURING INFORMATION INTEGRITY AND NON-REPUDIATION OVER TIME - The present invention relates to a method and a device for ensuring information integrity and non-repudiation over time. At least one example embodiment provides a mechanism for secure distribution of information, which information relates to an instance in time when usage of cryptographic key pairs associated with a certain brand identity commenced, as well as when the key pairs ceased to be used, i.e. when the key pairs were reyoked. The mechanism further allows a company or an organization to tie administration of cryptographic key pairs and a procedure for verifying information integrity and non-repudiation to their own brand. This can be seen as a complement or an alternative to using a certificate authority (CA) as a trusted third party, which CA guarantees an alleged relation between a public key and the identity of the company or organization using the cryptographic key pair to which that public key belongs. | 09-04-2014 |
20140281502 | METHOD AND APPARATUS FOR EMBEDDING SECRET INFORMATION IN DIGITAL CERTIFICATES - A method and system is provided for embedding cryptographically modified versions of secret in digital certificates for use in authenticating devices and in providing services subject to conditional access conditions. | 09-18-2014 |
20140281503 | CERTIFICATE GRANT LIST AT NETWORK DEVICE - A certificate grant list is provided. The certificate grant list may be stored in a memory, at the network device. The certificate grant list may store information associated with a client-device certificate, where the client-device certificate permits the client-device access to a secure service. | 09-18-2014 |
20140304503 | SYSTEMS AND METHODS FOR SECURING DATA IN MOTION - Two approaches are provided for distributing trust among certificate authorities. Each approach may be used to secure data in motion. One approach provides methods and systems in which a secure data parser is used to distribute trust in a set of certificate authorities during initial negotiation (e.g., the key establishment phase) of a connection between two devices. Another approach of the present invention provides methods and systems in which the secure data parser is used to disperse packets of data into shares. A set of tunnels is established within a communication channel using a set of certificate authorities, keys developed during the establishment of the tunnels are used to encrypt shares of data for each of the tunnels, and the shares of data are transmitted through each of the tunnels. Accordingly, trust is distributed among a set of certificate authorities in the structure of the communication channel itself. | 10-09-2014 |
20140337619 | Derived Certificate based on Changing Identity - A first device with a changing identity establishes a secure connection with a second device in a network by acting as its own certificate authority. The first device issues itself a self-signed root certificate that binds an identity of the first device to a long-term public key of the first device. The root certificate is digitally signed using a long-term private key, where the long-term public key and the long-term private key form a public/private key pair. The first device provides its root certificate to the second device in any trusted manner The first device can then create a certificate for one or more short-term identities acquired by the first device and sign the newly-created certificate using the long-term private key. The first device can authenticate itself to the second device by sending the newly-created certificate to the second device. | 11-13-2014 |
20150100780 | INTERCEPTING ENCRYPTED NETWORK TRAFFIC FOR INTERNET USAGE MONITORING - Example methods disclosed herein include intercepting, with a meter executing on a computing device, a request sent by a client application to establish a secure communication session with a network server. Such disclosed example methods also include receiving, at the meter in response to forwarding the request to the network server, a first public key provided by the network server for encrypting a session key, and providing, from the meter to the client application, a second public key associated with the meter instead of the first public key provided by the network server in response to the request being intercepted. Such disclosed example methods further include using the first public key and a private key associated with the second public key to enable the meter to access an unencrypted version of the session key, and monitoring, with the meter, the network traffic using the unencrypted version of the session key. | 04-09-2015 |
20150373014 | METHOD FOR ASSEMBLING AUTHORIZATION CERTIFICATE CHAINS - A method for assembling authorization certificate chains among an authorizer, a client, and a third party allows the client to retain control over third party access. The client stores a first certificate from the authorizer providing access to a protected resource and delegates some or all of the privileges in the first certificate to the third party in a second certificate. The client stores a universal resource identifier (URI) associated with both the first certificate and the third party and provides the second certificate and the URI to the third party. The third party requests access to the protected resource by providing the second certificate and the URI, without knowledge or possession of the first certificate. When the authorizer accesses the URI, the client provides the first certificate to the authorizer, so that the client retains control over the third party's access. | 12-24-2015 |
20160099934 | AUTHENTICATED SESSION ESTABLISHMENT - Methods, devices, and machine-readable media are provided to provide secure communications between entities. As provided in this disclosure, this may include receiving a request to begin a new communication session, determining one or more desired parameters of the session, and determining whether the desired parameters of the message match proposed parameters provided by the entity requesting the new communication session. When the one or more proposed parameters match the one or more desired parameters, a secure communication session is established between the entities. | 04-07-2016 |