Intelligent Certificate Discovery in Physical and Virtualized Networks
US-2017054709-A1 · Feb 23, 2017 · US
US10911246B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10911246-B2 |
| Application number | US-201715851562-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 21, 2017 |
| Priority date | Oct 2, 2015 |
| Publication date | Feb 2, 2021 |
| Grant date | Feb 2, 2021 |
Official abstract text for this publication.
Certificates issued by a CA are distributed across multiple CRLs. Each certificate issued by the CA is assigned to a specific CRL, and the address of that CRL is written to the appropriate field of the certificate, such that an authenticating application can subsequently determine if the certificate is revoked. When the CA revokes a specific one of the issued certificates, it determines to which CRL the revoked certificate is assigned, and updates the specific CRL accordingly. In some embodiments, a single one of the multiple CRLs is active for assignment of certificates at any given time, and each certificate issued by the CA is assigned to the currently active CRL. In other embodiments, assignments of issued certificates are distributed between different ones of a pre-determined number of multiple CRLs by applying a statistical distribution formula to each issued certificate to determine a corresponding target CRL.
Opening claim text (preview).
What is claimed is:

1. A computer implemented method for managing certificate revocation list (CRL) size by distributing digital certificates issued by a certificate authority (CA) across a plurality of different CRLs based on a time at which the digital certificates are generated, the method comprising: generating over a first period of time, using one or more computing devices associated with the CA, a first plurality of digital certificates, wherein each of the first plurality of digital certificates includes a first CRL address, wherein the first CRL address indicates a location of a first CRL, and wherein the first CRL is configured to include a first list of revoked digital certificates that identifies one or more of the first plurality of digital certificates that were generated during the first period of time; obtaining, using the one or more computing devices, an estimated revocation percentage for the first plurality of digital certificates, wherein the estimated revocation percentage is determined prior to a digital certificate of the first plurality of digital certificates being revoked; updating the estimated revocation percentage based on a revocation of one or more digital certificates of the first plurality of digital certificates; generating an estimated revocation number based at least in part on the updated estimated revocation percentage and a number of digital certificates of the first plurality of digital certificates; determining, using the one or more computing devices, to stop generating digital certificates that include the first CRL address based at least in part on the estimated revocation number satisfying a threshold number; and based on the determining to stop generating certificates that include the first CRL address, generating over a second period of time that is different from the first period of time, using the one or more computing devices, a second plurality of digital certificates, wherein each of the second plurality of digital certificates includes a second CRL address, wherein the second CRL address indicates a location of a second CRL, wherein the second CRL is configured to include a second list of revoked digital certificates that identifies one or more of the second plurality of digital certificates that were generated during the second period of time, wherein in response to revocation of a first digital certificate of the first plurality of digital certificates, an indication of the first digital certificate is added to the first list of revoked digital certificates of the first CRL based at least in part on the time at which the first digital certificate was generated, and wherein in response to revocation of a second digital certificate of the second plurality of digital certificates, an indication of the second digital certificate is added to the second list of revoked digital certificates of the second CRL based at least in part on the time at which the second digital certificate was generated.

2. The computer implemented method of claim 1, further comprising revoking, using the one or more computing devices, a second digital certificate of the first plurality of digital certificates, wherein said revoking includes updating the first list of revoked digital certificates of the first CRL to include an indication of the second digital certificate of the first plurality of digital certificates.

3. The computer implemented method of claim 1, wherein the CA is associated with a plurality of CRLs that includes the first CRL, wherein over the first period of time the first CRL is active for assignment of digital certificates and during the first period of time all other CRLs of the plurality of CRLs are inactive for assignment of digital certificates.

4. The computer implemented method of claim 3, wherein the second CRL is created after an expiration of the first period of time.

5. The computer implemented method of claim 1, wherein the CA is associated with a plurality of CRLs that includes the first CRL and the second CRL, wherein over the second period of time the second CRL is active for assignment of digital certificates and during the second period of time all other CRLs of the plurality of CRLs are inactive for assignment of digital certificates.

6. The computer implemented method of claim 1, wherein said generating the first plurality of digital certificates comprises assigning the first CRL address to each of the first plurality of digital certificates, wherein said generating the second plurality of digital certificates comprises assigning the second CRL address to each of the second plurality of digital certificates.

7. The computer implemented method of claim 1, wherein the second period of time occurs after an expiration of the first period of time.

8. A non-transitory computer readable medium for managing certificate revocation list (CRL) size by distributing digital certificates issued by a certificate authority (CA) across a plurality of different CRLs based on a time at which the digital certificates are generated, the non-transitory computer readable medium storing computer executable instructions that, when loaded into computer memory and executed by a processor of a computing device, cause the computing device to perform steps, the steps including: generating over a first period of time, using one or more computing devices associated with the CA, a first plurality of digital certificates, wherein each of the first plurality of digital certificates includes a first CRL address, wherein the first CRL address indicates a location of a first CRL, and wherein the first CRL is configured to include a first list of revoked digital certificates that identifies one or more of the first plurality of digital certificates that were generated during the first period of time; obtaining, using the one or more computing devices, an estimated revocation percentage for the first plurality of digital certificates, wherein the estimated revocation percentage is determined prior to a digital certificate of the first plurality of digital certificates being revoked; updating the estimated revocation percentage based on a revocation of one or more digital certificates of the first plurality of digital certificates; generating an estimated revocation number based at least in part on the updated estimated revocation percentage and a number of digital certificates of the first plurality of digital certificates; determining, using the one or more computing devices, to stop generating digital certificates that include the first CRL address based at least in part on the estimated revocation number satisfying a threshold number; and based on the determining to stop generating certificates that include the first CRL address, generating over a second period of time that is different from the first period of time, using the one or more computing devices, a second plurality of digital certificates, wherein each of the second plurality of digital certificates includes a second CRL address, wherein the second CRL address indicates a location of a second CRL, wherein the second CRL is configured to include a second list of revoked digital certificates that identifies one or more of the second plurality of digital certificates that were generated during the second period of time, wherein in response to revocation of a first digital certificate of the first plurality of digital certificates, an indication of the first digital certificate is added to the first list of revoked digital certificates of the first CRL based at least in part on the time at which the first digital certificate was generated, and wherein in response to revocation of a second digital certificate of the second plurality of digital certificates, an indication
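The assignment logic described in the abstract and in claim 1, as an added illustration that is not code from the patent or its assignee: a CA-side assigner that writes one CRL address per certificate, keeps a single active CRL until the estimated revocation number (estimated percentage, updated from observed revocations, times certificates issued) meets a threshold, then opens a second CRL; the alternative embodiment spreads certificates over a fixed number of CRLs with a distribution formula. The base URL, the SHA-256-mod-N formula, the default threshold and the starting estimate are constructed assumptions, not values from the patent.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Crl:
    address: str                                  # URL written into each certificate
    issued: int = 0                               # certificates assigned to this CRL
    revoked: list = field(default_factory=list)   # serials listed as revoked


class CrlAssigner:
    """Two embodiments from the disclosure. 'active': one CRL takes new certificates
    until its estimated revocation number (estimated percentage * issued) meets a
    threshold, then a fresh CRL is opened. 'hashed': spread over a fixed number of
    CRLs by a distribution formula (SHA-256(serial) mod N, a constructed choice)."""

    def __init__(self, base_url, mode="active", threshold=2, est_pct=0.02, n_crls=4):
        self.base_url, self.mode, self.threshold = base_url, mode, threshold
        self.est_pct = est_pct            # prior estimate, refined as revocations arrive
        self.crls, self.serial_to_crl = [], {}
        for _ in range(1 if mode == "active" else n_crls):
            self._new_crl()

    def _new_crl(self):
        self.crls.append(Crl(f"{self.base_url}/crl{len(self.crls)}.crl"))

    def estimated_revocations(self):
        # claim 1: updated estimated percentage times certificates issued on the active CRL
        return self.est_pct * self.crls[-1].issued

    def issue(self, serial):
        """Return the CRL address to embed in the certificate with this serial."""
        if self.mode == "active":
            if self.estimated_revocations() >= self.threshold:
                self._new_crl()          # stop using the first address; second period begins
            idx = len(self.crls) - 1
        else:
            digest = hashlib.sha256(str(serial).encode()).digest()
            idx = int.from_bytes(digest, "big") % len(self.crls)
        self.crls[idx].issued += 1
        self.serial_to_crl[serial] = idx
        return self.crls[idx].address

    def revoke(self, serial):
        """List the serial on the CRL it was assigned at issuance; refine the estimate."""
        crl = self.crls[self.serial_to_crl[serial]]
        crl.revoked.append(serial)
        if self.mode == "active" and crl is self.crls[-1]:
            self.est_pct = len(crl.revoked) / crl.issued   # observed rate replaces prior
        return crl.address
```

A relying party never needs to know the assignment rule: it fetches whichever CRL address its certificate carries, so each CRL stays bounded by the size of its own cohort rather than the CA's full history.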
CPC classification titles:

- using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263)
- using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
- involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements (network architectures or network communication protocols for supporting authentication of entities using certificates in a packet data network H04L63/0823)

Mapped topic: Electricity