Countersigned certificates

US9912486B1 · US · B1

Patent metadata
Publication number: US-9912486-B1
Application number: US-201514838172-A
Country: US
Kind code: B1
Filing date: Aug 27, 2015
Priority date: Aug 27, 2015
Publication date: Mar 6, 2018
Grant date: Mar 6, 2018

Abstract

Official abstract text for this publication.

A digital certificate for an entity is issued and signed by a certificate authority. One or more countersigning entities are identified in an extension to the digital certificate. Each countersigning entity adds a countersignature to the digital certificate using a private cryptographic key maintained by each countersigning entity. A client that receives the digital certificate validates the digital certificate by in part validating the digital signature of the issuing certificate authority and validating the digital signatures of the countersigning entities. In determining whether the digital certificate is valid, the client may consider the geographic regions, legal jurisdictions, and identity verification processes of the certificate authority and of the countersigning entities. In some examples, the client requires that the issuing certificate authority and the countersigning entities represent a minimum amount of geographic and jurisdictional diversity. In other examples, the client requires a minimum threshold number of countersigning entities.

First claim

Opening claim text (preview).

What is claimed is:

1. A computer-implemented method, comprising: receiving a digital certificate, the digital certificate identifying a collection of signing entities and having an issuer signature and a countersignature; determining, based at least in part on a plurality of digital certificates that are individually associated with respective individual entities of the collection of signing entities, that the issuer signature and countersignature are valid; determining that the digital certificate is trustworthy based at least in part on a number of signing entities in the collection of signing entities contributing to the issuer signature and countersignature being greater than or equal to a threshold number of signing entities; and performing an operation in accordance with the digital certificate being trusted.

2. The computer-implemented method of claim 1, further comprising: identifying a collection of geographic regions that are associated with members of the collection of signing entities; and determining that the digital certificate is trustworthy based at least in part on a number of distinct geographic regions in the collection of geographic regions being greater than or equal to a threshold number of geographic regions.

3. The computer-implemented method of claim 1, further comprising: identifying a collection of legal jurisdictions that are associated with members of the collection of signing entities; and determining that the digital certificate is trustworthy based at least in part on a number of distinct legal jurisdictions in the collection of legal jurisdictions being greater than or equal to a threshold number of legal jurisdictions.

4. The computer-implemented method of claim 1, further comprising: verifying identities of members of the collection of signing entities using a collection of digital certificates issued by a collection of signature authorities; determining a number of distinct signature authorities in the collection of signature authorities; and determining that the digital certificate is trustworthy based at least in part on the number of distinct signature authorities being greater than or equal to a threshold number of signature authorities.

5. A system, comprising: one or more processors; and memory that stores computer-executable instructions that, as a result of being executed, cause the system to: receive a digital certificate, the digital certificate having an issuer signature and a countersignature, the digital certificate being signed with a first signature of a first entity, and the digital certificate being signed with a second signature of a second entity; verify the first signature using a first public key contained in a first digital certificate of the first entity; verify the second signature using a second public key contained in a second digital certificate of the second entity; and determine that the digital certificate is trustworthy based at least in part on a number of signing entities contributing to the issuer signature and countersignature being greater than or equal to a threshold number of signing entities.

6. The system of claim 5, wherein: the first digital certificate is issued by a first certificate authority; the second digital certificate is issued by a second certificate authority; and the first certificate authority does not match the second certificate authority.

7. The system of claim 5, wherein the one or more processors and memory that stores computer-executable instructions that, as a result of being executed, further cause the system to: identify a first country associated with the first entity; identify a second country associated with the second entity; compare the first country to the second country; and determine that the digital certificate is trustworthy based at least in part by determining that the first country and the second country are different countries.

8. The system of claim 5, wherein the one or more processors and memory that stores computer-executable instructions that, as a result of being executed, further cause the system to: identify a first legal jurisdiction able to assert control over the first entity; identify a second legal jurisdiction able to assert control over the second entity; and determine that the digital certificate is trustworthy based at least in part by determining that the first legal jurisdiction and the second legal jurisdiction are independent of each other.

9. The system of claim 5, wherein: the digital certificate includes a first certificate extension field that contains a first identifier of the first entity, the first signature of the first entity, and a first algorithm identifier of a first signature algorithm that is used by the first entity to generate the first signature; and the digital certificate includes a second certificate extension field that contains a second identifier of the second entity, the second signature of the second entity, and a second algorithm identifier of a second signature algorithm that is used by the second entity to generate the second signature.

10. The system of claim 5, wherein the one or more processors and memory that stores computer-executable instructions that, as a result of being executed, further cause the system to: calculate a first trust score for the first entity; calculate a second trust score for the second entity; and determine that the digital certificate is trustworthy based at least in part by determining that a sum of the first trust score and the second trust score is greater than a threshold value.

11. The system of claim 5, wherein the one or more processors and memory that stores computer-executable instructions that, as a result of being executed, further cause the system to: add a third digital signature to the digital certificate using a private key of a public-private key pair accessible to the system.

12. The system of claim 5, wherein the one or more processors and memory that stores computer-executable instructions that, as a result of being executed, further cause the system to: retrieve a certificate policy from a certificate policy store, the certificate policy specifying a characteristic, and the certificate policy identifying a limitation for the characteristic; compare the characteristic of the first entity and the characteristic of the second entity; and determine, based at least in part on a result of the comparison, that the limitation is satisfied.

13. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least: receive a digital certificate that identifies a collection of signing entities and includes an issuer signature and a countersignature; determine based at least in part on a plurality of digital certificates that are individually associated with particular entities that are members of the collection of signing entities, that the issuer signature and countersignature are valid; determine that the digital certificate is trustworthy based at least in part on a number of signing entities in the collection of signing entities contributing to the issuer signature and countersignature being greater than or equal to a threshold number of signing entities; and perform an operation in accordance with the digital certificate being trusted.

14. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further comprise instructions that, as a result of being executed by the one or more proces
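The client-side check described in claims 1 to 3, written out as an added Go example; it is not code from the patent or its assignee. The type names, the choice of Ed25519, and the assumption that the issuer and every countersigner sign the same to-be-signed bytes are illustrative; the text on this page does not fix them.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Hypothetical shapes: trust-store entry, one signature, the certificate as the
// client sees it, and the minimum counts the client's policy demands.
type Signer struct{ Pub ed25519.PublicKey; Region, Jurisdiction string }
type Sig struct{ ID string; Value []byte }
type Cert struct{ TBS []byte; Issuer Sig; Counter []Sig }
type Policy struct{ Signers, Regions, Jurisdictions int }

// Validate requires a valid issuer signature, counts each distinct trusted entity
// once (unknown or invalid countersignatures add nothing), then applies thresholds.
func Validate(c Cert, store map[string]Signer, p Policy) error {
	ids, regions, juris := map[string]bool{}, map[string]bool{}, map[string]bool{}
	for i, s := range append([]Sig{c.Issuer}, c.Counter...) {
		e, known := store[s.ID]
		ok := known && ed25519.Verify(e.Pub, c.TBS, s.Value)
		if i == 0 && !ok {
			return fmt.Errorf("issuer signature invalid")
		}
		if ok {
			ids[s.ID], regions[e.Region], juris[e.Jurisdiction] = true, true, true
		}
	}
	if len(ids) < p.Signers || len(regions) < p.Regions || len(juris) < p.Jurisdictions {
		return fmt.Errorf("policy unmet: %d signers, %d regions, %d jurisdictions", len(ids), len(regions), len(juris))
	}
	return nil
}

// Sample builds constructed data: issuer "ca-a" (NA/US), countersigners "cs-b" and "cs-c" (EU/DE).
func Sample() (Cert, map[string]Signer) {
	c, store := Cert{TBS: []byte("constructed tbsCertificate bytes")}, map[string]Signer{}
	for _, m := range [][3]string{{"ca-a", "NA", "US"}, {"cs-b", "EU", "DE"}, {"cs-c", "EU", "DE"}} {
		pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
		store[m[0]] = Signer{pub, m[1], m[2]}
		c.Counter = append(c.Counter, Sig{m[0], ed25519.Sign(priv, c.TBS)})
	}
	c.Issuer, c.Counter = c.Counter[0], c.Counter[1:]
	return c, store
}

func main() {
	c, store := Sample()
	fmt.Println(Validate(c, store, Policy{3, 2, 2}), Validate(c, store, Policy{3, 3, 2}))
}
```

Counting distinct entity identifiers rather than signature entries is what keeps one entity from meeting the threshold by countersigning twice.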

Classifications

  • Electricity · mapped topic

  • involving digital signatures · CPC title

  • using certificate chains, trees or paths; Hierarchical trust model · CPC title

  • H04L9/3268 · Primary

    using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL] · CPC title

  • using hash chains, e.g. blockchains or hash trees · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Amazon Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L9/3268. Mapped technology areas include Electricity.
When was this patent published?
Publication date Mar 6, 2018 (B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).