The present invention is related generally to the authentication of a client of an Internet Service Provider (ISP) in on-line applications, and particularly to the revocation of certificates issued to such clients.
In on-line applications that use a communication network, such as the Internet or an Internet-like network, it is currently impossible to send caller ID information forward from the service provider with which the client is connected. For example, if a client requests a service or wishes to make a purchase from a supplier through the Internet, it is currently almost impossible to authenticate the client's identity through the Internet.
Presently, it is possible to authenticate an individual by means of certificates. A certificate is an electronic document used to identify an individual, a company or some other entity and to associate that identity with a public key. The certificate, which can be issued by a Certificate Authority (CA), binds a particular public key to the name of the entity that the certificate identifies. For that purpose, the certificate always includes the name of the entity, the entity's public key and a digital signature of the issuing CA. As is well known in the art, a digital signature is a digitally signed message. The message serves as a “letter of introduction” for the recipients who know and trust the CA but do not know the entity identified by the certificate. In this case, the message is first converted into a digest by a one-way hash function, and the digest is encrypted with the CA's private key into a digital signature. The digital signature is sent to the message recipient along with a CA's public key certificate and a copy of the original message. In operation, when the CA sends a signed message with a certificate attached thereto, the recipient verifies the authenticity of the certificate by using the CA's public key. The recipient also generates a digest of the message sent using the same one-way hash function and compares this digest with the digital signature decrypted using the CA's public key for an exact match. With this method, the identity of an entity can be authenticated by a certificate.
However, before issuing a certificate, the CA must use its published verification procedures for that type of certificate to ensure that an entity requesting a certificate is, in fact, who it claims to be. Currently, there are a number of ways to obtain public key certificates. Some of these are relatively simple while others can consume a great deal of time with their requirements. Certificates that are easy to get of course have more risk associated with their use as compared to certificates created with greater care. In each case, the risk involved relates to the level of trust associated with the usage of the certificate. The more effort put into the identification of the certificate owner, the more trust there is in the digital signatures generated from the certificate's associated private key. The level of trust is based on the published Certificate Practice Statement (CPS) that the certificate issuer adheres to when creating a certificate. In the case of this invention, the CPS defines the steps that are performed when using a caller-id capability in the creation of the certificate. Included in the certificate is a reference to the applicable CPS. The Internet Engineering Task Force (IETF) Public Key Infrastructure (PKIX) working group has defined standards for certificate management. Specifically, the most common of these standards is referred to as X.509. Other certificate standards include Simple Public Key Infrastructure (SPKI) and Pretty Good Privacy (PGP). The X.509 certificate includes the following information: version, serial number, signature, algorithm identifier, issuer name, validity period, subject name, issuer and authorization attributes. Such certificates are well known to those skilled in the art.
The above mentioned U.S. patent application Ser. No. 09/698,420 discloses a method and system for more easily issuing a certificate with a high level of trustworthiness. By using the caller-id feature associated with the use of private, or dedicated, communication connections—land based telephone line, Digital Subscriber Line (DSL), etc.—it is possible to create a certificate that is easy for the client to obtain and yet can be used to authenticate a client's identity with a high-degree of confidence.
A related problem for CAs is certificate revocation. Certificate revocation is a daunting task. It requires that some entity maintain a list or real time system of information about the validity of certificates. This is a costly process.
Thus it is an object of the present invention to provide a method and system for providing trustworthy certificates which can be easily issued and easily reviewed for possible revocation.
The above object is achieved and the disadvantages of the prior art are overcome in accordance with the present invention by means of a method, and a programmable server programmed to carry out such method, including the steps of: a) selecting a class of certificates for review, each of the certificates including identifying information and a phone number for its owner; b) choosing a next certificate from the class for review; c) accessing a reverse telephone database to determine if the next certificate's identifying information is still correct; and if not, d) adding the next certificate to a list of revoked certificates; and e) if more certificates in the group remain to be reviewed, returning to step b.
In accordance with one aspect of the present invention the identifying information includes an address for its owner, and the method includes the further steps of accessing an address database to further verify that the address is still correct and, if not, adding the certificate to the list of revoked certificates.
In accordance with another aspect of the present invention the method includes the further steps of accessing a plurality of reverse directories or a plurality of address databases and using a predetermined scoring algorithm to determine if the certificate is added to the list of revoked certificates.
In accordance with still another aspect of the present invention the method includes: a) receiving a request for a certificate on a dedicated communications channel; b) requesting caller identifying information for the request from an operator of the dedicated channel; c) creating the requested certificate using the caller identifying information, the certificate including at least an owner's phone number determined from the identifying information; and thereafter d) selecting a class of certificates previously created in steps a through c for review; e) choosing a next certificate from the group for review; f) accessing a reverse telephone book database to determine if the next certificate's identifying information and phone number are still correct; and if not, g) adding the next certificate to a list of revoked certificates; and k) if more certificates in the group remain to be reviewed, returning to step e.
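The review loop summarized above, with several reverse directories and an address database combined by a score, is sketched here as an added example that is not code from the patent. The `Cert` fields, the in-memory dictionaries standing in for the databases, and the scoring rule (fraction of sources that still agree, revoke below 0.5) are assumptions; the text only says that a predetermined scoring algorithm is used.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    serial: str
    name: str
    phone: str
    address: str
    cert_class: str

def norm(s):
    # Case- and whitespace-insensitive comparison of directory strings.
    return " ".join(s.lower().split())

def agreement(cert, reverse_dirs, address_dbs):
    """Fraction of consulted sources that still match the certificate."""
    votes = [norm(d.get(cert.phone, "")) == norm(cert.name) for d in reverse_dirs]
    votes += [norm(d.get(norm(cert.name), "")) == norm(cert.address)
              for d in address_dbs]
    if not votes:
        # No source available: refuse to decide rather than revoke a whole class.
        raise ValueError("no directory sources available")
    return sum(votes) / len(votes)

def review_class(certs, cert_class, reverse_dirs, address_dbs, threshold=0.5):
    """Walk one class of certificates; return serials for the revoked list."""
    revoked = set()
    for cert in certs:
        if cert.cert_class != cert_class:
            continue  # only the selected class is reviewed
        if agreement(cert, reverse_dirs, address_dbs) < threshold:
            revoked.add(cert.serial)
    return revoked

# Constructed sample data (hypothetical names, numbers and addresses).
CERTS = [
    Cert("1001", "Alice Martin", "555-0101", "12 Oak St", "caller-id"),
    Cert("1002", "Bob Chen", "555-0102", "9 Elm Ave", "caller-id"),
    Cert("1003", "Carol Diaz", "555-0103", "4 Pine Rd", "caller-id"),
    Cert("1004", "Eve Stone", "555-0104", "7 Ash Ln", "other"),
]
# Reverse directories map phone -> listed name; 555-0102 has been reassigned.
DIR_A = {"555-0101": "Alice Martin", "555-0102": "Dana Ruiz",
         "555-0103": "Carol Diaz"}
DIR_B = {"555-0101": "alice  martin", "555-0102": "Dana Ruiz",
         "555-0103": "C. Diaz Plumbing"}
# Address database maps normalized name -> listed address.
ADDR_DB = {"alice martin": "12 Oak St", "bob chen": "9 Elm Ave",
           "carol diaz": "4 Pine Rd"}

if __name__ == "__main__":
    print(sorted(review_class(CERTS, "caller-id", [DIR_A, DIR_B], [ADDR_DB])))
```

With one disagreeing directory out of three sources, certificate 1003 survives at the 0.5 threshold; raising the threshold trades fewer stale certificates for more false revocations caused by inconsistent listings.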
Other objects and advantages of the present invention will be apparent to those skilled in the art from consideration of the detailed description set forth below and the attached drawings.