Security in a communication network can be enhanced through use of a public key infrastructure (PKI). A PKI provides mechanisms to bind public keys to entities, to enable other entities to verify those public key bindings, and to provide the services needed for ongoing management of keys in a distributed system. By supporting public-key-based authentication and key establishment, a PKI also underpins the confidentiality, integrity and authenticity of communications. A primary function of a PKI is to give a relying party assurance of the validity of a certificate presented by a certificate holder. Certificates are issued and signed by a third party, called a certification authority (CA), that is trusted by both the certificate holder and the relying party. Overall network security is thus often dependent on the validity, and hence the trustworthiness, of individual certificates.
Because all public-key schemes are to some degree susceptible to attack, such as a brute-force key search, PKIs generally employ several precautions. For example, each public key certificate has a validity period, beyond which the certificate becomes invalid (equivalently, the certificate is said to have expired). A certificate may also be revoked before it expires by the CA that issued it, either on the CA's own initiative or at the request of the certificate holder, for example when a compromise of the corresponding private key is detected.
A CA is generally responsible for advertising the status of the certificates it has issued to all relying parties, either proactively by publishing certificate revocation lists (CRLs), or reactively by responding to on-demand requests (e.g., through a validation authority (VA) using the Online Certificate Status Protocol (OCSP)). With proactive publication of a CRL, each period between successive publications is a vulnerable interval: a certificate revoked after one CRL is issued is not listed until the next, so a relying party working from the current CRL cannot detect the revocation. With on-demand requests, the status a relying party obtains can be delayed or unavailable when it cannot reach the OCSP responder, or when the OCSP responder cannot itself obtain the revocation status from the CA.
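The mechanisms described above, as an added illustration that is not part of the original disclosure: a standard-library-only model of a CA that records revocations and publishes CRLs on a fixed period, an OCSP-style on-demand query that depends on the CA being reachable, and a relying-party check that combines the validity period with whichever CRL it holds. The CA, certificate, times and serial number are constructed for the example; no real X.509 encoding is involved. It shows concretely that a certificate revoked six hours after a CRL is published is still reported "good" by a CRL-based relying party for the remaining eighteen hours of the publication period, while an on-demand query with a live CA link reports "revoked", and reports "unknown" if the CA cannot be reached.

```python
# Added example (stdlib only): model of validity periods, CA-side revocation,
# periodic CRL publication and on-demand (OCSP-style) status queries.
# All names, times and serial numbers are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class CRL:
    this_update: datetime
    next_update: datetime
    revoked: FrozenSet[int]  # serial numbers revoked as of this_update


class CertificationAuthority:
    """Holds the authoritative revocation record and publishes CRLs periodically."""

    def __init__(self, crl_period: timedelta):
        self.crl_period = crl_period
        self.revoked_at: Dict[int, datetime] = {}  # serial -> revocation time
        self.crls: List[CRL] = []

    def revoke(self, serial: int, at: datetime) -> None:
        # The first revocation time is kept; revocation is never undone.
        self.revoked_at.setdefault(serial, at)

    def publish_crl(self, at: datetime) -> CRL:
        listed = frozenset(s for s, t in self.revoked_at.items() if t <= at)
        crl = CRL(this_update=at, next_update=at + self.crl_period, revoked=listed)
        self.crls.append(crl)
        return crl

    def latest_crl(self, at: datetime) -> Optional[CRL]:
        """Most recent CRL a relying party could have downloaded by time `at`."""
        seen = [c for c in self.crls if c.this_update <= at]
        return max(seen, key=lambda c: c.this_update) if seen else None

    def status(self, serial: int, at: datetime) -> str:
        """Authoritative answer, as a responder with a live link to the CA gives."""
        t = self.revoked_at.get(serial)
        return "revoked" if t is not None and t <= at else "good"


def ocsp_response(ca: CertificationAuthority, serial: int, at: datetime,
                  ca_reachable: bool) -> str:
    """On-demand check through a responder; without the CA it cannot answer."""
    return ca.status(serial, at) if ca_reachable else "unknown"


def crl_check(cert: Certificate, at: datetime, crl: Optional[CRL]) -> str:
    """Relying-party decision from the validity period plus the CRL it holds."""
    if at < cert.not_before:
        return "not_yet_valid"
    if at > cert.not_after:
        return "expired"
    if crl is None or at > crl.next_update:
        return "unknown"  # no CRL at all, or the one held is past nextUpdate
    return "revoked" if cert.serial in crl.revoked else "good"


def undetectable_window(ca: CertificationAuthority, serial: int) -> Optional[timedelta]:
    """Time from revocation until the first published CRL that lists the serial."""
    t_rev = ca.revoked_at.get(serial)
    listing = [c.this_update for c in ca.crls if serial in c.revoked]
    if t_rev is None or not listing:
        return None
    return min(listing) - t_rev


def scenario() -> dict:
    """Constructed timeline: 24h CRL period, key compromise found at hour 6."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)

    def h(n: int) -> datetime:
        return t0 + timedelta(hours=n)

    ca = CertificationAuthority(crl_period=timedelta(hours=24))
    cert = Certificate(serial=0x1001, subject="CN=device-42",
                       not_before=t0, not_after=t0 + timedelta(days=365))
    ca.publish_crl(h(0))             # scheduled CRL, nothing revoked yet
    ca.revoke(cert.serial, at=h(6))  # holder reports private key compromise
    ca.publish_crl(h(24))            # next scheduled CRL now lists the serial

    return {
        # hour 12: revoked for 6h, but the CRL in circulation predates it
        "crl_at_12h": crl_check(cert, h(12), ca.latest_crl(h(12))),
        "ocsp_at_12h": ocsp_response(ca, cert.serial, h(12), ca_reachable=True),
        "ocsp_at_12h_no_ca": ocsp_response(ca, cert.serial, h(12), ca_reachable=False),
        "crl_at_30h": crl_check(cert, h(30), ca.latest_crl(h(30))),
        # relying party still holding the hour-0 CRL after its nextUpdate passed
        "stale_crl_at_30h": crl_check(cert, h(30), ca.latest_crl(h(0))),
        "after_expiry": crl_check(cert, t0 + timedelta(days=366), ca.latest_crl(h(30))),
        "window": undetectable_window(ca, cert.serial),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The `window` entry is the vulnerable interval the text refers to: with a 24-hour CRL period and a revocation at hour 6, a CRL-only relying party has no way to learn of the revocation for 18 hours. Shortening the CRL period narrows that interval at the cost of more frequent publication; the on-demand path removes it only while the responder and its link to the CA are available, which is what the "unknown" result models.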
A certificate holder conventionally must maintain a valid certificate issued by a CA in order to continue making trustworthy transactions with relying parties that trust that CA. When a certificate approaches expiration, the certificate holder may request that the CA renew the certificate for an extended validity period, without changing the distinguished name, the attributes, or the key associated with the certificate. A certificate holder whose certificate has been revoked may obtain a new certificate from the CA that issued the original through a certificate update process, by which the CA grants a new certificate with the same distinguished name but with one or more updated or new attributes, a new key, a new serial number, and possibly a new validity period. Both certificate renewal and certificate update require a secure communication channel between the CA and the certificate holder. Further, confirmation of a renewal or an update by a relying party may require a secure communication channel between the CA and that relying party.
However, a certificate holder may still need to use an unexpired PKI certificate even when no secure communication channel between the CA and the certificate holder is available, and/or when no secure communication channel between the CA and the relying party is available.
Skilled artisans will appreciate that elements in the figures are illustrated for simplicity and clarity and have not necessarily been drawn to scale. For example, the dimensions of some of the elements in the figures may be exaggerated relative to other elements to help to improve understanding of embodiments of the present invention.
The apparatus and method components have been represented where appropriate by conventional symbols in the drawings, showing only those specific details that are pertinent to understanding the embodiments of the present invention so as not to obscure the disclosure with details that will be readily apparent to those of ordinary skill in the art having the benefit of the description herein.