One or more aspects of the invention relate to the field of managing time-dependent electronic files. In particular, one or more aspects of the invention relate to managing time-dependent electronic files to enable batch renewal of files.
In distributed networks of systems where transmissions between nodes are likely to travel over unprotected network infrastructure, or where nodes may be in unsecured locations, security of communications is key to avoiding man-in-the-middle and various other attacks. A typical method of achieving this security is the use of X.509 certificates as proof of identity, with each node, or individual elements within each node, having individual certificates. Once all elements have appropriate certificates, the use of protocols such as Transport Layer Security (TLS) becomes a viable solution to provide authentication and encryption on the wire.
The standard method by which the identity contained in a certificate is authenticated is as follows. The certificate is cryptographically signed by a centralized Certificate Authority (CA) before distribution to the entity it belongs to. When the certificate is authenticated, for example, as part of a TLS handshake when the entity connects to a service, this signature is verified to prove the certificate identity is genuine and trusted by the CA.
Certificates also have a lifespan defined by a validity start and end time. In some systems, these lifespans may be intentionally chosen to be short, so that if an entity's credentials were compromised, they would allow only a small window of exposure before the certificate expired and could no longer be used for TLS connections. When certificates need to be renewed, the typical mechanism is to generate a Certificate Signing Request and send that request (over some protocol, such as the Certificate Management Protocol (CMP) or the Hypertext Transfer Protocol (HTTP)) to the CA, which then generates a new signed certificate for that entity with a validity period starting at the current time and responds. The entity then uses that new certificate for future connections.
In cases where network bandwidth between the nodes and the centralized CA is restricted, it may be costly for every individual entity to send separate requests to the CA to renew their certificates when required, as the overhead of the protocol the request is sent over is incurred for every request. There may also be optimal time windows in which requests would be sent, where the network is under lower load.
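As an added illustration of the batching problem described in the two preceding paragraphs (example code, not part of this application), the following Python plans renewal requests for a set of short-lived certificates: each certificate is placed in the low-load window just before it falls due, so one request per window replaces one request per certificate. The certificate subjects, validity times, renewal lead time and low-load windows are all constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Cert:
    """Only the time-dependent fields of an X.509 certificate matter here."""
    subject: str
    not_before: datetime
    not_after: datetime

    def renewal_deadline(self, lead: timedelta) -> datetime:
        # Latest moment a CSR can be sent while `lead` of validity still remains.
        return self.not_after - lead


def plan_batches(certs, now, lead, windows):
    """Group renewals so one request per low-load window replaces one per cert.

    windows: chronologically sorted (start, end) low-load periods.  Each cert
    is placed in the LATEST window that opens before its deadline (renewing
    earlier wastes lifetime and brings the next renewal forward).  A cert that
    cannot wait for any window is sent at `now`; a cert whose deadline lies
    past the known windows is deferred to a later planning run.
    Returns (batches, deferred) with batches mapping send time -> subjects.
    """
    batches, deferred = {}, []
    horizon = windows[-1][1] if windows else now
    for cert in certs:
        deadline = cert.renewal_deadline(lead)
        if deadline > horizon:
            deferred.append(cert.subject)
            continue
        send_at = now  # fallback: exposure window too short to wait
        for start, end in windows:
            if end >= now and start <= deadline:
                send_at = max(start, now)  # window may already be open
        batches.setdefault(send_at, []).append(cert.subject)
    return batches, deferred


# Constructed sample: 24h certificates with staggered expiries, a 2h renewal
# lead, and two quiet periods announced for the coming day.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
def H(n): return NOW + timedelta(hours=n)
CERTS = [Cert("node-a", H(-23), H(1)), Cert("node-b", H(-16), H(8)),
         Cert("node-c", H(-15), H(9)), Cert("node-d", H(-9.5), H(14.5)),
         Cert("node-e", H(48), H(72))]
WINDOWS = [(H(2), H(3)), (H(12), H(13))]

def demo():
    batches, deferred = plan_batches(CERTS, NOW, timedelta(hours=2), WINDOWS)
    planned = sum(len(s) for s in batches.values())
    return batches, deferred, planned - len(batches)  # requests saved
```

Running `demo()` on the sample yields three requests for the four certificates planned: node-a cannot wait and is renewed immediately, node-b and node-c share the 02:00 window, node-d goes in the 12:00 window, and node-e is deferred because its deadline lies beyond the known windows.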