With the need for more secure communications, different types of security systems and measures have evolved over time for networking systems. Early models of network security systems involving the use of private keys to encrypt and decrypt information exchanged over a network have been replaced with sophisticated and, at the same time, complicated secure session protocols. Many modern protocols involve certification of peer network devices, such as a client and a server, through a chain of trusted Certificate Authorities (CAs), and the like.
Secure Socket Layer/Transport Layer Security (SSL/TLS) protocols are commonly used secure communication protocols and include provisions for authenticating a client and optionally a server using digital certificates. During an SSL/TLS handshake, the client digitally signs a challenge issued by the server using a private key corresponding to a public key referenced in the client's certificate. The client also sends the server the client's public key certificate during the handshake. Once the handshake is successfully completed, the client has proven that it possesses the private key corresponding to the public key in the client certificate. In other words, the client proves that it owns the certificate used in the client authentication portion of the SSL/TLS handshake.
Usually, a client and a server on the Internet authenticate each other using certificates that are not known or trusted a priori. This allows for “spontaneous” secure communications, where two parties that have never met or exchanged certificates may still establish trust in each other's certificates and perform authentication with these certificates. In order for this trust to be established, both participants are typically configured to belong to a Public Key Infrastructure (PKI). This means that both participants trust one or more CAs that issue the certificates. When a server verifies a peer's certificate, the server may validate a chain of certificates linking the peer's certificate with the trusted CA. For each link in the certificate chain, the server may verify a digital signature and potentially check other requirements, such as validity date ranges, actual domain names, and the like, on the links between the certificates. Moreover, the server may also check whether or not each certificate in the chain has been revoked using Certificate Revocation Lists (CRLs), online certificate verification protocols, and the like.
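The chain validation described above, shown as an added Go example that is not part of the original text: it builds a constructed root CA, issuing CA and client certificate, then validates the chain with the standard library's `Certificate.Verify`. The helper names `issue` and `verifyClient` and all certificate names are assumptions; `Verify` does not consult CRLs or online status protocols, so the revocation step is not covered.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a constructed sample certificate (made-up names and lifetimes); a nil parent yields a self-signed root.
func issue(cn string, ku x509.KeyUsage, parent *x509.Certificate, pkey ed25519.PrivateKey, days int) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, days), KeyUsage: ku,
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyClient checks every link up to the trusted root: signature, validity window at time `at`, CA constraints, client-auth usage.
func verifyClient(leaf *x509.Certificate, mids *x509.CertPool, root *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: mids, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	root, rk := issue("Sample Root CA", x509.KeyUsageCertSign, nil, nil, 365)
	mid, mk := issue("Sample Issuing CA", x509.KeyUsageCertSign, root, rk, 365)
	mids := x509.NewCertPool()
	mids.AddCert(mid)
	leaf, _ := issue("client-1", x509.KeyUsageDigitalSignature, mid, mk, 1)
	fmt.Println("full chain:", verifyClient(leaf, mids, root, time.Now()))
	fmt.Println("intermediate missing:", verifyClient(leaf, nil, root, time.Now()))
	fmt.Println("two days later:", verifyClient(leaf, mids, root, time.Now().AddDate(0, 0, 2)))
}
```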
Thus, the configuration and validation required to use certificates in a PKI can be exceedingly complex. Therefore, there is a need in the industry for an improved method and system for authenticating a client. Thus, it is with respect to these considerations, and others, that the present invention has been made.