This invention relates to a technique for verifying the authenticity of participants engaging in electronic commerce.
Today, individuals, businesses, and other organizations conduct an ever-increasing amount of commerce electronically either via private interconnected networks, (xe2x80x9cintranetsxe2x80x9d) or via a public interconnected network such as the Internet. For example, many businesses now exchange all types of documents, such as purchase orders, memorandums, contracts, and request for proposals, for example with other businesses and organizations. Many individuals, businesses, and organizations now purchase and sell all types of goods and services electronically. Indeed, some businesses sell exclusively over the Internet and maintain no retail place of business at all.
In most instances, authentication of an individual, or that individual""s computer terminal, must occur before that individual can engage in commerce. The manner of authentication depends on the type of encryption used to protect transmitted data. Typically, most electronic commerce relies on public key/private key encryption. Generally, senders encrypt data with a symmetric key and then encrypt the symmetric key with the recipient""s public key and send it with a document. Electronic certificates have emerged as the standard method of authenticating an individual""s public key. In fact, the International Telecommunications Union (ITU) has established Standard X.509 for such electronic certificates and most individual web browsers and network servers support that standard. Entities, known as Certificate Authorities (CAs) exist to create and distribute such electronic certificates.
Despite the existence of an ITU standard for electronic certificates, problems remain that have impeded the use of such certificates to facilitate electronic commerce. One such problem is verifying that a presented certificate has not been revoked. For example, certificate revocation may occur as the result from compromise of an associated private key. Alternatively, an individual might change his or her public key. In practice, CAs maintain a local record of revoked certificates and periodically generate and publish from these local records lists of revoked certificates, known as Certificate Revocation Lists (CRLs), that report a snapshot of which certificates have been revoked.
The revocation status of a certificate is hereinafter referred to as the certificate""s xe2x80x9cvalidity.xe2x80x9d The process for determining the revocation status of a particular certificate will hereinafter be referred to as xe2x80x9cvalidatingxe2x80x9d the certificate. There are two approaches employed to validate a certificate. The first approach is to search through the current CRL(s) during certificate verification operation. This approach has the following shortcomings:
1. The CA must deliver a copy of each revision of the CRL to every secure application
2. These redundant copies of CRL must be cached by every secure application
3. Applications that do not have a facility for caching the CRL will need to request the entire CRL during each certificate validation process
4. Each application is burdened with searching through the CRL list during every certificate verification operation
5. Applications must acquire entire CRL in order to verify a single certificate""s status
6. CRLs become outdated and can therefore be inaccurate
7. Determination that a particular certificate is not on the current CRL may lead an inquiring party to conclude that the certificate in question is valid, when in fact, no certificate exists.
Another approach to certificate validation is to undertake a Real-time inquiry of the CA or a Certificate Status server. This approach, for which an implementation protocol as been proposed (Internet draft X.509 Internet Public Key Infrastructurexe2x80x94Online Certificate Status Protocolxe2x80x94OCSP), has the following shortcomings:
1. Real-time access of the CA/Certificate Status Server does not afford scalability
2. This approach is very expensive in terms of network resources
3. Real time CA/Certificate Status Server inquiry inserts network latency into every certificate verification operation
4. The CA/Certificate Status Server must participate in every certificate verification operation.
5. This approach does not allow applications to implement any application-appropriate policy with respect to the required freshness of the certificate status information
6. Each application must execute an inquiry to the CA for the status of that certificate upon presentation to each different application, potentially resulting in the CA answering the same inquiry repeatedly.
In recognition of the scalability shortcomings of the second (real-time query) approach, an extension to the OCSP proposal has been submitted as another internet draft (Internet Public Key Infrastructurexe2x80x94Caching the Online Certificate Status Protocol) to remedy such shortcomings. The Internet draft proposes a mechanism for caching certificate status responses issued by certificate status authorities in intermediate servers so the primary certificate status server does not have to respond directly to every request. Even as modified with the intermediate server caching mechanism, the real-time query approach still suffers from the following shortcomings:
1. This approach requires deployment of intermediate servers
2. Use of intermediate servers is very expensive in terms of network bandwidth
3. Use of intermediate servers does not allow applications to implement application-appropriate policy with respect to the required freshness of the certificate status information
4. As a certificate is presented to different applications during the course of a day, each application must execute an inquiry to some certificate status server (intermediate of primary) for the status of that certificate, resulting in those servers answering the same inquiry repeatedly.
To avoid the problems associated with of the delay in updating certificate validation, some Certificate authorities have experimented with issuing short-lived certificates that cannot be revoked. All certificates that comply with the X509v3 standard have a validity period that defines both the start and end of a certificates period of validity. By choosing a very short period, a CA can issue a certificate that will likely not be revoked prior to expiration. This approach incurs the following disadvantages:
1. Frequent certificate re-issuance imposes a burden on the CA, the network, and the users
2. An application may be unable to determine if a certificate is no longer valid. (Applications must assume that certificates that have not expired are still valid.)
3. This approach does not address the issue of non-existent certificates.
Thus, there is a need for a technique for authenticating participants in electronic commerce that overcomes the aforementioned disadvantages of the standard approaches to certificate status verification. In particular, there is a need to overcome the shortcomings of real-time query of the CA which are (1) very expensive in terms of network resources, (2) insertion of network latency in every certificate validation operation and (3) involvement of the CA in each validation operation. There is also a need to overcome the disadvantages of acquiring, caching and searching each CRL, which are (1) requiring redundant CRL copies cached with each resource, and (2) burdening each server with searching through the CRL during each certificate validation operation.
Briefly, the present invention provides a method for conveying to an application during the authentication process, revocation status information regarding an electronic commerce participant""s authentication certificate that overcomes the aforementioned shortcomings of the current art. The invention improves on present art by relying on participants to obtain, cache, and deliver the status information to applications through a process that allows applications to enforce application-appropriate policy regarding the required xe2x80x9cfreshnessxe2x80x9d of that status information and, thereby, optimize the efficient use of network and status server resources.
The validation process commences upon receipt by a status authority of an inquiry regarding the revocation status of one or more credentials (xe2x80x9cother information), such as a public key certificate, held by a participant. This inquiry is triggered during an authentication process upon determination by an application that
1) The participant does not possess the status information for the other information presented by that participant (and therefore did not deliver it to the application), or
2) Status information for the other information in question was delivered but deficient in some way, based on the application""s local policy. In particular, the status information may be too stale.
Upon receiving the status inquiry, the status server determines the status of the other information and formulates a response consisting of a block of data that contains a plurality of attributes about the other information. In the case of a public certificate, such attributes would include the identity of the certificate, a timestamp, the status of the certificate (e.g., xe2x80x9cnot revokedxe2x80x9d, xe2x80x9crevokedxe2x80x9d, xe2x80x9cunknownxe2x80x9d, xe2x80x9csuspendedxe2x80x9d, etc.), and, if revoked, revocation date, revocation reason, etc., and finally, a digital signature of the aforementioned attributes.
The following discussion of several embodiments of the invention, and subsequent detailed descriptions of the associated processes focus on the use of the present invention in the context of a participant using a web browser to access a web server. That focus is only to simplify the explanation, and should not be construed as a limitation of the applicability of the invention in other contexts.
In one embodiment of the invention, the inquiry originates directly from the participant who issues the inquiry to the status authority spontaneously, possibly as part of a general credential freshening process that participants might perform at the start of a day. In this embodiment of the invention, the status server returns the response to the participant for caching, for example (in the case of a web browser), by inserting it into the participant""s browser as a Cookie.
In a second embodiment of the invention, the inquiry originates directly from the participant who has been redirected to the status authority by an application during the authentication process due to some deficiency in the status information as determined by that application. In this embodiment of the invention, an inquiry URL includes a return URL. The status server returns the response to the participant for caching (as with the previously described embodiment) and redirects the participant back to the return URL specified in the inquiry.
In a third embodiment, the inquiry originates directly from an application in order to acquire other information status (e.g., certificate status) for such other information presented to the application by a participant during an authentication process. This embodiment may be employed for any number of reasons, including for example, if the status authority is part of a foreign domain and, therefore, cannot issue a Cookie for the application""s domain. In this embodiment of the invention, the status server returns the response to the inquiring application and the application in turn, returns the response to the participant for caching (as with the first embodiment of the invention).
When the participant accesses a web site that demands certificate-based authentication, the web site can verify the signature of the participant""s certificate and then, if desired, perform the certificate validation process. The process entails examination of the certificate status information delivered to the application by the participant to determine 1) if it is present, 2) if the timestamp is not too old, and 3) if it indicates the certificate exists and has not been revoked. Depending on the circumstances, including the configuration of the application, if the application determines that the status information is missing or deficient in some way, the application may make an inquiry directly, or may direct the participant to make the inquiry.
The method of the invention affords several advantages over the current approaches described previously. First, the invention caches certificate status information, i.e., responses issued by status authorities, with the user. By caching such status information, the participant can deliver such status information to the application during authentication. Thus, the method of the invention affords the advantage that applications need not obtain and cache the status information from a third party. Additionally, the invention affords the advantage that applications examine the status information provided by the client and determine if it is adequate based on application-appropriate policies regarding the freshness of the information. Only if such status information is too stale for a particular application""s policy, the user client is redirected to the appropriate certificate status authority to refresh the information.