1. Technical Field
This invention relates generally to the field of secure electronic messaging and in particular to checking the status of digital certificates.
2. Description of the State of the Art
Known secure messaging clients, including for example e-mail software applications operating on desktop computer systems, maintain a data store, or at least a dedicated data storage area, for secure messaging information such as digital certificates. A digital certificate normally includes the public key of an entity as well as identity information that is bound to the public key with one or more digital signatures. In Secure Multipurpose Internet Mail Extensions (S/MIME) messaging, for example, a public key is used to verify a digital signature on a received secure message and to encrypt a session key that was used to encrypt a message to be sent. In other secure messaging schemes, public keys may be used to encrypt data or messages. If a public key is not available at the messaging client when required for encryption or digital signature verification, then the digital certificate is loaded onto the messaging client before these operations can be performed.
Normally, a digital certificate is checked against a Certificate Revocation List (CRL) to determine if the digital certificate has been revoked by its issuer. This check is typically performed when a digital certificate is first received and periodically thereafter, for example, when a new CRL is received. However, CRLs tend to be relatively bulky, so that transfer of CRLs to messaging clients consume considerable communication resources, and storage of CRLs at a messaging client may consume significant memory space. CRL-based revocation status checks are also processor-intensive and time consuming. These effects can be particularly pronounced in messaging clients operating on wireless mobile devices, which operate within bandwidth-limited wireless communication networks and may have limited processing and memory resources. In addition, revocation status is updated in CRL-based systems only when a new CRL is distributed.
One alternative scheme for digital certificate revocation status checking involves querying remote systems that maintain digital certificate revocation status information. This type of scheme requires transfer of less information, reduces the complexity of operations that must be performed at a messaging client to check the revocation status of a digital certificate, and may also provide more timely digital certificate revocation status information relative to CRL-based schemes. The Online Certification Status Protocol (OCSP) is an illustrative example of such a scheme. However, wireless communication system bandwidth limitations and latency render these known schemes inappropriate for secure messaging clients operating on wireless mobile devices.