Central Trusted Authority Provides Computer Authentication Patents (Class 713/155)
  • Patent number: 11977635
    Abstract: A system is provided for protecting a computer system and/or control system against manipulation and functional anomalies. The system includes a monitoring module, which has at least a first interface, a second interface, and at least one memory. The system is configured to receive information characterizing the system state of the computer system and/or control system via the first interface, receive an encrypted request for system state via the second interface and decrypt it using a request key stored in the memory, and generate a response to the request from at least a portion of the information received via the first interface. The system is also configured to encrypt the response with a response key determined using the request and output it via the second interface, determine a new request key which is a shared secret also accessible to the sender of the request, and store this new request key in the memory.
    Type: Grant
    Filed: May 21, 2021
    Date of Patent: May 7, 2024
    Assignee: Basler Aktiengesellschaft
    Inventors: Sebastian Adank, Timm Von Der Mehden, Jens Dekarz
  • Patent number: 11977760
    Abstract: Securely loading digital blocks into memory for consumption by a processor. A method includes, at a memory protection shim, receiving a digital block and a manifest for the digital block. The manifest includes a transformation key for the digital block. The transformation key is configured to be used for at least one of validating the digital block or decrypting the digital block. The manifest is encrypted. The method further includes decrypting the manifest to obtain the transformation keys. The method further includes using the transformation keys to perform at least one of validating or decrypting the digital block. The method further includes retransforming the digital block using a memory protection shim ephemeral key to perform at least one of creating an authentication tag or encrypting the digital block. The method further includes storing the retransformed digital block in memory.
    Type: Grant
    Filed: September 8, 2023
    Date of Patent: May 7, 2024
    Assignee: IDAHO SCIENTIFIC LLC
    Inventors: Andrew James Weiler, Nathan Charles Chrisman, Claude Harmon Garrett, V, Dale Weston Reese, Matthew Ryan Waltz, Jay Takeji Hirata
  • Patent number: 11979743
    Abstract: One or more devices may include a credentials server. The credentials server may be configured to: receive primary Standalone Non-Public Network (SNPN) credentials for a User Equipment device (UE) and SNPN information. The primary SNPN credentials and the SNPN information are associated with the UE and an SNPN. The devices may be configured to generate temporary SNPN credentials based on the primary SNPN credentials and the SNPN information. The devices may forward the temporary SNPN credentials to the SNPN.
    Type: Grant
    Filed: June 16, 2021
    Date of Patent: May 7, 2024
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Vinod Kumar Choyi, Samita Chakrabarti
  • Patent number: 11968227
    Abstract: A system and methods for mitigating Kerberos ticket attacks within a domain is provided, comprising an authentication object inspector configured to observe a new authentication object generated by an identity provider, and retrieve the new authentication object; and a hashing engine configured to retrieve the new authentication object from the authentication object inspector, calculate a cryptographic hash for the new authentication object, and store the cryptographic hash for the new authentication object in a data store; wherein subsequent access requests accompanied by authentication objects are validated by comparing hashes for each authentication object to previous generated hashes.
    Type: Grant
    Filed: October 18, 2023
    Date of Patent: April 23, 2024
    Assignee: QOMPLX LLC
    Inventors: Jason Crabtree, Andrew Sellers
  • Patent number: 11966886
    Abstract: The invention relates to creating a secure, decentralized, cloud-based network or physical/virtual infrastructure that enables the payments industry to redefine payment processing and information sharing. The innovative network addresses key pain points by reducing payment delays and touch points, realizing faster and comprehensive payment tracking, real-time sanctions, AML and fraud management tools.
    Type: Grant
    Filed: June 22, 2018
    Date of Patent: April 23, 2024
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventors: John Corwin Hunter, Palka S. Patel, Luciane Sant'Anna, Leticia Pui Sze Lim, Tiffany Ashley Wan, Elizabeth Polanco Aquino, Samer Falah, Sudhir Upadhyay, Tulasi Movva, Suresh Shetty
  • Patent number: 11947658
    Abstract: Some embodiments are directed to a password generation device that includes an input unit arranged to receive, from a user device, a computer address for accessing a computer resource, a user identifier indicating a user of the user device, a user password, and a password unit arranged to determine a first combined identifier from a base address system-identifier, a user system-identifier, and the user password. Moreover, the password generation device may be configured for password verification and/or validation.
    Type: Grant
    Filed: June 21, 2017
    Date of Patent: April 2, 2024
    Assignee: MINDYOURPASS HOLDING B.V.
    Inventor: Merijn De Jonge
  • Patent number: 11924353
    Abstract: A system includes a control computer that is programmed to perform an authentication based on an encryption key, upon being connected to a vehicle communication network. The computer is programmed to control vehicle operation including at least one of propulsion, braking, and steering, upon authentication by a vehicle computer that is physically attached to the communication network.
    Type: Grant
    Filed: January 25, 2017
    Date of Patent: March 5, 2024
    Assignee: Ford Global Technologies, LLC
    Inventors: Michael Talamonti, Walter Joseph Talamonti
  • Patent number: 11921860
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for rollback resistant security are disclosed. In one aspect, a method, during a boot process of a computing device, includes the actions of obtaining a secret key derived from device-specific information for the computing device. The method further includes verifying that a signature for a software module is valid. The method further includes obtaining information indicating a current version of the software module. The method further includes using the secret key to generate a first encryption key corresponding to the current version of the software module and a second encryption key corresponding to a prior version of the software module. The method further includes preventing future access to the secret key until the computing device is rebooted. The method further includes providing the software module access to the first encryption key and the second encryption key.
    Type: Grant
    Filed: February 2, 2023
    Date of Patent: March 5, 2024
    Assignee: Google LLC
    Inventor: Paul Dermot Crowley
  • Patent number: 11917054
    Abstract: Embodiments of this application disclose a network key processing system, including user equipment, a security anchor network element, and an access and mobility management network element, where the security anchor network element is configured to: obtain a first key parameter from a slice selection network element, where the first key parameter includes identifier information of N network slices; generate N slice-dedicated keys based on the first key parameter; and send the N slice-dedicated keys to the corresponding N network slices respectively; the access and mobility management network element is configured to: obtain the first key parameter, and send the first key parameter to the user equipment; and the user equipment is configured to: generate the N slice-dedicated keys for the N network slices based on the first key parameter, and access the N network slices based on the generated N slice-dedicated keys.
    Type: Grant
    Filed: August 11, 2022
    Date of Patent: February 27, 2024
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Zhongding Lei, Lichun Li, Bo Zhang, Fei Liu, Haiguang Wang, Xin Kang
  • Patent number: 11917097
    Abstract: Methods and systems described in this disclosure allow customers to quickly be authenticated. In some embodiments, a device and a user verifier are associated with a user profile. When a call is received from the device, the user may be requested to input the user verifier. After verifying that the device is unique to the user and that the user verifier matches the user verifier associated with the user profile, the user may be authenticated to the call or activity.
    Type: Grant
    Filed: November 1, 2021
    Date of Patent: February 27, 2024
    Assignee: United Services Automobile Association (USAA)
    Inventors: Patricio H. Garcia, Amanda Jean Segovia, Hector J. Castillo, Susan Cass Mason, Robert Craig Korom
  • Patent number: 11909735
    Abstract: Techniques are provided for multi-cloud authentication of data requests. One method comprises obtaining, by a first authentication entity of a first cloud environment, from a service on the first cloud environment, a request for data stored by a second cloud environment; determining a signature for the service; verifying the determined signature for the service by requesting a signature for the service registered with a second authentication entity of the second cloud environment; requesting the data from the second authentication entity of the second cloud environment in response to the determined signature being verified; and providing the requested data to the service. The requested data from the second cloud environment may be encrypted with an encryption key, and the method may further comprise decrypting the requested data with a decryption key obtained from the second cloud environment. The signature for the service may be registered as part of a deployment of the service.
    Type: Grant
    Filed: November 13, 2020
    Date of Patent: February 20, 2024
    Assignee: EMC IP Holding Company LLC
    Inventors: Tomer Shachar, Yevgeni Gehtman, Maxim Balin
  • Patent number: 11895097
    Abstract: A method including configuring, by an infrastructure device, a user device to encrypt authentication information associated with authenticating the user device with a service provider, the authentication information including first factor authentication information for determining a first factor and second factor authentication information for determining a second factor; configuring, by the infrastructure device, the user device to detect an attempt to access a service to be provided by the service provider; configuring, by the infrastructure device, the user device to determine, based on detecting the attempt, the first factor based on decrypting the first factor authentication information and the second factor based on decrypting the second factor authentication information; and configuring, by the infrastructure device, the user device to enable authentication of the user device with the service provider based on utilizing the first factor and the second factor. Various other aspects are contemplated.
    Type: Grant
    Filed: May 23, 2022
    Date of Patent: February 6, 2024
    Assignee: UAB 360 IT
    Inventor: Mindaugas Valkaitis
  • Patent number: 11888994
    Abstract: Described are automated systems and methods for providing a template design for a public-key infrastructure (PKI) system. For example, certain infrastructure information and stored PKI information can be processed to determine a PKI template, which can specify the configuration for a proposed PKI hierarchy. A configurable representation of the proposed PKI hierarchy can be generated and presented to the user, which can facilitate review, modification, and further customization of the proposed PKI hierarchy. Aspects of the present disclosure can also determine costs associated with the proposed PKI hierarchy, and can create and deploy the proposed PKI hierarchy.
    Type: Grant
    Filed: June 30, 2021
    Date of Patent: January 30, 2024
    Assignee: Amazon Technologies, Inc.
    Inventors: Param Sharma, Josh Rosenthol, Todd Cignetti, Jonathan Kozolchyk
  • Patent number: 11886384
    Abstract: The techniques disclosed herein enable systems to centralize access to various digital items irrespective of the location of those digital items. To achieve this, items that are stored at their original location, e.g., within a cloud storage platform, can be selected by a user for storage at a centralized location such as a favorites section. These items are selected using an interface control which can be an operating system component of an item keeping system that is accessible in any context or application. The item keeping system can generate an item alias for selected items which is then stored in the centralized location. In addition, item aliases can be moved to various destinations by the user to enable customized item storage for items of varying types, origin, and location. In addition, functionality of the interface control can be modified to suit selected items.
    Type: Grant
    Filed: April 1, 2022
    Date of Patent: January 30, 2024
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Carlos German Perez, Todd S. Behrbaum, Wendy Lu, Matthew F. Gray, Daniela Dimitrova, Helen Anderson, Olga K. Dalecka, Jokko Juhana Korhonen
  • Patent number: 11887118
    Abstract: Embodiments of the present invention provide a method, program, and apparatus that may identify a device by using a virtual code generated based on a unique value of a chip inside a device without a separate procedure for identifying the device. Furthermore, embodiments of the present invention provide a method, program, and apparatus that may generate a virtual code, which is not matched with any other code, whenever a code for identifying a device is requested. Moreover, embodiments of the present invention provide a method, program, and apparatus for identifying a device that may add and use only an algorithm without changing a conventional process.
    Type: Grant
    Filed: June 2, 2022
    Date of Patent: January 30, 2024
    Assignee: SSenStone Inc.
    Inventor: Chang Hun Yoo
  • Patent number: 11882447
    Abstract: The invention relates to a computer-implemented method for connecting a network component to a network, in particular a mobile communications network, with an extended network access identifier. The method involves a receiving of the extended network access identifier from the network component via a network access server, wherein the extended network access identifier comprises at least one network access restriction for connecting the network component to the network. The method also involves a receiving of a requested user access profile from a user profile server via the network access server, wherein the user access profile comprises access authorisations for connecting the network component to the network. The network component is authenticated in the network via the network access server, if the received extended network access identifier fulfills the access authorisations of the received user access profile.
    Type: Grant
    Filed: August 2, 2019
    Date of Patent: January 23, 2024
    Assignee: Siemens Aktiengesellschaft
    Inventor: Rainer Falk
  • Patent number: 11868997
    Abstract: A payment system implemented on a mobile device authenticates transactions made via the mobile device. The mobile device generates a public-private key pair and receives an authenticating input from a user of the device. The public key is sent to a secure payment system, and the authenticating input is used to generate a symmetric key that encrypts the private key. After a transaction is initiated, the mobile device receives an authenticating input from the user. The symmetric key is generated from the authenticating input and the mobile device attempts to decrypt the private key from the encrypted private key using the symmetric key generated by the user's input. The decrypted key is used to sign a transaction authorization message which is sent to the secure payment system, along with payment information, which can verify the signed message via the public key. Additional techniques related to secure payments are also disclosed.
    Type: Grant
    Filed: November 11, 2020
    Date of Patent: January 9, 2024
    Assignee: Minkasu, Inc
    Inventors: Subramanian Lakshmanan, Anbarasan P. Gounder, Naveen Doraiswamy
  • Patent number: 11870779
    Abstract: The present disclosure includes apparatuses, methods, and systems for validating an electronic control unit of a vehicle. An embodiment includes a memory, and circuitry configured to generate a run-time cryptographic hash based on an identification (ID) number of an electronic control unit of a vehicle and compare the run-time cryptographic hash with a cryptographic hash stored in a portion of the memory.
    Type: Grant
    Filed: May 6, 2022
    Date of Patent: January 9, 2024
    Assignee: Micron Technology, Inc.
    Inventors: Antonino Mondello, Alberto Troia
  • Patent number: 11863310
    Abstract: A system for aggregating a user's web browsing data which may include cookies placed on a user's computing device from various websites. The system receives authorization from a user to retrieve cookie and other data associated with the user. The system then accesses cookie data and personal data associated with the user. In some embodiments, the aggregation system communicates with websites that placed the cookie data on the user's computer to determine one or more characteristics of the user based on the cookie data (which may be understandable only by the placing website). The system may then provide the user's aggregated data or a portion thereof to requesting entities. The user may have access to a user interface which provides information about the user's aggregated data and allows the user to determine how much information to share with requesting entities.
    Type: Grant
    Filed: April 13, 2021
    Date of Patent: January 2, 2024
    Assignee: ConsumerInfo.com, Inc.
    Inventors: Mark Joseph Kapczynski, Michael John Dean
  • Patent number: 11863529
    Abstract: A method for use with a public cloud network is disclosed. The method includes setting up at least one virtual machine, at least one private cloud call-back server (PCCBS) and at least one smart device client on the side of the PCCBS to provide cloud based web services, and at least one private cloud routing server (PCRS) and at least one smart device client on the side of the PCRS in a client server relationship. The virtual machine and PCCBS usually reside in a hyperscale data center, while the PCRS resides in the client's remote premises. An internet platform owner that maintains the virtual machine, offers to a subscriber to host the PCCBS in the virtual machine, constructs and deploys a community pair of peer-to-peer communication relationship between at least one PCCBS Device Client and a PCRS Device Client.
    Type: Grant
    Filed: April 13, 2021
    Date of Patent: January 2, 2024
    Assignee: Kingston Digital, Inc.
    Inventor: Ben Wei Chen
  • Patent number: 11855972
    Abstract: The present disclosure relates to a computer-implemented method of processing a data transfer. The method comprises generating a first identifier for a first entity; linking the first identifier with a second identifier associated with a second entity; sending the first identifier and the second identifier to the first server; verifying the first entity based at least on the first identifier and the second identifier; sending a message to a second server, the message comprising at least the first identifier, the second identifier, and a name associated with the first identifier; and authenticating the data transfer for the first entity based at least on the information contained in the message.
    Type: Grant
    Filed: March 29, 2021
    Date of Patent: December 26, 2023
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventor: Manu Dharmaiah Kallugudde
  • Patent number: 11847253
    Abstract: The technology disclosed herein enables efficient launching of trusted execution environments. An example method can include: receiving, by a first computing device, a request from a second computing device to establish a set of trusted execution environments (TEEs) in the first computing device; establishing a first TEE of the set of TEEs in the first computing device, wherein the trusted execution environment comprises an encrypted memory area and executable code; receiving, by the first TEE, cryptographic key data from the first computing device; establishing, by the first TEE, a second TEE of the set of TEEs in the first computing device, wherein the second TEE comprises a copy of the executable code; providing, by the first TEE, the cryptographic key data to the second TEE; and causing the executable code of the second TEE to communicate with the first computing device using the cryptographic key data.
    Type: Grant
    Filed: November 30, 2020
    Date of Patent: December 19, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Hingston McLaughlin Bursell, Michael Tsirkin, Nathaniel McCallum
  • Patent number: 11838348
    Abstract: A method of computation executed by a server is provided, wherein constraints on results of the computation from a group of client devices in a distributed system are used in a way that makes it unnecessary to identify the client devices. The constraints from each client device include limit amounts applicable to respective other client devices in the group in combination with the client device. The client devices each form doubly encrypted representations of the limit amounts and send messages with requests and its decryption key to the server. The server doubly decrypts the doubly encrypted representations of the limit amounts using the keys from the messages and determines which pairs of the messages include description keys that produce verified results. The server computes a solution that satisfies the requests from the messages, subject to the limit amounts from the verified results, applied in conjunction with the requests from said pairs of the messages.
    Type: Grant
    Filed: July 29, 2019
    Date of Patent: December 5, 2023
    Assignee: Synergy Solutions Group B.V.
    Inventor: Alexey Mileev
  • Patent number: 11831754
    Abstract: In some instances, a method for authenticating a user using key pair authentication is provided. The method comprises enrolling the user into key pair authentication by generating a private and public key pair for an authentication domain, accessing the content on the first domain based on enrolling the user into the key pair authentication with a key pair authentication server using the private and public key pair for the authentication domain, requesting access for different content on a second domain, based on enrolling the user into the key pair authentication for the first domain, redirecting a browser from the second domain to the authentication domain, and accessing the different content on the second domain based on performing the key pair authentication with the key pair authentication server using the private and public key pair for the authentication domain.
    Type: Grant
    Filed: April 21, 2021
    Date of Patent: November 28, 2023
    Assignee: Aetna Inc.
    Inventors: Abbie Barbir, Salil Kumar Jain, Cisa Kurian, John Poirier, Amy Ulrich, Erick Verry, Victoria Garstka, Abhishek Tennarangam
  • Patent number: 11818109
    Abstract: A method including encrypting, by a user device, a file based at least in part on utilizing a file symmetric key and a first encryption algorithm to determine a first-encrypted file; storing, by the user device, the first-encrypted file in a local memory; encrypting, by the user device, the file based at least in part on utilizing a synchronization key and a second encryption algorithm to determine a second-encrypted file, the second encryption algorithm being different from the first encryption algorithm; encrypting, by the user device, metadata associated with the file based at least in part on utilizing a metadata key to determine encrypted metadata; and transmitting, by the user device to a storage device, the second-encrypted file in association with the encrypted metadata is disclosed. Various other aspects are contemplated.
    Type: Grant
    Filed: August 19, 2022
    Date of Patent: November 14, 2023
    Assignee: UAB 360 IT
    Inventors: Konstantin Kolganov, Tomas Smalakys
  • Patent number: 11818253
    Abstract: The present disclosure relates to a trustworthy data exchange. Embodiments include receiving, from a device, a query, wherein the query comprises a question. Embodiments include identifying particular information related to the query. Embodiments include receiving credentials from a user for retrieving the particular information related to the query. Embodiments include retrieving, using the credentials, the particular information related to the query from one or more data repositories that are part of a distributed database comprising an immutable data store that maintains a verifiable history of changes to information stored in the distributed database. Embodiments include determining, based on the particular information related to the query, an answer to the query. Embodiments include providing the answer to the device.
    Type: Grant
    Filed: February 6, 2023
    Date of Patent: November 14, 2023
    Assignee: INTUIT, INC.
    Inventors: Glenn C. Scott, Michael R. Gabriel, Parikshit Lingampally, Roger C. Meike, Ian Maya Panchevre
  • Patent number: 11811929
    Abstract: Managing client access token requests is provided. It is determined whether a current time interval between a last allowed access token request matches a regular access token request interval for a client. In response to determining that the current time interval does match the regular access token request interval for the client, a current access token request is allowed. An access token is generated for the client to access a protected resource hosted by a resource server based on allowing the current access token request. The access token is issued to the client via a network.
    Type: Grant
    Filed: January 27, 2021
    Date of Patent: November 7, 2023
    Assignee: International Business Machines Corporation
    Inventors: Leo Michael Farrell, Holly Wright
  • Patent number: 11805134
    Abstract: A computer-implemented method is disclosed. The method includes: authenticating a user for login to a service for a first authenticated user session; in response to authenticating the user, generating a first data string associated with a first validity period; sending, to a client device associated with the user, the first data string; receiving, from the client device, a data access request to access a first data set at a remote data source, the data access request including the first data string; determining that the first authenticated user session has been terminated at a time of receiving the data access request; validating the first data string based on checking the first validity period; and in response to determining that the first authenticated user session has been terminated and that the first data string is valid, transmitting, to the client device, a data access response including at least a subset of the first data set.
    Type: Grant
    Filed: January 25, 2022
    Date of Patent: October 31, 2023
    Assignee: The Toronto-Dominion Bank
    Inventors: Denny Devasia Kuruvilla, Esli Gjini, Sarah Reeve, Matija Bosnjakovic, Guy Dagmara, Jaspal Singh Samra, Abhiney Natarajan, Haobin Li, Richard Yu, Md Abdur Razzak Chowdhury, Dani Kartikay, Ryan Wu, Andrey Petrov, Peter Horvath, Prashanth Dappula, Sivashanthan Sivapalan, Nolan Glynn-Udrow
  • Patent number: 11799666
    Abstract: A system for authenticating a requesting device using verified evaluators includes an authenticating device. The authenticating device is designed and configured to receive at least a first digitally signed assertion from a requesting device, the at least a first digitally signed assertion linked to at least a verification datum, evaluate at least a second digitally signed assertion, signed by at least a cryptographic evaluator, conferring a credential to the requesting device, validate the credential, as a function of the at least a second digitally signed assertion, and authenticate the requesting device based on the credential.
    Type: Grant
    Filed: January 3, 2022
    Date of Patent: October 24, 2023
    Assignee: Ares Technologies, Inc.
    Inventors: Christian T. Wentz, Ilia Lebedev
  • Patent number: 11792462
    Abstract: Apparatus and methods to manage recording of streaming packetized content (such as for example live IP packetized content) for access, retrieval and delivering thereof to one or more users. In one embodiment, the foregoing is accomplished via communication between a recording manager and a receiver/decoder device. The recording manager manages and schedules recording of content on behalf of the receiver/decoder device (and/or mobile devices) disposed at a user's premises. The recording manager runs one or more computer programs designed to receive requests to record packetized content from one or more consumer devices, and use metadata contained within the requests to cause a cloud storage entity or premises storage device to record the content at its scheduled date/time (either via the receiver/decoder device itself, or another network entity).
    Type: Grant
    Filed: October 4, 2021
    Date of Patent: October 17, 2023
    Assignee: TIME WARNER CABLE ENTERPRISES LLC
    Inventors: George Sarosi, Wilfred Jaime Miles, Chris Cholas
  • Patent number: 11784817
    Abstract: The present disclosure provides systems and methods for secure identification retrieval. The method includes retrieving a value of a periodic variable and calculating a plurality of query tokens from a corresponding plurality of client device identifiers and the value of the periodic variable. Each query token is associated with a corresponding client device identifier in a first database. The method further includes receiving a first query token calculated from a client device identifier of the first client device and the value of the periodic variable and identifying a second query token of the calculated plurality of query tokens in the first database matching the first query token. The method further includes, responsive to the identification, retrieving the associated client device identifier and retrieving one or more characteristics of the first client device according to the associated client device identifier. The method further includes transmitting the retrieved one or more characteristics.
    Type: Grant
    Filed: March 21, 2022
    Date of Patent: October 10, 2023
    Assignee: Google LLC
    Inventors: Gang Wang, Marcel M. Moti Yung
  • Patent number: 11784811
    Abstract: Fault-tolerant storage of cryptographic information maintained on a fleet of HSMs may be provided by dividing the cryptographic information into a number of stripes which are distributed and stored on individual HSMs in the HSM fleet. Parity information is generated which allows one or more stripes to be regenerated if one or more stripes becomes corrupt or is lost. The parity information may be stored on an HSM in the HSM fleet, or outside the fleet on a storage service, HSM management hub, tangible computer-readable media, or other device. If an HSM in the HSM fleet fails, resulting in the loss of a stripe, an HSM in the fleet can recover the missing stripe by re-creating the missing stripe from the remaining stripes combined with the parity information. In some examples, stripes are mirrored within the fleet of HSMs.
    Type: Grant
    Filed: August 28, 2020
    Date of Patent: October 10, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Alan Rubin, Benjamin Philip Grubin
  • Patent number: 11777717
    Abstract: A method for attestation of Control Flow Integrity (CFI) of an application running on an end entity whereby an asymmetric key pair is generated by a Key Management Module (KMM) comprising a private key and a public key, then the public key is signed with a device key unique to the end entity thereby generating a public key certificate which attests to the private key being in possession of the end entity. The asymmetric key pair is based on the executing code of the application and the device key. The attestation claims regarding CFI of the application are signed by the private key in a dedicated signature module.
    Type: Grant
    Filed: January 25, 2019
    Date of Patent: October 3, 2023
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Sampo Sovio, Jan-Erik Ekberg
  • Patent number: 11775621
    Abstract: At least one machine readable medium comprising a plurality of instructions that in response to being executed by a system cause the system to send a unique identifier to a license server, establish a secure channel based on the unique identifier, request a license for activating an appliance from a license server over the secure channel, receive license data from the license server over the secure channel; determine whether the license is valid, and activate the appliance in response to a determination that the license data is valid.
    Type: Grant
    Filed: November 21, 2022
    Date of Patent: October 3, 2023
    Assignee: Intel Corporation
    Inventors: Malini K. Bhandaru, Kapil Sood, Christian Maciocco, Isaku Yamahata, Yunhong Jiang
  • Patent number: 11776543
    Abstract: An authentication system prevents leakage of a key-reading speech during user authentication based on the key-reading speech of a user reading an authentication key. For each user ID, a storage stores a voiceprint of a user in association with a recorded sound including speech spoken previously by the user. A specifier specifies the user ID of a user attempting to receive authorization. An outputter outputs a masking sound that includes the recorded sound recorded in association with the specified user ID. An acquirer acquires a key-reading speech of the user reading the authentication key and the output masking sound. A remover acquires a second sound by removing the masking sound from the acquired first sound. A determiner determines whether the user has authority pertaining to the specified user ID based on the acquired second sound.
    Type: Grant
    Filed: May 3, 2021
    Date of Patent: October 3, 2023
    Assignee: Passlogy Co., Ltd.
    Inventors: Motohiko Mitsuno, Hideharu Ogawa
  • Patent number: 11770705
    Abstract: Configuration methods and systems include a smart vehicle router associated with router information stored in a router file in a cloud network, and a smart mobile device comprising a camera and software application tool. The router information includes a unique authentication certificate to permit a one-to-one pairing such that another pairing is not available. The configuration system is configured to read an image of an identification component associated with the smart vehicle router and the router information, apply an authentication algorithm to the image to provision the tool with the unique authentication certificate, authenticate the smart vehicle based on the image and authentication algorithm, pair the authenticated smart vehicle with the tool in the one-to-one pairing based on the unique authentication certificate and the router information, and automatically configure the tool on the smart mobile device to retrieve data associated with the authenticated smart vehicle.
    Type: Grant
    Filed: September 10, 2021
    Date of Patent: September 26, 2023
    Assignee: Thor Tech, Inc.
    Inventors: Ciprian R. Sandu, Jason T. Kriesel, McKay R. Featherstone, Edward Brady, Steven Hileman
  • Patent number: 11768699
    Abstract: Systems and methods are provided for managing dynamic controls over access to computer resources and, even more particularly, for evaluating and re-evaluating dynamic conditions and changes associated with user sessions. The systems and methods are configured to automatically make a determination as to whether new or additional authentication credentials are required for a user that is already authorized for accessing resources in a user session, in response to triggering events such as the identification of a new or changed condition associated with the user session.
    Type: Grant
    Filed: October 5, 2019
    Date of Patent: September 26, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Alexander Esibov, Itamar Azulay
  • Patent number: 11770250
    Abstract: The present invention relates to a method for ensuring search completeness of searchable public key encryption, applicable to a blockchain network formed by a plurality of computer nodes. The method at least comprises: the blockchain network receiving a keyword ciphertext and a corresponding file-identifier ciphertext generated by a transmitting end based on the public key encryption, and at least one miner storing the ciphertexts in a ciphertext table; the blockchain network receiving a search trapdoor Tw transmitted by a receiving end, generated according to a private key and a keyword w to be searched; the at least one miner in the blockchain network performing a secure search based on information of a state table and the search trapdoor Tw, and outputting a search result to the blockchain network; and the blockchain network feeding the search result back to the receiving end.
    Type: Grant
    Filed: August 2, 2021
    Date of Patent: September 26, 2023
    Assignee: HUAZHONG UNIVERSITY OF SCIENCE AND TECHNOLOGY
    Inventors: Peng Xu, Tianyang Chen, Yubo Zheng, Hai Jin, Wei Wang
  • Patent number: 11757924
    Abstract: Risk assessment in an authentication service is performed where an authorization request is received from a third-party application. Risk assessment policies for the authorization request are determined based on a class of the third-party application. The risk assessment policies are applied to the authorization request to determine an action to be performed for the authorization request, such as sending an authorization message in response to the authorization request or taking a remedial action (e.g., suspending the application, limiting the available actions, or sending a notification to a trusted security application).
    Type: Grant
    Filed: October 12, 2022
    Date of Patent: September 12, 2023
    Assignee: eBay Inc.
    Inventors: Tatjana Vlahovic, Gail Anna Rahn Frederick
  • Patent number: 11750368
    Abstract: A method is disclosed. The method comprises receiving, from a communication device, a provisioning request message including a user device identifier and a cryptogram in a first message format, which is received from the user device by the communication device during a message exchange process between the user device and the communication device. The method also includes generating an authorization request message in a second message format, the authorization request message comprising the cryptogram, transmitting the authorization request message to an authorizing computer, and receiving an authorization response message from the authorizing computer. The method also includes providing access data to the communication device.
    Type: Grant
    Filed: March 3, 2022
    Date of Patent: September 5, 2023
    Assignee: Visa International Service Association
    Inventors: Thomas Bellenger, Barbara Patterson
  • Patent number: 11741217
    Abstract: A computer-implemented method for generating multiple valid OTPs (One Time Passwords) for a single identity using a shared logic, including using an OTP solution based on the shared logic generating and validating multiple valid OTPs that are capable of transferring additional info in an OTP validation process; changing the shared logic in an OTP client and/or in an OTP server dynamically if there is a logic overlapping in the shared logic in a moving factor value and in one or more rules addressed by a rules-based engine; and/or using the OTP solution for one or more distributed disconnected environments only if the shared logic, the moving factor value, and the one or more rules addressed by the rules-based engine are overlapping.
    Type: Grant
    Filed: November 9, 2022
    Date of Patent: August 29, 2023
    Assignee: TEN ROOT CYBER SECURITY LTD.
    Inventor: Dor Amit
  • Patent number: 11734038
    Abstract: This disclosure leverages multi-attach to block store volumes for more reliable live migration of virtualized resources. A block storage client of a virtualized resource operating on a source host in a first data center can be attached to a block storage volume stored on block storage hosts in the first data center. State data associated with the virtual machine can be transmitted from the source host to a target host, after which the virtual machine can run on the target host and operations of the virtualized resources may be ceased on the source host. Failure of the migration may require roll back to the source host. The source host may remain connected to the volume while the target host client connects to the volume, such that the volume may be accessed by the block storage client on the source host after rollback to provide uninterrupted operation of the virtual machine.
    Type: Grant
    Filed: November 21, 2019
    Date of Patent: August 22, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Oleksii Tsai, Nikolay Krasilnikov, Anton Valter, Alexey Gadalin
  • Patent number: 11734424
    Abstract: Systems and methods of automatically controlling a user's data footprint are provided. Data associated with a user may be analyzed to determine an action the user is preparing to take. Based on the analysis, a potential risk associated with the action the user is preparing to take may be identified. The potential risk associated with the action the user is preparing to take may be, for example, a data security risk, a data privacy risk, a physical risk, a risk of damage to property, and/or a financial risk. A notification indicating the potential risk associated with the action the user is preparing to take may be provided to the user. The notification may include one or more suggestions for mitigating the potential risk associated with the action the user is preparing to take.
    Type: Grant
    Filed: December 7, 2022
    Date of Patent: August 22, 2023
    Assignee: BlueOwl, LLC
    Inventors: Theobolt N. Leung, Micah Wind Russo
  • Patent number: 11722491
    Abstract: Cumulative risk-based scoring may be implemented for quorum controls. Requests for authorization of a proposed action may be received. Approvals from members of a quorum set authorized to approve the action may be received. Risk assessments of the members may be used to generate authorization scores. The combined authorization scores may be compared with a quorum authorization threshold to determine whether the proposed action is authorized or denied.
    Type: Grant
    Filed: June 30, 2020
    Date of Patent: August 8, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Kazi Naim Al-Rashid, Dean H Saxe
  • Patent number: 11722502
    Abstract: Disclosed herein are systems and methods executing a security server that perform various processes using alert elements containing various data fields indicating threats of fraud or attempts to penetrate an enterprise network. Using alert elements, the security server generates integrated alerts that are associated with customers of the system and assigns a risk score for the integrated alerts, which the security server uses to store and sort the integrated alerts according to a priority, based on the relative risk scores. Analyst computers may query and fetch integrated alerts from an integrated alert database, and then present the integrated alerts to be addressed by an analyst according to the priority level of the respective integrated alerts. This helps ensure that the right customer is worked by the right analyst at the right time, to maximize fraud prevention and minimize customer impact.
    Type: Grant
    Filed: April 8, 2021
    Date of Patent: August 8, 2023
    Assignee: United Services Automobile Association (USAA)
    Inventors: Jansey Comeaux, Michael Scott McQuarrie, Gregory Sansone, Veronica Santiago
  • Patent number: 11716328
    Abstract: A method is disclosed. The method includes constructing a table by encrypting a plurality of unencrypted match values using a public key to produce a plurality of encrypted match values. Each unencrypted match value is an indication of a degree of match between an input biometric template and an enrollment template. The method includes arranging each row so that each row has a match value and a corresponding encrypted match value. The method also includes storing, in a database, the table comprising the plurality of encrypted match values and the plurality of unencrypted match values. The server computer can be programmed to receive an encrypted biometric template and the table is used to determine a match value using the encrypted biometric template, and the match value is used to determine if a person is enrolling a biometric template associated with the encrypted biometric template more than once.
    Type: Grant
    Filed: March 5, 2021
    Date of Patent: August 1, 2023
    Assignee: Visa International Service Association
    Inventors: Kim Wagner, Sunpreet Singh Arora, Lacey Best-Rowden
  • Patent number: 11711357
    Abstract: Various embodiments of the present application set forth a computer-implemented method that includes receiving, by a first service operating within a computing system, a modified identity data object from a second service operating within the computing system, where the modified identity data object includes at least one identifier associated with a client of the computing system, determining, by the first service, that the second service performed a first action on an identity data object to generate the modified identity data object, and validating the modified identity data object based on whether the second service is authorized to perform the first action.
    Type: Grant
    Filed: August 16, 2019
    Date of Patent: July 25, 2023
    Assignee: NETFLIX, INC.
    Inventors: Travis Nelson, Justin Ryan, Sunny Singh
  • Patent number: 11706304
    Abstract: A system for presenting a clinical process of a patient in a clinical facility having a network, a system backend communicable with the network, and at least one mobile device communicable with the system backend, the mobile device comprising a mobile processor and a display, the mobile processor configured to operate in at least one first user interface mode and at least one second user interface mode, where the mobile processor is configured to enable the operation of at least one built-in function when operating in the at least one first user interface mode and where the mobile processor is configured to disable the operation of the at least one built-in function when operating in the at least one second user interface mode.
    Type: Grant
    Filed: January 15, 2021
    Date of Patent: July 18, 2023
    Assignee: MOBILE HEARTBEAT, LLC
    Inventors: Michael Vincent George Iwanek, Sajikumar Aravind
  • Patent number: 11683295
    Abstract: Certain aspects of the present disclosure provide techniques for entering user credentials through a proxy. One example method generally includes receiving, at a user device, a push request for user data from a cloud server and receiving a request file from an aggregation system. The method further includes injecting user credentials stored on the user device into the request file, wherein when injected the user credentials replace at least one dummy entry of the request file, and transmitting the request file to a data source associated with the request file. The method further includes receiving user data from the data source and transmitting the user data to the aggregation system.
    Type: Grant
    Filed: April 27, 2020
    Date of Patent: June 20, 2023
    Assignee: INTUIT, INC.
    Inventors: Muniyaraj Samayavel, Prashant Asthana
  • Patent number: 11671264
    Abstract: Techniques for validating digital certificate information before signing are described. A method of validating digital certificate information before signing may include generating a to-be-signed (TBS) certificate, providing the TBS certificate to a certificate pre-issuance validation service to perform one or more validations on the TBS certificate, and receiving a request to issue a signed certificate based on the TBS certificate following validation of the TBS certificate by the certificate pre-issuance validation service.
    Type: Grant
    Filed: September 18, 2020
    Date of Patent: June 6, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Todd Cignetti, Trevoli Ponds-White, Michael S. Slaughter, Param Sharma, Kyle Benjamin Schultheiss, Chris Stoner