Revocation Or Expiration Patents (Class 713/158)
  • Publication number: 20110213968
    Abstract: A set of certificate management methods designed to significantly reduce or eliminate reliance on infrastructure network connectivity after vehicles are sold uses techniques to support certificate management operations in order to reduce the frequency with which vehicles need to communicate with the Certificate Authorities (CAs) and the amount of data that needs to be exchanged between vehicles and the CA. These methods include, for example, approaches to use one-way communications and vehicle-to-vehicle (V2V) communications to replace expired certificates, approaches to use one-way communications and V2V communications to replace revoked certificates, and use of a small subset of vehicles as proxies to help retrieve and distribute Certificate Revocation Lists (CRLs) and replacement certificates. The combination of these techniques leads to solutions that can eliminate the need for roadside infrastructure networks completely.
    Type: Application
    Filed: August 31, 2010
    Publication date: September 1, 2011
    Applicant: TELCORDIA TECHNOLOGIES, INC.
    Inventors: Tao Zhang, Hyong-Sop Shim, Stanley Pietrowicz
  • Publication number: 20110213966
    Abstract: A method and system for automatically generating a certificate operation request is described.
    Type: Application
    Filed: February 26, 2010
    Publication date: September 1, 2011
    Inventors: Christina Fu, Andrew Wnuk
  • Patent number: 8006086
    Abstract: A computer system (110) provides validity status proofs each of which proves the validity or invalidity of a set (F) of one or more digital certificates (104). The computer system may decide to cache a validity proof for a set F to later provide the cached proof to other parties. The caching decision is based on the caching priority of the set F. The priority may depend on the number of certificates in the set F, the sum of the remaining validity periods for the certificates in the set, and other factors.
    Type: Grant
    Filed: June 26, 2009
    Date of Patent: August 23, 2011
    Assignee: NTT DOCOMO, Inc.
    Inventors: Craig B. Gentry, Zulfikar Amin Ramzan, Bernhard Bruhn
  • Patent number: 8006085
    Abstract: A license-management system and method is provided. A method of issuing a proxy certificate includes transmitting a proxy-certificate-issuance-request message to a license server by a local license manager in order for the local license manager to acquire authority to issue a license; enabling the license server to verify the proxy-certificate-issuance-request message; if the proxy-certificate-issuance-request message is valid, transmitting a proxy certificate to the local license manager by the license server, the proxy certificate including information regarding the authority to issue a license; and verifying the proxy certificate by the local license manager.
    Type: Grant
    Filed: July 2, 2008
    Date of Patent: August 23, 2011
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Jae-Won Lee, Hee-Youl Kim, Hyun-Soo Yoon, Byung-Chun Chung, Youn-Ho Lee
  • Publication number: 20110191581
    Abstract: A system and method is provided for managing digital certificates, the system including one or more certificate authorities and a vehicle-bound digital certificate manager, the apparatus comprising: a mobile client having a wireless transceiver with internet protocol capabilities and a vehicle communication device; the client further including at least one processor and at least one non-transitory computer readable medium encoded with instructions, which when loaded on the at least one computer, establishes processes for information handling, comprising: establishing secure communications with a certificate authority to receive at least one of a Vehicle Identification Digital Certificate (“VIDC”), an Anonymous Vehicle Digital Certificate (“AVDC”), and Certificate Revocation Lists (“CRLs”); storage management of at least one of the VIDC, AVDCs, and CRLs; and forwarding of at least one of the VIDC, AVDCs, and CRLs received from the certificate authority to the digital certificate manager using the vehicle c
    Type: Application
    Filed: July 29, 2010
    Publication date: August 4, 2011
    Applicant: TELCORDIA TECHNOLOGIES, INC.
    Inventors: Hyong-Sop Shim, Stanley Pietrowicz, Tao Zhang
  • Patent number: 7991874
    Abstract: The disclosure is directed to an enterprise system including a message topic, a monitor definition, a monitoring manager, and an alert topic. The message topic includes a message associated with performance of a distributed computing application. The monitor definition includes performance rules for evaluating data associated with the message associated with the distributed computing application. The monitor definition is associated with a role. The monitoring manager is configured to access the message topic. The alert topic is configured to receive an alert message from the monitoring manager. The monitoring manager provides the alert message in accordance with the monitor definition. The alert message is accessible to a user associated with the role.
    Type: Grant
    Filed: March 16, 2005
    Date of Patent: August 2, 2011
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Robert William Gulledge, Brian O'Neal Bearden, Gary Lee Dunn, Michael Khalili
  • Patent number: 7987142
    Abstract: A computerized intellectual property trading exchange is disclosed for facilitating the trading of license contracts relating to intellectual property rights. The exchange includes at least one intellectual property license contract relating to intellectual property rights and a computer-accessible forum configured to allow a plurality of participants to trade the license contract. The plurality of participants includes at least one seller, which may be the owner, having the license contract and desiring to trade the license contract. The plurality of participants also includes at least one buyer desiring to obtain the license contract. The buyer may be an investor, speculator, market maker, or arbitrageur, who purchases the license contract to achieve appreciation. The buyer also may be a licensee, who purchases the license contract to practice the intellectual property rights.
    Type: Grant
    Filed: January 16, 2009
    Date of Patent: July 26, 2011
    Assignee: IPXI Technologies, LLC
    Inventors: James E. Malackowski, Michael J. Lasinski
  • Patent number: 7984479
    Abstract: Policy filtering services are built into security processing of an execution environment for resolving how to handle a digital security certificate of a communicating entity without requiring a local copy of a root certificate that is associated with the entity through a certificate authority (“CA”) chain. Policy may be specified using a set of rules (or other policy format) indicating conditions for certificate filtering. This filtering is preferably invoked during handshaking, upon determining that a needed root CA certificate is not available. In one approach, the policy uses rules specifying conditions under which a certificate is permitted (i.e., treated as if it is validated) and other rules specifying conditions under which a certificate is blocked (i.e., treated as if it is invalid). Preferably, policy rules are evaluated and enforced in order of most-specific to least-specific.
    Type: Grant
    Filed: April 17, 2006
    Date of Patent: July 19, 2011
    Assignee: International Business Machines Corporation
    Inventors: Roy F. Brabson, Barry Mosakowski, Linwood H. Overby, Jr.
  • Patent number: 7984297
    Abstract: A system may account for the number of bounced e-mails by adding a number of records over the desired quantity to ensure that a minimum number of e-mails are not returned. To calculate an accurate number of extra records to identify, a system may need to track the percentage of messages returned and add a number of records equal to that percentage over the minimum number required by the particular campaign. However, unless the system accurately identifies a bounced e-mail as one originating from the system, spam or other unsolicited e-mail sent to the system may result in inaccuracies.
    Type: Grant
    Filed: July 25, 2007
    Date of Patent: July 19, 2011
    Assignee: Mypoints.com Inc.
    Inventors: James John Bohannon, Andre Calvin Burgoyne
  • Publication number: 20110161663
    Abstract: An online certificate status checking protocol (OCSP) system is provided for use with a first device, an end device and a certificate authority. The first device can provide a certificate. The end device can provide an OCSP request based on the certificate and process an OCSP response. The certificate authority can provide a CRL update. The certificate has a validity period. The OCSP system includes an OCSP responder, an OCSP proxy and a cache. The OCSP responder can provide the OCSP response. The OCSP proxy can receive the OCSP request from the end device, can send the OCSP request to the OCSP responder, can receive the OCSP response from the OCSP responder and can send the OCSP response to the end device. The cache can store information based on the OCSP response. The OCSP proxy can further store, in the cache, information based on the OCSP response and can send a proactive OCSP request to the OCSP responder based on a predetermined policy.
    Type: Application
    Filed: December 29, 2009
    Publication date: June 30, 2011
    Applicant: GENERAL INSTRUMENT CORPORATION
    Inventor: Madjid Nakhjiri
  • Patent number: 7971061
    Abstract: An opt-in email system in which a recipient that has opted in to an email list can recognize and trust that an email has actually come from a desired sender. When a recipient desires to opt-in to an e-mail list, the recipient is sent to a trusted third party certification service that generates a certificate associated with a key pair. A key is maintained at the sender's location by a secure cryptographic device that can verify the certificate and create a signature, using a key of the key pair, for messages intended for the recipient. When a message intended for the recipient is received from the sender, the signature will be verified based on the status of the certificate and the corresponding key of the key pair. If the signature does not verify, it indicates that the recipient has not opted-in to receive emails from this sender.
    Type: Grant
    Filed: December 11, 2006
    Date of Patent: June 28, 2011
    Assignee: Pitney Bowes Inc.
    Inventors: Robert A. Cordery, John F. Braun, Ronald P. Sansone
  • Patent number: 7970141
    Abstract: The present invention relates to a method for traitor tracing. One embodiment of a method for determining at least one traced private key used by a decoder to decrypt an encrypted message includes defining an input ciphertext, the input ciphertext being associated with a tracing private key and having a sublinear size, calling the decoder on the input ciphertext, and associating the tracing private key with a set of traced private keys if the decoder is able to correctly decrypt the encrypted message in accordance with the input ciphertext, the set of traced private keys including at least one private key.
    Type: Grant
    Filed: September 13, 2007
    Date of Patent: June 28, 2011
    Assignees: The Regents of the University of California, SRI International, The Board of Trustees of the Leland Stanford Junior University
    Inventors: Dan Boneh, Amit Sahai, Brent Waters
  • Publication number: 20110154028
    Abstract: Systems and methods for handling electronic messages. An electronic message that is associated with a digital certificate is to be processed. A decision whether to check the validity of the digital certificate is based upon a digital certificate checking criterion. An IT administrator may provide to one or more devices configuration data that establishes the digital certificate checking criterion.
    Type: Application
    Filed: December 21, 2010
    Publication date: June 23, 2011
    Applicant: Research In Motion Limited
    Inventors: Michael G. KIRKUP, Herbert A. Little, Ian M. Robertson
  • Publication number: 20110154018
    Abstract: The present invention is directed towards systems and methods for batching OCSP requests and caching corresponding responses. An intermediary between a plurality of clients and one or more servers receives a first client certificate during a first SSL handshake with a first client and a second client certificate during a second SSL handshake with a second client. The intermediary may identify that the statuses of the client certificates are not in a cache of the intermediary. An OCSP responder of the intermediary may transmit a single request to an OCSP server to determine the statuses. The intermediary may determine, from a single response received from the OCSP server, whether to establish SSL connections with the clients based on the statuses. The intermediary may store the statuses to the cache for determining whether to establish an SSL connection in response to receiving a client certificate from the first client.
    Type: Application
    Filed: December 23, 2009
    Publication date: June 23, 2011
    Inventors: Christofer Edstrom, Tushar Kanekar
  • Publication number: 20110154026
    Abstract: The present invention is directed towards systems and methods for processing an Online Certificate Status Protocol (OCSP) request in parallel to processing a Secure Socket Layer (SSL) handshake. The method includes transmitting, by an OCSP responder of an intermediary device between a plurality of clients and one or more servers, an OCSP request to an OCSP server for a status of a client certificate responsive to receiving the client certificate from a client during an SSL handshake. The intermediary device may continue to perform remaining portions of the SSL handshake while the OCSP request to the OCSP server is outstanding. The intermediary device may establish an SSL connection for the SSL handshake. The intermediary device may determine whether to terminate or maintain the established SSL connection based on the status of the client certificate received via a response from the OCSP server.
    Type: Application
    Filed: December 23, 2009
    Publication date: June 23, 2011
    Inventors: Christofer Edstrom, Tushar Kanekar
  • Publication number: 20110154027
    Abstract: A method of renewing a plurality of digital certificates includes receiving, at a first time, a request from a user to renew a first digital certificate and determining an expiration date for the first digital certificate. The method also includes receiving, at a second time, a request from the user to renew a second digital certificate and determining an expiration date for the second digital certificate. The expiration date for the second certificate is later than the expiration date for the first certificate. The method further includes determining a new expiration date occurring after the first time and the second time and renewing the first digital certificate. An expiration date for the renewed first digital certificate is equal to the new expiration date. Moreover, the method includes renewing the second digital certificate. An expiration date for the renewed second digital certificate is equal to the new expiration date.
    Type: Application
    Filed: December 23, 2009
    Publication date: June 23, 2011
    Applicant: VeriSign, Inc.
    Inventors: Quentin Liu, Kathleen Barnes, Richard F. Andrews
  • Publication number: 20110153479
    Abstract: A method for managing payment of digital certificates includes receiving a request to issue a digital certificate to a subscriber, capturing and saving payment information of the subscriber, performing a first authentication and verification of the subscriber at a first time, and performing at least one additional authentication and verification of the subscriber at least once every authentication period. A long-lived certificate is issued to the subscriber provided the subscriber is authenticated and verified. The long-lived certificate is valid for an expiration period. However, the long-lived certificate is revoked if (1) the additional authentications and verifications produce invalid results, or (2) payment is not received during a payment period. The authentication period is shorter than the expiration period and there are at least a first and a second authentication period within the expiration period. The expiration period is longer than the authentication period.
    Type: Application
    Filed: December 23, 2009
    Publication date: June 23, 2011
    Applicant: VeriSign, Inc.
    Inventors: Quentin Liu, Kathleen Elizabeth Barnes, Richard F. Andrews
  • Publication number: 20110145569
    Abstract: A method of provisioning a first digital certificate and a second digital certificate based on an existing digital certificate includes receiving information related to the existing digital certificate. The existing digital certificate includes a first name listed in a Subject field and a second name listed in a SubjectAltName extension. The method also includes receiving an indication from a user to split the existing digital certificate and extracting the first name from the Subject field and the second name from the SubjectAltName extension of the existing digital certificate. The method further includes extracting the public key from the existing digital certificate, provisioning the first digital certificate with the first name listed in a Subject field of the first digital certificate and the public key, and provisioning the second digital certificate with the second name listed in a Subject field of the second digital certificate and the public key.
    Type: Application
    Filed: December 16, 2009
    Publication date: June 16, 2011
    Applicant: VeriSign, Inc.
    Inventors: Quentin Liu, Marc Williams, Richard F. Andrews
  • Patent number: 7962419
    Abstract: Techniques are described for facilitating interactions between computing systems, such as by performing transactions between parties that are automatically authorized via a third-party transaction authorization system. In some situations, the transactions are programmatic transactions involving the use of fee-based Web services by executing application programs, with the transaction authorization system authorizing and/or providing payments in accordance with private authorization instructions previously specified by the parties. The authorization instructions may include predefined instruction rule sets that regulate conditions under which a potential transaction can be authorized, with the instruction rule sets each referenced by an associated reference token.
    Type: Grant
    Filed: August 18, 2009
    Date of Patent: June 14, 2011
    Assignee: Amazon Technologies, Inc.
    Inventors: Vikas Gupta, Allan H. Vermeulen, Eugene Wei, Andrew R. Jassy, Jeffrey P. Bezos, Duane J. Krause, David A. Schappell
  • Patent number: 7962122
    Abstract: A method of securely initializing subscriber and security data in a mobile routing system when the subscribers are also subscribers of a radio communication network. The method comprises, within the mobile routing system, authenticating subscribers to the mobile routing system using an authentication procedure defined for the radio communication network, collecting subscriber information from relevant nodes of the radio network, and agreeing upon keys by which further communications between the subscribers and the mobile routing system can take place, and using the subscriber information and keys in the provision of mobility services to subscriber mobile nodes and correspondent nodes.
    Type: Grant
    Filed: May 21, 2004
    Date of Patent: June 14, 2011
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Pekka Nikander, Jari Arkko
  • Patent number: 7958349
    Abstract: A method and apparatus for revoking a digital signature using a signature revocation list. In one embodiment, the method includes generating the signature revocation list to indicate revocation status of a signature. The signature is created from an encryption key and a document. The method also includes computing an identifier of the signature in the signature revocation list based on contents of the signature. The method further includes publishing the signature revocation list for access by users of the document.
    Type: Grant
    Filed: August 30, 2007
    Date of Patent: June 7, 2011
    Assignee: Red Hat, Inc.
    Inventor: Steven W. Parkinson
  • Patent number: 7958055
    Abstract: A method, apparatus, and computer instructions for leasing a unique digital item in a network data processing system. A listing request is received for a payment and a deposit in the account of a first party. A listing request is received for a unique digital item in the account of a second party. Responsive to receiving the listing requests, the respective digital properties are transferred to a temporary storage account in association with retrieval tags. Listings for the digital properties appear on a trusted third-party leasing service. A lease contract is drawn up between the parties. After all parties have signed the lease agreement, the payment is transferred to the second party and the unique digital item is transferred to the first party. The deposit is held by the trusted third-party leasing service until the unique digital item is returned.
    Type: Grant
    Filed: August 29, 2003
    Date of Patent: June 7, 2011
    Assignee: International Business Machines Corporation
    Inventors: Jimmy Ming-Der Hsu, Peter Y. Hsu
  • Patent number: 7958350
    Abstract: A system for proactive forced renewal of content protection implementations in devices includes a key generation facility to generate and allocate keys for the devices, and to generate revocation data corresponding to revoked keys in response to at least one of a security compromise and on a periodic basis independent of a security compromise; and a device manufacturer to receive the keys from the key generation facility, to embed the keys in content protection implementations for the devices, to distribute the devices, and to renew the content protection implementations in devices after the devices are distributed, in response to at least one of a security compromise and on a periodic basis independent of a security compromise.
    Type: Grant
    Filed: May 14, 2008
    Date of Patent: June 7, 2011
    Assignee: Intel Corporation
    Inventors: C. Brendan S. Traw, Michael S. Ripley
  • Publication number: 20110126005
    Abstract: A host device comprises a configurable connector. The host device connector can be connected to a configurable connector of an accessory device. The host device can select connector functions to be enabled for connecting to the accessory device connector. The selection of connector functions can be based on accessory device information such as accessory device power consumption, power configuration and application information. The accessory device can exclude connector functions supported by the accessory device from the list of accessory device functions sent to the host device. The accessory device can exclude connector functions based on information about the host and connector devices. Single or mutual authentication can be performed before connection functions are enabled at either device. Host and accessory devices can require that a host device be licensed to use an accessory device connector function or to gain access to accessory device resources. Tiered licensing policies can be supported.
    Type: Application
    Filed: June 29, 2010
    Publication date: May 26, 2011
    Applicant: Microsoft Corporation
    Inventors: Todd L. Carpenter, Andras Tantos, John Chiloyan
  • Publication number: 20110107090
    Abstract: Enterprise users access several applications and services routinely to carry out their work-related activities on a day-to-day basis. These applications and services could be hosted within an enterprise or on a third-party data center. The enterprise users log in to the applications and services so as to gain access to them. In the case of single sign-on, it is expected that the users authenticate once to a specific application/service/system and obtain access to any other application/service/system. In such a scenario, it is important to ensure that during the course of this authenticated access grant, the right users are provided access to the right information. This is achieved by a re-authentication system that demands minimum re-authentication effort from “right” users and maximum re-authentication effort from “non-right” users. A system and method of on-the-fly re-authentication involves a novel challenge-response mechanism.
    Type: Application
    Filed: October 29, 2009
    Publication date: May 5, 2011
    Applicant: SATYAM COMPUTER SERVICES LIMITED OF MAYFAIR CENTRE
    Inventors: Sridhar Varadarajan, Srividya Gopalan
  • Patent number: 7937089
    Abstract: We present technology that allows layman computer users to simply create, provision, and maintain secured infrastructure—an instant PKI. This technology can be used in a wide variety of applications including wired and wireless networks, secure sensor networks (such as medical networks), emergency alert networks, as well as simply and automatically provisioning network devices whether secure or not.
    Type: Grant
    Filed: September 5, 2003
    Date of Patent: May 3, 2011
    Assignee: Palo Alto Research Center Incorporated
    Inventors: Diana K. Smetters, Dirk Balfanz, Glenn E. Durfee, Rebecca E. Grinter, Paul J. Stewart, Hao-Chi Wong
  • Patent number: 7937584
    Abstract: A method and system for key certification in a public key infrastructure. The infrastructure has a network formed of a plurality of nodes. Each node has a private and public key pair. The nodes are either or both a certifying node and a certified node. A certifying node provides a digital certificate referring to the public key of a certified node. The digital certificate is signed by the private key of the certifying node. The method includes providing a root public key for a user, the root public key being at any node in the network chosen by the user, and providing a chain of digital certificates from the node with the root public key across the node network to any other node.
    Type: Grant
    Filed: October 2, 2007
    Date of Patent: May 3, 2011
    Assignee: International Business Machines Corporation
    Inventors: Peter Roy Dare, John Owlett
  • Publication number: 20110083011
    Abstract: A system, and method related thereto, for providing a vehicular communications network public-key infrastructure. The system comprises a plurality of communications infrastructure nodes and a plurality of vehicles each having a communications component. The communications component provides vehicle to vehicle (V2V) communications, and communications via infrastructure nodes. A communications security component in each of the plurality of vehicles provides security for the communications between the plurality of vehicles using a plurality of security modules. The security modules include a certificate management module. A public key interface module may include a public key, a private key, an anonymous key and a management key. The system further includes a detection and response module for attack detection and attack mitigation. The communications security component assigns and installs at least one security key, a certificate of operation, and a current certificate revocation list.
    Type: Application
    Filed: July 13, 2010
    Publication date: April 7, 2011
    Applicant: TELCORDIA TECHNOLOGIES, INC.
    Inventor: Giovanni DiCrescenzo
  • Patent number: 7921283
    Abstract: A digital signature is applied to digital data in real-time. The digital signature serves as a mark of authenticity assuring a recipient that the digital data did in fact originate from an indicated source. The digital signature may be applied to any digital data, including video signals, audio signals, electronic commerce information, data pertaining to land vehicles, marine vessels, aircraft, or any other data that can be transmitted and received in digital form.
    Type: Grant
    Filed: March 16, 2007
    Date of Patent: April 5, 2011
    Assignee: Verizon Business Global LLC
    Inventor: David Scott Hayes
  • Patent number: 7917941
    Abstract: A system and method for providing security for an Internet server. The system comprises: a logical security system for processing login and password data received from a client device during a server session in order to authenticate a user; and a physical security system for processing Internet protocol (IP) address information of the client device in order to authenticate the client device for the duration of the server session.
    Type: Grant
    Filed: September 22, 2003
    Date of Patent: March 29, 2011
    Assignee: International Business Machines Corporation
    Inventor: Bruce Wallman
  • Patent number: 7912787
    Abstract: There are provided an information processing apparatus and a license distribution system including the information processing apparatus in which the reproduction or duplication of a content can be limited to the interior of a domain and a benefit based on the fact that an external device has participated in the domain can be made available at the time of reissuing a license. A reproducing device 1 transmits a request for reissuing the license for permitting the reproduction of the content in the domain, and participation information (S201). A server 2 receives the request for reissuing the license and the participation information (S202), and confirms validity of the transmitted participation information (S203). When the validity of the participation information is confirmed, the server 2 determines information on a specific privilege related to the license, transmits the information to the external device (S206), and reissues the license (S210).
    Type: Grant
    Filed: December 4, 2008
    Date of Patent: March 22, 2011
    Assignee: Fujitsu Limited
    Inventors: Hironori Sakakihara, Fumio Honda, Shuichi Matsumura
  • Patent number: 7907724
    Abstract: An apparatus for protecting an RSA calculation of an output based on input values by means of the Chinese remainder theorem, the apparatus comprising a first determining device adapted to determine a first security parameter based on the input values, a computing device adapted to compute a control value based on the first security parameter and the input values, a calculating device adapted to calculate modified input parameters based on the input values and the first security parameter, a performing device adapted to perform the RSA calculation based on the modified input values to obtain a single modified output, and a second determining device adapted to determine whether the single modified output is in a predetermined relation to the control value and to apply a countermeasure in case the predetermined relation is not fulfilled.
    Type: Grant
    Filed: October 25, 2007
    Date of Patent: March 15, 2011
    Assignee: Infineon Technologies AG
    Inventor: Wieland Fischer
  • Patent number: 7904679
    Abstract: A method and apparatus for managing backup data is disclosed. A data backup system defines a plurality of time windows for creating and maintaining backup data in accordance with a data backup policy. Each of the time windows is assigned a predetermined amount of storage space. When the data backup system creates backup data, the system determines whether a storage space assigned to a time window is large enough to accommodate new backup data. If the storage space is large enough, the new backup data is stored. However, if the storage space is not large enough, the system deletes the oldest backup data until enough storage space is obtained.
    Type: Grant
    Filed: February 4, 2005
    Date of Patent: March 8, 2011
    Assignee: NetApp, Inc.
    Inventors: Roger Keith Stager, Donald Alvin Trimmer, Pawan Saxena, Craig Anthony Johnston, Yafen Peggy Chang, Rico Blaser
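The retention policy in the abstract above (several time windows, a fixed quota per window, evict oldest until the new backup fits) is easy to get subtly wrong, so here is an added worked example of it. It is not NetApp's code; the window names, quotas and backup records are constructed. The one behaviour added beyond the abstract is an up-front refusal of a backup larger than its window's whole quota: without it the eviction loop would delete every prior backup in the window and still fail, which is exactly the history loss a backup system exists to prevent.

```python
"""Windowed backup retention with per-window storage quotas (added example)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List


@dataclass(frozen=True)
class Backup:
    name: str
    created: int      # constructed monotonic timestamp (seconds)
    size: int         # bytes


@dataclass
class TimeWindow:
    """One retention window ('hourly', 'daily', ...) with its own quota."""
    name: str
    capacity: int
    backups: Deque[Backup] = field(default_factory=deque)  # oldest on the left

    def used(self) -> int:
        return sum(b.size for b in self.backups)

    def store(self, backup: Backup) -> List[str]:
        """Keep `backup`, evicting the oldest entries until it fits.

        Returns the names of evicted backups. A backup larger than the whole
        quota is refused before anything is deleted; an out-of-order backup is
        refused because eviction relies on chronological order.
        """
        if backup.size > self.capacity:
            raise ValueError(
                f"{backup.name}: {backup.size} B exceeds {self.name} quota of {self.capacity} B")
        if self.backups and backup.created < self.backups[-1].created:
            raise ValueError(f"{backup.name}: older than the newest stored backup")
        evicted: List[str] = []
        while self.used() + backup.size > self.capacity:
            evicted.append(self.backups.popleft().name)
        self.backups.append(backup)
        return evicted


class DataBackupSystem:
    """Routes each new backup to the window named by the policy and enforces
    that window's quota. Policy and quotas are constructed values."""

    def __init__(self, policy: Dict[str, int]):
        self.windows = {name: TimeWindow(name, cap) for name, cap in policy.items()}

    def create_backup(self, window: str, backup: Backup) -> List[str]:
        if window not in self.windows:
            raise KeyError(f"no window {window!r} in backup policy")
        return self.windows[window].store(backup)

    def retained(self, window: str) -> List[str]:
        return [b.name for b in self.windows[window].backups]


if __name__ == "__main__":
    system = DataBackupSystem({"daily": 100, "weekly": 250})
    for b in (Backup("d1", 1, 40), Backup("d2", 2, 40), Backup("d3", 3, 50)):
        print(b.name, "evicted:", system.create_backup("daily", b))
    print("daily window now holds:", system.retained("daily"))
```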
  • Patent number: 7904721
    Abstract: A method for producing a certificate, the certificate including data, the method including choosing a seed s, the seed s including a result of applying a function H to the data, generating a key pair (E,D), such that E=F(s,t), F being a publicly known function, and including s and t in the certificate. Related methods, and certificates produced by the various methods, are also described.
    Type: Grant
    Filed: December 27, 2007
    Date of Patent: March 8, 2011
    Assignee: NDS Limited
    Inventors: Yaacov Belenky, Chaim D. Shen-Orr, Aviad Kipnis, Victor Halpern
  • Patent number: 7904952
    Abstract: A system and method for access control is provided. In one embodiment, a system includes a computing device connected to an access server that controls the ability of the computing device to access a computing resource, such as the Internet. The access server connects to an activation server via a network. The activation server is operable to receive a request to generate a certificate for the computing device from the activation server. The activation server is operable to generate the certificate and embed a unique identifier of the computing device and/or the access server and/or the like inside the certificate. Once generated, the certificate is installed in the computing device. When the computing device initiates a request to access the computing resource, the computing device initially sends the certificate to the access server.
    Type: Grant
    Filed: December 3, 2004
    Date of Patent: March 8, 2011
    Assignee: BCE Inc.
    Inventors: Tet Hin Yeap, Dafu Lou, William G. O'Brien
  • Patent number: 7900046
    Abstract: A system, method, and computer program product for establishing mutual trust on a per-deployment basis between two software modules. For example, the first software module may be a Websphere (WS) Information Integrator (II) deployment instance, and the second software module may be a plugin instance. By executing for this deployment an initial handshake between the software modules, both modules identify themselves and exchange digital certificates received from a trusted certification authority and respective public keys. Subsequent communications for this deployment between the software modules proceed with each module encrypting its communications with the public key of the other module; thereby establishing mutual trust between the software modules for each deployment.
    Type: Grant
    Filed: January 11, 2006
    Date of Patent: March 1, 2011
    Assignee: International Business Machines Corporation
    Inventors: Priya Baliga, Randy M. Nakagawa, Tian Zhang
  • Patent number: 7890998
    Abstract: A system, method, and program product are provided that provide authentication on a per-role basis in a Role-Based Access Control (RBAC) environment. When a user attempts to acquire a role, the improved RBAC system determines whether (a) no authentication is required (e.g., for a non-sensitive role such as accessing a company's product catalog), (b) a user-based authentication (e.g., password) is required, or (c) a role-based authentication (e.g., role-specific password) is required.
    Type: Grant
    Filed: June 29, 2007
    Date of Patent: February 15, 2011
    Assignee: International Business Machines Corporation
    Inventors: Yantian Tom Lu, Thomas Walters Drew
  • Patent number: 7890993
    Abstract: A secret file access authorization system with fingerprint limitation includes an authorization module, encryption module and certification module in a server linked by programs. A user module of at least one client machine contains a kernel encryption/decryption unit embedded in the client operating system kernel, so access authorization to secure files can be limited by environment or time fingerprint. Therein the authorization module provides an authorization secret key (ASK) and fingerprint template. The encryption module accepts the ASK and secret files to be encrypted, and provides a decryption secret key (DSK). The user module accepts the ASK and encrypted secret files, and presents a claim for the ASK certification to the certification module. The certification module accepts the DSK, the claim and the template, and provides the certified DSK to the user module to start the kernel encryption/decryption unit in the user module and achieve reading and writing of encrypted files.
    Type: Grant
    Filed: March 24, 2005
    Date of Patent: February 15, 2011
    Assignee: Shanghai Sanlen Info Security Co., Ltd.
    Inventors: Yunchuan Qin, Jungang Zhou
  • Patent number: 7886144
    Abstract: A system and method for retrieving certificates and/or verifying the revocation status of certificates. In one embodiment, when a user opens a digitally signed message, a certificate that is required to verify the digital signature on the message may be automatically retrieved if it is not stored on the user's computing device (e.g. a mobile device), eliminating the need for users to initiate the task manually. Verification of the digital signature may also be automatically performed by the application after the certificate is retrieved. Verification of the revocation status of a certificate may also be automatically performed if it is determined that the time that has elapsed since the status was last updated exceeds a pre-specified limit.
    Type: Grant
    Filed: October 29, 2004
    Date of Patent: February 8, 2011
    Assignee: Research In Motion Limited
    Inventors: Michael S. Brown, Michael K. Brown, Neil P. Adams, Michael G. Kirkup, Herbert A. Little
  • Patent number: 7882348
    Abstract: Systems and methods for handling electronic messages. An electronic message that is associated with a digital certificate is to be processed. A decision whether to check the validity of the digital certificate is based upon digital certificate checking criterion. An IT administrator may provide to one or more devices configuration data that establishes the digital certificate checking criterion.
    Type: Grant
    Filed: February 25, 2005
    Date of Patent: February 1, 2011
    Assignee: Research In Motion Limited
    Inventors: Michael G. Kirkup, Herbert A. Little
  • Patent number: 7877600
    Abstract: An apparatus and method for providing at least one root certificate are disclosed. Specifically, a plurality of root certificates is received and stored. Afterwards, a request is received from a first endpoint device for a desired root certificate, where the desired root certificate is used by the first endpoint device to verify an identity of a second endpoint device. Furthermore, the first endpoint device and the second endpoint device are associated with different certificate hierarchies. The desired root certificate is then sent to at least the first endpoint device.
    Type: Grant
    Filed: December 27, 2006
    Date of Patent: January 25, 2011
    Assignee: General Instrument Corporation
    Inventors: Xin Qiu, Petr Peterka, Eric J. Sprunk
  • Patent number: 7874007
    Abstract: Guest users are enabled to access network resources through an enterprise network using a guest user account. A guest user account may be created for a guest for a limited time. Guest account credentials of the guest account may be provided to the guest to use the guest account using any of a variety of techniques described herein, for example, by scanning a guest access card, credit card or mobile telephone of the guest user, and providing the guest account credentials to the user based on the information obtained. A guest access management server may be configured to generate and maintain guest accounts, authenticate guest users, and track and log guest activity. A VLAN technology may be used to separate guest traffic from host enterprise traffic on the host enterprise network. After a guest user is authenticated, communications to and from the guest user may be routed to a guest VLAN.
    Type: Grant
    Filed: April 28, 2006
    Date of Patent: January 18, 2011
    Assignee: Microsoft Corporation
    Inventors: Amer A. Hassan, Andrew T. Baron, Christian Huitema, Deyun Wu, Mahmood H. Khadeer, Vishesh M. Parikh, Wajih Yahyaoui
  • Patent number: 7870383
    Abstract: System, method and program product for updating a current encryption certificate with a new encryption certificate in a computer having a first plurality of communication channels which require an encryption certificate and a second plurality of communication channels which do not require an encryption certificate. The computer stores the current encryption certificate. The first plurality of communication channels are active and use the current encryption certificate for communication. The second plurality of communication channels are also active. The first plurality of communication channels are deactivated without deactivating the second plurality of communication channels, while substituting the new encryption certificate for the current encryption certificate for subsequent use by the first plurality of communication channels. After the substitution, the first plurality of communication channels are reactivated.
    Type: Grant
    Filed: February 9, 2006
    Date of Patent: January 11, 2011
    Assignee: International Business Machines Corporation
    Inventor: Chad D. Lingmann
  • Publication number: 20110004767
    Abstract: A bidirectional entity authentication method based on a credible third party includes the steps that: entity A receives message 1 sent from entity B including the authentication parameters of said entity B, and sends message 2 to the credible third party TP, said message 2 including the authentication parameters of entity B and the authentication parameters of entity A; entity A receives message 3 sent from said credible third party TP, said message 3 including the checking result obtained by said credible third party TP after checking whether said entity A and entity B are legal based on said message 2; entity A obtains the authentication result of entity B after authenticating said message 3, and sends message 4 to said entity B so that entity B can authenticate based on said message 4 and obtain the authentication result of entity A.
    Type: Application
    Filed: March 4, 2009
    Publication date: January 6, 2011
    Inventors: Manxia Tie, Jun Cao, Xiaolong Lai, Zhenhai Huang
  • Patent number: 7865720
    Abstract: A method and system for supporting multiple digital certificate status information providers are disclosed. An initial service request is prepared at a proxy system client module and sent to a proxy system service module operating at a proxy system. The proxy system prepares multiple service requests and sends the service requests to respective multiple digital certificate status information providers. One of the responses to the service requests received from the status information providers is selected, and a response to the initial service request is prepared and returned to the proxy system client module based on the selected response.
    Type: Grant
    Filed: March 20, 2003
    Date of Patent: January 4, 2011
    Assignee: Research In Motion Limited
    Inventors: Herbert A. Little, Stefan E. Janhunen, Dale J. Hobbs
  • Patent number: 7865721
    Abstract: A method and system are presented for configuring a group of OCSP (Online Certificate Status Protocol) responders so that they are highly available. Each of the grouped OCSP responders shares a common public key. When responding to an OCSP request, an OCSP responder generates an OCSP response that is signed with a group digital signature; the certificate for the common or group public key can be attached to the OCSP response. An OCSP client uses the group public key to verify the group digital signature on an OCSP response from any of the OCSP responders. For an OCSP client, the availability of this group of responders is greater than the availability of any one member of the group.
    Type: Grant
    Filed: October 3, 2007
    Date of Patent: January 4, 2011
    Assignee: International Business Machines Corporation
    Inventor: Krishna K. Yellepeddy
  • Publication number: 20100332825
    Abstract: In accordance with the teachings of the present invention, a system and method for dynamic, multi-attribute authentication are provided. In a particular embodiment, a method for authentication includes receiving, at an authentication web server, an authentication request comprising a workstation message and a user message, wherein the workstation message comprises a workstation object and a workstation signature, the workstation object comprises a workstation certificate associated with a workstation, the user message comprises a user object and a user signature, and the user object comprises a copy of the workstation message and a user certificate associated with a user of the workstation.
    Type: Application
    Filed: June 25, 2009
    Publication date: December 30, 2010
    Applicant: Raytheon Company
    Inventors: Charles B. Bradley, II, Thomas Farley, Ricardo J. Rodriguez
  • Publication number: 20100332826
    Abstract: A memory device and method for updating a security module are disclosed. In one embodiment, a memory device is provided comprising a memory operative to store content and a controller in communication with the memory. The controller is configured to send an identification of the memory device's security module to a host and receive an identification of the host's security module. If the memory device's security module is out-of-date with respect to the host's security module, the memory device receives a security module update from the host. If the host's security module is out-of-date with respect to the memory device's security module, the memory device sends a security module update to the host.
    Type: Application
    Filed: June 30, 2009
    Publication date: December 30, 2010
    Inventor: Jason T. Lin
  • Patent number: 7861084
    Abstract: A method of authenticating data transmitted in a digital transmission system, in which the method comprises the steps, prior to transmission, of determining at least two encrypted values for at least some of the data, each encrypted value being determined using a key of a respective encryption algorithm, and outputting said at least two encrypted values with said data.
    Type: Grant
    Filed: July 19, 2006
    Date of Patent: December 28, 2010
    Assignee: THOMSON Licensing S.A.
    Inventors: Jean-Bernard Gerard Maurice Beuque, Philippe Poulain
  • Publication number: 20100325429
    Abstract: The present invention is directed towards systems and methods for maintaining Certificate Revocation Lists (CRLs) for client access in a multi-core system. A first core may generate a secondary CRL corresponding to a master CRL maintained by the first core. The CRLs may identify certificates to revoke. The first core can store the secondary CRL to a memory element accessible by the cores. A second core may receive a request to validate a certificate. The second core can provisionally determine, via access to the secondary CRL, whether the certificate is revoked. The second core may also determine not to revoke the certificate. Responsive to the determination, the second core may request the first core to validate the certificate. The first core can determine whether to revoke the certificate based on the master CRL. The first core may send a message to the second core based on the determination.
    Type: Application
    Filed: June 22, 2009
    Publication date: December 23, 2010
    Inventors: Ashoke Saha, Christofer Edstrom, Tushar Kanekar
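The two-tier lookup in the abstract above (a master CRL owned by one core, a secondary copy in shared memory that other cores consult first, and an escalation to the owning core when the secondary says "not revoked") has one hazard worth seeing in code: a stale secondary will happily report a freshly revoked certificate as good. The example below is an added illustration of that pattern, not Citrix's or the inventors' code. It departs from the abstract in one labelled way: instead of escalating every provisional "not revoked" to the master, the worker compares its snapshot's version with a counter the master publishes and only escalates (and refreshes the snapshot) when the two differ; that version counter is an assumption of this example. Certificates are keyed by serial number alone, which assumes a single issuer; real CRL entries are matched on issuer and serial.

```python
"""Master/secondary CRL lookup across cores (added example)."""
import threading
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple


@dataclass(frozen=True)
class SecondaryCRL:
    """Immutable snapshot of the master CRL, published to the shared memory
    element. Serial numbers stand in for full (issuer, serial) CRL entries."""
    revoked: FrozenSet[int]
    version: int


class MasterCore:
    """First core: owns the master CRL and answers slow-path validations."""

    def __init__(self, revoked: Iterable[int]):
        self._revoked = set(revoked)
        self.version = 1          # bumped on every change; readable by all cores
        self._lock = threading.Lock()
        self.validations = 0      # slow-path requests served (observable in tests)

    def revoke(self, serial: int) -> None:
        with self._lock:
            self._revoked.add(serial)
            self.version += 1

    def snapshot(self) -> SecondaryCRL:
        """Secondary CRL to be placed in the shared memory element."""
        with self._lock:
            return SecondaryCRL(frozenset(self._revoked), self.version)

    def validate(self, serial: int) -> Tuple[bool, SecondaryCRL]:
        """Authoritative answer plus a fresh snapshot for the asking core."""
        with self._lock:
            self.validations += 1
            return serial in self._revoked, SecondaryCRL(frozenset(self._revoked), self.version)


class WorkerCore:
    """Second core: consults the shared secondary CRL before the master."""

    def __init__(self, master: MasterCore, shared: Dict[str, SecondaryCRL]):
        self.master = master
        self.shared = shared      # the memory element all cores can read

    def is_revoked(self, serial: int) -> bool:
        sec = self.shared["crl"]
        if serial in sec.revoked:
            return True                       # listed: revoke without asking
        if sec.version == self.master.version:
            return False                      # provisional 'not revoked' is current
        # Provisional 'not revoked' from a stale secondary: confirm with the
        # master and refresh the snapshot so later lookups take the fast path.
        revoked, fresh = self.master.validate(serial)
        self.shared["crl"] = fresh
        return revoked


if __name__ == "__main__":
    master = MasterCore(revoked=[0x1001, 0x1002])   # constructed serials
    shared = {"crl": master.snapshot()}
    worker = WorkerCore(master, shared)
    print("0x2000 before revocation:", worker.is_revoked(0x2000))
    master.revoke(0x2000)
    print("0x2000 after revocation: ", worker.is_revoked(0x2000),
          "(slow-path validations:", master.validations, ")")
```

Without the version comparison the worker's fast path answers "not revoked" for 0x2000 even after the master has revoked it; with it, the first lookup after a change pays for one round trip to the owning core and every lookup after that is served from the refreshed secondary.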