Abstract: Systems and methods are provided for creating authentic baseline data from high-resolution and high-definition audio and video data and for using the authentic baseline data to determine if an unknown video is real or fake. A method, according to one implementation, includes examining a questionable video of a prominent individual, wherein the questionable video shows the prominent individual speaking. The method also includes detecting speech characteristics of the prominent individual from the questionable video and detecting bodily movements of the prominent individual from the questionable video while the prominent individual is speaking. Furthermore, the method includes comparing the detected speech characteristics and detected bodily movements with reliable baseline characteristics that are certified as authentic. Based on the comparing step, the method also includes tagging the questionable video as fake or real.

Abstract: Features are disclosed for a dynamic security seal indicating a security of an application. A computing device can receive a request to implement a dynamic security seal for an application. The computing device can validate a relationship between an entity and the application and between an image and the application. Based on validating these relationships, the computing device can generate a dynamic security seal. When implemented, the dynamic security seal may display a plurality of faces. A face of the plurality of faces may be the image. The dynamic security seal can sequentially display the plurality of faces based on various criteria.

Abstract: Techniques are disclosed for accelerating online certificate status protocol (OCSP) response distribution to relying parties using a content delivery network (CDN). A certificate authority generates updated OCSP responses for OCSP responses cached in the CDN that are about to expire. In addition, the certificate authority pre-generates cache keys in place of CDNs generating the keys. The certificate authority sends the OCSP responses and the cache keys in one transaction, and the CDN, in turn, consumes the new OCSP responses using the cache keys.

Abstract: A trust chain having client system and a remote system in a secure connection, wherein an intermediary system associated with the network flow path serves as a signing entity to establish an end to end transitive trust. The intermediate system is a corroborative entity in the operations technology realm of the client system. The remote system serves as the host for a plurality of services in the information technology realm. A two way handshake during the initial secure exchange protocol between a local client application and a remote service is extended to a three way handshake that includes a nonce issued by the remote service on the remote system and a digital signature for the nonce issued by a signature service on an associated intermediate system. The nonce signature is verified authoritatively at the remote system based on the signing certificate of the intermediate system for explicit proof of association.

Abstract: A system and method for digitally signing an object. An object signing agent sends a signing request for an object to a remote signing server, which, in response to receiving the request, generates a virtual machine executing code for signing the object. The object is signed within the virtual machine and returned to the object signing agent.

Abstract: A method, system and apparatus for authenticating target recipients for digital certificates. A certificate authority authentication system receives a request from an entity for a digital certificate including untrusted certificate validation data. The authentication system initiates a communication link using to untrusted certificate validation data to generate verified untrusted certificate validation data. Subsequently or concurrently, the system obtains, from a confirmation computing system, trusted certificate validation data. The authentication system compares the verified untrusted certificate validation data with the trusted certificate validation data and, based on the comparison, authenticates the entity and issues the requested digital certificate.

Abstract: Techniques are disclosed for dynamically generating a digital certificate for a customer server. A customer server creates a certificate profile and receives an associated profile identifier from a certificate authority (CA). The customer server installs an agent application received from the CA. The agent application generates a public/private key pair and an identifier associated with the customer server. The agent application sends a signed request to the CA that includes the profile identifier, server identifier, and the public key corresponding to the key pair. Upon receiving the credentials, the CA generates a dynamically updatable certificate. Thereafter, if the customer changes information associated with the certificate (or if external conditions require a change to the certificate, such as a key compromise or change in security standards), the CA may generate an updated certificate based on the certificate profile changes and the public key.

Abstract: Certificates issued by a CA are distributed across multiple CRLs. Each certificate issued by the CA is assigned to a specific CRL, and the address of that CRL is written to the appropriate field of the certificate, such that an authenticating application can subsequently determine if the certificate is revoked. When the CA revokes a specific one of the issued certificates, it determines to which CRL the revoked certificate is assigned, and updates the specific CRL accordingly. In some embodiments, a single one of the multiple CRLs is active for assignment of certificates at any given time, and each certificate issued by the CA is assigned to the currently active CRL. In other embodiments, assignments of issued certificates are distributed between different ones of a pre-determined number of multiple CRLs by applying a statistical distribution formula to each issued certificate to determine a corresponding target CRL.

Abstract: A method, system and apparatus for requesting a plurality of credentials from a trusted entity. A local validation device (LVD) receives a credential request or an identifier from each of a plurality of user devices. The LVD generates or compiles a bundle of credential requests corresponding to the plurality of user devices. The LVD transmits the bundle of credentials requests to the MVD. The MVD receives the bundle of request and performs a validation for each request in the bundle and then communicates the credentials and/or the results of the validations to the LVD. The LVD communicates credentials to each of the plurality of user devices. In some cases, the LVD performs the validation for each credential request. For instance, the LVD can receive a local enforcement policy from the MVD, which can provide instructions or guidance to the LVD as to how to perform the validations.

Abstract: Techniques are disclosed to automate secure propagation of a configuration to a plurality of servers in a server cluster. For example, the techniques may include a method. The method may include receiving, at a first computing device, a first public key associated with a target computing device, the first computing device having an updated configuration. The method may further include encrypting, at the first computing device, the updated configuration using the first public key. The method may further include sending the encrypted configuration to the target computing device. The method may further include decrypting, at the target computing device, the encrypted configuration using a first private key associated with the target computing device, wherein the first public key and the first private key are a first keypair associated with the target computing device. The method may further include updating the target computing device with the updated configuration.

Abstract: For zero-touch provisioning of devices at scale using device configuration templates by device type, a secure element, a provisioning wizard, a provisioning client, an enrollment client, an update client, an enrollment service, an update publisher service, signing and encryption certificates, a method including generating device configuration templates for enrollment and update by device type, sending device configuration templates signed with a device owner signing certificate, and a device owner encryption certificate to the device manufacturer, generating a device configuration for a device based on the device configuration templates using a secure element on the device for immutable device identity, an extended configuration for the device, signing the device configuration with a device manufacturer signing certificate and a secure element signing certificate, encrypting the doubly signed device configuration with an owner encryption certificate, configuring bootstrap metadata, and configuring the device

Abstract: A method, system and apparatus for requesting a plurality of credentials from a trusted entity. A local validation device (LVD) receives a credential request or an identifier from each of a plurality of user devices. The LVD generates or compiles a bundle of credential requests corresponding to the plurality of user devices. The LVD transmits the bundle of credentials requests to the MVD. The MVD receives the bundle of request and performs a validation for each request in the bundle and then communicates the credentials and/or the results of the validations to the LVD. The LVD communicates credentials to each of the plurality of user devices. In some cases, the LVD performs the validation for each credential request. For instance, the LVD can receive a local enforcement policy from the MVD, which can provide instructions or guidance to the LVD as to how to perform the validations.

Abstract: A method of building a device historian, across a supply chain of device manufactures and managers, by a plurality of device management services comprising an enrollment service, an update service, a policy service, and an analytics service, a transaction connector, a blockchain broker service participating as a node in a blockchain network, and transaction filters. The method comprises sending, by the plurality of device management services a transaction record over the transaction connector to the blockchain broker service, receiving, by the blockchain broker service, the transaction record, filtering, by the blockchain broker service, information in the transaction record based on the transaction filters, preparing, by the blockchain broker service, a versioned block based on the filtered information from the transaction record, and adding, by the blockchain broker service, the versioned block to the blockchain network.

Abstract: A trust chain having client system and a remote system in a secure connection, wherein an intermediary system associated with the network flow path serves as a signing entity to establish an end to end transitive trust. The intermediate system is a corroborative entity in the operations technology realm of the client system. The remote system serves as the host for a plurality of services in the information technology realm. A two way handshake during the initial secure exchange protocol between a local client application and a remote service is extended to a three way handshake that includes a nonce issued by the remote service on the remote system and a digital signature for the nonce issued by a signature service on an associated intermediate system. The nonce signature is verified authoritatively at the remote system based on the signing certificate of the intermediate system for explicit proof of association.

Abstract: A method of provisioning a first digital certificate and a second digital certificate based on an existing digital certificate includes receiving information related to the existing digital certificate. The existing digital certificate includes a first name listed in a Subject field and a second name listed in a SubjectAltName extension. The method also includes receiving an indication from a user to split the existing digital certificate and extracting the first name from the Subject field and the second name from the SubjectAltName extension of the existing digital certificate. The method further includes extracting the public key from the existing digital certificate, provisioning the first digital certificate with the first name listed in a Subject field of the first digital certificate and the public key, and provisioning the second digital certificate with the second name listed in a Subject field of the second digital certificate and the public key.

Abstract: Techniques are disclosed for accelerating online certificate status protocol (OCSP) response distribution to relying parties using a content delivery network (CDN). A certificate authority generates updated OCSP responses for OCSP responses cached in the CDN that are about to expire. In addition, the certificate authority pre-generates cache keys in place of CDNs generating the keys. The certificate authority sends the OCSP responses and the cache keys in one transaction, and the CDN, in turn, consumes the new OCSP responses using the cache keys.

Abstract: Techniques are disclosed for dynamically generating a digital certificate for a customer server. A customer server creates a certificate profile and receives an associated profile identifier from a certificate authority (CA). The customer server installs an agent application received from the CA. The agent application generates a public/private key pair and an identifier associated with the customer server. The agent application sends a signed request to the CA that includes the profile identifier, server identifier, and the public key corresponding to the key pair. Upon receiving the credentials, the CA generates a dynamically updatable certificate. Thereafter, if the customer changes information associated with the certificate (or if external conditions require a change to the certificate, such as a key compromise or change in security standards), the CA may generate an updated certificate based on the certificate profile changes and the public key.

Abstract: A method, system and apparatus for authenticating target recipients for digital certificates. A certificate authority authentication system receives a request from an entity for a digital certificate including untrusted certificate validation data. The authentication system initiates a communication link using to untrusted certificate validation data to generate verified untrusted certificate validation data. Subsequently or concurrently, the system obtains, from a confirmation computing system, trusted certificate validation data. The authentication system compares the verified untrusted certificate validation data with the trusted certificate validation data and, based on the comparison, authenticates the entity and issues the requested digital certificate.

Abstract: Techniques are disclosed for identifying and authenticating prospective certificate authority customers of a secure socket layer (SSL) certificate prior to receiving an order from the customer. The CA generates a list of prospective customers of digital certificates (e.g., by scanning networked servers via the Internet for the presence of an installed digital certificate). The CA retrieves data for each customer on the list and determines, based on a set of approval criteria, which prospective customers to target in enrollment campaigns. For each approved customer, the CA initiates an enrollment process prior to receiving a request from the customer to provide a certificate.

Abstract: A system and method for digitally signing an object. An object signing agent sends a signing request for an object to a remote signing server, which, in response to receiving the request, generates a virtual machine executing code for signing the object. The object is signed within the virtual machine and returned to the object signing agent.