Abstract: A process of extending retention periods of records. In operation, an electronic computing device identifies a retention period associated with the record. The device obtains information related to a future event. The information includes a time period during which the future event is predicted or scheduled to occur and a location at which the future event is predicted or scheduled to occur. When the device determines that the record is contextually related to the future event based at least in part on the time period or the location of the future event, the retention period associated with the record is extended. The device may also automatically extend retention periods of records based on a number of other retention-related factors associated with the record including recording content, record trustworthiness, recording time, recording location, recording data type, recording source, recording officers' profile and their association, crime statistics, incident severity, and the like.

Abstract: Systems and methods for authenticating public key infrastructure certificate enrollment using certificate entitlement licenses. One example system includes a device manager including an electronic processor. The electronic processor is configured to receive a request for software for an electronic device including a unique electronic device identifier. The electronic processor is configured to determine, based on the request, whether the electronic device is entitled to participate in a certificate management service. The electronic processor is configured to, responsive to determining that the electronic device is entitled to participate in a certificate management service, transmit a certificate entitlement license request including the unique device identifier to a certificate entitlement license manager. The electronic processor is configured to receive, from the certificate entitlement license manager, a certificate entitlement license for the unique device identifier.

Abstract: A process of extending retention periods of records. In operation, an electronic computing device identifies a retention period associated with the record. The device obtains information related to a future event. The information includes a time period during which the future event is predicted or scheduled to occur and a location at which the future event is predicted or scheduled to occur. When the device determines that the record is contextually related to the future event based at least in part on the time period or the location of the future event, the retention period associated with the record is extended. The device may also automatically extend retention periods of records based on a number of other retention-related factors associated with the record including recording content, record trustworthiness, recording time, recording location, recording data type, recording source, recording officers’ profile and their association, crime statistics, incident severity, and the like.

Abstract: Techniques for redaction of data that is incidentally recorded are provided. A request for information is received from a user. The requested information includes confidential information. The request is received via a first device. The requested information is sent to the first device for output to the user by the first device. A second device within proximity to the first device is determined. The second device causes the output from the first device to be recorded based on the proximity of the second device to the first device. The recording from the second device is marked as redactable. A portion of the recording from the second device that includes the confidential information is redacted when the recording from the second device is output.

Abstract: A process of redacting records based on a contextual correlation with a previously redacted record. In operation, an electronic computing device obtains redaction metadata associated with a previously redacted record and uses the redaction metadata to identify a segment within an unredacted record that was redacted to generate the previously redacted record. The device then processes the segment to detect characteristics of a person or the object captured in the unredacted record and further redacted in the redacted record. The device also determines a context in which the redacted person or object was captured within the segment of the unredacted record. The device then redacts a person or object captured in other unredacted records when such person or object is contextually related to the redacted person or object captured in the unredacted record corresponding to the previously redacted record.

Abstract: A system and process for performing a touchless key provisioning operation for a communication device. In operation, a key management facility (KMF) imports a public key and a public key identifier uniquely identifying the public key of the communication device. The public key is associated with an asymmetric key pair generated at the communication device during its factory provisioning and configuration. The KMF registers the communication device and assigns a key encryption key (KEK) for the communication device. The KMF then provisions the communication device by deriving a symmetric touchless key provisioning (TKP) key based at least in part on the public key of the communication device, encrypting the KEK with the symmetric TKP key to generate a key wrapped KEK, and transmitting the key wrapped KEK to the communication device for decryption by the communication device.

Abstract: A system and process for performing a touchless key provisioning operation for a communication device. In operation, a key management facility (KMF) imports a public key and a public key identifier uniquely identifying the public key of the communication device. The public key is associated with an asymmetric key pair generated at the communication device during its factory provisioning and configuration. The KMF registers the communication device and assigns a key encryption key (KEK) for the communication device. The KMF then provisions the communication device by deriving a symmetric touchless key provisioning (TKP) key based at least in part on the public key of the communication device, encrypting the KEK with the symmetric TKP key to generate a key wrapped KEK, and transmitting the key wrapped KEK to the communication device for decryption by the communication device.

Abstract: A mobile device and method are provided that allow for registering the mobile device using a machine readable optical label. The mobile device receives a machine readable optical label, such as a QR code or a bar code. The machine readable optical label includes authentication data and security information. The mobile device scans machine readable optical label to read the authentication data and the security information. The mobile device validates the machine readable optical label and generates certificate request, the certificate request digitally signed using the authentication data and the security information. The mobile device transmits the certificate signing request to a registration authority.

Abstract: A method and apparatus is provided for updating certificates in a trust chain and managing versions of the trust chain. A first electronic processor determines that a first certificate in a first level of the trust chain is to be updated, updating the first certificate and each certificate in a lower level in the trust chain that is lower than the first level, creates a second version of the trust chain including an updated first certificate and an updated certificate at each lower level in the trust chain, and transmits the second version of the trust chain to one or more entities.

Abstract: A method and Key Management Facility (KMF) for managing keys of a single user having a plurality of devices is provided. The KMF receives an Over-The-Air Rekeying (OTAR) message relating to a first device and including an interworking bit. If the interworking bit is set, the KMF retrieves a main source RSI and a Sub-RSI field from the OTAR message. If the main source RSI matches other main source RSIs from other devices, the KMF manages keys for all devices that have the same main source RSI in an identical manner.

Abstract: A method, mobile device, and PKI are provided for enrolling a mobile device into a PKI domain for certificate management is provided. A first asymmetric key pair and a unique identifier is established in a device. The first asymmetric key pair includes a public key and a private key. The public key and the unique identifier are transferred to the PKI domain. The public key and the unique identifier are imported into the PKI domain. The device generates a second asymmetric kay pair and sends a certificate signing request (CSR) that is protected with the digital signature of the first asymmetric key pair. The CSR is transferred to the PKI domain. The PKI domain authenticates the CSR using the first public key and the unique identifier. Upon validation, the PKI domain issues a certificate to the device.

Abstract: A method, mobile device, and PKI are provided for enrolling a mobile device into a PKI domain for certificate management is provided. A first asymmetric key pair and a unique identifier is established in a device. The first asymmetric key pair includes a public key and a private key. The public key and the unique identifier are transferred to the PKI domain. The public key and the unique identifier are imported into the PKI domain. The device generates a second asymmetric kay pair and sends a certificate signing request (CSR) that is protected with the digital signature of the first asymmetric key pair. The CSR is transferred to the PKI domain. The PKI domain authenticates the CSR using the first public key and the unique identifier. Upon validation, the PKI domain issues a certificate to the device.

Abstract: A method and Key Management Facility (KMF) for managing keys of a single user having a plurality of devices is provided. The KMF receives an Over-The-Air Rekeying (OTAR) message relating to a first device and including an interworking bit. If the interworking bit is set, the KMF retrieves a main source RSI and a Sub-RSI field from the OTAR message. If the main source RSI matches other main source RSIs from other devices, the KMF manages keys for all devices that have the same main source RSI in an identical manner.

Abstract: A mobile device and method are provided that allow for registering the mobile device using a machine readable optical label. The mobile device receives a machine readable optical label, such as a QR code or a bar code. The machine readable optical label includes authentication data and security information. The mobile device scans machine readable optical label to read the authentication data and the security information. The mobile device validates the machine readable optical label and generates certificate request, the certificate request digitally signed using the authentication data and the security information. The mobile device transmits the certificate signing request to a registration authority.

Abstract: A method and apparatus is provided for updating certificates in a trust chain and managing versions of the trust chain. A first electronic processor determines that a first certificate in a first level of the trust chain is to be updated, updating the first certificate and each certificate in a lower level in the trust chain that is lower than the first level, creates a second version of the trust chain including an updated first certificate and an updated certificate at each lower level in the trust chain, and transmits the second version of the trust chain to one or more entities.

Abstract: Method and management server for revoking group server identifiers of compromised group servers. One method includes determining, with a management server, an identity-based cryptographic signing key based on a group server identifier. The method also includes distributing, via the management server, the identity-based cryptographic signing key to a group server. The method further includes receiving, at the management server, a security status indicating that the security of the group server is compromised. The method also includes, responsive to receiving the security status, distributing, via the management server, a revocation of the group server identifier to a plurality of communication devices.

Abstract: Method and management server for revoking group server identifiers of compromised group servers. One method includes determining, with a management server, an identity-based cryptographic signing key based on a group server identifier. The method also includes distributing, via the management server, the identity-based cryptographic signing key to a group server. The method further includes receiving, at the management server, a security status indicating that the security of the group server is compromised. The method also includes, responsive to receiving the security status, distributing, via the management server, a revocation of the group server identifier to a plurality of communication devices.

Abstract: A Public Key Infrastructure (PM) device receives a certificate signing request (CSR) from an end entity. The PKI device obtains at least one of: a controlling attribute of at least one PKI device associated with processing of the certificate signing request and a controlling attribute associated with the CSR. The PKI device obtains an end entity policy object (EEPO) to be associated with the end entity based on at least one obtained controlling attribute. Based on the obtained EEPO, the PKI device determines at least one attribute and at least one value associated with the attribute this is to be included in a certificate and issues, to the end entity, the certificate including the at least one attribute.

Abstract: A certificate management processor (CMP) in a public key infrastructure (PKI) receives a request for a certificate management operation. The CMP determines that the request is associated with at least one of an end entity and a service. The CMP identifies a certificate management identifier associated with at least one of the end entity and the service. The CMP retrieves at least one status associated with the certificate management identifier and/or at least one status associated with the certificate management operation. The CMP performs the certificate management operation on a certificate when the retrieved at least one status is determined to not be suspended.

Abstract: Disclosed is a radio system, method, and device for a mobile station to indicate to an authentication controller, in an authentication response message, which of a plurality of group key link layer encryption keys (GKEK)s it currently has in its possession, and to work with the authentication controller to more intelligently manage multiple GKEKs. The authentication controller can use the information obtained from the authentication response message to determine which of a plurality of GKEKs to advertise in a key announcement broadcast. Furthermore, individual requests for a future LLE key (LEK) to be used for link layer encryption (LLE) encrypting and decrypting inbound and outbound group communications between base station(s) and mobile station(s) are responded to with a broadcast GKEK-encrypted transmission including the future LEK. Only the requesting mobile station transmits an acknowledgment packet in response to the broadcast.