Abstract: Concurrent recipient resolution and certificate acquisition. If a client-entered input data may be resolved without further client input, the server resolves the input data into a recipient entry that has an associated routing address. The server then transmits a response to the client that includes the associated full display name, routing address and certificate. If the server determines that the recipient entry cannot be resolved without further input from the client, the server identifies a number of possible recipient entries, and for each possible recipient generates a token, which is then communicated to the client. The server receives a subsequent request from the client identifying a selected one of the possible associated recipients using the associated token. The server then acquires a certificate associated with the selected recipient using the token, and then sends the certificate to the client.

Abstract: An autodiscovery service for clients in an electronic messaging system is disclosed. Client devices in the system request messaging system configuration settings from an autodiscover server. Clients may derive the address of the autodiscover server from user input, such as an email address, or the address may be obtained by other means. The autodiscover server responds to the request with settings for that client. The settings requested may include addresses of electronic mail servers and other servers that provide client services. The autodiscover server may determine the settings for the client based on various criteria, including client location and user mailbox location. Third party servers may participate in the autodiscovery service, and addresses of third party servers may be included in the settings provided to the client devices.

Abstract: The principles of the present invention provide for delegating certificate validation. A client computer system sends a certificate validation request to a server computer system over a trusted link. The certificate validation request includes at least enough certificate information for a certificate authority to identify a digital certificate that binds a sending entity to a private key. The server computer system checks a validation path to determine if the digital certificate is valid and at least one certificate revocation list to determine if the certificate has been compromised. The server computer system sends a certificate status indication to the client computer system over the trusted link. Accordingly, the resources of the server computer system, instead of the client computer system, are utilized to validate a digital certificate. Further, digital certificate validation can be delegated to a server computer system that attempts to pre-validate a digital certificate.

Abstract: The present invention provides for securely processing client credentials used for Web-based access to resources. A login page with an interface for entering user credentials is presented at a client and entered user credentials are sent to the server. In response to receiving user credentials, the server generates a unique session identifier for the client. The server also derives a digital signature for the user credentials based on a current key in a rotating key store and the unique session identifier. The server then encrypts the digital signature and the user credentials based on an encryption key derived from the current key and the unique session identifier. When encrypted credentials are received back at the client, keys from the rotating key store are used to attempt to validate the credentials. If user credentials can not be validated, a user is again presented with the login page.

Abstract: A certificate-based encryption mechanism in which a source client does not access the entire certificate corresponding to a destination client when encrypting an electronic message to be sent to the destination client. Instead, the source client only requests a portion of the certificate from a certificate server. That portion includes encryption information, but may lack some or even all of the self-verification information in the certificate. The certificate server preferably performs any validation of the certificate prior to sending the encryption information to the source client. The certificate need not be separately validated by the source client, especially if the certificate server is trusted by the source client.

Abstract: Disclosed is a policy based method for blocking the automatic dereferencing of web beacon links in an e-mail message sent in HTML format with a minimum sacrifice in the HTML body rendering quality. HTML content that potentially contains web beacons is replaced with non-dereferencing elements prior to HTML rendering by the e-mail browser so that the remaining HTML can be rendered as complete as possible without rendering the potential web beacons. Additionally, the present invention also provides a method for removing the HTTP Referer header from referenced external links and activated images. An HTTP redirector service is implemented as a server-based link redirection evaluator application which serves to eliminate the Referer header for the URL requested. Embodiments of the present invention provide for blocking web beacons and removing HTTP Referer headers in both a “down-level” e-mail client and a client which can make programmatic use of an HTML rendering engine.

Abstract: Concurrent recipient resolution and certificate acquisition. If a client-entered input data may be resolved without further client input, the server resolves the input data into a recipient entry that has an associated routing address. The server then transmits a response to the client that includes the associated full display name, routing address and certificate. If the server determines that the recipient entry cannot be resolved without further input from the client, the server identifies a number of possible recipient entries, and for each possible recipient generates a token, which is then communicated to the client. The server receives a subsequent request from the client identifying a selected one of the possible associated recipients using the associated token. The server then acquires a certificate associated with the selected recipient using the token, and then sends the certificate to the client.

Abstract: A certificate-based encryption mechanism in which a source client does not access the entire certificate corresponding to a destination client when encrypting an electronic message to be sent to the destination client. Instead, the source client only requests a portion of the certificate from a certificate server. That portion includes encryption information, but may lack some or even all of the self-verification information in the certificate. The certificate server preferably performs any validation of the certificate prior to sending the encryption information to the source client. The certificate need not be separately validated by the source client, especially if the certificate server is trusted by the source client.

Abstract: The present invention provides for securely processing client credentials used for Web-based access to resources. A login page with an interface for entering user credentials is presented at a client and entered user credentials are sent to the server. In response to receiving user credentials, the server generates a unique session identifier for the client. The server also derives a digital signature for the user credentials based on a current key in a rotating key store and the unique session identifier. The server then encrypts the digital signature and the user credentials based on an encryption key derived from the current key and the unique session identifier. When encrypted credentials are received back at the client, keys from the rotating key store are used to attempt to validate the credentials. If user credentials can not be validated, a user is again presented with the login page.