Patents by Inventor Shanthi E. Thomas

Shanthi E. Thomas has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8806196
    Abstract: A relying party obtains a certificate of a certificate subject and acquires a status information object for the certificate. The relying party validates the certificate using information in the status information object and compares authorization attributes present in the status information object with policy attributes associated with the requested service. A policy attribute is a set of constraints used by the relying party to determine if the authorization attributes associated with the certificate subject are sufficient to allow the certificate subject to access the requested service. If the authorization attributes present in the status information object match the policy attributes associated with the requested service, the relying party may grant the certificate subject access to the requested service.
    Type: Grant
    Filed: November 4, 2011
    Date of Patent: August 12, 2014
    Assignee: Motorola Solutions, Inc.
    Inventors: Anthony R. Metke, Erwin Himawan, Shanthi E. Thomas
  • Patent number: 8751791
    Abstract: A method and device for confirming authenticity of a public key infrastructure (PKI) transaction event between a relying node and a subject node in a communication network enables improved network security. According to some embodiments, the method includes establishing at a PKI event logging (PEL) server a process to achieve secure communications with the relying node (step 705). Next, the PEL server processes reported PKI transaction event data received from the relying node (step 710). The reported PKI transaction event data describe the PKI transaction event between the relying node and the subject node. The reported PKI transaction event data are then transmitted from the PEL server to the subject node (step 715). The subject node can thus compare the reported PKI transaction event data with corresponding local PKI transaction event data to confirm the authenticity of the PKI transaction event.
    Type: Grant
    Filed: September 17, 2008
    Date of Patent: June 10, 2014
    Assignee: Motorola Solutions, Inc.
    Inventors: Erwin Himawan, Ananth Ignaci, Anthony R. Metke, Shanthi E. Thomas
  • Patent number: 8724812
    Abstract: Methods for establishing secure point-to-point communications in a trunked radio system include receiving, at a trunking controller, a request from a source endpoint for a traffic channel for confidential communications between the source endpoint and a destination endpoint using a shared unique first symmetric key. The trunking controller provides keying material related to the symmetric key over the secured control channel to at least one of the source or destination endpoints and assigns a traffic channel. Moreover, in response to the request, the controller assigns a traffic channel. The keying material enables the unique first symmetric key to be securely established between the source and destination endpoints.
    Type: Grant
    Filed: December 31, 2010
    Date of Patent: May 13, 2014
    Assignee: Motorola Solutions, Inc.
    Inventors: Thomas J. Senese, Adam C. Lewis, Anthony R. Metke, George Popovich, Shanthi E. Thomas
  • Publication number: 20140068251
    Abstract: A method and device is provided for dynamically maintaining and updating public key infrastructure (PKI) certificate path data across remote trusted domains to enable relying parties to efficiently authenticate other nodes in an autonomous ad-hoc network. A certificate path management unit (CPMU) monitors a list of sources for an occurrence of a life cycle event capable of altering an existing PKI certificate path data. Upon determining that the life cycle event has occurred, the CPMU calculates a new PKI certificate path data to account for the occurrence of the life cycle event and provides the new PKI certificate path data to at least one of a relying party in a local domain or a remote CPMU in a remote domain.
    Type: Application
    Filed: August 31, 2012
    Publication date: March 6, 2014
    Applicant: MOTOROLA SOLUTIONS, INC.
    Inventors: Ananth Ignaci, Erwin Himawan, Anthony R. Metke, Shanthi E. Thomas
  • Patent number: 8595484
    Abstract: A method and device for distributing public key infrastructure (PKI) certificate path data enables relying nodes to efficiently authenticate other nodes in an autonomous ad-hoc network. The method includes compiling, at a certificate path management unit (CPMU), the PKI certificate path data (step 405). One or more available certificate paths are then determined at the CPMU for at least one relying node (step 410). Next, the PKI certificate path data are distributed by transmitting a certificate path data message from the CPMU to the at least one relying node (step 415). The certificate path data message includes information identifying one or more trusted certification authorities associated with the one or more available certificate paths.
    Type: Grant
    Filed: July 29, 2008
    Date of Patent: November 26, 2013
    Assignee: Motorola Solutions, Inc.
    Inventors: Shanthi E. Thomas, Erwin Himawan, Ananth Ignaci, Anthony R. Metke
  • Patent number: 8509448
    Abstract: A sending device generates a first and a second KMM, wherein the first KMM includes a first KEK and a KMM encryption key, and the second KMM includes a set of symmetric encryption keys. The sending device further encrypts the set of symmetric encryption keys using the first KEK; encrypts the first KEK and the KMM encryption key using a first public key of a receiving device; and encrypts the second KMM using the KMM encryption key to generate an encrypted second KMM before sending the first KMM and the encrypted second KMM to the receiving device. The receiving device decrypts the first KEK and the KMM encryption key using a first private key that corresponds to the first public key; and decrypts the encrypted second KMM using the KMM encryption key to obtain the encrypted set of symmetric keys.
    Type: Grant
    Filed: July 29, 2009
    Date of Patent: August 13, 2013
    Assignee: Motorola Solutions, Inc.
    Inventors: Shanthi E. Thomas, Michael W. Bright, Chris A. Kruegel, Anthony R. Metke, Scott J. Pappas, Thomas J. Senese
  • Publication number: 20130159703
    Abstract: A certificate issuer (210) can periodically request, receive, and store current server-based certificate validation protocol (SCVP) staples (225) for supported relying parties (205) from at least one server-based certificate validation protocol (SCVP) responder (215). The certificate issuer (210) can receive a contact initiation request (220) from one of the relying parties (205). Responsive to receiving the contact initiation request (220), the certificate issuer (210) can identify a current SCVP staple from the saved staples that is applicable to the relying party (205). The certificate issuer (210) can convey a response to the contact initiation request (220) to the relying party (205). The response can comprise the identified SCVP staple and a public key infrastructure (PKI) certificate (230) of the certificate issuer. The SCVP staple can validate a certification path between the PKI certificate (230) and a different certificate trusted by the relying party (205).
    Type: Application
    Filed: December 16, 2011
    Publication date: June 20, 2013
    Applicant: MOTOROLA SOLUTIONS, INC.
    Inventors: Erwin Himawan, Anthony R. Metke, Shanthi E. Thomas
  • Publication number: 20130117558
    Abstract: A relying party obtains a certificate of a certificate subject and acquires a status information object for the certificate. The relying party validates the certificate using information in the status information object and compares authorization attributes present in the status information object with policy attributes associated with the requested service. A policy attribute is a set of constraints used by the relying party to determine if the authorization attributes associated with the certificate subject are sufficient to allow the certificate subject to access the requested service. If the authorization attributes present in the status information object match the policy attributes associated with the requested service, the relying party may grant the certificate subject access to the requested service.
    Type: Application
    Filed: November 4, 2011
    Publication date: May 9, 2013
    Applicant: MOTOROLA SOLUTIONS, INC.
    Inventors: ANTHONY R. METKE, ERWIN HIMAWAN, SHANTHI E. THOMAS
  • Patent number: 8438388
    Abstract: A method and apparatus for distributing Certificate Revocation List (CRL) information in an ad hoc network are provided. Ad hoc nodes in an ad hoc network can each transmit one or more certificate revocation list advertisement message(s) (CRLAM(s)). Each CRLAM includes an issuer certification authority (CA) field that identifies a certification authority (CA) that issued a particular certificate revocation list (CRL), a certificate revocation list (CRL) sequence number field that specifies a number that specifies the version of the particular certificate revocation list (CRL) that was issued by the issuer certification authority (CA). Nodes that receive the CRLAMs can then use the CRL information provided in the CRLAM to determine whether to retrieve the particular certificate revocation list (CRL).
    Type: Grant
    Filed: March 31, 2008
    Date of Patent: May 7, 2013
    Assignee: Motorola Solutions, Inc.
    Inventors: Shanthi E. Thomas, Erwin Himawan, Ananth Ignaci, Anthony R. Metke
  • Patent number: 8374179
    Abstract: A first communication device managing a communication group of communication devices in a communication network is disclosed. The first communication device sends one or more data objects to the communication group and receives an affiliation request from a second communication device. The first communication device determines the one or more data objects that have not been received by a user of the second communication device and provides the data objects to the second communication device by establishing a communication session between the second communication device and the first communication device.
    Type: Grant
    Filed: March 23, 2007
    Date of Patent: February 12, 2013
    Assignee: Motorola Solutions, Inc.
    Inventors: Shanthi E. Thomas, Tyrone D. Bekiares, Matthew C. Keller, Robert J. Milausnic
  • Publication number: 20130036303
    Abstract: Methods and apparatuses for validating the status of digital certificates include a relying party receiving at least one digital certificate and determining if the at least one digital certificate is to be validated against a private certificate status database. The relying party accesses the private certificate status database and cryptographically validates the authenticity of data in the private certificate status database. The relying party also validates the at least one digital certificate based on information in at least one of the private certificate status database and a public certificate status database.
    Type: Application
    Filed: August 3, 2011
    Publication date: February 7, 2013
    Applicant: MOTOROLA SOLUTIONS, INC.
    Inventors: ERWIN HIMAWAN, ANTHONY R. METKE, SHANTHI E. THOMAS
  • Publication number: 20130034090
    Abstract: Methods, systems and apparatus are provided for distributing wireless local area network (WLAN) access information to a wireless communication device based on a current coverage area that the wireless communication device is located in. A location services server can determine, based on a current location of the wireless communication device, a current coverage area of the wireless communication device, and transmit information identifying the current coverage area to a directory services server. Based on the current coverage area, the public safety directory services server can determine relevant WLAN access information for the current coverage area, and transmit a message to the wireless communication device that includes the relevant WLAN access information.
    Type: Application
    Filed: August 2, 2011
    Publication date: February 7, 2013
    Applicant: MOTOROLA SOLUTIONS, INC.
    Inventors: Shanthi E. Thomas, Ibrahima Niass
  • Publication number: 20130012165
    Abstract: A method and apparatus for attaching a wireless device to a foreign wireless domain of a 3GPP communication system using an alternative authentication mechanism, wherein the wireless device performs the method, which includes: sending a first attach request message to an infrastructure device in the foreign wireless domain; receiving an attach reject message from the infrastructure device upon an unsuccessful attempt to obtain authentication credentials for the wireless device from a home wireless domain of the wireless device using a standard 3GPP authentication mechanism; responsive to the attach reject message, sending a second attach request message to the infrastructure device, wherein the second attach request message indicates an alternative authentication mechanism to the standard 3GPP authentication mechanism; and receiving an attach accept message from the infrastructure device when the wireless device is successfully authenticated using the alternative authentication mechanism.
    Type: Application
    Filed: July 8, 2011
    Publication date: January 10, 2013
    Applicant: MOTOROLA SOLUTIONS, INC.
    Inventors: GEORGE POPOVICH, SHANTHI E. THOMAS
  • Patent number: 8270583
    Abstract: A method for enabling group communications includes: establishing a group identity for a communication group comprising a first set of communication devices, and storing an identity for each of the communication devices in the first set; establishing a session to associate a second set of communication devices with the group identity, wherein the communication devices in the second set are different from the communication devices in the first set, wherein the session with the second set of communication devices is set up irrespective of a call being initiated for the communication group; detecting a first event associated with the initiation of a call for the communication group; and in response to detecting the first event, using the stored identities to join at least one of the communication devices in the first set to the session.
    Type: Grant
    Filed: December 20, 2008
    Date of Patent: September 18, 2012
    Assignee: Motorola Solutions, Inc.
    Inventors: Donald G. Newberg, Ramandeep Ahuja, Gregory D. Bishop, Peter E. Thomas, Shanthi E. Thomas
  • Publication number: 20120170743
    Abstract: Methods for establishing secure point-to-point communications in a trunked radio system include receiving, at a trunking controller, a request from a source endpoint for a traffic channel for confidential communications between the source endpoint and a destination endpoint using a shared unique first symmetric key. The trunking controller provides keying material related to the symmetric key over the secured control channel to at least one of the source or destination endpoints and assigns a traffic channel. Moreover, in response to the request, the controller assigns a traffic channel. The keying material enables the unique first symmetric key to be securely established between the source and destination endpoints.
    Type: Application
    Filed: December 31, 2010
    Publication date: July 5, 2012
    Applicant: MOTOROLA, INC.
    Inventors: THOMAS J. SENESE, ADAM C. LEWIS, ANTHONY R. METKE, GEORGE POPOVICH, SHANTHI E. THOMAS
  • Publication number: 20120166796
    Abstract: A certificate manager transmits a certificate service advertisement to a plurality of certificate clients. The certificate service advertisement identifies the certificate manager and includes segregation data. The segregation data indicates a set of services offered or a set of clients for which the certificate manager offers service. Responsive to the transmitting of the certificate service advertisement, the certificate manager receives a certificate service request from at least one certificate client of the plurality of certificate clients. The certificate manager verifies that the at least one certificate client is associated with the set of clients for which the certificate manager offers service, and the certificate manager fulfills the certificate service request.
    Type: Application
    Filed: December 28, 2010
    Publication date: June 28, 2012
    Applicant: MOTOROLA SOLUTIONS, INC.
    Inventors: ANTHONY R. METKE, ERWIN HIMAWAN, MARK D. SEABORN, SHANTHI E. THOMAS
  • Patent number: 8184795
    Abstract: A method and system for establishing floor control in a communication session enables remote control of devices in a network and provides a status update concerning floor ownership. The method includes processing at a floor controller a floor request message received from a first endpoint, where the floor request message requests that floor ownership be provided to a second endpoint (step 305). A floor control announcement message is then transmitted from the floor controller to at least both the first endpoint and the second endpoint, where the floor control announcement message indicates that the second endpoint has floor ownership (step 315).
    Type: Grant
    Filed: August 3, 2006
    Date of Patent: May 22, 2012
    Assignee: Motorola Solutions, Inc.
    Inventors: Matthew C. Keller, Tyrong D. Bekiares, Donald G. Newberg, Shanthi E. Thomas
  • Publication number: 20120117608
    Abstract: A certificate policy management tool (100) is provided which targets the automated creation of customized certificate policies and the management of these policies within a public key infrastructure (PKI). A certificate policy parser (108), a certificate policy creation engine (110), a policy query engine (112), and an audit engine (114) interoperate to automate certificate policy creation, interpretation, and enforcement.
    Type: Application
    Filed: November 9, 2010
    Publication date: May 10, 2012
    Applicant: MOTOROLA, INC.
    Inventors: Anthony R. Metke, Erwin Himawan, Shanthi E. Thomas
  • Publication number: 20110026714
    Abstract: A sending device generates a first and a second KMM, wherein the first KMM includes a first KEK and a KMM encryption key, and the second KMM includes a set of symmetric encryption keys. The sending device further encrypts the set of symmetric encryption keys using the first KEK; encrypts the first KEK and the KMM encryption key using a first public key of a receiving device; and encrypts the second KMM using the KMM encryption key to generate an encrypted second KMM before sending the first KMM and the encrypted second KMM to the receiving device. The receiving device decrypts the first KEK and the KMM encryption key using a first private key that corresponds to the first public key; and decrypts the encrypted second KMM using the KMM encryption key to obtain the encrypted set of symmetric keys.
    Type: Application
    Filed: July 29, 2009
    Publication date: February 3, 2011
    Applicant: MOTOROLA, INC.
    Inventors: Shanthi E. Thomas, Michael W. Bright, Chris A. Kruegel, Anthony R. Metke, Scott J. Pappas, Thomas J. Senese
  • Publication number: 20100158231
    Abstract: A method for enabling group communications includes: establishing a group identity for a communication group comprising a first set of communication devices, and storing an identity for each of the communication devices in the first set; establishing a session to associate a second set of communication devices with the group identity, wherein the communication devices in the second set are different from the communication devices in the first set, wherein the session with the second set of communication devices is set up irrespective of a call being initiated for the communication group; detecting a first event associated with the initiation of a call for the communication group; and in response to detecting the first event, using the stored identities to join at least one of the communication devices in the first set to the session.
    Type: Application
    Filed: December 20, 2008
    Publication date: June 24, 2010
    Applicant: MOTOROLA, INC.
    Inventors: DONALD G. NEWBERG, RAMANDEEP AHUJA, GREGORY D. BISHOP, PETER E. THOMAS, SHANTHI E. THOMAS