Browse Prior Art Database

Efficient programmatic computation of user name from cryptographic materials Disclosure Number: IPCOM000201725D
Publication Date: 2010-Nov-19
Document File: 2 page(s) / 20K

Publishing Venue

The Prior Art Database


Disclosed is a method to compute an alias for the private key that identifies the client, thus more efficiently managing user identification based on the certificate presented in the SSL/TLS handshake. In addition, the method prevents the computation from changing over a certificate reissuance.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 51% of the total text.

Page 01 of 2

Efficient programmatic computation of user name from cryptographic materials

There are a number of environments where user identities need to be computed for entities making remote secure application program interface (API) calls. In particular, there are a number that rely on certificate-based approaches, including a couple more modern applications like XML-based Web Services Security (WSS) and the Key Management Interoperability Protocol (KMIP).

The certificate-based approaches may attempt to have the Certificate issuer insert a serial number in the certificate body, or compute a subject key identifier as an X509v3 extension.

The serial number is not a highly favored mechanism in that the Certificate Authority (CA) has the freedom to pick the number ad hoc, so relying on the serial number for uniqueness is a risky practice. It is certainly not a good practice in an open system, where certificates from a number of different CAs may be in play.

The SubjectKeyIdentifier mechanism is somewhat more dependable, in that it relies on a hashing of the public key, but suffers from its optionality and a couple of different valid computations. With the development of Web Services Security, engineers put in place a universal mechanism to handle the need to refer to a certificate without always having to send the certificate. The mechanism that was chosen in WSS1.1 was to refer to certificates by a digest of the entire certificate's content. Since SHA1 was the digest mechanism of choice, this mechanism was called a "ThumbPrintSHA1". More recently, in the Key Management Interoperability Protocol, the main authentication mechanism is client-side certificates, and the servers are expected to enforce access control based on the client's identity.

Doing this efficiently with an object as large as a certificate is a challenge, and the lifetimes of the keys that are being managed by KMIP suggests that the KMIP server may need to handle certificate renewals as well.

The KMIP specification does not address these issues at...