BEFORE THE PATENT TRIAL AND APPEAL BOARD

COMPASS BANK, COMMERCE BANCSHARES, INC., and
FIRST NATIONAL BANK OF OMAHA,
Petitioners,

v.

INTELLECTUAL VENTURES II, LLC
Patent Owner.

Case IPR2014-00724
Patent 5,745,574

DECLARATION OF JEFFREY WHITE

Compass Bank, et al. Exhibit 1012
Compass Bank, et al. v. Intellectual Ventures II LLC
IPR2014-00724
Page i
`
I, Jeffrey White, do hereby declare as follows:

1. I am an attorney at the law firm of Jones Day, 2727 North Harwood Street, Dallas, Texas 75201-1515. Other attorneys at my firm have been appointed as lead and backup counsel for Petitioners in IPR2014-00724.

2. I am over twenty-one years of age and not under any legal disability.

3. I have personal knowledge of the following facts and, if called to testify as a witness, could and would testify competently thereto.

4. Attached hereto as Exhibit A is a true and correct copy of Exhibit 1004 from IPR2014-00724.

5. Exhibit A includes an article titled A Certificate Management System: Structure, Functions and Protocols ("the Kapidzic Article"), which identifies Nada Kapidzic and Alan Davidson as its authors and appears at pages 153 through 160 of the Proceedings of the Symposium on Network and Distributed System Security.

6. Exhibit A includes exhibit page numbers in the bottom right hand corner of each page. Using these exhibit page numbers, indications that the Proceedings of the Symposium on Network and Distributed System Security were published by the IEEE Computer Society Press appear on pages 1-3 and 19-20.
`
7. Using the exhibit page numbers of Exhibit A once again, indications that the Symposium on Network and Distributed System Security took place from February 16, 1995, through February 17, 1995, appear on pages 1 and 2, and a copyright date of 1995 appears on page 3.

8. The Kapidzic Article is available to the public on the IEEE Xplore Digital Library website at the following URL: http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=390637&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D390637. Attached hereto as Exhibit B is a true and correct copy of this webpage, which was created on December 4, 2014 ("the IEEE Webpage"). Attached hereto as Exhibit C is a true and correct copy of the Kapidzic Article that was obtained via the IEEE Webpage on December 4, 2014.

9. The IEEE Webpage indicates that the Kapidzic Article was published at pages 153 through 160 of the Proceedings of the Symposium on Network and Distributed System Security; that the symposium took place from February 16, 1995, through February 17, 1995; and that the IEEE is the publisher.
`
10. The Kapidzic Article is also available to the public on the IEEE Computer Society website at the following URL: http://www.computer.org/csdl/proceedings/sndss/1995/7027/00/70270153-abs.html. Attached hereto as Exhibit D is a true and correct copy of this webpage created on December 4, 2014 ("the Computer Society Webpage"). Attached hereto as Exhibit E is a true and correct copy of the Kapidzic Article that was obtained via the Computer Society Webpage on December 4, 2014.

11. The Computer Society Webpage indicates that the Kapidzic Article was published at page 153 of the Symposium on Network and Distributed System Security and that the conference took place from February 16, 1995, through February 17, 1995.

12. The Kapidzic Article obtained from the IEEE Webpage (Exhibit C) and the Kapidzic Article obtained from the Computer Society Webpage (Exhibit E) are both identical to the Kapidzic Article in Exhibit 1004 from IPR2014-00724 (Exhibit A).
`
13. Attached hereto as Exhibit F is a true and correct copy of an article titled Formalizing Certificate Management Systems, which cites the Kapidzic Article in Section 1 and in the list of references. The list of references indicates that the Kapidzic Article was published in February 1995 in the Internet Society Symposium on Network and Distributed System Security.

14. Attached hereto as Exhibit G is a true and correct copy of an article titled Creating Security Applications Based on the Global Certificate Management System, which cites the Kapidzic Article in Section 1 and in the list of references. The list of references indicates that the Kapidzic Article was published in February 1995 in the Internet Society Symposium on Network and Distributed System Security.

15. Attached hereto as Exhibit H is a true and correct copy of the Handbook of Applied Cryptography, which cites the Kapidzic Article on page 589 and in Appendix A-Bibliography of Papers from Selected Cryptographic Forums on page 730. Appendix A (at page 730) indicates that the Kapidzic Article was published in 1995 in the Proceedings of the Internet Society Symposium on Network and Distributed System Security.
`
16. Attached hereto as Exhibit I is a true and correct copy of Exhibit 1005 from IPR2014-00724.

17. Exhibit I is titled Public Key Infrastructure Study: Final Report ("the PKI Study") and identifies Dr. Shimshon Berkovits, Dr. Santosh Chokhani, Judith A. Furlong, Jisoo A. Geiter, and Jonathan C. Guild as its authors.

18. The PKI Study indicates that the National Institute of Standards and Technology (NIST)
it
Information Assurance Technology Analysis Center (IATAC) was the performing organization and the Defense Technical Information Center (DTIC-IA) was the sponsoring / monitoring agency.

19. The PKI Study is available to the public on the Defense Technical Information Center ("DTIC") website at the following URL: http://www.dtic.mil/dtic/tr/fulltext/u2/a391528.pdf. Attached hereto as Exhibit J is a true and correct copy of the PKI Study obtained from the URL in the previous sentence on December 4, 2014, and attached hereto as Exhibit K is a true and correct copy of a search for "public key infrastructure study" performed on the DTIC website on December 4, 2014, which provides the URL in the previous sentence as its first result.

20. The PKI Study available on the DTIC website (Exhibit J) is identical to Exhibit 1005 from IPR2014-00724 (Exhibit I).
`
21. Attached hereto as Exhibit L is a true and correct copy of Exhibit 1006 from IPR2014-00724.

22. Exhibit L is titled Privacy Enhancement for Internet Electronic Mail: Part IV: Key Certification and Related Services ("RFC 1424"), identifies Burton S. Kaliski, Jr. as its author, and identifies the article as "Request for Comments: 1424" and "RFC 1424."

23. RFC 1424 is available to the public on the RFC Editor website at the following URL: http://www.rfc-editor.org/rfc/pdfrfc/rfc1424.txt.pdf. Attached hereto as Exhibit M is a true and correct copy of RFC 1424 obtained from the URL in the previous sentence on December 4, 2014, and attached hereto as Exhibit N is a true and correct copy of the page on the RFC Editor website (http://www.rfc-editor.org/info/rfc1424) on which a link to the URL in the previous sentence is provided, which was obtained on December 4, 2014.

24. The RFC Editor website includes a webpage explaining its publication process, and attached hereto as Exhibit O is a true and correct copy of this webpage, which was obtained on December 4, 2014.

25. I hereby declare that all statements made herein of my own knowledge are true and that all statements made on information and belief are believed to be true, and I further declare that these statements were made with the knowledge that willful false statements and the like are punishable by fine or imprisonment, or both, under 18 U.S.C. § 1001.

Date: December 5, 2014
`
Exhibit A
`
`
`
PROCEEDINGS

Symposium on
Network and Distributed
System Security

1995

February 16-17, 1995

San Diego, California

IEEE Computer Society Press
The Institute of Electrical and Electronics Engineers, Inc.

Compass Bank, et al.
Exhibit 1004
Page 1
`
`
`
Proceedings of the

Symposium on Network and Distributed
System Security

February 16-17, 1995

San Diego, California

Sponsored by
The Internet Society

IEEE Computer Society Press
Los Alamitos, California

Washington • Brussels • Tokyo

Compass Bank, et al.
Exhibit 1004
Page 2
`
`
`
IEEE Computer Society Press
10662 Los Vaqueros Circle
P.O. Box 3014
Los Alamitos, CA 90720-1264

Copyright © 1995 by The Institute of Electrical and Electronics Engineers, Inc.
All rights reserved.

Copyright and Reprint Permissions: Abstracting is permitted with credit to the source. Libraries may photocopy beyond the limits of US copyright law, for private use of patrons, those articles in this volume that carry a code at the bottom of the first page, provided that the per-copy fee indicated in the code is paid through the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923.

Other copying, reprint, or republication requests should be addressed to: IEEE Copyrights Manager, IEEE Service Center, 445 Hoes Lane, P.O. Box 1331, Piscataway, NJ 08855-1331.

The papers in this book comprise the proceedings of the meeting mentioned on the cover and title page. They reflect the authors' opinions and, in the interests of timely dissemination, are published as presented and without change. Their inclusion in this publication does not necessarily constitute endorsement by the editors, the IEEE Computer Society Press, or the Institute of Electrical and Electronics Engineers, Inc.

IEEE Computer Society Press Order Number PR7027
Library of Congress Number 94-74194
ISBN 0-8186-7027-4 (paper)
ISBN 0-8186-7028-2 (microfiche)

Additional copies may be ordered from:

IEEE Computer Society Press
Customer Service Center
10662 Los Vaqueros Circle
P.O. Box 3014
Los Alamitos, CA 90720-1264
Tel: +1-714-821-8380
Fax: +1-714-821-4641
Email: cs.books@computer.org

IEEE Computer Society
13, Avenue de l'Aquilon
B-1200 Brussels
BELGIUM
Tel: +32-2-770-2198
Fax: +32-2-770-8505

IEEE Computer Society
Ooshima Building
2-19-1 Minami-Aoyama
Minato-ku, Tokyo 107
JAPAN
Tel: +81-3-3408-3118
Fax: +81-3-3408-3553

Editorial production by Mary E. Kavanaugh
Cover design by Danny Nessett, additional layout by Joseph Daigle
Printed in the United States of America by Braun-Brumfield, Inc.

The Institute of Electrical and Electronics Engineers, Inc.

Compass Bank, et al.
Exhibit 1004
Page 3
`
`
`
Table of Contents

General Chair's Message ........ vii
Program Chairs' Message ........ viii
Organizing and Program Committee ........ ix
PSRG Members ........ x

Session 1 - Diverse Approaches to Security at the Network Layer
Chair: Stephen T. Kent - Bolt, Beranek and Newman, USA
Multicast-Specific Security Threats and Counter-Measures ........ 2
T. Ballardie and J. Crowcroft
Design of a Key Agile Cryptographic System for OC-12c Rate ATM ........ 17
D. Stevenson, N. Hillery, G. Byrd, F. Gong, and D. Winkelstein
IpAccess - An Internet Service Access System for Firewall Installations ........ 31
S. Stempel

Session 2 - Panel: Security Architecture for the Internet Infrastructure ........ 43
Chair: Robert W. Shirey - The MITRE Corporation, USA

Security for the Internet Protocol (IP) and IP Next Generation
P.A. Lambert
[presentation only]
Security for the Internet Domain Name System
J.M. Galvin
[presentation only]
Security of Routing Protocols in the Internet
G.S. Malkin
[presentation only]
Security Approaches to Routing in the Internet
S.L. Murphy
[presentation only]

Session 3 - Off-Line Object Distribution Security
Chair: Jeffrey I. Schiller - Massachusetts Institute of Technology, USA
Trusted Distribution of Software Over the Internet ........ 47
A.D. Rubin
Location-Independent Information Object Security ........ 54
J. Lowry

Session 4 - Internet Payments
Chair: Ravi Ganesan - Bell Atlantic, USA
Electronic Cash on the Internet ........ 64
S. Brands
Panel - Internet Payment Mechanisms: Requirements and Architectures ........ 85
Chair: Ravi Ganesan - Bell Atlantic, USA
Panelists: Cliff Neuman - USC ISI
Dave Crocker - Brandenburg Consulting
[additional panelists to be announced]

v

Compass Bank, et al.
Exhibit 1004
Page 4
`
`
`
Session 5 - Security Monitoring Tools: Practice and Experience
Chair: Michael St. Johns - Advanced Research Projects Agency, USA
NERD: Network Event Recording Device - An Automated System for Network Anomaly Detection and Notification ........ 87
D. G. Simmons and R. Wilkins
An Overview of SNIF: A Tool for Surveying Network Information Flow ........ 94
J. Alves-Foss
Distributed Audit Trail Analysis ........ 102
A. Mounji, B. Le Charlier, D. Zampunieris, and N. Habra

Session 6 - Authentication and Authorization
Chair: B. Clifford Neuman - Information Sciences Institute, USA
SESAME V2 Public Key and Authorisation Extensions to Kerberos ........ 114
P.V. McMahon
Yaksha: Augmenting Kerberos with Public Key Cryptography ........ 132
R. Ganesan
GSS-API Security for ONC RPC ........ 144
B. Jaspan

Session 7 - Mechanisms of Identity: The Certificate Infrastructure
Chair: Hilarie Orman - University of Arizona, USA
A Certificate Management System: Structure, Functions and Protocols ........ 153
N. Kapidzic and A. Davidson
PEMToolKit: Building a Top-Down Certification Hierarchy for PEM from the Bottom Up ........ 161
A. Bahreman
A New Approach to the X.509 Framework: Allowing a Global Authentication Infrastructure Without a Global Trust Model ........ 172
S. Mendes and C. Huitema

Session 8 - Panel: Security Issues for Mosaic and the World Wide Web ........ 191
Chair: Fred Avolio - Trusted Information Systems, USA
Panelists: Peter J. Churchyard - Trusted Information Systems, USA
Phillip M. Hallam-Baker - CERN, Switzerland
Allan M. Schiffman - Enterprise Integration Technologies, USA

Author Index ........ 192

vi

Compass Bank, et al.
Exhibit 1004
Page 5
`
`
`
General Chair's Message

Welcome to the second ISOC Symposium on Network and Distributed System Security! Building on last year's very successful symposium and 1993's workshop, we are looking forward to another set of thought-provoking presentations and lively panel discussions.

Connections to international distributed networks, and the Internet in particular, are no longer a luxury for many organizations. As these networks continue to grow, the need for security services will increase and become more complex. At the same time, this connectivity provides potential intruders with greater access to both other systems and other intruders. Sophisticated attacks which were once scarce due to the relatively small number of intruders able to mount them, have increased greatly because of the sharing of toolkits that implement the attacks. Increasingly, the very infrastructure of the networks is being attacked and flaws exploited. Although much research has been done in network security and much practical experience is available, that knowledge has yet to be widely deployed and used.

This symposium was created specifically to draw together researchers, implementors, and users of network and distributed system security facilities. The fact that we provide a unique focus on this widely shared need is reflected by growth in both attendance and responses to the Call for Papers. The number of submissions increased 50% this year and we continue to enjoy a strong international representation in the presentations.

I am grateful to the Internet Society for again sponsoring the symposium. I particularly appreciate the vision and guidance of the Privacy and Security Research Group (PSRG), which conceived this symposium, and especially Dan Nessett who led its development during the first two years.

Organizing a symposium of this size is a time-consuming task, and I want to thank all the symposium chairs for the tremendous time and effort they have given to pull all the details together. Tom Hutton has taken care of the many local details, while Gloria Carriker and Heidi Stefani have done a superb job in handling the registration activities. Terry Mayfield navigated a maze of unexpected pitfalls to produce the proceedings you are now holding.

A special thanks is in order for the Program Committee and its co-chairs, Dave Balenson and Rob Shirey, as they have put together another excellent program that is timely for Internet designers and implementors worldwide. Much behind-the-scenes effort went into working with the paper authors and panel leaders, and a huge debt of appreciation is owed to the members of this committee.

Finally, I would like to thank all the authors who submitted papers and the panelists who are participating for sharing their knowledge and experiences with us.

James Ellis
CERT Coordination Center - Carnegie Mellon University
Pittsburgh, Pennsylvania
E-mail: Jte@cert.org

vii

Compass Bank, et al.
Exhibit 1004
Page 6
`
`
`
`
Program Co-Chairs' Message

Everyone knows that the Internet is experiencing explosive growth. But it is more important to notice that the Internet is also changing from an academic research tool into a ubiquitous platform for education and commerce. Every day, more users become dependent upon Internet services to do their jobs and to carry their data. Every day, more of the data found on the Internet is sensitive data that needs protection. Thus, there is an urgent need to secure the Internet in all of its aspects.

Happily, network security has been studied since before the Internet began. At the same time that computing and communication technology were developed to make the Internet's growth possible, security technology was also being developed. Now, the Internet community is beginning to apply that technology. There is security activity in many places, especially in the Internet Society's Internet Research Task Force (IRTF) and Internet Engineering Task Force (IETF). These activities are incorporating security techniques into Internet protocols and components, and are producing practical implementations of security technology.

Many security tools and systems are already available for use, such as the Kerberos system, the Generic Security Service API, the Privacy-Enhanced Mail system, and security features for Point-to-Point Protocol, Telnet, and Simple Network Management Protocol. Additional security tools are in the works, including security for the underlying Internet Protocol (IP), the File Transfer Protocol (FTP), the Domain Name System, and routing protocols.

Still, there is much work to be done. The increasingly popular network information discovery and retrieval protocols - such as Gopher, WAIS, and World-Wide Web - need protection. So do protocols for time services, transaction processing, and voice and video conferencing. And, in every case, the security must be made user-friendly and low-cost, or else users will avoid it.

The organizers of this Symposium seek to enable and encourage the Internet community to deploy the available security technology, as well as develop new technology in areas where it is lacking. Hopefully, all protocols and components used in the Internet eventually will include or use suitable security facilities. This will make possible a protected Internet environment that can meet the wide range of security needs found among the diverse, global community of users.

David Balenson
Trusted Information Systems
Glenwood, Maryland
E-mail: Balenson@TIS.com

Rob Shirey
The MITRE Corporation
McLean, Virginia
E-mail: Shirey@MITRE.org

viii

Compass Bank, et al.
Exhibit 1004
Page 7
`
`
`
`
Organizing and Program Committee

General Chair
James T. Ellis
CERT Coordination Center
Carnegie Mellon University

Program Co-Chairs
David M. Balenson
Trusted Information Systems

Robert W. Shirey
The MITRE Corporation

Program Committee

Thomas A. Berson - Anagram Laboratories
Matt Bishop - University of California at Davis
Ravi Ganesan - Bell Atlantic
Stephen T. Kent - Bolt, Beranek and Newman
Paul A. Lambert - Motorola
John Linn - Open Vision Technologies
B. Clifford Neuman - Information Sciences Institute
Hilarie Orman - University of Arizona
Michael Roe - University of Cambridge, UK
Robert Rosenthal - U.S. National Institute of Standards and Technology
Jeffrey I. Schiller - Massachusetts Institute of Technology
Peter Yee - U.S. National Aeronautics and Space Administration
Robert Zamparo - Telia Research, Sweden

Publications Chair
Terry Mayfield
Institute for Defense Analyses

Registrations Chair
Gloria Carrier
The MITRE Corporation

Local Arrangements Chair
Thomas Hutton
San Diego Supercomputer Center

Steering Group
Internet Research Task Force, Privacy and Security Research Group

ix

Compass Bank, et al.
Exhibit 1004
Page 8
`
`
`
Privacy and Security Research Group
of the
Internet Research Task Force

Chair
Stephen T. Kent
Bolt Beranek and Newman
Kent@bbn.com

Members

David M. Balenson
Trusted Information Systems
Balenson@tis.com

Matt Bishop
University of California at Davis
Bishop@cs.ucdavis.edu

Russell D. Housley
Spyrus
Housley@spyrus.com

Danny M. Nessett
Sun Microsystems
Nessett@jurassic.sun.com

Michael Roe
University of Cambridge, UK
Michael.roe@cl.cam.ac.uk

Burton S. Kaliski, Jr.
RSA Laboratories
Burt@rsa.com

B. Clifford Neuman
Information Sciences Institute
Ben@isi.edu

Robert Rosenthal
U.S. National Institute of Standards and Technology
Rosenthal@ecf.ncsl.nist.gov

Jeffrey I. Schiller
Massachusetts Institute of Technology
Jis@mit.edu

Robert W. Shirey
The MITRE Corporation
Shirey@mitre.org

Roberto Zamparo
Telia Research
Roberto.Zamparo@haninge.trab.se

x

Compass Bank, et al.
Exhibit 1004
Page 9
`
`
`
A Certificate Management System: Structure, Functions and Protocols

Nada Kapidzic
nadak@dsv.su.se

Alan Davidson
alan@dsv.su.se

Department of Computer and System Sciences
Stockholm University & Royal Institute of Technology
Electrum 230, 164 40 Kista, Sweden

Abstract

The Certificate Management System (CMS) is a networked system for generation, distribution, storage and verification of certificates for use in a variety of security enhanced applications. The structure of a certificate is defined in the X.509 standard. The Internet PEM specification describes the structure and functionality of a global certification hierarchy, as well as the structure of its internal messages. The approach described in this paper specifies new roles and responsibilities for certification authorities. By extending the existing specifications with functions for the storage and retrieval of certificates, the CMS becomes functionally complete and immediately operable. Furthermore, it can operate either as an autonomous hierarchy, or integrated into a global system.

1 Introduction

Many security protocols, in particular those that support widely distributed security services, require authenticated public keys, i.e. certificates. The administration of certificates includes their creation, storage, distribution, and verification.

The CCITT 1988 X.500 series of recommendations [1] specifies that creation of certificates should be performed by Certification Authorities (CAs). The format of certificates and the method for their verification are defined in the X.509 standard. The responsibility for storage and distribution of certificates is deferred to X.500 directories, though as yet such directories are not widely established.

RFC 1422 [3] supplements the X.509 standard with a framework for the creation and verification of certificates. It specifies an Internet wide hierarchical infrastructure of CAs with the Internet Policy Registration Authority (IPRA) as the single root. RFCs 1421-1424 [2-5] define a set of functions for the administration of the certificates. They define the structure of PEM letters, which are in themselves a medium for the exchange of certificates. The PEM description of the administrative functions does not address the problem of certificate storage in the absence of the X.500 directories.

This paper presents a Certificate Management System that implements all necessary functions for the administration of certificates. This makes the system immediately operational without being dependent on other systems for certificate storage and distribution. By integrating all functions in one system it becomes possible to add new functionality as well as enhance the original functions. The paper contributes a description of relationships and roles of the system's agents, followed by a detailed and structured description of their functions.

Compared to RFC 1422, the main differences in this approach are as follows:
• It allows for the establishment of autonomous hierarchies, each under a single PCA.
• It defines additional functions for storage and distribution of certificates.
• It elaborates on existing specifications by including design decisions that are relevant for the functional description of this system.

2 The CMS structure

The CMS is comprised of a number of co-operating CAs. The CA's principal role is in signing certificates, either of users or of other CAs, and thereby testifying that the certificate has a legitimate binding to the owner's Distinguished Name (DN) [1]. The CAs are required to uphold a single root hierarchical infrastructure. This simplifies certificate verification, since all certificate verification paths within the system are known to converge, in the worst case at the top.

It is assumed that the system infrastructure is a strict hierarchy with unlimited depth, where each CA is certified by only one parent CA. This is not (strictly speaking) the case in the PEM specifications where one CA may be

0-8186-7027-4/95 $4.00 © 1995 IEEE

153

Compass Bank, et al.
Exhibit 1004
Page 10
`
`
`
certified by several PCAs. In fact from the PEM perspective this discussion is limited to cover only part of the global structure, i.e. the sub-hierarchy underneath a single PCA.

Such a limitation may seem unreasonable if the CMS is primarily intended to support secure e-mail. However, a shift of perspective is warranted since this CMS is aimed not only at providing services for global security applications but also for other security enhanced applications that do not presuppose global inter-connectivity. A CMS according to this perspective can function as an autonomous system, though section 7 discusses issues regarding integration of such local systems into the global certification hierarchy.

2.1 The roles of CMS agents

Within the certification hierarchy, some CAs are given special roles and responsibilities (see Figure 1). The Policy Certification Authority (PCA) is the root of the hierarchy, which makes it the common point of trust for verification of all certificates in the system. Leaf CAs are responsible for the administration of users. Because of their special role in relation to the users, these CAs are named User Certification Authorities (UCAs).

Figure 1 - A Certificate Management System

The PCA defines the security policy that all the CAs in its hierarchy are bound to follow. The policy specifies, among other things, technical and procedural security measures that are imposed on all the CMS agents of that hierarchy. In a global system the PCA must be responsible for making its policy available to all users of the system. The importance of this role is reduced in autonomous hierarchies.

The PCA is responsible for the administration of the hierarchy structure. No CA can be added to the hierarchy without first registering its DN with the PCA. If a DN has not been previously assigned to that CA by some other authority, the PCA will create it by deriving it from the parent's DN. If the DN has been previously assigned, the PCA will check that it conforms to the DN subordination requirement. For each CA in the system the PCA stores its DN and address 1. The PCA uses this information to resolve certificate requests when the address of the certificate owner is not known (see 4.2).

A separate role of the PCA is to serve as a repository for Certificate Revocation Lists (CRLs) [3] of all CAs in the system. Each CA and UCA periodically issues a CRL and sends it to the PCA. The users of the system can retrieve the CRLs from the PCA when needed for the verification of certificates.
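As an added illustration (not code from the Kapidzic and Davidson paper), the following Python model walks a verification path up the strict hierarchy described in sections 2 and 2.1: each hop checks DN subordination against the issuer, consults the issuer's CRL held at the PCA, confirms the issuer is a CA registered with the PCA, and stops when the path converges at the PCA root. The DN format, the names, addresses and serial numbers, and the boolean standing in for a signature are assumptions of this example.

```python
"""Model of path verification in a single-root CMS hierarchy (constructed example).

Models the rules the paper states: each CA has exactly one parent, all paths converge
at the PCA, a CA's DN is subordinate to its parent's DN, the PCA registers every CA's
DN and address, and the PCA holds every CA's CRL. Signatures are a boolean flag
(assumption); DNs, serials and addresses are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Certificate:
    subject: str  # DN written as "C=SE/O=Org/OU=Unit/CN=Name" (constructed format)
    issuer: str  # DN of the signing CA
    serial: int
    signed: bool = True  # stands in for a valid issuer signature (assumption)


@dataclass
class PCA:
    dn: str
    registered_cas: dict = field(default_factory=dict)  # CA DN -> address
    crls: dict = field(default_factory=dict)  # issuer DN -> set of revoked serials


def is_subordinate(child_dn: str, parent_dn: str) -> bool:
    """DN subordination: the child DN extends the parent DN by at least one RDN."""
    child, parent = child_dn.split("/"), parent_dn.split("/")
    return len(child) > len(parent) and child[: len(parent)] == parent


def register_ca(pca: PCA, ca_dn: str, parent_dn: str, address: str):
    """No CA joins the hierarchy without registering its DN with the PCA.

    The parent must already be in the hierarchy and the DN must satisfy the
    subordination requirement with respect to the parent's DN.
    """
    if parent_dn != pca.dn and parent_dn not in pca.registered_cas:
        return False, "parent CA is not in this hierarchy"
    if not is_subordinate(ca_dn, parent_dn):
        return False, "DN is not subordinate to the parent's DN"
    pca.registered_cas[ca_dn] = address
    return True, "registered"


def verify_path(cert: Certificate, ca_certs: dict, pca: PCA):
    """Walk from a certificate up the chain of issuers until the PCA is reached.

    ca_certs maps a CA's DN to its own certificate (a stand-in for the storage and
    retrieval functions the paper adds). Each hop checks the signature flag, DN
    subordination, the issuer's CRL held at the PCA, and that the issuer is a CA
    registered with the PCA. Returns (ok, reason).
    """
    seen = set()
    current = cert
    while True:
        if not current.signed:
            return False, f"bad signature on {current.subject}"
        if not is_subordinate(current.subject, current.issuer):
            return False, f"{current.subject} is not subordinate to issuer {current.issuer}"
        if current.serial in pca.crls.get(current.issuer, set()):
            return False, f"serial {current.serial} revoked by {current.issuer}"
        if current.issuer == pca.dn:
            return True, "path converges at PCA"
        if current.issuer in seen:
            return False, "issuer loop, hierarchy is not strict"
        seen.add(current.issuer)
        if current.issuer not in pca.registered_cas:
            return False, "issuer not registered with PCA"
        current = ca_certs.get(current.issuer)
        if current is None:
            return False, "issuer certificate not retrievable"


PCA_DN = "C=SE/O=DemoPCA"
UNI_CA = "C=SE/O=DemoPCA/OU=UniCA"
DEPT_UCA = "C=SE/O=DemoPCA/OU=UniCA/OU=DeptUCA"


def build_demo():
    """Constructed two-level hierarchy under one PCA plus four user certificates."""
    pca = PCA(dn=PCA_DN)
    register_ca(pca, UNI_CA, PCA_DN, "ca.uni.example")
    register_ca(pca, DEPT_UCA, UNI_CA, "uca.dept.example")
    ca_certs = {
        UNI_CA: Certificate(UNI_CA, PCA_DN, serial=1),
        DEPT_UCA: Certificate(DEPT_UCA, UNI_CA, serial=2),
    }
    pca.crls[DEPT_UCA] = {11}  # DeptUCA's periodic CRL, deposited at the PCA
    users = {
        "alice": Certificate(DEPT_UCA + "/CN=Alice", DEPT_UCA, serial=10),
        "bob": Certificate(DEPT_UCA + "/CN=Bob", DEPT_UCA, serial=11),  # revoked
        # issued by a CA that never registered with this PCA
        "mallory": Certificate("C=SE/O=Other/OU=RogueCA/CN=Mallory", "C=SE/O=Other/OU=RogueCA", serial=12),
        # DN not beneath the issuer's DN: violates the subordination requirement
        "carol": Certificate(UNI_CA + "/CN=Carol", DEPT_UCA, serial=13),
    }
    return pca, ca_certs, users


if __name__ == "__main__":
    pca, ca_certs, users = build_demo()
    for name, cert in users.items():
        print(name, verify_path(cert, ca_certs, pca))
```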
The registration of users' DNs is performed by t