Validating a certificate chain in a dispersed storage network

摘要

A method begins by a processing module receiving a certificate chain and determining whether at least one of one or more signed certificates of the chain has a valid signature. When the at least one of the one or more signed certificates has a valid signature, the method continues with the processing module identifying one or more certificate authorities (CA) to produce identified CAs, accessing registry information that includes one or more realm identifiers (IDs) and a plurality of trusted CA IDs, determining whether one or more of the identified CAs is a trusted CA, and when the one or more of the identified CAs is a trusted CA, indicating that the certificate chain is valid, identifying a realm ID based on a trusted CA ID, and generating certificate chain validation information to include the realm ID, trusted CAs, and the indication of the validity of the certificate chain.

主权项

1. A method for authenticating a certificate chain within a dispersed storage network (DSN) by one or more computing devices of the DSN, wherein the method comprises:
receiving the certificate chain from a requesting device, wherein the certificate chain includes a plurality of signed certificates that includes a signed certificate of the requesting device, a signed certificate of a root certificate authority, and one or more signed certificates of one or more intervening certificate authorities, wherein the certificate chain corresponds to a set of error coded (EC) data slices, wherein a data segment is dispersed error encoded to produce the set of EC data slices, and wherein the plurality of sets of EC data slices are stored among a plurality of distributed storage (DS) units within the DSN; validating signature of one of the plurality of signed certificates based on a public key of a corresponding certificate authority and a verification algorithm affiliated with the one of the plurality of signed certificates; when the signature of the one of the plurality of signed certificates is validated, validating remaining signatures of the plurality of signed certificates based on registry information that includes a list of trusted network certificates and vault information; and when the remaining signatures of the plurality of signed certificates are validated, generating certificate chain validation information to include a realm identifier, a list of trusted certificate authorities that have signed one or more of the plurality of signed certificates, and an indication of the validity of the certificate chain that indicates authorization for the requesting device to retrieve a minimum number of EC data slices within the set of EC data slices required to reconstruct the data segment.