Title: Method and system for authentication over a public network using multiple out-of-band communications channels to send keys
Abstract: A method includes sending an open request to a directory server for a first key, the first key being a trusted key wrapped in a public key. The open request includes an authentication request value that identifies the open request as a verified setup directory service, the public key, an email address and a specified out-of-band communication channel. The directory server sends a first reply after generating the first key; this first reply is sent directly back with a first half of the first key offset by a unique value and wrapped using the public key. The second reply is sent via email to the email address and includes a second half of the first key offset by the first half of the first key. The third reply is sent to the out-of-band channel and includes the unique value.
Publication number: US9374347(B2) Publication date: 2016.06.21
Application number: US201414176284 Filing date: 2014.02.10
Applicant: McGough R. Paul Inventor: McGough R. Paul
Classification: H04L29/06;H04L9/08;H04L9/32 Main classification: H04L29/06
Agency: Michael P Fortkort PC Agent: Fortkort, Esq. Michael P.;Michael P Fortkort PC
Main claim: 1. A non-transitory computer readable media having encoded thereon instructions for a processor and memory to cause the processor in conjunction with the memory to perform a method for performing real-time authentication between a first directory server and a second directory server, the first directory server having obtained a first key from a common directory server and the second directory server having obtained a second key from the common directory server comprising: sending by the first directory server a first request to the common directory server wrapped in the first key in an SSLX-EA communication to obtain a first directory server session master key to use in subsequent communication with the second directory server, wherein the first request includes a first authentication request value that indicates to the common directory server with which one of a plurality of directory servers that the first directory server wishes to communicate; generating the first directory server session master key by the common directory server; sending by the common directory server a first of two replies after generating the first directory server session master key, wherein the first reply is sent to the second directory server with the first directory server session master key wrapped in an SSLX-EA message using the second key; sending a second reply of the two replies back to the first directory server with the first directory server session master key wrapped in an SSLX-EA message using the first key; sending by a first directory server a first open request to a common directory server for a first key, said first key being a trusted embedded authentication common directory service key wrapped in a first public key of a first public-private key pair of the first directory server, wherein the first open request includes a first authentication request value that identifies the first open request as a verified setup directory service, the first public key, a first email address and a first specified third additional out-of-band communication channel; sending to the first directory server by the common directory server a first reply of three replies after generating the first key, said first reply being sent directly back to the first directory server with a first half of the first key offset by a first unique value and wrapped using the first public key; sending a second reply of the three replies via email to the first email address, said second reply including a second half of the first key offset by the first half of the first key; sending a third reply of the three replies to the first specified third additional out-of-band channel, said third reply including the first unique value; combining by the first directory server the first half of the first key and the second half of the first key to form the first key using an offset specified by the first unique value; sending by the first directory server a first confirmation message wrapped in the first key to the common directory server; sending by a second directory server a second open request to a common directory server for a second key, said second key being a trusted embedded authentication common directory service key wrapped in a second public key of a second public-private key pair of the second directory server, wherein the second open request includes a second authentication request value that identifies the second open request as a verified setup directory service, the second public key, a second email address and a second specified third additional out-of-band communication channel; sending to the second directory server by the common directory server a first reply of three replies after generating the second key, said first reply being sent directly back to the second directory server with a first half of the second key offset by a second unique value and wrapped using the second public key; sending by the common directory server to the second directory server a second reply of the three replies to the second directory server via email to the second email address, said second reply to the second directory server including a second half of the second key offset by the first half of the second key; sending a third reply of the three replies to the second directory server to the second specified third additional out-of-band channel, said third reply to the second directory server including the second unique value; combining by the second directory server the first half of the second key and the second half of the second key to form the second key using an offset specified by the second unique value; sending by the second directory server a second confirmation message wrapped in the second key to the common directory server; sending by the first directory server a first request to the common directory server wrapped in the first key in an SSLX-EA communication to obtain a first directory server session master key to use in subsequent communication with the second directory server, wherein the first request includes a first authentication request value that indicates to the common directory server with which one of a plurality of directory servers that the first directory server wishes to communicate; generating the first directory server session master key by the common directory server; sending by the common directory server a first of two replies after generating the first directory server session master key, wherein the first reply is sent to the second directory server with the first directory server session master key wrapped in an SSLX-EA message using the second key; and sending a second reply of the two replies back to the first directory server with the first directory server session master key wrapped in an SSLX-EA message using the first key.
Address: Nokesville VA US
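The three-reply key delivery described in the abstract and claim, as an added illustration that is not code from the patent: the trusted key is split into two halves, the direct reply carries the first half offset by a fresh unique value, the email reply carries the second half offset by the first half, and the third out-of-band reply carries the unique value, so the requester needs all three channels to rebuild the key. The claim does not name the offset operation; XOR is assumed here, and the public-key wrapping of the direct reply and the SSLX-EA framing are omitted as simplifications.

```python
import secrets
from dataclasses import dataclass, replace
from typing import Dict, Optional


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; the patent's 'offset' is assumed to be XOR here."""
    if len(a) != len(b):
        raise ValueError("offset operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass(frozen=True)
class ThreeReplies:
    """The three replies the directory server sends over separate channels."""
    direct: bytes       # first half XOR unique value (patent: also wrapped in requester's public key)
    email: bytes        # second half XOR first half, sent to the given email address
    out_of_band: bytes  # the unique value itself, sent to the specified third channel


def split_trusted_key(trusted_key: bytes, unique_value: Optional[bytes] = None) -> ThreeReplies:
    """Directory-server side: derive the three replies from the generated trusted key."""
    if len(trusted_key) % 2:
        raise ValueError("trusted key must split into two equal halves")
    half = len(trusted_key) // 2
    first_half, second_half = trusted_key[:half], trusted_key[half:]
    if unique_value is None:
        unique_value = secrets.token_bytes(half)  # fresh per open request
    return ThreeReplies(
        direct=xor_bytes(first_half, unique_value),
        email=xor_bytes(second_half, first_half),
        out_of_band=unique_value,
    )


def combine_trusted_key(replies: ThreeReplies) -> bytes:
    """Requester side: undo the offsets in dependency order and rejoin the halves."""
    first_half = xor_bytes(replies.direct, replies.out_of_band)
    second_half = xor_bytes(replies.email, first_half)
    return first_half + second_half


def recovers_without(replies: ThreeReplies, trusted_key: bytes) -> Dict[str, bool]:
    """Constructed check: a party lacking one channel (modelled as an all-zero reply)
    does not recover the trusted key, so every channel is required."""
    outcome = {}
    for missing in ("direct", "email", "out_of_band"):
        zeros = bytes(len(getattr(replies, missing)))
        outcome[missing] = combine_trusted_key(replace(replies, **{missing: zeros})) == trusted_key
    return outcome
```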