IPC classification information
Country / Type | United States (US) Patent, Granted
International Patent Classification (IPC 7th edition) |
Application number | US-0614860 (2006-12-21)
Registration number | US-7395550 (2008-07-01)
Inventors / Address | Weeks, Stephen P.; Serret Avila, Xavier
Applicant / Address | Intertrust Technologies Corp.
Agent / Address | Finnegan, Henderson, Farabow, Garrett and Dunner LLP
Citation information | Times cited: 6; Patents cited: 42
Abstract
The present invention provides systems and methods for making efficient trust management decisions. A trust management engine is provided that processes requests for system resources, authorizations or certificates, and the identity of one or more root authorities that are ultimately responsible for granting or denying the requests. To determine whether a request should be granted, the trust management engine identifies a set of principals from whom authorization may flow, and interprets each of the certificates as a function of the state of one or more of the principals. The processing logic iteratively evaluates the functions represented by the certificates, updates the states of the principals, and repeats this process until a reliable determination can be made as to whether the request should be granted or denied. The certificates may be evaluated until the state of the root authority indicates that the request should be granted, or until further evaluation of the certificates is ineffective in changing the state of the principals.
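An added illustration of the iterative evaluation the abstract describes (not code from the patent or from Intertrust): each certificate is a monotone function of the principals' states, and evaluation repeats until the root authority's state grants the request or no state changes. The permission-set values, the helper names `says`, `delegate`, `threshold` and `decide`, and the sample principals are assumptions made for this example.

```python
from typing import Callable, Dict, FrozenSet, List, Tuple

Auth = FrozenSet[str]                        # authorization value: a set of permissions
State = Dict[str, Auth]                      # principal -> current authorization value
Cert = Tuple[str, Callable[[State], Auth]]   # (issuer, monotone function of the state)
BOTTOM: Auth = frozenset()                   # initial value: nothing authorized

def says(*perms: str) -> Callable[[State], Auth]:
    """Issuer authorizes perms outright (a constant function is monotone)."""
    return lambda state: frozenset(perms)

def delegate(to: str, *perms: str) -> Callable[[State], Auth]:
    """Issuer authorizes whatever principal `to` authorizes, capped at perms."""
    return lambda state: state.get(to, BOTTOM) & frozenset(perms)

def threshold(k: int, voters: List[str], perm: str) -> Callable[[State], Auth]:
    """Multi-way delegation: issuer authorizes perm once k voters do."""
    def fn(state: State) -> Auth:
        votes = sum(perm in state.get(v, BOTTOM) for v in voters)
        return frozenset([perm]) if votes >= k else BOTTOM
    return fn

def decide(root: str, request: str, certs: List[Cert]):
    """Evaluate certificates until root grants request or the state is steady."""
    state: State = {}
    rounds = 0
    while True:
        rounds += 1
        changed = False
        for issuer, fn in certs:
            old = state.get(issuer, BOTTOM)
            new = old | fn(state)            # join: values only ever grow
            if new != old:
                state[issuer], changed = new, True
        if request in state.get(root, BOTTOM):
            return True, rounds, state       # endpoint: request authorized
        if not changed:
            return False, rounds, state      # endpoint: steady state, deny

# Constructed sample: bob signs a "read" request; alice and bob delegate in a cycle.
CERTS: List[Cert] = [
    ("server", delegate("alice", "read", "write")),
    ("alice", delegate("bob", "read")),
    ("bob", delegate("alice", "read")),
    ("bob", says("read")),
    ("server", threshold(2, ["alice", "carol"], "delete")),
    ("alice", says("delete")),
]
```

Because every function is monotone and the set of permissions is finite, the loop always terminates, even with the alice/bob delegation cycle in the sample.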
Representative claims
What is claimed is:

1. In a computer-implemented authorization management system, a method for controlling a user's access to a computing resource that is managed by said computer-implemented authorization management system, the method including: receiving an electronic request for the computing resource from a first principal; identifying a set of principals associated with a group of computer-readable authorization certificates, each certificate in the group of computer-readable authorization certificates containing at least one computer-readable authorization by at least one principal, at least one certificate having been issued by a second principal; initializing a set of authorization values associated with the principals of said set of principals; evaluating a certificate as a monotone function, at least in part, of one or more authorization values associated with one or more of the principals; updating the one or more authorization values associated with the one or more of the principals if the result of said evaluating step indicates that an authorization value of a principal should be changed; and repeating said evaluating and updating steps until an endpoint is reached.

2. A method as in claim 1, further including: constructing a dependency graph representation in a memory device in communication with the computer-implemented authorization system, the dependency graph containing a node corresponding to each principal in the set of principals; and associating at least two nodes in the dependency graph with a certificate that expresses a dependency of one node on the state of another node; wherein the dependency graph representation is used, at least in part, during said evaluating, updating, and repeating to determine which certificates to evaluate.

3. A method as in claim 1, in which said updating is performed after all of the certificates have been evaluated.

4. A method as in claim 1, further comprising: receiving the group of computer-readable authorization certificates from the first principal, wherein the request for the computing resource is received in the same communication as at least one computer-readable authorization certificate.

5. A method as in claim 1, in which the certificates comprise Simple Public Key Infrastructure (SPKI) certificates.

6. A method as in claim 1, in which the electronic request includes at least one of a request to access a piece of electronic content; use a computer program; execute a transaction; access a computer; and/or access a network.

7. A method as in claim 1, wherein the endpoint includes a steady state of the set of authorization values.

8. A method as in claim 1, wherein the endpoint includes an authorization of the electronic request.

9. A method as in claim 1, wherein at least one of the computer-readable authorization certificates includes at least one of a multi-way delegation and/or an inter-assertion delegation.

10. A computer-implemented system for controlling access to electronic resources, the system comprising: a first computer system for processing electronic requests for access to electronic resources, the first computer system comprising: a computer network interface configured to receive digital certificates from a second computer system and for electronically receiving and processing requests to access electronic resources, wherein at least some of the requests are received from the second computer system; a memory device in communication with said first computer system for storing electronic resources and one or more computer-readable authorization certificates relating to authorization for controlling access thereto; and a trust management engine for processing digital certificates and requests for electronic resources, and for making access control decisions by creating a set of monotone authorization values and performing an endpoint computation using said authorization values.

11. A system as in claim 10, further comprising: a third computer system for generating a first digital certificate, the first digital certificate including an authorization value that is generated from a first monotone function, the authorization value effective for authorizing, at least in part, the second computer system to access a predefined electronic resource, the third computer system being operable to send the first digital certificate to the second computer system.

12. A system as in claim 10, further comprising: a fourth computer system, the fourth computer system being operable to generate a second digital certificate including an authorization value that is generated from a second monotone function, the second digital certificate authorizing, at least in part, the third computer system to authorize, at least in part, the user of the second computer system to access the predefined system resource.

13. A system as in claim 12, in which the third computer system is operable to transmit the first digital certificate to the second computer system, the second computer system is operable to transmit the first digital certificate to the first computer system in connection with said request, and the fourth computer system is operable to transmit the second digital certificate to the first computer system.

14. A system as in claim 12, in which the first computer system further comprises a public key stored in a memory device in communication with said first computer system, said public key being associated with the fourth computer system, the public key corresponding to a private key used to sign the second digital certificate.

15. A system as in claim 10, in which at least some of the digital certificates comprise SPKI certificates.

16. A system as in claim 10, in which at least some of the digital certificates comprise Keynote certificates.

17. A system as in claim 10, wherein the endpoint computation includes a steady state of said set of authorization values.

18. A system as in claim 10, wherein the endpoint computation includes an authorization of the electronic request.