公开(公告)号：US07500097B2

公开(公告)日：2009-03-03

申请号：US11069803

申请日：2005-02-28

申请人： Gregory Kostal ,  Muthukrishnan Paramasivam ,  Ravindra Nath Pandya ,  Scott C. Cottrille ,  Vasantha K Ravula ,  Vladimir Yarmolenko ,  Charles F. Rose, III ,  Yuhui Zhong

发明人： Gregory Kostal ,  Muthukrishnan Paramasivam ,  Ravindra Nath Pandya ,  Scott C. Cottrille ,  Vasantha K Ravula ,  Vladimir Yarmolenko ,  Charles F. Rose, III ,  Yuhui Zhong

IPC分类号： H04L9/00 ,  G06F7/04 ,  G06F17/30

CPC分类号： H04L63/0823

摘要： An improved certificate issuing system may comprise a novel arrangement for expressing certificate issuing policy. The policy may be expressed in a human-readable policy expression language and stored for example in a file that is consumed by a certificate issuing system at runtime. The policy may thus be easily changed by altering the digital file. Certain techniques are also provided for extending the capabilities of the certificate issuing system so it may apply and enforce new policies.

摘要翻译： 改进的证书颁发系统可以包括用于表达证书颁发策略的新颖的安排。 该策略可以以人类可读的策略表达语言表示，并且存储在例如在运行时由证书颁发系统消耗的文件中。 因此，通过改变数字文件可以容易地改变策略。 还提供了某些技术来扩展证书颁发系统的能力，以便它可以应用和执行新的策略。

公开(公告)号：US07509489B2

公开(公告)日：2009-03-24

申请号：US11077920

申请日：2005-03-11

申请人： Gregory Kostal ,  Muthukrishnan Paramasivam ,  Ravindra Nath Pandya ,  Scott C. Cottrille ,  Vasantha K Ravula ,  Vladimir Yarmolenko ,  Charles F. Rose, III ,  Yuhui Zhong

发明人： Gregory Kostal ,  Muthukrishnan Paramasivam ,  Ravindra Nath Pandya ,  Scott C. Cottrille ,  Vasantha K Ravula ,  Vladimir Yarmolenko ,  Charles F. Rose, III ,  Yuhui Zhong

IPC分类号： H04L9/00 ,  G06F7/04 ,  G06F17/30

CPC分类号： G06F21/33 ,  H04L9/3263 ,  H04L63/0823 ,  H04L63/102 ,  H04L2209/68

摘要： An improved certificate issuing system may comprise a certificate translation engine for translating incoming certificates and certificate requests from a first format into a second format. A certificate issuing engine may then operate on incoming requests in the common format. The issuing engine can issue certificates to clients according to its certificate issuing policy. The policy may be expressed as data in a policy expression language that can be consumed at runtime, which provides for flexible and efficient changing of issuing policy. Issued certificates can be translated back into a format that is consumed by the requesting client. Such translation can be performed by the translation engine prior to delivery of certificates to requesting clients.

摘要翻译： 改进的证书颁发系统可以包括用于将来自证书和证书请求从第一格式转换为第二格式的证书转换引擎。 然后证书颁发引擎可以以通用格式的传入请求进行操作。 发卡引擎可以根据证书颁发政策向客户颁发证书。 该策略可以表示为可以在运行时消费的策略表达式语言中的数据，其提供了灵活且有效地改变发布策略。 发放的证书可以翻译成请求客户端使用的格式。 在将证书交付给请求的客户端之前，这种翻译可由翻译引擎执行。

公开(公告)号：US20060195690A1

公开(公告)日：2006-08-31

申请号：US11069803

申请日：2005-02-28

申请人： Gregory Kostal ,  Muthukrishnan Paramasivam ,  Ravindra Pandya ,  Scott Cottrille ,  Vasantha Ravula ,  Vladimir Yarmolenko ,  Charles Rose ,  Yuhui Zhong

发明人： Gregory Kostal ,  Muthukrishnan Paramasivam ,  Ravindra Pandya ,  Scott Cottrille ,  Vasantha Ravula ,  Vladimir Yarmolenko ,  Charles Rose ,  Yuhui Zhong

IPC分类号： H04L9/00

CPC分类号： H04L63/0823

摘要： An improved certificate issuing system may comprise a novel arrangement for expressing certificate issuing policy. The policy may be expressed in a human-readable policy expression language and stored for example in a file that is consumed by a certificate issuing system at runtime. The policy may thus be easily changed by altering the digital file. Certain techniques are also provided for extending the capabilities of the certificate issuing system so it may apply and enforce new policies.

公开(公告)号：US20060206707A1

公开(公告)日：2006-09-14

申请号：US11077920

申请日：2005-03-11

申请人： Gregory Kostal ,  Muthukrishnan Paramasivam ,  Ravindra Pandya ,  Scott Cottrille ,  Vasantha Ravula ,  Vladimir Yarmolenko ,  Charles Rose ,  Yuhui Zhong

发明人： Gregory Kostal ,  Muthukrishnan Paramasivam ,  Ravindra Pandya ,  Scott Cottrille ,  Vasantha Ravula ,  Vladimir Yarmolenko ,  Charles Rose ,  Yuhui Zhong

IPC分类号： H04L9/00

CPC分类号： G06F21/33 ,  H04L9/3263 ,  H04L63/0823 ,  H04L63/102 ,  H04L2209/68

摘要： An improved certificate issuing system may comprise a certificate translation engine for translating incoming certificates and certificate requests from a first format into a second format. A certificate issuing engine may then operate on incoming requests in the common format. The issuing engine can issue certificates to clients according to its certificate issuing policy. The policy may be expressed as data in a policy expression language that can be consumed at runtime, which provides for flexible and efficient changing of issuing policy. Issued certificates can be translated back into a format that is consumed by the requesting client. Such translation can be performed by the translation engine prior to delivery of certificates to requesting clients.

公开(公告)号：US07770206B2

公开(公告)日：2010-08-03

申请号：US11077574

申请日：2005-03-11

申请人： Blair Brewster Dillaway ,  Brian LaMacchia ,  Muthukrishnan Paramasivam ,  Charles F. Rose, III ,  Ravindra Nath Pandya

发明人： Blair Brewster Dillaway ,  Brian LaMacchia ,  Muthukrishnan Paramasivam ,  Charles F. Rose, III ,  Ravindra Nath Pandya

IPC分类号： G06F7/04

CPC分类号： G06F21/62 ,  G06F21/33 ,  G06F2221/2145

摘要： A resource of a first organization provides access thereto to a requestor of a second organization. A first administrator of the first organization issues a first credential to a second administrator of the second organization, including policy that the second administrator may issue a second credential to the requestor on behalf of the first administrator. The second administrator issues the second credential to the requester, including the issued first credential. The requestor requests access from the resource and includes the issued first and second credentials. The resource validates that the issued first credential ties the first administrator to the second administrator, and that the issued second credential ties the second administrator to the requester. The resource thus knows that the request is based on rights delegated from the first administrator to the requester by way of the second administrator.

摘要翻译： 第一组织的资源提供对第二组织的请求者的访问。 第一个组织的第一个管理员向第二个组织的第二个管理员颁发第一个凭据，包括第二个管理员可以代表第一个管理员向请求者发出第二个凭证的策略。 第二个管理员向请求者发出第二个凭证，包括发出的第一个凭证。 请求者请求从资源的访问，并且包括发出的第一和第二凭证。 该资源验证所发出的第一个凭证将第一个管理员与第二个管理员相关联，并且发出的第二个凭证将第二个管理员与请求者联系起来。 因此，该资源知道该请求基于通过第二管理员从第一管理员委派给请求者的权限。

公开(公告)号：US07882539B2

公开(公告)日：2011-02-01

申请号：US11445778

申请日：2006-06-02

申请人： Muthukrishnan Paramasivam ,  Charles F. Rose, III ,  Dave M. McPherson ,  Raja Pazhanivel Perumal ,  Satyajit Nath ,  Paul J. Leach ,  Ravindra Nath Pandya

发明人： Muthukrishnan Paramasivam ,  Charles F. Rose, III ,  Dave M. McPherson ,  Raja Pazhanivel Perumal ,  Satyajit Nath ,  Paul J. Leach ,  Ravindra Nath Pandya

IPC分类号： G06F17/00 ,  H04L29/06

CPC分类号： H04L63/102 ,  G06F21/604 ,  H04L63/20

摘要： Abstracting access control policy from access check mechanisms allows for richer expression of policy, using a declarative model with semantics, than what is permitted by the access check mechanisms. Further, abstracting access control policy allows for uniform expression of policy across multiple access check mechanisms. Proof-like reasons for any access query are provided, such as who has access to what resource, built from the policy statements themselves, independent of the access check mechanism that provide access. Access is audited and policy-based reasons for access are provided based on the access control policy.

摘要翻译： 来自访问检查机制的抽象访问控制策略允许使用具有语义的声明性模型，而不是访问检查机制允许的策略的更丰富的表达。 此外，抽象访问控制策略允许在多个访问检查机制之间统一表达策略。 提供任何访问查询的类似原因，例如谁可以访问从策略语句本身构建的什么资源，独立于提供访问的访问检查机制。 访问被审计，基于访问控制策略提供基于策略的访问原因。

公开(公告)号：US20060173788A1

公开(公告)日：2006-08-03

申请号：US11048087

申请日：2005-02-01

申请人： Ravindra Nath Pandya ,  Peter Waxman ,  Vinay Krishnaswamy ,  Muthukrishnan Paramasivam ,  Marco DeMello ,  Steven Bourne

发明人： Ravindra Nath Pandya ,  Peter Waxman ,  Vinay Krishnaswamy ,  Muthukrishnan Paramasivam ,  Marco DeMello ,  Steven Bourne

IPC分类号： H04L9/00

CPC分类号： G06F21/10

摘要： A license is issued to a user as decryption and authorization portions. The decryption portion is accessible only by such user and has a decryption key (KD) for decrypting corresponding encrypted digital content and validating information including an identification of a root trust authority. The authorization portion sets forth rights granted in connection with the digital content and conditions that must be satisfied to exercise the rights granted, and has a digital signature that is validated according to the identified root trust authority in the decryption portion. The user issued accesses the decryption portion and employs the validation information therein to validate the digital signature of the authorization portion. If the conditions in the authorization portion so allow, the rights in the authorization portion are exercised by decrypting the encrypted content with the decryption key (KD) from the decryption portion and rendering the decrypted content.

摘要翻译： 向用户颁发许可证作为解密和授权部分。 解密部分仅由该用户访问，并且具有用于解密对应的加密数字内容的解密密钥（KD）以及验证包括根信任授权的标识的信息。 授权部分列出与数字内容和条件相关的权利，该数字内容和条件必须满足以行使所授予的权利，并且具有根据所述解密部分中确定的根信任权限验证的数字签名。 用户发出访问解密部分并在其中采用验证信息来验证授权部分的数字签名。 如果授权部分中的条件允许，则通过使用来自解密部分的解密密钥（KD）解密加密内容并呈现解密内容来执行授权部分中的权限。

公开(公告)号：US20070283411A1

公开(公告)日：2007-12-06

申请号：US11445778

申请日：2006-06-02

申请人： Muthukrishnan Paramasivam ,  Charles F. Rose ,  Dave M. McPherson ,  Raja Pazhanivel Perumal ,  Satyajit Nath ,  Paul J. Leach ,  Ravindra Nath Pandya

发明人： Muthukrishnan Paramasivam ,  Charles F. Rose ,  Dave M. McPherson ,  Raja Pazhanivel Perumal ,  Satyajit Nath ,  Paul J. Leach ,  Ravindra Nath Pandya

IPC分类号： H04L9/00

CPC分类号： H04L63/102 ,  G06F21/604 ,  H04L63/20

摘要： Abstracting access control policy from access check mechanisms allows for richer expression of policy, using a declarative model with semantics, than what is permitted by the access check mechanisms. Further, abstracting access control policy allows for uniform expression of policy across multiple access check mechanisms. Proof-like reasons for any access query are provided, such as who has access to what resource, built from the policy statements themselves, independent of the access check mechanism that provide access. Access is audited and policy-based reasons for access are provided based on the access control policy.

摘要翻译： 来自访问检查机制的抽象访问控制策略允许使用具有语义的声明性模型，而不是访问检查机制允许的策略的更丰富的表达。 此外，抽象访问控制策略允许在多个访问检查机制之间统一表达策略。 提供任何访问查询的类似原因，例如谁可以访问从策略语句本身构建的什么资源，独立于提供访问的访问检查机制。 访问被审计，基于访问控制策略提供基于策略的访问原因。

公开(公告)号：US20080244736A1

公开(公告)日：2008-10-02

申请号：US11694014

申请日：2007-03-30

申请人： Butler Lampson ,  Ravindra Nath Pandya ,  Paul J. Leach ,  Muthukrishnan Paramasivam ,  Carl M. Ellison ,  Charles William Kaufman

发明人： Butler Lampson ,  Ravindra Nath Pandya ,  Paul J. Leach ,  Muthukrishnan Paramasivam ,  Carl M. Ellison ,  Charles William Kaufman

IPC分类号： G06F12/14

CPC分类号： G06F21/604 ,  G06F21/6218

摘要： Access control as it relates to policies or permissions is provided based on a created model. A security policy is abstracted and can be independent of a mechanism used to protect resources. An asbstract model of a potential user, user role and/or resource is created without associating a specific individual and/or resource with a model. These abstract user models and abstract resource models can be used across applications or within disparate applications. The abstracted security policies can be selectively applied to the model. Specific users and/or resources can be associated with one or more abstract user model or abstract resource model. The models can be nested to provide configurations for larger systems.

摘要翻译： 基于创建的模型提供与策略或权限相关的访问控制。 安全策略被抽象出来，可以独立于用于保护资源的机制。 创建潜在用户，用户角色和/或资源的抽象模型，而不将特定个人和/或资源与模型相关联。 这些抽象用户模型和抽象资源模型可以跨应用程序或不同的应用程序使用。 抽象的安全策略可以选择性地应用于模型。 特定用户和/或资源可以与一个或多个抽象用户模型或抽象资源模型相关联。 这些型号可以嵌套，以提供更大系统的配置。

公开(公告)号：US07860802B2

公开(公告)日：2010-12-28

申请号：US11048087

申请日：2005-02-01

申请人： Ravindra Nath Pandya ,  Peter David Waxman ,  Vinay Krishnaswamy ,  Muthukrishnan Paramasivam ,  Marco A. DeMello ,  Steven Bourne

发明人： Ravindra Nath Pandya ,  Peter David Waxman ,  Vinay Krishnaswamy ,  Muthukrishnan Paramasivam ,  Marco A. DeMello ,  Steven Bourne

IPC分类号： G06F21/00

CPC分类号： G06F21/10

摘要： A license is issued to a user as decryption and authorization portions. The decryption portion is accessible only by such user and has a decryption key (KD) for decrypting corresponding encrypted digital content and validating information including an identification of a root trust authority. The authorization portion sets forth rights granted in connection with the digital content and conditions that must be satisfied to exercise the rights granted, and has a digital signature that is validated according to the identified root trust authority in the decryption portion. The user issued accesses the decryption portion and employs the validation information therein to validate the digital signature of the authorization portion. If the conditions in the authorization portion so allow, the rights in the authorization portion are exercised by decrypting the encrypted content with the decryption key (KD) from the decryption portion and rendering the decrypted content.

摘要翻译： 向用户颁发许可证作为解密和授权部分。 解密部分仅由该用户访问，并且具有用于解密对应的加密数字内容的解密密钥（KD）以及验证包括根信任授权的标识的信息。 授权部分列出与数字内容和条件相关联的权利，该数字内容和条件必须满足以行使所授予的权利，并且具有根据所述解密部分中确定的根信任权限验证的数字签名。 用户发出访问解密部分并在其中采用验证信息来验证授权部分的数字签名。 如果授权部分中的条件允许，则通过使用来自解密部分的解密密钥（KD）解密加密内容并呈现解密内容来执行授权部分中的权限。