Abstract:
The subject disclosure pertains to systems and methods that facilitate managing access control using certificates. The systems and methods described herein are directed to mapping an access policy, as expressed in an access control list (ACL), to a set of certificates. The set of certificates can be used to grant access to resources in the manner described by the ACL. The certificates can be distributed to entities for use in obtaining access to resources, and entities can present certificates to resources as evidence of their right to access them. The access logic of the sequential ACL can be transformed or mapped to a set of order-independent certificates. In particular, each entry, the position of the entry in the list, and any preceding entries can be analyzed. The analysis can be used to generate order-independent certificates that provide access in accordance with the access policy communicated in the ACL.
Abstract:
Translation of role-based authoring models for managing RBAC “roles” to resource authorization policy (RAP), such as ACL-based applications, is provided. A generic RBAC system is defined from which mappings to other authorization enforcement mechanisms make possible the translation of RBAC “roles” to resource authorization policies applied to resources managed by a resource manager, e.g., a file system resource manager. An implementation is described that uses Windows Authorization Manager as a storage mechanism and object model to manage object types and relationships translated from an RBAC system.
Abstract:
Processing a response to a network request using information that was transplanted into the response from a specific portion of the request. A requesting computer system generates an electronic request that includes the specific portion. The requesting computer system then submits the request to a responding computer system, which processes the request to form a response. During processing of the request, the responding system transplants the specific portion of the request into the response. The responding computer system then transmits the response to a processing computer system. The processing computer system receives the response, extracts the information from the specific portion of the response, and then uses the extracted information to process the request.
Abstract:
A device control model provides an integrated set of addressing, naming, discovery and description processes that enables automatic, dynamic and ad-hoc self-setup by devices to interoperate with other devices on a network. This permits a computing device, when introduced into a network, to configure itself automatically so as to connect and interact with other computing devices available on the network, without a user installation experience and without downloading driver software or persisting a configuration setup for connecting and interacting with such other computing devices. Upon completing interaction with such other devices, the computing device automatically releases the setup for those devices so as to avoid persistent device configurations that might create a configuration maintenance and management burden.
Abstract:
A network system includes a content provider connected to local service providers via an interactive distribution network, such as the Internet. The local service providers facilitate delivery of the content from the content provider to multiple subscribers. The local service providers schedule delivery of frequently requested content from the content provider prior to a peak time when the subscribers are likely to request the content. The content is downloaded from the content provider during the off-peak hours and cached at the local service providers for serving to the subscribers during the ensuing peak time. In this manner, the frequently requested content is already present at the local service providers and ready to be served to the subscribers before they actually request it. When the content is finally requested, the data is streamed continuously in real time for just-in-time rendering at the subscriber's computer. Another aspect of this invention involves supplementing content delivery over the Internet with delivery of content over a secondary network, such as a broadcast satellite network. The supplemental broadcast link offers additional bandwidth at a fraction of the cost that would be incurred if the local service provider installed additional Internet connections, such as T1 or T3 connections.
Abstract:
A distributed system in which time-dependent credentials are supplied by controllers that operate according to different local times. Errors that might arise from the controllers generating inconsistent credentials because of time skew are avoided by identifying credentials generated during transition intervals, in which different controllers may generate different credentials at the same absolute time. During a transition interval, controllers and other devices may use credentials differently based on the nature of the authentication function. Each controller may periodically renew its credentials based on self-scheduled renewals or on requests from other devices, with renewal times offset by random delays to avoid excessive network traffic. Controllers may determine which credential is valid for any given time based on a cryptographically secure key associated with that time and on information identifying the entity associated with that credential.
Abstract:
Abstracting access control policy from access check mechanisms allows for richer expression of policy, using a declarative model with semantics, than what the access check mechanisms themselves permit. Further, abstracting access control policy allows for uniform expression of policy across multiple access check mechanisms. Proof-like reasons for any access query, such as who has access to what resource, are provided, built from the policy statements themselves and independent of the access check mechanism that grants access. Access is audited, and policy-based reasons for access are provided based on the access control policy.