公开(公告)号：US07779265B2

公开(公告)日：2010-08-17

申请号：US11302047

申请日：2005-12-13

申请人： Kendarnath A. Dubhashi ,  Balan Sethu Raman ,  Paul J. Leach ,  Prasanna V. Krishnan

发明人： Kendarnath A. Dubhashi ,  Balan Sethu Raman ,  Paul J. Leach ,  Prasanna V. Krishnan

IPC分类号： G06F17/30 ,  G06F21/00

CPC分类号： G06F21/6218 ,  G06F2221/2141 ,  G06F2221/2145 ,  H04L63/101

摘要： An item inheritance system and method are provided. The item inheritance system can be employed to propagate access control information (e.g., an access control list) to one or more item(s), thus facilitating security of item(s). At least one of the item(s) is a compound item.The item inheritance system includes an input component that receives information associated with one or more items. The items can include container(s), object(s) and/or compound item(s). The system can be triggered by a change in security policy to the item(s), for example, adding and/or deleting a user's access to the item(s). Additionally, moving and/or copying a collection of items can further trigger the system.The system further includes a propagation component that propagates access control information to the item(s). For example, the propagation component can enforce the ACL propagation policies when a change to the security descriptor takes place at the root of a hierarchy.

摘要翻译： 提供了项目继承系统和方法。 可以采用项目继承系统将访问控制信息（例如，访问控制列表）传播到一个或多个项目，从而促进项目的安全性。 至少一个项目是复合项目。 项目继承系统包括接收与一个或多个项目相关联的信息的输入组件。 物品可以包括容器，物体和/或复合物品。 可以通过对项目的安全策略的改变来触发系统，例如添加和/或删除用户对项目的访问。 此外，移动和/或复制物品的集合可以进一步触发系统。 该系统还包括将访问控制信息传播到该项目的传播组件。 例如，当安全描述符的更改发生在层次结构的根目录下时，传播组件可以强制执行A​​CL传播策略。

公开(公告)号：US07757275B2

公开(公告)日：2010-07-13

申请号：US11153631

申请日：2005-06-15

申请人： Christopher J. Crall ,  Karthik Jaganathan ,  Liqiang Zhu ,  Paul J. Leach

发明人： Christopher J. Crall ,  Karthik Jaganathan ,  Liqiang Zhu ,  Paul J. Leach

IPC分类号： G06F21/00 ,  H04L29/06

CPC分类号： H04L9/3247 ,  H04L9/083 ,  H04L9/0863 ,  H04L9/3213 ,  H04L63/0807 ,  H04L63/0838

摘要： A domain controller (DC) side plugin supports one time passwords natively in Kerberos, Part of the key material is static and the other part is dynamic, thereby leveraging properties unique to each to securely support one time passwords in an operating system. The user is permitted to type in the one time passcode into a logon user interface. Rather than calling the SAM APIs to get the static passwords, vendors may register callbacks on the DC to plugin their algorithm. These callback functions will return the dynamically calculated passcodes for the user at a specific point in time. This passcode will then be treated as a normal password by the DC.

摘要翻译： 域控制器（DC）侧插件在Kerberos中本地支持一次密码，部分密钥材料是静态的，另一部分是动态的，从而利用每个密钥的属性来安全地支持操作系统中的一次密码。 允许用户将一次性密码输入登录用户界面。 供应商可以在DC上注册回调来插入其算法，而不是调用SAM API来获取静态密码。 这些回调函数将在特定时间点返回动态计算的用户密码。 然后，该密码将被DC视为正常密码。

公开(公告)号：US20090055921A1

公开(公告)日：2009-02-26

申请号：US11843752

申请日：2007-08-23

申请人： Scott A. Field ,  Paul J. Leach ,  Roopesh C. Battepati ,  Michael C. Johnson

发明人： Scott A. Field ,  Paul J. Leach ,  Roopesh C. Battepati ,  Michael C. Johnson

IPC分类号： G06F15/16

CPC分类号： G06F21/6236

摘要： Aspects of the subject matter described herein relate to providing file access in a multi-protocol environment. In aspects, a file server is operable to receive requests formatted according to two or more file access protocols. If a request is formatted according to a first file access protocol, the file server applies access rights associated with the file to an account associated with a requester to determine whether to grant access. If the request is formatted according to the second file access protocol, the file server may first attempt to find an account for the requester. If an account is not found, the file server may then grant access based on access rights associated with the file as applied to information in the request without consulting an account on the file server.

摘要翻译： 本文描述的主题的方面涉及在多协议环境中提供文件访问。 在方面中，文件服务器可操作以接收根据两个或多个文件访问协议格式化的请求。 如果根据第一文件访问协议格式化请求，则文件服务器将与文件相关联的访问权限应用于与请求者相关联的帐户，以确定是否授予访问权限。 如果根据第二文件访问协议来格式化请求，则文件服务器可以首先尝试找到请求者的帐户。 如果没有找到一个帐户，则文件服务器可能会根据应用于请求中的信息的与该文件相关联的访问权限来授予访问权限，而不咨询文件服务器上的一个帐户。

公开(公告)号：US20080022368A1

公开(公告)日：2008-01-24

申请号：US11450597

申请日：2006-06-09

申请人： Scott A. Field ,  Liqiang Zhu ,  Peter T. Brundrett ,  Paul J. Leach

发明人： Scott A. Field ,  Liqiang Zhu ,  Peter T. Brundrett ,  Paul J. Leach

IPC分类号： H04L9/32

CPC分类号： H04L63/102

摘要： Remote administrative privileges in a distributed system are disabled by default. To administer a remote system, express action is taken to elevate a user status to obtain remote administrative privileges. When local and remote systems communicate, information pertaining to the status of the logged on user is included in the communications. If the user wishes to legitimately administer a remote system, the user provides an explicit request. The request is processed. If the user is configured as an administrator of the remote system and the request contains an indication that the user's administrative status has been elevated, an authorization token is generated. The authorization token is utilized by the remote system to allow the user to administer the remote system.

摘要翻译： 默认情况下，分布式系统中的远程管理权限将被禁用。 要管理远程系统，请采取行动来提升用户状态以获得远程管理权限。 当本地和远程系统进行通信时，通信中包含与登录用户状态有关的信息。 如果用户希望合法地管理远程系统，则用户提供明确的请求。 请求被处理。 如果用户配置为远程系统的管理员，并且该请求包含用户的管理状态提升的指示，则会生成授权令牌。 远程系统利用授权令牌允许用户管理远程系统。

公开(公告)号：US07046689B2

公开(公告)日：2006-05-16

申请号：US09824901

申请日：2001-04-02

申请人： Gregory Burns ,  Paul J. Leach

发明人： Gregory Burns ,  Paul J. Leach

IPC分类号： H04L12/54 ,  H04J3/16

CPC分类号： H04L65/4084 ,  G06F17/30902 ,  H04B7/18582 ,  H04L29/06 ,  H04L29/06027 ,  H04L67/2819 ,  H04L67/2847 ,  H04L67/2852 ,  H04L67/325 ,  H04L69/329

摘要： A network system includes a content provider connected to local service providers via an interactive distribution network, such as the Internet. The local service providers facilitate delivery of the content from the content provider to multiple subscribers. The local service providers schedule delivery of frequently requested content from the content provider prior to a peak time when the subscribers are likely to request the content. The content is downloaded from the content provider during the off-peak hours and cached at the local service providers for serving to the subscribers during the ensuing peak time. In this manner, the frequently requested content is already present at the local service providers and ready to be served to the subscribers before they actually request it. When the content is finally requested, the data is streamed continuously in real-time for just-in-time rendering at the subscriber computer. Another aspect of this invention involves supplementing content delivery over the Internet with delivery of content over a secondary network, such as a broadcast satellite network. The supplemental broadcast link offers additional bandwidth at a fraction of the cost that would be incurred if the local service provider installed additional Internet connections, such as T1 or T3 connections.

摘要翻译： 网络系统包括经由诸如因特网的交互式分发网络连接到本地服务提供商的内容提供商。 本地服务提供商便于将内容从内容提供商传递到多个订阅者。 本地服务提供商在用户可能请求内容的高峰时间之前从内容提供商调度经常请求的内容的传送。 在非高峰时段，内容从内容提供商下载，并在随后的高峰时段缓存在本地服务提供商处供服务。 以这种方式，频繁请求的内容已经存在于本地服务提供商处，并且在其实际请求之前准备被发送给订户。 当最终请求内容时，数据在用户计算机上实时连续流式传输以便及时呈现。 本发明的另一方面涉及通过诸如广播卫星网络的辅助网络上的内容传送来补充因特网上的内容传送。 如果本地服务提供商安装了​​诸如T1或T3连接的其他互联网连接，补充广播链路将以一小部分成本提供额外的带宽。

公开(公告)号：US06910068B2

公开(公告)日：2005-06-21

申请号：US09811362

申请日：2001-03-16

申请人： William M. Zintel ,  Amar S. Gandhi ,  Ye Gu ,  Shyamalan Pather ,  Jeffrey C. Schlimmer ,  Christopher M. Rude ,  Daniel R. Weisman ,  Donald R. Ryan ,  Paul J. Leach ,  Ting Cai ,  Holly N. Knight ,  Peter S. Ford

发明人： William M. Zintel ,  Amar S. Gandhi ,  Ye Gu ,  Shyamalan Pather ,  Jeffrey C. Schlimmer ,  Christopher M. Rude ,  Daniel R. Weisman ,  Donald R. Ryan ,  Paul J. Leach ,  Ting Cai ,  Holly N. Knight ,  Peter S. Ford

IPC分类号： H04L12/28 ,  H04L12/46 ,  H04L12/56 ,  H04L29/06 ,  H04L29/08 ,  H04L29/12 ,  G06F15/177

CPC分类号： H04L29/12235 ,  H04L12/2803 ,  H04L12/2805 ,  H04L12/2807 ,  H04L12/2818 ,  H04L12/2856 ,  H04L12/2898 ,  H04L12/4633 ,  H04L29/06 ,  H04L29/0602 ,  H04L29/1232 ,  H04L29/12594 ,  H04L47/2408 ,  H04L61/2023 ,  H04L61/2092 ,  H04L61/30 ,  H04L67/02 ,  H04L67/025 ,  H04L67/125 ,  H04L67/14 ,  H04L67/16 ,  H04L69/329

摘要： A universal plug and play (UPnP) device makes itself known through a set of processes-discovery, description, control, eventing, and presentation. Following discovery of a UPnP device, an entity can learn more about the device and its capabilities by retrieving the device's description. The description includes vendor-specific manufacturer information like the model name and number, serial number, manufacturer name, URLs to vendor-specific Web sites, etc. The description also includes a list of any embedded devices or services, as well as URLs for control, eventing, and presentation. The description is written by a vendor, and is usually based on a device template produced by a UPnP forum working committee. The template is derived from a template language that is used to define elements to describe the device and any services supported by the device. The template language is written using an XML-based syntax that organizes and structures the elements.

公开(公告)号：US06584489B1

公开(公告)日：2003-06-24

申请号：US09038759

申请日：1998-03-11

申请人： Michael B. Jones ,  Paul J. Leach ,  Richard P. Draves, Jr. ,  Joseph S. Barrera, III ,  Steven P. Levi ,  Richard F. Rashid ,  Robert P. Fitzgerald

发明人： Michael B. Jones ,  Paul J. Leach ,  Richard P. Draves, Jr. ,  Joseph S. Barrera, III ,  Steven P. Levi ,  Richard F. Rashid ,  Robert P. Fitzgerald

IPC分类号： G06F900

CPC分类号： G06F9/50 ,  G06F2209/5014

摘要： A method and system for scheduling the use of a computer system resource using a resource planner and a resource provider are provided. In a preferred embodiment, a resource is scheduled for use by a plurality of consumer entities. Each consumer entity may request the commitment of a share of the resource. The method and system use representations of resource usage policy, present commitments of shares of the resource, and present commitments of specified amounts of the resource over a specified period of time. The method and system first receive a request from a consumer entity for the commitment of a specified share of the resource. In response, the method and system determine whether the specified share of the resource should be committed to the requesting consumer entity. This determination is based on the representations of resource usage policy and present commitments of shares of the resource. If it is determined that the specified share of the resource should be committed to the requesting consumer entity, then the method and system modify the representation of present commitments of shares of the resource to commit the specified share of the resource to the requesting consumer entity. The method and system then schedule the use of the resource by the plurality of consumer entities based on the modified representation of present commitments of shares of the resource.

摘要翻译： 提供了一种用于使用资源规划器和资源提供者调度计算机系统资源的使用的方法和系统。 在优选实施例中，资源被调度为由多个消费者实体使用。 每个消费者实体可以请求资源份额的承诺。 资源使用政策的方法和系统使用表示，资源份额的现有承诺以及在指定时间段内指定资源量的现有承诺。 该方法和系统首先从消费者实体接收对资源的指定份额的承诺的请求。 作为响应，方法和系统确定资源的指定份额是否应该提交给请求的消费者实体。 这一决定是基于资源使用政策的表示和资源份额的现有承诺。 如果确定资源的指定份额应该提交给请求的消费者实体，则方法和系统将修改资源共享的当前承诺的表示，以将该资源的指定份额提交给请求的消费者实体。 该方法和系统随后基于对资源的份额的当前承诺的修改的表示来安排多个消费者实体的资源的使用。

公开(公告)号：US06298373B1

公开(公告)日：2001-10-02

申请号：US09260932

申请日：1999-03-02

申请人： Gregory Burns ,  Paul J. Leach

发明人： Gregory Burns ,  Paul J. Leach

IPC分类号： G06F1300

CPC分类号： H04L65/4084 ,  G06F17/30902 ,  H04B7/18582 ,  H04L29/06 ,  H04L29/06027 ,  H04L67/2819 ,  H04L67/2847 ,  H04L67/2852 ,  H04L67/325 ,  H04L69/329

摘要： A network system includes a content provider connected to local service providers via an interactive distribution network, such as the Internet. The local service providers facilitate delivery of the content from the content provider to multiple subscribers. The local service providers schedule delivery of frequently requested content from the content provider prior to a peak time when the subscribers are likely to request the content. The content is downloaded from the content provider during the off-peak hours and cached at the local service providers for serving to the subscribers during the ensuing peak time. In this manner, the frequently requested content is already present at the local service providers and ready to be served to the subscribers before they actually request it. When the content is finally requested, the data is streamed continuously in real-time for just-in-time rendering at the subscriber computer. Another aspect of this invention involves supplementing content delivery over the Internet with delivery of content over a secondary network, such as a broadcast satellite network. The supplemental broadcast link offers additional bandwidth at a fraction of the cost that would be incurred if the local service provider installed additional Internet connections, such as T1 or T3 connections.

摘要翻译： 网络系统包括经由诸如因特网的交互式分发网络连接到本地服务提供商的内容提供商。 本地服务提供商便于将内容从内容提供商传递到多个订阅者。 本地服务提供商在用户可能请求内容的高峰时间之前从内容提供商调度经常请求的内容的传送。 在非高峰时段，内容从内容提供商下载，并在随后的高峰时段缓存在本地服务提供商处供服务。 以这种方式，频繁请求的内容已经存在于本地服务提供商处，并且在其实际请求之前准备被发送给订户。 当最终请求内容时，数据在用户计算机上实时连续流式传输以便及时呈现。 本发明的另一方面涉及通过诸如广播卫星网络的辅助网络上的内容传送来补充因特网上的内容传送。 如果本地服务提供商安装了​​诸如T1或T3连接的其他互联网连接，补充广播链路将以一小部分成本提供额外的带宽。

公开(公告)号：US09032492B2

公开(公告)日：2015-05-12

申请号：US13224246

申请日：2011-09-01

申请人： Mark Novak ,  Paul J. Leach ,  Yi Zeng ,  Saurav Sinha ,  K Michiko Short ,  Gopinathan Kannan

发明人： Mark Novak ,  Paul J. Leach ,  Yi Zeng ,  Saurav Sinha ,  K Michiko Short ,  Gopinathan Kannan

IPC分类号： G06F21/00 ,  H04L29/06 ,  H04W12/06 ,  H04L9/32 ,  G06F21/34

CPC分类号： G06F21/00 ,  G06F21/34 ,  H04L63/065 ,  H04L63/068 ,  H04L67/10 ,  H04L2463/121 ,  H04W12/06

摘要： A distributed system in which time-dependent credentials are supplied by controllers that operate according to different local times. Errors that might arise from the controllers generating inconsistent credentials because of time skew are avoided by identifying credentials generated during transition intervals in which different ones of the controllers may generate different credentials at the same absolute time. During a transition interval, controllers and other devices may use credentials differentially based on the nature of the authentication function. Each controller may periodically renew its credentials based on self-scheduled renewals or based on requests from other devices, such that renewal times are offset by random delays to avoid excessive network traffic. Controllers may determine which credential is valid for any given time, based on a cryptographically secure key associated with that time and information identifying the entity that is associated with that credential.

公开(公告)号：US08627440B2

公开(公告)日：2014-01-07

申请号：US12647327

申请日：2009-12-24

申请人： David R. Mowers ,  Daniel R. Simon ,  Paul J. Leach ,  John A. Banes

发明人： David R. Mowers ,  Daniel R. Simon ,  Paul J. Leach ,  John A. Banes

IPC分类号： G06F15/16

CPC分类号： H04L63/08 ,  H04L63/0442 ,  H04L63/0807 ,  H04L63/0869 ,  H04L63/10 ,  H04L63/12 ,  H04L63/166 ,  H04L67/42

摘要： This disclosure pertains generally to client authentication. One aspect of the disclosure relates to a first server for presenting evidence to a Domain Controller (DC) of a first authentication context being submitted from a client to the first server to obtain a delegable credential, wherein the credential can be used to request a second authentication context from that client to a second server. Another aspect relates to the first server providing a pass-thru with evidence to a DC. The evidence relates to a first authentication context being submitted from a client to the first server that it obtained a delegable credential. The pass-thru is used in combination with the credential to request a second authentication context from the client to a second server.

摘要翻译： 本公开通常涉及客户端认证。 本公开的一个方面涉及一种用于向第一认证上下文的域控制器（DC）呈现证据的第一服务器，该第一认证上下文从客户端提交到第一服务器以获得可委托的证书，其中该凭证可用于请求第二认证上下文 认证上下文从该客户端到第二个服务器。 另一方面涉及第一台服务器向DC提供证据。 证据涉及从客户端向第一服务器提交的第一个身份验证上下文，它获取了一个可委托凭证。 通过与凭证组合使用以从客户端请求第二认证上下文到第二服务器。