Abstract:
A client device communicates with a target entity server and one or more third party devices. The client device has a client credential that includes a client public key and a client certificate chain. The client certificate chain includes a chain of human-readable names. The client device delegates a third party device access to a service on the server by creating a delegate certificate chain for the third party device. The delegate certificate chain is bound to a public key for the third party device and includes a human-readable name with an extension selected for the third party device. The delegate certificate chain also may include a section of the human-readable name that identifies the client device. The client device transmits or otherwise presents the delegate certificate chain to the third party device.
Abstract:
A method of controlling the sharing of data between entities that are in electronic communication with each other may include generating an authentication credential comprising an identifier for a target service and a unique signature, attenuating the authentication credential, and determining whether a client device is authorized to access the target service and, only if so, providing the authentication credential to the client device. In an embodiment, the method may include receiving an access request from the client device and identifying that the authentication credential includes the unique signature and a third party caveat that is associated with a third party authentication service. In response to the identifying, the method determines whether the request also comprises a discharge credential for the third party caveat; if the request includes the discharge credential, the client device is provided with the requested service, otherwise the request is denied.
Abstract:
In a method of controlling sharing of an object between entities in a distributed system, a processor will identify an object and generate an access control list (ACL) for the object so that the ACL includes a list of clauses. Each clause will include a blessing pattern that will match one or more blessings, and at least one of the clauses also may include a reference to one or more groups. Each group represents a set of strings that represent blessing patterns or fragments of blessing patterns. The processor may generate each clause of the ACL as either a permit clause or a deny clause to indicate whether an entity or entities that have a blessing matched by the blessing pattern are permitted to access the object. The processor will save the ACL to a data store for use in responding to a request to access the object.
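As an added example that is not taken from any of the patents above: a small Python evaluator for an ACL made of permit and deny clauses over blessing patterns, where a pattern may reference a group whose members are whole patterns or fragments spliced into the pattern. It assumes a ':' separator between name components, that a pattern matches a blessing equal to it or extended by further components, that '<name>' denotes a group reference, and that a matching deny clause overrides any permit (all of these are assumptions, not the patent's stated semantics).

```python
from dataclasses import dataclass
from typing import Dict, List, Set

SEP = ":"  # assumed separator between name components, e.g. "alice:phone"


def pattern_matches(pattern: str, blessing: str) -> bool:
    """Assumed semantics: a pattern matches a blessing that equals it or that
    extends it by one or more SEP-delimited components ("alice" matches
    "alice:phone" but not "alicia" or "bob")."""
    return blessing == pattern or blessing.startswith(pattern + SEP)


def expand(pattern: str, groups: Dict[str, Set[str]]) -> List[str]:
    """Replace each '<group>' reference with every member of that group.
    A member may be a full pattern ("<admins>" -> "alice") or a fragment
    spliced in place ("company:<devs>" -> "company:carol").
    An unknown group expands to nothing, so the clause fails closed."""
    if "<" not in pattern:
        return [pattern]
    start = pattern.index("<")
    end = pattern.index(">", start)
    name = pattern[start + 1:end]
    results: List[str] = []
    for member in sorted(groups.get(name, set())):
        spliced = pattern[:start] + member + pattern[end + 1:]
        results.extend(expand(spliced, groups))  # members may nest groups
    return results


@dataclass
class Clause:
    patterns: List[str]  # blessing patterns, possibly with <group> references
    permit: bool         # True = permit clause, False = deny clause


def is_authorized(acl: List[Clause], groups: Dict[str, Set[str]],
                  blessings: List[str]) -> bool:
    """Assumed policy: any matching deny clause wins; otherwise the request
    is authorized only if at least one permit clause matches a blessing."""
    permitted = False
    for clause in acl:
        for pat in expand_all(clause.patterns, groups):
            if any(pattern_matches(pat, b) for b in blessings):
                if not clause.permit:
                    return False
                permitted = True
    return permitted


def expand_all(patterns: List[str], groups: Dict[str, Set[str]]) -> List[str]:
    return [p for pattern in patterns for p in expand(pattern, groups)]


# Constructed sample policy: admins anywhere, devs only under "company",
# and an explicit deny for one intern sub-name.
GROUPS = {"admins": {"alice", "bob:laptop"}, "devs": {"carol", "dave"}}
ACL = [Clause(["<admins>"], permit=True),
       Clause(["company:<devs>"], permit=True),
       Clause(["company:dave:intern"], permit=False)]
```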
Abstract:
In a distributed system, data is shared between three or more electronic devices. The first device generates and signs an object that includes the data. A second device receives the signed object and determines whether the signed object is valid. If valid, the second device will generate a validated signed object and send it to a third device. The third device will validate the object by determining whether the object includes valid signatures of both the first and second devices.