公开(公告)号：US06985958B2

公开(公告)日：2006-01-10

申请号：US10003754

申请日：2001-10-22

申请人： Mark Lucovsky ,  Shaun D. Pierce ,  Alexander T. Weinert ,  Michael G. Burner ,  Richard B. Ward ,  Paul J. Leach ,  George M. Moore ,  Arthur Zwiegincew ,  Vivek Gundotra ,  Robert M. Hyman ,  Jonathan D. Pincus ,  Daniel R. Simon

发明人： Mark Lucovsky ,  Shaun D. Pierce ,  Alexander T. Weinert ,  Michael G. Burner ,  Richard B. Ward ,  Paul J. Leach ,  George M. Moore ,  Arthur Zwiegincew ,  Vivek Gundotra ,  Robert M. Hyman ,  Jonathan D. Pincus ,  Daniel R. Simon

IPC分类号： G06F13/00

CPC分类号： H04L63/101 ,  G06F21/6218 ,  G06F21/6227 ,  G06F21/6245 ,  G06Q10/109 ,  H04L12/1859 ,  H04L12/1863 ,  H04L29/06 ,  H04L63/104 ,  H04L63/123 ,  H04L63/1425 ,  H04L67/02 ,  H04L67/16 ,  H04L67/303 ,  H04L67/306 ,  H04L67/325 ,  H04L67/40 ,  H04L67/42 ,  H04L69/329

摘要： A messaging data structure for accessing data in an identity-centric manner. An identity may be a user, a group of users, or an organization. Instead of data being maintained on an application-by-application basis, the data associated with a particular identity is stored by one or more data services accessible by many applications. The data is stored in accordance with a schema that is recognized by a number of different applications and the data service. The messaging data structure includes fields that identify the target data object to be operated upon using an identity field, a schema field, and an instance identifier field. In addition, the desired operation is specified. Thus, the target data object is operated on in an identity-centric manner.

公开(公告)号：US07284271B2

公开(公告)日：2007-10-16

申请号：US10003767

申请日：2001-10-22

申请人： Mark Lucovsky ,  Shaun D. Pierce ,  Michael G. Burner ,  Richard B. Ward ,  Paul J. Leach ,  George M. Moore ,  Arthur Zwiegincew ,  Robert M. Hyman ,  Jonathan D. Pincus ,  Daniel R. Simon

发明人： Mark Lucovsky ,  Shaun D. Pierce ,  Michael G. Burner ,  Richard B. Ward ,  Paul J. Leach ,  George M. Moore ,  Arthur Zwiegincew ,  Robert M. Hyman ,  Jonathan D. Pincus ,  Daniel R. Simon

IPC分类号： H04L9/32 ,  G06F12/14

CPC分类号： H04L63/101 ,  G06F21/6218 ,  G06F21/6227 ,  G06F21/6245 ,  G06Q10/109 ,  H04L12/1859 ,  H04L12/1863 ,  H04L29/06 ,  H04L63/08 ,  H04L63/1425 ,  H04L67/02 ,  H04L67/16 ,  H04L67/303 ,  H04L67/306 ,  H04L67/325 ,  H04L67/40 ,  H04L67/42 ,  H04L69/329

摘要： Authorizing a requesting entity to have a service perform a particular action in a manner that is at least partially independent of the underlying target data structure. An authorization station maintains a number of role templates that each define basic access permissions with respect to a number of command methods. The authorization station also maintains a number of role definitions that each define access permissions for specific requesting entities by using one or more of the role templates. When the authorization station receives a request from the requesting entity, the authorization station then identifies the appropriate role definition. Using this role definition, the authorization station determines access permissions for the requesting entity with respect to the requested action.

摘要翻译： 授权请求实体使服务以至少部分独立于基础目标数据结构的方式执行特定动作。 授权站维护多个角色模板，每个角色模板定义关于多个命令方法的基本访问权限。 授权站还维护多个角色定义，每个角色定义通过使用一个或多个角色模板定义特定请求实体的访问权限。 当授权站从请求实体接收到请求时，授权站然后识别适当的角色定义。 使用该角色定义，授权站根据所请求的动作确定请求实体的访问权限。

公开(公告)号：US07136859B2

公开(公告)日：2006-11-14

申请号：US10003753

申请日：2001-10-22

申请人： Mark Lucovsky ,  Shaun D. Pierce ,  Alexander T. Weinert ,  Michael G. Burner ,  Richard B. Ward ,  Paul J. Leach ,  George M. Moore ,  Arthur Zwiegincew ,  Robert M. Hyman ,  Jonathan D. Pincus ,  Daniel R. Simon

发明人： Mark Lucovsky ,  Shaun D. Pierce ,  Alexander T. Weinert ,  Michael G. Burner ,  Richard B. Ward ,  Paul J. Leach ,  George M. Moore ,  Arthur Zwiegincew ,  Robert M. Hyman ,  Jonathan D. Pincus ,  Daniel R. Simon

IPC分类号： G06F7/00 ,  G06F17/30

CPC分类号： H04L67/16 ,  G06F17/3061 ,  G06F17/30908 ,  G06F21/6218 ,  G06F21/6227 ,  G06F21/6245 ,  G06Q10/109 ,  H04L12/1859 ,  H04L12/1863 ,  H04L29/06 ,  H04L63/101 ,  H04L67/02 ,  H04L67/28 ,  H04L67/2819 ,  H04L67/303 ,  H04L67/306 ,  H04L67/325 ,  H04L67/40 ,  H04L67/42 ,  H04L69/329 ,  Y10S707/99944

摘要： Directly operating on data structures in a generic manner regardless of the type of data structure being operated upon and without requiring dedicated executable code for manipulating data structures of the particular data type. A common set of commands (e.g., insert, delete, replace, update, query) are recognized that may be used to operate on data structures of a number of different data types. A navigation module accesses a request to execute one of the common command methods on at least an identified portion of an identified data structure. Then, the navigation module accesses a navigation assistance module to access a set of rules associated with the particular data type, the set of rules allowing the navigation module to find the portion of the data structure that is to be operated on. If appropriate, the command operation is then executed on the identified portion of the data structure.

公开(公告)号：US07200599B2

公开(公告)日：2007-04-03

申请号：US09887524

申请日：2001-06-21

申请人： Daniel R. Simon ,  Valentin N. Razmov ,  Jonathan D. Pincus

发明人： Daniel R. Simon ,  Valentin N. Razmov ,  Jonathan D. Pincus

IPC分类号： G06F17/30

CPC分类号： G06F21/316 ,  Y10S707/922 ,  Y10S707/99933 ,  Y10S707/99936 ,  Y10S707/99943

摘要： An implementation of a technology, described herein, for facilitating the automated generation of input-validation software filters. The implementation of the invention provides an easy graphical user interface (GUI). With this GUI, a user (such as a system administrator) is able to quickly enter a set of parameters defining what valid inputs constitute—in particular, when such inputs come from a computing component. Consequently, the user does not have to manually generate filtering instructions on how to filter input from a computing component. This abstract itself is not intended to limit the scope of this patent. The scope of the present invention is pointed out in the appending claims.

摘要翻译： 本文所述的技术的实现，用于促进输入验证软件过滤器的自动生成。 本发明的实现提供了一种简单的图形用户界面（GUI）。 使用该GUI，用户（例如系统管理员）能够快速输入一组定义什么有效输入构成的参数 - 特别是当这样的输入来自计算组件时。 因此，用户不必手动生成关于如何过滤来自计算组件的输入的过滤指令。 本摘要本身并不旨在限制本专利的范围。 在所附权利要求中指出了本发明的范围。

公开(公告)号：US20100100953A1

公开(公告)日：2010-04-22

申请号：US12647327

申请日：2009-12-24

申请人： David R. Mowers ,  John Banes ,  Daniel R. Simon ,  Paul J. Leach

发明人： David R. Mowers ,  John Banes ,  Daniel R. Simon ,  Paul J. Leach

IPC分类号： H04L9/32 ,  H04L9/00

CPC分类号： H04L63/08 ,  H04L63/0442 ,  H04L63/0807 ,  H04L63/0869 ,  H04L63/10 ,  H04L63/12 ,  H04L63/166 ,  H04L67/42

摘要： This disclosure pertains generally to client authentication. One aspect of the disclosure relates to a first server for presenting evidence to a Domain Controller (DC) of a first authentication context being submitted from a client to the first server to obtain a delegable credential, wherein the credential can be used to request a second authentication context from that client to a second server. Another aspect relates to the first server providing a pass-thru with evidence to a DC. The evidence relates to a first authentication context being submitted from a client to the first server that it obtained a delegable credential. The pass-thru is used in combination with the credential to request a second authentication context from the client to a second server.

摘要翻译： 本公开通常涉及客户端认证。 本公开的一个方面涉及一种用于向第一认证上下文的域控制器（DC）呈现证据的第一服务器，该第一认证上下文从客户端提交到第一服务器以获得可委托的证书，其中该凭证可用于请求第二认证上下文 认证上下文从该客户端到第二个服务器。 另一方面涉及第一台服务器向DC提供证据。 证据涉及从客户端向第一服务器提交的第一个身份验证上下文，它获取了一个可委托凭证。 通过与凭证组合使用以从客户端请求第二认证上下文到第二服务器。

公开(公告)号：US08627440B2

公开(公告)日：2014-01-07

申请号：US12647327

申请日：2009-12-24

申请人： David R. Mowers ,  Daniel R. Simon ,  Paul J. Leach ,  John A. Banes

发明人： David R. Mowers ,  Daniel R. Simon ,  Paul J. Leach ,  John A. Banes

IPC分类号： G06F15/16

CPC分类号： H04L63/08 ,  H04L63/0442 ,  H04L63/0807 ,  H04L63/0869 ,  H04L63/10 ,  H04L63/12 ,  H04L63/166 ,  H04L67/42

摘要： This disclosure pertains generally to client authentication. One aspect of the disclosure relates to a first server for presenting evidence to a Domain Controller (DC) of a first authentication context being submitted from a client to the first server to obtain a delegable credential, wherein the credential can be used to request a second authentication context from that client to a second server. Another aspect relates to the first server providing a pass-thru with evidence to a DC. The evidence relates to a first authentication context being submitted from a client to the first server that it obtained a delegable credential. The pass-thru is used in combination with the credential to request a second authentication context from the client to a second server.

摘要翻译： 本公开通常涉及客户端认证。 本公开的一个方面涉及一种用于向第一认证上下文的域控制器（DC）呈现证据的第一服务器，该第一认证上下文从客户端提交到第一服务器以获得可委托的证书，其中该凭证可用于请求第二认证上下文 认证上下文从该客户端到第二个服务器。 另一方面涉及第一台服务器向DC提供证据。 证据涉及从客户端向第一服务器提交的第一个身份验证上下文，它获取了一个可委托凭证。 通过与凭证组合使用以从客户端请求第二认证上下文到第二服务器。

公开(公告)号：US07644275B2

公开(公告)日：2010-01-05

申请号：US10413799

申请日：2003-04-15

申请人： David R. Mowers ,  John Banes ,  Daniel R. Simon ,  Paul J. Leach

发明人： David R. Mowers ,  John Banes ,  Daniel R. Simon ,  Paul J. Leach

IPC分类号： H04L9/00

CPC分类号： H04L63/08 ,  H04L63/0442 ,  H04L63/0807 ,  H04L63/0869 ,  H04L63/10 ,  H04L63/12 ,  H04L63/166 ,  H04L67/42

摘要： This disclosure pertains generally to client authentication. One aspect of the disclosure relates to a first server for presenting evidence to a Domain Controller (DC) of a first authentication context being submitted from a client to the first server to obtain a delegable credential, wherein the credential can be used to request a second authentication context from that client to a second server. Another aspect relates to the first server providing a pass-thru with evidence to a DC. The evidence relates to a first authentication context being submitted from a client to the first server that it obtained a delegable credential. The pass-thru is used in combination with the credential to request a second authentication context from the client to a second server.

摘要翻译： 本公开通常涉及客户端认证。 本公开的一个方面涉及一种用于向第一认证上下文的域控制器（DC）呈现证据的第一服务器，该第一认证上下文从客户端提交到第一服务器以获得可委托的证书，其中该凭证可用于请求第二认证上下文 认证上下文从该客户端到第二个服务器。 另一方面涉及第一台服务器向DC提供证据。 证据涉及从客户端向第一服务器提交的第一个身份验证上下文，它获取了一个可委托凭证。 通过与凭证组合使用以从客户端请求第二认证上下文到第二服务器。

公开(公告)号：US08681995B2

公开(公告)日：2014-03-25

申请号：US12974590

申请日：2010-12-21

申请人： Shyam Seshadri ,  Jeffrey J. Westhead ,  Vamshi Krishna Kancharla ,  Daniel R. Simon ,  Anthony G. Jones ,  Frank Ronneburg ,  Guillaume V. Bailey

发明人： Shyam Seshadri ,  Jeffrey J. Westhead ,  Vamshi Krishna Kancharla ,  Daniel R. Simon ,  Anthony G. Jones ,  Frank Ronneburg ,  Guillaume V. Bailey

IPC分类号： H04L29/06

CPC分类号： H04L29/12066 ,  H04L9/083 ,  H04L9/3247 ,  H04L29/12132 ,  H04L29/12301 ,  H04L61/1511 ,  H04L61/1552 ,  H04L61/2076 ,  H04L63/1416

摘要： Multiple peer domain name system (DNS) servers are included in a multi-master DNS environment. One of the multiple peer DNS servers is a key master peer DNS server that generates one or more keys for a DNS zone serviced by the multiple peer DNS servers. The key master peer DNS server can also generate a signing key descriptor that identifies the set of one or more keys for the DNS zone, and communicate the signing key descriptor to the other ones of the multiple peer DNS servers.

摘要翻译： 多个对等域名系统（DNS）服务器包含在多主机DNS环境中。 多个对等DNS服务器之一是主要对等DNS服务器，为多个对等DNS服务器所服务的DNS区域生成一个或多个密钥。 关键的主对等DNS服务器还可以生成标识DNS区域的一个或多个密钥的集合的签名密钥描述符，并将签名密钥描述符传送到多个对等DNS服务器中的其他密钥描述符。

公开(公告)号：US08380841B2

公开(公告)日：2013-02-19

申请号：US11608126

申请日：2006-12-07

申请人： John Dunagan ,  Gregory D. Hartrell ,  Daniel R. Simon

发明人： John Dunagan ,  Gregory D. Hartrell ,  Daniel R. Simon

IPC分类号： G06F15/173 ,  G06F11/00

CPC分类号： H04L63/1433 ,  G06F21/577 ,  G06F2221/2101

摘要： A strategy is described for assessing and mitigating vulnerabilities within a data processing environment. The strategy collects access data that reflects actual log-in behavior exhibited by users in the environment. The strategy also collects rights data that reflects the rights possessed by one or more administrators within the environment. Based on the access data and rights data, the strategy identifies how a user or other entity that gains access to one part of the environment can potentially compromise additional parts of the environment. The strategy can recommend and implement steps aimed at reducing any identified vulnerabilities.

摘要翻译： 描述了一种用于评估和减轻数据处理环境中的漏洞的策略。 该策略收集反映用户在环境中展示的实际登录行为的访问数据。 该策略还收集反映环境中一个或多个管理员拥有的权利的权限数据。 根据访问数据和权限数据，该策略将识别获得对环境一部分访问权限的用户或其他实体如何潜在地危及环境的其他部分。 该策略可以推荐并实施旨在减少任何已识别的漏洞的步骤。

公开(公告)号：US08205252B2

公开(公告)日：2012-06-19

申请号：US11460929

申请日：2006-07-28

申请人： Daniel R. Simon ,  Sharad Agarwal ,  David A. Maltz

发明人： Daniel R. Simon ,  Sharad Agarwal ,  David A. Maltz

IPC分类号： H04L29/06

CPC分类号： H04L63/1433 ,  H04L12/66 ,  H04L45/74 ,  H04L63/0227 ,  H04L63/0236 ,  H04L63/0263 ,  H04L63/1408 ,  H04L63/1416 ,  H04L63/1441 ,  H04L63/1458 ,  H04L2463/146

摘要： Accountability among Autonomous Systems (ASs) in a network ensures reliable identification of various customers within the ASs and provides defensibility against malicious customers within the ASs. In one implementation, reliable identification is achieved by implementing ingress filtering on data packets originating within individual ASs and defensibility is provided by filtering data packets on request. To facilitate on-request filtering, individual ASs are equipped with a Filter Request Server (FRS) to filter data packets from certain customers identified in a filter request. Thus, when a requesting customer makes a filter request against an offending customer, the FRS within the AS to which the offending customer belongs conducts on-request filtering and installs an on-request filter on a first-hop network infrastructure device for the offending customer. Consequently, the first-hop network infrastructure device filters any data packet sent from the offending customer to the requesting customer.

摘要翻译： 网络中的自治系统（AS）的责任确保对AS内各种客户的可靠识别，并为AS内的恶意客户提供防御性。 在一个实现中，通过对源自各个AS的数据分组进行入口过滤来实现可靠的识别，并且通过根据请求过滤数据分组来提供防御性。 为了便于按需请求过滤，单个AS配备了过滤器请求服务器（FRS），用于过滤来自过滤请求中标识的某些客户端的数据包。 因此，当请求客户对违规客户进行过滤请求时，违规客户所属的AS内的FRS进行按需请求过滤，并在违规客户的第一跳网络基础设施设备上安装请求过滤器 。 因此，第一跳网络基础设施设备将从违规客户发送的任何数据包过滤到请求的客户。