摘要:
Disclosed herein is a technique for certifying distributable objects. The technique involves creating a certification for each distributable object to indicate properties of the object. Using certifications such as this, it is possible to accept objects having certain properties only from specified entities.
摘要:
A resource of a first organization provides access thereto to a requestor of a second organization. A first administrator of the first organization issues a first credential to a second administrator of the second organization, including policy that the second administrator may issue a second credential to the requestor on behalf of the first administrator. The second administrator issues the second credential to the requester, including the issued first credential. The requestor requests access from the resource and includes the issued first and second credentials. The resource validates that the issued first credential ties the first administrator to the second administrator, and that the issued second credential ties the second administrator to the requester. The resource thus knows that the request is based on rights delegated from the first administrator to the requester by way of the second administrator.
摘要:
Supporting statements are provided to help safely and efficiently construct and verify proofs necessary for deciding whether to grant a request from one entity for accessing a resource owned or administered by another entity.
摘要:
An improved certificate issuing system may comprise a certificate translation engine for translating incoming certificates and certificate requests from a first format into a second format. A certificate issuing engine may then operate on incoming requests in the common format. The issuing engine can issue certificates to clients according to its certificate issuing policy. The policy may be expressed as data in a policy expression language that can be consumed at runtime, which provides for flexible and efficient changing of issuing policy. Issued certificates can be translated back into a format that is consumed by the requesting client. Such translation can be performed by the translation engine prior to delivery of certificates to requesting clients.
摘要:
Abstracting access control policy from access check mechanisms allows for richer expression of policy, using a declarative model with semantics, than what is permitted by the access check mechanisms. Further, abstracting access control policy allows for uniform expression of policy across multiple access check mechanisms. Proof-like reasons for any access query are provided, such as who has access to what resource, built from the policy statements themselves, independent of the access check mechanism that provide access. Access is audited and policy-based reasons for access are provided based on the access control policy.
摘要:
An improved certificate issuing system may comprise a novel arrangement for expressing certificate issuing policy. The policy may be expressed in a human-readable policy expression language and stored for example in a file that is consumed by a certificate issuing system at runtime. The policy may thus be easily changed by altering the digital file. Certain techniques are also provided for extending the capabilities of the certificate issuing system so it may apply and enforce new policies.
摘要:
Disclosed herein is a technique for certifying distributable objects. The technique involves creating a certification for each distributable object to indicate properties of the object. Using certifications such as this, it is possible to accept objects having certain properties only from specified entities.
摘要:
Techniques for distributed knowledge access control are disclosed herein. These techniques may enable access control information to be provided in the form of a statement that includes an assertion and a construct that targets the assertion to one or more intended entities. By targeting the statement to intended entities, the construct may help protect resources from unauthorized use and may also help protect the issuer of the statement from accountability resulting from misuse of the statement.
摘要:
An improved certificate issuing system may comprise a certificate translation engine for translating incoming certificates and certificate requests from a first format into a second format. A certificate issuing engine may then operate on incoming requests in the common format. The issuing engine can issue certificates to clients according to its certificate issuing policy. The policy may be expressed as data in a policy expression language that can be consumed at runtime, which provides for flexible and efficient changing of issuing policy. Issued certificates can be translated back into a format that is consumed by the requesting client. Such translation can be performed by the translation engine prior to delivery of certificates to requesting clients.
摘要:
A license is issued to a user as decryption and authorization portions. The decryption portion is accessible only by such user and has a decryption key (KD) for decrypting corresponding encrypted digital content and validating information including an identification of a root trust authority. The authorization portion sets forth rights granted in connection with the digital content and conditions that must be satisfied to exercise the rights granted, and has a digital signature that is validated according to the identified root trust authority in the decryption portion. The user issued accesses the decryption portion and employs the validation information therein to validate the digital signature of the authorization portion. If the conditions in the authorization portion so allow, the rights in the authorization portion are exercised by decrypting the encrypted content with the decryption key (KD) from the decryption portion and rendering the decrypted content.