Method and apparatus for presenting anonymous group names
    1.
    Patent grant
    Method and apparatus for presenting anonymous group names (status: active)

    Publication number: US06801998B1

    Publication date: 2004-10-05

    Application number: US09439246

    Filing date: 1999-11-12

    IPC classification: H04L900

    Abstract: A method and system for granting an applicant associated with a client computer in a client-server system access to a requested service without providing the applicant with intelligible information regarding group membership. The applicant transmits a request for service to an application server over a computer network. In response, the application server prepares an encrypted message which includes the identification of the group or groups having access privileges and transmits the encrypted message to the client along with a request that the client prove membership in at least one of the groups. The message is encrypted with an encryption key which can be decrypted by a group membership server.


    Signed group criteria
    2.
    Patent grant
    Signed group criteria (status: active)

    Publication number: US06263434B1

    Publication date: 2001-07-17

    Application number: US09399899

    Filing date: 1999-09-21

    IPC classification: A61F238

    Abstract: A method and apparatus for identifying an applicant as a member of a group without explicitly listing all possible applicants. A test is defined which specifies the criteria for group membership. The test definition and an optional group identifier code are supplied to a criterion generator. The criterion generator generates an authenticated message based, at least in part, upon said test definition. The authenticated message is delivered to one or more criterion evaluators that verify the authenticated message. In one embodiment, once the authenticated message has been verified, the applicant for access to a resource presents a credential to the criterion evaluator. If the credential satisfies the test definition, the applicant is granted access to the specified resource, and is denied access if the credential does not satisfy the test definition. In another embodiment, upon presentation of a suitable credential to the criterion evaluator, the criterion evaluator produces a group membership credential that may be presented to an actuator that is not in communication with the criterion evaluator. If the actuator determines that the group membership credential is authentic, the applicant is granted access to the resource.


    Method and system for proving membership in a nested group using chains of credentials
    3.
    Patent grant
    Method and system for proving membership in a nested group using chains of credentials (status: active)

    Publication number: US07213262B1

    Publication date: 2007-05-01

    Application number: US09310165

    Filing date: 1999-05-10

    IPC classification: H04L9/32 G06F15/16 G06F17/30

    CPC classification: G06F21/6218 G06F2221/2115

    Abstract: In accordance with the invention, a presenter of credentials presents to a recipient of credentials one or more chains of group credentials to prove entity membership or non-membership in a nested group in a computer network. The ability to present a chain of credentials is particularly important when a client is attempting to prove membership or non-membership in a nested group and one or more of the group servers in the family tree are off-line. A chain of group credentials includes two or more proofs of group membership and/or proofs of group non-membership. Furthermore, the proofs of group membership may include one or more group membership certificates and/or one or more group membership lists; and proofs of group non-membership may include one or more group non-membership certificates and/or one or more group membership lists.


    Method ans system for pro-active credential refreshing
    4.
    Patent grant
    Method ans system for pro-active credential refreshing (status: active)

    Publication number: US07058798B1

    Publication date: 2006-06-06

    Application number: US09547183

    Filing date: 2000-04-11

    IPC classification: G06F7/04

    CPC classification: G06F21/6218

    Abstract: The basic concept is that before a resource is accessed, the entity that has the burden of gathering the credentials pro-actively refreshes the credentials and keeps them current. In one instance, a presenter of credentials, for example a client, pro-actively refreshes the credentials such that at the time of presentation the credentials meet the resource-specific constraints of a recipient of credentials, for example a resource server. For each resource that it protects, a resource server typically establishes various constraints such as a recency requirement, which specifies how recently a credential has to have been issued to be accepted as an adequate credential. Other constraints may include maximum certificate chain length, trust level and so forth. In another instance, a recipient of credentials pro-actively gathers and refreshes credentials to prevent unauthorized access to the various resources it is protecting.


    Trust ratings in group credentials
    5.

    Publication number: US07085925B2

    Publication date: 2006-08-01

    Application number: US09825100

    Filing date: 2001-04-03

    IPC classification: H04L9/00 H04L9/32

    CPC classification: H04L9/3263

    Abstract: A method and system for evaluating a set of credentials that includes at least one group credential and that may include one or more additional credentials. A trust rating is provided in association with the at least one group credential within the set of credentials, and trust ratings may also be provided in other credentials within the set of credentials. Each trust rating provides an indication of the level of confidence in the information being certified in the respective credential. In response to a request for access to a resource or service, an evaluation of the group credentials is performed by an access control program to determine whether access to the requested resource or service should be provided. In one embodiment, within any given certification path a composite trust rating for the respective path is determined. An overall trust rating for the set of credentials is determined based upon the composite trust ratings. Upon a determination that a user requesting access to a resource has an acceptable set of credentials and a satisfactory trust rating, access to the requested resource or service is granted to the user.

    Replacing an email attachment with an address specifying where the attachment is stored
    6.
    Patent grant
    Replacing an email attachment with an address specifying where the attachment is stored (status: active)

    Publication number: US07054905B1

    Publication date: 2006-05-30

    Application number: US09539269

    Filing date: 2000-03-30

    IPC classification: G06F15/16 H04L9/00

    Abstract: One embodiment of the present invention provides a system that replaces an attachment to an email message with a reference to a location where the attachment is stored. Upon receiving the email message, the system examines the email message to determine if the email message includes an attachment. If the email message includes the attachment, the system stores the attachment at a location on a communication network from which the attachment can be retrieved. The system also modifies the email message by replacing the attachment with a reference specifying the location of the attachment, and sends the modified email message to a recipient of the email message. In one embodiment of the present invention, the recipient receives the modified email message and uses the reference specifying the location of the attachment to retrieve the attachment across the communication network.


    Extensible system for building and evaluating credentials
    7.
    Patent grant
    Extensible system for building and evaluating credentials (status: active)

    Publication number: US07010690B1

    Publication date: 2006-03-07

    Application number: US09612057

    Filing date: 2000-07-07

    IPC classification: H04L9/00

    CPC classification: G06F21/31

    Abstract: A method and apparatus for authenticating and authorizing a user of a device connected to a network. In one embodiment, a set of credential descriptors is generated that describes credentials that must be built for authenticating the user. The set of credential descriptors is provided to a first device, which includes a first master credential builder for building credentials corresponding to at least one of the credential descriptors. In the event that the first master credential builder does not build all of the credentials corresponding to the set of credential descriptors, another set of credential descriptors is provided to a second device, which includes a second master credential builder for building at least one credential remaining to be built. This process continues until all credentials have been built or a determination is made that they cannot be built. After all credentials have been built, the credentials are provided to a master credential evaluator, which may be included in the first device, the second device, or another device. If the master credential evaluator successfully evaluates the built credentials, then user authentication is completed. Advantageously, credential builders and credential evaluators can be added to or removed from the master credential builders and the master credential evaluator, respectively, to allow dynamic modification of the master credential builders and the master credential evaluator to suit specific and changing requirements for user authentication/authorization.


    Method and system for dynamic issuance of group certificates
    8.
    Patent grant
    Method and system for dynamic issuance of group certificates (status: active)

    Publication number: US06883100B1

    Publication date: 2005-04-19

    Application number: US09309045

    Filing date: 1999-05-10

    IPC classification: G06F1/00 G06F21/00 G06F9/00

    CPC classification: G06F21/6218 G06F21/629

    Abstract: In accordance with the invention, on-line group servers issue group membership or group non-membership certificates upon request. Furthermore, when a requester requests a group certificate for a particular entity, the associated group server makes a dynamic decision regarding the entity's membership in the group rather than simply referring to a membership list. These capabilities provide for, among other things, the implementation of "nested" groups, wherein an entity may indirectly prove membership in a first, or nested, group by proving membership in a second group which is a member of the first group. In the nested group situation, the dynamic decision may involve the group server of the nested group obtaining proof of the entity's membership or non-membership in the second group. Proof of membership or non-membership may include a group certificate and/or a group membership list.


    Inexpensive secure on-line certification authority system and method
    9.
    Patent grant
    Inexpensive secure on-line certification authority system and method (status: active)

    Publication number: US06973569B1

    Publication date: 2005-12-06

    Application number: US09608264

    Filing date: 2000-06-30

    IPC classification: G06F21/00 H04L9/00 H04L9/32

    CPC classification: G06F21/33 H04L9/3263

    Abstract: A certification authority generates certificates in response to respective certification requests. The certification authority generally includes a computer that is bootable from a removable medium, together with the removable medium itself. The removable medium is a machine-readable medium having encoded thereon an operating system module configured to enable the computer to boot from the removable medium, and a certificate generation module configured to, after the computer has been booted, control the computer to facilitate the generation of at least one certificate in response to an associated certificate request; the certification authority module is configured to ensure that the computer cannot be remotely controlled during a certificate generation session.


    USING OPAQUE GROUPS IN A FEDERATED IDENTITY MANAGEMENT ENVIRONMENT
    10.
    Patent application
    USING OPAQUE GROUPS IN A FEDERATED IDENTITY MANAGEMENT ENVIRONMENT (status: active)

    Publication number: US20090265753A1

    Publication date: 2009-10-22

    Application number: US12104141

    Filing date: 2008-04-16

    IPC classification: G06F21/00

    Abstract: A system and method for using an opaque group within a federated identity management environment, to prevent disclosure of the identities of the group's members. An opaque group is constructed at an identity provider within the system and has a group identity that references the primary system identities of its members (e.g., electronic mail addresses, public key certificates, network addresses). Services to the group (e.g., distribution of an object such as a document or electronic mail message, invitation to an online meeting, authentication as a member of the group) can be requested from service providers, but because service providers do not have access to members' primary identities, the service providers forward the requests to an identity provider that has access to the group identity. That identity provider retrieves the members' identities and completes the action.
