Digital identity management

US 20040162786A1
Filed: 02/13/2003
Published: 08/19/2004
Est. Priority Date: 02/13/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

managing lifecycles of digital IDs for application programs; and

abstracting multiple types of credentials for application programs through a digital identity management service (DIMS) and a common application programming interface (API) layer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One aspect relates to a process and associated device for managing digital ID lifecycles for application programs, and abstracting application programs for multiple types of credentials through a common Digital Identity Management System (DIMS) and Application Programming Interface (API) layer.

272 Citations

115 Claims

1. A method comprising:
- managing lifecycles of digital IDs for application programs; and
  
  abstracting multiple types of credentials for application programs through a digital identity management service (DIMS) and a common application programming interface (API) layer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 34, 35)
- - 2. The method of claim 1, in which the method includes a life cycle management process.
  - 3. The method of claim, 2, wherein the life cycle management process includes an auto-enrollment process.
  - 4. The method of claim 3, wherein the auto-enrollment process can be applied to different credential types.
  - 5. The method of claim 1, further comprising unification of credential management retrieval and storage through a generalized mechanism.
  - 6. The method of claim 5, wherein the generalized mechanism is an Application Programming Interface (API).
  - 7. The method of claim 1, further comprising a client-based service that operates on behalf of the system, users, and the application programs to perform the lifecycle management.
  - 8. The method of claim 1, wherein the credentials include a data object associated with a digital identity (ID) or proof of possession.
  - 9. The method of claim 8, wherein the digital ID or proof of possession is for the purpose of authentication.
  - 10. The method of claim 8, wherein the digital ID or proof of possession is for the purpose of authorization.
  - 11. The method of claim 8, wherein the digital ID or proof of possession is for the purpose of digital signature.
  - 12. The method of claim 8, wherein the digital ID or proof of possession is for the purpose of encryption.
  - 13. The method of claim 1, wherein the credentials include possession of a physical token.
  - 14. The method of claim 13, wherein the credentials are included on a smartcard.
  - 15. The method of claim 1, wherein the method further comprises maintaining the digital ID in at least one digital ID store(s).
  - 16. The method of claim 1, wherein the data abstraction includes a security context or opaque data.
  - 17. The method of claim 16, wherein the trusted data is not exposed to the application program.
  - 18. The method of claim 16, wherein the security context or opaque data may include a handle reference.
  - 19. The method of claim 16, wherein the security context or opaque data may include a token.
  - 20. The method of claim 1, wherein the managing digital ID lifecycles is performed at least partially on a non-domain joined computer.
  - 21. The method of claim 1, wherein the multiple types of credentials are abstracted through the DIMS and the common Application Programming Interface (API) layer at least partially on a non-domain joined computer.
  - 22. The method of claim 21, wherein the DIMS may communicate to a security token service (STS)
  - 23. The method of claim 22, wherein the STS includes a certificate authority.
  - 24. The method of claim 22, wherein the STS includes a key distribution center.
  - 25. The method of claim 22, wherein the STS includes a license server.
  - 26. The method of claim 1, wherein the digital ID includes an x.509 certificate.
  - 27. The method of claim 1, wherein the digital ID includes a public/private key pair.
  - 28. The method of claim 1, wherein the digital ID includes a token.
  - 29. The method of claim 1, wherein the digital ID includes an eXtensible Markup Language (XML) assertion.
  - 30. The method of claim 1, wherein the DIMS provides an abstraction layer as an Application Programming Interface (API).
  - 31. The method of claim 1, wherein the DIMS can provide the lifecycle management for the digital IDs without user interaction or user interaction.
  - 32. The method of claim 1, wherein the DIMS relies on local policies to establish a lifecycle management criteria.
  - 34. The method of claim 1, wherein the managing lifecycles of digital IDs includes managing credentials.
  - 35. The method of claim 1, wherein the DIMS can manage licenses for a user or application program for a Digital Rights Management (DRM) system.

33. The method of claim l, wherein the DIMS relies on central policies to establish a lifecycle management criteria.

36. An apparatus, comprising:
- a non-domain joined computer portion including;
  
  a lifecycle manager for managing digital ID lifecycles for application programs, and an abstraction layer portion for abstracting data from application programs for multiple types of credentials through a digital identity management system (DIMS) and a common Application Programming Interface (API) layer.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61)
- - 37. The apparatus of claim 36, wherein the abstracted data includes a security context or opaque data.
  - 38. The apparatus of claim 36, wherein trusted data is not included with the data returned to the application program.
  - 39. The apparatus of claim 36, wherein the DIMS is configured as a simple trust that applies to home users that are not connected to any managed services.
  - 40. The apparatus of claim 36, wherein the DIMS is configured as an enterprise trust that applies to a corporate or business user operating a computer that belongs to an active directory environment.
  - 41. The apparatus of claim 36, wherein the DIMS causes the application program to perform an authentication process using digital IDs.
  - 42. The apparatus of claim 36, wherein the DIMS can manage a trust for users.
  - 43. The apparatus of claim 36, wherein the DIMS can manage a trust for application programs.
  - 44. The apparatus of claim 36, wherein the DIMS can provide lifecycle management for digital IDs without user interaction or application program interaction.
  - 45. The apparatus of claim 36, wherein the DIMS relies on local policies to define lifecycle management criteria.
  - 46. The apparatus of claim 36, wherein the DIMS relies on central policies to define lifecycle management criteria.
  - 47. The apparatus of claim 36, wherein the DIMS interacts with a central service to obtain a digital ID.
  - 48. The apparatus of claim 47, wherein the central service is a security token service (STS).
  - 49. The apparatus of claim 48, wherein the STS includes a certificate authority.
  - 50. The apparatus of claim 48, wherein the STS includes a key distribution center.
  - 51. The apparatus of claim 48, wherein the STS includes a license server.
  - 52. The apparatus of claim 36, wherein the DIMS automatically manages the digital IDs.
  - 53. The apparatus of claim 36, wherein the DIMS includes an underlying trust store structure, and wherein the application program is abstracted from an underlying trust store structure.
  - 54. The apparatus of claim 36, wherein the digital IDs are managed in domain-joined machines.
  - 55. The apparatus of claim 36, wherein the digital IDs are managed in non-domain-joined machines.
  - 56. The apparatus of claim 36, wherein the digital IDs include key pairs.
  - 57. The apparatus of claim 36, wherein the digital IDs include username and password combinations.
  - 58. The apparatus of claim 36, wherein the digital IDs include licenses.
  - 59. The apparatus of claim 36, wherein the digital IDs include assertions.
  - 60. The apparatus of claim 36, wherein the digital IDs include certificates.
  - 61. The apparatus of claim 36, wherein the DIMS can manage licenses for a user or application program for a Digital Rights Management (DRM) system.

62. A method, comprising:
- enumerating data from a digital identity (ID) store(s);
  
  reading properties of at least one of the digital IDs;
  
  determining digital ID memberships, reading the policies for digital IDs, calculating housekeeping criterion for the digital ID; and
  
  applying the policies and memberships to the store(s).
- View Dependent Claims (63, 64)
- - 63. The method of claim 62, wherein if further housekeeping action is necessary, then the method further comprises:
    - determining whether the further housekeeping action involves user interaction;
      
      if the other further action involves interaction with other services, then interfacing with a trusted digital ID source, and logging the housekeeping changes; and
      
      if the other further action does not involve interaction with other services, then asking the user for further user input, and logging the housekeeping changes.
  - 64. The method of claim 62, wherein the determining digital ID memberships includes determining digital ID subscriptions.

65. An apparatus for authenticating a user of a non-domain joined computer connected to the Internet, comprising:
- an application program attempting to access a Digital Identity Management System (DIMS);
  
  the application program searching for credentials based on some attributes;
  
  the application program returning results of the credential search to the DIMS;
  
  the DIMS opening the credentials based on a cryptographic key;
  
  the DIMS returning a handle to the application program; and
  
  the application program using the handle to perform an operation.
- View Dependent Claims (66, 67, 68, 69, 70)
- - 66. The apparatus of claim 65, wherein the application program uses the result of the operation to present the handle to a security token service (STS).
  - 67. The method of claim 66, further comprising expanding the result of the operation.
  - 68. The method of claim 65, wherein the application program finds the credentials based on some attributes, and wherein the DIMS returns the results to the application program within an Application Programming Interface (API);
  - 69. The method of claim 65, wherein the DIMS opens the credentials based on the cryptographic key and the DIMS returns the handle to the application program within the API.
  - 70. The method of claim 65, wherein the DIMS can view all credentials associated with the DIMS.

71. An apparatus, comprising:
- an application program attempting to access a Digital Identity Management System (DIMS);
  
  the application program attempting to find credentials based on some attributes;
  
  the DIMS returning results in response to the attempt to find credentials to the application program; and
  
  the DIMS opening at least some of the credentials based on a cryptographic key.
- View Dependent Claims (72, 73, 74, 75, 76, 77, 78, 79)
- - 72. The apparatus as set forth in claim 71, wherein:
    - the DIMS returns a handle to the application program; and
      
      the application program presents the handle to a security token service (STS).
  - 73. The apparatus of claim 71, wherein the apparatus performs the operation of authentication.
  - 74. The apparatus of claim 71, wherein the apparatus performs the operations of digitally signing.
  - 75. The apparatus of claim 71, wherein the apparatus performs the operations of encryption.
  - 76. The apparatus of claim 71, wherein the apparatus performs the operations of decryption.
  - 77. The apparatus of claim 71, wherein the DIMS program finds the credentials based on some attributes and the DIMS program returns the results to the application program is performed within an Application Programming Interface.
  - 78. The apparatus of claim 71, wherein the application program opens the credentials based on the cryptographic key and the DIMS returns the handle to the application program within an Application Programming Interface.
  - 79. The apparatus of claim 71, wherein the application program can view those credentials associated with the DIMS.

80. An apparatus, comprising a digital identity management system (DIMS) that views at least some of the credentials associated with the DIMS.
- View Dependent Claims (81, 82, 83, 84, 85, 86, 87)
- - 81. The apparatus of claim 80, further comprising a client, wherein the DIMS is at least partially located within a domain-joined computer.
  - 82. The apparatus of claim 80, wherein the DIMS is at least partially located in a computer.
  - 83. The apparatus of claim 80, wherein at least some of the credentials are included at least partially in a digital ID.
  - 84. The apparatus of claim 80, wherein the digital ID includes a certificate.
  - 85. The apparatus of claim 80, further comprising user interface tools that can determine a complete set of digital Identities (IDs) associated with a given security context.
  - 86. The apparatus of claim 80, further comprising a client, wherein the DIMS is located at least partially within a client computer.
  - 87. The apparatus of claim 80, wherein the DIMS is located at least partially in a non-domain joined computer.

88. A method, comprising:
- performing lifecycle management for a digital IDs within a non-domain joined computer, the lifecycle management including;
  
  enumerating store(s) within the non-domain joined computer, reading the policies, and determining the membership of the digital IDs, applying rules to the store(s), and determining whether an action is necessary, if the action is necessary, determining whether the action involves interaction with a trusted security token service (STS), if the action involves interaction with the trusted STS, then interacting with the STS to perform the action, and if the action does not involves interaction with the trusted STS, providing a user interface for the user to provide input to perform the action.
- View Dependent Claims (89, 90, 91, 92, 93, 94, 95)
- - 89. The method of claim 88, wherein the action includes the digital ID enrollment.
  - 90. The method of claim 88, wherein the action includes the digital ID renewal.
  - 91. The method of claim 88, wherein the action includes the digital ID end of life.
  - 92. The method of claim 88, wherein the action includes exchanging a credential.
  - 93. The method of claim 88, wherein the digital ID provides a mechanism for content protection.
  - 94. The method of claim 88, wherein the digital ID provides a mechanism for and media and content management.
  - 95. The method of claim 88, further comprising managing licenses for a user or application program for a digital rights management (DRM) system.

96. An apparatus comprising:
- a digital identity (ID) management system that is aware of its own state and is aware of policies that apply to it, and can act to ensure consistency for purposes of housekeeping.
- View Dependent Claims (97, 98, 99)
- - 97. The apparatus of claim 96, wherein the digital ID management system performs lifecycle management.
  - 98. The apparatus of claim 96, wherein the digital ID management system performs lifecycle management for non-domain joined computers.
  - 99. The apparatus of claim 96, wherein the digital ID management system performs lifecycle management for domain joined computers.

100. A method comprising:
- allowing a user to roam a digital identity (ID) using a Digital ID Management System (DIMS), comprising;
  
  enumerating a data store(s), receiving user input at the DIMS indicating whether the user desires to roam the digital ID, if the user desires to roam the digital ID, determining a remote data storage location that corresponds to the user;
  
  determining the policy relative to the user and the digital ID; and
  
  based on the policy, synchronizing data relating to the digital ID to the remote data storage location.
- View Dependent Claims (101, 102)
- - 101. The method of claim 100, wherein the roaming includes replicating.
  - 102. The method of claim 100, wherein the roaming includes synchronizing.

103. A computer readable medium having computer executable instructions for performing digital identity (ID) management within a non-domain joined computer, comprising:
- performing lifecycle management for digital IDs, the lifecycle management including;
  
  enumerating store(s) within the non-domain joined computer, reading the policies, and determining the membership of the digital IDs, applying lifecycle rules to the store(s), determining whether action is necessary based on the lifecycle rules, and if the action is necessary, interacting with a security token service (STS) to perform the action.

104. A system comprising:
- a processor;
  
  a memory containing instructions that when executed by the processor causes the processor to;
  
  perform lifecycle management for the digital IDs within a non-domain joined computer, the lifecycle management including;
  
  enumerate at least one store(s) within the non-domain joined computer, read policies, and determine the membership of the digital IDs, apply rules to the store(s), and determine whether an action is necessary, if the actions are necessary, determine whether the action involves interaction with a trusted security token service (STS), if the action involves interaction with the trusted STS, interact with the trusted STS to perform the action, and if the action does not involves interaction with the trusted STS, provide a user interface for the user to provide input to perform the action.

105. A Digital Identity Management System (DIMS) that is partially contained within a non-domain joined computer environment, the DIMS:
- managing digital ID lifecycles for digital identities (IDs) running within the non-domain joined computer; and
  
  abstracting application programs for multiple types of digital IDs through a common security token service (STS) and application programming interface (API) layer.
- View Dependent Claims (106, 107, 109, 110, 111, 112, 113, 115)
- - 106. The DIMS of claim 105, wherein the application program is abstracted at least partially using an Application Programming Interface (API) that includes the API layer.
  - 107. The DIMS of claim 105, wherein identity management includes credential management.
  - 109. The method of claim 107, wherein the DIMS can manage licenses for a user or application program for a digital rights management (DRM) system.
  - 110. The method of claim 107, wherein the DIMS can manage digital ID lifecycles without user interaction.
  - 111. The method of claim 107, wherein the DIMS can manage digital ID lifecycles without application program interaction.
  - 112. The method of claim 107, wherein the DIMS relies on central services to manage digital ID lifecycles.
  - 113. The method of claim 107, wherein the DIMS relies on local services to manage digital ID lifecycles.
  - 115. The method of claim 113, wherein the digital ID includes a certificate.

108. A digital identity (ID) management system (DIMS) comprising:
- a non-domain joined computer portion including a stand-alone computer connected to the Internet, the non-domain joined computer portion including a management lifecycle portion for managing digital ID lifecycles for application programs;
  
  the non-domain joined computer portion including an abstraction layer for abstracting multiple types of credentials through a common security token service (STS) and Application Programming Interface (API) layer; and
  
  a domain joined computer portion including at least one client computer and at least one server computer.

114. An auto-enrollment method, comprising:
- submitting a digital ID request;
  
  retrieving the disposition, last status, and identifier of a request;
  
  retrieving the digital ID issued for the request;
  
  retrieving pending digital IDs for previous requests; and
  
  retrieving the digital IDs for the digital ID server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Jones, Thomas C., Thomlinson, Matthew W., Cross, David B., Hallin, Philip J.

Granted Patent

US 7,703,128 B2
Time in Patent Office

Days
Field of Search
US Class Current

705/59
CPC Class Codes

G06F 21/33   using certificates

G06F 21/45   Structures or tools for the...

H04L 2209/603   Digital right managament [DRM]

H04L 63/06   for supporting key manageme...

H04L 9/006   involving public key infras...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3234   involving additional secure...

H04L 9/3263   involving certificates, e.g...

Digital identity management

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

272 Citations

115 Claims

Specification

Solutions

Use Cases

Quick Links

Digital identity management

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

272 Citations

115 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links