SELECTING POLICY FOR COMPATIBLE COMMUNICATION

US 20070294743A1
Filed: 06/15/2006
Published: 12/20/2007
Est. Priority Date: 06/15/2006
Status: Active Grant

First Claim

Patent Images

1. At a computer system, a method for selecting communication options for communicating with another computer system, the method comprising:

an act of accessing a first hierarchical policy document corresponding to the computer system, the first hierarchal policy document arranged in a hierarchical format to describe compatible combinations of communication options appropriate for communicating with the computer system, communication options higher in the hierarchical format providing context for related communication options lower in the hierarchical format;

an act of accessing a second hierarchical policy document corresponding to the other computer system, the second hierarchal policy document arranged in a hierarchical format to describe compatible combinations of communication options appropriate for communicating with the other computer system, communication options higher in the hierarchical format providing context for related communication options lower in the hierarchical format;

an act of matching a portion of the first hierarchical policy document to corresponding portion of the second hierarchical policy document for a specified communication option;

an act of recursively matching a second lower portion of the first hierarchical policy document to a corresponding second lower portion of the second hierarchical policy document for a corresponding specified communication sub-option of the specified communication option in the context of the specified communication option; and

an act of determining that compatible communication between the computer system and the other computer system is possible using the specified communication option along with the corresponding communication sub-option.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention extends to methods, systems, and computer program products for selecting policy for compatible communication. Hierarchical policy document data structures represent communication (e.g., security) aspects and options such that lower aspects and options are accessed in the context of corresponding higher aspects and options to define applicable scope. Use of a hierarchical description also facilitates separation of what is being protected from how it is being protected thereby allowing security policy to be considered at different locations of a description document.

Citations

20 Claims

1. At a computer system, a method for selecting communication options for communicating with another computer system, the method comprising:
- an act of accessing a first hierarchical policy document corresponding to the computer system, the first hierarchal policy document arranged in a hierarchical format to describe compatible combinations of communication options appropriate for communicating with the computer system, communication options higher in the hierarchical format providing context for related communication options lower in the hierarchical format;
  
  an act of accessing a second hierarchical policy document corresponding to the other computer system, the second hierarchal policy document arranged in a hierarchical format to describe compatible combinations of communication options appropriate for communicating with the other computer system, communication options higher in the hierarchical format providing context for related communication options lower in the hierarchical format;
  
  an act of matching a portion of the first hierarchical policy document to corresponding portion of the second hierarchical policy document for a specified communication option;
  
  an act of recursively matching a second lower portion of the first hierarchical policy document to a corresponding second lower portion of the second hierarchical policy document for a corresponding specified communication sub-option of the specified communication option in the context of the specified communication option; and
  
  an act of determining that compatible communication between the computer system and the other computer system is possible using the specified communication option along with the corresponding communication sub-option.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as recited in claim 1, wherein the act of accessing hierarchical policy document corresponding comprises an act of accessing hierarchical policy document that describes security policy for the computer system.
  - 3. The method as recited in claim 2, wherein the act of accessing hierarchical policy document corresponding comprises an act of accessing hierarchical policy document that describes at least of one integrity-protection policies and confidentiality polices for the computer system.
  - 4. The method as recited in claim 1, wherein the act of accessing hierarchical policy document corresponding comprises an act of accessing hierarchical policy document that describes polices for one or more of services, protocols, end-points, messages, addressing-information, and Web services used by the computer system.
  - 5. The method as recited in claim 1, wherein the act of matching a portion of the first hierarchical policy document to corresponding portion of the second hierarchical policy document for a specified communication option comprises an act of matching a portion of a security policy for the computer system to a corresponding portion of security policy for the other computer system.
  - 6. The method as recited in claim 1, wherein the act of matching a portion of a security policy for the computer system to a corresponding portion of security policy for the other computer system comprises an act of matching a portion of at least one of an integrity-protection policy and confidentiality policy for the computer system to a corresponding portion of security policy for the other computer system.
  - 7. The method as recited in claim 1, wherein the act of recursively matching a second lower portion of the first hierarchical policy document to a corresponding second lower portion of the second hierarchical policy document for a corresponding specified communication sub-option of the specified communication option in the context of the specified communication option comprises an act of matching an integrity projection sub-option in the context of integrity protection for a specified portion of communication selected from among a service, a protocol, a message, a message part, addressing information, and an end-point.
  - 8. The method as recited in claim 1, wherein the act of recursively matching a second lower portion of the first hierarchical policy document to a corresponding second lower portion of the second hierarchical policy document for a corresponding specified communication sub-option of the specified communication option in the context of the specified communication option comprises an act of matching a confidentiality sub-option in the context of confidentiality for a specified portion of communication selected from among a service, a protocol, a message, a message part, addressing information, and an end-point.
  - 9. The method as recited in claim 1, wherein the act of determining that compatible communication between the computer system and the other computer system is possible comprises an act of detecting appropriate matches between the first hierarchical policy document and the second hierarchical policy document up a spine from a leaf node to a root node at each of the first hierarchical policy document and the second hierarchical policy document.

10. At a computer system, a method for selecting security options for communicating with another computer system, the method comprising:
- an act of accessing a security intent for the other computer system, the security intent indicative how communication with the other computer system is to be secured;
  
  an act of determining that the computer system is compatible with the security intent of the other computer system;
  
  an act of accessing a security target for the other computer system, the security target indicating what portion of communication with the other computer system is to be secured;
  
  an act of identifying one or more security options compatible with both the computer system and the other computer system that can be used to implement the security intent for the security target.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method as recited in claim 10, wherein the act of accessing a security intent for the other computer system comprises an act of accessing a security intent indicating that a portion of communication is to be secured in accordance with at least one of integrity-protection and confidentiality.
  - 12. The method as recited in claim 10, wherein the act of determining that the computer system is compatible with the security intent of the other computer system comprises referring to a hierarchy policy document for the computer system to determine if the hierarchy policy document indicates that the security intent is supported.
  - 13. The method as indicated in claim 10, wherein the act of accessing a security target for the other computer system comprises an act of accessing a security target that indicates a portion of communication selected from among a service, a protocol, a message, a message part, an endpoint, and a Web service, is to be secured in accordance with the supported security intent.
  - 14. The method as indicated in claim 13, wherein the act of accessing a security target that indicate a portion of communication selection from among a service, a protocol, a message, a message part, and an endpoint, is to be secured in accordance with the supported security intent comprises an act of security target that indicate a portion of communication selection from among a service, a protocol, a message, a message part, an endpoint, and a Web service, is to be integrity-protected or render confidential.
  - 15. The method as recited in claim 10, wherein the act of identifying one or more security options compatible with both the computer system and the other computer system comprises an act of referring to a hierarchy policy document for the computer system to determine if the hierarchy policy document indicates compatible security options.

16. At a computer system, a method for securely communicating with another computer system, the method comprising:
- an act of accessing a security intent for the other computer system, the security intent indicative how communication with the other computer system is to be secured, the security intent associated with a higher level node in a hierarchical policy document corresponding to the other computer system;
  
  an act of matching a corresponding higher level node in the hierarchical policy document corresponding the computer system to the higher level node in the hierarchical policy document corresponding to the other computer system, the match indicative of the computer system being compatible with the security intent of the other computer system;
  
  an act of accessing a security target for the other computer system, the security target indicating what portion of communication with the other computer system is to be secured;
  
  an act of matching one or more lower level nodes in the hierarchical policy document for the computer system to corresponding one or more lower level nodes in the hierarchical policy document for the other computer system to identify one or more security options that can be used to implement the security intent of the other computer system; and
  
  an act of securing the security target in accordance with the identified security options to implement the security intent of the other computer system when communicating with the other computer system.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method as recited in claim 16, wherein the act of accessing a security intent for the other computer system comprises an act of accessing a security intent that indicates communication is to be integrity-protected or security.
  - 18. The method as recited in claim 16, wherein the an act of accessing a security target for the other computer system comprises an act of comprises an act of accessing a security target that indicates a portion of communication selected from among a service, a protocol, a message, a message part, addressing information, an endpoint, and a Web service is to be secured in accordance with the supported security intent.
  - 19. The method as recited in claim 16, wherein the act of an act of matching one or more lower level nodes in the hierarchical policy document for the computer system to corresponding one or more lower level nodes in the hierarchical policy document for the other computer system comprises an act of matching communication options in the context of integrity-protection or confidentially in context of a portion of communication selected form among a service, a protocol, a message, a message part, addressing information, an endpoint, and a Web service.
  - 20. The method as recited in claim 16, wherein the act of securing the security target in accordance with the identified security options to implement the security intent of the other computer system when communicating with the other computer system comprises an act of securing communication using options that were matched along a spine from a leaf node to the root node of a hierarchical policy document.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Kaler, Christopher G., Walter, Douglas A., Gudgin, Martin

Granted Patent

US 7,836,489 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/6218 to a system of files or obj...

SELECTING POLICY FOR COMPATIBLE COMMUNICATION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SELECTING POLICY FOR COMPATIBLE COMMUNICATION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links