LICENSING PROTECTED CONTENT TO APPLICATION SETS

US 20090328134A1
Filed: 06/27/2008
Published: 12/31/2009
Est. Priority Date: 06/27/2008
Status: Active Grant

First Claim

Patent Images

1. At a computer system, a method for providing access to protected content, the method comprising:

an act of detecting that a user is attempting to access protected content through an application at the computer system, the protected content protected in accordance with a protection policy managed by a digital rights management system that includes a separate digital rights management server, the protection policy including an application set, the application set identifying a set of applications that are allowed to access the content;

prior to allowing the application to access the protected content;

an act of the computer system exchanging information with digital rights management server to obtain a user key corresponding to the user, the user key for accessing the protected content; and

an act of the computer system determining that the application is in the application set; and

an act of the computer system allowing the application to use the user key to access the protected content in response to the determination.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention extends to methods, systems, and computer program products for licensing protected content to application sets. Embodiments of the invention permit a local machine to increase its participation in authorizing access to protected content. For example, an operating system within an appropriate computing environment is permitted to determine if an application is authorized to access protected content. Thus, the application is relieved from having to store a publishing license. Further, authorization decisions are partially distributed, easing the resource burden on a protection server. Accordingly, embodiments of the invention can facilitate more robust and efficient authorization decisions when access to protected content is requested.

Citations

20 Claims

1. At a computer system, a method for providing access to protected content, the method comprising:
- an act of detecting that a user is attempting to access protected content through an application at the computer system, the protected content protected in accordance with a protection policy managed by a digital rights management system that includes a separate digital rights management server, the protection policy including an application set, the application set identifying a set of applications that are allowed to access the content;
  
  prior to allowing the application to access the protected content;
  
  an act of the computer system exchanging information with digital rights management server to obtain a user key corresponding to the user, the user key for accessing the protected content; and
  
  an act of the computer system determining that the application is in the application set; and
  
  an act of the computer system allowing the application to use the user key to access the protected content in response to the determination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 14, 15, 16)
- - 2. The method as recited in claim 1, wherein the act of detecting that a user is attempting to access protected content through an application at the computer system comprises an act of detecting that a user is attempting to access protected content protected in accordance with a protection policy, the protection policy including the application set and one or more computing environments that are appropriate for evaluating application set membership in the application set.
  - 3. The method as recited in claim 1, wherein the act of detecting that a user is attempting to access protected content through an application at the computer system comprises an act of detecting that a user is attempting to access protected content protected in accordance with a protection policy, the protection policy including an application set, wherein the application set includes one or more application IDs for applications that are authorized to access the protected content.
  - 4. The method as recited in claim 1, wherein the act of detecting that a user is attempting to access protected content through an application at the computer system comprises an act of detecting that a user is attempting to access protected content, the protected content protected in accordance with a protection policy of the business owner of the protected content.
  - 5. The method as recited in claim 1, wherein the act of the computer system exchanging information with digital rights management server to obtain a user key corresponding to the user comprises:
    - an act of sending user authentication information for the user to the DRM server; and
      
      an act of sending attributes of the computer system'"'"'s operating environment to the DRM server.
  - 6. The method as recited in claim 5, wherein the attributes of the computer system'"'"'s operating environment indicate one or more of a network location, a boot path for the operating system, a code integrity policy for the operating system, boot options for the operating system, information from a system health agent (“
    - SHA”
      
      ), and information from a system health validator (“
      
      SHV”
      
      ).
  - 7. The method as recited in claim 1, wherein the act of the computer system determining that the application is in the application set comprises an act of an operating system at the computer system determining that the application is in the application set.
  - 8. The method as recited in claim 1, wherein the act of the computer system determining that the application is in the application set comprises:
    - an act of an the computer system comparing an application ID of the application to application IDs included in the application set; and
      
      an act of determining that the application ID of the application is included in the application set.
  - 14. The method as recited in claim 1, wherein the act of the operating system determining if the application is included in the set of applications in the protection policy comprises an act of the operating system comparing an application ID for the application to application IDs included in the protection policy.
  - 15. The method as recited in claim 1, wherein the act of the operating system determining if the application is included in the set of applications in the protection policy comprises an act of the operating system determining that the application is included in the set of applications.
  - 16. The method as recited in claim 1, wherein the act of permitting the application to access the protected content comprises an act of the application enforcing operations authorized users are permitted to perform with respect to the protected content

9. At a computer system, a method for providing access to protected content, the method comprising:
- an act of detecting that a user is attempting to access protected content through an application at the computer system, the protected content protected in accordance with a protection policy, the protection policy specified by a business owner of a business that originated the protected content, the protection policy indicating;
  
  users that are authorized to access the content, operations authorized users are permitted to perform with respect to the protected content, computing environments that are permitted to access the content, and a set of applications that are permitted to access the content;
  
  an act of sending user identity information for the user to a content protection server;
  
  an act of sending the computing environment of the computer system to the content protection server;
  
  an act of receiving a user key from the content protection server, the user key usable by the user to access the protected content, the user key returned from the content protection server to the computer system in response to authenticating the user and in response to determining that the computing environment is appropriate for evaluating application set membership;
  
  an act of an operating system at the computer system determining if the application is included in the set of applications in the protection policy; and
  
  an act of the operating system appropriately regulating the application'"'"'s access to the protected content based on the determination, including;
  
  an act of permitting the application to access the protected content when the application is included in the set of applications in the protection policy; and
  
  an act of preventing the application form accessing the protected content when the application is not included in the set of applications in the protection policy.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method as recited in claim 9, wherein the act of detecting that a user is attempting to access protected content through an application at the computer system, the protected content protected in accordance with a protection policy comprises an act of detecting that a user is attempting to access protected content through an application at the computer system, the protected content protected in accordance with a protection policy, wherein computing environments that are permitted to access the content comprise computing environments that are sufficiently trusted to evaluate application set membership.
  - 11. The method as recited in claim 9, wherein the act of detecting that a user is attempting to access protected content through an application at the computer system, the protected content protected in accordance with a protection policy comprises an act of detecting that a user is attempting to access protected content through an application at the computer system, the protected content protected in accordance with a protection policy, wherein authorized applications are applications trusted to appropriately enforce the operations users are permitted to perform.
  - 12. The method as recited in claim 9, wherein an act of sending user identity information for the user to a content protection server comprises an act of sending user credentials to the protection server.
  - 13. The method as recited in claim 9, wherein the sending the computing environment of the computer system to the content protection server comprises an act of sending attributes indicating one or more of a network location, a boot path for the operating system, a code integrity policy for the operating system, boot options for the operating system, information from a system health agent (“
    - SHA”
      
      ), and information from a system health validator (“
      
      SHV”
      
      ).

17. A computer system, the computer system comprising:
- one or more processors;
  
  system memory; and
  
  one or more computer-readable media having stored there computer executable instructions that, when executed by one of the processors, cause the computer system to providing access to protected content, including the following;
  
  detect that a user is attempting to access protected content through an application at the computer system, the protected content protected in accordance with a DRM protection policy, the DRM protection policy specified by a business owner of a business that originated the protected content, the protection policy indicating;
  
  users that are authorized to access the content, operations authorized users are permitted to perform with respect to the protected content, computing environments that are permitted to access the content, and a set of applications that are permitted to access the content;
  
  send user credentials for the user to a DRM server;
  
  send system attributes of the computer system to the DRM server to indicate the computing environment of the computer system to the DRM server;
  
  receive a user key from the DRM server, the user key usable by the user to access the protected content, the user key returned from the DRM server to the computer system in response to authenticating the user and in response to determining that the system attributes indicate a computing environment that is appropriate for evaluating application set membership;
  
  an operating system at the computer system determining if the application is included in the set of applications in the protection policy, inclusion in the set of applications indicative of an application that is trusted to enforce operations authorized users are permitted to perform with respect to the protected content; and
  
  the operating system appropriately regulating the application'"'"'s access to the protected content based on the determination, including;
  
  permitting the application to enforce operations authorized users are permitted to perform with respect to the protected content when the application is included in the set of applications in the protection policy; and
  
  preventing the application from accessing the protected content when the application is not included in the set of applications in the protection policy.
- View Dependent Claims (18, 19, 20)
- - 18. The system as recited in claim 17, wherein untrusted applications excluded from set membership are tagged as unusable by the operating system to enforce operations authorized users are permitted to perform with respect to the protected content.
  - 19. The system as recited in claim 17, wherein computer executable instructions that, when executed by one of the processors, cause the computer system to determine if the application is included in the set of applications in the protection policy comprise computer executable instructions that, when executed by one of the processors, cause the computer system to compare an application ID for the application to application IDs in the set of the applications.
  - 20. The system as recited in claim 17, wherein computer executable instructions that, when executed by one of the processors, cause the computer system to send system attributes of the computer system to the DRM server, to indicate the computing environment of the computer system to the DRM server comprise computer executable instructions that, when executed by one of the processors, cause the computer system to send one or more of:
    - a network location, a boot path for the operating system, a code integrity policy for the operating system, boot options for the operating system, information from a system health agent (“
      
      SHA”
      
      ), and information from a system health validator (“
      
      SHV”
      
      ).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Karamifilov, Krassimir E., McDowell, John, Leach, Paul J., Herron, Andrew, Tipton, William R., Ray, Kenneth D., Bryce, Duncan G., Kaufman, Charles W., Kamat, Pankaj M., Setzer, Matthew C., Schwartz, Jonathan D.

Granted Patent

US 8,225,390 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/105 Arrangements for software l...

LICENSING PROTECTED CONTENT TO APPLICATION SETS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

LICENSING PROTECTED CONTENT TO APPLICATION SETS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links