CREDENTIAL GATHERING WITH DEFERRED INSTANTIATION

US 20100205649A1
Filed: 02/06/2009
Published: 08/12/2010
Est. Priority Date: 02/06/2009
Status: Abandoned Application

First Claim

Patent Images

1. One or more computer-readable storage media that store executable instructions that, when executed by a computer, cause the computer to perform acts to facilitate obtaining access to a resource, the acts comprising:

identifying a first set of assertions that a first provider will make, said first set of assertions including at least a first assertion, said first assertion comprising a variable, said first assertion, when made to a guard of the resource, supporting access to the resource;

generating a second assertion that asserts a first fact asserted in said first assertion and that imposes, as a condition on asserting said first fact, that a second provider, or said second provider'"'"'s delegate, instantiate said variable;

generating a third assertion that delegates, to said second provider, a right to instantiate said variable;

creating a first template that comprises said second assertion and said third assertion; and

sending said first template to said second provider.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Credentials may be gathered to support an access request. In one example, a template describes the credentials to be gathered. A set of credential providers may be consulted, in a particular sequence, to provide the credentials. Credentials may contain variables, and each credential provider may impose its own constraints on the values to be assigned to the variables. Instantiation of the variables may be deferred to a downstream credential provider, thereby allowing each credential provider to specify its constraints on the variables before specific values for the variables are chosen. In one example, an instantiation fact (or “inst fact”) is used to represent the deferred instantiation. A provider may use an inst fact to make its credentials conditional on the instantiation of the variables that the credential contains, where some downstream provider may attempt to instantiate the variables to specific values.

85 Citations

View as Search Results

20 Claims

1. One or more computer-readable storage media that store executable instructions that, when executed by a computer, cause the computer to perform acts to facilitate obtaining access to a resource, the acts comprising:
- identifying a first set of assertions that a first provider will make, said first set of assertions including at least a first assertion, said first assertion comprising a variable, said first assertion, when made to a guard of the resource, supporting access to the resource;
  
  generating a second assertion that asserts a first fact asserted in said first assertion and that imposes, as a condition on asserting said first fact, that a second provider, or said second provider'"'"'s delegate, instantiate said variable;
  
  generating a third assertion that delegates, to said second provider, a right to instantiate said variable;
  
  creating a first template that comprises said second assertion and said third assertion; and
  
  sending said first template to said second provider.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The one or more computer-readable storage media of claim 1, further comprising:
    - receiving a second template that identifies a second set of assertions that are to be obtained to support access to the resource.
  - 3. The one or more computer-readable storage media of claim 2, wherein said identifying comprises:
    - finding existing credentials that satisfy said one or more assertions.
  - 4. The one or more computer-readable storage media of claim 2, wherein said identifying comprises:
    - consulting a policy to determine which new assertions can be made to satisfy said one or more assertions.
  - 5. The one or more computer-readable storage media of claim 2, wherein said second template is generated by abducting said one or more assertions from a query that requests access to the resource.
  - 6. The one or more computer-readable storage media of claim 1, further comprising:
    - imposing a constraint on said variable; and
      
      including said constraint in said first template.
  - 7. The one or more computer-readable storage media of claim 1, wherein the resource comprises a physical resource, and wherein the guard physically gates access to the resource.
  - 8. The one or more computer-readable storage media of claim 1, wherein said first provider and second provider are physically separate components that are communicatively connected by a network, and wherein said first provider sends said first template to said second provider after said creating act.
  - 9. The one or more computer-readable storage media of claim 1, wherein said variable is instantiated by asserting an instantiation fact on said variable, and wherein said condition is imposed on said first fact by including as a conditional fact, in said second assertion, a second fact that comprises said instantiation fact.

10. A system to obtain credentials to gain access to a resource, the system comprising:
- a first credential provider that receives a template that describes a set of assertions that, when presented to a guard of the resource, cause the guard to grant access to the resource, said first credential provider identifying a first assertion that said first credential provider is willing to provide that that satisfies a second assertion contained in said set of assertions, said first assertion comprising a variable, said first credential provider creating a third assertion that comprises said first assertion with instantiation of said variable as a conditional fact, said first credential provider further creating a fourth assertion that delegates to a second credential provider a right to instantiate said variable, said first credential provider being communicatively connected to said second credential provider through a network, said first credential provider sending, to said second credential provider, a template comprising said third assertion and said fourth assertion.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, wherein said second credential provider receives said template from said first credential provider and creates a fifth assertion that instantiates said variable.
  - 12. The system of claim 10, wherein said second credential provider receives said template from said first credential provider and creates a fifth assertion that delegates, to a third credential provider, a right to instantiate said variable.
  - 13. The system of claim 10, wherein further comprising:
    - an abducer that generates said set of assertions from a query that requests access to the resource, and from a policy that the guard uses to determine whether access requested by the query is allowed.
  - 14. The system of claim 10, wherein the resource comprises a medical record that describes a human body of a patient or a treatment of said human body.
  - 15. The system of claim 10, wherein said first credential provider provides a constraint on said variable, and wherein said second credential provider instantiates said variable to a value that satisfies said constraint.

16. A method of allowing access to a resource, the method comprising using a processor to perform acts comprising:
- receiving, from a first credential provider at a second credential provider, a template that comprises a first set of assertions to be made to support access to the resource, said first set of assertions comprising a first assertion that asserts instantiation of a variable and a second assertion in which said first credential provider delegates to said second credential provider a right to instantiate said variable, said template further comprising a first constraint on said variable;
  
  finding a ground substitution that assigns a value to said variable that satisfies said first constraint;
  
  providing a third assertion that asserts an instantiation fact to instantiate said variable at said value;
  
  issuing a credential that comprises said third assertion; and
  
  providing said credential to a guard of said resource.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, further comprising:
    - gaining access to said resource from said resource guard.
  - 18. The method of claim 16, wherein said resource comprises a physical resource, and wherein said guard takes a tangible action to allow access to said physical resource.
  - 19. The method of claim 16, further comprising:
    - abducting, from a policy under which a guard gates access to the resource and from a query that requests access to the resource, a second set of assertions that, if presented to the guard, cause the guard to grant access to the resource.
  - 20. The method of claim 16, wherein said second credential provider imposes a second constraint on said variable, and wherein the method further comprises:
    - conjoining said first constraint with said second constraint to generate a conjoined constraint,wherein said ground substitution satisfies said first constraint by satisfying said conjoined constraint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Becker, Moritz Y., Mackay, Jason F.

Application Number

US12/367,502
Publication Number

US 20100205649A1
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/604 Tools and structures for ma...

G06F 21/6218 to a system of files or obj...

CREDENTIAL GATHERING WITH DEFERRED INSTANTIATION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

85 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

CREDENTIAL GATHERING WITH DEFERRED INSTANTIATION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

85 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links