Deputization in a distributed computing system
Abstract
Methods, signals, devices, and systems are provided for delegating rights in a distributed computer system from a principal to one or more deputies. The deputies have identities separate from the principal. This allows the deputies to persist after the principal logs off the system, and permits deputization across boundaries imposed by namespaces and particular network protocols. A deputy may also delegate rights to additional deputies. Deputization is accomplished using certificates, credentials, public and private keys, process creation, and other tools and techniques.
18 Claims
1. A method for delegating rights in a distributed computing system, the method comprising the steps of:
receiving at a deputization point in the system a request from a principal for delegation of at least one right of the principal to at least one deputy, the request identifying the principal and the rights to be delegated, the principal having a public key and a corresponding private key;
creating at least one deputy having an identity which is different from the identity of the principal such that the deputy can persist even after the principal is logged off of the computing system;
providing the deputy with a public key and a corresponding private key; and
forming a deputy credential which identifies the principal, identifies the rights delegated to the deputy by the principal, contains the deputy private key encrypted with the principal public key, contains the deputy public key, and is signed by the deputization point;
wherein the deputy is a first deputy and the method further comprises the step of delegating at least one right from the first deputy to a second deputy by conducting delegation steps with the first deputy acting as the principal and the second deputy as the deputy; and
wherein the deputization point is a first deputization point, and the step of delegating at least one right from the first deputy to a second deputy utilizes a second deputization point.
authenticating to a distributed deputization point which is known by a different network in the distributed computing system, that is, a network other than the network containing the principal; and
obtaining a deputy identifier from that distributed deputization point.
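An added example, not taken from the patent: a deputization point forms the credential of claim 1, and a verifier walks a two-hop chain issued by two deputization points. Schnorr-style signatures and ElGamal encryption over a toy-sized group stand in for the unspecified public-key algorithms so the block runs on the Python standard library alone. The party names, the `deputy` field, and the check that each hop delegates only rights its delegator holds are assumptions.

```python
import hashlib, json, secrets

P, G = 2**127 - 1, 3   # toy-sized group (assumption): illustration only, not secure

def keygen():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)                       # (private, public)

def _h(r, msg):
    return int.from_bytes(hashlib.sha256(f"{r}|{msg}".encode()).digest(), "big")

def sign(priv, msg):                             # Schnorr-style signature (r, s)
    k, r = keygen()
    return r, (k + priv * _h(r, msg)) % (P - 1)

def verify(pub, msg, sig):
    return pow(G, sig[1], P) == sig[0] * pow(pub, _h(sig[0], msg), P) % P

def encrypt(pub, m):                             # ElGamal, m in [1, P-1]
    k, c1 = keygen()
    return c1, m * pow(pub, k, P) % P
def decrypt(priv, ct):
    return ct[1] * pow(ct[0], P - 1 - priv, P) % P

def deputize(dp_priv, principal, principal_pub, deputy, rights):
    # Deputization point: give the deputy its own key pair and sign the credential.
    d_priv, d_pub = keygen()
    body = {"principal": principal, "deputy": deputy, "rights": sorted(rights),
            "deputy_pub": d_pub, "deputy_priv_enc": encrypt(principal_pub, d_priv)}
    return {"body": body, "sig": sign(dp_priv, json.dumps(body, sort_keys=True))}

def verify_chain(chain, dp_pubs, root, root_rights):
    # Each link: signed by its deputization point, issued by the current holder,
    # and limited to rights that holder has (assumed reading of the claim).
    holder, rights = root, set(root_rights)
    for cred, dp_pub in zip(chain, dp_pubs):
        b = cred["body"]
        if not verify(dp_pub, json.dumps(b, sort_keys=True), cred["sig"]):
            raise ValueError("bad deputization point signature")
        if b["principal"] != holder or not set(b["rights"]) <= rights:
            raise ValueError("delegator does not hold these rights")
        holder, rights = b["deputy"], set(b["rights"])
    return holder, rights

def demo():
    dp1, dp2, alice = keygen(), keygen(), keygen()   # constructed parties
    c1 = deputize(dp1[0], "alice", alice[1], "deputy-1", {"read", "print"})
    # Second hop: deputy-1 acts as principal, at a second deputization point.
    c2 = deputize(dp2[0], "deputy-1", c1["body"]["deputy_pub"], "deputy-2", {"read"})
    return alice, (dp1[1], dp2[1]), c1, c2
```

Only the principal can recover the first deputy's private key from `deputy_priv_enc`, while any verifier holding the two deputization points' public keys can check the chain.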
6. A distributed computing system supporting deputization, the system comprising:
at least two computers, each having a memory and a processor;
a communications link between the computers;
a principal located on one of the computers contained within a first network included within the distributed computing system;
a deputization point located on another of the computers, the principal and the deputization point configured to communicate with one another through the communications link, wherein the deputization point is known by a different network in the distributed computing system, the different network being a network other than the first network containing the principal;
authentication means for authenticating the principal to the deputization point; and
deputization means for delegating at least one right of the principal to at least one deputy after the principal is authenticated to the deputization point, wherein the at least one deputy has an identity which is different from the identity of the principal.
11. A computer storage medium having a configuration that represents data and instructions which will cause performance of method steps for delegating rights in a distributed computing system, the method comprising the steps of:
authenticating to a deputization point in the system;
requesting that the deputization point delegate at least one right, the request identifying the requester and the rights to be delegated; and
delegating the rights to a deputy which has an identity different from the identity of the requester, the delegation being recorded in a deputy credential which identifies the requester, identifies the deputy, identifies the rights delegated, and is signed by the deputization point;
wherein the system spans at least two namespaces, the requester being in one namespace and the deputy being in a second namespace.
18. A distributed computing system supporting deputization, the system comprising:
at least two computers, each having a memory and a processor;
a communications link between the computers;
a principal located on one of the computers;
a deputization point located on another of the computers, the principal and the deputization point configured to communicate with one another through the communications link;
authentication means for authenticating the principal to the deputization point; and
deputization means for delegating at least one right of the principal to at least one deputy after the principal is authenticated to the deputization point;
wherein the system spans at least two namespaces, the principal is in one namespace, and the deputy is in a second namespace.