Mechanism for merging multiple policies

US 6,721,888 B1
Filed: 01/14/2000
Issued: 04/13/2004
Est. Priority Date: 11/22/1999
Status: Expired due to Term

First Claim

Patent Images

1. A method for processing a plurality of source policies to derive a resultant policy, each of the source policies comprising zero or more entries with each entry comprising an identifier and one or more limitations, said method comprising:

selecting a current entry from a first source policy;

determining whether a second source policy comprises a corresponding entry which corresponds to said current entry;

in response to a determination that said second source policy comprises a corresponding entry, processing the limitations in said current entry and the limitations in said corresponding entry to derive a set of resultant limitations, said resultant limitations comprising the limitations of said current entry and said corresponding entry which are most restrictive; and

creating in a resultant policy a new entry comprising said resultant limitations.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mechanism for merging multiple source policies to derive a resultant policy is disclosed. The source policies, which may represent sets of laws/regulations, and which may comprise zero or more entries with each entry comprising an identifier and a set of one or more limitations, are merged by first selecting a current entry in a first source policy. Then a determination is made as to whether there is an entry in a second source policy which corresponds to the current entry. If so, then the limitations in the current entry are processed with the limitations in the corresponding entry to derive a set of resultant limitations. The limitations are processed such that the resultant limitations comprise the most restrictive limitations of the current entry and the corresponding entry. By doing so, it is ensured that the resultant limitations comply with both the first and the second source policies. Once the resultant limitations are derived, a new entry is created in the resultant policy which comprises the resultant limitations. The resultant policy is thus populated.

Citations

49 Claims

1. A method for processing a plurality of source policies to derive a resultant policy, each of the source policies comprising zero or more entries with each entry comprising an identifier and one or more limitations, said method comprising:
- selecting a current entry from a first source policy;
  
  determining whether a second source policy comprises a corresponding entry which corresponds to said current entry;
  
  in response to a determination that said second source policy comprises a corresponding entry, processing the limitations in said current entry and the limitations in said corresponding entry to derive a set of resultant limitations, said resultant limitations comprising the limitations of said current entry and said corresponding entry which are most restrictive; and
  
  creating in a resultant policy a new entry comprising said resultant limitations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein determining whether a second source policy comprises a corresponding entry comprises:
3. The method of claim 2, wherein the identifier of each entry comprises an encryption algorithm identifier.
4. The method of claim 2, wherein the identifier of each entry comprises an encryption algorithm identifier and an exemption mechanism identifier.
5. The method of claim 1, wherein the limitations of each entry comprises encryption limitations to be imposed on one or more encryption algorithms.
6. The method of claim 5, wherein said encryption limitations comprise a maximum encryption key size.
7. The method of claim 6, wherein said encryption limitations further comprise a maximum number of encryption rounds.
8. The method of claim 1, wherein said resultant limitations are derived on a limitation by limitation basis.
9. The method of claim 1, wherein said first source policy represents a first set of laws/regulations, and said second source policy represents a second and different set of laws/regulations.
10. The method of claim 9, wherein said first set of laws/regulations is export laws/regulations, and wherein said second set of laws/regulations is local import laws/regulations.
11. The method of claim 1, wherein each of said source policies comprises a default component which specifies default limitations to impose on one or more encryption algorithms.
12. The method of claim 1, wherein each of said source policies comprises an exempt component which specifies limitations to impose on one or more encryption algorithms when one or more exemption mechanisms are enforced.
13. The method of claim 1, further comprising:
- in response to a determination that said second source policy does not comprise a corresponding entry, determining whether said second source policy comprises a wildcard entry;
  
  in response to a determination that said second source policy comprises a wildcard entry, processing the limitations in said current entry and the limitations in said wildcard entry to derive a set of alternative resultant limitations, said alternative resultant limitations comprising the limitations of said current entry and said wildcard entry which are most restrictive; and
  
  creating in said resultant policy a new entry comprising said alternative resultant limitations.
14. The method of claim 13, further comprising:
- determining whether said first source policy comprises a wildcard entry; and
  
  in response to a determination that said first source policy does not comprise a wildcard entry, terminating processing of said first and second source policies.
15. The method of claim 14, further comprising:
- in response to a determination that said first source policy comprises a wildcard entry, selecting a next entry in said second source policy;
  
  determining whether said resultant policy comprises an entry which corresponds to said next entry;
  
  in response to a determination that said resultant policy does not comprise an entry corresponding to said next entry, processing the limitations in said next entry and the limitations in the wildcard entry of said first source policy to derive a second set of alternative resultant limitations, said second set of alternative resultant limitations comprising the limitations of said next entry and the wildcard entry of said first source policy which are most restrictive; and
  
  creating in said resultant policy a new entry comprising said second set of resultant limitations.
16. The method of claim 1, further comprising:
- in response to a determination that said resultant policy comprises an entry corresponding to said next entry, selecting another entry in said second source policy to process.

17. A computer system, comprising:
- a mechanism for processing multiple source policies to derive a set of specified limitations;
  
  a mechanism for determining a set of restrictions based at least upon said set of specified limitations; and
  
  a mechanism for enforcing said restrictions on an implementation of a service.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 18. The system of claim 17, wherein each of the source policies comprises zero or more entries with each entry comprising an identifier and one or more limitations, and wherein the mechanism for processing multiple source policies to derive a set of specified limitations, comprises:
19. The system of claim 18, wherein the mechanism for determining whether a second source policy comprises a corresponding entry comprises:
- a mechanism for comparing the identifier of said current entry with the identifier of at least one entry in said second source policy.
20. The system of claim 19, wherein the identifier of each entry comprises an encryption algorithm identifier.
21. The system of claim 19, wherein the identifier of each entry comprises an encryption algorithm identifier and an exemption mechanism identifier.
22. The system of claim 18, wherein the limitations of each entry comprises encryption limitations to be imposed on one or more encryption algorithms.
23. The system of claim 22, wherein said encryption limitations comprise a maximum encryption key size.
24. The system of claim 23, wherein said encryption limitations further comprise a maximum number of encryption rounds.
25. The system of claim 18, wherein said resultant limitations are derived on a limitation by limitation basis.
26. The system of claim 18, wherein said first source policy represents a first set of laws/regulations, and said second source policy represents a second and different set of laws/regulations.
27. The system of claim 26, wherein said first set of laws/regulations is export laws/regulations, and wherein said second set of laws/regulations is local import laws/regulations.
28. The system of claim 18, wherein each of said source policies comprises a default component which specifies default limitations to impose on one or more encryption algorithms.
29. The system of claim 18, wherein each of said source policies comprises an exempt component which specifies limitations to impose on one or more encryption algorithms when one or more exemption mechanisms are enforced.
30. The system of claim 18, wherein the mechanism for processing multiple source policies further comprises:
- a mechanism for determining, in response to a determination that said second source policy does not comprise a corresponding entry, whether said second source policy comprises a wildcard entry;
  
  a mechanism for processing, in response to a determination that said second source policy comprises a wildcard entry, the limitations in said current entry and the limitations in said wildcard entry to derive a set of alternative resultant limitations, said alternative resultant limitations comprising the limitations of said current entry and said wildcard entry which are most restrictive; and
  
  a mechanism for creating in said resultant policy a new entry comprising said alternative resultant limitations.
31. The system of claim 30, wherein the mechanism for processing multiple source policies further comprises:
- a mechanism for determining whether said first source policy comprises a wildcard entry; and
  
  a mechanism for terminating, in response to a determination that said first source policy does not comprise a wildcard entry, processing of said first and second source policies.
32. The system of claim 31, wherein the mechanism for processing multiple source policies further comprises:
- a mechanism for selecting, in response to a determination that said first source policy comprises a wildcard entry, a next entry in said second source policy;
  
  a mechanism for determining whether said resultant policy comprises an entry which corresponds to said next entry;
  
  a mechanism for processing, in response to a determination that said resultant policy does not comprise an entry corresponding to said next entry, the limitations in said next entry and the limitations in the wildcard entry of said first source policy to derive a second set of alternative resultant limitations, said second set of alternative resultant limitations comprising the limitations of said next entry and the wildcard entry of said first source policy which are most restrictive; and
  
  a mechanism for creating in said resultant policy a new entry comprising said second set of resultant limitations.
33. The system of claim 32, wherein the mechanism for processing multiple source policies further comprises:
- a mechanism for selecting, in response to a determination that said resultant policy comprises an entry corresponding to said next entry, another entry in said second source policy to process.

34. A computer readable medium having stored thereon instructions which, when executed by one or more processors, cause the one or more processors to process a plurality of source policies to derive a resultant policy, wherein each of the source policies comprises zero or more entries with each entry comprising an identifier and one or more limitations, said computer readable medium comprising:
- instructions for causing one or more processors to select a current entry from a first source policy;
  
  instructions for causing one or more processors to determine whether a second source policy comprises a corresponding entry which corresponds to said current entry;
  
  instructions for causing one or more processors to process, in response to a determination that said second source policy comprises a corresponding entry, the limitations in said current entry and the limitations in said corresponding entry to derive a set of resultant limitations, said resultant limitations comprising the limitations of said current entry and said corresponding entry which are most restrictive; and
  
  instructions for causing one or more processors to create in a resultant policy a new entry comprising said resultant limitations.
- View Dependent Claims (35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49)
- - 35. The computer readable medium of claim 34, wherein the instructions for causing one or more processors to determine whether a second source policy comprises a corresponding entry comprises:
36. The computer readable medium of claim 35, wherein the identifier of each entry comprises an encryption algorithm identifier.
37. The computer readable medium of claim 35, wherein the identifier of each entry comprises an encryption algorithm identifier and an exemption mechanism identifier.
38. The computer readable medium of claim 34, wherein the limitations of each entry comprises encryption limitations to be imposed on one or more encryption algorithms.
39. The computer readable medium of claim 38, wherein said encryption limitations comprise a maximum encryption key size.
40. The computer readable medium of claim 39, wherein said encryption limitations further comprise a maximum number of encryption rounds.
41. The computer readable medium of claim 34, wherein said resultant limitations are derived on a limitation by limitation basis.
42. The computer readable medium of claim 34, wherein said first source policy represents a first set of laws/regulations, and said second source policy represents a second and different set of laws/regulations.
43. The computer readable medium of claim 42, wherein said first set of laws/regulations is export laws/regulations, and wherein said second set of laws/regulations is local import laws/regulations.
44. The computer readable medium of claim 34, wherein each of said source policies comprises a default component which specifies default limitations to impose on one or more encryption algorithms.
45. The computer readable medium of claim 34, wherein each of said source policies comprises an exempt component which specifies limitations to impose on one or more encryption algorithms when one or more exemption mechanisms are enforced.
46. The computer readable medium of claim 34, further comprising:
- instructions for causing one or more processors to determine, in response to a determination that said second source policy does not comprise a corresponding entry, whether said second source policy comprises a wildcard entry;
  
  instructions for causing one or more processors to process, in response to a determination that said second source policy comprises a wildcard entry, the limitations in said current entry and the limitations in said wildcard entry to derive a set of alternative resultant limitations, said alternative resultant limitations comprising the limitations of said current entry and said wildcard entry which are most restrictive; and
  
  instructions for causing one or more processors to create in said resultant policy a new entry comprising said alternative resultant limitations.
47. The computer readable medium of claim 46, further comprising:
- instructions for causing one or more processors to determine whether said first source policy comprises a wildcard entry; and
  
  instructions for causing one or more processors to terminate, in response to a determination that said first source policy does not comprise a wildcard entry, processing of said first and second source policies.
48. The computer readable medium of claim 47, further comprising:
- instructions for causing one or more processors to select, in response to a determination that said first source policy comprises a wildcard entry, a next entry in said second source policy;
  
  instructions for causing one or more processors to determine whether said resultant policy comprises an entry which corresponds to said next entry;
  
  instructions for causing one or more processors to process, in response to a determination that said resultant policy does not comprise an entry corresponding to said next entry, the limitations in said next entry and the limitations in the wildcard entry of said first source policy to derive a second set of alternative resultant limitations, said second set of alternative resultant limitations comprising the limitations of said next entry and the wildcard entry of said first source policy which are most restrictive; and
  
  instructions for causing one or more processors to create in said resultant policy a new entry comprising said second set of resultant limitations.
49. The computer readable medium of claim 48, further comprising:
- instructions for causing one or more processors to select, in response to a determination that said resultant policy comprises an entry corresponding to said next entry, another entry in said second source policy to process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Luehe, Jan, Liu, Sharon S.
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US09/483,247
Time in Patent Office

1,551 Days
Field of Search

713/191, 713/200, 713/201
US Class Current

713/191
CPC Class Codes

G06F 21/445   by mutual authentication, e...

G06F 21/52   during program execution, e...

G06F 21/602   Providing cryptographic fac...

G06F 21/604   Tools and structures for ma...

G06F 21/6236   between heterogeneous systems

G06F 21/629   to features or functions of...

G06F 2211/007   Encryption, En-/decode, En-...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

H04L 63/10   for controlling access to d...

H04L 9/3247   involving digital signatures

H04L 9/3273   for mutual authentication n...

Mechanism for merging multiple policies

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

Mechanism for merging multiple policies

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links