Deputization in a distributed computing system

US 6,742,114 B1
Filed: 11/18/1999
Issued: 05/25/2004
Est. Priority Date: 02/18/1999
Status: Expired due to Term

First Claim

Patent Images

1. A method for delegating rights in a distributed computing system containing at least one of a domain and a realm, the method comprising the steps of:

receiving at a deputization point in the system a request from a principal for delegation of at least one right of the principal to at least one deputy such that the deputy can perform one or more computational tasks for the principal, the request identifying the principal and the rights to be delegated to the deputy such that the deputy can perform the one or more computational tasks for the principal, the principal having a public key and a corresponding private key;

creating at least one deputy having an identity which is different from the identity of the principal;

providing the deputy with a public key and a corresponding private key; and

forming a deputy credential which identifies the principal, identifies the rights delegated to the deputy by the principal, contains the deputy private key encrypted with the principal public key, contains the deputy public key, contains a domain/realm-specific credential identifying rights of the deputy within a specific group of computers in a network, and is signed by the deputization point.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, signals, devices, and systems are provided for delegating rights in a distributed computer system from a principal to one or more deputies. The deputies have identities separate from the principal. This allows the deputies to persist after the principal logs off the system, and permits deputization across boundaries imposed by namespaces and particular network protocols. A deputy may also delegate rights to additional deputies. Deputization is accomplished using certificates, domain/realm-specific credentials, public and private keys, process creation, and other tools and techniques.

165 Citations

24 Claims

1. A method for delegating rights in a distributed computing system containing at least one of a domain and a realm, the method comprising the steps of:
- receiving at a deputization point in the system a request from a principal for delegation of at least one right of the principal to at least one deputy such that the deputy can perform one or more computational tasks for the principal, the request identifying the principal and the rights to be delegated to the deputy such that the deputy can perform the one or more computational tasks for the principal, the principal having a public key and a corresponding private key;
  
  creating at least one deputy having an identity which is different from the identity of the principal;
  
  providing the deputy with a public key and a corresponding private key; and
  
  forming a deputy credential which identifies the principal, identifies the rights delegated to the deputy by the principal, contains the deputy private key encrypted with the principal public key, contains the deputy public key, contains a domain/realm-specific credential identifying rights of the deputy within a specific group of computers in a network, and is signed by the deputization point.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising the step of authenticating the principal to the deputization point prior to forming the deputy credential.
  - 3. The method of claim 1, further comprising the step of using the deputy credential to authenticate the deputy after the principal has logged off the system.
  - 4. The method of claim 1, wherein the deputy is a first deputy, and the method further comprises the step of delegating at least one right from the first deputy to a second deputy by repeating the receiving, creating, providing, and forming steps with the first deputy as the principal and the second deputy as the deputy.
  - 5. The method of claim 4, wherein the deputization point is a first deputization point, and the step of delegating at least one right from the first deputy to a second deputy utilizes a second deputization point.
  - 6. The method of claim 1, further comprising the step of deputizing a function using the deputy credential, the function being provided by the principal.
  - 7. The method of claim 1, wherein the distributed computing system includes at least two networks, one of which networks contains the principal, and the step of creating a deputy comprises the steps of:

8. A distributed computing system supporting deputization, the system comprising at least one domain or realm, and also comprising:
- at least two computers, each having a memory and a processor;
  
  a communications link between the computers;
  
  a principal located on one of the computers;
  
  a deputization point located on another of the computers, the principal and the deputization point configured to communicate with one another through the communications link;
  
  domain/realm-specific authentication means for authenticating the principal to the deputization point with respect to the rights of the principal within a specific group of computers in a network; and
  
  deputization means for delegating at least one right of the principal to at least one deputy after the principal is authenticated to the deputization point such that the deputy can perform one or more tasks for the principal.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The distributed computing system of claim 8, wherein the principal is a user task.
  - 10. The distributed computing system of claim 8, wherein the principal is a system task.
  - 11. The distributed computing system of claim 8, wherein the system spans at least two namespaces, the principal is in one namespace, and the deputy is in a second namespace.
  - 12. The distributed computing system of claim 11, wherein at least one of the namespaces is maintained using a distributed directory service.

13. A deputization signal embodied in a distributed computer system, the deputization signal comprising a principal identifier, a rights identifier identifying permitted tasks that may be conducted by a principal and are being delegated to a deputy, a deputy private key encrypted with a principal public key, a deputy public key, a domain/realm-specific credential identifying rights of a deputy within a specific group of computers in a network, and a signature of a distributed deputization point.
- View Dependent Claims (14, 15)
- - 14. The deputization signal of claim 13, further comprising a deputy life span.
  - 15. The deputization signal of claim 13, further comprising a deputized function.

16. A computer storage medium having a configuration that represents data and instructions which will cause performance of method steps for delegating rights in a distributed computing system, the method comprising the steps of:
- authenticating to a deputization point in the system using a domain/realm-specific credential;
  
  requesting that the deputization point delegate at least one right to a deputy such that a deputy can perform one or more tasks for a principal, the request identifying the requester and the rights to be delegated; and
  
  delegating the rights to a deputy which has an identity different from the identity of the requester, the delegation being recorded in a deputy credential which identifies the requester, identifies the deputy, identifies the rights delegated to the deputy, includes a domain/realm-specific credential identifying rights of the deputy within a specific group of computers in a network, and is signed by the deputization point.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24)
- - 17. The configured storage medium of claim 16, further comprising the step of using the deputy credential to authenticate the deputy after the requester has logged off the system.
  - 18. The configured storage medium of claim 16, wherein the requester previously received rights which were delegated to it as a deputy, the rights having been delegated to the requester by previously executed authenticating, requesting, and delegating steps.
  - 19. The configured storage medium of claim 16, wherein the method further comprises the step of specifying an expiration event, upon a subsequent occurrence of which the delegated rights would expire.
  - 20. The configured storage medium of claim 19, wherein the expiration event specifies a life span for the delegated rights.
  - 21. The configured storage medium of claim 16, wherein the method further comprises a step in which the requester deputizes a function using the deputy credential.
  - 22. The configured storage medium of claim 16, wherein at least the requesting and delegating steps are repeated to generate at least three deputies whose rights are directly or indirectly traceable through delegation back to the requester.
  - 23. The configured storage medium of claim 16, wherein the deputy credential includes a Microsoft Windows NT domain-specific credential.
  - 24. The configured storage medium of claim 16, wherein the deputy credential includes a Kerberos realm-specific credential.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Nevarez, Carlos A., Carter, Stephen R.
Primary Examiner(s)
Vu, Kim
Assistant Examiner(s)
Baum, Ronald

Application Number

US09/442,521
Time in Patent Office

1,650 Days
Field of Search

713/156, 713/175, 709/229
US Class Current

713/156
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

H04L 63/108   when the policy decisions a...

Deputization in a distributed computing system

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

165 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Deputization in a distributed computing system

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

165 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links