Deputization in a distributed computing system
First Claim
1. A method for delegating rights in a distributed computing system containing at least one of a domain and a realm, the method comprising the steps of:
- receiving at a deputization point in the system a request from a principal for delegation of at least one right of the principal to at least one deputy such that the deputy can perform one or more computational tasks for the principal, the request identifying the principal and the rights to be delegated to the deputy such that the deputy can perform the one or more computational tasks for the principal, the principal having a public key and a corresponding private key;
creating at least one deputy having an identity which is different from the identity of the principal;
providing the deputy with a public key and a corresponding private key; and
forming a deputy credential which identifies the principal, identifies the rights delegated to the deputy by the principal, contains the deputy private key encrypted with the principal public key, contains the deputy public key, contains a domain/realm-specific credential identifying rights of the deputy within a specific group of computers in a network, and is signed by the deputization point.
7 Assignments
0 Petitions
Accused Products
Abstract
Methods, signals, devices, and systems are provided for delegating rights in a distributed computer system from a principal to one or more deputies. The deputies have identities separate from the principal. This allows the deputies to persist after the principal logs off the system, and permits deputization across boundaries imposed by namespaces and particular network protocols. A deputy may also delegate rights to additional deputies. Deputization is accomplished using certificates, domain/realm-specific credentials, public and private keys, process creation, and other tools and techniques.
165 Citations
24 Claims
-
1. A method for delegating rights in a distributed computing system containing at least one of a domain and a realm, the method comprising the steps of:
-
receiving at a deputization point in the system a request from a principal for delegation of at least one right of the principal to at least one deputy such that the deputy can perform one or more computational tasks for the principal, the request identifying the principal and the rights to be delegated to the deputy such that the deputy can perform the one or more computational tasks for the principal, the principal having a public key and a corresponding private key;
creating at least one deputy having an identity which is different from the identity of the principal;
providing the deputy with a public key and a corresponding private key; and
forming a deputy credential which identifies the principal, identifies the rights delegated to the deputy by the principal, contains the deputy private key encrypted with the principal public key, contains the deputy public key, contains a domain/realm-specific credential identifying rights of the deputy within a specific group of computers in a network, and is signed by the deputization point. - View Dependent Claims (2, 3, 4, 5, 6, 7)
authenticating to a distributed deputization point which is known by a different network in the distributed computing system, that is, a network other than the network containing the principal; and
obtaining a deputy identifier from that distributed deputization point.
-
-
8. A distributed computing system supporting deputization, the system comprising at least one domain or realm, and also comprising:
-
at least two computers, each having a memory and a processor;
a communications link between the computers;
a principal located on one of the computers;
a deputization point located on another of the computers, the principal and the deputization point configured to communicate with one another through the communications link;
domain/realm-specific authentication means for authenticating the principal to the deputization point with respect to the rights of the principal within a specific group of computers in a network; and
deputization means for delegating at least one right of the principal to at least one deputy after the principal is authenticated to the deputization point such that the deputy can perform one or more tasks for the principal. - View Dependent Claims (9, 10, 11, 12)
-
- 13. A deputization signal embodied in a distributed computer system, the deputization signal comprising a principal identifier, a rights identifier identifying permitted tasks that may be conducted by a principal and are being delegated to a deputy, a deputy private key encrypted with a principal public key, a deputy public key, a domain/realm-specific credential identifying rights of a deputy within a specific group of computers in a network, and a signature of a distributed deputization point.
-
16. A computer storage medium having a configuration that represents data and instructions which will cause performance of method steps for delegating rights in a distributed computing system, the method comprising the steps of:
-
authenticating to a deputization point in the system using a domain/realm-specific credential;
requesting that the deputization point delegate at least one right to a deputy such that a deputy can perform one or more tasks for a principal, the request identifying the requester and the rights to be delegated; and
delegating the rights to a deputy which has an identity different from the identity of the requester, the delegation being recorded in a deputy credential which identifies the requester, identifies the deputy, identifies the rights delegated to the deputy, includes a domain/realm-specific credential identifying rights of the deputy within a specific group of computers in a network, and is signed by the deputization point. - View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24)
-
Specification