Controlling access to content based on certificates and access predicates
Abstract
Digital rights for content downloaded to a subscriber computer from a provider are specified in an access predicate. The access predicate is compared with a rights manager certificate associated with an entity, such as an application, that wants access to the content. If the rights manager certificate satisfies the access predicate, the entity is allowed access to the content. A license that specifies limitations on the use of the content can also be associated with the content and provided to the entity. The use the entity makes of the content is monitored and terminated if the entity violates the license limitations. In one aspect of the invention, the access predicate and the license are protected from tampering through cryptographic techniques.
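The check described in the abstract and in claim 1, as an added sketch that is not taken from the patent. The predicate layout, property names, certificate fields and the HMAC standing in for the provider's tamper protection are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the provider's integrity key (assumption); a real
# deployment would use a provider signature rather than a shared secret.
PROVIDER_KEY = b"constructed-demo-key"

def seal(predicate):
    """Tag the predicate so that any later modification is detectable."""
    blob = json.dumps(predicate, sort_keys=True).encode()
    return hmac.new(PROVIDER_KEY, blob, hashlib.sha256).hexdigest()

def satisfies(cert, required):
    """True when the certificate attests every required property.
    Properties named max_* are upper bounds; all others must match exactly."""
    certified = cert.get("properties", {})
    for prop, want in required.items():
        have = certified.get(prop)
        if have is None:
            return False
        ok = have <= want if prop.startswith("max_") else have == want
        if not ok:
            return False
    return True

def release_key(predicate, tag, app_cert, os_cert, content_key):
    """Release the decryption key only if the predicate is untampered and both
    the rights manager certificate and the OS certificate satisfy it."""
    if not hmac.compare_digest(seal(predicate), tag):
        return None
    if not satisfies(app_cert, predicate["application"]):
        return None
    if not satisfies(os_cert, predicate["operating_system"]):
        return None
    return content_key

# Constructed sample data (hypothetical property names and values).
PREDICATE = {
    "application": {"read_only": True, "no_copy": True, "max_resolution": 720},
    "operating_system": {"name": "ExampleOS", "enforces_isolation": True},
}
TAG = seal(PREDICATE)
APP_CERT = {"subject": "ExamplePlayer 2.1",
            "properties": {"read_only": True, "no_copy": True, "max_resolution": 480}}
OS_CERT = {"subject": "ExampleOS",
           "properties": {"name": "ExampleOS", "enforces_isolation": True}}
KEY = b"constructed-content-key"
```

The key is withheld when either certificate fails the predicate or when the predicate no longer matches its tag, so a locally edited predicate cannot loosen the policy.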
36 Claims
1. A computerized method for enforcing digital rights on content downloaded from a provider comprising:
downloading the content from the provider encrypted for a particular combination of an operating system and a central processing unit (CPU) of the computer;
downloading an access predicate, for the content, that specifies properties an application running on a computer is to have in order to process the content;
checking the access predicate against a rights manager certificate for the application requesting access to the content;
checking the access predicate against a certificate for the operating system running on the computer;
permitting access to the content only if both the rights manager certificate and the certificate for the operating system satisfy the access predicate wherein accessing the content comprises decrypting the content.
downloading a license for the content; and
monitoring the application accessing the content to determine if the license is being violated.
3. The computerized method of claim 1, further comprising:
terminating the access by the application if the license is violated.
4. The computerized method of claim 1, further comprising:
downloading a license for the content; and
providing the license to the application accessing the content to enforce the license.
5. The computerized method of claim 4, further comprising:
storing the content on persistent storage; and
storing the license for the content on the persistent storage in an encrypted form.
6. The computerized method of claim 1, further comprising:
storing the content on persistent storage; and
storing the access predicate for the content on the persistent storage in an encrypted form.
7. The computerized method of claim 1 wherein the elements are processed in the order recited.
8. The computerized method of claim 1, wherein the access predicate specifies that the application must allow only reading of the content.
9. The computerized method of claim 1, wherein the access predicate specifies that the application must render the content at no greater than a maximum resolution.
10. The computerized method of claim 1, wherein the access predicate specifies that the application must not allow the content to be copied.
11. The computerized method of claim 1, wherein the access predicate specifies that the application must not allow the content to be copied in greater than a maximum resolution.
12. The computerized method of claim 1, wherein the access predicate specifies that the application must not allow the content to be copied unless the content is accompanied by a particular license.
13. The computerized method of claim 1, wherein the access predicate specifies that the application must not allow the content to be stored unless the content is encrypted for storage.
14. The computerized method of claim 1, wherein the access predicate specifies that the application must restrict the ability to store the content to only certain devices.
15. The computerized method of claim 1, wherein the content comprises media content, and further comprising checking the access predicate against a certificate for the CPU of the computer, and wherein the permitting comprises permitting access to the content only if each of the rights manager certificate, the certificate for the operating system, and the certificate for the CPU satisfies the access predicate.
16. The computerized method of claim 15, wherein the media content comprises audio content.
17. The computerized method of claim 15, wherein the media content comprises video content.
18. The computerized method of claim 1, further comprising:
submitting the rights manager certificate to the provider; and
wherein downloading the content comprises downloading the content from the provider only if the provider determines, based at least in part on the rights manager certificate, that the provider should establish a trust relationship with the operating system.
19. A computer system comprising:
a processing unit;
a system memory coupled to the processing unit through a system bus;
a computer-readable medium coupled to the processing unit through the system bus;
an application executed from the computer-readable medium by the processing unit and having a rights manager certificate, wherein the application causes the processing unit to access content;
an operating system executed from the computer-readable medium and certified by the processing unit, wherein the operating system determines whether the application includes a set of properties necessary to be able to process the content by causing the processing unit to compare an access predicate associated with the content against the rights manager certificate for the application when the application causes the processing unit to access the content, and wherein the content is encrypted by a provider for the particular combination of the operating system and the processing unit; and
wherein the operating system decrypts the content only if the application includes the set of properties.
a helper application executed from the computer-readable medium by the processing unit and under the control of the application, wherein the helper application causes the processing unit to perform additional processing of the content.
26. The computer system of claim 19, further comprising:
a different application executed from the computer-readable medium by the processing unit, wherein the different application causes the processing unit to access the content for the different application using the rights manager certificate of the application.
27. The computer system of claim 19, wherein the content comprises media content, wherein the operating system determines whether the application includes the set of properties necessary to be able to process the content by further causing the processing unit to compare a certificate for the operating system to the access predicate and compare a certificate for the processing unit to the access predicate, and wherein the operating system permits access to the content only if each of the rights manager certificate, the certificate for the operating system, and the certificate for the processing unit satisfies the access predicate.
28. The computer system of claim 19, wherein the operating system further causes the processing unit to submit the rights manager certificate to a provider of the content, and wherein the application downloads the content only if the provider determines, based at least in part on the rights manager certificate, that the provider should establish a trust relationship with the operating system.
33. The computer system of claim 19, wherein the access predicate includes properties that specify that the application must do one or more of the following:
allow only reading of the content, render the content at no greater than a maximum resolution, not allow the content to be copied, not allow the content to be copied in greater than a maximum resolution, not allow the content to be copied unless the content is accompanied by a particular license, not allow the content to be stored unless the content is encrypted for storage, and restrict the ability to store the content to only certain devices.
29. One or more computer-readable media having stored thereon a computer program that, when executed by one or more processors, enforces digital rights on content downloaded from a provider by causing the one or more processors to:
download the content from a provider encrypted for a particular combination of an operating system and the one or more processors;
download an access predicate, for the content, that specifies properties an application executed by the one or more processors is to have in order to process the content;
check the access predicate against a rights manager certificate for the application requesting access to the content;
check the access predicate against a certificate for the operating system executed by the one or more processors;
permit access to the content only if both the rights manager certificate and the certificate for the operating system satisfy the access predicate wherein access to the content comprises decrypting the content.
download the access predicate with the content.
31. One or more computer-readable media as recited in claim 29, wherein the computer program further causes the one or more processors to:
download a license for the content; and
monitor the application accessing the content to determine if the license is being violated.
32. One or more computer-readable media as recited in claim 29, wherein the computer program further causes the one or more processors to:
store the content on persistent storage; and
store the access predicate for the content on the persistent storage in an encrypted form.
34. One or more computer-readable media as recited in claim 29, wherein the properties an application is to have in order to process the content comprises both a name of the application and a version of the application.
35. One or more computer-readable media as recited in claim 29, wherein the content comprises media content, and wherein the computer program further causes the one or more processors to:
check the access predicate against a certificate for the one or more processors, and wherein the computer program causes the one or more processors to permit access to the content only if each of the rights manager certificate, the certificate for the operating system, and the certificate for the one or more processors satisfies the access predicate.
36. One or more computer-readable media as recited in claim 29, wherein the computer program further causes the one or more processors to:
submit the rights manager certificate to the provider; and
download the content from the provider only if the provider determines, based at least in part on the rights manager certificate, that the provider should establish a trust relationship with the operating system.
Specification