Method and system for dynamic issuance of group certificates
Abstract
In accordance with the invention, on-line group servers issue group membership or group non-membership certificates upon request. Furthermore, when a requester requests a group certificate for a particular entity, the associated group server makes a dynamic decision regarding the entity's membership in the group rather than simply referring to a membership list. These capabilities provide for, among other things, the implementation of "nested" groups, wherein an entity may indirectly prove membership in a first, or nested, group by proving membership in a second group which is a member of the first group. In the nested group situation, the dynamic decision may involve the group server of the nested group obtaining proof of the entity's membership or non-membership in the second group. Proof of membership or non-membership may include a group certificate and/or a group membership list.
12 Claims
1. A method of employing a resource server to provide resources to a client, the method comprising:
associating each resource with a respective age threshold on the basis of a level of security desired for the resource, in which the age threshold represents the oldest allowable age of a membership certificate that can be associated with a request for the resource, such that the resource can be provided in reply to the request only if the membership certificate has an age that is not older than the oldest allowable age, receiving a request from the client for at least one of the resources, the request being associated with a membership certificate that was issued by a server other than the resource server and that certifies at least one of group membership and group non-membership of the client as of a time, determining an age of the membership certificate relative to that time, for each of the at least one resource that is requested by the client;
comparing the age of the membership certificate with the age threshold associated with the resource, and providing the resource to the client only if the age is not older than the age threshold.
4. A system for providing resources to a client, the system comprising:
a resource server that is in communication with the client, that controls access to the resources, and that is configured to:
associate each resource with a respective age threshold on the basis of a level of security desired for the resource, in which the age threshold represents the oldest allowable age of a membership certificate that can be associated with a request for the resource, such that the resource can be provided in reply to the request only if the membership certificate has an age that is not older than the oldest allowable age, receive a request from the client for at least one of the resources, the request being associated with a membership certificate that was issued by a server other than the resource server and that certifies at least one of group membership and group non-membership of the client as of a time, determine an age of the membership certificate relative to that time, for each of the at least one resource that is requested by the client;
compare the age of the membership certificate with the age threshold associated with the resources, and provide the resource to the client only if the age is within the age threshold.
7. A processor-readable medium including instructions to cause a processor of a resource server to:
associate each of two or more resources with a respective age threshold on the basis of a level of security desired for the resource, in which the age threshold represents the oldest allowable age of a membership certificate that can be associated with a request for the resource, such that the resource can be provided in reply to the request only if the membership certificate has an age that is not older than the oldest allowable age, receive a request from a client for at least one of the two or more resources, the request being associated with a membership certificate that was issued by a server other than the resource server and that certifies at least one of group membership and group non-membership of the client as of a time, determine an age of the membership certificate relative to that time, for each of the at least one resource that is requested by the client;
compare the age of the membership certificate with the age threshold associated with the resource, and provide the resource to the client only if the age is within the age threshold.
10. A processor data-signal embodied in a carrier wave and representing instructions to cause a processor of a resource server to:
associate each of two or more resources with a respective age threshold on the basis of a level of security desired for the resource, in which the age threshold represents the oldest allowable age of a membership certificate that can be associated with a request for the resource, such that the resource can be provided in reply to the request only if the membership certificate has an age that is not older than the oldest allowable age, receive a request from a client for at least one of the two or more resources, the request being associated with a membership certificate that was issued by a server other than the resource server and that certifies at least one of group membership and group non-membership of the client as of a time, determine an age of the membership certificate relative to that time, for each of the at least one resource that is requested by the client;
compare the age of the membership certificate with the age threshold associated with the resource, and provide the resource to the client only if the age is within the age threshold.
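As an added illustration that is not part of the patent, the following Python sketches the resource-server check described in claims 1, 4, 7 and 10: each resource carries its own oldest-allowable age for a group certificate issued by a separate group server, so one certificate may be fresh enough for a low-sensitivity resource and too old for a sensitive one. The policy table, group names, deny-by-default handling of unknown resources and the clock-skew tolerance are constructed assumptions.

```python
# Added illustration (not the patent's own code): a resource server that gates each
# resource on the age of a group certificate issued by a separate group server.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class GroupCertificate:
    subject: str
    group: str
    is_member: bool        # True: membership certificate, False: non-membership
    issued_at: datetime    # the "as of" time the group server certified

@dataclass(frozen=True)
class ResourcePolicy:
    group: str
    require_member: bool   # whether the resource needs membership or non-membership
    max_age: timedelta     # oldest allowable certificate age for this resource

# Constructed sample policy: the more sensitive the resource, the fresher the
# certificate must be, so one certificate can open "wiki" yet be refused for "payroll".
POLICIES = {
    "wiki":              ResourcePolicy("staff", True, timedelta(days=1)),
    "payroll":           ResourcePolicy("staff", True, timedelta(minutes=15)),
    # Contractor portal: only for entities certified NOT to be employees.
    "contractor-portal": ResourcePolicy("employees", False, timedelta(hours=1)),
}

# Assumed tolerance for a certificate timestamped slightly ahead of our clock.
MAX_CLOCK_SKEW = timedelta(seconds=30)

def certificate_age(cert: GroupCertificate, now: datetime) -> timedelta:
    """Age of the certificate relative to the time it certifies."""
    return now - cert.issued_at

def decide(resource: str, cert: GroupCertificate, now: datetime) -> tuple[bool, str]:
    """Deny by default; allow only when group, membership kind and age all match."""
    policy = POLICIES.get(resource)
    if policy is None:
        return False, "unknown resource"
    if cert.group != policy.group or cert.is_member != policy.require_member:
        return False, "certificate does not certify the required group status"
    age = certificate_age(cert, now)
    if age < -MAX_CLOCK_SKEW:
        return False, "certificate timestamp is in the future"
    if age > policy.max_age:
        return False, f"certificate too old: {age} exceeds {policy.max_age}"
    return True, "ok"
```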
Specification