Method and system for proving membership in a nested group using chains of credentials

US 7,213,262 B1
Filed: 05/10/1999
Issued: 05/01/2007
Est. Priority Date: 05/10/1999
Status: Expired due to Term

First Claim

Patent Images

1. A method of controlling access by a client to a resource that is controlled by a resource server and is made available to members of a nested group, the method comprising:

(a) presenting from the client to the resource server a first request to access the resource;

(b) in response to the first request, sending a challenge from the resource server to the client to prove membership in the nested group;

(c) in response to the challenge, performing a search at the client to obtain a chain of group credentials that proves membership in the nested group; and

(d) presenting from the client to the resource server a second request to access the resource, the second request including the chain of group credentials.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with the invention, a presenter of credentials presents to a recipient of credentials one or more chains of group credentials to prove entity membership or non-membership in a nested group in a computer network. The ability to present a chain of credentials is particularly important when a client is attempting the prove membership or non-membership in a nested group and one or more of the group servers in the family tree are off-line. A chain of group credentials includes two or more proofs of group membership and/or proofs of group non-membership Furthermore, the proofs of group membership may include one or more group membership certificates and/or one or more group membership lists; and proofs of group non-membership may include one or more group non-membership certificates and/or one or more group membership lists.

Citations

64 Claims

1. A method of controlling access by a client to a resource that is controlled by a resource server and is made available to members of a nested group, the method comprising:
- (a) presenting from the client to the resource server a first request to access the resource;
  
  (b) in response to the first request, sending a challenge from the resource server to the client to prove membership in the nested group;
  
  (c) in response to the challenge, performing a search at the client to obtain a chain of group credentials that proves membership in the nested group; and
  
  (d) presenting from the client to the resource server a second request to access the resource, the second request including the chain of group credentials.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein membership in each group is controlled by a group server and wherein step (c) comprises contacting with the client at least one group server to obtain therefrom group credentials proving membership in the group controlled by that server.
  - 3. The method of claim 2 wherein step (c) further comprises providing from the client to the at least one group server group credentials proving membership in a group nested in the group controlled by that server.
  - 4. The method of claim 1, wherein one of said chains of group credentials comprise one or more proofs of group membership.
  - 5. The method of claim 4, wherein said proofs of group membership comprise one or more group membership certificates.
  - 6. The method of claim 4, wherein said proofs of group membership comprise one or more group membership lists.
  - 7. The method of claim 1, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.
  - 8. The method of claim 7, wherein said proofs of group non-membership comprise one or more group non-membership certificates.
  - 9. The method of claim 7, wherein said proofs of group non-membership comprise one or more group membership lists.

10. A method of controlling access by a client to a resource that is controlled by a resource server and is made available to non-members of a nested group, the method comprising:
- (a) presenting from the client to the resource server a first request to access the resource;
  
  (b) in response to the first request, sending a challenge from the resource server to the client to prove non-membership in the nested group;
  
  (c) in response to the challenge, performing a search at the client to obtain a chain of group credentials that proves non-membership in the nested group; and
  
  (d) presenting from the client to the resource server a second request to access the resource, the second request including the chain of group credentials.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10 wherein membership in each group is controlled by a group server and wherein step (c) comprises contacting with the client at least one group server to obtain therefrom group credentials proving non-membership in the group controlled by that server.
  - 12. The method of claim 11 wherein step (c) further comprises providing from the client to the at least one group server group credentials proving non-membership in a group nested in the group controlled by that server.
  - 13. The method of claim 10, wherein one of said chains of group credentials comprise one or more proofs of group membership.
  - 14. The method of claim 13, wherein said proofs of group membership comprise one or more group membership certificates.
  - 15. The method of claim 13, wherein said proofs of group membership comprise one or more group membership lists.
  - 16. The method of claim 10, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.
  - 17. The method of claim 16, wherein said proofs of group non-membership comprise one or more group non-membership certificates.
  - 18. The method of claim 16, wherein said proofs of group non-membership comprise one or more group membership lists.

19. A computer system having a resource to which a client desires access and which is controlled by a resource server so that the resource is made available to members of a nested group, the system comprising:
- a mechanism in the client that presents to the resource server a first request to access the resource;
  
  a mechanism in the resource server and operable in response to the first request, that sends a challenge to the client to prove membership in the nested group;
  
  a mechanism in the client and operable in response to the challenge, that performs a search to obtain a chain of group credentials that proves membership in the nested group; and
  
  a mechanism in the client that presents to the resource server a second request to access the resource, the second request including the chain of group credentials.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The system of claim 19 wherein membership in each group is controlled by a group server and wherein the mechanism that obtains a chain of group credentials comprises a mechanism that contacts at least one group server to obtain therefrom group credentials proving membership in the group controlled by that server.
  - 21. The system of claim 20 wherein the mechanism that obtains a chain of group credentials further comprises a mechanism that provides to the at least one group server group credentials proving membership in a group nested in the group controlled by that server.
  - 22. The system of claim 19, wherein one of said chains of group credentials comprise one or more proofs of group membership.
  - 23. The system of claim 22, wherein said proofs of group membership comprise one or more group membership certificates.
  - 24. The system of claim 22, wherein said proofs of group membership comprise one or more group membership lists.
  - 25. The system of claim 19, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.
  - 26. The system of claim 25, wherein said proofs of group non-membership comprise one or more group non-membership certificates.
  - 27. The system of claim 25, wherein said proofs of group non-membership comprise one or more group membership lists.

28. A computer system having a resource to which a client desires access and which is controlled by a resource server so that the resource is made available to non-members of a nested group, the system comprising:
- a mechanism in the client that presents to the resource server a first request to access the resource;
  
  a mechanism in the resource server and operable in response to the first request, that sends a challenge to the client to prove non-membership in the nested group;
  
  a mechanism in the client and operable in response to the challenge, that performs a search to obtain a chain of group credentials that proves non-membership in the nested group; and
  
  a mechanism in the client that presents to the resource server a second request to access the resource, the second request including the chain of group credentials.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36)
- - 29. The system of claim 28 wherein membership in each group is controlled by a group server and wherein the mechanism that obtains a chain of group credentials comprises a mechanism that contacts at least one group server to obtain therefrom group credentials proving non-membership in the group controlled by that server.
  - 30. The system of claim 29 wherein the mechanism that obtains a chain of group credentials further comprises a mechanism that provides to the at least one group server group credentials proving non-membership in a group nested in the group controlled by that server.
  - 31. The system of claim 28, wherein one of said chains of group credentials comprise one or more proofs of group membership.
  - 32. The system of claim 31, wherein said proofs of group membership comprise one or more group membership certificates.
  - 33. The system of claim 31, wherein said proofs of group membership comprise one or more group membership lists.
  - 34. The system of claim 28, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.
  - 35. The system of claim 34, wherein said proofs of group non-membership comprise one or more group non-membership certificates.
  - 36. The system of claim 34, wherein said proofs of group non-membership comprise one or more group membership lists.

37. A client device on a computer network, said client device configured for requesting one or more resources from a server on the network, in which access to said resources is so controlled by said server as to make them available to members of a nested group, said client device comprising:
- A. means for presenting to the server a first request to access the resource;
  
  B. means operable in response to a challenge from the server generated by the first request for performing a search to obtain one or more chains of group credentials that prove client membership in the nested group, andC. means for transmitting to the server a second request for one or more of the resources, said second request including the one or more chains of group credentials that prove client membership in the nested group.
- View Dependent Claims (38, 39, 40, 41, 42, 43)
- - 38. The client device of claim 37, wherein one of said chains of group credentials comprise one or more proofs of group membership.
  - 39. The client device of claim 38, wherein said proofs of group membership comprise one or more group membership certificates.
  - 40. The client device of claim 38, wherein said proofs of group membership comprise one or more group membership lists.
  - 41. The client device of claim 37, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.
  - 42. The client device of claim 41, wherein said proofs of group non-membership comprise one or more group non-membership certificates.
  - 43. The client device of claim 41, wherein said proofs of group non-membership comprise one or more group membership lists.

44. A client device on a computer network, said client device configured for requesting one or more resources from a server on the network, in which access to said resources is so controlled by said server as to make them available to non-members of a nested group, said client device comprising:
- A. means for presenting to the server a first request to access the resource,B. means operable in response to a challenge from the server generated by the first request for performing a search to obtain one or more chains of group credentials that prove client non-membership in the nested group, andC. means for transmitting to the server a second request for one or more of the resources, said second request including the one or more chains of group credentials that prove client non-membership in the nested group.
- View Dependent Claims (45, 46, 47, 48, 49, 50)
- - 45. The client device of claim 44, wherein one of said chains of group credentials comprise one or more proofs of group membership.
  - 46. The client device of claim 45, wherein said proofs of group membership comprise one or more group membership certificates.
  - 47. The client device of claim 45, wherein said proofs of group membership comprise one or more group membership lists.
  - 48. The client device of claim 44, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.
  - 49. The client device of claim 48, wherein said proofs of group non-membership comprise one or more group non-membership certificates.
  - 50. The client device of claim 48, wherein said proofs of group nonmembership comprise one or more group membership lists.

51. A computer program product comprising a computer usable medium having thereon computer readable program code representing a sequence of instructions that, when executed by a processor in a network device requesting one or more resources from a server, in which access to said resources is so controlled by said server as to make them available to members of a nested group, configures the network device to operate as a client device that:
- A. presents to the server a first request to access the resource,B. in response to a challenge from the server generated by the first request performs a search to obtain one or more chains of group credentials that prove client membership in the nested group, andC. transmits to the server a second request for one or more resources, said second request including the one or more chains of group credentials that prove membership in the nested group.
- View Dependent Claims (52, 53, 54, 55, 56, 57)
- - 52. The computer program product of claim 51, wherein one of said chains of group credentials comprise one or more proofs of group membership.
  - 53. The computer program product of claim 52, wherein said proofs of group membership comprise one or more group membership certificates.
  - 54. The computer program product of claim 52, wherein said proofs of group membership comprise one or more group membership lists.
  - 55. The computer program product of claim 51, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.
  - 56. The computer program product of claim 55, wherein said proofs of group non-membership comprise one or more group non-membership certificates.
  - 57. The computer program product of claim 55, wherein said proofs of group non-membership comprise one or more group membership lists.

58. A computer program product comprising a computer usable medium having thereon computer readable program code representing a sequence of instructions that, when executed by a processor in a network device requesting one or more resources from a server, in which access to said resources is so controlled by said server as to make them available to non-members of a nested group, configures the network device to operate as a client device that:
- A. presents to the server a first request to access the resource,B. in response to a challenge from the server generated by the first request performs a search to obtain one or more chains of group credentials that prove client non-membership in the nested group, andC. transmits to the server a second request for one or more resources, said second request including the one or more chains of group credentials that prove non-membership in the nested group.
- View Dependent Claims (59, 60, 61, 62, 63, 64)
- - 59. The computer program product of claim 58, wherein one of said chains of group credentials comprise one or more proofs of group membership.
  - 60. The computer program product of claim 59, wherein said proofs of group membership comprise one or more group membership certificates.
  - 61. The computer program product of claim 59, wherein said proofs of group membership comprise one or more group membership lists.
  - 62. The computer program product of claim 58, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.
  - 63. The computer program product of claim 62, wherein said proofs of group non-membership comprise one or more group non-membership certificates.
  - 64. The computer program product of claim 62, wherein said proofs of group non-membership comprise one or more group membership lists.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Perlman, Radia J., Hanna, Stephen R., Anderson, Anne H., Mullan, Sean J., Elley, Yassir K.
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US09/310,165
Time in Patent Office

2,913 Days
Field of Search

713155-158, 713/182, 713200-202, 713/150, 713/168, 713/175, 380/277, 380/278, 380/286, 707/1.9, 709/200, 709227-229
US Class Current

726/10
CPC Class Codes

G06F 21/6218 to a system of files or obj...

G06F 2221/2115 Third party

Method and system for proving membership in a nested group using chains of credentials

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

64 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for proving membership in a nested group using chains of credentials

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

64 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links