Method and system for proving membership in a nested group using chains of credentials
First Claim
1. A method of controlling access by a client to a resource that is controlled by a resource server and is made available to members of a nested group, the method comprising:
(a) presenting from the client to the resource server a first request to access the resource;
(b) in response to the first request, sending a challenge from the resource server to the client to prove membership in the nested group;
(c) in response to the challenge, performing a search at the client to obtain a chain of group credentials that proves membership in the nested group; and
(d) presenting from the client to the resource server a second request to access the resource, the second request including the chain of group credentials.
Abstract
In accordance with the invention, a presenter of credentials presents to a recipient of credentials one or more chains of group credentials to prove entity membership or non-membership in a nested group in a computer network. The ability to present a chain of credentials is particularly important when a client is attempting to prove membership or non-membership in a nested group and one or more of the group servers in the family tree are off-line. A chain of group credentials includes two or more proofs of group membership and/or proofs of group non-membership. Furthermore, the proofs of group membership may include one or more group membership certificates and/or one or more group membership lists; and proofs of group non-membership may include one or more group non-membership certificates and/or one or more group membership lists.
64 Claims
1. A method of controlling access by a client to a resource that is controlled by a resource server and is made available to members of a nested group, the method comprising:
(a) presenting from the client to the resource server a first request to access the resource;
(b) in response to the first request, sending a challenge from the resource server to the client to prove membership in the nested group;
(c) in response to the challenge, performing a search at the client to obtain a chain of group credentials that proves membership in the nested group; and
(d) presenting from the client to the resource server a second request to access the resource, the second request including the chain of group credentials.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9

10. A method of controlling access by a client to a resource that is controlled by a resource server and is made available to non-members of a nested group, the method comprising:
(a) presenting from the client to the resource server a first request to access the resource;
(b) in response to the first request, sending a challenge from the resource server to the client to prove non-membership in the nested group;
(c) in response to the challenge, performing a search at the client to obtain a chain of group credentials that proves non-membership in the nested group; and
(d) presenting from the client to the resource server a second request to access the resource, the second request including the chain of group credentials.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18

19. A computer system having a resource to which a client desires access and which is controlled by a resource server so that the resource is made available to members of a nested group, the system comprising:
a mechanism in the client that presents to the resource server a first request to access the resource;
a mechanism in the resource server and operable in response to the first request, that sends a challenge to the client to prove membership in the nested group;
a mechanism in the client and operable in response to the challenge, that performs a search to obtain a chain of group credentials that proves membership in the nested group; and
a mechanism in the client that presents to the resource server a second request to access the resource, the second request including the chain of group credentials.
Dependent claims: 20, 21, 22, 23, 24, 25, 26, 27

28. A computer system having a resource to which a client desires access and which is controlled by a resource server so that the resource is made available to non-members of a nested group, the system comprising:
a mechanism in the client that presents to the resource server a first request to access the resource;
a mechanism in the resource server and operable in response to the first request, that sends a challenge to the client to prove non-membership in the nested group;
a mechanism in the client and operable in response to the challenge, that performs a search to obtain a chain of group credentials that proves non-membership in the nested group; and
a mechanism in the client that presents to the resource server a second request to access the resource, the second request including the chain of group credentials.
Dependent claims: 29, 30, 31, 32, 33, 34, 35, 36

37. A client device on a computer network, said client device configured for requesting one or more resources from a server on the network, in which access to said resources is so controlled by said server as to make them available to members of a nested group, said client device comprising:
A. means for presenting to the server a first request to access the resource;
B. means operable in response to a challenge from the server generated by the first request for performing a search to obtain one or more chains of group credentials that prove client membership in the nested group; and
C. means for transmitting to the server a second request for one or more of the resources, said second request including the one or more chains of group credentials that prove client membership in the nested group.
Dependent claims: 38, 39, 40, 41, 42, 43

44. A client device on a computer network, said client device configured for requesting one or more resources from a server on the network, in which access to said resources is so controlled by said server as to make them available to non-members of a nested group, said client device comprising:
A. means for presenting to the server a first request to access the resource;
B. means operable in response to a challenge from the server generated by the first request for performing a search to obtain one or more chains of group credentials that prove client non-membership in the nested group; and
C. means for transmitting to the server a second request for one or more of the resources, said second request including the one or more chains of group credentials that prove client non-membership in the nested group.
Dependent claims: 45, 46, 47, 48, 49, 50

51. A computer program product comprising a computer usable medium having thereon computer readable program code representing a sequence of instructions that, when executed by a processor in a network device requesting one or more resources from a server, in which access to said resources is so controlled by said server as to make them available to members of a nested group, configures the network device to operate as a client device that:
A. presents to the server a first request to access the resource;
B. in response to a challenge from the server generated by the first request, performs a search to obtain one or more chains of group credentials that prove client membership in the nested group; and
C. transmits to the server a second request for one or more resources, said second request including the one or more chains of group credentials that prove membership in the nested group.
Dependent claims: 52, 53, 54, 55, 56, 57

58. A computer program product comprising a computer usable medium having thereon computer readable program code representing a sequence of instructions that, when executed by a processor in a network device requesting one or more resources from a server, in which access to said resources is so controlled by said server as to make them available to non-members of a nested group, configures the network device to operate as a client device that:
A. presents to the server a first request to access the resource;
B. in response to a challenge from the server generated by the first request, performs a search to obtain one or more chains of group credentials that prove client non-membership in the nested group; and
C. transmits to the server a second request for one or more resources, said second request including the one or more chains of group credentials that prove non-membership in the nested group.
Dependent claims: 59, 60, 61, 62, 63, 64
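The following is an added illustration, not code from the patent: the resource-server side of claims 1 and 10, verifying a presented chain of group credentials without contacting any group server (the off-line case the abstract motivates). It assumes an HMAC keyed per group server, with the resource server holding every group's key, as a stand-in for the signatures real group certificates would carry; the group names, keys, members and clients are constructed. Membership is proven by a chain of membership certificates, and non-membership by signed membership lists (one of the two proof forms the abstract names), checked recursively down every nested subgroup.

```python
import hmac
import hashlib
import json

# Constructed: keys of the group servers the resource server trusts.
# Any name in this table is a (nested) group; any other name is a user.
GROUP_KEYS = {"eng": b"k-eng", "staff": b"k-staff", "vpn-users": b"k-vpn"}


def _mac(issuer, body):
    # Shared-key MAC standing in for the group server's signature (assumption).
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(GROUP_KEYS[issuer], msg, hashlib.sha256).hexdigest()


def issue(issuer, kind, subject=None, members=None):
    """Group server `issuer` emits a 'member' certificate for `subject` or
    its own signed membership list (kind='list')."""
    body = {"issuer": issuer, "kind": kind, "subject": subject, "members": members}
    return {**body, "mac": _mac(issuer, body)}


def authentic(cred):
    """Verify the credential against the issuing group's key; unknown issuer fails."""
    if cred.get("issuer") not in GROUP_KEYS:
        return False
    body = {k: cred[k] for k in ("issuer", "kind", "subject", "members")}
    return hmac.compare_digest(_mac(cred["issuer"], body), cred["mac"])


def proves_membership(chain, client, group):
    """Chain must read client in G1, G1 in G2, ..., Gn in `group`, each link
    an authentic membership certificate whose subject is the previous issuer."""
    subject = client
    for cred in chain:
        if not authentic(cred) or cred["kind"] != "member" or cred["subject"] != subject:
            return False
        subject = cred["issuer"]
    return subject == group


def proves_non_membership(lists, client, group):
    """Non-membership in a nested group needs the group's signed membership list
    showing the client absent, and the same proof for every subgroup it lists.
    `lists` maps group name -> that group's list credential."""
    lst = lists.get(group)
    if lst is None or not authentic(lst) or lst["kind"] != "list":
        return False
    if client in lst["members"]:
        return False
    subgroups = [m for m in lst["members"] if m in GROUP_KEYS]
    return all(proves_non_membership(lists, client, g) for g in subgroups)
```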