Issuing a digital rights management (DRM) license for content based on cross-forest directory information

US 7,827,156 B2
Filed: 02/26/2003
Issued: 11/02/2010
Est. Priority Date: 02/26/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method for determining whether a user from an organization is a member of a group pre-defined within the organization, wherein the group is identified in a signed rights label that delimits digital licenses that a license server has validated, each digital license specifying a set of rights, the signed rights label naming one or more groups and specifying a set of corresponding rights for each group, the organization maintaining a computer network comprising at least a forest A and a forest B, forest A having a directory A and a querying entity A directory A, forest B having a directory B and a querying entity B configured to query directory B, the group being native to either forest A or forest B, the method comprising:

querying entity A receiving a request from the user within forest A for a digital license to render a corresponding piece of digital content within forest A, the request including an identification of the user and an identification of the group;

querying entity A querying directory A of forest A to return any object therein associated with the group, the group instead being native to forest B such that directory B of forest B has therein a record object corresponding to the group, the record object for the group in directory B including all direct members of the group, directory A of forest A having therein a pointer object corresponding to the group, the pointer object in directory A including an address of forest B;

querying entity A receiving in response from directory A the pointer object for the group, thus signifying that the group is not native to forest A;

querying entity A retrieving the address of forest B from the received pointer object;

querying entity A employing the address of forest B to query directory B of forest B for an address of querying entity B of forest B;

querying entity A receiving in response from directory B the address of querying entity B; and

querying entity A contacting querying entity B of forest B at the address of querying entity B and requesting querying entity B to query directory B whether the group currently exists, and if the group currently exists, whether the user is a member of the group in forest B, wherein if the group does not currently exist, the user is not a member of the group, and querying entity B queries directory B whether the user is a member of another of the one or more groups named in the signed rights label;

querying entity A receiving in response from querying entity B whether the user is in fact a member of the group in forest B; and

querying entity A granting the request within forest A from the user within forest A based at least in part on whether the user is a member of the group in forest B, wherein the querying entity A is a digital rights management (DRM) server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An organization maintains a computer network comprising at least a forest A and a forest B, where forest A has a directory A and a querying entity A capable of querying directory A, and forest B has a directory B and a querying entity B capable of querying directory B. Querying entity A receives a request from the user and decides whether to grant the request based at least in part on whether the user is a member of the group. Thus, querying entity A queries directory A to return information on the group, is directed to forest B, contacts querying entity B, requests querying entity B to query directory B whether the user is a member of the group, receives a response, and grants the request from the user based at least in part on whether the user is a member of the group.

Citations

13 Claims

1. A method for determining whether a user from an organization is a member of a group pre-defined within the organization, wherein the group is identified in a signed rights label that delimits digital licenses that a license server has validated, each digital license specifying a set of rights, the signed rights label naming one or more groups and specifying a set of corresponding rights for each group, the organization maintaining a computer network comprising at least a forest A and a forest B, forest A having a directory A and a querying entity A directory A, forest B having a directory B and a querying entity B configured to query directory B, the group being native to either forest A or forest B, the method comprising:
- querying entity A receiving a request from the user within forest A for a digital license to render a corresponding piece of digital content within forest A, the request including an identification of the user and an identification of the group;
  
  querying entity A querying directory A of forest A to return any object therein associated with the group, the group instead being native to forest B such that directory B of forest B has therein a record object corresponding to the group, the record object for the group in directory B including all direct members of the group, directory A of forest A having therein a pointer object corresponding to the group, the pointer object in directory A including an address of forest B;
  
  querying entity A receiving in response from directory A the pointer object for the group, thus signifying that the group is not native to forest A;
  
  querying entity A retrieving the address of forest B from the received pointer object;
  
  querying entity A employing the address of forest B to query directory B of forest B for an address of querying entity B of forest B;
  
  querying entity A receiving in response from directory B the address of querying entity B; and
  
  querying entity A contacting querying entity B of forest B at the address of querying entity B and requesting querying entity B to query directory B whether the group currently exists, and if the group currently exists, whether the user is a member of the group in forest B, wherein if the group does not currently exist, the user is not a member of the group, and querying entity B queries directory B whether the user is a member of another of the one or more groups named in the signed rights label;
  
  querying entity A receiving in response from querying entity B whether the user is in fact a member of the group in forest B; and
  
  querying entity A granting the request within forest A from the user within forest A based at least in part on whether the user is a member of the group in forest B, wherein the querying entity A is a digital rights management (DRM) server.
- View Dependent Claims (2, 3, 4, 5, 11)
- - 2. The method of claim 1 further comprising querying entity B querying directory B of forest B to determine whether the user is a member of the group by:
    - querying entity B querying directory B of forest B to return any object therein for the group, the group being native to forest B such that directory B of forest B has therein a record object corresponding to the group, the record object for the group in directory B including all direct members of the group;
      
      querying entity B receiving in response from directory B the record object for the group, thus signifying that the group is native to forest B; and
      
      querying entity B reviewing the direct members of the group as set forth in the record object to determine whether the user is a direct member of the group.
  - 3. The method of claim 2, wherein the user is determined not to be a direct member of the group, and further comprising querying entity B querying directory B to return any object for the user and thus proceeding to determine whether the user is an indirect member of the group by attempting within directory B to find a membership path from the user to the group, whereby a membership path is found from the user to the group establishes that the user is in fact a member of the group;
    - querying entity B reporting to querying entity A whether the user within forest A is in fact a member of the group based on whether the membership path was found.
  - 4. The method of claim 2 wherein the querying entity B is a DRM server, the method further comprising querying entity A sending to querying entity B an identification of querying entity A as being a DRM server and querying entity B determining based on the sent identification that querying entity A is entitled to be informed whether the user is a member of the group.
  - 5. The method of claim 4 comprising querying entity A sending to querying entity B a digital certificate with a certificate chain leading back to a trusted root of authority as recognized by querying entity B, and querying entity B verifying the certificate.
  - 11. The method of claim 2, wherein the user is determined to be a direct member of the group, and further comprising querying entity B reporting to querying entity A that the user is in fact a member of the group.

6. A computer-readable storage medium having stored thereon computer-executable instructions for performing a method for determining whether a user from an organization is a member of a group pre-defined within the organization, wherein the group is identified in a signed rights label that delimits digital licenses that a license server has validated, each digital license specifying a set of rights, the signed rights label naming one or more groups and specifying a set of corresponding rights for each group, the organization maintaining a computer network comprising at least a forest A and a forest B, forest A having a directory A and a querying entity A configured to query directory A, forest B having a directory B and a querying entity B configured to query directory B, the group being native to either forest A or forest B, the method comprising:
- Querying entity A receiving a request from the user within forest A for a digital license to render a corresponding piece of digital content within forest A, the request including an identification of the user and an identification of the group;
  
  querying entity A querying directory A of forest A to return any object therein associated with the group, the group instead being native to forest B such that directory B of forest B has therein a record object corresponding to the group, the record object for the group in directory B including all direct members of the group, directory A of forest A having therein a pointer object corresponding to the group, the pointer object in directory A including an address of forest B;
  
  querying entity A receiving in response from directory A the pointer object for the group, thus signifying that the group is not native to forest A;
  
  querying entity A retrieving the address of forest B from the received pointer object;
  
  querying entity A employing the address of forest B to querying directory B of forest B for an address of querying entity B of forest B;
  
  querying entity A receiving in response from directory B the address of querying entity B; and
  
  querying entity A contacting querying entity B of forest B at the address of querying entity B and requesting querying entity B to query directory B whether the group currently exists, and if the group currently exists, whether the user is a member of the group in forest B, wherein if the group does not currently exist, the user is not a member of the group, and querying entity B queries directory B whether the user is a member of another of the one or more groups named in the signed rights label;
  
  querying entity A receiving in response from querying entity B whether the user is in fact a member of the group in forest B; and
  
  querying entity A granting the request within forest A from the user within forest A based at least in part on whether the user is a member of the group in forest B, wherein the querying entity A is a digital rights management (DRM) server.
- View Dependent Claims (7, 8, 9, 10, 12)
- - 7. The medium of claim 6 in combination with another computer-readable medium having stored thereon computer-executable instructions for performing a method comprising querying entity B querying directory B of forest B to determine whether the user is a member of the group by:
    - querying entity B querying directory B of forest B to return any object therein for the group, the group being native to forest B such that directory B of forest B has therein a record object corresponding to the group, the record object for the group in directory B including all direct members of the group;
      
      querying entity B receiving in response from directory B the record object for the group, thus signifying that the group is native to forest B; and
      
      querying entity B reviewing the direct members of the group as set forth in the record object to determine whether the user is a direct member of the group.
  - 8. The another medium of claim 7 wherein the method further comprises:
    - wherein the user is determined to not be a direct member of the group, and further comprising querying entity B querying directory B to return any object for the user and thus proceeding to determine whether the user is an indirect member of the group by attempting within directory B to find a membership path from the user to the group, whereby a membership path found from the user to the group establishes that the user is in fact a member of the group; and
      
      querying entity B reporting to querying entity A whether the user within forest A is in fact a member of the group based on whether [a] the membership path was found.
  - 9. The medium and another medium of claim 7 wherein the querying entity B is a DRM server, the method of the medium further comprising querying entity A sending to querying entity B an identification of querying entity A as being a DRM server, the method of the another medium further comprising querying entity B determining based on the sent identification that querying entity A is entitled to be informed whether the user is a member of the group.
  - 10. The medium and another medium of claim 9 wherein the method of the medium comprises querying entity A sending to querying entity B a digital certificate with a certificate chain leading back to a trusted root of authority as recognized by querying entity B, and the method of the another medium comprising querying entity B verifying the certificate.
  - 12. The another medium of claim 7 wherein the user is determined to be a direct member of the group, and wherein the method further comprises querying entity B reporting to querying entity A that the user is in fact a member of the group.

13. A method for determining whether a user from an organization is a member of a group pre-defined within the organization, wherein the group is identified in a signed rights label naming one or more groups and specifying a set of corresponding rights for each group, the organization maintaining a computer network comprising at least a forest A and a forest B, forest A having a directory A and a querying entity A configured to query directory A, forest B having a directory B and a querying entity B configured to query directory B, the group being native to either forest A or forest B, querying entity A and querying entity B both being digital rights management (DRM) servers, the method comprising:
- querying entity A receiving a request from the user within forest A for a digital license to render a corresponding piece of digital content within forest A, the request including an identification of the user and an identification of the group;
  
  querying entity A querying directory A of forest A to request any object therein associated with the group, the group instead being native to forest B, the directory B of forest B having therein a record object corresponding to the group, the record object for the group in directory B including all direct members of the group, directory A of forest A having therein a pointer object corresponding to the group, the pointed object in directory A including an address of forest B;
  
  querying entity A receiving in response to the request to directory A the pointed object containing the address of forest B, such pointer object thereby signifying that the group is not native to forest A but is instead native to forest B;
  
  querying entity A retrieving the address of forest B from the received pointer object;
  
  querying entity A employing the address of forest B to query directory B of forest B for an address of querying entity B of forest B;
  
  querying entity A receiving in response from directory B the address of querying entity B;
  
  querying entity A contacting querying entity B at the address of querying entity B, and requesting querying entity B to query directory B whether the group currently exists, and if the group currently exists, whether the user is a member of the group in forest B, wherein if the group does not currently exist, the user is not a member of the group, the request from querying entity A to querying entity B including an identification of querying entity A as being a DRM server;
  
  querying entity B determining based on the identification of querying entity A that querying entity A is entitled to be informed whether the user is a member of the group;
  
  querying entity B querying directory B of forest B to return any object therein for the group;
  
  querying entity B receiving in response from directory B the record object in directory B for the group;
  
  querying entity B reviewing the direct members of the group as set forth in the record object to determine whether the user is a direct member of the group, wherein the user is determined to not be a direct member of the group;
  
  querying entity B querying directory B to return any object for the user and proceeding to determine whether the user is an indirect member of the group by attempting within directory B to find a membership path from the user to the group, whereby the membership path found from the user to the group establishes that the user is in fact a member of the group;
  
  querying entity B reporting to querying entity A that the user within forest A is in fact a member of the group based on the membership path being found; and
  
  querying entity A granting the request within forest A from the user within forest A based at least in part on whether the user is a member of the group in forest B.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Rozenfeld, Yevgeniy Eugene, Waxman, Peter David, Narin, Attila, Venkatesh, Chandramouli
Primary Examiner(s)
Rones; Charles
Assistant Examiner(s)
Adams; Charles D

Application Number

US10/374,321
Publication Number

US 20040168077A1
Time in Patent Office

2,806 Days
Field of Search

709/225, 709/229, 707/9, 707/200, 713/155, 713/156, 726/2, 726/17
US Class Current

707/694
CPC Class Codes

G06F 21/6227   where protection concerns t...

H04L 2463/101   applying security measures ...

H04L 63/105   Multiple levels of security

Issuing a digital rights management (DRM) license for content based on cross-forest directory information

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Issuing a digital rights management (DRM) license for content based on cross-forest directory information

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links