Using an identity-based communication layer for computing device communication

US 7,962,655 B2
Filed: 02/25/2003
Issued: 06/14/2011
Est. Priority Date: 07/29/2002
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for communicating between two endpoints connected to a network, the method comprising having a first endpoint use a global address of a second endpoint to communicate with the second endpoint, wherein:

the global address specifies a protocol, a network identifier, and an address meaningful for the combination of the protocol and a network identified by the network identifier, an application of the first endpoint sends messages directed to the second endpoint through an identity-based communication layer, implemented on a computing device, that is situated between a network layer and an application layer,the messages being independent of the protocol,the identity-based communication layer transmits the messages to the second endpoint using the protocol, the network, and the address specified by the global address,wherein the first endpoint comprises a first physical device and the second endpoint comprises a second physical device;

the method further comprising determining the global address of the second endpoint by using a unique identity identifier associated with the second endpoint;

wherein the unique identity identifier specifies a realm and a unique identifier that identifies the second endpoint within the realm, and the combination of the realm and the unique identifier uniquely identifies the identity.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer architecture for enterprise device applications provides a real-time, bi-directional communication layer for device communication. An identity-based communications layer provides for secure, end-to-end telemetry and control communications by enabling mutual authentication and encryption between the devices and the enterprise. The identity-based communications layer is situated between a network layer and an application layer and transmits a message between two devices identified by a global address. The global address specifies a protocol, a network, and an address meaningful for the combination of the protocol and the network.

Citations

56 Claims

1. A computer-implemented method for communicating between two endpoints connected to a network, the method comprising having a first endpoint use a global address of a second endpoint to communicate with the second endpoint, wherein:
- the global address specifies a protocol, a network identifier, and an address meaningful for the combination of the protocol and a network identified by the network identifier, an application of the first endpoint sends messages directed to the second endpoint through an identity-based communication layer, implemented on a computing device, that is situated between a network layer and an application layer,the messages being independent of the protocol,the identity-based communication layer transmits the messages to the second endpoint using the protocol, the network, and the address specified by the global address,wherein the first endpoint comprises a first physical device and the second endpoint comprises a second physical device;
  
  the method further comprising determining the global address of the second endpoint by using a unique identity identifier associated with the second endpoint;
  
  wherein the unique identity identifier specifies a realm and a unique identifier that identifies the second endpoint within the realm, and the combination of the realm and the unique identifier uniquely identifies the identity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 2. The computer-implemented method of claim 1 wherein the global address may be different each time a session is initiated with the second endpoint.
  - 3. The computer-implemented method of claim 1 wherein the unique identity identifier comprises an identity identifier for a composite identity, the composite identity being associated with two or more other identity identifiers.
  - 4. The computer-implemented method of claim 3 wherein the composite identity is associated with an authentication credential.
  - 5. The computer-implemented method of claim 3 further comprising creating the composite identity only when each of the two or more other identity identifiers associated with the composite identity have been authenticated.
  - 6. The computer-implemented method of claim 3 wherein at least one of the two or more other identity identifiers associated with the composite identity comprises an identity identifier for another composite identity.
  - 7. The computer-implemented method of claim 1 wherein determining the global address is accomplished through the use of a presence and availability service that provides the global address in response to a received identity identifier.
  - 8. The computer-implemented method of claim 7 further comprising having the second endpoint announce the global address of the second endpoint through the use of the presence and availability service.
  - 9. The computer-implemented method of claim 8 further comprising:
    - determining whether the second endpoint is permitted to announce the global address;
      
      and only when the second endpoint is permitted to announce the global address, having the second endpoint announce the global address through the use of the presence and availability service.
  - 10. The computer-implemented method of claim 9 wherein determining whether the second endpoint is permitted to announce the global address is based on the identity identifier of the second endpoint.
  - 11. The computer-implemented method of claim 9 wherein determining whether the second endpoint is permitted to announce the global address is performed by a policy service.
  - 12. The computer-implemented method of claim 8 wherein the global address the presence and availability service provides in response to an identity identifier is the global address most recently announced by the endpoint associated with that identity identifier.
  - 13. The computer-implemented method of claim 1 wherein determining the global address of the second endpoint occurs during an authentication procedure involving the first endpoint, the second endpoint and a third entity.
  - 14. The computer-implemented method of claim 13 further comprising:
    - determining whether a communication session between the second endpoint and a first endpoint is permitted; and
      
      completing the authentication procedure only when the communication session is permitted.
  - 15. The computer-implemented method of claim 14 wherein determining whether the communication session is permitted is based on the identity identifier of at least one of the second endpoint and the first endpoint.
  - 16. The computer-implemented method of claim 14 wherein determining whether the communication session is permitted is performed by a policy service.
  - 17. The computer-implemented method of claim 1 further comprising encrypting messages exchanged in the communication session between the first endpoint and the second endpoint.
  - 18. The computer-implemented method of claim 17 further comprising having a policy service determine whether to encrypt messages exchanged in the communication session between the first endpoint and the second endpoint.
  - 19. The computer-implemented method of claim 17 wherein determining whether to encrypt messages occurs when the first endpoint initiates a communication session with the second endpoint.
  - 20. The computer-implemented method of claim 17 wherein determining whether to encrypt messages is based on the identity identifier of at least one of the first endpoint and the second endpoint.
  - 21. The computer-implemented method of claim 17 wherein determining whether to encrypt messages occurs during an authentication procedure involving the first endpoint, the second endpoint, and a third entity.
  - 22. The computer-implemented method of claim 1 further comprising applying an integrity check to a message exchanged in the communication session between the first endpoint and the second endpoint.
  - 23. The computer-implemented method of claim 22 wherein the integrity check employs a message authentication code.
  - 24. The computer-implemented method of claim 22 further comprising having a policy service determine whether to apply integrity checks to messages exchanged in the communication session between the first endpoint and the second endpoint.
  - 25. The computer-implemented method of claim 22 wherein determining whether to apply data integrity checks occurs when the first endpoint initiates a communication session with the second endpoint.
  - 26. The computer-implemented method of claim 25 wherein determining whether to apply data integrity checks is based on the identity identifier of at least one of the first endpoint and the second endpoint.
  - 27. The computer-implemented method of claim 25 wherein determining whether to apply data integrity checks occurs during an authentication procedure involving the first endpoint, the second endpoint, and a third entity.
  - 28. The computer-implemented method of claim 1 wherein:
    - the first endpoint is connected to a first network,the second endpoint is connected to a second network, anda relay is used to connect the first network and the second network.
  - 29. The computer-implemented method of claim 1 wherein the protocol comprises a message framing protocol using the transmission control protocol.
  - 30. The computer-implemented method of claim 29 wherein the address meaningful for the combination of the protocol and the network identified by the network identifier comprises an Internet Protocol address and a transmission control protocol port number.
  - 31. The computer-implemented method of claim 29 wherein the address meaningful for the combination of the protocol and the network identified by the network identifier comprises an Internet Protocol domain name and a transmission control protocol port number.
  - 32. The computer-implemented method of claim 1 wherein the protocol is the Hypertext Transfer Protocol.
  - 33. The computer-implemented method of claim 32 wherein the address meaningful for the combination of the protocol and the network identified by the network identifier comprises a uniform resource locator.
  - 34. The computer-implemented method of claim 1 wherein the identity identifier of the second endpoint is associated with more than one global address, the method further comprising selecting a global address for the second endpoint from the more than one global address associated with the identity identifier of the second endpoint to use for communicating between the first endpoint and the second endpoint.

35. A computer-implemented method for communicating between two endpoints connected to a network, the computer-implemented method comprising:
- having an application of a first endpoint provide to a global-address-based communication layer, implemented on a computing device, (1) a message destined for a second endpoint, and (2) a global address of the second endpoint, wherein the global address specifies a protocol, a network identifier, and an address meaningful for the combination of the protocol and a network identified by the network identifier;
  
  having the global-address-based communication layer select an appropriate networking layer;
  
  having the global-address-based communication layer provide to the selected networking layer (1) the message destined for the second endpoint and (2) the address meaningful for the combination of the protocol and network identified by the network identifier;
  
  having the selected networking layer send the message to the second endpoint,wherein the first endpoint comprises a first physical device and the second endpoint comprises a second physical device; and
  
  determining the global address of the second endpoint by using a unique identity identifier associated with the second endpoint;
  
  wherein the unique identity identifier specifies a realm and a unique identifier that identifies the second endpoint within the realm, and the combination of the realm and the unique identifier uniquely identifies the identity.
- View Dependent Claims (36, 37, 38, 39, 40)
- - 36. The computer-implemented method of claim 35 wherein the selected networking layer transmits the message using the protocol specified by the global address of the second endpoint.
  - 37. The computer-implemented method of claim 35 further comprising:
    - having the application provide to an identity-based communication layer (1) a message destined for the second endpoint and (2) an identity identifier associated with the second endpoint;
      
      having the identity-based communication layer use a presence and availability service to determine the global address of the second endpoint using the identity identifier associated with the second endpoint; and
      
      having the identity-based communication layer provide to the global-address-based communications layer (1) the message destined for the second endpoint and (2) the global address of the second endpoint.
  - 38. The computer-implemented method of claim 37 wherein using the presence and availability service to determine the global address of the second endpoint comprises:
    - sending to the presence and availability service the identity identifier associated with the second endpoint; and
      
      receiving from the presence and availability service the global address associated with the second endpoint.
  - 39. The computer-implemented method of claim 35 further comprising:
    - having a networking layer of the second endpoint receive the message andproviding the message to a global-address-based communication layer of the second endpoint;
      
      and having the global-address-based communication layer of the second endpoint provide the message to an application layer of the second endpoint.
  - 40. The computer-implemented method of claim 39 further wherein providing the message to the application layer of the second endpoint comprises:
    - having the global-address-based communication layer of the second endpoint provide the message to an identity-based communication layer of the second endpoint; and
      
      having the identity-based communication layer of the second endpoint provide the message to the application layer of the second endpoint.

41. A non-transitory computer-readable medium having embodied thereon a computer program configured to cause a processor to communicate between two endpoints connected to a network,the non-transitory computer-readable medium comprising one or more code segments configured to cause the processor to:
- have a first endpoint use a global address of a second endpoint to communicate with the second endpoint,have the global address specify a protocol, a network identifier, and an address meaningful for the combination of the protocol and a network identified by the network identifier,have an application of the first endpoint send messages directed to the second endpoint through an identity based communication layer that is situated between a network layer and an application layer, the messages being independent of the protocol, and have the identity-based communication layer transmit the messages to the second endpoint using the protocol, the network, and the address specified by the global address,wherein the first endpoint comprises a first physical device and the second endpoint comprises a second physical device; and
  
  determine the global address of the second endpoint by using a unique identity identifier associated with the second endpoint;
  
  wherein the unique identity identifier specifies a realm and a unique identifier that identifies the second endpoint within the realm, and the combination of the realm and the unique identifier uniquely identifies the identity.
- View Dependent Claims (42, 43, 44, 45)
- - 42. The non-transitory computer-readable medium of claim 41 wherein the global address may be different each time a session is initiated with the second endpoint.
  - 43. The non-transitory computer-readable medium of claim 41 wherein the identity identifier comprises an identity identifier for a composite identity, the composite identity being associated with two or more other identity identifiers.
  - 44. The non-transitory computer-readable medium of claim 41 wherein:
    - the first endpoint is connected to a first network,the second endpoint is connected to a second network, anda relay is used to connect the first network and the second network.
  - 45. The non-transitory computer-readable medium of claim 41 wherein:
    - the identity identifier of the second endpoint is associated with more than one global address, andthe one or more code segments are further configured to cause the processor to select a global address for the second endpoint from the more than one global address associated with the identity identifier of the second endpoint to use for communicating between the first endpoint and the second endpoint.

46. A non-transitory computer-readable medium having embodied thereon a computer program configured to cause a processor to communicate between two endpoints connected to a network, the non-transitory computer-readable medium comprising one or more code segments configured to cause the processor to:
- have an application of a first endpoint provide to a global-address-based communication layer (1) a message destined for a second endpoint, and (2) a global address of the second endpoint, wherein the global address specifies a protocol, a network identifier, and an address meaningful for the combination of the protocol and a network identified by the network identifier;
  
  have the global-address-based communication layer select an appropriate networking layer;
  
  have the global-address-based communication layer provide to the selected networking layer (1) the message destined for the second endpoint and (2) the address meaningful for the combination of the protocol and network identified by the network identifier; and
  
  have the selected networking layer send the message to the second endpoint,wherein the first endpoint comprises a first physical device and the second endpoint comprises a second physical device; and
  
  determine the global address of the second endpoint by using a unique identity identifier associated with the second endpoint;
  
  wherein the unique identity identifier specifies a realm and a unique identifier that identifies the second endpoint within the realm, and the combination of the realm and the unique identifier uniquely identifies the identity.
- View Dependent Claims (47, 48)
- - 47. The non-transitory computer-readable medium of claim 46 wherein the selected networking layer transmits the message using the protocol specified by the global address of the second endpoint.
  - 48. The non-transitory computer-readable medium of claim 46 wherein the one or more code segments are further configured to cause the processor to:
    - have the application provide to an identity-based communication layer (1) a message destined for the second endpoint and (2) an identity identifier associated with the second endpoint;
      
      have the identity-based communication layer use a presence and availability service to determine the global address of the second endpoint using the identity identifier associated with the second endpoint; and
      
      have the identity-based communication layer provide to the global-address-based communications layer (1) the message destined for the second endpoint and (2) the global address of the second endpoint.

49. A system for communicating between two endpoints connected to a network, the system comprising a processor connected to a physical storage device and one or more input/output physical devices, wherein the processor is configured to:
- have a first endpoint use a global address of a second endpoint to communicate with the second endpoint,have the global address specify a protocol, a network identifier, and an address meaningful for the combination of the protocol and a network identified by the network identifier, have an application of the first endpoint send messages directed to the second endpoint through an identity based communication layer that is situated between a network layer and an application layer, the messages being independent of the protocol, and have the identity-based communication layer transmit the messages to the second endpoint using the protocol, the network, and the address specified by the global address,wherein the first endpoint comprises a first physical device and the second endpoint comprises a second physical device; and
  
  determine the global address of the second endpoint by using a unique identity identifier associated with the second endpoint;
  
  wherein the unique identity identifier specifies a realm and a unique identifier that identifies the second endpoint within the realm, and the combination of the realm and the unique identifier uniquely identifies the identity.
- View Dependent Claims (50, 51, 52, 53)
- - 50. The system of claim 49 wherein the global address may be different each time a session is initiated with the second endpoint.
  - 51. The system of claim 49 wherein the identity identifier comprises an identity identifier for a composite identity, the composite identity being associated with two or more other identity identifiers.
  - 52. The system of claim 49 wherein:
    - the first endpoint is connected to a first network,the second endpoint is connected to a second network, anda relay is used to connect the first network and the second network.
  - 53. The system of claim 49 wherein:
    - the identity identifier of the second endpoint is associated with more than one global address, and the processor is further configured to select a global address for the second endpoint from the more than one global address associated with the identity identifier of the second endpoint to use for communicating between the first endpoint and the second endpoint.

54. A system for communicating between two endpoints connected to a network, the system comprising a processor connected to a physical storage device and one or more physical input/output devices, wherein the processor is configured to:
- have an application of a first endpoint provide to a global-address-based communication layer (1) a message destined for a second endpoint, and (2) a global address of the second endpoint, wherein the global address specifies a protocol, a network identifier, and an address meaningful for the combination of the protocol and a network identified by the network identifier have the global-address-based communication layer select an appropriate networking layer;
  
  have the global-address-based communication layer provide to the selected networking layer (1) the message destined for the second endpoint and (2) the address meaningful for the combination of the protocol and network identified by the network identifier;
  
  have the selected networking layer send the message to the second endpoint,wherein the first endpoint comprises a first physical device and the second endpoint comprises a second physical device; and
  
  determine the global address of the second endpoint by using a unique identity identifier associated with the second endpoint;
  
  wherein the unique identity identifier specifies a realm and a unique identifier that identifies the second endpoint within the realm, and the combination of the realm and the unique identifier uniquely identifies the identity.
- View Dependent Claims (55, 56)
- - 55. The system of claim 54 wherein the selected networking layer transmits the message using the protocol specified by the global address of the second endpoint.
  - 56. The system of claim 54 wherein the processor is further configured to:
    - have the application provide to an identity-based communication layer (1) a message destined for the second endpoint and (2) an identity identifier associated with the second endpoint;
      
      have the identity-based communication layer use a presence and availability service to determine the global address of the second endpoint using the identity identifier associated with the second endpoint; and
      
      have the identity-based communication layer provide to the global-address-based communications layer (1) the message destined for the second endpoint and (2) the global address of the second endpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Douglas, David C., Traub, Kenneth R., Birger, Chet, Rosenthal, Steven
Primary Examiner(s)
Nguyen; Dustin

Application Number

US10/372,399
Publication Number

US 20090006840A1
Time in Patent Office

3,031 Days
Field of Search

709/201, 709/223, 709/227, 709/232, 709/313, 709/230, 709/245, 370/522
US Class Current

709/250
CPC Class Codes

H04L 61/50   Address allocation

H04L 63/0492   by using a location-limited...

H04L 67/125   involving control of end-de...

H04L 67/52   specially adapted for the l...

H04W 12/02   Protecting privacy or anony...

Using an identity-based communication layer for computing device communication

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

56 Claims

Specification

Solutions

Use Cases

Quick Links

Using an identity-based communication layer for computing device communication

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

56 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links