Trust management systems and methods
First Claim
1. In a computer-implemented trust management system, a method for controlling access to a computing resource, the method including:
- obtaining a request for the computing resource;
- obtaining a group of certificates, each certificate expressing at least one authorization by at least one principal;
- identifying a set of principals associated with the certificates;
- initializing a state associated with each principal;
- evaluating a certificate as a function of the state associated with one or more of the principals;
- updating the state of one or more of the principals if the result of said evaluating step indicates that the state of a principal should be changed; and
- repeating said evaluating and updating steps until a fixpoint is reached or until a predefined principal is found to authorize the request.
Abstract
The present invention provides systems and methods for making efficient trust management decisions. A trust management engine is provided that processes requests for system resources, authorizations or certificates, and the identity of one or more root authorities that are ultimately responsible for granting or denying the requests. To determine whether a request should be granted, the trust management engine identifies a set of principals from whom authorization may flow, and interprets each of the certificates as a function of the state of one or more of the principals. The processing logic iteratively evaluates the functions represented by the certificates, updates the states of the principals, and repeats this process until a reliable determination can be made as to whether the request should be granted or denied. The certificates may be evaluated until the state of the root authority indicates that the request should be granted, or until further evaluation of the certificates is ineffective in changing the state of the principals.
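The evaluation loop described in the abstract, as an added sketch that is not code from the patent. It assumes each principal's state is a single boolean ("authorizes this request") and that every certificate is a monotone rule; the names `Cert`, `grant`, `all_of` and `decide` and the sample certificates are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Tuple

State = Dict[str, bool]  # principal -> True once that principal authorizes the request

@dataclass(frozen=True)
class Cert:
    issuer: str                    # principal whose state this certificate may raise
    reads: Tuple[str, ...]         # principals whose state the rule inspects
    rule: Callable[[State], bool]  # assumed monotone: more True inputs never turn it False

def grant(issuer: str) -> Cert:
    """Issuer authorizes the request unconditionally."""
    return Cert(issuer, (), lambda s: True)

def all_of(issuer: str, *others: str) -> Cert:
    """Issuer authorizes only if every listed principal already does."""
    return Cert(issuer, others, lambda s: all(s[p] for p in others))

def decide(certs: Iterable[Cert], root: str):
    certs = list(certs)
    # Identify the principals named by the certificates; initialize each to "not authorized".
    state: State = {root: False}
    for c in certs:
        for p in (c.issuer, *c.reads):
            state[p] = False
    passes = 0
    changed = True
    while changed and not state[root]:   # stop at a fixpoint or once the root authorizes
        changed = False
        passes += 1
        for c in certs:
            # States only move False -> True, so at most len(state) updates can ever occur.
            if not state[c.issuer] and c.rule(state):
                state[c.issuer] = True
                changed = True
    return state[root], state, passes

# Constructed certificates: root delegates to carol, carol requires both alice and bob.
GRANTED = [all_of("root", "carol"), all_of("carol", "alice", "bob"), grant("alice"), grant("bob")]
# Constructed cyclic delegation with no base grant: reaches a fixpoint and is denied.
CYCLIC = [all_of("root", "carol"), all_of("carol", "dave"), all_of("dave", "carol")]

if __name__ == "__main__":
    for name, certs in (("granted", GRANTED), ("cyclic", CYCLIC)):
        ok, state, passes = decide(certs, "root")
        print(name, ok, passes, sorted(p for p, v in state.items() if v))
```

Because updates are one-directional, a delegation cycle ends in a denial at the fixpoint instead of looping, and a missing base grant leaves the root's state unchanged.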
8 Claims
7. A non-transitory computer-readable medium containing computer-executable program instructions that, when executed by a computer system, cause the computer system to perform a method comprising:
- obtaining a request to perform a predefined action;
- obtaining a group of authorizations for the predefined action, one or more of the authorizations in the group being a function of the authorization state of one or more principals;
- identifying a set of principals associated with the authorizations and for initializing a state associated with each principal;
- evaluating authorizations from the set of authorizations using the state associated with each principal;
- updating the state of the principals;
- repeating said evaluating and updating steps until a fixpoint is reached or until a predefined principal is deemed to authorize the request.
Specification