Shared credential store

US 8,015,596 B2
Filed: 06/28/2004
Issued: 09/06/2011
Est. Priority Date: 06/28/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method of providing a personal credential store for a networked computer system user, comprising:

accepting a plurality of search tags, through an application programming interface, wherein each of said plurality of search tags indicates a corresponding one of a plurality of application programs and a type of request to be performed with an obtained credential by said corresponding one of said plurality of application programs;

searching a plurality of physical credential stores responsive to a received one of said plurality of search tags to obtain at least one credential from said plurality of physical credential stores, wherein said obtained credential meets requirements of one of said application programs indicated by said received one of said plurality of search tags to perform said type of request indicated by said received one of said plurality of search tags;

wherein said one of said application programs indicated by said received one of said plurality of search tags is an electronic mail program;

wherein said type of request to be performed indicated by said received one of said plurality of search tags is verification of an incoming electronic mail message;

wherein said received one of said plurality of search tags has a value comprising an electronic mail address of a sender of said incoming electronic mail message; and

wherein said verification of said incoming electronic mail message includes directly searching, responsive to said received one of said plurality of search tags having said value comprising said electronic mail address of said sender of said incoming electronic mail message, for a digital certificate of said sender of said incoming electronic mail message.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A personal credential store that aggregates a number of physical credential stores beneath an application programming interface (API) and offers tag-based credential look-up. The API of the disclosed system runs on the user'"'"'s client system, and effectively hides the underlying credential store types from applications using it. The tags used to look up credentials through the API may advantageously include or consist of unique identifiers indicating the functional purpose of the desired credential. The types of physical credential store aggregated together under the disclosed API may include a local credential store, a network-resident private credential store that may be shared across multiple client systems operated by a single user, and a network-resident shareable credential store, that may be used by processes acting on behalf of the user, and/or shared by multiple users.

12 Citations

View as Search Results

26 Claims

1. A method of providing a personal credential store for a networked computer system user, comprising:
- accepting a plurality of search tags, through an application programming interface, wherein each of said plurality of search tags indicates a corresponding one of a plurality of application programs and a type of request to be performed with an obtained credential by said corresponding one of said plurality of application programs;
  
  searching a plurality of physical credential stores responsive to a received one of said plurality of search tags to obtain at least one credential from said plurality of physical credential stores, wherein said obtained credential meets requirements of one of said application programs indicated by said received one of said plurality of search tags to perform said type of request indicated by said received one of said plurality of search tags;
  
  wherein said one of said application programs indicated by said received one of said plurality of search tags is an electronic mail program;
  
  wherein said type of request to be performed indicated by said received one of said plurality of search tags is verification of an incoming electronic mail message;
  
  wherein said received one of said plurality of search tags has a value comprising an electronic mail address of a sender of said incoming electronic mail message; and
  
  wherein said verification of said incoming electronic mail message includes directly searching, responsive to said received one of said plurality of search tags having said value comprising said electronic mail address of said sender of said incoming electronic mail message, for a digital certificate of said sender of said incoming electronic mail message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of providing a personal credential store of claim 1, wherein said plurality of physical credential stores comprises a local credential store for storing local credentials, wherein said local credential store is located on a first client computer system associated with said user, and wherein said local credential store is not accessible to systems other than said first client computer system.
  - 3. The method of providing a personal credential store of claim 2, wherein said plurality of physical credential stores further comprises at least one network resident private credential store that is shared only across a plurality of client computer systems associated with said user, wherein said plurality of client computer systems includes said first client computer system, and wherein said at least one network resident private credential store is stored on at least one remote server computer system.
  - 4. The method of claim 3, wherein said local credential store comprises a password-encrypted file, and wherein said local credential store cannot be accessed without a password associated with said user.
  - 5. The method of claim 3, wherein said network resident private credential store comprises password-encrypted data, and wherein said password-encrypted data cannot be accessed without a password associated with said user.
  - 6. The method of providing a personal credential store of claim 3, wherein said plurality of physical credential stores further comprises at least one network-resident shareable credential store that is accessible to at least one process acting on behalf of said user that does not know said user'"'"'s password.
  - 7. The method of providing a personal credential store of claim 3, wherein said plurality of physical credential stores further comprises at least one network resident shareable credential store that is accessible to multiple users including said user.
  - 8. The method of providing a personal credential store of claim 7, wherein said at least one network resident shareable credential store is further accessible by an administration software tool through an application programming interface.
  - 9. The method of providing a personal credential store of claim 7, wherein said network resident shareable credential store comprises a set of rows in a database stored on a remote server system.
  - 10. The method of providing a personal credential store of claim 1, further comprising:
    - copying a contents of at least one of said plurality of physical credential stores from a remote server system to a local copy on a client computer system.
  - 11. The method of providing a personal credential store of claim 10, further comprising:
    - detecting at least one credential marked for migration in said local copy, and copying said credential marked for migration from a first one of said plurality of physical credential stores to a second one of said plurality of physical credential stores.
  - 12. The method of providing a personal credential store of claim 11, wherein said first one of said plurality of physical credential stores comprises a network resident shareable credential store that is accessible to multiple users, and wherein said second one of said plurality of physical credential stores comprises a private credential store only accessible to a user of said client computer system.
  - 13. The method of providing a personal credential store of claim 11, further comprising detecting that said credential marked for migration in said local copy is further marked for merging with another credential in said second one of said plurality of physical credential stores, and combining said credential marked for migration into said credential in said second one of said plurality of physical credential stores.
  - 14. The method of claim 1, further comprising:
    - wherein at least some of said plurality of search tags of credentials obtained from said credential stores may be examined by said application programs regardless of whether said search tags were used in searching to obtain said credentials.
  - 15. The method of claim 8, further comprising:
    - wherein said administration software tool enables an administrator user to manage portions of otherwise private credentials in said at least one network resident shareable credential store.
  - 16. The method of claim 15, wherein said portions of said otherwise private credentials comprise a set of administrator defined root certificates.
  - 17. The method of claim 15, further comprising:
    - wherein said portions of said otherwise private credentials include a public key of said networked computer system user; and
      
      storing a private key associated with said public key in said local credential store.

18. A method of providing a personal credential store for a networked computer system user, comprising:
- accepting a plurality of search tags, through an application programming interface, wherein each of said plurality of search tags indicates a corresponding one of a plurality of application programs and a type of request to be performed with an obtained credential by said corresponding one of said plurality of application programs;
  
  searching a plurality of physical credential stores responsive to a received one of said plurality of search tags to obtain at least one credential from said plurality of physical credential stores, wherein said obtained credential meets requirements of one of said application programs indicated by said received one of said plurality of search tags to perform said type of request indicated by said received one of said plurality of search tags;
  
  wherein said received one of said plurality of search tags indicates a domain name;
  
  wherein said one of said application programs indicated by said received one of said plurality of search tags is associated with said domain name;
  
  wherein said type of request to be performed indicated by said received one of said plurality of search tags is a HyperText Transfer Protocol (HTTP) request; and
  
  wherein said received one of said plurality of search tags indicates that said HTTP request requires said at least one obtained credential;
  
  wherein said plurality of physical credential stores comprises a local credential store for storing local credentials, wherein said local credential store is located on a first client computer system associated with said user, and wherein said local credential store is not accessible to systems other than said first client computer system; and
  
  wherein said plurality of physical credential stores further comprises at least one network resident private credential store that is shared only across a plurality of client computer systems associated with said user, wherein said plurality of client computer systems includes said first client computer system, and wherein said at least one network resident private credential store is stored on at least one remote server computer system.

19. A computer-implemented method of providing a personal credential store for a networked computer system user, comprising:
- generating, by at least one computer system, an application programming interface to a plurality of physical credential stores, said plurality of physical credential stores includinga private credential store accessible only to said user, anda network-resident shareable credential store accessible to at least one process acting on behalf of said user that does not know said user'"'"'s password;
  
  wherein a keypair credential associated with said user is stored in said private credential store, said keypair credential including a public key and a private key;
  
  wherein a digital certificate associated with said user is stored in said network resident shareable credential store, said digital certificate issued by a certificate authority and containing said public key;
  
  wherein said keypair credential stored in said private credential store and said digital certificate stored in said network resident shareable credential store are both accessible through said application programming interface responsive to a single predetermined search tag and a predetermined value; and
  
  wherein said predetermined value comprises a cryptographic hash of said public key.
- View Dependent Claims (20, 21)
- - 20. The method of claim 19, wherein said private credential store comprises a local credential store for storing local credentials, wherein said local credential store is located on a first client computer system associated with said user, and wherein said local credential store is not accessible to systems other than said first client computer system.
  - 21. The method of claim 19, wherein said private credential store comprises at least one network resident private credential store that is shared only across a plurality of client computer systems associated with said user, wherein said plurality of client computer systems includes said first client computer system, and wherein said at least one network resident private credential store is stored on at least one remote server computer system.

22. A system, comprising:
- at least one processor and a non-signal computer readable storage medium, said computer readable storage medium having program code stored thereon for providing a personal credential store for a networked computer system user, said program code comprisingprogram code for generating an application programming interface to a plurality of physical credential stores, said plurality of physical credential stores includinga private credential store accessible only to said user, anda network-resident shareable credential store accessible to at least one process acting on behalf of said user that does not know said user'"'"'s password;
  
  wherein a keypair credential associated with said user is stored in said private credential store, said keypair credential including a public key and a private key;
  
  wherein a digital certificate associated with said user is stored in said network resident shareable credential store, said digital certificate issued by a certificate authority and containing said public key;
  
  wherein said keypair credential stored in said private credential store and said digital certificate stored in said network resident shareable credential store are both accessible through said application programming interface responsive to a single predetermined search tag and a predetermined value; and
  
  wherein said predetermined value comprises a cryptographic hash of said public key.
- View Dependent Claims (23, 24, 25)
- - 23. The system of claim 22, wherein said private credential store comprises a local credential store for storing local credentials, wherein said local credential store is located on a first client computer system associated with said user, and wherein said local credential store is not accessible to systems other than said first client computer system.
  - 24. The system of claim 22, wherein said private credential store comprises at least one network resident private credential store that is shared only across a plurality of client computer systems associated with said user, wherein said plurality of client computer systems includes said first client computer system, and wherein said at least one network resident private credential store is stored on at least one remote server computer system.
  - 25. The system of claim 22, wherein said predetermined value comprises a cryptographic hash of said public key.

26. A computer program product, comprising:
- at least one non-signal computer readable storage medium, said computer readable storage medium having program code stored thereon for providing a personal credential store for a networked computer system user, said program code comprisingprogram code for generating an application programming interface to a plurality of physical credential stores, said plurality of physical credential stores includinga private credential store accessible only to said user, anda network-resident shareable credential store accessible to at least one process acting on behalf of said user that does not know said user'"'"'s password;
  
  wherein a keypair credential associated with said user is stored in said private credential store, said keypair credential including a public key and a private key;
  
  wherein a digital certificate associated with said user is stored in said network resident shareable credential store, said digital certificate issued by a certificate authority and containing said public key;
  
  wherein said keypair credential stored in said private credential store and said digital certificate stored in said network resident shareable credential store are both accessible through said application programming interface responsive to a single predetermined search tag and a predetermined value; and
  
  wherein said predetermined value comprises a cryptographic hash of said public key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Wray, John C.
Primary Examiner(s)
Dada; Beemnet W
Assistant Examiner(s)
Debnath; Suman

Application Number

US10/878,166
Publication Number

US 20050289644A1
Time in Patent Office

2,626 Days
Field of Search

726/2, 726 5- 6, 726/18, 713/155, 713168-181, 380/247
US Class Current

726/5
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06F 21/6218   to a system of files or obj...

H04L 63/0815   providing single-sign-on or...

Shared credential store

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Shared credential store

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links