Security assertion revocation
Abstract
Security assertion revocation enables a revocation granularity in a security scheme down to the level of individual assertions. In an example implementation, a security token includes multiple respective assertions that are associated with multiple respective assertion identifiers. More specifically, each individual assertion is associated with at least one individual assertion identifier.
13 Claims
1. A method for creating a security token having independently-revocable assertions, the method comprising:
- generating a first assertion with an associated first assertion identifier;
- generating a second assertion with an associated second assertion identifier, wherein the second assertion is independently-revocable with respect to the first assertion;
- combining, at a computing device, the first assertion and the second assertion into the security token and digitally signing the security token comprising multiple independently-revocable assertions;
- ascertaining, at the computing device, whether a plurality of conditional revocation assertions are valid;
- in response to ascertaining that one or more conditional revocation assertions are valid, including a corresponding assertion identifier from each of the one or more valid conditional revocation assertions in a set of revoked assertion identifiers;
- rejecting the first assertion when the first assertion identifier matches a revoked assertion identifier in the set of revoked assertion identifier; and
- applying the second assertion to an evaluation algorithm when the second assertion identifier does not match any revoked assertion identifier in the set of revoked assertion identifiers.
5. A computer-implemented method configured to execute instructions which, when executed by a computer processor, direct a computing device to perform acts for filtering revoked assertions, the method comprising:
- acquiring multiple assertions from a security token at the computing device, each respective assertion of the multiple assertions associated with a respective assertion identifier of multiple assertion identifiers;
- comparing the multiple assertion identifiers to a set of revoked assertion identifiers;
- determining, by the computing device, if at least one assertion identifier of the multiple assertion identifiers matches a revoked assertion identifier of the set of revoked assertion identifiers; and
- if at least one assertion identifier of the multiple assertion identifiers is determined to match a revoked assertion identifier of the set of revoked assertion identifiers, rejecting at least one assertion that is associated with the at least one assertion identifier that is determined to match the revoked assertion identifier; and
- processing a revocation assertion that includes a revoked assertion identifier, wherein the revocation assertion comprises a security assertion and is logically of the form; principal says fact, in which fact corresponds to;
- applying the plurality of assertions to the evaluation algorithm that evaluates the authorization query when no none of the at least one assertion identifier is determined to match any revoked assertion identifier of the set of revoked assertion identifiers.
11. One or more computer-readable memory storing computer-executable instructions that, when executed by a processor, configures the processor to perform acts comprising:
- generating a plurality of assertions such that each assertion has an associated assertion identifier;
- comparing each assertion identifier to a set of revoked assertion identifiers;
- determining whether the each assertion identifier has a matching revoked assertion identifier from the set of revoked assertion identifiers;
- when at least one assertion identifier is determined to match a revoked assertion identifier of the set of revoked assertion identifiers, rejecting a corresponding assertion of each assertion identifier that is matched with a corresponding revoked assertion identifier, and applying one or more remaining assertions to an evaluation algorithm that evaluates an authorization query; and
- when no assertion identifier is determined to match any revoked assertion identifier of the set of revoked assertion identifiers, applying the plurality of assertions of the evaluation algorithm that evaluates the authorization query.
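The flow the claims describe (sign a token of individually identified assertions, build the revoked-identifier set from valid conditional revocation assertions only, reject matching assertions, evaluate the rest), as an added example that is not code from the patent. Assumptions: HMAC-SHA256 with a demo key stands in for the digital signature, a revocation assertion counts as valid when its principal is trusted and its `effective_from` time has passed, and all field names and sample values are constructed.

```python
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the digital signature
TRUSTED_REVOKERS = {"STS"}          # assumption: principals whose revocations are honored

def make_token(assertions):
    """Combine independently identified assertions into one signed token."""
    body = json.dumps(assertions, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(DEMO_KEY, body, hashlib.sha256).hexdigest()}

def open_token(token):
    """Verify the signature before trusting any assertion in the token."""
    expected = hmac.new(DEMO_KEY, token["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise ValueError("token signature invalid")
    return json.loads(token["body"])

def revoked_ids(revocations, now):
    """Collect identifiers only from conditional revocation assertions that are valid."""
    return {r["revokes"] for r in revocations
            if r["principal"] in TRUSTED_REVOKERS and r["effective_from"] <= now}

def filter_assertions(token, revocations, now):
    """Reject assertions whose identifier is revoked; return (kept, rejected)."""
    revoked = revoked_ids(revocations, now)
    kept, rejected = [], []
    for a in open_token(token):
        (rejected if a["id"] in revoked else kept).append(a)
    return kept, rejected

def evaluate(query, assertions):
    """Toy evaluation algorithm: the query holds if a surviving assertion states it."""
    return any(a["fact"] == query for a in assertions)

TOKEN = make_token([  # constructed sample assertions
    {"id": "a-1", "principal": "STS", "fact": "alice can read /reports"},
    {"id": "a-2", "principal": "STS", "fact": "alice can write /reports"},
])
REVOCATIONS = [  # constructed conditional revocation assertions
    {"principal": "STS", "revokes": "a-2", "effective_from": 100},    # valid now
    {"principal": "STS", "revokes": "a-1", "effective_from": 900},    # condition not yet met
    {"principal": "Mallory", "revokes": "a-1", "effective_from": 0},  # untrusted principal
]

if __name__ == "__main__":
    kept, rejected = filter_assertions(TOKEN, REVOCATIONS, now=500)
    print([a["id"] for a in kept], [a["id"] for a in rejected])
```

Only the revocation that passes both validity checks contributes its identifier, so `a-2` is rejected while `a-1` from the same token still reaches the evaluation step.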
Specification