Attested content protection
Abstract
Computer systems and environments implemented herein permit a local machine increased participation in authorizing access to protected content. An operating system attests to a computing environment at a corresponding computer system. If the computing environment is one permitted to access protected content, the operating system is permitted to regulate further (e.g., application) access to protected content in accordance with a protection policy. As such, authorization decisions are partially distributed, easing the resource burden on a content protection server. Accordingly, this computing environment can facilitate more robust and efficient authorization decisions when access to protected content is requested.
20 Claims
1. At a computer system including a processor, an operating system and one or more applications, a method for protecting content, the method comprising:
- establishing a protection policy to protect content regardless of where the content is initially or subsequently distributed, the protection policy being manageable by a rights management system that includes a separate rights management server, the protection policy including:
- a list of users that are authorized to access the protected content and a list of authorized computing environments that are permitted to access the protected content, wherein the list of authorized computing environments is separately specified for and is specific to each portion of protected content, and wherein each authorized computing environment comprises a specific combination of computer system attributes required for the computing environment to be authorized to access the protected content;
- determining by the processor that a user is attempting to access the protected content through an application of the one or more applications at the computer system;
- prior to allowing the application to access the protected content:
- the computer system exchanging information with the rights management server about the user's identity so as to validate that the user is authorized to access the protected content;
- the operating system attesting to a specified set of information indicating that the computer system includes the specified combination of computer system attributes required for the computer system to be an authorized computing environment that is permitted to access the protected content according to the established protection policy which includes the list of users and authorized computing environments that are permitted to access the protected content; and
- the computer system allowing the application to access the protected content in response to the operating system attesting to an authorized computing environment that is permitted to access the protected content and validating that the user is authorized to access the protected content.

Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. At a computer system including a processor, an operating system and one or more applications, a method for protecting content, the method comprising:
- establishing a protection policy to protect content regardless of where the content is initially or subsequently distributed, the protection policy including:
- a list of users that are authorized to access the protected content, operations that authorized users are permitted to perform with respect to the protected content, and a list of authorized computing environments that are permitted to access the protected content, wherein the list of authorized computing environments is separately specified for and is specific to each portion of protected content, and wherein each authorized computing environment comprises a specific combination of computer system attributes required for the computing environment to be authorized to access the protected content;
- determining by the processor that a user is attempting to access the protected content through an application of the one or more applications at the computer system;
- sending user identity information for the user to a rights management server;
- the operating system attesting to a specified set of information indicating that the computer system includes the specified combination of computer system attributes required for the computer system to be an authorized computing environment that is permitted to access the protected content according to the established protection policy which includes the list of users and authorized computing environments that are permitted to access the protected content;
- receiving a user key from the rights management server, the user key usable by the user to access the protected content, the user key being returned to the computer system from the rights management server in response to the rights management server authenticating the user and determining that the attested authorized computing environment is permitted to access the protected content;
- the operating system of the computer system permitting the application to use the user key to access the protected content; and
- the application controlling the user's access to the protected content in accordance with the operations that the users are permitted to perform as indicated in the protection policy.

Dependent claims: 10, 11, 12, 13
14. A computer system, the computer system comprising:
- one or more processors;
- system memory; and
- one or more physical storage media having stored thereon computer-executable instructions that, when executed by one of the processors, cause the computer system to regulate access to protected content, including the following:
- establish a protection policy for protecting content regardless of where the content is initially or subsequently distributed, the protection policy being manageable by a rights management system that includes a separate rights management server, the protection policy including a list of users that are authorized to access the protected content and a list of authorized computing environments that are permitted to access the protected content, wherein the list of authorized computing environments is separately specified for and is specific to each portion of protected content, and wherein each authorized computing environment comprises a specific combination of computer system attributes required for the computing environment to be authorized to access the protected content;
- determine that a user is attempting to access the protected content through an application at the computer system;
- send user identity information to the rights management server;
- attest to a specified set of information indicating that the computer system includes the specified combination of computer system attributes required for the computer system to be an authorized computing environment to the rights management server according to the established protection policy which includes the list of users and authorized computing environments that are permitted to access the protected content;
- receive a user key from the rights management server, reception of the user key indicative of:
- the rights management server having authenticated the user; and
- the rights management server determining that the attested information portrayed an authorized computing environment that is permitted to access the protected content such that the operating system is trusted to regulate the user's access to the protected content in accordance with the protection policy.

Dependent claims: 15, 16, 17, 18, 19, 20
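The server-side decision recited in claims 9 and 14 (release a user key only when the user is on the content's list and the attested attributes match one of that content's authorized environments) can be sketched as follows. This is an added example, not code from the patent: all names and values are hypothetical, an HMAC over a shared key stands in for a hardware-rooted attestation signature, the nonce is assumed to be issued by the server, and user authentication is assumed to have already happened.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample data: every name and value below is hypothetical.
ATTESTATION_KEY = b"demo-attestation-key"  # stand-in for a hardware-rooted signing key
USER_KEYS = {"doc-42": b"user-key-for-doc-42"}
POLICY = {
    "doc-42": {  # the environment list is specified per portion of content
        "users": {"alice": {"read", "print"}, "bob": {"read"}},
        # Each authorized environment is a specific combination of attributes.
        "environments": [
            {"os_build": "10.0.1", "secure_boot": True, "disk_encryption": True},
            {"os_build": "10.0.2", "secure_boot": True, "disk_encryption": True},
        ],
    }
}

def attest(attributes: dict, nonce: bytes) -> bytes:
    """Client OS side: authenticate the reported attributes together with the nonce."""
    msg = nonce + json.dumps(attributes, sort_keys=True).encode()
    return hmac.new(ATTESTATION_KEY, msg, hashlib.sha256).digest()

def environment_authorized(policy: dict, attributes: dict) -> bool:
    """True if the attested attributes satisfy at least one listed environment."""
    return any(all(attributes.get(k) == v for k, v in env.items())
               for env in policy["environments"])

def release_user_key(content_id, user, attributes, nonce, tag):
    """Server side: return (user_key, permitted_operations) or None, failing closed."""
    policy = POLICY.get(content_id)
    if policy is None or user not in policy["users"]:
        return None  # unknown content or user not on the list
    if not hmac.compare_digest(tag, attest(attributes, nonce)):
        return None  # tag does not match these attributes and this nonce
    if not environment_authorized(policy, attributes):
        return None  # genuine attestation, but not an authorized environment
    return USER_KEYS[content_id], policy["users"][user]

def demo() -> dict:
    nonce = secrets.token_bytes(16)
    good = {"os_build": "10.0.1", "secure_boot": True, "disk_encryption": True}
    weak = dict(good, secure_boot=False)
    return {
        "authorized": release_user_key("doc-42", "alice", good, nonce, attest(good, nonce)),
        "bad_env": release_user_key("doc-42", "alice", weak, nonce, attest(weak, nonce)),
        "tampered": release_user_key("doc-42", "alice", good, nonce, attest(weak, nonce)),
        "bad_user": release_user_key("doc-42", "mallory", good, nonce, attest(good, nonce)),
    }
```

The returned operation set is what the application would then enforce locally, which is the partial distribution of the authorization decision that the abstract describes.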
Specification