Interoperable systems and methods for peer-to-peer service orchestration
First Claim
1. A method of accessing content according to a DRM policy, comprising:
- communicating, using a service access point of a device, with one or more web services agents to receive;
a content object including an encrypted content item,a license object comprising a control object including a control program containing instructions for querying an authorization graph for an existence of a path from a first node to a second node, and a content key object including an encrypted content key for decrypting the encrypted content item,a first link object associated with a validity constraint comprising authorization conditions governing the use of a first link key to sign the first link object, the authorization conditions expressed by a control program, a certificate for the first link key comprising the constraint program;
determining authorization to access the encrypted content item using a DRM engine on the device, the DRM engine requesting cryptographic services from a host environment, comprising;
verifying, by the DRM engine, the license object,validating, by the DRM engine, the first link object according to the validity constraint and cryptographic services requested from the host environment, validation comprising;
determining satisfaction of the authorization conditions for the first link key by executing the constraint program using the DRM engine,verifying the certificate for the first link key based on satisfaction of the authorization conditions using the cryptographic services, andvalidating the first link object based on verification of the certificate using the DRM engine,constructing, by the DRM engine, an authorization graph comprising nodes connected by links, construction using valid link objects, the valid link objects comprising the first link object, andquerying, by the DRM engine, the authorization graph by executing the control program and determining by the control program the existence of the path from the first node to the second node;
providing by the DRM engine based on a result of the query;
an indication that the encrypted content item may be accessed, anda decrypted version of the encrypted content key for decrypting the encrypted content item;
generating a decrypted version of the encrypted content item by decrypting the encrypted content item using the decrypted version of the encrypted content key, based on the indication;
andaccessing the decrypted version of the encrypted content item based on the indication.
2 Assignments
0 Petitions
Accused Products
Abstract
Systems and methods are described for performing policy-managed, peer-to-peer service orchestration in a manner that supports the formation of self-organizing service networks that enable rich media experiences. In one embodiment, services are distributed across peer-to-peer communicating nodes, and each node provides message routing and orchestration using a message pump and workflow collator. Distributed policy management of service interfaces helps to provide trust and security, supporting commercial exchange of value. Peer-to-peer messaging and workflow collation allow services to be dynamically created from a heterogeneous set of primitive services. The shared resources are services of many different types, using different service interface bindings beyond those typically supported in a web service deployments built on UDDI, SOAP, and WSDL. In a preferred embodiment, a media services framework is provided that enables nodes to find one another, interact, exchange value, and cooperate across tiers of networks from WANs to PANs.
253 Citations
29 Claims
-
1. A method of accessing content according to a DRM policy, comprising:
-
communicating, using a service access point of a device, with one or more web services agents to receive; a content object including an encrypted content item, a license object comprising a control object including a control program containing instructions for querying an authorization graph for an existence of a path from a first node to a second node, and a content key object including an encrypted content key for decrypting the encrypted content item, a first link object associated with a validity constraint comprising authorization conditions governing the use of a first link key to sign the first link object, the authorization conditions expressed by a control program, a certificate for the first link key comprising the constraint program; determining authorization to access the encrypted content item using a DRM engine on the device, the DRM engine requesting cryptographic services from a host environment, comprising; verifying, by the DRM engine, the license object, validating, by the DRM engine, the first link object according to the validity constraint and cryptographic services requested from the host environment, validation comprising; determining satisfaction of the authorization conditions for the first link key by executing the constraint program using the DRM engine, verifying the certificate for the first link key based on satisfaction of the authorization conditions using the cryptographic services, and validating the first link object based on verification of the certificate using the DRM engine, constructing, by the DRM engine, an authorization graph comprising nodes connected by links, construction using valid link objects, the valid link objects comprising the first link object, and querying, by the DRM engine, the authorization graph by executing the control program and determining by the control program the existence of the path from the first node to the second node; providing by the DRM engine based on a result of the query; an indication that the encrypted content item may be accessed, and a decrypted version of the encrypted content key for decrypting the encrypted content item; generating a decrypted version of the encrypted content item by decrypting the encrypted content item using the decrypted version of the encrypted content key, based on the indication; and accessing the decrypted version of the encrypted content item based on the indication. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
-
-
20. A non-transitory computer readable medium containing instructions that, when executed by a processor of a device, cause the device to perform operations comprising:
-
communicating, using a service access point of a device, with one or more web services agents to receive; a content object including an encrypted content item, a license object comprising a control object including a control program containing instructions for querying an authorization graph for an existence of a path from a first node to a second node, and a contentkey object including an encrypted content key for decrypting the encrypted content item, a first link object associated with a validity constraint comprising authorization conditions governing the use of a first link key to sign the first link object, the authorization conditions expressed by a control program, a certificate for the first link key comprising the constraint program; determining authorization to access the encrypted content item using a DRM engine on the device, comprising; verifying, by the DRM engine, the license object, validating, by the DRM engine, the first link object according to the validity constraint and cryptographic services requested by the DRM engine from a cryptographic services module of a host environment indirectly using a host services module, validation comprising; determining satisfaction of the authorization conditions for the first link key by executing the constraint program using the DRM engine, verifying the certificate for the first link key based on satisfaction of the authorization conditions using the cryptographic services, and validating the first link object based on verification of the certificate using the DRM engine, constructing, by the DRM engine, an authorization graph comprising nodes connected by links, construction using valid link objects, the valid link objects comprising the first link object, and querying, by the DRM engine, the authorization graph by executing the control program and determining by the control program the existence of the path from the first node to the second node; providing by the DRM engine based on a result of the query; an indication that the encrypted content item may be accessed, and a decrypted version of the encrypted content key for decrypting the encrypted content item; generating a decrypted version of the encrypted content item by decrypting the encrypted content item using the decrypted version of the encrypted content key, based on the indication; and accessing the decrypted version of the encrypted content item based on the indication. - View Dependent Claims (21, 22, 23, 24)
-
-
25. A device for obtaining and accessing a content item, comprising:
-
at least one processer, and a non-transitory computer memory containing instructions that, when executed by the at least one processor, cause the device to perform operations comprising; communicating, using a service access point of a device, with one or more web services agents to receive; a content object including an encrypted content item, a license object comprising a control object including a control program containing instructions for querying an authorization graph for an existence of a path from a first node to a second node, and a contentkey object including an encrypted content key for decrypting the encrypted content item, and a first link object associated with a validity constraint comprising authorization conditions governing the use of a first link key to sign the first link object, the authorization conditions expressed by a control program, a certificate for the first link key comprising the constraint program; determining authorization to access the encrypted content item using a DRM engine on the device, comprising; verifying, by the DRM engine, the license object, validating, by the DRM engine, the first link object according to the validity constraint and cryptographic services requested by the DRM engine from a cryptographic services module of a host environment indirectly using a host services module, validation comprising; determining satisfaction of the authorization conditions for the first link key by executing the constraint program using the DRM engine, verifying the certificate for the first link key based on satisfaction of the authorization conditions using the cryptographic services, and validating the first link object based on verification of the certificate using the DRM engine, constructing, by the DRM engine, an authorization graph comprising nodes connected by links, construction using valid link objects, the valid link objects comprising the first link object, and querying, by the DRM engine, the authorization graph by executing the control program and determining by the control program the existence of the path from the first node to the second node; providing, by the DRM engine, based on a result of the query; an indication that the encrypted content item may be accessed, and a decrypted version of the encrypted content key for decrypting the encrypted content item; generating a decrypted version of the encrypted content item by decrypting the encrypted content item using the decrypted version of the encrypted content key, based on the indication; and accessing the decrypted version of the encrypted content item based on the indication. - View Dependent Claims (26, 27, 28, 29)
-
Specification