Interoperable systems and methods for peer-to-peer service orchestration
First Claim
1. A method of accessing content according to a DRM policy, comprising:
- receiving, by a service access point of a device, from one or more web services agents;
an encrypted content item, a control program containing executable code, an encrypted content key for decrypting the encrypted content item, a first link object digitally-signed by a link key, the first link object representing a relationship between a first node object and a second node object and comprising references to first node attributes included in the first node object and second node attributes included in the second node object, and a certificate for validating the link key, the certificate comprising a constraint program, the constraint program imposing link conditions on use of the link key to digitally sign link objects, and the link conditions depending on the first node attributes and the second node attributes;
determining, by the device, authorization to access the encrypted content item, comprising;
validating the first link object, comprising executing the constraint program and determining by the constraint program satisfaction of the link conditions based on the first node attributes and the second node attributes referenced by the first link object, verifying the certificate based on satisfaction of the link conditions, validating the use of the link key to digitally sign the first link object based on verification of the certificate, and validating the first link object based on validation of the use of the link key to digitally sign the first link object,
constructing an authorization graph by processing two or more link objects, including the validated first link object;
generating a chain of keys by processing the two or more link objects, including the validated first link object;
querying the authorization graph by executing the executable code contained in the control program, and
generating a target node key by processing the chain of keys; and
based on a result of querying the authorization graph, generating by the device a decrypted version of the encrypted content key by decrypting the encrypted content key using the target node key, generating by the device a decrypted content item by decrypting the encrypted content item using the decrypted version of the encrypted content key, and accessing by the device the decrypted content item.
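The flow recited in the claim can be sketched as follows. This is an added example, not code from the patent or its assignee. Assumptions: HMAC stands in for the digital signature, a SHA-256 XOR keystream stands in for the cipher, the constraint program and control program are plain Python callables, each link carries the next node's key wrapped under the previous node's key, and all node names and keys are constructed.

```python
import hashlib, hmac
from collections import deque

def wrap(key, data):
    # Stand-in cipher: XOR with SHA-256(key); self-inverse, data <= 32 bytes.
    return bytes(a ^ b for a, b in zip(data, hashlib.sha256(key).digest()))

def sign(link_key, src, dst):
    # HMAC stands in for the digital signature made with the link key.
    return hmac.new(link_key, f"{src}->{dst}".encode(), hashlib.sha256).digest()

def validate_link(link, nodes, cert):
    # The certificate's constraint program runs on the referenced node
    # attributes; the link key is accepted only if the link conditions hold.
    if not cert["constraint"](nodes[link["src"]], nodes[link["dst"]]):
        return False
    return hmac.compare_digest(link["sig"], sign(cert["link_key"], link["src"], link["dst"]))

def target_node_key(links, nodes, cert, device, device_key, control):
    graph = {}
    for link in links:                      # authorization graph: validated links only
        if validate_link(link, nodes, cert):
            graph.setdefault(link["src"], []).append(link)
    keys, queue = {device: device_key}, deque([device])
    while queue:                            # chain of keys: each link unwraps the next node key
        cur = queue.popleft()
        for link in graph.get(cur, []):
            if link["dst"] not in keys:
                keys[link["dst"]] = wrap(keys[cur], link["wrapped"])
                queue.append(link["dst"])
    target = control(set(keys))             # control program queries the graph
    return keys.get(target)

def demo(links_used=("device->user", "user->sub")):
    # Constructed sample data: three nodes, one link key, one content item.
    nodes = {"device": {"type": "device"}, "user": {"type": "user"}, "sub": {"type": "subscription"}}
    nk = {n: hashlib.sha256(n.encode()).digest() for n in nodes}
    allowed = {("device", "user"), ("user", "subscription")}
    cert = {"link_key": b"constructed-link-key",
            "constraint": lambda a, b: (a["type"], b["type"]) in allowed}
    def mk(s, d):
        return {"src": s, "dst": d, "sig": sign(cert["link_key"], s, d), "wrapped": wrap(nk[s], nk[d])}
    links = [mk(*name.split("->")) for name in links_used]
    content_key = hashlib.sha256(b"content").digest()
    enc_ck, enc_item = wrap(nk["sub"], content_key), wrap(content_key, b"constructed media bytes")
    control = lambda reachable: "sub" if "sub" in reachable else None
    tk = target_node_key(links, nodes, cert, "device", nk["device"], control)
    return wrap(wrap(tk, enc_ck), enc_item) if tk else None
```

A link such as `device->sub` is correctly signed with the link key yet is still rejected, because the constraint program in the certificate does not permit that pairing of node attributes.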
Abstract
Systems and methods are described for performing policy-managed, peer-to-peer service orchestration in a manner that supports the formation of self-organizing service networks that enable rich media experiences. In one embodiment, services are distributed across peer-to-peer communicating nodes, and each node provides message routing and orchestration using a message pump and workflow collator. Distributed policy management of service interfaces helps to provide trust and security, supporting commercial exchange of value. Peer-to-peer messaging and workflow collation allow services to be dynamically created from a heterogeneous set of primitive services. The shared resources are services of many different types, using different service interface bindings beyond those typically supported in web service deployments built on UDDI, SOAP, and WSDL. In a preferred embodiment, a media services framework is provided that enables nodes to find one another, interact, exchange value, and cooperate across tiers of networks from WANs to PANs.
23 Claims
1. A method of accessing content according to a DRM policy, comprising:
receiving, by a service access point of a device, from one or more web services agents;
an encrypted content item, a control program containing executable code, an encrypted content key for decrypting the encrypted content item, a first link object digitally-signed by a link key, the first link object representing a relationship between a first node object and a second node object and comprising references to first node attributes included in the first node object and second node attributes included in the second node object, and a certificate for validating the link key, the certificate comprising a constraint program, the constraint program imposing link conditions on use of the link key to digitally sign link objects, and the link conditions depending on the first node attributes and the second node attributes;
determining, by the device, authorization to access the encrypted content item, comprising;
validating the first link object, comprising executing the constraint program and determining by the constraint program satisfaction of the link conditions based on the first node attributes and the second node attributes referenced by the first link object, verifying the certificate based on satisfaction of the link conditions, validating the use of the link key to digitally sign the first link object based on verification of the certificate, and validating the first link object based on validation of the use of the link key to digitally sign the first link object,
constructing an authorization graph by processing two or more link objects, including the validated first link object;
generating a chain of keys by processing the two or more link objects, including the validated first link object;
querying the authorization graph by executing the executable code contained in the control program, and
generating a target node key by processing the chain of keys; and
based on a result of querying the authorization graph, generating by the device a decrypted version of the encrypted content key by decrypting the encrypted content key using the target node key, generating by the device a decrypted content item by decrypting the encrypted content item using the decrypted version of the encrypted content key, and accessing by the device the decrypted content item.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
14. A non-transitory computer readable medium containing instructions that, when executed by a processor of a device, cause the device to perform operations comprising:
receiving, by a service access point of the device, from one or more web services agents;
an encrypted content item, a control program containing executable code, an encrypted content key for decrypting the encrypted content item, a first link object digitally-signed by a link key, the first link object representing a relationship between a first node object and a second node object and comprising references to first node attributes included in the first node object and second node attributes included in the second node object, and a certificate for validating the link key, the certificate comprising a constraint program, the constraint program imposing link conditions on use of the link key to digitally sign link objects, and the link conditions depending on the first node attributes and the second node attributes;
determining, by the device, authorization to access the encrypted content item, comprising;
validating the first link object, comprising executing the constraint program and determining by the constraint program satisfaction of the link conditions based on the first node attributes and the second node attributes referenced by the first link object, verifying the certificate based on satisfaction of the link conditions, validating the use of the link key to digitally sign the first link object based on verification of the certificate, and validating the first link object based on validation of the use of the link key to digitally sign the first link object,
constructing an authorization graph by processing two or more link objects, including the validated first link object;
generating a chain of keys by processing the two or more link objects, including the validated first link object;
querying the authorization graph by executing the executable code contained in the control program, and
generating a target node key by processing the chain of keys; and
based on a result of querying the authorization graph, generating by the device a decrypted version of the encrypted content key by decrypting the encrypted content key using the target node key, generating by the device a decrypted content item by decrypting the encrypted content item using the decrypted version of the encrypted content key, and accessing by the device the decrypted content item.
Dependent claims: 15, 16, 17, 18, 19
20. A device for obtaining and accessing an encrypted content item, comprising at least one processor, and a non-transitory computer memory containing instructions that, when executed by the at least one processor, cause the processor to perform operations comprising:
receiving, by a service access point of the device, from one or more web services agents;
the encrypted content item, a control program containing executable code, an encrypted content key for decrypting the encrypted content item, a first link object digitally-signed by a link key, the first link object representing a relationship between a first node object and a second node object and comprising references to first node attributes included in the first node object and second node attributes included in the second node object, and a certificate for validating the link key, the certificate comprising a constraint program, the constraint program imposing link conditions on use of the link key to digitally sign link objects, and the link conditions depending on the first node attributes and the second node attributes;
determining, by the device, authorization to access the encrypted content item, comprising;
validating the first link object, comprising executing the constraint program and determining by the constraint program satisfaction of the link conditions based on the first node attributes and the second node attributes referenced by the first link object, verifying the certificate based on satisfaction of the link conditions the constraint program, validating the use of the link key based on the certificate, and validating the first link object based on validation of the use of the link key to digitally sign the first link object,
constructing an authorization graph by processing two or more link objects, including the validated first link object;
generating a chain of keys by processing the two or more link objects, including the validated first link object;
querying the authorization graph by executing the executable code contained in the control program; and
generating a target node key by processing the chain of keys; and
based on a result of querying the authorization graph, generating by the device a decrypted version of the encrypted content key by decrypting the encrypted content key using the target node key, generating by the device a decrypted content item by decrypting the encrypted content item using the decrypted version of the encrypted content key, and accessing by the device the decrypted content item.
Dependent claims: 21, 22, 23
Specification