Trust management systems and methods
Abstract
The present invention provides systems and methods for making efficient trust management decisions. A trust management engine is provided that processes requests for system resources, authorizations or certificates, and the identity of one or more root authorities that are ultimately responsible for granting or denying the requests. To determine whether a request should be granted, the trust management engine identifies a set of principals from whom authorization may flow, and interprets each of the certificates as a function of the state of one or more of the principals. The processing logic iteratively evaluates the functions represented by the certificates, updates the states of the principals, and repeats this process until a reliable determination can be made as to whether the request should be granted or denied. The certificates may be evaluated until the state of the root authority indicates that the request should be granted, or until further evaluation of the certificates is ineffective in changing the state of the principals.
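The iterative evaluation described in the abstract can be sketched as a worklist least-fixpoint computation over a dependency graph; this is an added example, not code from the patent. The certificate tuple layout, the `decide` and `threshold` helpers, and the principals and permissions in `CERTS` are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Assumed model: a certificate is (issuer, reads, fn). `issuer` authorizes the
# permissions returned by fn(state); fn reads only the principals in `reads`
# and must be monotone (more input authorizations never yield fewer outputs).
# Monotonicity is what makes the early exit sound and guarantees termination.
def decide(root, request, certs):
    """Return (granted, state); granted iff root's state comes to hold `request`."""
    state = defaultdict(set)        # principal -> permissions it authorizes
    dependents = defaultdict(list)  # dependency graph: principal -> certs reading it
    for cert in certs:
        for principal in cert[1]:
            dependents[principal].append(cert)
    work = deque(certs)             # every certificate is evaluated at least once
    while work:
        issuer, _, fn = work.popleft()
        new = fn(state) - state[issuer]
        if not new:
            continue                # state unchanged: nothing downstream to revisit
        state[issuer] |= new
        if request in state[root]:
            return True, dict(state)   # root already authorizes the request
        # Re-evaluate only the certificates that read the principal that changed.
        work.extend([c for c in dependents[issuer] if c not in work])
    return False, dict(state)       # fixpoint reached without authorization

def threshold(k, names):
    """Monotone k-of-n rule: permissions authorized by at least k of `names`."""
    return lambda s: {p for n in names for p in s[n]
                      if sum(p in s[m] for m in names) >= k}

# Constructed sample policy; all names are hypothetical.
VOTERS = ("alice", "bob", "carol")
CERTS = [
    ("alice", (), lambda s: {"read", "write"}),          # direct grant
    ("bob", ("alice",), lambda s: s["alice"] & {"read"}),  # restricted delegation
    ("carol", ("dave",), lambda s: set(s["dave"])),      # carol and dave delegate to
    ("dave", ("carol",), lambda s: set(s["carol"])),     # each other: a cycle, no grant
    ("root", VOTERS, threshold(2, VOTERS)),              # root needs 2 of 3 voters
]

if __name__ == "__main__":
    for perm in ("read", "write"):
        print(perm, decide("root", perm, CERTS)[0])
```

The carol/dave cycle contributes nothing because a least fixpoint starts from empty states, so circular delegation cannot authorize anything by itself.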
18 Claims
1. A trust management method performed by a computer system comprising a processor and a non-transitory computer-readable storage medium storing instructions that when executed by the processor, cause the processor to perform the method, the method comprising:
- receiving a request for use of a computing resource;
- obtaining a group of certificates expressing a plurality of authorizations, each certificate of the group of certificates expressing at least one authorization of the plurality of authorizations by at least one principal;
- constructing a dependency graph based on the group of certificates, the dependency graph comprising a plurality of nodes and at least one connection between at least two nodes of the plurality of nodes, the at least one connection being associated with an authorization of the plurality of authorizations expressed by the group of certificates;
- computing, based on the dependency graph, a fixpoint of the plurality of authorizations expressed by the group of certificates, or an approximation thereof; and
- implementing a trust management decision based on a result of the fixpoint computation, the trust management decision comprising a determination of whether to grant the request for use of the computing resource.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9

10. A non-transitory computer-readable storage medium storing instructions that when executed by a system comprising a processor, cause the processor to perform a trust management method comprising:
- receiving a request for use of a computing resource;
- obtaining a group of certificates expressing a plurality of authorizations, each certificate of the group of certificates expressing at least one authorization of the plurality of authorizations by at least one principal;
- constructing a dependency graph based on the group of certificates, the dependency graph comprising a plurality of nodes and at least one connection between at least two nodes of the plurality of nodes, the at least one connection being associated with an authorization of the plurality of authorizations expressed by the group of certificates;
- computing, based on the dependency graph, a fixpoint of the plurality of authorizations, or an approximation thereof; and
- implementing a trust management decision based on a result of the fixpoint computation, the trust management decision comprising a determination of whether to grant the request for use of the computing resource.

Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18
Specification