Trust management systems and methods

US 9,485,100 B2
Filed: 06/15/2015
Issued: 11/01/2016
Est. Priority Date: 05/19/2000
Status: Expired due to Term

First Claim

Patent Images

1. A trust management method performed by a computer system comprising a processor and a non-transitory computer-readable storage medium storing instructions that when executed by the processor, cause the processor to perform the method, the method comprising:

receiving a request for use of a computing resource;

obtaining a group of certificates expressing a plurality of authorizations, each certificate of the group of certificates expressing at least one authorization of the plurality of authorizations by at least one principal;

constructing a dependency graph based on the group of certificates, the dependency graph comprising a plurality of nodes and at least one connection between at least two nodes of the plurality of nodes, the at least one connection being associated with an authorization of the plurality of authorizations expressed by the group of certificates;

computing, based on the dependency graph, a fixpoint of the plurality of authorizations expressed by the group of certificates, or an approximation thereof; and

implementing a trust management decision based on a result of the fixpoint computation, the trust management decision comprising a determination of whether to grant the request for use of the computing resource.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides systems and methods for making efficient trust management decisions. A trust management engine is provided that processes requests for system resources, authorizations or certificates, and the identity of one or more root authorities that are ultimately responsible for granting or denying the requests. To determine whether a request should be granted, the trust management engine identifies a set principals from whom authorization may flow, and interprets each of the certificates as a function of the state of one or more of the principals. The processing logic iteratively evaluates the functions represented by the certificates, updates the states of the principals, and repeats this process until a reliable determination can be made as to whether the request should be granted or denied. The certificates may be evaluated until the state of the root authority indicates that the request should be granted, or until further evaluation of the certificates is ineffective in changing the state of the principals.

Citations

18 Claims

1. A trust management method performed by a computer system comprising a processor and a non-transitory computer-readable storage medium storing instructions that when executed by the processor, cause the processor to perform the method, the method comprising:
- receiving a request for use of a computing resource;
  
  obtaining a group of certificates expressing a plurality of authorizations, each certificate of the group of certificates expressing at least one authorization of the plurality of authorizations by at least one principal;
  
  constructing a dependency graph based on the group of certificates, the dependency graph comprising a plurality of nodes and at least one connection between at least two nodes of the plurality of nodes, the at least one connection being associated with an authorization of the plurality of authorizations expressed by the group of certificates;
  
  computing, based on the dependency graph, a fixpoint of the plurality of authorizations expressed by the group of certificates, or an approximation thereof; and
  
  implementing a trust management decision based on a result of the fixpoint computation, the trust management decision comprising a determination of whether to grant the request for use of the computing resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein constructing the dependency graph further comprises:
    - identifying a set of principals associated with the group of certificates, wherein each node of the plurality of nodes is associated with at least one principal of the set of principals.
  - 3. The method of claim 1, wherein at least one certificate of the group of certificates comprises a Simple Public Key Infrastructure certificate.
  - 4. The method of claim 1, wherein at least one certificate of the group of certificates comprises a Keynote certificate.
  - 5. The method of claim 1, wherein the computing resource comprises at least one of access to a piece of electronic content, use of a computer program, access to a computing system, access to a processing resource, and access to a network.
  - 6. The method of claim 1, wherein obtaining the group of certificates comprises obtaining at least one certificate of the group of certificates from the non-transitory computer readable storage medium.
  - 7. The method of claim 1, wherein obtaining the group of certificates comprises obtaining at least one certificate of the group of certificates from a remote system.
  - 8. The method of claim 1, wherein each certificate of the group of certificates is expressed as a function, wherein each function possesses one or more properties sufficient to ensure that the plurality of authorizations expressed by the group of certificates with have a fixpoint.
  - 9. The method of claim 8, wherein the one or more properties sufficient to ensure that the plurality of authorizations will have a fixpoint includes a property that each function is monotone.

10. A non-transitory computer-readable storage medium storing instructions that when executed by a system comprising a processor, cause the processor to perform a trust management method comprising:
- receiving a request for use of a computing resource;
  
  obtaining a group of certificates expressing a plurality of authorizations, each certificate of the group of certificates expressing at least one authorization of the plurality of authorizations by at least one principal;
  
  constructing a dependency graph based on the group of certificates, the dependency graph comprising a plurality of nodes and at least one connection between at least two nodes of the plurality of nodes, the at least one connection being associated with an authorization of the plurality of authorizations expressed by the group of certificates;
  
  computing, based on the dependency graph, a fixpoint of the plurality of authorizations, or an approximation thereof; and
  
  implementing a trust management decision based on a result of the fixpoint computation, the trust management decision comprising a determination of whether to grant the request for use of the computing resource.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The non-transitory computer-readable storage medium of claim 10, wherein constructing the dependency graph further comprises:
    - identifying a set of principals associated with the group of certificates, wherein each node of the plurality of nodes is associated with at least one principal of the set of principals.
  - 12. The non-transitory computer-readable storage medium of claim 10, wherein at least one certificate of the group of certificates comprises a Simple Public Key Infrastructure certificate.
  - 13. The non-transitory computer-readable storage medium of claim 10, wherein at least one certificate of the group of certificates comprises a Keynote certificate.
  - 14. The non-transitory computer-readable storage medium of claim 10, wherein the computing resource comprises at least one of access to a piece of electronic content, use of a computer program, access to a computing system, access to a processing resource, and access to a network.
  - 15. The method of claim 10, wherein obtaining the group of certificates comprises obtaining at least one certificate of the group of certificates from the non-transitory computer readable storage medium.
  - 16. The method of claim 10, wherein obtaining the group of certificates comprises obtaining at least one certificate of the group of certificates from a remote system.
  - 17. The method of claim 10, wherein each certificate of the group of certificates is expressed as a function, wherein each function possesses one or more properties sufficient to ensure that the plurality of authorizations expressed by the group of certificates with have a fixpoint.
  - 18. The method of claim 17, wherein the one or more properties sufficient to ensure that the plurality of authorizations will have a fixpoint includes a property that each function is monotone.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intertrust Technologies Corporation (Fidelio Acquisition Co LLC)
Original Assignee
Intertrust Technologies Corporation (Fidelio Acquisition Co LLC)
Inventors
Weeks, Stephen P., Serret-Avila, Xavier
Primary Examiner(s)
Truong, Thanhnga B

Application Number

US14/739,277
Publication Number

US 20150312045A1
Time in Patent Office

505 Days
Field of Search

726/1, 726/2, 726/8, 713/156, 713/175, 713/182, 380/45, 380/277
US Class Current

1/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 9/3263   involving certificates, e.g...

Trust management systems and methods

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Trust management systems and methods

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links