Abstract: One embodiment includes a method which may be practiced in a computing environment where resources are distributed. The method includes acts for obtaining policy information defining restrictions on resources distributed in the computing environment. The method includes sending a request to a server for metadata about one or more resource protection policies at the server. In response to the request, metadata about one or more resource protection polices at the server is received from the server. The metadata from the server is analyzed. Based on analyzing the metadata, one or more resource protection policies stored at the client are updated.

Abstract: An improved certificate issuing system may comprise a certificate translation engine for translating incoming certificates and certificate requests from a first format into a second format. A certificate issuing engine may then operate on incoming requests in the common format. The issuing engine can issue certificates to clients according to its certificate issuing policy. The policy may be expressed as data in a policy expression language that can be consumed at runtime, which provides for flexible and efficient changing of issuing policy. Issued certificates can be translated back into a format that is consumed by the requesting client. Such translation can be performed by the translation engine prior to delivery of certificates to requesting clients.

Abstract: An improved certificate issuing system may comprise a novel arrangement for expressing certificate issuing policy. The policy may be expressed in a human-readable policy expression language and stored for example in a file that is consumed by a certificate issuing system at runtime. The policy may thus be easily changed by altering the digital file. Certain techniques are also provided for extending the capabilities of the certificate issuing system so it may apply and enforce new policies.

Abstract: A key management interface that allows for different key protection schemes to be plugged into a digital rights management system is disclosed. The interface exposes the functionality of signing data, decrypting data encrypted using a public key, and re-encrypting data encrypted using the public key exported by the interface to a different authenticated principal (i.e., a different public key). Thus, a secure interface can be provided such that the data does not enter or leave the interface in the clear. Such an interface exports private key operations of signing and decryption, and provides security and authentication for the digital asset server in licensing and publishing. During publishing, a client can encrypt asset keys such that only a specified entity can decrypt it, using a plug-in, for example, that implements the aforementioned interface.

Abstract: A Digital Rights Management (DRM) system has a plurality of DRM servers performing DRM functionality and an entering DRM-E server is enrolled into the system by an enrolling DRM-R server such that the entering DRM-E server is to be trusted within the system. The DRM-E server sends an enrollment request to the DRM-R server including a proffering identification and a public key (PU-E). The DRM-R server validates the proffering identification, and, if the request is to be honored, generates a digital enrollment certificate with (PU-E) for the DRM-E server to enroll such DRM-E server into the DRM system. The now-enrolled DRM-E server with the generated enrollment certificate is able to employ same to issue DRM documents within the DRM system.

Abstract: A Digital Rights Management (DRM) system has a plurality of DRM servers performing DRM functionality and an entering DRM-E server is enrolled into the system by an enrolling DRM-R server such that the entering DRM-E server is to be trusted within the system. The DRM-E server sends an enrollment request to the DRM-R server including a proffering identification and a public key (PU-E). The DRM-R server validates the proffering identification, and, if the request is to be honored, generates a digital enrollment certificate with (PU-E) for the DRM-E server to enroll such DRM-E server into the DRM system. The now-enrolled DRM-E server with the generated enrollment certificate is able to employ same to issue DRM documents within the DRM system.

Abstract: A key management interface that allows for different key protection schemes to be plugged into a digital rights management system is disclosed. The interface exposes the functionality of signing data, decrypting data encrypted using a public key, and re-encrypting data encrypted using the public key exported by the interface to a different authenticated principal (i.e., a different public key). Thus, a secure interface can be provided such that the data does not enter or leave the interface in the clear. Such an interface exports private key operations of signing and decryption, and provides security and authentication for the digital asset server in licensing and publishing. During publishing, a client can encrypt asset keys such that only a specified entity can decrypt it, using a plug-in, for example, that implements the aforementioned interface.

Abstract: A key management interface that allows for different key protection schemes to be plugged into a digital rights management system is disclosed. The interface exposes the functionality of signing data, decrypting data encrypted using a public key, and re-encrypting data encrypted using the public key exported by the interface to a different authenticated principal (i.e., a different public key). Thus, a secure interface can be provided such that the data does not enter or leave the interface in the clear. Such an interface exports private key operations of signing and decryption, and provides security and authentication for the digital asset server in licensing and publishing. During publishing, a client can encrypt asset keys such that only a specified entity can decrypt it, using a plug-in, for example, that implements the aforementioned interface.

Abstract: An improved certificate issuing system may comprise a certificate translation engine for translating incoming certificates and certificate requests from a first format into a second format. A certificate issuing engine may then operate on incoming requests in the common format. The issuing engine can issue certificates to clients according to its certificate issuing policy. The policy may be expressed as data in a policy expression language that can be consumed at runtime, which provides for flexible and efficient changing of issuing policy. Issued certificates can be translated back into a format that is consumed by the requesting client. Such translation can be performed by the translation engine prior to delivery of certificates to requesting clients.

Abstract: An improved certificate issuing system may comprise a novel arrangement for expressing certificate issuing policy. The policy may be expressed in a human-readable policy expression language and stored for example in a file that is consumed by a certificate issuing system at runtime. The policy may thus be easily changed by altering the digital file. Certain techniques are also provided for extending the capabilities of the certificate issuing system so it may apply and enforce new policies.

Abstract: A Digital Rights Management (DRM) system has a plurality of DRM servers performing DRM functionality and an entering DRM-E server is enrolled into the system by an enrolling DRM-R server such that the entering DRM-E server is to be trusted within the system. The DRM-E server sends an enrollment request to the DRM-R server including a proffering identification and a public key (PU-E). The DRM-R server validates the proffering identification, and, if the request is to be honored, generates a digital enrollment certificate with (PU-E) for the DRM-E server to enroll such DRM-E server into the DRM system. The now-enrolled DRM-E server with the generated enrollment certificate is able to employ same to issue DRM documents within the DRM system.

Abstract: Systems and methods for providing digital rights management services are disclosed. Such a system includes a service program that provides a processing framework for performing a digital rights management service, such as publishing or licensing rights managed digital content. A plurality of plug-in components are provided, each of which performs a respective task associated with the digital rights management service. The plug-in components are integrated into the processing framework according to predefined sets of interface rules.

Abstract: A key management interface that allows for different key protection schemes to be plugged into a digital rights management system is disclosed. The interface exposes the functionality of signing data, decrypting data encrypted using a public key, and re-encrypting data encrypted using the public key exported by the interface to a different authenticated principal (i.e., a different public key). Thus, a secure interface can be provided such that the data does not enter or leave the interface in the clear. Such an interface exports private key operations of signing and decryption, and provides security and authentication for the digital asset server in licensing and publishing. During publishing, a client can encrypt asset keys such that only a specified entity can decrypt it, using a plug-in, for example, that implements the aforementioned interface.