Patents by Inventor Maryann Hondo

Maryann Hondo has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9292619
    Abstract: A system in which a sending entity creates a structured document and communicates it to a receiving entity includes a transform to ensure document elements are not moved during communication. The structured document comprises a root element and a set of child elements. A child element is protected by a digital signature, prior to being positioned within the document. This element includes a sending entity security policy. The receiving entity includes a transform that determines whether the signed element is in a given position within the received document. The transform evaluates the data string against a set of ancestor elements of the signed element to determine whether the signed element is in the given position. If so, the transform preferably outputs the signed element itself. If the transform determines that the signed element has been moved, however, preferably it outputs a given value other than the signed element.
    Type: Grant
    Filed: June 29, 2006
    Date of Patent: March 22, 2016
    Assignee: International Business Machines Corporation
    Inventors: Paula K. Austel, Maryann Hondo, Michael McIntosh, Anthony J. Nadalin
  • Patent number: 8712886
    Abstract: An apparatus and method for service classification are provided. The apparatus and method make use of canonical service descriptions which designate minimum requirements for a service to be classified into a corresponding classification. Based on the canonical service description, it can be determined whether a service that wishes to be classified into a particular classification of a taxonomy on a service broker meets the minimum requirements for that classification. Furthermore, the use of canonical service descriptions ensures that all services classified into a particular classification have a minimum level of functionality that will allow them to function properly when invoked.
    Type: Grant
    Filed: January 3, 2001
    Date of Patent: April 29, 2014
    Assignee: International Business Machines Corporation
    Inventors: Toufic Boubez, Stephen L. Burbeck, James B. Casler, Stephen G. Graham, Maryann Hondo
  • Patent number: 7903656
    Abstract: A method, system, apparatus, or computer program product is presented for routing event messages between data processing systems based on privacy policies associated with the data processing systems and based on event policies associated with event types for the event messages. When a system attempts to publish an event message for a particular type of event or to subscribe to those event messages, an event policy is checked to determine whether the system may publish messages for that type of event or may subscribe to those messages. Moreover, if a publishing system publishes an event message that contains personally identifiable information for a user of a data processing system, and a subscribing system has subscribed to event messages having the same event type, then the privacy policies associated with the systems are compared to determine compatibility or incompatibility between the privacy policies before routing a message between the systems.
    Type: Grant
    Filed: October 4, 2007
    Date of Patent: March 8, 2011
    Assignee: International Business Machines Corporation
    Inventors: Maryann Hondo, Anthony Joseph Nadalin, Ajamu Akinwunmi Wesley
  • Patent number: 7657924
    Abstract: A method, system and computer program product for implementing authorization policies for web services may include defining an authorization policy for access to a web service. The method, system and computer program product may also include attaching the authorization policy to a service definition for the web service.
    Type: Grant
    Filed: April 6, 2005
    Date of Patent: February 2, 2010
    Assignee: International Business Machines Corporation
    Inventors: Maryann Hondo, Anthony J. Nadalin, Nataraj Nagaratnam
  • Publication number: 20080022409
    Abstract: A method, system, apparatus, or computer program product is presented for routing event messages between data processing systems based on privacy policies associated with the data processing systems and based on event policies associated with event types for the event messages. When a system attempts to publish an event message for a particular type of event or to subscribe to those event messages, an event policy is checked to determine whether the system may publish messages for that type of event or may subscribe to those messages. Moreover, if a publishing system publishes an event message that contains personally identifiable information for a user of a data processing system, and a subscribing system has subscribed to event messages having the same event type, then the privacy policies associated with the systems are compared to determine compatibility or incompatibility between the privacy policies before routing a message between the systems.
    Type: Application
    Filed: October 4, 2007
    Publication date: January 24, 2008
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Maryann Hondo, Anthony Nadalin, Ajamu Wesley
  • Publication number: 20080005660
    Abstract: A system in which a sending entity creates a structured document and communicates that document to a receiving entity includes a transform to ensure that document elements are not moved during communication. The structured document is typically XML, and the document comprises a root element and a set of one or more child elements. At least one child element is protected, for example, by a digital signature, prior to being positioned within the XML document. This “signed” element includes a sending entity security policy, preferably in the form of a position dependent or absolute path expression. The receiving entity includes a transform that determines whether the signed element is in a given position within the received XML document. Typically, the given position is the position at which the signed element was placed within the structured document by the sending entity.
    Type: Application
    Filed: June 29, 2006
    Publication date: January 3, 2008
    Inventors: Paula K. Austel, Maryann Hondo, Michael McIntosh, Anthony J. Nadalin
  • Patent number: 7304982
    Abstract: A method, system, apparatus, or computer program product is presented for routing event messages between data processing systems based on privacy policies associated with the data processing systems and based on event policies associated with event types for the event messages. When a system attempts to publish an event message for a particular type of event or to subscribe to those event messages, an event policy is checked to determine whether the system may publish messages for that type of event or may subscribe to those messages. Moreover, if a publishing system publishes an event message that contains personally identifiable information for a user of a data processing system, and a subscribing system has subscribed to event messages having the same event type, then the privacy policies associated with the systems are compared to determine compatibility or incompatibility between the privacy policies before routing a message between the systems.
    Type: Grant
    Filed: December 31, 2002
    Date of Patent: December 4, 2007
    Assignee: International Business Machines Corporation
    Inventors: Maryann Hondo, Anthony Joseph Nadalin, Ajamu Akinwunmi Wesley
  • Publication number: 20060294383
    Abstract: Methods, systems, and products are disclosed in which secure data communications in web services are provided generally by receiving in a web service from a client a request containing an element bearing a first signature, the signature having a value; signing the value of the first signature, thereby creating a second signature; and sending a response from the web service to the client, the response including the second signature. The requester may verify that the response includes the second signature. The request may be encrypted, and the response may be encrypted. The first signature may be encrypted, and the web service may encrypt the value of the first signature and include the encrypted value of the first signature in the response. The web service may receive a request encoded in SOAP and may send a response also encoded in SOAP.
    Type: Application
    Filed: June 28, 2005
    Publication date: December 28, 2006
    Inventors: Paula Austel, Maryann Hondo, Michael McIntosh, Anthony Nadalin, Nataraj Nagaratnam
  • Publication number: 20060230430
    Abstract: A method, system and computer program product for implementing authorization policies for web services may include defining an authorization policy for access to a web service. The method, system and computer program product may also include attaching the authorization policy to a service definition for the web service.
    Type: Application
    Filed: April 6, 2005
    Publication date: October 12, 2006
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Maryann Hondo, Anthony Nadalin, Nataraj Nagaratnam
  • Publication number: 20040128544
    Abstract: A distributed trust infrastructure is presented that interfaces disparate trust models across trust domain boundaries and manages inter-domain and intra-domain trust relationships such that they are not reliant upon a single trust manager entity. A trust relationship between trust domains is represented by a trust link, which associates a namespace with a trust oracle, which is a service in a trust domain given responsibility to authoritatively resolve trust-related operations relative to the associated namespace. Trust links for a given trust domain are used by a trust link reference agent that is supported within the trust domain. The trust link reference agent is consulted for trust-related operations within its trust domain; after identifying the appropriate trust oracle for handling the trust-related operation, the trust-related operation is forwarded to the trust oracle for resolution. In addition, the trust links are associated with policies that guide the management of the trust links.
    Type: Application
    Filed: December 31, 2002
    Publication date: July 1, 2004
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Maryann Hondo, Anthony Joseph Nadalin, Ajamu Akinwunmi Wesley
  • Publication number: 20040125798
    Abstract: A method, system, apparatus, or computer program product is presented for routing event messages between data processing systems based on privacy policies associated with the data processing systems and based on event policies associated with event types for the event messages. When a system attempts to publish an event message for a particular type of event or to subscribe to those event messages, an event policy is checked to determine whether the system may publish messages for that type of event or may subscribe to those messages. Moreover, if a publishing system publishes an event message that contains personally identifiable information for a user of a data processing system, and a subscribing system has subscribed to event messages having the same event type, then the privacy policies associated with the systems are compared to determine compatibility or incompatibility between the privacy policies before routing a message between the systems.
    Type: Application
    Filed: December 31, 2002
    Publication date: July 1, 2004
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Maryann Hondo, Anthony Joseph Nadalin, Ajamu Akinwunmi Wesley
  • Publication number: 20020087374
    Abstract: The present invention provides an apparatus and method for service classification verification. The present invention makes use of canonical service description tests which designate minimum requirements for a service to be classified into a corresponding classification. Based on the canonical service description tests, it can be determined whether a service that wishes to be classified into a particular classification of a taxonomy on a service broker meets the minimum requirements for that classification. Furthermore, the use of canonical service description tests ensures that all services classified into a particular classification have a minimum level of functionality that will allow them to function properly when invoked.
    Type: Application
    Filed: January 3, 2001
    Publication date: July 4, 2002
    Applicant: International Business Machines Corporation
    Inventors: Toufic Boubez, Stephen L. Burbeck, James B. Casler, Stephen G. Graham, Maryann Hondo
  • Publication number: 20020087340
    Abstract: An apparatus and method for service classification are provided. The apparatus and method make use of canonical service descriptions which designate minimum requirements for a service to be classified into a corresponding classification. Based on the canonical service description, it can be determined whether a service that wishes to be classified into a particular classification of a taxonomy on a service broker meets the minimum requirements for that classification. Furthermore, the use of canonical service descriptions ensures that all services classified into a particular classification have a minimum level of functionality that will allow them to function properly when invoked.
    Type: Application
    Filed: January 3, 2001
    Publication date: July 4, 2002
    Applicant: International Business Machines Corporation
    Inventors: Toufic Boubez, Stephen L. Burbeck, James B. Casler, Stephen G. Graham, Maryann Hondo