Patents by Inventor Shannon Chan

Shannon Chan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20080005562
    Abstract: Establishing a chain of trust in a public key infrastructure can be costly and time consuming, and requires nearly constant access to the appropriate network-based authorities. Local trust between devices is established using a combination of a personal identification number (PIN) delivered out-of-band and self-signed certificates. The client may present the PIN to an electronic device such as a projector or printer so the electronic device can trust the client. The electronic device may present a self-signed digital certificate with the electronic device UUID based on a hash of the electronic device public key from the certificate.
    Type: Application
    Filed: December 13, 2005
    Publication date: January 3, 2008
    Applicant: Microsoft Corporation
    Inventors: Dale Sather, Guillaume Simonnet, Shannon Chan, Thomas Kuehnel, William Williams
  • Publication number: 20070141988
    Abstract: Discovery of services between devices is provided prior to establishing a connection between devices, including wireless-enabled devices or devices that are communicatively coupled to wireless access points or other wireless communication devices. Discovering services prior to establishing a connection may facilitate finding a desired service. The services that may be discovered may be, for example, print services, camera services, PDA services or any other suitable services. Services may be discovered using 802.11, Bluetooth, UWB or any other suitable wireless technology. An information element is used to wirelessly convey information related to a service and/or information related to service discovery.
    Type: Application
    Filed: May 15, 2006
    Publication date: June 21, 2007
    Applicant: Microsoft Corporation
    Inventors: Thomas Kuehnel, Amer Hassan, Christian Huitema, David Jones, Savas Guven, Shannon Chan, Srinivas Gatta
  • Publication number: 20070136800
    Abstract: An authentication process using a combined code as a shared secret between a client and target service is provided. The combined code is provided out-of-band and includes data to perform two-way authentication for both the client and the target service. The target service may provide the client with a certificate to establish a secure channel. The client may use the data in the combined code to validate the target service. When the target service is validated, the client may provide credentials in the combined code to the target service for authentication. In one example implementation, the combined code includes a hash of a public key. The client may compute another hash of another public key in the certificate provided by the target service and validate the service by comparing the hash in the combined code and the computed hash.
    Type: Application
    Filed: December 13, 2005
    Publication date: June 14, 2007
    Applicant: Microsoft Corporation
    Inventors: Shannon Chan, Thomas Kuehnel
  • Publication number: 20060242322
    Abstract: Systems and methods are provided that facilitate automated network address determinations and communications between roaming peers. In one aspect, a network communications system is provided. The system includes methods for updating a resolution provider with a current host transport address and for determining a roaming host's service address and port information. Other processes include opening and mapping ports through Network Address Translators and Firewalls and opening/mapping ports in conjunction with cascaded Network Address Translators.
    Type: Application
    Filed: November 30, 2005
    Publication date: October 26, 2006
    Applicant: Microsoft Corporation
    Inventors: William Williams, Shannon Chan
  • Publication number: 20060236409
    Abstract: A timed erasure mechanism can be used with portable computer-readable media to ensure automatic erasure of secure information, minimizing the security risks in using such media to store and transport passwords, codes, keys and similar private setup information. The portable computer-readable media can comprise volatile memory and a timed erasure mechanism in the form of a power supply and discharging circuitry that discharges the power supply after a predetermined amount of time. Alternatively, the portable computer-readable media can comprise nonvolatile memory and a timed erasure mechanism in the form of a digital time and erasure algorithms that are initiated after a predetermined amount of time. Furthermore, such portable computer-readable media can comprise a container that bears unique physical properties that can alert users to the volatile nature of the media.
    Type: Application
    Filed: February 18, 2005
    Publication date: October 19, 2006
    Applicant: Microsoft Corporation
    Inventors: Thomas Kuehnel, Shannon Chan, Dale Sather, Guillaume Simonnet
  • Publication number: 20060182028
    Abstract: A system and methods to facilitate provision of network-based services are provided. The system comprises a signaling module that uses a first communication protocol to send a trigger signal to a potential recipient of a network-based service. The trigger signal indicates to the potential recipient that the network-based service is available for the potential recipient to access via the network. The system also includes a service module that receives a request from the potential recipient via a second communication protocol to provide to the potential recipient the network-based service that the trigger signal indicated was available.
    Type: Application
    Filed: January 28, 2005
    Publication date: August 17, 2006
    Applicant: Microsoft Corporation
    Inventors: Shannon Chan, Thomas Kuehnel, Dale Sather
  • Publication number: 20060026141
    Abstract: Data associated with a function instance corresponding to a resource on one computer system is published for use on another computer system. A function instance is created on the other computer system using the published data.
    Type: Application
    Filed: May 2, 2005
    Publication date: February 2, 2006
    Applicant: Microsoft Corporation
    Inventors: Douglas Brubacher, Dale Sather, John Gehlsen, Kenneth Cooper, Kosar Jaff, Gary Raden, Ralph Lipe, Roland Ayala, Shannon Chan
  • Publication number: 20050188193
    Abstract: Methods and systems for establishing a secure network channel between two or more devices in a communication network are disclosed. In exemplary implementations the network may be a UPnP network. A first device passes authentication information to at least a second device to permit the second device to authenticate the first device. Optionally, the first device may request to authenticate the second device, in which authentication information associated with the second device is passed to the first device. The first device uses this information to authenticate the second device. At least one of the first and second device may store authentication information in a data store associated with the device.
    Type: Application
    Filed: February 20, 2004
    Publication date: August 25, 2005
    Inventors: Thomas Kuehnel, Shannon Chan
  • Publication number: 20050108369
    Abstract: The present invention relates to a system and method for configuring and managing network devices. The arrival (and departure) of devices on a network can be detected by a monitor. Upon detection, network devices can be simply and dynamically configured with little or no end-user intervention, for instance by automatically loading device drivers and allocating resources for the devices. Furthermore, network devices can be associated with other network devices such as a personal computer to facilitate seamless integration of network devices with a computer operating system.
    Type: Application
    Filed: February 27, 2004
    Publication date: May 19, 2005
    Inventors: Dale Sather, Guillaume Simonnet, John Gehlsen, Kosar Jaff, Ralph Lipe, Roland Ayala, Shannon Chan, Thomas Kuehnel
  • Patent number: 6505300
    Abstract: Restricted execution contexts are provided for untrusted content, such as computer code or other data downloaded from websites, electronic mail messages and any attachments thereto, and scripts or client processes run on a server. A restricted process is set up for the untrusted content, and any actions attempted by the content are subject to the restrictions of the process, which may be based on various criteria. Whenever a process attempts to access a resource, a token associated with that process is compared against security information of that resource to determine if the type of access is allowed. The security information of each resource thus determines the extent to which the restricted process, and thus the untrusted content, has access. In general, the criteria used for setting up restrictions for each untrusted content's process is information indicative of how trusted or untrusted the content is likely to be.
    Type: Grant
    Filed: June 12, 1998
    Date of Patent: January 7, 2003
    Assignee: Microsoft Corporation
    Inventors: Shannon Chan, Gregory Jensenworth, Mario C. Goertzel, Bharat Shah, Michael M. Swift, Richard B. Ward
  • Publication number: 20020019941
    Abstract: Restricted execution contexts are provided for untrusted content, such as computer code or other data downloaded from websites, electronic mail messages and any attachments thereto, and scripts or client processes run on a server. A restricted process is set up for the untrusted content, and any actions attempted by the content are subject to the restrictions of the process, which may be based on various criteria. Whenever a process attempts to access a resource, a token associated with that process is compared against security information of that resource to determine if the type of access is allowed. The security information of each resource thus determines the extent to which the restricted process, and thus the untrusted content, has access. In general, the criteria used for setting up restrictions for each untrusted content's process is information indicative of how trusted or untrusted the content is likely to be.
    Type: Application
    Filed: June 12, 1998
    Publication date: February 14, 2002
    Inventors: Shannon Chan, Gregory Jensenworth, Mario C. Goertzel, Bharat Shah, Michael M. Swift, Richard B. Ward