Patents by Inventor Brian LaMacchia
Brian LaMacchia has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 7877264Abstract: Intelligent Trust Management provides a centralized security facility that gives system components a flexible mechanism for implementing security policies. System components such as applications create a request describing an action that needs to be checked against an appropriate security policy. The request is given to a trust system that determines which policy object applies to the request, and may pass request arguments to the policy. The policy objects include executable code that uses any arguments along with dynamically obtained variable information to make a decision. The decision is returned to the system component, which then operates accordingly. Policy objects may maintain state and interface with the user independent of the system component in order to obtain information to make their decisions. Policy objects may call other policy objects and/or mathematically combine the results of other policy objects to make a decision.Type: GrantFiled: November 14, 2005Date of Patent: January 25, 2011Assignee: Microsoft CorporationInventors: Barbara L. Fox, Brian A. LaMacchia
-
Patent number: 7792758Abstract: A computer-implemented mechanism for granting rights is described. A license may be used to identify one or more principals, resources, rights and conditions. The license also identifies a license format scheme and a license format modification scheme. An access control module or other entity may interpret the license in accordance with the license format scheme and license format modification scheme.Type: GrantFiled: November 18, 2002Date of Patent: September 7, 2010Assignee: Microsoft CorporationInventors: Bob Atkinson, John DeTreville, Brian A. LaMacchia
-
Publication number: 20100212002Abstract: This document describes tools that constrain a login to a subset of access rights. In one embodiment, the tools generate a constrained password by executing a cryptographic algorithm on a user ID, general password, and one or more desired constraints. The constrained password is used in place of the general password to gain access rights that are a subset of the access rights that would be granted if the general password were used instead.Type: ApplicationFiled: February 13, 2009Publication date: August 19, 2010Applicant: MICROSOFT CORPORATIONInventors: John R. Michener, Niels T Ferguson, Carl M. Ellison, Josh Benaloh, Brian A LaMacchia
-
Patent number: 7770206Abstract: A resource of a first organization provides access thereto to a requestor of a second organization. A first administrator of the first organization issues a first credential to a second administrator of the second organization, including policy that the second administrator may issue a second credential to the requestor on behalf of the first administrator. The second administrator issues the second credential to the requester, including the issued first credential. The requestor requests access from the resource and includes the issued first and second credentials. The resource validates that the issued first credential ties the first administrator to the second administrator, and that the issued second credential ties the second administrator to the requester. The resource thus knows that the request is based on rights delegated from the first administrator to the requester by way of the second administrator.Type: GrantFiled: March 11, 2005Date of Patent: August 3, 2010Assignee: Microsoft CorporationInventors: Blair Brewster Dillaway, Brian LaMacchia, Muthukrishnan Paramasivam, Charles F. Rose, III, Ravindra Nath Pandya
-
Patent number: 7603717Abstract: A computer-implemented mechanism for granting rights to a resource is described. A license identifies one or more principals, resources, rights and conditions in fields of the license. The license fields include one or more instances of one or more variables. The variables are universally quantified so that each variable may be any one of a set of values. All instances of any given variable are bound to the same value.Type: GrantFiled: November 18, 2002Date of Patent: October 13, 2009Assignee: Microsoft CorporationInventors: Bob Atkinson, Brian A. LaMacchia, John DeTreville, Muthukrishnan Paramasivam, Xin Wang, Thomas DeMartini
-
Patent number: 7596692Abstract: Method, system, and computer program products for identifying potentially fraudulent receivers of digital content. A receiver authenticates to an auditing service with data that should be unique to the receiver. The auditing service detects when multiple receivers attempt to authenticate with the same data, suggesting that a receiver has been cloned or duplicated. The audit service also detects when a receiver authenticates improperly, suggesting an unsuccessful and unauthorized attempt to duplicate an authorized receiver. Individual receivers may be networked together. To help protect a receiver's authentication data from tampering, at least a portion of the data may be digitally signed with a private key. The audit service may then verify the digital signature with a corresponding public key. Varying the order in which data is signed or where the data is stored from one receiver or group of receivers to another may provide an additional level of security.Type: GrantFiled: June 5, 2002Date of Patent: September 29, 2009Assignee: Microsoft CorporationInventors: Barbara Lynch Fox, David G. Conroy, Brian A. LaMacchia
-
Patent number: 7581231Abstract: An application program interface (API) provides a set of functions for application developers who build Web applications on Microsoft Corporation's .NETâ„¢ platform.Type: GrantFiled: February 28, 2002Date of Patent: August 25, 2009Assignee: Microsoft CorporationInventors: Adam W. Smith, Anthony J. Moore, Anders Hejlsberg, Brian A. LaMacchia, Blaine J. Dockter, Brian M. Grunkemeyer, Brian K. Pepin, Caleb L. Doise, Christopher W. Brumme, Chad W. Royal, Christopher L. Anderson, Corina E. Feuerstein, Craig T. Sinclair, Daniel Dedu-Constantin, Daniel Takacs, David S. Ebbo, David S. Mortenson, Erik B. Christensen, Erik B. Olson, Fabio A. Yeon, Giovanni M. Della-Libera, Gopala Krishna R. Kakivaya, Gregory D. Fee, Hany E. Ramadan, Jayanth V. Rajan, Jeffrey M. Cooperstein, Jonathan C. Hawkins, James H. Hogg, Joe D. Long, John I. McConnell, Jesus Ruiz-Scougall, James S. Miller, Julie D. Bennett, Jun Fang, Krzysztof J. Cwalina, Keith W. Ballinger, Lance E. Olson, Loren M. Kohnfelder, Luca Bolognese, Manu Vasandani, Mark T. Anders, Mark P. Ashton, Mark A. Boulter, Mark W. Fussell, Michael M. Magruder, Manish S. Prabhu, Neetu Rajpal, Nikhil Kothari, Nithyalakshmi Sampathkumar, Nicholas M. Kramer, Omri Gazitt, Radu Rares Palanca, Raja Krishnaswamy, Robert M. Howard, Ramasamy Krishnaswamy, Shawn P. Burke, Scott D. Guthrie, Sean E. Trowbridge, Seth M. Demsey, Shajan Dasan, Subhag P. Oak, Sreeram Nivarthi, Stefan H. Pharies, Suzanne M. Cook, Susan M. Warren, Tarun Anand, Travis J. Muhlestein, William A. Adams, Yan Leshinsky, Yann E. Christensen, Yung-shin Lin, Stephen J. Millet, Joseph Roxe, Alan Boshier, Henry L. Sanders, David Bau
-
Patent number: 7555757Abstract: An application program interface (API) provides a set of functions, including a set of base classes and types that are used in substantially all applications accessing the API, for application developers who build Web applications on Microsoft Corporation's .NETâ„¢ platform.Type: GrantFiled: June 23, 2005Date of Patent: June 30, 2009Assignee: Microsoft CorporationInventors: Adam W. Smith, Anthony J. Moore, Brian A. LaMacchia, Anders Hejlsberg, Brian M. Grunkemeyer, Caleb L. Doise, Christopher W. Brumme, Christopher L. Anderson, Corina E. Feuerstein, Craig T. Sinclair, Daniel Takacs, David S. Ebbo, David O. Driver, David S. Mortenson, Erik B. Christensen, Erik B. Olson, Fabio A. Yeon, Gopala Krishna R. Kakivaya, George D. Fee, Hany E. Ramadan, Henry L. Sanders, II, Jayanth V. Rajan, Jeffrey M. Cooperstein, Jonathan C. Hawkins, James H. Hogg, Joe D. Long, John I. McConnell, Jesus Ruiz-Scougall, James S. Miller, Julie D. Bennett, Krzysztof J. Cwalina, Lance E. Olson, Loren M. Kohnfelder, Michael M. Magruder, Manish S. Prabhu, Radu Rares Palanca, Raja Krishnaswamy, Shawn P. Burke, Sean E. Trowbridge, Seth M. Demsey, Shajan Dasan, Stefan H. Pharies, Suzanne M. Cook, Tarun Anand, Travis J. Muhlestein, Yann E. Christensen, Yung-shin Lin, Ramasamy Krishnaswamy, Joseph Roxe, Alan Boshier, David Bau
-
Patent number: 7549051Abstract: A digital certificate is employed to produce a digital signature for a digital construct. In the digital certificate is set forth a certificate validity period defining for the digital certificate a time period during which the digital certificate is to be honored as valid for producing digital signatures, and a signature validity period defining for each digital signature produced based on the digital certificate a time period during which the digital signature is to be honored as valid.Type: GrantFiled: March 10, 2005Date of Patent: June 16, 2009Assignee: Microsoft CorporationInventors: Blair Brewster Dillaway, Brian LaMacchia, John Manferdelli, Muthukrishnan Paramasivam
-
Patent number: 7543140Abstract: A digital certificate identifies an entity as having authority over the certificate to revoke same as delegated by the issuer. The certificate also has at least one revocation condition relating to possible revocation of the certificate. To authenticate the certificate, the identification of the delegated revocation authority, a location from which a revocation list is to be obtained, and any freshness requirement to be applied to the revocation list are determined from the certificate. It is then ensured that the revocation list from the location is present and that the present revocation list satisfies the freshness requirement, that the revocation list is promulgated by the delegated revocation authority identified in the certificate, and that the certificate is not identified in the revocation list as being revoked.Type: GrantFiled: February 26, 2003Date of Patent: June 2, 2009Assignee: Microsoft CorporationInventors: Blair Brewster Dillaway, Philip Lafornara, Brian A. LaMacchia, Rushmi U. Malaviarachchi, John L. Manferdelli, Charles F. Rose, III
-
Patent number: 7506158Abstract: A system for using a certificate authority to first provide a customer with a digital certificate, and then having a relying party that receives that digital certificate access a status authority (the certificate authority or its designated agent) to receive a reissued certificate on that certificate. The reissued certificate has a much shorter validity period, which ensures that the information is timely. Moreover, the certificate may serve as a receipt, including an accumulated record of the signatures (digital certificates) and policy applied throughout the financial transaction. As a result, each transfer of the transaction forms a digitally-signed chain of evidence recording each step of the transaction and policy applied thereto, whereby risk may be assumed and charged for appropriately and in accordance with the risk purchaser's policy.Type: GrantFiled: January 10, 2005Date of Patent: March 17, 2009Assignee: Microsoft CorporationInventors: Barbara L. Fox, Brian A. LaMacchia
-
Publication number: 20080065899Abstract: A security scheme enables control over variables that are expressed in security assertions. In an example implementation, a security type is implicitly assigned to variables based on their syntactic position within a given assertion. In another example implementation, a security scheme enforces strong variable typing such that each variable in an assertion binds to only a single security type. In yet another example implementation, a security scheme constrains the binding behavior of two variables with respect to each other.Type: ApplicationFiled: September 8, 2006Publication date: March 13, 2008Applicant: Microsoft CorporationInventors: Blair B. Dillaway, Brian A. LaMacchia, Moritz Y. Becker, Andrew D. Gordon, Cedric Fournet
-
Publication number: 20080066147Abstract: Composable security policies enable multiple authorization policies to be combined into a composed effective authorization policy such that policy authoring rights may be arbitrarily and flexibly delegated. In an example implementation, making an authorization decision based on a composed effective policy is described. In another example implementation, the delegation of policy authoring rights using an assertion in accordance with a security language is described. In yet another example implementation, a security authorization system is described that includes a mechanism enabling an administrator to explicitly grant all or a part of policy authoring rights to another administrator.Type: ApplicationFiled: September 11, 2006Publication date: March 13, 2008Applicant: Microsoft CorporationInventors: Blair B. Dillaway, Brian A. LaMacchia, Gregory D. Fee
-
Publication number: 20080066170Abstract: Security assertion revocation enables a revocation granularity in a security scheme down to the level of individual assertions. In an example implemenation, a security token includes multiple respective assertions that are associated with multiple respective assertion identifiers. More specifically, each individual assertion is associated with at least one individual assertion identifier.Type: ApplicationFiled: September 8, 2006Publication date: March 13, 2008Applicant: Microsoft CorporationInventors: Blair B. Dillaway, Moritz Y. Becker, Andrew D. Gordon, Cedric Fournet, Brian A. LaMacchia
-
Publication number: 20080066158Abstract: Authorization descisions may be made based on principal attributes. In an example implementation, a security scheme has a principal-to-attribute binding mechanism that is unified across both token assertions and policy assertions. In another example implementation, conditional access to a resource is based on a principal simultaneously possessing multiple attributes. In yet another example implementation, a principal may be granted access to a resource if the principal possesses at least one value that is included in a defined subset of values for a given attribute.Type: ApplicationFiled: September 8, 2006Publication date: March 13, 2008Applicant: Microsoft CorporationInventors: Blair B. Dillaway, Brian A. LaMacchia
-
Publication number: 20070300285Abstract: Techniques for managing security contexts may be described. An apparatus may comprise a processor and a security management module. The security management module may form a merged security context for multiple concurrent threads, with one of the threads depending on more than one preceding operation from other threads. Other embodiments are described and claimed.Type: ApplicationFiled: June 21, 2006Publication date: December 27, 2007Applicant: Microsoft CorporationInventors: Gregory D. Fee, Brian A. LaMacchia, Blair Dillaway
-
Patent number: 7310822Abstract: A security policy manager generates a permission grant set for a code assembly received from a resource location. The policy manager can execute in a computer system (e.g., a Web client) in combination with the verification module and class loader of the run-time environment. The permission grant set generated for a code assembly is applied in the run-time call stack to help the system determine whether a given system operation by the code assembly is authorized. A permission request set may also be received in association with the code assembly. The permission request set may include a minimum request set, specifying permissions required by the code assembly to run properly. The permission request set may also include an optional request set, specifying permissions requested by the code assembly to provide an alternative level of functionality. In addition, the permission request set may include a refuse request set, specifying permissions that are not to be granted to the code assembly.Type: GrantFiled: November 14, 2005Date of Patent: December 18, 2007Assignee: Microsoft CorporationInventors: Brian A. LaMacchia, Loren M. Kohnfelder, Gregory D. Fee, Michael J. Toutonghi
-
Patent number: 7269702Abstract: A trusted data store is provided for use with a trusted element of a trusted operating system on a computing machine. In the trusted data store, a storage medium stores data in a pre-determined arrangement, where the data includes trusted data from the trusted element of the trusted operating system on the computing machine. An access controller writes data to and reads data from the storage medium, and a trust controller is interposed between the computing machine and the access controller. The trust controller allows only the trusted element to perform operations on the trusted data thereof on the storage medium.Type: GrantFiled: June 6, 2003Date of Patent: September 11, 2007Assignee: Microsoft CorporationInventors: Bryan Mark Willman, Paul England, Keith Kaplan, Alan Stuart Geller, Brian A. LaMacchia, Blair Brewster Dillaway, Marcus Peinado, Michael Alfred Aday, Selena Wilson
-
Patent number: 7251834Abstract: A security policy manager generates a permission grant set for a code assembly received from a resource location. The policy manager can execute in a computer system (e.g., a Web client) in combination with the verification module and class loader of the run-time environment. The permission grant set generated for a code assembly is applied in the run-time call stack to help the system determine whether a given system operation by the code assembly is authorized. A permission request set may also be received in association with the code assembly. The permission request set may include a minimum request set, specifying permissions required by the code assembly to run properly. The permission request set may also include an optional request set, specifying permissions requested by the code assembly to provide an alternative level of functionality. In addition, the permission request set may include a refuse request set, specifying permissions that are not to be granted to the code assembly.Type: GrantFiled: October 20, 2005Date of Patent: July 31, 2007Assignee: Microsoft CorporationInventors: Brian A. LaMacchia, Loren M. Kohnfelder, Gregory D. Fee, Michael J. Toutonghi
-
Publication number: 20070055880Abstract: AKE with derived ephemeral keys is described. In one aspect, a first party computes a derived ephemeral public-key based on a derived ephemeral secret key and a mathematical group. The derived ephemeral secret key is based on an ephemeral secret key and a long-term secret key. The first party generates a session key for secure exchange of information with a second party. The session key is generated using the derived ephemeral secret key and a second party derived ephemeral public-key key to demonstrate to the second party that the first party possesses the long-term secret key.Type: ApplicationFiled: August 18, 2005Publication date: March 8, 2007Applicant: Microsoft CorporationInventors: Kristin Lauter, Brian LaMacchia, Anton Mityagin