Abstract: System and method for providing reciprocity in a reputation system are described.

Abstract: A system and method for consumer-side authorization and authentication is disclosed. In one embodiment, the method comprises receiving a request for a credential from a business-side party, matching the credential request to a set of available credentials, the available credentials comprising consumer-side information. The credential is retrieved from a credential store, and the authorization of the business-side party to receive the credential is evaluated before returning a response. In another embodiment, the system comprises a receiver module adapted to receive credential requests from business-side parties. The credential request is passed to a selection and matching module for matching against consumer-side credentials. The credential is retrieved from a storage and retrieval module, but is not passed until an authorization module allows a sender module to return a credential response to the business-side party.

Abstract: System and method for facilitating user authentication of web page content are described. In one embodiment, the method comprises receiving a request from a web browser for web page content; and responsive to receipt of the request, providing to the web browser the requested web page content and associated digitally signed content; wherein prior to display of the web page content by the web browser, the digitally signed content is evaluated by a plug-in portion of the web browser to determine whether the digitally signed content is verified, indicating that a provider of the web page content is trustworthy.

Abstract: A method for expressing and evaluating signed reputation assertions is disclosed. In one embodiment, a first entity receives a request to generate a signed assertion relating to a piece of content. The first entity generates a reputation statement about a second entity from reputation-forming information (RFI) about the second entity available to the first entity. The first entity then generates a signed assertion from the reputation statement and the piece of content at least in part by binding the piece of content to the reputation statement and signing a portion encompassing at least one of the bound piece of content and the bound reputation statement. The signed assertion is then transmitted to a receiving entity.

Abstract: A client includes a card selector, and receives a security policy from a relying party. If the client does not have an information card that can satisfy the security policy, the client can define a virtual information card, either from the security policy or by augmenting an existing information card. The client can also use a local security policy that controls how and when a virtual information card is defined. The virtual information card can then be used to generate a security token to satisfy the security policy.

Abstract: A method for expressing and evaluating signed reputation assertions is disclosed. In one embodiment, a first entity receives a request to generate a signed assertion relating to a piece of content. The first entity generates a reputation statement about a second entity from reputation-forming information (RFI) about the second entity available to the first entity. The first entity then generates a signed assertion from the reputation statement and the piece of content at least in part by binding the piece of content to the reputation statement and signing a portion encompassing at least one of the bound piece of content and the bound reputation statement. The signed assertion is then transmitted to a receiving entity.

Abstract: System and method for rule location, ordering, and combining in a polyhierarchical environment are described. In one embodiment, a polyhierarchical environment contains at least one rule, at least one logical structure representable by a graph and at least two connections between one or more of the logical structures and a rule set evaluator (RSE). The RSE retrieves an assembly definition associated with a particular ordering or combination of rules. Each assembly definition is associated with one or more location chains, and each location chain is associated with one of the connections to a logical structure. For each location chain, a rule location policy is invoked, returning a rule. An assembly policy is invoked upon the returned rules, forming the returned rule into a dataset that conforms to the ordering or combination associated with the assembly definition.

Abstract: A client includes a card selector, and receives a security policy from a relying party. If the client does not have an information card that can satisfy the security policy, the client can define a virtual information card, either from the security policy or by augmenting an existing information card. The client can also use a local security policy that controls how and when a virtual information card is defined. The virtual information card can then be used to generate a security token to satisfy the security policy.

Abstract: System and method for facilitating user authentication of web page content are described. In one embodiment, the method comprises receiving a request from a web browser for web page content; and responsive to receipt of the request, providing to the web browser the requested web page content and associated digitally signed content; wherein prior to display of the web page content by the web browser, the digitally signed content is evaluated by a plug-in portion of the web browser to determine whether the digitally signed content is verified, indicating that a provider of the web page content is trustworthy.

Abstract: System and method for providing reciprocity in a reputation system are described.

Abstract: System and method for representing agreements as reputation are disclosed. In one embodiment, the method comprises, in response to a request to generate an assertion relating to a piece of content, regenerating a reputation statement concerning an agreement from reputation-forming information (RFI) associated with an agreement; and generating an assertion from the reputation statement and the piece of content, the generating comprising binding the piece of content to the reputation statement.

Abstract: A system and method for assisting in ordered credential selection is disclosed. In one embodiment, the system enables ordered credential selection for credentials associated with one or more digital identities. The system comprises a plurality of security tokens, with each security token comprising a claim associated with a digital identity and where at least two of the security tokens are different from each other. The system also comprises an ordering module and manager module. The ordering module imposes a preferential ordering on the security tokens in accordance with an ordering policy to select a preferred security token. The manager module transmits at least one security token in response to a request, where at least one of the security tokens transmitted by the manager module is the preferred security token.

Abstract: A method for expressing and evaluating signed reputation assertions is disclosed. In one embodiment, a first entity receives a request to generate a signed assertion relating to a piece of content. The first entity generates a reputation statement about a second entity from reputation-forming information (RFI) about the second entity available to the first entity. The first entity then generates a signed assertion from the reputation statement and the piece of content at least in part by binding the piece of content to the reputation statement and signing a portion encompassing at least one of the bound piece of content and the bound reputation statement. The signed assertion is then transmitted to a receiving entity.

Abstract: A method for expressing and evaluating signed reputation assertions is disclosed. In one embodiment, a first entity receives a request to generate a signed assertion relating to a piece of content. The first entity generates a reputation statement about a second entity from reputation-forming information (RFI) about the second entity available to the first entity. The first entity then generates a signed assertion from the reputation statement and the piece of content at least in part by binding the piece of content to the reputation statement and signing a portion encompassing at least one of the bound piece of content and the bound reputation statement. The signed assertion is then transmitted to a receiving entity.

Abstract: A system and method for consumer-side authorization and authentication is disclosed. In one embodiment, the method comprises receiving a request for a credential from a business-side party, matching the credential request to a set of available credentials, the available credentials comprising consumer-side information The credential is retrieved from a credential store, and the authorization of the business-side party to receive the credential is evaluated before returning a response. In another embodiment, the system comprises a receiver module adapted to receive credential requests from business-side parties. The credential request is passed to a selection and matching module for matching against consumer-side credentials. The credential is retrieved from a storage and retrieval module, but is not passed until an authorization module allows a sender module to return a credential response to the business-side party.

Abstract: System and method for rule location, ordering, and combining in a polyhierarchical environment are described. In one embodiment, a polyhierarchical environment contains at least one rule, at least one logical structure representable by a graph and at least two connections between one or more of the logical structures and a rule set evaluator (RSE). The RSE retrieves an assembly definition associated with a particular ordering or combination of rules. Each assembly definition is associated with one or more location chains, and each location chain is associated with one of the connections to a logical structure. For each location chain, a rule location policy is invoked, returning a rule. An assembly policy is invoked upon the returned rules, forming the returned rule into a dataset that conforms to the ordering or combination associated with the assembly definition.

Abstract: A system and method for conforming a decision to a compliance expression is described. In one embodiment, the method comprises receiving an intermediate conclusion generated by a decision system as a result of a policy evaluation performed based on at least one of a premise and a policy expression; performing a compliance evaluation to determine conformance of the received intermediate conclusion with a compliance expression; responsive to the performing a compliance evaluation, selectively executing a compliance statement in connection with the intermediate conclusion; and subsequent to the selectively executing, issuing a decision response, wherein the decision response conforms to the compliance expression.

Abstract: System and method for enforcing role membership removal requirements are described. In one embodiment, the method includes, responsive to receipt of a removal request, performing a role evaluation of the removal request to generate a policy request; performing a policy evaluation of the policy request; generating a policy response in accordance with the policy evaluation; and enforcing the policy response.

Abstract: Policy enforcement via attestations is provided. A principal operates within an environment and assumes roles having certain access rights to resources and the principal takes actions while assuming those roles. The roles and actions are monitored and attestations are raised under the proper set of circumstances. The attestations trigger policy restrictions that are enforced against the principal. The policy restrictions circumscribe the access rights to the resources.

Abstract: Methods and systems are provided for enforcing security on attributes of objects. A requestor attempts to assign a value to a target attribute of a target object. The value is a reference to a third object. The target attribute includes security for assigning values and is also linked to a related third attribute associated with the third object. The security associated with the target attribute and security associated with the third attribute are both independently enforced before the assignment of the value to the target attribute is permitted to proceed.