Abstract: In a networked computer environment, a client is unencumbered from signature generating components, yet conversant to transmit signature-based documents in a signature-based metalanguage such as XML. The nonsigning client/user invokes a signature from a signature server to send a payload of data in a signed message format to a recipient also conversant in the metalanguage, according to the metalanguage format. The nonsigning client receives a signature block including a signature value from the server. The client identifies a payload for transmission according to the metalanguage. Employing the metalanguage interpreter in client, the client stores the payload data in the signature block without disrupting the signature and the data it covers in the signature block. The nonsigning client the sends the resulting signature message including the payload data and the signature value, in the metalanguage format, to the recipient destination conversant in the metalanguage.

Abstract: In accordance with the invention, a presenter of credentials presents to a recipient of credentials one or more chains of group credentials to prove entity membership or non-membership in a nested group in a computer network. The ability to present a chain of credentials is particularly important when a client is attempting the prove membership or non-membership in a nested group and one or more of the group servers in the family tree are off-line. A chain of group credentials includes two or more proofs of group membership and/or proofs of group non-membership Furthermore, the proofs of group membership may include one or more group membership certificates and/or one or more group membership lists; and proofs of group non-membership may include one or more group non-membership certificates and/or one or more group membership lists.

Abstract: A method and system for evaluating a set of credentials that includes at least one group credential and that may include one or more additional credentials. A trust rating is provided in association with the at least one group credential within the set of credentials and trust ratings may also be provided in other credentials within the set of credentials. Each trust rating provides an indication of the level of confidence in the information being certified in the respective credential. In response to a request for access to a resource or service, an evaluation of the group credentials is performed by an access control program to determine whether access to the requested resource or service should be provided. In one embodiment, within any given certification path a composite trust rating for the respective path is determined. An overall trust rating for the set of credentials is determined based upon the composite trust ratings.

Abstract: The basic concept is that before a resource is accessed, the entity that has the burden of gathering the credentials, pro-actively refreshes the credentials and keeps them current. In one instance, a presenter of credentials, for example, a client, pro-actively refreshes the credentials such that at the time of presentation, the credentials meet the resource-specific constraints of a recipient of credentials, for example, a resource server. For each resource that it protects, a resource server typically establishes various constraints such as a recency requirement, which specifies how recently a credential has to have been issued to be accepted as an adequate credential. Other constraints may include maximum certificate chain length, trust level and so forth. In another instance, a recipient of credentials pro-actively gathers and refreshes credentials to prevent un-authorized access to the various resources it is protecting.

Abstract: One embodiment of the present invention provides a system that replaces an attachment to an email message with a reference to a location where the attachment is stored. Upon receiving the email message, the system examines the email message to determine if the email message includes an attachment. If the email message includes the attachment, the system stores the attachment at a location on a communication network from which the attachment can be retrieved. The system also modifies the email message by replacing the attachment with a reference specifying the location of the attachment, and sends the modified email message to a recipient of the email message. In one embodiment of the present invention, the recipient receives the modified email message and uses the reference specifying the location of the attachment to retrieve the attachment across the communication network.

Abstract: In accordance with the invention, on-line group servers issue group membership or group non-membership certificates upon request. Furthermore, when a requester requests a group certificate for a particular entity, the associated group server makes a dynamic decision regarding the entity's membership in the group rather than simply referring to a membership list. These capabilities provide for, among other things, the implementation of “nested” groups, wherein an entity may indirectly prove membership in a first, or nested, group by proving membership in a second group which is a member of the first group. In the nested group situation, the dynamic decision may involve the group server of the nested group obtaining proof of the entity's membership or non-membership in the second group. Proof of membership or non-membership may include a group certificate and/or a group membership list.

Abstract: A method and system for granting an applicant associated with a client computer in a client-server system access to a requested service without providing the applicant with intelligible information regarding group membership. The applicant transmits a request for service to an application server over a computer network. In response, the application server prepares an encrypted message which includes the identification of the group or groups having access privileges and transmits the encrypted message to the client along with a request that the client prove membership in at least one of the groups. The message is encrypted with an encryption key which can be decrypted by a group membership server.

Abstract: A method and system for evaluating a set of credentials that includes at least one group credential and that may include one or more additional credentials. A trust rating is provided in association with the at least one group credential within the set of credentials and trust ratings may also be provided in other credentials within the set of credentials. Each trust rating provides an indication of the level of confidence in the information being certified in the respective credential. In response to a request for access to a resource or service, an evaluation of the group credentials is performed by an access control program to determine whether access to the requested resource or service should be provided. In one embodiment, within any given certification path a composite trust rating for the respective path is determined. An overall trust rating for the set of credentials is determined based upon the composite trust ratings.

Abstract: A method and apparatus for identifying an applicant as a member of a group without explicitly listing all possible applicants. A test is defined which specifies the criteria for group membership. The test definition and an optional group identifier code are supplied to a criterion generator. The criterion generator generates an authenticated message based, at least in part, upon said test definition. The authenticated message is delivered to one or more criterion evaluators that verify the authenticated message. In one embodiment, once the authenticated message has been verified, the applicant for access to a resource presents a credential to the criterion evaluator. If the credential satisfies the test definition, the applicant is granted access to the specified resource and denied access if the credential does not satisfy the test definition.