Patents by Inventor Shannon J. Chan
Shannon J. Chan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 8559350
Abstract: Discovery of services between devices is provided prior to establishing a connection between devices, including wireless-enabled devices or devices that are communicatively coupled to wireless access points or other wireless communication devices. Discovering services prior to establishing a connection may facilitate finding a desired service. The services that may be discovered may be, for example, print services, camera services, PDA services or any other suitable services. Services may be discovered using 802.11, Bluetooth, UWB or any other suitable wireless technology. An information element is used to wirelessly convey information related to a service and/or information related to service discovery.
Type: Grant
Filed: May 15, 2006
Date of Patent: October 15, 2013
Assignee: Microsoft Corporation
Inventors: Thomas W. Kuehnel, Amer A. Hassan, Christian Huitema, David Jones, Savas Guven, Shannon J. Chan, Srinivas R. Gatta, Yi Lu
-
Patent number: 8171534
Abstract: An authentication process for a client and a target service to perform mutual authentication. A combined code is received that comprises a combined code hash of at least two sets of data from which an encoding scheme of the at least two sets of data can be determined. The two sets of data comprise a first set of data that includes a first hash of a public key associated with a certificate used to establish a secure channel with a target service, and a second set of data that includes a credential for authentication. The certificate can be validated with the first set of data included in the combined code. In response to a successful validation of the certificate, the credential from the second set of data can be provided to the target service for authentication.
Type: Grant
Filed: August 30, 2010
Date of Patent: May 1, 2012
Assignee: Microsoft Corporation
Inventors: Shannon J. Chan, Thomas W. Kuehnel
-
Patent number: 8151280
Abstract: The present invention relates to a system and method for configuring and managing network devices. The arrival (and departure) of devices on a network can be detected by a monitor. Upon detection, network devices can be simply and dynamically configured with little or no end-user intervention, for instance by automatically loading device drivers and allocating resources for the devices. Furthermore, network devices can be associated with other network devices such as a personal computer to facilitate seamless integration of network devices with a computer operating system.
Type: Grant
Filed: February 27, 2004
Date of Patent: April 3, 2012
Assignee: Microsoft Corporation
Inventors: Dale A. Sather, Guillaume Simonnet, John M. Gehlsen, Kosar A. Jaff, Ralph A. Lipe, Roland J. Ayala, Shannon J. Chan, Thomas Kuehnel
-
Patent number: 8117340
Abstract: Systems and methods are provided that facilitate automated network address determinations and communications between roaming peers. In one aspect, a network communications system is provided. The system includes methods for updating a resolution provider with a current host transport address and for determining a roaming host's service address and port information. Other processes include opening and mapping ports through a traversal component which can include Network Address Translators and Firewalls and opening/mapping ports in conjunction with cascaded Network Address Translators.
Type: Grant
Filed: November 30, 2005
Date of Patent: February 14, 2012
Assignee: Microsoft Corporation
Inventors: William R. Williams, Shannon J. Chan
-
Publication number: 20110289517
Abstract: The present invention relates to a system and method for configuring and managing network devices. The arrival (and departure) of devices on a network can be detected by a monitor. Upon detection, network devices can be simply and dynamically configured with little or no end-user intervention, for instance by automatically loading device drivers and allocating resources for the devices. Furthermore, network devices can be associated with other network devices such as a personal computer to facilitate seamless integration of network devices with a computer operating system.
Type: Application
Filed: July 7, 2011
Publication date: November 24, 2011
Applicant: Microsoft Corporation
Inventors: Dale A. Sather, Guillaume Simonnet, John M. Gehlsen, Kosar A. Jaff, Ralph A. Lipe, Roland J. Ayala, Shannon J. Chan, Thomas Kuehnel
-
Publication number: 20110264773
Abstract: The present invention relates to a system and method for configuring and managing network devices. The arrival (and departure) of devices on a network can be detected by a monitor. Upon detection, network devices can be simply and dynamically configured with little or no end-user intervention, for instance by automatically loading device drivers and allocating resources for the devices. Furthermore, network devices can be associated with other network devices such as a personal computer to facilitate seamless integration of network devices with a computer operating system.
Type: Application
Filed: July 4, 2011
Publication date: October 27, 2011
Applicant: Microsoft Corporation
Inventors: Dale A. Sather, Guillaume Simonnet, John M. Gehlsen, Kosar A. Jaff, Ralph A. Lipe, Roland J. Ayala, Shannon J. Chan, Thomas Kuehnel
-
Publication number: 20100333186
Abstract: An authentication process for a client and a target service to perform mutual authentication. A combined code is received that comprises a combined code hash of at least two sets of data from which an encoding scheme of the at least two sets of data can be determined. The two sets of data comprise a first set of data that includes a first hash of a public key associated with a certificate used to establish a secure channel with a target service, and a second set of data that includes a credential for authentication. The certificate can be validated with the first set of data included in the combined code. In response to a successful validation of the certificate, the credential from the second set of data can be provided to the target service for authentication.
Type: Application
Filed: August 30, 2010
Publication date: December 30, 2010
Applicant: Microsoft Corporation
Inventors: Shannon J. Chan, Thomas W. Kuehnel
-
Patent number: 7814538
Abstract: An authentication process using a combined code as a shared secret between a client and target service is provided. The combined code is provided out-of-band and includes data to perform two-way authentication for both the client and the target service. The target service may provide the client with a certificate to establish a secure channel. The client may use the data in the combined code to validate the target service. When the target service is validated, the client may provide credentials in the combined code to the target service for authentication. In one example implementation, the combined code includes a hash of a public key. The client may compute another hash of another public key in the certificate provided by the target service and validate the service by comparing the hash in the combined code and the computed hash.
Type: Grant
Filed: December 13, 2005
Date of Patent: October 12, 2010
Assignee: Microsoft Corporation
Inventors: Thomas W. Kuehnel, Shannon J. Chan
-
Patent number: 7735145
Abstract: A timed erasure mechanism can be used with portable computer-readable media to ensure automatic erasure of secure information, minimizing the security risks in using such media to store and transport passwords, codes, keys and similar private setup information. The portable computer-readable media can comprise volatile memory and a timed erasure mechanism in the form of a power supply and discharging circuitry that discharges the power supply after a predetermined amount of time. Alternatively, the portable computer-readable media can comprise nonvolatile memory and a timed erasure mechanism in the form of a digital time and erasure algorithms that are initiated after a predetermined amount of time. Furthermore, such portable computer-readable media can comprise a container that bears unique physical properties that can alert users to the volatile nature of the media.
Type: Grant
Filed: February 18, 2005
Date of Patent: June 8, 2010
Assignee: Microsoft Corporation
Inventors: Thomas W. Kuehnel, Shannon J. Chan, Dale A. Sather, Guillaume Simonnet
-
Patent number: 7600113
Abstract: Methods and systems for establishing a secure network channel between two or more devices in a communication network are disclosed. In exemplary implementations the network may be a UPnP network. A first device passes authentication information to at least a second device to permit the second device to authenticate the first device. Optionally, the first device may request to authenticate the second device, in which authentication information associated with the second device is passed to the first device. The first device uses this information to authenticate the second device. At least one of the first and second device may store authentication information in a data store associated with the device.
Type: Grant
Filed: February 20, 2004
Date of Patent: October 6, 2009
Assignee: Microsoft Corporation
Inventors: Thomas Kuehnel, Shannon J. Chan
-
Patent number: 7483958
Abstract: Methods and systems suitable for sharing media content are provided. One system includes at least one media holder, at least one media cataloger, at least one user control point, at least one media player, and at least one network operatively connecting them. The media holder is configured to selectively output shared media metadata, media content and at least one corresponding media playing license over the network. The media cataloger is configured to receive the metadata identifying the shared media content that is available from the media holder(s). The media cataloger is configured to output at least one media catalog over the network. The media catalog identifies the shared media content that is available from the media holder(s). The user control point is configured to receive the media catalog(s) and request the shared media content as selected from the media catalog, for example, by a user.
Type: Grant
Filed: March 26, 2002
Date of Patent: January 27, 2009
Assignee: Microsoft Corporation
Inventors: Tarek Z. Elabbady, Shannon J. Chan, James M. Alkove, Sandeep S. Sahasrabudhe
-
Patent number: 7467384
Abstract: Data associated with a function instance corresponding to a resource on one computer system is published for use on another computer system. A function instance is created on the other computer system using the published data.
Type: Grant
Filed: May 2, 2005
Date of Patent: December 16, 2008
Assignee: Microsoft Corporation
Inventors: Douglas K. Brubacher, Dale Alan Sather, John M. Gehlsen, Kenneth Cooper, Kosar Jaff, Gary P. Raden, Ralph Lipe, Roland Ayala, Shannon J. Chan
-
Patent number: 7155609
Abstract: In accordance with a key exchange mechanism for streaming protected media content, key exchange components on both a client device and a server device communicate with one another to pass one or more keys from a removable storage medium (e.g., a DVD) on the server device to a media content player on the client device. The communications passed between the components allow keys used by the media content player to be transferred from the removable storage medium to the player so that the player can decode the content on the storage medium.
Type: Grant
Filed: June 14, 2001
Date of Patent: December 26, 2006
Assignee: Microsoft Corporation
Inventors: Shannon J. Chan, David M. Maymudes
-
Patent number: 6754896
Abstract: A method and system for installing software implementations such as applications and COM classes as they are needed from an external source, such as a centralized network store. When a software implementation is needed, the system and method first look to the local system (e.g., registry) for that software implementation, and if found, returns the information such as a local path needed to use the software implementation. If the implementation is not found locally, the present invention dynamically looks to a centralized class store of a network, to locate the needed implementation. When located, the implementation is downloaded and locally installed in a manner that is essentially transparent to the user. Software implementations such as application products may be divided into features and components to improve on-demand installation thereof.
Type: Grant
Filed: October 4, 2002
Date of Patent: June 22, 2004
Assignee: Microsoft Corporation
Inventors: Debi P. Mishra, David E. Kays, Jr., Markus Horstmann, Mark H. Lucovsky, Shannon J. Chan, Bharat A. Shah, Gregory A. Jensenworth
-
Publication number: 20030126592
Abstract: A method and system for installing software implementations such as applications and COM classes as they are needed from an external source, such as a centralized network store. When a software implementation is needed, the system and method first look to the local system (e.g., registry) for that software implementation, and if found, returns the information such as a local path needed to use the software implementation. If the implementation is not found locally, the present invention dynamically looks to a centralized class store of a network, to locate the needed implementation. When located, the implementation is downloaded and locally installed in a manner that is essentially transparent to the user. Software implementations such as application products may be divided into features and components to improve on-demand installation thereof.
Type: Application
Filed: October 4, 2002
Publication date: July 3, 2003
Inventors: Debi P. Mishra, David E. Kays, Markus Horstmann, Mark H. Lucovsky, Shannon J. Chan, Bharat A. Shah, Gregory A. Jensenworth
-
Patent number: 6523166
Abstract: A method and system for installing software implementations such as applications and COM classes as they are needed from an external source, such as a centralized network store. When a software implementation is needed, the system and method first look to the local system (e.g., registry) for that software implementation, and if found, returns the information such as a local path needed to use the software implementation. If the implementation is not found locally, the present invention dynamically looks to a centralized class store of a network, to locate the needed implementation. When located, the implementation is downloaded and locally installed in a manner that is essentially transparent to the user. Software implementations such as application products may be divided into features and components to improve on-demand installation thereof.
Type: Grant
Filed: September 21, 1998
Date of Patent: February 18, 2003
Assignee: Microsoft Corporation
Inventors: Debi P. Mishra, David E. Kays, Jr., Markus Horstmann, Mark H. Lucovsky, Shannon J. Chan, Bharat A. Shah, Gregory A. Jensenworth
-
Publication number: 20030009668
Abstract: In accordance with a key exchange mechanism for streaming protected media content, key exchange components on both a client device and a server device communicate with one another to pass one or more keys from a removable storage medium (e.g., a DVD) on the server device to a media content player on the client device. The communications passed between the components allow keys used by the media content player to be transferred from the removable storage medium to the player so that the player can decode the content on the storage medium.
Type: Application
Filed: June 14, 2001
Publication date: January 9, 2003
Inventors: Shannon J. Chan, David M. Maymudes
-
Patent number: 6279111
Abstract: A restricted access token is created from an existing token, and provides less access than that token. A restricted token may be created by changing an attribute of one or more security identifiers allowing access in the parent token to a setting that denies access in the restricted token and/or removing one or more privileges from the restricted token relative to the parent token. A restricted access token also may be created by adding restricted security identifiers thereto. Once created, a process associates another process with the restricted token to launch the other process in a restricted context that is a subset of its own rights and privileges. A kernel-mode security mechanism determines whether the restricted process has access to a resource by first comparing user-based security identifiers in the restricted token and the intended type of action against a list of identifiers and actions associated with the resource.
Type: Grant
Filed: June 12, 1998
Date of Patent: August 21, 2001
Assignee: Microsoft Corporation
Inventors: Gregory Jensenworth, Praerit Garg, Michael M. Swift, Mario C. Goertzel, Shannon J. Chan
-
Patent number: 5511197
Abstract: A computer method and system for passing a pointer to an interface from a server process to a client process. In a preferred embodiment, the server process instantiates an object that has multiple interfaces. The server process identifies an interface to pass to the client process and creates a stub object for receiving a request to invoke a function member of the interface and for invoking the requested function member upon receiving the request. The server process then sends an identifier of the stub to the client process. When the client process receives the identifier of the stub, it instantiates a proxy object for receiving requests to invoke a function member of the interface and for sending the request to the identified stub. The client process can then invoke the function members of the interface by invoking function members of the proxy object. The proxy object sends a request to the identified stub. The identified stub then invokes the corresponding function member of the interface.
Type: Grant
Filed: November 29, 1993
Date of Patent: April 23, 1996
Assignee: Microsoft Corporation
Inventors: Richard D. Hill, Antony S. Williams, Robert G. Atkinson, Tom Corbett, Paul Leach, Shannon J. Chan, Alexander A. Mitchell, Edward K. Jung, Craig H. Wittenberg