Abstract: A distributed authentication model that operates within a protocol-based sphere of trust. Rather than being able to communicate with any one of the computing systems internal to the sphere of trust, the amount of authentication is reduced by having the external computing systems initially communicate with a specific edge internal computing system. Many if not all of the internal computing systems then delegate the task of authentication to the edge computing system, and will rely on any authentication performed by the edge computing system. This allows the task of authentication to scale well for large protocol-based spheres of trust.

Abstract: Techniques for secure federation of data communications networks are provided. The techniques employ an edge proxy server to route messages depending on a federation mode. In Direct federation mode, an edge proxy server of a network is configured to exchange messages with a specified set of entities, such as other networks, servers, other devices, or users. In Automatic federation mode, an edge proxy server may accept all incoming messages from entities that have a valid certificate. In Clearinghouse federation mode, the edge proxy server forwards all outgoing messages to a specified, trusted clearinghouse server.

Abstract: A distributed authentication model that operates within a protocol-based sphere of trust. Rather than being able to communicate with any one of the computing systems internal to the sphere of trust, the amount of authentication is reduced by having the external computing systems initially communicate with a specific edge internal computing system. Many if not all of the internal computing systems then delegate the task of authentication to the edge computing system, and will rely on any authentication performed by the edge computing system. This allows the task of authentication to scale well for large protocol-based spheres of trust.

Abstract: A method is provided for allocating resources for users of a service based on whether a user has expressed intent to fully utilize capabilities of the service. If the intent is expressed by a user, an infrastructure is created that enables the user to maintain, via a user interface, artifacts associated with an account of the user on the service. A user that has not yet expressed such intent is presented with a prospective user interface simulating the user interface without enabling the prospective user to maintain the artifacts associated with an account of the prospective user.

Abstract: Techniques for secure federation of data communications networks are provided. The techniques employ an edge proxy server to route messages depending on a federation mode. In Direct federation mode, an edge proxy server of a network is configured to exchange messages with a specified set of entities, such as other networks, servers, other devices, or users. In Automatic federation mode, an edge proxy server may accept all incoming messages from entities that have a valid certificate. In Clearinghouse federation mode, the edge proxy server forwards all outgoing messages to a specified, trusted clearinghouse server.

Abstract: Copying and pasting information from one application to another allows identical information to be present in multiple locations. Pasted information can be updated based on changes to the source of the pasted information. With updating pasted information, the information can remain identical in both locations even if a change takes place after the paste.

Abstract: Allowing external computing systems to access a data conference with low risk of eavesdropping. An external computing system accesses a virtual lobby before joining the data conference. The virtual lobby is an object that may include a list of computing systems admitted to the lobby. An external computing system joins the lobby when it is included in a waiting list associated with the lobby. Being joined to the lobby does not allow full access to the live data exchanges in the data conference, but does facilitate functions that are less sensitive such as notifying a conference organizer that the joined party in the lobby would like to join the data conference. Upon receiving notice that an external computing system has joined the lobby, the conference organizer then provides further authorization for the external computing system to enter the data conference using any number of in-band or out-of-band mechanisms.

Abstract: Architecture for a scalable, pluggable multi-party, and distributed multimedia conferencing. A centralized policy and control conferencing component allows the seamless plug-in of different distributed media components (e.g., data, audio/video, messaging) to accommodate client participation in a conference session. The centralized conference control component includes the following: a conference notification service for accepting subscriptions to the conference state and notifying subscribers about changes to that state; a conference policy and roster control service for storing and manipulating conference policy and rosters; a security service for user authorization/authentication based on user identity information; a scheduling service for conference scheduling; an allocation service for allocating the most available media component(s) for a conference session; and, an MCU management service for conference policy and roster management of the distributed media components.

Abstract: A system and method for management of software application use licenses and software application subscription licenses are provided. A software subscription service of one or more client computing devices having a number of subscriber-based software applications and a software subscriber agent. The software applications are associated with a software application use license and a software application subscription license. The system can also include a software subscription service for generating and transmitting software application subscription licenses to the client computing devices based upon a comparison of credentials. During the execution of the software application, the software subscription agent periodically transmits a request to update the software application subscription license based upon a detected condition.

Abstract: A method and system for identifying whether an electronic communication is likely to be unwanted by the recipient is provided. A trust system relies on a trust provider, such as a sending domain, to indicate whether an electronic communication is likely to be unwanted. The sending domain may assign its trust level to the electronic communications based on various factors. Upon receiving the electronic communication and the trust level assigned by the sending domain, the receiving domain may determine whether to forward the electronic communication to the recipient based on the trust level. If a sending domain consistently provides trust levels that are accurate assessments of whether electronic communications are unwanted, then the receiving domain learns to trust the trust levels assigned by the sending domain.

Abstract: Approaches for efficiently routing messages using a server pool are provided. In an embodiment, the system attempts to ensure high availability of servers by enabling clients to specify a domain name for the server pool even though the server pool comprises multiple servers, each having a distinct name. When a client initiates a session by using the server pool's domain name, the system may select an available server with a different name, and will route the request and subsequent messages during the session to the selected server. The system may select a server from the pool having the lowest load. The system may also indicate servers that subsequent messages in the session are to transit. Subsequent messages may then be routed to indicated servers to enable application services on the indicated servers to take actions based on the messages and the direction of the messages.

Abstract: Techniques for secure federation of data communications networks are provided. The techniques employ an edge proxy server to route messages depending on a federation mode. In Direct federation mode, an edge proxy server of a network is configured to exchange messages with a specified set of entities, such as other networks, servers, other devices, or users. In Automatic federation mode, an edge proxy server may accept all incoming messages from entities that have a valid certificate. In Clearinghouse federation mode, the edge proxy server forwards all outgoing messages to a specified, trusted clearinghouse server.

Abstract: Enabling media (audio/video) scenarios across firewalls typically requires opening up multiple UDP ports in an external firewall. This is so because RTP (Real Time Protocol, RFC 1889), which is the protocol used to carry media packets over IP network, requires a separate UDP receive port for each media source. Opening up multiple media ports on the external firewall is something that administrators are not comfortable doing as they consider it security vulnerability. The system and method according to the invention provides an alternate mechanism which changes RTP protocol a little and achieves a goal of traversing firewalls for media packets using a fixed number, namely two, of UDP ports.

Abstract: Allowing external computing systems to access a data conference with low risk of eavesdropping. An external computing system accesses a virtual lobby before joining the data conference. The virtual lobby is an object that may include a list of computing systems admitted to the lobby. An external computing system joins the lobby when it is included in a waiting list associated with the lobby. Being joined to the lobby does not allow full access to the live data exchanges in the data conference, but does facilitate functions that are less sensitive such as notifying a conference organizer that the joined party in the lobby would like to join the data conference. Upon receiving notice that an external computing system has joined the lobby, the conference organizer then provides further authorization for the external computing system to enter the data conference using any number of in-band or out-of-band mechanisms.

Abstract: A distributed authentication model that operates within a protocol-based sphere of trust. Rather than being able to communicate with any one of the computing systems internal to the sphere of trust, the amount of authentication is reduced by having the external computing systems initially communicate with a specific edge internal computing system. Many if not all of the internal computing systems then delegate the task of authentication to the edge computing system, and will rely on any authentication performed by the edge computing system. This allows the task of authentication to scale well for large protocol-based spheres of trust.

Abstract: The present invention allows a server to delay allocating resources to a client's request. When the client requests a feature that requires server resources, the server accepts and acknowledges the client's request, but the client is prohibited from using the requested feature until further notice from the server. For example, during an authorization process, the server allocates only the minimum resources required to maintain the session and to authorize the client. Thereafter, the server allocates the resources necessary to support the client's request only when the resources become available. Until then, the server maintains the communications session without supporting the request. Thus, the server shepherds its resources rather than committing them at the whim of a client. Also, a client need not repeat its request if the server cannot immediately satisfy it; instead, the server accepts the request and then later begins to support it when adequate resources become available.

Abstract: A Web crawler creates an index of documents in a document store on a computer network. In an initial crawl, the crawler creates a first full index for the document store. The first full crawl is based on a set of predefined “seed” URLs and crawl restrictions, and involves recursively retrieving each folder/document directly or indirectly linked to the seed URLs. In the process of creating the first full index, the crawler creates a History Table containing a list of URLs for each folder and document found in the first full crawl. The History Table also includes a local commit time (LCT) for each document and a deleted documents count (DDC) and LCT or maximum LCT (MLCT) for each folder (this assumes that the store supports a folder hierarchy and the MLCT, LCT and DDC properties). Thereafter, in an incremental crawl, the crawler determines, for each folder, (1) whether the DDC for that folder has changed and (2) whether the MLCT is more recent than the corresponding value in the History Table.

Abstract: A Web crawler application takes advantage of a document store's ability to provide a content identifier (CID) having a value that is a unique function of the physical storage location of a data object or document, such as a Web page. In operation, the crawler first tries to fetch the CID for a document. If the CID attribute is not supported by the document store, the crawler fetches the document, filters it to obtain a hash function, and commits the document to an index if the hash function is not present in a history table. If the CID is available from the document store, the CID is fetched from the document store. The crawler then determines whether the CID is present in the history table, which indicates whether an identical copy of the document in question has already been indexed under a different URL.

Abstract: Systems and methods for enforcing access control on secured documents that are stored outside of the direct control of the original application that would normally store and govern access to the documents. Access security can be enforced at a search engine associated with an indexing system that compiles references to documents at any number of network locations. The search engine discloses to the requesting user only those documents that the user is authorized to read. If a document is identified for potential disclosure to a user, and the document's source location has an access control system that is not directly interoperable with a native access control system of the search engine, a security provider at the search engine enforces access control. The security provider, in cooperation with the source location of the document, converts the user context that identifies the requesting user to a format that can be used by the security provider.

Abstract: A method and system for improved monitoring of document changes in a search engine by an indexing program. Once an indexing or other such monitoring program is halted, upon restart the monitoring program needs to update its own files and its indexes to reflect document changes that occurred while halted. A file system such as the Windows NT file system persistently logs document change information on disk in a monotonically increasing, uniquely-numbered persistent record, which further identifies the file that has changed. The method and system utilize the logged change information to efficiently maintain the indexes, and to rapidly update the indexes after a shutdown and subsequent restart.