KR20070086059A - Method, system, and device for verifying authorized issuance of a rights expression - Google Patents

Abstract

A method, system, and device for verifying authorized issuance of a statement or expression (303), including determining if a statement or expression is associated with a statement of trusted issuance (309); determining if the statement of trusted issuance applies (319); determining if issuance of the statement of trusted issuance is authorized; and verifying that the issuance of the statement or expression was authorized, if the statement of trusted issuance applies, and the issuance of the statement of trusted issuance is authorized (321).

Description

METHOD, SYSTEM, AND DEVICE FOR VERIFYING AUTHORIZED ISSUANCE OF A RIGHTS EXPRESSION}

The present invention relates generally to the field of processing declarations and representations, including representations of rights, and more particularly, methods, systems for determining authorization of a representation of rights with respect to a root of trust. And to an apparatus.

[0002] The digital age is not only the ownership, access and control of copyrighted information, limited services and valuable resources, but also the electronic or automation of electronic communications and products and services via email, by the Internet and other means. There has been a significant increase in interests and abilities in electronic transactions such as purchase and sale. Rapid progress and widespread development are taking place with computers and other electronic devices such as mobile phones, pagers, PDAs, pocket PCs, music players, and e-book readers. . These devices are then connected to one another via communication links including the Internet, intranets and other networks. These interconnected devices are particularly conducive to the publishing of content, the provision of services, and the availability of resources electronically.

[0003] One of the difficulties encountered in distributing digital works (eg, documents or other content in computer readable form) widely through electronic means, in particular over the Internet, is that Exercise the intellectual property rights of the content owners during use. One of the difficulties with digital commerce, including the distribution and use of products and services, is the ability to securely and effectively handle electronic transactions, particularly in accordance with the requirements of the parties involved in the transaction.

Efforts to solve these difficulties have been called the term "intellectual property management", "digital rights management", "intellectual property management", "rights management", and "electronic copyright management", collectively " Digital Rights Management (DRM) ”. There are a number of issues that should be considered when operating a DRM system, for example authentication, authorization, accounting, settlement and financial clearing, rights specifications and rights verification. rights verification, rights enforcement, and document protection. U.S. Pat.Nos. 5,530,235, 5,634,012, 5,715,403, 5,638,443, and 5,629,980 address these issues, the disclosures of which are incorporated by reference herein.

In the case of a simple DRM system that manages the distribution and use of digital works, one agent issues rights expressions to another agent, so that the agent owns the rights expression, 1 Recognize an agent as an authorized agent and act on its rights expression. In this simple model, the recognition of the first agent by the second agent is innate or hard-coded. As the DRM system evolves, more and more agents want to issue rights expressions and use the DRM system for their assets. As these new rights expression issuing agents are added, some solution other than the inherent or invariant recognition of agents issuing rights expressions is desirable.

One such approach is the use of certificates to authenticate agents that issue rights expressions. Such certificates are used by other agents to recognize the authorized agents. In this approach, one authorized agent issues a rights expression to another agent, so that the other agent carries the rights expression and checks the certificates associated with the first (authenticated) agent, 1 Treats an (authenticated) agent as authenticated, provided that it recognizes the trusted root of the certificate chain and then acts on that representation of rights. Certificate languages, such as X509 and SPKI, allow only relatively simple conditions, usually valid time intervals, in each certificate. Thus, the most common certificate chain verification algorithms for these languages (IETF RFC 2459 and RFC 2693, respectively) are relatively straight forward to implement.

As the DRM system continues to evolve and more and more agents are authorized to issue rights representations, as a result, either intentionally or accidentally, with respect to one authenticated agent that issues rights representations. At the same time, interest may arise over the assets of another authorized agent, resulting in a yield to that asset. One approach that can be taken to address this concern is the OMA DRM 2.0 specifications issued by the Open Mobile Alliance (OMA), an industry consortium whose mission is to promote global user adoption of mobile data services. In detail). The OMA specification includes requiring each authorized agent to know the content encryption key for each asset that issues rights expressions.

Another approach is to give a scope to each agent's certificate (eg by restricting it) to issue rights expressions so that they apply only to the assets it owns or controls. Defining the exact scope for each certificate requires a bit of work, but it can be done. Such expression of scope is given, for example, in US Patent Application No. 10 / 162,701 to Xin et. Al. Entitled "METHOD AND APPARATUS MANAGING THE TRANSFER OF RIGHTS." And US patent application Ser. No. 10 / 298,872 to Atkinson, et al. Entitled "DIGITAL LICENSES THAT INCLUDE UNIVERSALLY QUANTIFIED VARIABLES." And the right expression language, such as ODRL, XrML or the International Standard (ISO / IEC 21000-5) adopted by the Moving Picture Experts Group (MPEG), to be completed using a language such as what is known as ISO MPEG REL. Can be. Such an approach is also described, for example, in US Pat. Appl. No. 10 / 856,865 to Lao, et al, entitled "NETWORKED SERVICES LICENSING SYSTEM AND METHOD." For example, a more sophisticated chain verification algorithm can be included to verify the scope within each certificate, although the implementation of such an algorithm is still relatively straightforward, while the conditions in each certificate remain relatively simple. As long as it is.

In this evolutionary stage of DRM, the technique approaches approaches to verifying the authorized issue of a rights expression (which are not original or immutable), such as 1) issuance of rights expressions that need to know the content encryption key. 2) Unscoped certificates with 2) scoped certificates.

As DRM business models continue to evolve, users should be more interested in an independent transaction of rights (independent of the transaction of the underlying asset). A person must be able to trade any rights in any domain or field with respect to any digital work or service. For example, a person may trade rights to a set of web services or the right to view all current and past publications of a particular publisher in the United States on a particular topic. You should be able to. In that case, the need for knowledge of the appropriate content encoding key for each transaction is a limiting, because there is no clear mapping of a single asset being traded from the representation of rights. In this regard, the scoped certificate approach is advantageous. This is because it does not restrict the issue of potentially overbroad rights expressions, but instead restricts the effectiveness of certificates as part of the chain validation algorithm.

For example, a scoped certificate may be said to be an agent publisher 1 may publish a representation of rights belonging to a paperback book1. Publisher-1 may actually issue rights expressions to Agent1 while allowing Consumer1 to view some paperback. When these two expressions of rights are put together and the chain verification algorithm is executed, only consumer 1 will see the paper cover. However, if another scoped certificate could be added later and publisher 1 could also issue rights expressions belonging to paper cover book 2, then consumer 1 would be able to add both the paper cover book 1 and paper cover book 2 together. (Because publisher 1 said that consumer 1 could see some paper cover, and publisher 1's ability to publish is limited to paper cover 1 and paper cover 2).

As the trading business in the field of rights continues to expand, publishers may wish to engage retailers and other value-added providers in the chain of expression of rights between their publishers and consumers. Moreover, publishers grant the rights-issuing capabilities of various retailers or other middlemen in various ways, such as to certain areas or by requiring payment of special fees, or granting other conditions regarding the authorization to issue rights. By doing so, you may wish to scope. The types of conditions in the right expression that form the certificate chain can be very creative and complex, and the implementation of chain validation algorithms for such chains becomes less direct. Thus, there is a need to make the execution of these processes more direct, without sacrificing business model resiliency, technical features, or security.

One of the potential difficulties in verifying a certificate chain, including creative conditions, is that the information needed to perform the verification typically is not available. For example, consider a scenario that includes three agents, one author, one reader, and one friend. There is an expression of rights, which allows the author to issue an expression of rights belonging to his book. There is another expression of the right given to the reader from the writer, which allows the reader to read the book and publish up to two expressions of rights, one for each of his two friends. There is a third expression of rights given to his friend from the reader, which allows his friend to view the book. When the friend wants to see the book, he will validate the chain of certificates, including the expression of the rights, and in some ways must decide whether the reader satisfies the condition of issuing up to two rights. If for some reason the information is not available (e.g., the reader did not keep all of the required information or did not continue to provide the information in an accessible format), a problem arises. But if the reader keeps track of this information, he may not be able to make contact with that friend. The reader may also have stored this information in some place where contact is available. However, the place may have a privacy policy or technology restriction that prohibits or blocks sharing the information with the friend.

One possibility is that the information about the number of rights expressions that the reader has issued so far is stored in the rights information that the friend receives. Assuming that the friend can access this information in any way, the friend still needs to use the information to validate the "maximum two rights expressions" condition. However, this means that the friend must understand what the condition means. In some situations, the friend may be using outdated software or hardware, and may not be able to support all the latest conditions that the author and the reader are using. This means that if the friend also doesn't upgrade the conditions they can understand, the author and reader can't upgrade the conditions they use. One solution to this is to store the information about the condition satisfaction in the following way. That is, the friend can possess the information without detailed knowledge of the condition (for example, by comparing the name of the condition that is satisfied with the name of the condition that needs to be satisfied). .

But there is another problem. The friend has access to information about the terms and their names under which the reader can issue rights expressions. This is because in some situations it is not desirable to share the information so that it must be treated confidentially. For example, if the fee associated with the reader is to give his friend an expression of rights, the reader may not want his friend to know the price of the gift. To address this concern, the condition information is encrypted so that the friend does not recognize it, but the friend's software or hardware allows it to own it. This extra encryption, however, complicates the system to some extent. In situations where it is more sensitive to know about the details of the conditions than the actual asset itself, the cryptographic cost required for those conditions may be an imbalance in the value of the asset.

Therefore, there is a need for a method and system for handling the above-mentioned problems, which is a further step that users want, while maintaining security and without incurring unbalanced costs or burdens in the rights expression chain validation algorithm. To enable one DRM features. These and other needs are addressed by exemplary embodiments of the present invention, which provide methods, systems and apparatus for use, limited services and valuable resources related to the use and distribution of digital works.

Thus, in an exemplary aspect of the present invention, a method, system, and apparatus are provided for verifying an authorized issue of a declaration or expression, which includes the following steps: Declaration or expression is a trusted issue Determining whether it is associated with a declaration; Determining whether the declaration of trusted publication is appropriate; Determining whether issuance of the declaration of trusted publication is permitted; And if the declaration of the trusted issue is appropriate, verifying that the publication of the declaration or expression was authorized and that the declaration of trusted publication is permitted.

Other aspects, features, and advantages of the invention are apparent from the following detailed description, which includes numerous exemplary embodiments and implementations, including the best mode contemplated to practice the invention. So by explaining. The invention may also be practiced with other various embodiments and its various details may be modified in various ways without departing from the spirit and scope of the invention. Accordingly, the accompanying drawings and detailed description are to be regarded as illustrative in nature and not as restrictive.

Embodiments of the invention are illustrated by way of example and not by way of limitation in the figures of the accompanying drawings. Like reference numerals in the drawings refer to like elements.

FIG. 1 shows a rights derivation scenario with one trust root, six derived rights representations, and two trusted publications.

FIG. 2 shows a rights derivation scenario with one trust root, two derivative rights expressions, one declaration or expression, and a declaration of trusted publication.

FIG. 3 shows a procedure using a declaration of trusted issuance to confirm that it is a licensed issue of the expression of rights.

FIG. 4 shows the arrangement of a declaration and the right of a trusted publication as an alternative to that shown in FIG. 1.

FIG. 5 shows the content of a declaration of being a trusted publication, in another alternative to that shown in FIG. 1.

6 shows an example issue chain verify signal.

FIG. 7 shows an example system for verifying authorized issuance of a right expression. FIG.

[0027] The illustrated embodiments include a declaration of trusted publication, which is a declaration containing an assertion that the publication is authorized in accordance with some root of trust or expression of rights. Claims of trusted publications may be issued by an agent, who may verify declarations or expressions, including declarations of rights and including declarations or expression chains (or parts of chains), and perform such verification. It may be trusted by another agent who may or may not be able to perform.

1 shows a root of trust 101, six rights expressions 103, 105, 107, 109, 111, 113. The rights expression 103 is derived from the trusted root 101 and is issued by Agent A to Agent B. No declaration of trusted publication is included in the rights expression 103. The rights expression 105 is derived from the rights expression 103 and is issued to Agent C by Agent B. No declaration of trusted publication is included in the rights expression 105. The rights expression 107 is derived from the rights expression 105 and is issued to Agent D by Agent C. Rights expression 107 includes a declaration of trusted issue 115 rooted in Agent A. When using the rights expression 107, without tracking through the rights expressions 105 and 103, if Agent Z is deemed to be reliable, then a declaration of trusted issuance 115 is used in connection with the rights expression 117 to ensure that It can be seen that the representation 107 is issued correctly with respect to the trust route 101. The illustrated embodiment of FIG. 1, along with other illustrated embodiments, applies to declarations or representations that are not representations of rights.

An example XML representation of a declaration of trusted publication 115 is further described herein. Agent A is typically represented in an exemplary XML representation using RSA public key information in the declaration of trusted issue 115. The issuer field within the declaration of trusted publication 115 is omitted in the exemplary XML representation because it will be inherited from the rights expression that includes that declaration of trusted publication.

Exemplary embodiments include derivative declarations or expressions immediately following, including the right expressions. For example, rights expression 109 is derived from rights expression 107 and is issued to agent E by agent D. Since the rights expression 109 does not have a declaration that it is a trusted issue, when using the rights expression 109, the derivative terms of the rights expression 109 are defined by the rights statement in order to establish the authorized issue of the rights expression 109. It must be reconfirmed from the string 107. It is not necessary to further identify the conditions of derivation of the rights expression 107 from the rights expression 105. This is because the rights expression 107 includes a declaration of trusted issuance 115 that can be utilized when Agent Z is deemed to be reliable by Agent E, as described above.

[0031] If the other right expression 111 is derived from the right expression 109 and agent E is authorized to make declarations that are trusted publications, as represented in the rights expression 121. Agent E, for example, may include in the rights expression 111 a declaration that it is a trusted issue 119 rooted in Agent A, for example. When Agent F uses the rights expression 111 to play a media file or to derive another rights expression 113, its declaration of trusted publication 119 validates the verification in relation to the rights expression 121. Can be used to verify that the rights expression 111 has been issued correctly with respect to the root of trust 101, without tracking through the rights representation 109, 107, 105, 103.

FIG. 2 shows a rights derivation scenario similar to that shown in FIG. 1, except that the rights representation 107 may be replaced with a declaration or representation 207 that is not necessarily a representation of rights. Declaration or expression 207 could be any declaration or expression. For example, the declaration or expression 207 may indicate that Agent C has pigs flew yesterday, pigs will fly tomorrow, contractual obligations have been fulfilled, and some entities may have branded products, for example. Or they could say that they were certified for a clear qualification, or that a purchase was made, such as a Microsoft Certified Engineer. The declaration of trusted publication 215 and the second right representation 217 determine that the publication by Agent C of the declaration or representation 207 was authorized in the following manner, based on the root of trust 201. Can be used to Here, the declaration of trusted issuance 115 and the second right expression 117 were used to determine that the issuance by agent C of the rights expression 107 was authorized, based on the root of trust 101. That's how it is.

An example procedure is shown in FIG. 3 to verify a licensed issuance of a declaration or expression, such as for example a representation of rights. The process begins at step 301, and at step 303 an attempt is made to find a declaration or expression, including some desired assertions, for example, to find a rights expression, such as a license to a media file. If a suitable declaration or expression can be found (e.g. no rights should be granted in the file or for example expired time, unpaid costs, too early to see) If some conditions are not met), the process ends in failure at step 305. However, if a suitable declaration or expression is found, then checking is performed at step 307. If in step 309 the declaration or expression does not contain a declaration that it is a trusted publication, then the process follows a sub-process that will continue in step 311 to be described in more detail, and in step 313 It ends with either failing at step 305 or returning processing to step 307. In particular, if the issuer of the declaration or expression conforms to the root of trust in step 311, the process ends with success in step 313. Otherwise, if such an expression of rights from which the checked declaration or expression is derived (and all the conditions for it being satisfied) can be found in step 315 (may be possible with the help of additional beings), the process Returns to step 307 using the new right expression. Otherwise, the process ends in failure at step 305.

If step 309 finds that the declaration or expression includes a declaration of a trusted publication, step 319 determines whether the declaration of trusted publication conforms to the root of trust. If so, step 321 determines whether the declaration of trusted issuance is authorized. This determination can be made by various means, for example by employing original knowledge or recursively employing the process shown in FIG. If step 321 determines that the declaration that the trusted issuance is authorized, the process ends with success in step 313, and preferably, in many cases, ends with success in step 313 resulting from step 311. Rather than either faster or more desirable than failing in step 305. If either of the decisions in step 319 or 321 is negative, the process continues in step 311.

Figure 4 shows the configuration items 407, 415 and 417, these are configurations that can replace the configuration items 107, 115, 117 of Figure 1, respectively. For example, the declaration of trusted issue 415 applies to the rights expression 407 and does not appear inside the rights expression 407. Instead, some other means is used to link the two. The issuers of the declaration of rights 107 and the declaration of trusted publication 115 are the same, while the issuer of rights expression 407 is different from the issuer of the declaration of trusted publication 415. The right expression 117 permitting issuance of a declaration of trusted issuance 115 is issued by a third party, while the rights expression 417 permits issuance of a declaration of trusted issuance 415 to the same agent. A declaration issued by and through its agent that the trusted publication asserts that the publication should be trusted. Exemplary embodiments include other forms of construction and modifications, and the exemplary process shown in FIG. 3 is applied thereto.

Example embodiments include a root of trust in a declaration of trusted publication, but further example embodiments include other content in a declaration of trusted publication. For example, as shown in FIG. 5, the declaration of trusted issuance 515 includes an indication that authorized issuance has been identified through rights representation 503. Assuming that agent Z is trusted, agent D uses the declaration of rights 507 and the declaration of trusted publication 515 contained therein, and the second right expression 517 to express the rights expression 507. The permission to issue may determine to trace back the rights expression 503. Agent D can then independently continue the chain verification process and determine based on trust route 501 whether or not the issuance of the rights expression 503 is authorized.

By employing the exemplary embodiments, it is possible to implement many desired features in Digital Rights Management (DRM) while lowering costs. For example, consider a scenario that includes four agents representing Publisher A, Distributor B, Retailer C, and Customer D. The publisher A may have issued a rights statement 103 to distributor B, which distributed all paperback books of that publisher in the United States and Canada. Distributor B may then issue a rights statement 105 to retailer C, which may then retailly sell the paperback book published by the publisher in the United States and Canada at a publisher's price of $ 2 each. After consumer D has paid $ 5 to retailer C, retailer C may issue a rights expression 107 to consumer D to read the paperback book 1. When retailer C issues a rights expression 107, retailer C checks the chain of rights expressions, distributor B distributes paper covers, distributor B distributes them in the United States and Canada, and Of the $ 5 paid by the consumer, $ 2 went to Publisher A, confirming that all the conditions for all parties were fulfilled. Since retailer C verifies the authorized issuance of the rights expression 107 based on publisher A as its root of trust, retailer C issues a rights expression 107 at the time of issuing a declaration that it is a trusted publication 115. ) Inside. Consumer D can now determine whether he is allowed to play with the paperback. Rights expression that publisher A is its root of trust for book 1, retailer C says that consumer D can play with paperback book 1 and contains a declaration that it is a trusted publication rooted in publisher A. 107), and it is possible by looking at just a few expressions of rights, including a representation of rights 117 that retailer C can issue declarations of trusted publication rooted in publisher A.

Consumer D may know that the distribution took place in the form of a paper cover in the United States, but Consumer D may not know what information about where, in what form, and how much he paid to publishers, etc. You do not need to have access. Moreover, Consumer D may know what the practical possibilities or conditions of distribution are (for example, the book may have been distributed in Canada as well, but hardback books cannot be distributed and $ 2 is paid to the publisher). You don't need to know.

Publisher D, Distributor B, and Retailer C do not have to worry about the impact on Consumer D or their effects, because Consumer D does not need to know such details, their software or hardware. It is also possible to support additional creative conditions by changing. Consumer D does not need to have access to the rights expressions (103 or 105), so that these rights expressions are encrypted or protected in a manner other than encryption, or that consumer D is protected by software or There is no need to incur the cost of ensuring that you have the hardware. Preferably, by using the declaration of trusted issuance, the task of ascertaining the authorized issuance of the expression of rights on the root of trust is more direct to consumer D.

[0040] However, the problem is the possibility that someone may mistakenly or improperly insert a declaration of trusted publication. For example, retailer C, inserting a declaration of trusted publication, was thought to have confirmed, according to publisher A, the authorized issue of rights expression 107 as its trusted root, but that may have failed, or For example, it may have been believed that distribution of Distributor B is in the United States and Canada, but that is not the case in practice. In that case, one might believe that declaration as a trusted publication by mistake. For this reason, it may be desirable to restrict the issuance of declarations of trusted invention.

In an example embodiment, the root of trust, eg, publisher A, issues a declaration of trusted publication to specific agents or agents that meet certain criteria, including, for example, a criterion of reliability. You can also restrict your rights. In another embodiment, the agent may refuse to rely on a declaration of trusted publication issued by another. The decision as to whether a declaration should be believed may be based on several criteria or the agent may generally decide not to believe such declarations. In another embodiment, agents may be prohibited from believing declarations of trusted publication issued by certain other agents. In yet another embodiment, agents may have the option to believe a declaration of being a trusted publication or “bypass” that declaration and may verify all or part of a chain of rights expressions. In another embodiment, agents may need to believe a declaration that it is a trusted issue, allowing the agent to verify all or part of the rights expression chain or to access or censor the rights expression chain if not. It may not be.

In addition to the representation of rights, the exemplary embodiments may also be used for permission determination of other declarations or representations. For example, consider the scenario where A is a manufacturer of branded goods, C is one of its regional distributors in B's country, and D is a retailer in C's territory. Proof of purchase certificate must be presented to service the goods manufactured by A. D may issue proof of purchase. However, its permission needs to be traced backwards from C to B to A. Preferably, as described with respect to the embodiments, for example, if the certificate of the purchase certificate issued by D includes a declaration that it is a trusted issue rooted in manufacturer A, verifying the authorization on the evidence of this purchase certificate. This can be simplified and made quickly.

Example embodiments may include a language (also called issuance chain verification signal language) on declarations of trusted publication, which may be compatible with ISO MPEG REL. Thus terms (eg terms, definitions, symbols, abbreviated terms, namespaces and conventions) may be used within that ISO MPEG REL. In addition, sections 3 (terms, definitions, symbols, and abbreviated terms) and section 4 (namespaces and conventions) of the ISO MPEG REL are incorporated herein by reference.

[0044] The syntax for the issue chain validation signal language is given by the following example schema:

As further illustrated in FIG. 6, an example issue chain verify signal is given as follows:

[0046] An example semantics for issuing chain verification signal language is given by:

(Translated => l a r: Let License i is sx applied to l:. Let issuanceChainVerificationThrough Then, i / sx for i:. The number of h child is l / r: the grant and the l l / r: grantGroup will be equal to the number of the child, the meaning of i is i of the i / sx from 1: allowed containing grantGroup:, k ^th l / r in l with respect to each of k number of up to h children: grant or l / r Is verified with respect to each of the trusted roots identified by the r: trustRoot child of this i k ^th i / sx: h child.)

[0047] An exemplary issue chain verification signal ISO MPEG REL profile is given as follows:

(Translation => sx: to apply issuanceChainVerif icationThrough i to r: License /,

I will appear as a child of l / r: otherlnfo,

2. l / r: issuer / dsig : with respect to the issuer, dsig:: each of l / r, which is present Signature Signature will not exclude from the scope of the signature i (i is a base the supplied signature variations or licensed strain Note that it will be included in any signature on that license that you use)).

[0048] An example property for verifying issuance chain verification signals is given as follows:

The URI urn: standards-organization: 2004: icvs (to use sx: propertyUri) defines a property to authenticate that the Principal's issuance chain validation signals should be trusted. )

[0049] An example signal processing model is given as follows:

Let p be r: Principal. Let / be r: License containing l / r: otherlnfo / sx: issuanceChainVerificationThrough i . Then, the first principal identified by p will be l of the before sign, verify identity by p the first actors is, i of the i / sx from 1: h in respect to each up to the number of children, from 1 i k ^th i / sx: h of children i / For each j up to the number of sx: h / r: trustRoot children, we will verify that there is permission evidence for the authorization request ( p , r: issue, h , ν, S, L, R ), where h is within the k ^th l l / r: grant or l / r: grantGroup and, r i is the k ^th i / sx: h Child j ^th i / sx: h / r: trustRoot child, ν, S, L are elaborately chosen)

[0050] An example signal interpreter processing model is given as follows:

It is common for some principals whose identity is identified by r: Principal p to determine how many r: Grant or r: GrantGroup h are allowed to be included in a license issued by him. The rights interpreter could potentially face some difficulties: licenses allowing such inclusion (eg, licenses containing the r: issue component) or historical environments of such inclusion (eg For example, any fee system paid or account consumed may be available to the rights resolver.

However, such information may be available to a rights interpreter when the license is issued. If the rights interpreter adds an issuance chain verification signal to the license, the rights analyzer with the issuance chain verification signal interpreter can read that issuance chain verification signal later instead of secondly verifying the issuance chain.

For example, instead of verifying that the inclusion of some r: Grant or r: GrantGroup h in the license is permitted with respect to some trusted roots R , the issuer chain validation signal interpreter may be substituted for:

1 indicated by the at least one trust root corresponding to h r: Grant a set of component r represented by R: verify that the several subsets of Grant, and

2. Verify that the first party who issued the license is permitted to own the assets defined by urn: standards-organization: 2004: icvs. )

FIG. 7 shows an example system 700 for verifying authorized issuance of a right expression according to the embodiment illustrated in FIGS. 1-6. In FIG. 7, example system 700 includes one or more devices 702-708, a content server 710, and a content database 712, which are coupled through a communication network 714.

The apparatus or subsystems described in the embodiment illustrated in FIGS. 1-7 are, for example, suitable servers, workstations, personal computers (PCs), laptop computers, PDAs, Internet appliances, portable devices ( handheld devices), mobile phones, wireless devices, and other devices, which are capable of performing the process of the embodiments illustrated in FIGS. 1-7. The devices and subsystems of the illustrated embodiments of FIGS. 1-7 can communicate with each other using suitable protocols and can be implemented using one or more programmed computer systems or devices.

One or more interface mechanisms may be used in the embodiments of FIGS. 1-7, for example, Internet connection, telecommunications in some suitable form (eg, voice, modem, etc.), wireless communication. Such as media may be included here. For example, the wireless communication network 714 may include one or more wireless communication networks, cellular communication networks, G3 communication networks, public telecommunication networks (PSTNs), packet data networks (PDNs), the Internet, intranets, and combinations thereof.

The devices and subsystems of the embodiments of FIGS. 1-7 are presented for purposes of illustration and, as will be apparent to those of ordinary skill in the relevant art, the specific hardware used to perform the exemplary embodiments is as far as possible. It should be understood that many changes are possible. For example, the functionality of one or more devices and subsystems of the embodiments of FIGS. 1-7 may be implemented through one or more programmed computer systems or devices.

In order to implement such changes as well as other changes, a single computer system may be programmed to perform the special purpose functions of one or more devices of the embodiments of FIGS. 1-7. On the other hand, two or more programmed computer systems or devices may be replaced for any one of the devices and subsystems of the illustrated embodiments of FIGS. 1-7. Thus, the principles and advantages of distributed processing such as, for example, redundancy, replication, etc., may also be implemented to improve the robustness and performance of the devices and subsystems of the embodiments of FIGS. 1-7, as desired.

The apparatuses and subsystems of the embodiments of FIGS. 1-7 may store information related to the various processes described herein. This information may be stored in one or more memories, such as, for example, hard disks, optical disks, magneto-optical disks, RAM, and the like. One or more databases of the devices and subsystems of the embodiments of FIGS. 1-7 may store information used to practice embodiments of the present invention. The databases may be organized using data structures (eg, records, tables, arrays, fields, graphs, trees, lists, etc.) contained in one or more of the memories or storage devices listed herein. The processes described with respect to the embodiments of FIGS. 1-7 are suitable for storing data collected and / or generated within one or more databases thereof by the processes of the devices and subsystems of the embodiments of FIGS. 1-7. It may include data structures.

All or some of the apparatuses and subsystems of the embodiments of FIGS. 1-7 use one or more general purpose computer systems, such as microprocessors, digital processors, microcontrollers, etc., to implement an exemplary embodiment of the present invention. Programmed in accordance with the teachings of the examples, and can be conveniently executed in a form that will be appreciated by those skilled in the computer and software arts. Appropriate software can be prepared, in a form deemed by those skilled in the art based on the teachings of the embodiments, to be considered by those skilled in the software art. Furthermore, the devices and subsystems of the embodiments of FIGS. 1-7 can be implemented on the World Wide Web. In addition, the devices and subsystems of the embodiments of FIGS. 1-7 may be conceived by those skilled in the art of electrical engineering by preparing application-specific integrated circuits or by appropriately connecting conventional circuit configurations. In the same form as can be done. Thus, example embodiments are not limited to any specific combination of hardware circuitry and / or software.

Exemplary embodiments of the invention are stored on any one or several combined computer readable media to control devices and subsystems of the example embodiments of FIGS. 1-7, FIGS. The devices and subsystems of the devices and subsystems of the embodiments of FIGS. 1-7 can include software for interacting with human users. Such software may include, but is not limited to, device drivers, firmware, operating systems, development tools, application software, and the like. Such computer readable media may further comprise the computer program product of an embodiment of the invention to perform all or part of its processing (if processing is distributed) that is performed in practicing the invention. The computer code devices of the embodiment of the present invention are, for example, scripts, interpretable programs, dynamic link libraries (DLLs), Java classes and applets, completed executable programs, Common Object Request Broker Architecture (CORBA) objects. And any suitable interpretable to executable code mechanism, including but not limited to such. Moreover, portions of the processing of embodiments of the present invention may be distributed for better performance, reliability, cost, and the like.

As mentioned above, the devices and subsystems of the embodiments of FIGS. 1-7 are for storing instructions programmed in accordance with the teachings of the present invention and for the data structures, tables, records and / or other described herein. It may include a computer readable medium or a memory for storing data. Computer-readable media can include any suitable media that participates in providing instructions to a processor for execution. Such media can include many forms, including but not limited to nonvolatile media, volatile media, transmission media, and the like. Volatile media can include dynamic memory and the like. Transmission media may include coaxial cable, copper wire, optical fiber, and the like. The transmission medium may also take the form that may be generated in the course of sound, light, electromagnetic waves, other wireless communications, infrared data communications, and the like. Common forms of computer readable media include, for example, profidisks, flexible discs, hard disks, magnetic tapes, other suitable magnetic media, CD-ROMs, CDRWs, DVDs, any other suitable optical media, punched cards, paper tapes, optical Any other suitable physical medium, RAM, PROM, EPROM, flash-EPROM, any other suitable memory chip or cartridge, carrier, or computer readable medium having a pattern of mark sheets, holes or other optically recognizable markings And any other suitable medium.

In the context of example embodiments, an agent may be substituted for other entities and / or rule sets (examples of agents are hardware devices, integrated circuits, firmware modules, software modules, software systems, humans, organizations, Services, smart cards, and seeing-eye dogs). An asset is an entity, quality, event, condition, concept, substance, or something else called by a noun, and some possible values (examples of assets are books, ebooks, videos, services, web services, companies, security levels, Domain name, email address, football game, message, and rights). The certificate may include a "right representation". Conditions may include restrictions on any claim made within an expression or declaration (eg, validity period, scope of coverage, number of times the claim can be trusted, and the circumstances under which the claim is held). Publishing may include the acts of making claims in an expression or declaration and the claims behind those claims. Rights can include actions or attributes that an agent is allowed to take on an asset or other rights (examples of walks and walks; examples of actions on assets include play and print and Such as consumption behaviors, modifications such as editing and additions, distributions such as copying and moving, service activities such as requestService and sendMessage; examples of actions with respect to other rights Examples of attributes are name, address, color, security level, employee, relative, friend, domain, graduation, and certified repair; examples of attributes on assets are author and distributor; Examples of attributes related to rights are issuanceChainVerifier, certificate authority, and trusted issuer. The derivation of rights may include the declaration or expression of rights, for example, the issuance of such rights expressions that the publication is permitted within other rights expressions or roots of trust. It is derived from the expression of the right or the root of trust that permits its publication). Rights expressions include expressions that contain claims that rights are granted (examples of rights expression languages include agreements set out in ISO MPEG REL, extensible rights markup language, and content reference forums). Contract Expression Language (see http://www.crforum.org/ ), IPRSystems Open Digital Rights Language, OMA DRM 2.0 Specification Rights Expression Language , Security Assertion Markup Language by Organization for the Advancement of Structured Information Standards (OASIS), Extensible Access Control Markup Language by OASIS, X.509, SPKI , Rights Management and Protection Information as presented by the TV Anytime Forum, and Copy Control Information bits). Signing involves creating something that gives confidence that an expression or declaration issued by a party has been issued by that party. Declaration of the Trust issued may contain a declaration claiming that contain a single permit issued in accordance with any confidence that the root or the right presentation. The root of trust may include an encapsulation of rights that are supposed to be granted.

Although the illustrated embodiments are described by the use of the rights expression and the distribution and use of the digital work, the embodiments are not limited to the rights expression and the digital work. Thus, the benefits associated with not having to process all the data in the chain of data of the embodiments and other advantages of the illustrated embodiments can be applied to other kinds of computing applications. For example, in addition to rights expressions, the illustrated embodiments may be used in conjunction with such other declarations or expressions that may benefit from determining authorization from an efficient method, such as, for example, the settlement of a transaction. Such as proof of certificate, proof of identity, proof of approval, declaration of fact, business intent, business contract, rules, policy, etc.

Although the present invention has been described in connection with various exemplary embodiments and actual implementations, the invention is not limited thereto but includes various modifications and equivalent constructions that fall within the scope of the claims.

Claims (69)

A computer-implemented method for verifying an authorized issue of a declaration or expression, the method comprising: determining whether the declaration or expression is associated with a declaration of trusted publication; Determining whether the declaration of trusted publication is appropriate; Determining whether issuance of the declaration of trusted publication is permitted; And verifying that the declaration of the declaration or expression was authorized if the declaration of the trusted issue was appropriate and that the declaration of trusted publication is permitted. 2. The method of claim 1, wherein the declaration of trusted publication specifies an entity associated with it, and wherein the step of determining whether the declaration of trusted publication is appropriate is trusted by the entity associated with the declaration of trusted publication. Determining whether the entity is an authorized entity. The method of claim 1, wherein the declaration of trusted issuance specifies a permission associated with it, and wherein the step of determining whether the declaration of trusted issuance is appropriate is whether the permission associated with the declaration of trusted is a trusted permission. Determining the method. The method of claim 1, wherein the declaration of trusted issuance specifies a chain-ancestor rights expression associated with it, and the step of determining whether the declaration of trusted issuance is appropriate is trust. Determining if the chain-predecessor right expression associated with the declaration of issued is authorized. The method of claim 1, wherein the declaration or expression associated with the declaration of trusted issuance includes a representation of rights. The method of claim 1, wherein the declaration of trusted publication is part of the declaration or expression associated with the declaration of trusted publication. 2. The method of claim 1, wherein the declaration of trusted publication is issued by the same entity that issued the declaration or expression associated with the declaration of trusted publication. 8. The method of claim 7, wherein the declaration of trusted issuance and the declaration or expression associated with the declaration of trusted issuance are signed by the same entity using one signature. 2. The method of claim 1, wherein the step of determining whether the issuance of the declaration of trust issuance is authorized to test the expression of the rights permitting the issuance of the declaration of trust issuance and the issuance of granting the rights expression. Determining whether this is authorized. 2. The method of claim 1, wherein the step of determining whether the declaration of trusted issuance is permitted is to use the same root of trust that verifies that the declaration or expression associated with the declaration of trusted issuance is permitted. How to feature. The method of claim 1, wherein if the declaration or expression is not associated with a declaration that it is a trusted publication, the verifying step includes verifying that the publication of the declaration or expression is authorized using information associated with the declaration or expression. Method comprising a. 12. The method of claim 11, wherein the information associated with the declaration or expression comprises one or more rights expressions associated with the declaration or expression. 10. The method of claim 9, wherein if the authorized issue of the declaration as a trusted issue cannot be verified, the verifying step verifies that the issue of the declaration or expression is authorized using information associated with the declaration or expression. And comprising the step of: The method of claim 13, wherein the information associated with the declaration or expression includes one or more rights expressions associated with the declaration or expression. The method of claim 1, wherein the declaration of trusted issuance is signed by an entity that issues the declaration of trust. 2. The method of claim 1, further comprising limiting the right to issue the declaration of trusted publication. 2. The method of claim 1, wherein one entity can refuse to rely on a declaration that it is a trusted issue issued by another entity. The method of claim 1, wherein entities are prohibited from believing that a declaration is a trusted issue issued by an entity. The method of claim 1, wherein entities may believe a declaration of trusted publication or of not a declaration of trusted publication by verifying all or part of a chain of rights expressions associated with the declaration or expression. The method of claim 1, wherein entities are required to believe a declaration of being a trusted issue. 2. A method according to claim 1, wherein the entity is not allowed to verify all or part of the rights expression chain or, if not, to access or examine the rights expression chain. The method of claim 1, wherein the declaration or expression associated with the declaration of trusted publication is evidence of entitlement to a digital work, evidence of entitlement to a service, evidence of entitlement to a resource, Proof of purchase, proof of transaction, proof of purchase, proof of authentication, proof of identification, proof of approval, declaration of fact, declaration or expression of business intent, declaration or expression of a business contract, or declaration of rules or policies, or And at least one of the expressions. One or more computer readable instructions stored on a computer readable medium and configured to cause the one or more computer processors to perform the steps recited in claim 1. A system for verifying an authorized issue of a declaration or expression, the system comprising: means for determining whether the declaration or expression is associated with a declaration of being a trusted issue; Means for determining whether the declaration of trusted publication is appropriate; Means for determining whether issuance of the declaration of trusted publication is permitted; And means for verifying that, if the declaration of the trusted issue is appropriate, the publication of the declaration or expression was authorized and that the declaration of trusted publication is permitted. The apparatus of claim 24, wherein the declaration of trusted issuance specifies an entity associated with it, and wherein the means for determining whether the declaration of trusted issuance is appropriate is whether the entity associated with the declaration of trusted is a trusted entity. Means for determining the number of points of interest. 25. The method of claim 24, wherein the declaration of trusted issuance specifies a grant associated with it, and wherein the means for determining whether the declaration of trusted issuance is appropriate is provided that the permission associated with the declaration of trusted issuance is And means for determining if it is a trusted permission. The chain of claim 24 wherein said declaration of trusted issuance specifies a chain-preferred right expression associated therewith and said means for determining whether said declaration of trusted issuance is appropriate is the chain associated with said declaration of trusted issuance. Means for determining whether said issuance of a prior right representation is permitted. 25. The system of claim 24, wherein said declaration or expression associated with said declaration of trusted issuance comprises a representation of rights. 25. The system of claim 24, wherein the declaration of trusted publication is part of the declaration or expression associated with the declaration of trusted publication. 25. The system of claim 24, wherein the declaration of trusted publication is issued by the same entity that issued the declaration or expression associated with the declaration of trusted publication. 31. The system of claim 30, wherein said declaration of trusted issuance and said declaration or expression associated with said declaration of trusted issuance are signed by the same entity using one signature. 25. The method of claim 24, wherein the means for determining whether the issuance of the declaration of trust issuance is permitted, including means for examining a right expression that authorizes the issuance of the declaration of trustworthiness. Means for determining whether the publication is authorized. 25. The method of claim 24, wherein the means for determining whether the declaration of trusted issuance is permitted uses the same root of trust where the declaration or expression associated with the declaration of trusted issuance is verified to be permitted. System. 25. The method of claim 24, wherein if the declaration or expression is not associated with a declaration that it is a trusted publication, the verifying means includes means for verifying that the publication of the declaration or expression is authorized using information associated with the declaration or expression. System comprising a. 35. The system of claim 34, wherein the information associated with the declaration or expression includes one or more rights expressions associated with the declaration or expression. 33. The method of claim 32, wherein if said authorized issuance of said declaration of trusted issuance cannot be verified, said verifying means verifies that said issuance of said declaration or expression is authorized using information associated with said declaration or expression. System comprising means. 37. The system of claim 36, wherein the information associated with the declaration or expression includes one or more rights expressions associated with the declaration or expression. 25. The system of claim 24, wherein said declaration of trusted issuance is signed by an entity that issues said declaration of trusted issuance. 25. The system of claim 24, wherein the system further comprises means for limiting the right to issue the declaration of trusted publication. 25. The system of claim 24, wherein one entity can refuse to believe a declaration of trusted publication issued by another entity. 25. The system of claim 24, wherein entities are prohibited from believing a declaration that a entity is a trusted issue. 25. The method of claim 24, wherein entities can trust a declaration of trusted publication or distrust of a declaration of trusted publication by verifying all or part of a chain of rights expressions associated with the declaration or expression. system. 25. The system of claim 24, wherein entities are required to believe a declaration of trusted publication. 25. The system of claim 24, wherein any entity is not allowed to verify all or part of the rights expression chain or otherwise to access or examine the rights expression chain. 25. The method of claim 24, wherein the declaration or expression associated with the declaration of trusted publication is evidence of entitlement to a digital work, evidence of entitlement to a service, or evidence of entitlement to a resource. , Proof of purchase, proof of transaction, proof of purchase, proof of certification, proof of identity, proof of approval, declaration of fact, declaration or expression of business intent, declaration or expression of business contract, or declaration of rules or policies Or at least one of the expressions. 25. The method of claim 24, wherein the means for determining whether a declaration or expression is associated with a declaration of trusted publication, the means for determining whether the declaration of trusted publication is appropriate, issuing the declaration of trusted publication is permitted. And said means for determining, and said means for verifying, comprise one or more computer readable instructions stored on a computer readable medium. 25. The method of claim 24, wherein the means for determining whether a declaration or expression is associated with a declaration of trusted publication, the means for determining whether the declaration of trusted publication is appropriate, issuing the declaration of trusted publication is permitted. And said means for determining, and said means for verification comprise one or more computer devices of a computer system. A device for verifying an authorized issue of a declaration or expression, the device comprising: means for determining whether the declaration or expression is associated with a declaration of being a trusted issue; Means for determining whether the declaration of trusted publication is appropriate; Means for determining whether issuance of the declaration of trusted publication is permitted; And means for verifying that, if the declaration of trusted publication is appropriate, the publication of the declaration or expression was authorized and that the declaration of trusted publication is permitted. 49. The method of claim 48, wherein the declaration of trusted issuance specifies an entity associated with it, and wherein the means for determining whether the declaration of trusted issuance is appropriate is whether the entity associated with the declaration of trusted is a trusted entity. Means for determining the number of times. 49. The method of claim 48, wherein said declaration of trusted issuance specifies a grant associated with it, and said means for determining whether said declaration of trusted issuance is appropriate is said permission associated with said declaration of trusted issuance. Means for determining if is a trusted permission. 49. The chain of claim 48, wherein said declaration of trusted issuance specifies a chain-preferred right expression associated therewith and said means for determining whether said declaration of trusted issuance is appropriate is the chain associated with said declaration of trusted issuance. Means for determining whether said issuance of a prior right representation is permitted. 49. The apparatus of claim 48, wherein the declaration or expression associated with the declaration of trusted issuance includes a representation of rights. 49. The apparatus of claim 48, wherein the declaration of trusted publication is part of the declaration or expression associated with the declaration of trusted publication. 49. The apparatus of claim 48, wherein the declaration of trusted issuance is issued by the same entity that issued the declaration or expression associated with the declaration of trusted issuance. 55. The apparatus of claim 54, wherein the declaration of trusted issuance and the declaration or expression associated with the declaration of trusted issuance are signed by the same entity using one signature. 49. The apparatus of claim 48, wherein said means for determining whether issuance of said declaration of trusted issuance is authorized by means of examining a right expression and authorizing the issuance of said declaration of trustworthiness. Means for determining whether the publication is authorized. 49. The method of claim 48, wherein the means for determining whether the declaration of trusted issuance is permitted uses the same root of trust where it is verified that the declaration or expression associated with the declaration of trusted issuance is permitted. Device. 49. The method of claim 48, wherein if the declaration or expression is not associated with a declaration that it is a trusted publication, the means for verifying means for verifying that the publication of the declaration or expression is authorized using information associated with the declaration or expression. Apparatus comprising a. 59. The apparatus of claim 58, wherein the information associated with the declaration or expression includes one or more rights expressions associated with the declaration or expression. 59. The method of claim 56, wherein if the authorized issuance of the declaration as a trusted issue cannot be verified, the verifying means verifies that the issuance of the declaration or expression is authorized using information associated with the declaration or expression. An apparatus comprising means. 61. The apparatus of claim 60, wherein the information associated with the declaration or expression includes one or more rights expressions associated with the declaration or expression. 49. The apparatus of claim 48, wherein said declaration of trusted issuance is signed by an entity that issues said declaration of trusted issuance. 49. The apparatus of claim 48, wherein the system further comprises means for restricting the right to issue the declaration of trusted publication. 49. The apparatus of claim 48, wherein one entity can refuse to believe a declaration of trusted publication issued by another entity. 49. The apparatus of claim 48, wherein entities are prohibited from believing a declaration that a entity is a trusted issue. 49. The method of claim 48, wherein entities can trust a declaration of trusted publication or not believe in a declaration of trusted publication by verifying all or part of a chain of rights expressions associated with the declaration or expression. Device. 49. The apparatus of claim 48, wherein entities are required to believe a declaration of trusted publication. 49. The apparatus of claim 48, wherein no entity is allowed to verify all or part of the rights expression chain or otherwise to access or examine the rights expression chain. 49. The method of claim 48, wherein the declaration or expression associated with the declaration of trusted publication is evidence of entitlement to a digital work, evidence of entitlement to a service, or evidence of entitlement to a resource. , Proof of purchase, proof of transaction, proof of purchase, proof of certification, proof of identity, proof of approval, declaration of fact, declaration or expression of business intent, declaration or expression of business contract, or declaration of rules or policies Or at least one of the expressions.

Images